| author | Derek Higgins <derekh@redhat.com> | 2012-07-05 22:15:48 +0100 |
|---|---|---|
| committer | Derek Higgins <derekh@redhat.com> | 2012-07-10 11:06:11 +0100 |
| commit | 4ab47ad224c422dcd96aa256740945d1e6a8a208 (patch) | |
| tree | 0d4c27ae82696ab68e3d830b12af5f1e26015e4f /keystone/contrib | |
| parent | ec9c038ba28af4273aae81450249e3691a2c2cb6 (diff) | |
Adding user password setting api call
Fixes bug 996922
This commit adds a user_crud module that can be used in the public wsgi
pipeline, currently the only operation included allows a user to update
their own password.
In order to change their password a user should make an HTTP PATCH to
/v2.0/OS-KSCRUD/users/<userid>
with the JSON data formatted like this
{"user": {"password": "DCBA", "original_password": "ABCD"}}
In addition to changing the user's password, all current tokens
will be cleared (for token backends that support listing) and
a new token id will be returned.
Change-Id: I0cbdafbb29a5b6531ad192f240efb9379f0efd2d
Diffstat (limited to 'keystone/contrib')
| -rw-r--r-- | keystone/contrib/user_crud/__init__.py | 17 | ||||
| -rw-r--r-- | keystone/contrib/user_crud/core.py | 88 |
2 files changed, 105 insertions, 0 deletions
diff --git a/keystone/contrib/user_crud/__init__.py b/keystone/contrib/user_crud/__init__.py
new file mode 100644
index 00000000..8f4a83f0
--- /dev/null
+++ b/keystone/contrib/user_crud/__init__.py
@@ -0,0 +1,17 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2012 Red Hat, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from keystone.contrib.user_crud.core import *
diff --git a/keystone/contrib/user_crud/core.py b/keystone/contrib/user_crud/core.py
new file mode 100644
index 00000000..67aecdb9
--- /dev/null
+++ b/keystone/contrib/user_crud/core.py
@@ -0,0 +1,88 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2012 Red Hat, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import copy
+import uuid
+
+from keystone import exception
+from keystone.common import logging
+from keystone.common import wsgi
+from keystone.identity import Manager as IdentityManager
+from keystone.identity import UserController as UserManager
+from keystone.token import Manager as TokenManager
+
+
+LOG = logging.getLogger(__name__)
+
+
+class UserController(wsgi.Application):
+ def __init__(self):
+ self.identity_api = IdentityManager()
+ self.token_api = TokenManager()
+ self.user_controller = UserManager()
+
+ def set_user_password(self, context, user_id, user):
+ token_id = context.get('token_id')
+ original_password = user.get('original_password')
+
+ token_ref = self.token_api.get_token(context=context,
+ token_id=token_id)
+ user_id_from_token = token_ref['user']['id']
+
+ if user_id_from_token != user_id or original_password is None:
+ raise exception.Forbidden()
+
+ try:
+ user_ref = self.identity_api.authenticate(
+ context=context,
+ user_id=user_id_from_token,
+ password=original_password)[0]
+ if not user_ref.get('enabled', True):
+ raise exception.Unauthorized()
+ except AssertionError:
+ raise exception.Unauthorized()
+
+ update_dict = {'password': user['password'], 'id': user_id}
+
+ admin_context = copy.copy(context)
+ admin_context['is_admin'] = True
+ self.user_controller.set_user_password(admin_context,
+ user_id,
+ update_dict)
+
+ token_id = uuid.uuid4().hex
+ new_token_ref = copy.copy(token_ref)
+ new_token_ref['id'] = token_id
+ self.token_api.create_token(context=context, token_id=token_id,
+ data=new_token_ref)
+ logging.debug('TOKEN_REF %s', new_token_ref)
+ return {'access': {'token': new_token_ref}}
+
+
+class CrudExtension(wsgi.ExtensionRouter):
+ """
+
+ Provides a subset of CRUD operations for internal data types.
+
+ """
+
+ def add_routes(self, mapper):
+ user_controller = UserController()
+
+ mapper.connect('/OS-KSCRUD/users/{user_id}',
+ controller=user_controller,
+ action='set_user_password',
+ conditions=dict(method=['PATCH'])) |
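Review bot: The `logging.debug('TOKEN_REF %s', new_token_ref)` call near the end of `set_user_password` writes the newly issued token, including its id, into the debug log, so a bearer credential ends up readable by anyone with access to the logs. Drop the line or log only non-secret fields through the module logger, e.g. `LOG.debug('issued replacement token for user %s', user_id)`; as written the call also bypasses the `LOG` object defined at the top of the file, which is otherwise unused. Separately, `user['password']` is read without a presence check, so a request body that omits `password` would presumably surface as a `KeyError` rather than a validation error; a guard next to the `original_password is None` test would cover it.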
