authorColleen Murphy <colleen.murphy@suse.de>2019-08-21 17:38:29 -0700
committerColleen Murphy <colleen.murphy@suse.com>2020-01-17 11:14:51 -0800
commit70ab3f9dd56a638cdff516ca85baa5ebd64c888b (patch)
treed8a92201238b7bcc749c80bb2d8a403f3d3b2d1b /openstackclient/identity
parentdb29e28b7c1a6ef737f0c4cd459906379f59b252 (diff)
downloadpython-openstackclient-70ab3f9dd56a638cdff516ca85baa5ebd64c888b.tar.gz
Add support for app cred access rules
This commit introduces the --access-rules option for 'application credential create' as well as new 'access rule' commands for listing, showing, and deleting access rules. bp whitelist-extension-for-app-creds Change-Id: I04834b2874ec2a70da456a380b5bef03a392effa
Diffstat (limited to 'openstackclient/identity')
-rw-r--r--openstackclient/identity/v3/access_rule.py118
-rw-r--r--openstackclient/identity/v3/application_credential.py27
2 files changed, 145 insertions, 0 deletions
diff --git a/openstackclient/identity/v3/access_rule.py b/openstackclient/identity/v3/access_rule.py
new file mode 100644
index 00000000..d96b44da
--- /dev/null
+++ b/openstackclient/identity/v3/access_rule.py
@@ -0,0 +1,118 @@
+# Copyright 2019 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+"""Identity v3 Access Rule action implementations"""
+
+import logging
+
+from osc_lib.command import command
+from osc_lib import exceptions
+from osc_lib import utils
+import six
+
+from openstackclient.i18n import _
+from openstackclient.identity import common
+
+
+LOG = logging.getLogger(__name__)
+
+
+class DeleteAccessRule(command.Command):
+ _description = _("Delete access rule(s)")
+
+ def get_parser(self, prog_name):
+ parser = super(DeleteAccessRule, self).get_parser(prog_name)
+ parser.add_argument(
+ 'access_rule',
+ metavar='<access-rule>',
+ nargs="+",
+ help=_('Application credentials(s) to delete (name or ID)'),
+ )
+ return parser
+
+ def take_action(self, parsed_args):
+ identity_client = self.app.client_manager.identity
+
+ errors = 0
+ for ac in parsed_args.access_rule:
+ try:
+ access_rule = utils.find_resource(
+ identity_client.access_rules, ac)
+ identity_client.access_rules.delete(access_rule.id)
+ except Exception as e:
+ errors += 1
+ LOG.error(_("Failed to delete access rule with "
+ "ID '%(ac)s': %(e)s"),
+ {'ac': ac, 'e': e})
+
+ if errors > 0:
+ total = len(parsed_args.access_rule)
+ msg = (_("%(errors)s of %(total)s access rules failed "
+ "to delete.") % {'errors': errors, 'total': total})
+ raise exceptions.CommandError(msg)
+
+
+class ListAccessRule(command.Lister):
+ _description = _("List access rules")
+
+ def get_parser(self, prog_name):
+ parser = super(ListAccessRule, self).get_parser(prog_name)
+ parser.add_argument(
+ '--user',
+ metavar='<user>',
+ help=_('User whose access rules to list (name or ID)'),
+ )
+ common.add_user_domain_option_to_parser(parser)
+ return parser
+
+ def take_action(self, parsed_args):
+ identity_client = self.app.client_manager.identity
+ if parsed_args.user:
+ user_id = common.find_user(identity_client,
+ parsed_args.user,
+ parsed_args.user_domain).id
+ else:
+ user_id = None
+
+ columns = ('ID', 'Service', 'Method', 'Path')
+ data = identity_client.access_rules.list(
+ user=user_id)
+ return (columns,
+ (utils.get_item_properties(
+ s, columns,
+ formatters={},
+ ) for s in data))
+
+
+class ShowAccessRule(command.ShowOne):
+ _description = _("Display access rule details")
+
+ def get_parser(self, prog_name):
+ parser = super(ShowAccessRule, self).get_parser(prog_name)
+ parser.add_argument(
+ 'access_rule',
+ metavar='<access-rule>',
+ help=_('Application credential to display (name or ID)'),
+ )
+ return parser
+
+ def take_action(self, parsed_args):
+ identity_client = self.app.client_manager.identity
+ access_rule = utils.find_resource(identity_client.access_rules,
+ parsed_args.access_rule)
+
+ access_rule._info.pop('links', None)
+
+ return zip(*sorted(six.iteritems(access_rule._info)))
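Review bot: The positional argument help strings in DeleteAccessRule.get_parser ('Application credentials(s) to delete (name or ID)') and ShowAccessRule.get_parser ('Application credential to display (name or ID)') name the wrong resource, since both commands resolve the value through `identity_client.access_rules`. Access rules are what restrict an application credential, so an operator following the delete help could reasonably pass a credential name. I would change them to `help=_('Access rule(s) to delete (ID)')` and `help=_('Access rule to display (ID)')`. The error message in DeleteAccessRule.take_action already says "with ID", which suggests name lookup is not meaningful here, but that should be confirmed against the API. The loop variable `ac` also looks carried over from the application credential code and would read better as `rule`.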
diff --git a/openstackclient/identity/v3/application_credential.py b/openstackclient/identity/v3/application_credential.py
index ea0b30cd..a2089856 100644
--- a/openstackclient/identity/v3/application_credential.py
+++ b/openstackclient/identity/v3/application_credential.py
@@ -16,6 +16,7 @@
"""Identity v3 Application Credential action implementations"""
import datetime
+import json
import logging
from osc_lib.command import command
@@ -79,6 +80,17 @@ class CreateApplicationCredential(command.ShowOne):
' other application credentials and trusts (this is the'
' default behavior)'),
)
+ parser.add_argument(
+ '--access-rules',
+ metavar='<access-rules>',
+ help=_('Either a string or file path containing a JSON-formatted '
+ 'list of access rules, each containing a request method, '
+ 'path, and service, for example '
+ '\'[{"method": "GET", '
+ '"path": "/v2.1/servers", '
+ '"service": "compute"}]\''),
+
+ )
return parser
def take_action(self, parsed_args):
@@ -105,6 +117,20 @@ class CreateApplicationCredential(command.ShowOne):
else:
unrestricted = parsed_args.unrestricted
+ if parsed_args.access_rules:
+ try:
+ access_rules = json.loads(parsed_args.access_rules)
+ except ValueError:
+ try:
+ with open(parsed_args.access_rules) as f:
+ access_rules = json.load(f)
+ except IOError:
+ raise exceptions.CommandError(
+ _("Access rules is not valid JSON string or file does"
+ " not exist."))
+ else:
+ access_rules = None
+
app_cred_manager = identity_client.application_credentials
application_credential = app_cred_manager.create(
parsed_args.name,
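Review bot: In the new `--access-rules` handling, the inner `json.load(f)` raises ValueError when the file exists but does not contain valid JSON, and only IOError is caught, so that case escapes as a traceback instead of the CommandError. `except (IOError, ValueError):` would cover it. The decoded value is also passed on unchecked: `--access-rules null` decodes to None, the same value used when the option is absent, so the credential would be created with `access_rules=None` even though the caller asked for a restriction. I would reject anything that is not a list right after parsing, for example `if not isinstance(access_rules, list): raise exceptions.CommandError(_("Access rules must be a JSON list."))`. take_action begins and ends outside this hunk.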
@@ -113,6 +139,7 @@ class CreateApplicationCredential(command.ShowOne):
description=parsed_args.description,
secret=parsed_args.secret,
unrestricted=unrestricted,
+ access_rules=access_rules,
)
application_credential._info.pop('links', None)