4 files changed, 225 insertions, 0 deletions

diff --git a/openstackclient/identity/v3/unscoped_saml.py b/openstackclient/identity/v3/unscoped_saml.py
new file mode 100644
index 00000000..affbaf3a
--- /dev/null
+++ b/openstackclient/identity/v3/unscoped_saml.py
@@ -0,0 +1,79 @@
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+"""Identity v3 unscoped SAML auth action implementations.
+
+The first step of federated auth is to fetch an unscoped token. From there,
+the user can list domains and projects they are allowed to access, and request
+a scoped token."""
+
+import logging
+
+from cliff import lister
+
+from openstackclient.common import exceptions
+from openstackclient.common import utils
+
+
+UNSCOPED_AUTH_PLUGINS = ['v3unscopedsaml', 'v3unscopedadfs']
+
+
+def auth_with_unscoped_saml(func):
+    """Check the unscoped federated context"""
+    def _decorated(self, parsed_args):
+        auth_plugin_name = self.app.client_manager.auth_plugin_name
+        if auth_plugin_name in UNSCOPED_AUTH_PLUGINS:
+            return func(self, parsed_args)
+        else:
+            msg = ('This command requires the use of an unscoped SAML '
+                   'authentication plugin. Please use argument '
+                   '--os-auth-plugin with one of the following '
+                   'plugins: ' + ', '.join(UNSCOPED_AUTH_PLUGINS))
+            raise exceptions.CommandError(msg)
+    return _decorated
+
+
+class ListAccessibleDomains(lister.Lister):
+    """List accessible domains"""
+
+    log = logging.getLogger(__name__ + '.ListAccessibleDomains')
+
+    @auth_with_unscoped_saml
+    def take_action(self, parsed_args):
+        self.log.debug('take_action(%s)', parsed_args)
+        columns = ('ID', 'Enabled', 'Name', 'Description')
+        identity_client = self.app.client_manager.identity
+        data = identity_client.federation.domains.list()
+        return (columns,
+                (utils.get_item_properties(
+                    s, columns,
+                    formatters={},
+                ) for s in data))
+
+
+class ListAccessibleProjects(lister.Lister):
+    """List accessible projects"""
+
+    log = logging.getLogger(__name__ + '.ListAccessibleProjects')
+
+    @auth_with_unscoped_saml
+    def take_action(self, parsed_args):
+        self.log.debug('take_action(%s)', parsed_args)
+        columns = ('ID', 'Domain ID', 'Enabled', 'Name')
+        identity_client = self.app.client_manager.identity
+        data = identity_client.federation.projects.list()
+        return (columns,
+                (utils.get_item_properties(
+                    s, columns,
+                    formatters={},
+                ) for s in data))
diff --git a/openstackclient/tests/fakes.py b/openstackclient/tests/fakes.py
index f8b7bb6f..abad4cff 100644
--- a/openstackclient/tests/fakes.py
+++ b/openstackclient/tests/fakes.py
@@ -199,6 +199,7 @@ class FakeClientManager(object):
         self.network = None
         self.session = None
         self.auth_ref = None
+        self.auth_plugin_name = None
 
 
 class FakeModule(object):
diff --git a/openstackclient/tests/identity/v3/fakes.py b/openstackclient/tests/identity/v3/fakes.py
index 5844d160..b195ed78 100644
--- a/openstackclient/tests/identity/v3/fakes.py
+++ b/openstackclient/tests/identity/v3/fakes.py
@@ -285,6 +285,19 @@ OAUTH_VERIFIER = {
 }
 
 
+class FakeAuth(object):
+    def __init__(self, auth_method_class=None):
+        self._auth_method_class = auth_method_class
+
+    def get_token(self, *args, **kwargs):
+        return token_id
+
+
+class FakeSession(object):
+    def __init__(self, **kwargs):
+        self.auth = FakeAuth()
+
+
 class FakeIdentityv3Client(object):
     def __init__(self, **kwargs):
         self.domains = mock.Mock()
@@ -320,6 +333,10 @@ class FakeFederationManager(object):
         self.mappings.resource_class = fakes.FakeResource(None, {})
         self.protocols = mock.Mock()
         self.protocols.resource_class = fakes.FakeResource(None, {})
+        self.projects = mock.Mock()
+        self.projects.resource_class = fakes.FakeResource(None, {})
+        self.domains = mock.Mock()
+        self.domains.resource_class = fakes.FakeResource(None, {})
 
 
 class FakeFederatedClient(FakeIdentityv3Client):
diff --git a/openstackclient/tests/identity/v3/test_unscoped_saml.py b/openstackclient/tests/identity/v3/test_unscoped_saml.py
new file mode 100644
index 00000000..6b2d3f5b
--- /dev/null
+++ b/openstackclient/tests/identity/v3/test_unscoped_saml.py
@@ -0,0 +1,128 @@
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+
+import copy
+
+from openstackclient.common import exceptions
+from openstackclient.identity.v3 import unscoped_saml
+from openstackclient.tests import fakes
+from openstackclient.tests.identity.v3 import fakes as identity_fakes
+
+
+class TestUnscopedSAML(identity_fakes.TestFederatedIdentity):
+
+    def setUp(self):
+        super(TestUnscopedSAML, self).setUp()
+
+        federation_lib = self.app.client_manager.identity.federation
+        self.projects_mock = federation_lib.projects
+        self.projects_mock.reset_mock()
+        self.domains_mock = federation_lib.domains
+        self.domains_mock.reset_mock()
+
+
+class TestProjectList(TestUnscopedSAML):
+
+    def setUp(self):
+        super(TestProjectList, self).setUp()
+
+        self.projects_mock.list.return_value = [
+            fakes.FakeResource(
+                None,
+                copy.deepcopy(identity_fakes.PROJECT),
+                loaded=True,
+            ),
+        ]
+
+        # Get the command object to test
+        self.cmd = unscoped_saml.ListAccessibleProjects(self.app, None)
+
+    def test_accessible_projects_list(self):
+        self.app.client_manager.auth_plugin_name = 'v3unscopedsaml'
+        arglist = []
+        verifylist = []
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        # DisplayCommandBase.take_action() returns two tuples
+        columns, data = self.cmd.take_action(parsed_args)
+
+        self.projects_mock.list.assert_called_with()
+
+        collist = ('ID', 'Domain ID', 'Enabled', 'Name')
+        self.assertEqual(columns, collist)
+        datalist = ((
+            identity_fakes.project_id,
+            identity_fakes.domain_id,
+            True,
+            identity_fakes.project_name,
+        ), )
+        self.assertEqual(tuple(data), datalist)
+
+    def test_accessible_projects_list_wrong_auth(self):
+        auth = identity_fakes.FakeAuth("wrong auth")
+        self.app.client_manager.identity.session.auth = auth
+        arglist = []
+        verifylist = []
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        self.assertRaises(exceptions.CommandError,
+                          self.cmd.take_action,
+                          parsed_args)
+
+
+class TestDomainList(TestUnscopedSAML):
+
+    def setUp(self):
+        super(TestDomainList, self).setUp()
+
+        self.domains_mock.list.return_value = [
+            fakes.FakeResource(
+                None,
+                copy.deepcopy(identity_fakes.DOMAIN),
+                loaded=True,
+            ),
+        ]
+
+        # Get the command object to test
+        self.cmd = unscoped_saml.ListAccessibleDomains(self.app, None)
+
+    def test_accessible_domains_list(self):
+        self.app.client_manager.auth_plugin_name = 'v3unscopedsaml'
+        arglist = []
+        verifylist = []
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        # DisplayCommandBase.take_action() returns two tuples
+        columns, data = self.cmd.take_action(parsed_args)
+
+        self.domains_mock.list.assert_called_with()
+
+        collist = ('ID', 'Enabled', 'Name', 'Description')
+        self.assertEqual(columns, collist)
+        datalist = ((
+            identity_fakes.domain_id,
+            True,
+            identity_fakes.domain_name,
+            identity_fakes.domain_description,
+        ), )
+        self.assertEqual(tuple(data), datalist)
+
+    def test_accessible_domains_list_wrong_auth(self):
+        auth = identity_fakes.FakeAuth("wrong auth")
+        self.app.client_manager.identity.session.auth = auth
+        arglist = []
+        verifylist = []
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        self.assertRaises(exceptions.CommandError,
+                          self.cmd.take_action,
+                          parsed_args)