Skip to content

Feature/expose app credential#948

Open
konac-hamza wants to merge 4 commits into
openstack-experimental:mainfrom
konac-hamza:feature/expose-app-credential
Open

Feature/expose app credential#948
konac-hamza wants to merge 4 commits into
openstack-experimental:mainfrom
konac-hamza:feature/expose-app-credential

Conversation

@konac-hamza

Copy link
Copy Markdown
Collaborator

This PR implements the Application Credential API (part of #782).

Changes

  • Added API type definitions for application_credential and access_rule, along with their converters in the api-types crate.
  • Followed the Python Keystone implementation to preserve compatibility and prevent known security issues in the endpoints.
  • Implemented the delete operation in both the core and SQL layers.
  • Implemented policy enforcement based on the default Keystone policies.

Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
// SPDX-License-Identifier: Apache-2.0

pub mod access_rule;
pub mod application_credential;
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>

@gtema gtema left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, look good, but there are issues that need to be addressed

state
.provider
.get_identity_provider()
.get_user(&ExecutionContext::from_auth(&state, &user_auth), &user_id)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should only create ExecutionContext once. You recreate it few times in every handler

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will define it at begin of the handler and reuse it in the handler if I need to use it.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add docstring to all fields in structures

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okey I will add by the help of AI

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add docstring to all fields in structures

pub roles: Vec<RoleRef>,

/// Only present in create response. Never returned again.
pub secret: String,

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

make this SecretString


pub unrestricted: bool,

#[cfg_attr(feature = "validate", validate(length(min = 1, max = 64)))]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

python keystone does not expose user_id for the application credential, since they are always already bound to the URL. Drop it in all structs

default allow := false

allow if {
input.credentials.user_id == input.target.user_id

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it would be input.target.application_credential.user_id


allow if { input.credentials.is_admin }

allow if { input.credentials.user_id == input.target.user_id } No newline at end of file

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's going to be input.target.existing.user_id

input.credentials.system == "all"
}

allow if { input.credentials.user_id == input.target.user_id } No newline at end of file

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

target.application_credential.user_id or target.user_id, but depends on how you set pass it from handler. Anyway - please look at the current policies which document the structure of the data - add it to all policies

input.credentials.system == "all"
}

allow if { input.credentials.user_id == input.target.user_id } No newline at end of file

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also here user_id is wrapped under the input.existing.application_credential.user_id

pub async fn get_project_scoped_client() -> Result<Arc<AsyncOpenStack>> {
let mut tc = AsyncOpenStack::new(&CloudConfig::from_env()?).await?;

tc.authorize(

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should not be necessary - the 'tc' already should be project scoped as directed by the env vars.

@konac-hamza

Copy link
Copy Markdown
Collaborator Author

thanks, look good, but there are issues that need to be addressed

Thanks for your review. I'm going to address all issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants