Feature/expose app credential#948
Conversation
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| pub mod access_rule; | ||
| pub mod application_credential; |
Signed-off-by: Hamza Konac <hamza.konac@tubitak.gov.tr>
gtema
left a comment
There was a problem hiding this comment.
thanks, look good, but there are issues that need to be addressed
| state | ||
| .provider | ||
| .get_identity_provider() | ||
| .get_user(&ExecutionContext::from_auth(&state, &user_auth), &user_id) |
There was a problem hiding this comment.
you should only create ExecutionContext once. You recreate it few times in every handler
There was a problem hiding this comment.
I will define it at begin of the handler and reuse it in the handler if I need to use it.
There was a problem hiding this comment.
please add docstring to all fields in structures
There was a problem hiding this comment.
okey I will add by the help of AI
There was a problem hiding this comment.
please add docstring to all fields in structures
| pub roles: Vec<RoleRef>, | ||
|
|
||
| /// Only present in create response. Never returned again. | ||
| pub secret: String, |
|
|
||
| pub unrestricted: bool, | ||
|
|
||
| #[cfg_attr(feature = "validate", validate(length(min = 1, max = 64)))] |
There was a problem hiding this comment.
python keystone does not expose user_id for the application credential, since they are always already bound to the URL. Drop it in all structs
| default allow := false | ||
|
|
||
| allow if { | ||
| input.credentials.user_id == input.target.user_id |
There was a problem hiding this comment.
it would be input.target.application_credential.user_id
|
|
||
| allow if { input.credentials.is_admin } | ||
|
|
||
| allow if { input.credentials.user_id == input.target.user_id } No newline at end of file |
There was a problem hiding this comment.
it's going to be input.target.existing.user_id
| input.credentials.system == "all" | ||
| } | ||
|
|
||
| allow if { input.credentials.user_id == input.target.user_id } No newline at end of file |
There was a problem hiding this comment.
target.application_credential.user_id or target.user_id, but depends on how you set pass it from handler. Anyway - please look at the current policies which document the structure of the data - add it to all policies
| input.credentials.system == "all" | ||
| } | ||
|
|
||
| allow if { input.credentials.user_id == input.target.user_id } No newline at end of file |
There was a problem hiding this comment.
also here user_id is wrapped under the input.existing.application_credential.user_id
| pub async fn get_project_scoped_client() -> Result<Arc<AsyncOpenStack>> { | ||
| let mut tc = AsyncOpenStack::new(&CloudConfig::from_env()?).await?; | ||
|
|
||
| tc.authorize( |
There was a problem hiding this comment.
this should not be necessary - the 'tc' already should be project scoped as directed by the env vars.
Thanks for your review. I'm going to address all issues. |
This PR implements the Application Credential API (part of #782).
Changes
application_credentialandaccess_rule, along with their converters in theapi-typescrate.