openstack
diff --git a/‎doc/source/cli/command-objects/access-rules.rst‎
Lines changed: 61 additions & 0 deletions b/‎doc/source/cli/command-objects/access-rules.rst‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎doc/source/cli/command-objects/application-credentials.rst‎
Lines changed: 7 additions & 0 deletions b/‎doc/source/cli/command-objects/application-credentials.rst‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎lower-constraints.txt‎
Lines changed: 1 addition & 1 deletion b/‎lower-constraints.txt‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎openstackclient/identity/v3/access_rule.py‎
Lines changed: 118 additions & 0 deletions b/‎openstackclient/identity/v3/access_rule.py‎
Lines changed: 118 additions & 0 deletions
diff --git a/‎openstackclient/identity/v3/application_credential.py‎
Lines changed: 27 additions & 0 deletions b/‎openstackclient/identity/v3/application_credential.py‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎openstackclient/tests/unit/identity/v3/fakes.py‎
Lines changed: 31 additions & 2 deletions b/‎openstackclient/tests/unit/identity/v3/fakes.py‎
Lines changed: 31 additions & 2 deletions
@@ -0,0 +1,61 @@
+===========
+access rule
+===========
+
+Identity v3
+
+Access rules are fine-grained permissions for application credentials. An access
+rule comprises of a service type, a request path, and a request method. Access
+rules may only be created as attributes of application credentials, but they may
+be viewed and deleted independently.
+
+
+access rule delete
+------------------
+
+Delete access rule(s)
+
+.. program:: access rule delete
+.. code:: bash
+
+    openstack access rule delete <access-rule> [<access-rule> ...]
+
+.. describe:: <access-rule>
+
+    Access rule(s) to delete (ID)
+
+access rule list
+----------------
+
+List access rules
+
+.. program:: access rule list
+.. code:: bash
+
+    openstack access rule list
+        [--user <user>]
+        [--user-domain <user-domain>]
+
+.. option:: --user
+
+    User whose access rules to list (name or ID). If not provided, looks up the
+    current user's access rules.
+
+.. option:: --user-domain
+
+    Domain the user belongs to (name or ID). This can be
+    used in case collisions between user names exist.
+
+access rule show
+---------------------------
+
+Display access rule details
+
+.. program:: access rule show
+.. code:: bash
+
+    openstack access rule show <access-rule>
+
+.. describe:: <access-rule>
+
+    Access rule to display (ID)
@@ -22,6 +22,7 @@ Create new application credential
         [--expiration <expiration>]
         [--description <description>]
         [--restricted|--unrestricted]
+        [--access-rules <access-rules>]
         <name>
 
 .. option:: --secret <secret>
@@ -52,6 +53,12 @@ Create new application credential
     Prohibit application credential from creating and deleting other
     application credentials and trusts (this is the default behavior)
 
+.. option:: --access-rules
+
+   Either a string or file path containing a JSON-formatted list of access
+   rules, each containing a request method, path, and service, for example
+   '[{"method": "GET", "path": "/v2.1/servers", "service": "compute"}]'
+
 .. describe:: <name>
 
     Name of the application credential
 
@@ -95,7 +95,7 @@ python-heatclient==1.10.0
 python-ironic-inspector-client==1.5.0
 python-ironicclient==2.3.0
 python-karborclient==0.6.0
-python-keystoneclient==3.17.0
+python-keystoneclient==3.22.0
 python-mimeparse==1.6.0
 python-mistralclient==3.1.0
 python-muranoclient==0.8.2
 
@@ -0,0 +1,118 @@
+#   Copyright 2019 SUSE LLC
+#
+#   Licensed under the Apache License, Version 2.0 (the "License"); you may
+#   not use this file except in compliance with the License. You may obtain
+#   a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#   Unless required by applicable law or agreed to in writing, software
+#   distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#   WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#   License for the specific language governing permissions and limitations
+#   under the License.
+#
+
+"""Identity v3 Access Rule action implementations"""
+
+import logging
+
+from osc_lib.command import command
+from osc_lib import exceptions
+from osc_lib import utils
+import six
+
+from openstackclient.i18n import _
+from openstackclient.identity import common
+
+
+LOG = logging.getLogger(__name__)
+
+
+class DeleteAccessRule(command.Command):
+    _description = _("Delete access rule(s)")
+
+    def get_parser(self, prog_name):
+        parser = super(DeleteAccessRule, self).get_parser(prog_name)
+        parser.add_argument(
+            'access_rule',
+            metavar='<access-rule>',
+            nargs="+",
+            help=_('Application credentials(s) to delete (name or ID)'),
+        )
+        return parser
+
+    def take_action(self, parsed_args):
+        identity_client = self.app.client_manager.identity
+
+        errors = 0
+        for ac in parsed_args.access_rule:
+            try:
+                access_rule = utils.find_resource(
+                    identity_client.access_rules, ac)
+                identity_client.access_rules.delete(access_rule.id)
+            except Exception as e:
+                errors += 1
+                LOG.error(_("Failed to delete access rule with "
+                          "ID '%(ac)s': %(e)s"),
+                          {'ac': ac, 'e': e})
+
+        if errors > 0:
+            total = len(parsed_args.access_rule)
+            msg = (_("%(errors)s of %(total)s access rules failed "
+                   "to delete.") % {'errors': errors, 'total': total})
+            raise exceptions.CommandError(msg)
+
+
+class ListAccessRule(command.Lister):
+    _description = _("List access rules")
+
+    def get_parser(self, prog_name):
+        parser = super(ListAccessRule, self).get_parser(prog_name)
+        parser.add_argument(
+            '--user',
+            metavar='<user>',
+            help=_('User whose access rules to list (name or ID)'),
+        )
+        common.add_user_domain_option_to_parser(parser)
+        return parser
+
+    def take_action(self, parsed_args):
+        identity_client = self.app.client_manager.identity
+        if parsed_args.user:
+            user_id = common.find_user(identity_client,
+                                       parsed_args.user,
+                                       parsed_args.user_domain).id
+        else:
+            user_id = None
+
+        columns = ('ID', 'Service', 'Method', 'Path')
+        data = identity_client.access_rules.list(
+            user=user_id)
+        return (columns,
+                (utils.get_item_properties(
+                    s, columns,
+                    formatters={},
+                ) for s in data))
+
+
+class ShowAccessRule(command.ShowOne):
+    _description = _("Display access rule details")
+
+    def get_parser(self, prog_name):
+        parser = super(ShowAccessRule, self).get_parser(prog_name)
+        parser.add_argument(
+            'access_rule',
+            metavar='<access-rule>',
+            help=_('Application credential to display (name or ID)'),
+        )
+        return parser
+
+    def take_action(self, parsed_args):
+        identity_client = self.app.client_manager.identity
+        access_rule = utils.find_resource(identity_client.access_rules,
+                                          parsed_args.access_rule)
+
+        access_rule._info.pop('links', None)
+
+        return zip(*sorted(six.iteritems(access_rule._info)))
@@ -16,6 +16,7 @@
 """Identity v3 Application Credential action implementations"""
 
 import datetime
+import json
 import logging
 
 from osc_lib.command import command
@@ -79,6 +80,17 @@ def get_parser(self, prog_name):
                    ' other application credentials and trusts (this is the'
                    ' default behavior)'),
         )
+        parser.add_argument(
+            '--access-rules',
+            metavar='<access-rules>',
+            help=_('Either a string or file path containing a JSON-formatted '
+                   'list of access rules, each containing a request method, '
+                   'path, and service, for example '
+                   '\'[{"method": "GET", '
+                   '"path": "/v2.1/servers", '
+                   '"service": "compute"}]\''),
+
+        )
         return parser
 
     def take_action(self, parsed_args):
@@ -105,6 +117,20 @@ def take_action(self, parsed_args):
         else:
             unrestricted = parsed_args.unrestricted
 
+        if parsed_args.access_rules:
+            try:
+                access_rules = json.loads(parsed_args.access_rules)
+            except ValueError:
+                try:
+                    with open(parsed_args.access_rules) as f:
+                        access_rules = json.load(f)
+                except IOError:
+                    raise exceptions.CommandError(
+                        _("Access rules is not valid JSON string or file does"
+                          " not exist."))
+        else:
+            access_rules = None
+
         app_cred_manager = identity_client.application_credentials
         application_credential = app_cred_manager.create(
             parsed_args.name,
@@ -113,6 +139,7 @@ def take_action(self, parsed_args):
             description=parsed_args.description,
             secret=parsed_args.secret,
             unrestricted=unrestricted,
+            access_rules=access_rules,
         )
 
         application_credential._info.pop('links', None)
 
@@ -470,6 +470,14 @@
 app_cred_expires = datetime.datetime(2022, 1, 1, 0, 0)
 app_cred_expires_str = app_cred_expires.strftime('%Y-%m-%dT%H:%M:%S%z')
 app_cred_secret = 'moresecuresecret'
+app_cred_access_rules = (
+    '[{"path": "/v2.1/servers", "method": "GET", "service": "compute"}]'
+)
+app_cred_access_rules_path = '/tmp/access_rules.json'
+access_rule_id = 'access-rule-id'
+access_rule_service = 'compute'
+access_rule_path = '/v2.1/servers'
+access_rule_method = 'GET'
 APP_CRED_BASIC = {
     'id': app_cred_id,
     'name': app_cred_name,
@@ -478,7 +486,8 @@
     'description': None,
     'expires_at': None,
     'unrestricted': False,
-    'secret': app_cred_secret
+    'secret': app_cred_secret,
+    'access_rules': None
 }
 APP_CRED_OPTIONS = {
     'id': app_cred_id,
@@ -488,7 +497,25 @@
     'description': app_cred_description,
     'expires_at': app_cred_expires_str,
     'unrestricted': False,
-    'secret': app_cred_secret
+    'secret': app_cred_secret,
+    'access_rules': None,
+}
+ACCESS_RULE = {
+    'id': access_rule_id,
+    'service': access_rule_service,
+    'path': access_rule_path,
+    'method': access_rule_method,
+}
+APP_CRED_ACCESS_RULES = {
+    'id': app_cred_id,
+    'name': app_cred_name,
+    'project_id': project_id,
+    'roles': app_cred_role,
+    'description': None,
+    'expires_at': None,
+    'unrestricted': False,
+    'secret': app_cred_secret,
+    'access_rules': app_cred_access_rules
 }
 
 registered_limit_id = 'registered-limit-id'
@@ -625,6 +652,8 @@ def __init__(self, **kwargs):
         self.application_credentials = mock.Mock()
         self.application_credentials.resource_class = fakes.FakeResource(None,
                                                                          {})
+        self.access_rules = mock.Mock()
+        self.access_rules.resource_class = fakes.FakeResource(None, {})
         self.inference_rules = mock.Mock()
         self.inference_rules.resource_class = fakes.FakeResource(None, {})
         self.registered_limits = mock.Mock()