o

�N�gk�@s�dZd
d�Z
dadad!dd�
Z						d"d	d
�
Zd!dd�
Z	d#d
d�
Zd!dd�
Z	d#dd�
Z	d!dd�
Z
d!dd�
Zd!dd�
Z	d$dd�
Z
d!dd�
Z							d%dd�
Zd&dd �
ZdS)'a�
Management of Keystone users
============================

:depends:   - keystoneclient Python module
:configuration: See :py:mod:`salt.modules.keystone` for setup instructions.

.. code-block:: yaml

    Keystone tenants:
      keystone.tenant_present:
        - names:
          - admin
          - demo
          - service

    Keystone roles:
      keystone.role_present:
        - names:
          - admin
          - Member

    admin:
      keystone.user_present:
        - password: R00T_4CC3SS
        - email: admin@domain.com
        - roles:
            admin:   # tenants
              - admin  # roles
            service:
              - admin
              - Member
        - require:
          - keystone: Keystone tenants
          - keystone: Keystone roles

    nova:
      keystone.user_present:
        - password: '$up3rn0v4'
        - email: nova@domain.com
        - tenant: service
        - roles:
            service:
              - admin
        - require:
          - keystone: Keystone tenants
          - keystone: Keystone roles

    demo:
      keystone.user_present:
        - password: 'd3m0n$trati0n'
        - email: demo@domain.com
        - tenant: demo
        - roles:
            demo:
              - Member
        - require:
          - keystone: Keystone tenants
          - keystone: Keystone roles

    nova service:
      keystone.service_present:
        - name: nova
        - service_type: compute
        - description: OpenStack Compute Service

cCsd
tvrdSdS)z9
    Only load if the keystone module is in __salt__
    z
keystone.authZkeystone)Fz#keystone module could not be loaded)
�__salt__�rr�H/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/keystone.py�__virtual__Fs

r��	tenant_idNc
KsNztt
d
dd|i
|
�
�
�d�
�
dkrdadaWdSWdSty&


YdSw)ze
    Sets global variables _OS_IDENTITY_API_VERSION and _TENANT_ID
    depending on API version.
    zkeystone.api_version�profile�
v�Z
project_idNr)�floatr
�strip�
_TENANT_ID�_OS_IDENTITY_API_VERSION�KeyError)r�connection_argsrrr�_api_versionSs"


�
���

�	
�rTc		Ks|id
d|�d�d�}
td9d|i
|	�
�

|r|s|}|du
rCt
dd9||d�|	�
�
}d	|vr<d
|
d<d|�d
�|
d<|
S||d}nd}t
dd9||d�|	�
�
}
d	|
v
�r6d
}d
}d
}d
}|
|�dd�|krjd
}|
|�dd�|krvd
}|r�t|
|v
s�|
|�td�|kr�d
}|d
ur�t
dd9||
|d�|	�
�
s�d
}t�d�
r�|s�|s�|s�|r�d|
d<d|�d�|
d<|d
ur�d|
dd<|d
ur�d|
dd<|d
ur�d|�d�|
dd<|d
ur�d|
dd<|
Sd|�d�|
d<|�
r
t
d d9|||d!�|	�
�

d|�d"�|
d<d#|
dd<|�
r+t
d d9|||d$�|	�
�

d|�d"�|
d<d%|��|
dd<|�
rMt
d d9|||d&�|	�
�

d|�d"�|
d<d'|�d�|
dd<|�
rkt
d(d9||
|d�|	�
�

d|�d"�|
d<d#|
dd<|�r4|D]�}t|||d)�f
i|	�
�
}t
d*d9i|�
�
}||D]N}||v
�
r�t�d�
�
r�d|
d<d+�|�
|
d<|


St||||d,�f
i|	�
�
}t
d-d9i|�
�
}d.|
dv�
r�|
dd.�|�

�
q�|g
|
dd.<�
q�tt	|�
t	||�
�
}|D]I}t�d�
�r
d|
d<d+�|�
|
d<|


St||||d,�f
i|	�
�
}t
d/d9i|�
�
}d.|
dv�r)|
dd.�|�

�
q�|g
|
dd.<�
q�
qp|
St�d�
�rPd|
d<d0|�d1�|
d<d2|
dd3<|
St
d4d9||
||||d5�|	�
�

|�r|D]}||D]}t
d-d9||||d,�|	�
�

�qk�qed6|�d7�|
d<d8|
dd3<|
S):a�
    Ensure that the keystone user is present with the specified properties.

    name
        The name of the user to manage

    password
        The password to use for this user.

        .. note::

            If the user already exists and a different password was set for
            the user than the one specified here, the password for the user
            will be updated. Please set the ``password_reset`` option to
            ``False`` if this is not the desired behavior.

    password_reset
        Whether or not to reset password after initial set. Defaults to
        ``True``.

    email
        The email address for this user

    tenant
        The tenant (name) for this user

    project
        The project (name) for this user (overrides tenant in api v3)

    enabled
        Availability state for this user

    roles
        The roles the user should have under given tenants.
        Passed as a dictionary mapping tenant names to a list
        of roles in this tenant, i.e.::

            roles:
                admin:   # tenant
                  - admin  # role
                service:
                  - admin
                  - Member
    T�User "�" will be updated��name�changes�result�commentrN�keystone.tenant_get�rr�ErrorFr�Tenant / project "z" does not existr�id�keystone.user_get�email�enabledzkeystone.user_verify_password)r�passwordr�test�Will be updatedrZEmailzWill be True�EnabledzWill be added to "z" tenant�TenantZPasswordz" is already presentzkeystone.user_update)rrr�" has been updated�Updated)rrr�Now )r�tenantrz
Added to "zkeystone.user_password_update)Z	user_nameZtenant_namerzkeystone.user_role_listz!User roles "{}" will been updated)�user�roler(rzkeystone.user_role_add�roleszkeystone.user_role_removezKeystone user "�" will be added�Will be created�Userzkeystone.user_create)rr rrrrzKeystone user z has been added�Createdr)
rr
�getr�__opts__�dict�format�append�list�set)rr rr(rr+rZpassword_resetZprojectr�retZ
tenantdatarr)Zchange_emailZchange_enabledZ
change_tenantZchange_password�argsZtenant_rolesr*ZaddargsZnewroleZroles_to_removeZoldrolerrr�user_presentis`
9



�


�
�













�
�

�
�
�
�











�
�


�
�


�
�


�
�




��






�



���	

�





�



���	

�2�










��	






�
��
r9cK�|id
d|�d�d�}tdd||
d�|�
�
}d|v
rHt
�d�
r.d	|d
<d|�d�|d<|Std
d||
d�|�
�

d|�d�|d<d|dd<|S)zo
    Ensure that the keystone user is absent.

    name
        The name of the user that should not exist
    Tr�" is already absentrrrrr!Nr�" will be deletedrzkeystone.user_delete�" has been deleted�Deletedrr.r�r
r1r0)rrrr7r)rrr�user_absentT
�



�







r@cKs�
|id
d|�d�d�}td%d|i
|�
�

t
dd%||d�|�
�
}d|v
r�||�d	d
�|
krct�d�
rGd
|d<d|�d
�|d<d|dd<|St
dd%||
||d�|�
�

d|�d�|d<d|dd<||�dd
�|kr�t�d�
r�d
|d<d|�d
�|d<d|��|dd<|St
dd%||
||d�|�
�

d|�d�|d<d|��|dd<|St�d�
r�d
|d<d|�d�|d<d|dd<|Stdkr�t
dd%|d|
||d �|�
�
}nt
d!d%||
||d�|�
�
}|d
ur�d"n
d#|dd<||d<d|�d$�|d<|S)&z�
    Ensures that the keystone tenant exists

    name
        The name of the tenant to manage

    description
        The description to use for this tenant

    enabled
        Availability state for this tenant
    Tr�" already existsrrrrr�descriptionNr!rrrr"rZDescriptionzkeystone.tenant_update)rrCrrr%r&rzWill be r#r'r,r-r$rzkeystone.project_create�default)r�domainrCrrzkeystone.tenant_creater/ZFailed�" has been addedr)rr
r0r1r
)rrCrrrr7r(�createdrrr�tenant_presentq
s�



�
�
�











��












��

�









��	



��


rHcKr:)zs
    Ensure that the keystone tenant is absent.

    name
        The name of the tenant that should not exist
    Trr;rrrrr!Nrr<rzkeystone.tenant_deleter=r>rzTenant/Projectrr?)rrrr7r(rrr�
tenant_absent�
�.



�
�
�





�
�
rIcKst|f
|
||d
�|�
�
S)a�

    Ensures that the keystone project exists
    Alias for tenant_present from V2 API to fulfill
    V3 API naming convention.

    .. versionadded:: 2016.11.0

    name
        The name of the project to manage

    description
        The description to use for this project

    enabled
        Availability state for this project

    .. code-block:: yaml

        nova:
            keystone.project_present:
                - enabled: True
                - description: 'Nova Compute Service'

    )rCrr)
rH)rrCrrrrrr�project_present�
s
�

��rKcKst|f
d
|
i
|�
�
S)aY

    Ensure that the keystone project is absent.
    Alias for tenant_absent from V2 API to fulfill
    V3 API naming convention.

    .. versionadded:: 2016.11.0

    name
        The name of the project that should not exist

    .. code-block:: yaml

        delete_nova:
            keystone.project_absent:
                - name: nova
    r)
rI)rrrrrr�project_absentsrLcKs�|id
d|�d�d�}tdd||
d�|�
�
}d|v
r|St
�d�
r0d	|d
<d|�d�|d<|Std
|f
d|
i
|�
�

d|�d�|d<d|dd<|S)zn'
    Ensures that the keystone role exists

    name
        The name of the role that should be present
    T�Role "rBr�keystone.role_getrrr!Nrr,rzkeystone.role_createrrFr/r�Rolerr?�rrrr7r*rrr�role_present&s 



�







rQcKr:)zo
    Ensure that the keystone role is absent.

    name
        The name of the role that should not exist
    TrMr;rrNrrr!Nrr<rzkeystone.role_deleter=r>rrOrr?rPrrr�role_absentErArRcKs�|id
d|�d�d�}tdd||d�|�
�
}d|v
r|St
�d�
r0d	|d
<d|�d�|d<|Std
||
|fd|i
|�
�

d|�d�|d<d|dd<|S)z�
    Ensure service present in Keystone catalog

    name
        The name of the service

    service_type
        The type of Openstack Service

    description (optional)
        Description of the service
    T�	Service "rBr�keystone.service_getrrr!Nrr,rzkeystone.service_createrrFr/r�Servicerr?)rZservice_typerCrrr7r*rrr�service_presentbs4



�
�
�





�
�
�
rVcKr:)z�
    Ensure that the service doesn't exist in Keystone catalog

    name
        The name of the service that should not exist
    TrSr;rrTrrr!Nrr<rzkeystone.service_deleter=r>rrUrr?rPrrr�service_absent�rJrWc
s(�id
dd��td(d�i
�
�
�

t
d��f��d��
�
�
}	�f
dd�}
��
��������	f
d	d
�}|	�
r^d|	v
�
r^|	�d�
�k�
r^td
kr�d}d}
|	�dd��	krc|
d�|	�dd��	��
�d<d
}|	�dd��kr{|
d�|	�dd����
�d<d
}
t�d�
r�|s�|
r�d�d<d�dd<�dd���
7<�S|r��	�dd<|
r���dd<n�d}d}d}|	�dd��kr�d
}|
d�|	�dd����
�d<|	�dd��kr�d
}|
d�|	�dd����
�d<|	�dd��kr�d
}|
d �|	�dd����
�d<t�d�
�
r |�
s	|�
s	|�
r d�d<�dd���
7<d�dd<�S|�
r)��dd<|�
r2��dd<|�
r;��dd<�d�
r]t
d!��f��d��
�
�

|�
�dd"��d#�7<n%t�d�
�
rxd�d<d$�dd<d"��d%��d<�S|�
d"��d&��d<�ddk�
r�d"��d'��d<�S))a
    Ensure the specified endpoints exists for service

    name
        The Service name

    publicurl
        The public url of service endpoint (for V2 API)

    internalurl
        The internal url of service endpoint (for V2 API)

    adminurl
        The admin url of the service endpoint (for V2 API)

    region
        The region of the endpoint

    url
        The endpoint URL (for V3 API)

    interface
        The interface type, which describes the visibility
        of the endpoint. (for V3 API)

    T�rr�keystone.endpoint_get�r�	interfacec

s��d
d�|dS)NrrX�

)
r0)
�desc)
r7rr�_changes�s
z"endpoint_present.<locals>._changescsVtd
krt
d�f
��	��d��
�
�
�d<dSt
d�f
�����d��
�
�
�d<dS)Nrzkeystone.endpoint_create)�region�urlr[rr)r_�	publicurl�adminurl�internalurlr)r
r
r�
rbrr[rcrrrar_r7r`rr�_create_endpoint�s,


�


��	
�



��z*endpoint_present.<locals>._create_endpointrr_rFr`NzURL changes from "{}" to "{}"rr[z#Interface changes from "{}" to "{}"r!rr"rZEndpointz)Endpoint for service "{}" will be updatedraz$Public URL changes from "{}" to "{}"rbz#Admin URL changes from "{}" to "{}"rcz&Internal URL changes from "{}" to "{}"�keystone.endpoint_delete�Endpoint for service "r%r-r,rFrBr)rr
r0r
r3r1)rrarcrbr_rr`r[r�endpointr^reZ
change_urlZchange_interfaceZchange_publicurlZchange_adminurlZchange_internalurlrrdr�endpoint_present�s�%
�
�
� 



��


��



�

�




��



��



��
�
�
�

�






�
�
�
�







ric	Ks�|id
d�||du
rd|�d�n
d�d�}t
d||
f||d	�|�
�
}|s'|St�d
�
r:d|d<d|�d
�|d<|St
d||
f||d	�|�
�

d�||du
rUd|�d�n
d�|d<d|dd<|S)ad

    Ensure that the endpoint for a service doesn't exist in Keystone catalog

    name
        The name of the service whose endpoints should not exist

    region (optional)
        The region of the endpoint.  Defaults to ``RegionOne``.

    interface
        The interface type, which describes the visibility
        of the endpoint. (for V3 API)
    Tz-Endpoint for service "{}"{} is already absentNz
, interface "z",rXrrYrZr!rrgr<rrfz,Endpoint for service "{}"{} has been deletedr>rrh)r3r
r1r0)rr_rr[rr7rhrrr�endpoint_absent`sD




��
�
�
�





�
�
�

�
rj)
N)NTNNTN)NTN)NN)NNNNNNN)NNN)�__doc__rr
rrr9r@rHrIrKrLrQrRrVrWrirjrrrr�<module>
sFE	







�
l
�
Z"
�
%


�
,#






�2