Add group iteration and syncing support to Keystone auth

data/users/keystone.py

@@ -5,6 +5,7 @@ from keystoneclient.v2_0 import client as kclient
 from keystoneclient.v3 import client as kv3client
 from keystoneclient.exceptions import AuthorizationFailure as KeystoneAuthorizationFailure
 from keystoneclient.exceptions import Unauthorized as KeystoneUnauthorized
+from keystoneclient.exceptions import NotFound as KeystoneNotFound
 from data.users.federated import FederatedUsers, UserInformation
 from util.itertoolrecipes import take
 
@@ -83,6 +84,11 @@ class KeystoneV3Users(FederatedUsers):
     self.debug = os.environ.get('USERS_DEBUG') == '1'
     self.requires_email = requires_email
 
+  def _get_admin_client(self):
+    return kv3client.Client(username=self.admin_username, password=self.admin_password,
+                            tenant_name=self.admin_tenant, auth_url=self.auth_url,
+                            timeout=self.timeout, debug=self.debug)
+
   def verify_credentials(self, username_or_email, password):
     try:
       keystone_client = kv3client.Client(username=username_or_email, password=password,
@@ -116,6 +122,46 @@ class KeystoneV3Users(FederatedUsers):
 
     return (user, None)
 
+  def check_group_lookup_args(self, group_lookup_args):
+    if not group_lookup_args.get('group_id'):
+      return (False, 'Missing group_id')
+
+    group_id = group_lookup_args['group_id']
+    return self._check_group(group_id)
+
+  def _check_group(self, group_id):
+    try:
+      return (bool(self._get_admin_client().groups.get(group_id)), None)
+    except KeystoneNotFound:
+      return (False, 'Group not found')
+    except KeystoneAuthorizationFailure as kaf:
+      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
+      return (False, kaf.message or 'Invalid admin username or password')
+    except KeystoneUnauthorized as kut:
+      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
+      return (False, kut.message or 'Invalid admin username or password')
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    group_id = group_lookup_args['group_id']
+
+    (status, err) = self._check_group(group_id)
+    if not status:
+      return (None, err)
+
+    try:
+      group_member_iterator = self._get_admin_client().users.list(group=group_id)
+      def iterator():
+        for user in group_member_iterator:
+          yield (self._user_info(user), None)
+
+      return (iterator(), None)
+    except KeystoneAuthorizationFailure as kaf:
+      logger.exception('Keystone auth failure for admin user for group lookup %s', group_id)
+      return (False, kaf.message or 'Invalid admin username or password')
+    except KeystoneUnauthorized as kut:
+      logger.exception('Keystone unauthorized for admin user for group lookup %s', group_id)
+      return (False, kut.message or 'Invalid admin username or password')
+
   @staticmethod
   def _user_info(user):
     email = user.email if hasattr(user, 'email') else None
@@ -126,10 +172,7 @@ class KeystoneV3Users(FederatedUsers):
       return ([], self.federated_service, None)
 
     try:
-      keystone_client = kv3client.Client(username=self.admin_username, password=self.admin_password,
-                                         tenant_name=self.admin_tenant, auth_url=self.auth_url,
-                                         timeout=self.timeout, debug=self.debug)
-      found_users = list(take(limit, keystone_client.users.list(name=query)))
+      found_users = list(take(limit, self._get_admin_client().users.list(name=query)))
       logger.debug('For Keystone query %s found users: %s', query, found_users)
       if not found_users:
         return ([], self.federated_service, None)