feat: Enable system_scope token support (#498)

Add support to authorize with the system scope. Corresponding payload is
added, as well as token validation.

Author: gtema

src/api/v3/auth/token/common.rs

@@ -131,9 +131,7 @@ pub(super) async fn get_authz_info(
                 return Err(KeystoneApiError::Unauthorized(None));
             }
         }
-        Some(Scope::System(_scope)) => {
-            todo!()
-        }
+        Some(Scope::System(_scope)) => AuthzInfo::System,
         None => AuthzInfo::Unscoped,
     };
     authz_info.validate()?;

src/api/v3/auth/token/token_impl.rs

@@ -14,7 +14,7 @@
 
 use crate::api::common;
 use crate::api::error::KeystoneApiError;
-use crate::api::v3::auth::token::types::{Token, TokenBuilder, UserBuilder};
+use crate::api::v3::auth::token::types::{System, Token, TokenBuilder, UserBuilder};
 use crate::api::v3::role::types::Role;
 use crate::identity::IdentityApi;
 use crate::keystone::ServiceState;
@@ -38,6 +38,7 @@ impl Token {
         response.audit_ids(token.audit_ids().clone());
         response.methods(token.methods().clone());
         response.expires_at(*token.expires_at());
+        response.issued_at(*token.issued_at());
 
         let user = if let Some(user) = token.user() {
             user
@@ -75,15 +76,7 @@ impl Token {
         }
 
         match token {
-            ProviderToken::Unscoped(_token) => {}
-            ProviderToken::DomainScope(token) => {
-                if domain.is_none() {
-                    domain = Some(
-                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
-                    );
-                }
-            }
-            ProviderToken::ProjectScope(token) => {
+            ProviderToken::ApplicationCredential(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -98,7 +91,22 @@ impl Token {
                     );
                 }
             }
-            ProviderToken::ApplicationCredential(token) => {
+            ProviderToken::DomainScope(token) => {
+                if domain.is_none() {
+                    domain = Some(
+                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
+                    );
+                }
+            }
+            ProviderToken::FederationUnscoped(_token) => {}
+            ProviderToken::FederationDomainScope(token) => {
+                if domain.is_none() {
+                    domain = Some(
+                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
+                    );
+                }
+            }
+            ProviderToken::FederationProjectScope(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -113,15 +121,7 @@ impl Token {
                     );
                 }
             }
-            ProviderToken::FederationUnscoped(_token) => {}
-            ProviderToken::FederationDomainScope(token) => {
-                if domain.is_none() {
-                    domain = Some(
-                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
-                    );
-                }
-            }
-            ProviderToken::FederationProjectScope(token) => {
+            ProviderToken::ProjectScope(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -151,6 +151,9 @@ impl Token {
                     );
                 }
             }
+            ProviderToken::SystemScope(_token) => {
+                response.system(System { all: true });
+            }
             ProviderToken::Trust(token) => {
                 if project.is_none() {
                     project = Some(
@@ -182,6 +185,7 @@ impl Token {
                     );
                 }
             }
+            ProviderToken::Unscoped(_token) => {}
         }
 
         if let Some(domain) = domain {

src/api/v3/auth/token/types.rs

@@ -62,6 +62,9 @@ pub struct Token {
     /// The date and time when the token expires.
     pub expires_at: DateTime<Utc>,
 
+    /// The date and time when the token was issued.
+    pub issued_at: DateTime<Utc>,
+
     // # Subject
     /// A user object.
     //#[builder(default)]
@@ -98,6 +101,12 @@ pub struct Token {
     #[validate(nested)]
     pub roles: Option<Vec<Role>>,
 
+    /// A system object.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[builder(default)]
+    #[validate(nested)]
+    pub system: Option<System>,
+
     /// A catalog object.
     #[serde(skip_serializing_if = "Option::is_none")]
     #[builder(default)]
@@ -286,3 +295,12 @@ pub struct ValidateTokenParameters {
     /// return a 404 exception.
     pub allow_expired: Option<bool>,
 }
+
+/// System information.
+#[derive(Builder, Clone, Debug, Default, Deserialize, PartialEq, Serialize, ToSchema, Validate)]
+#[builder(build_fn(error = "BuilderError"))]
+#[builder(setter(into, strip_option))]
+pub struct System {
+    /// All
+    pub all: bool,
+}

src/api/v4/auth/token/token_impl.rs

@@ -15,7 +15,7 @@
 use crate::api::common;
 use crate::api::error::KeystoneApiError;
 use crate::api::v3::role::types::Role;
-use crate::api::v4::auth::token::types::{Token, TokenBuilder, UserBuilder};
+use crate::api::v4::auth::token::types::{System, Token, TokenBuilder, UserBuilder};
 use crate::identity::IdentityApi;
 use crate::keystone::ServiceState;
 use crate::resource::{
@@ -37,6 +37,7 @@ impl Token {
         response.audit_ids(token.audit_ids().clone());
         response.methods(token.methods().clone());
         response.expires_at(*token.expires_at());
+        response.issued_at(*token.issued_at());
 
         let user = if let Some(user) = token.user() {
             user
@@ -74,15 +75,7 @@ impl Token {
         }
 
         match token {
-            ProviderToken::Unscoped(_token) => {}
-            ProviderToken::DomainScope(token) => {
-                if domain.is_none() {
-                    domain = Some(
-                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
-                    );
-                }
-            }
-            ProviderToken::ProjectScope(token) => {
+            ProviderToken::ApplicationCredential(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -97,7 +90,22 @@ impl Token {
                     );
                 }
             }
-            ProviderToken::ApplicationCredential(token) => {
+            ProviderToken::DomainScope(token) => {
+                if domain.is_none() {
+                    domain = Some(
+                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
+                    );
+                }
+            }
+            ProviderToken::FederationUnscoped(_token) => {}
+            ProviderToken::FederationDomainScope(token) => {
+                if domain.is_none() {
+                    domain = Some(
+                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
+                    );
+                }
+            }
+            ProviderToken::FederationProjectScope(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -112,15 +120,7 @@ impl Token {
                     );
                 }
             }
-            ProviderToken::FederationUnscoped(_token) => {}
-            ProviderToken::FederationDomainScope(token) => {
-                if domain.is_none() {
-                    domain = Some(
-                        common::get_domain(state, Some(&token.domain_id), None::<&str>).await?,
-                    );
-                }
-            }
-            ProviderToken::FederationProjectScope(token) => {
+            ProviderToken::ProjectScope(token) => {
                 if project.is_none() {
                     project = Some(
                         state
@@ -150,6 +150,9 @@ impl Token {
                     );
                 }
             }
+            ProviderToken::SystemScope(_token) => {
+                response.system(System { all: true });
+            }
             ProviderToken::Trust(token) => {
                 if project.is_none() {
                     project = Some(
@@ -169,6 +172,7 @@ impl Token {
                     response.trust(trust);
                 }
             }
+            ProviderToken::Unscoped(_token) => {}
         }
 
         if let Some(domain) = domain {

src/api/v4/auth/token/types.rs

@@ -62,11 +62,16 @@ pub struct Token {
     /// The date and time when the token expires.
     pub expires_at: DateTime<Utc>,
 
+    /// The date and time when the token was issued.
+    pub issued_at: DateTime<Utc>,
+
+    // # Subject
     /// A user object.
     //#[builder(default)]
     #[validate(nested)]
     pub user: User,
 
+    // # Scope
     /// A domain object including the id and name representing the domain the
     /// token is scoped to. This is only included in tokens that are scoped
     /// to a domain.
@@ -83,12 +88,19 @@ pub struct Token {
     #[validate(nested)]
     pub project: Option<Project>,
 
+    /// A system object.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    #[builder(default)]
+    #[validate(nested)]
+    pub system: Option<System>,
+
     /// A trust object.
     #[serde(skip_serializing_if = "Option::is_none", rename = "OS-TRUST:trust")]
     #[builder(default)]
     #[validate(nested)]
     pub trust: Option<TokenTrustRepr>,
 
+    // # Roles on the scope.
     /// A list of role objects
     #[serde(skip_serializing_if = "Option::is_none")]
     #[builder(default)]
@@ -275,3 +287,12 @@ pub struct ValidateTokenParameters {
     /// return a 404 exception.
     pub allow_expired: Option<bool>,
 }
+
+/// System information.
+#[derive(Builder, Clone, Debug, Default, Deserialize, PartialEq, Serialize, ToSchema, Validate)]
+#[builder(build_fn(error = "BuilderError"))]
+#[builder(setter(into, strip_option))]
+pub struct System {
+    /// All
+    pub all: bool,
+}

src/assignment/mod.rs

@@ -217,7 +217,7 @@ impl AssignmentApi for AssignmentProvider {
                 r#type: RoleAssignmentTargetType::Domain,
                 inherited: Some(false),
             });
-        } else if let Some(val) = &params.system {
+        } else if let Some(val) = &params.system_id {
             targets.push(RoleAssignmentTarget {
                 id: val.clone(),
                 r#type: RoleAssignmentTargetType::System,

src/assignment/types/assignment.rs

@@ -230,7 +230,7 @@ pub struct RoleAssignmentListParameters {
     /// Query role assignments on the system.
     #[builder(default)]
     #[validate(length(max = 64))]
-    pub system: Option<String>,
+    pub system_id: Option<String>,
 
     // #[builder(default)]
     // pub inherited: Option<bool>,

src/auth/mod.rs

@@ -156,6 +156,8 @@ pub enum AuthzInfo {
     Domain(Domain),
     /// Project scope.
     Project(Project),
+    /// System scope.
+    System,
     /// Trust scope.
     Trust(Trust),
     /// Unscoped.
@@ -180,6 +182,7 @@ impl AuthzInfo {
                     return Err(AuthenticationError::Unauthorized);
                 }
             }
+            AuthzInfo::System => {}
             AuthzInfo::Trust(_) => {}
             AuthzInfo::Unscoped => {}
         }
@@ -295,6 +298,13 @@ mod tests {
         }
     }
 
+    #[test]
+    #[traced_test]
+    fn test_authz_validate_system() {
+        let authz = AuthzInfo::System;
+        assert!(authz.validate().is_ok());
+    }
+
     #[test]
     #[traced_test]
     fn test_authz_validate_unscoped() {