
Use request object in policy enforcement

Pass the request object through to callbacks and policy enforcement.
This will let us move more of the credential-building work onto the
request in the future.

Change-Id: I85db98430a10080b09a2135544733506071d1491
changes/93/338693/4
Jamie Lennox 6 years ago
parent
commit
187490fd7e
  1. 8
      keystone/assignment/controllers.py
  2. 10
      keystone/common/controller.py
  3. 4
      keystone/contrib/ec2/controllers.py
  4. 12
      keystone/identity/controllers.py

8
keystone/assignment/controllers.py

@ -593,7 +593,7 @@ class GrantAssignmentV3(controller.V3Controller):
context['path'].startswith('/OS-INHERIT') and
context['path'].endswith('/inherited_to_projects'))
def _check_grant_protection(self, context, protection, role_id=None,
def _check_grant_protection(self, request, protection, role_id=None,
user_id=None, group_id=None,
domain_id=None, project_id=None,
allow_no_user=False):
@ -621,7 +621,7 @@ class GrantAssignmentV3(controller.V3Controller):
else:
ref['project'] = self.resource_api.get_project(project_id)
self.check_protection(context, protection, ref)
self.check_protection(request, protection, ref)
@controller.protected(callback=_check_grant_protection)
def create_grant(self, request, role_id, user_id=None,
@ -941,7 +941,7 @@ class RoleAssignmentV3(controller.V3Controller):
def list_role_assignments(self, request, filters):
return self._list_role_assignments(request, filters)
def _check_list_tree_protection(self, context, protection_info):
def _check_list_tree_protection(self, request, protection_info):
"""Check protection for list assignment for tree API.
The policy rule might want to inspect the domain of any project filter
@ -954,7 +954,7 @@ class RoleAssignmentV3(controller.V3Controller):
if filter == 'scope.project.id' and value:
ref['project'] = self.resource_api.get_project(value)
self.check_protection(context, protection_info, ref)
self.check_protection(request, protection_info, ref)
@controller.filterprotected('group.id', 'role.id',
'scope.domain.id', 'scope.project.id',
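Review bot: The docstring of `_check_list_tree_protection` at `Check protection for list assignment for tree API.` does not say what the new `request` parameter is, and `_check_grant_protection` in the first hunk has the same signature change with its docstring outside the hunk; add a line such as `:param request: the incoming wsgi request; its context supplies the is_admin flag and the credentials check_protection builds the policy check from` to both. The context lines of the first hunk still read `context['path']` in the preceding helper, which is not a protection callback and so is presumably unaffected, but a reader may wonder why two adjacent helpers take different objects; a short comment there would settle it. Both changed functions continue past their hunks.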

10
keystone/common/controller.py

@ -129,7 +129,7 @@ def protected(callback=None):
prep_info = {'f_name': f.__name__,
'input_attr': kwargs}
callback(self,
request.context_dict,
request,
prep_info,
*args,
**kwargs)
@ -235,7 +235,7 @@ def filterprotected(*filters, **callback):
'input_attr': kwargs,
'filter_attr': target}
callback['callback'](self,
request.context_dict,
request,
prep_info,
**kwargs)
else:
@ -792,7 +792,7 @@ class V3Controller(wsgi.Application):
"""Override v2 filter to let domain_id out for v3 calls."""
return ref
def check_protection(self, context, prep_info, target_attr=None):
def check_protection(self, request, prep_info, target_attr=None):
"""Provide call protection for complex target attributes.
As well as including the standard parameters from the original API
@ -801,13 +801,13 @@ class V3Controller(wsgi.Application):
they can be referenced by policy rules.
"""
if 'is_admin' in context and context['is_admin']:
if request.context.is_admin:
LOG.warning(_LW('RBAC: Bypassing authorization'))
else:
action = 'identity:%s' % prep_info['f_name']
# TODO(henry-nash) need to log the target attributes as well
creds = _build_policy_check_credentials(self, action,
context,
request.context_dict,
prep_info['input_attr'])
# Build the dict the policy engine will check against from both the
# parameters passed into the call we are protecting (which was
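Review bot: The bypass branch at `if request.context.is_admin:` logs only a fixed string, so the audit trail cannot tell which protected call was skipped; since `action` is computed only in the else branch, hoist `action = 'identity:%s' % prep_info['f_name']` above the `if` and log it with `LOG.warning(_LW('RBAC: Bypassing authorization for %s'), action)`. The old form tolerated a context dict with no `is_admin` key, whereas the new attribute access presumably relies on every request context defining `is_admin`; worth confirming for contexts constructed outside the normal request pipeline, such as in tests. The docstring at `Provide call protection for complex target attributes.` should also state that `request` replaces the former context dict as the first parameter, and check_protection's body continues past the hunk.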

4
keystone/contrib/ec2/controllers.py

@ -363,7 +363,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
def __init__(self):
super(Ec2ControllerV3, self).__init__()
def _check_credential_owner_and_user_id_match(self, context, prep_info,
def _check_credential_owner_and_user_id_match(self, request, prep_info,
user_id, credential_id):
# NOTE(morganfainberg): this method needs to capture the arguments of
# the method that is decorated with @controller.protected() (with
@ -377,7 +377,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
ref['credential'] = self.credential_api.get_credential(credential_id)
# NOTE(morganfainberg): policy_api is required for this
# check_protection to properly be able to perform policy enforcement.
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def authenticate(self, context, credentials=None, ec2Credentials=None):
(user_ref, project_ref, metadata_ref, roles_ref,
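Review bot: `_check_credential_owner_and_user_id_match` has no docstring, and the NOTE(morganfainberg) comment describing the argument-capture contract never names the positional `request` the callback now receives; add a one-line docstring such as `Callback for @controller.protected: load the credential and enforce policy on it using the request's context.` and extend the NOTE to say the first argument after self is the request passed in by `protected`. Separately, the lookup at `ref['credential'] = self.credential_api.get_credential(credential_id)` runs before check_protection, so if it raises on an unknown id a caller that policy would reject still learns whether the id exists; this is pre-existing, but a comment acknowledging the ordering would help the next reader. The method's start and the following `authenticate` are only partly within the hunk.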

12
keystone/identity/controllers.py

@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
super(UserV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_user
def _check_user_and_group_protection(self, context, prep_info,
def _check_user_and_group_protection(self, request, prep_info,
user_id, group_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def _check_group_protection(self, context, prep_info, group_id):
def _check_group_protection(self, request, prep_info, group_id):
ref = {}
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
@validation.validated(schema.user_create, 'user')
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
super(GroupV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_group
def _check_user_protection(self, context, prep_info, user_id):
def _check_user_protection(self, request, prep_info, user_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
@validation.validated(schema.group_create, 'group')
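Review bot: The callbacks at `def _check_user_and_group_protection(self, request, prep_info,`, `_check_group_protection` and `_check_user_protection` build `ref` by creating an empty dict and assigning keys one at a time; a literal reads more directly, e.g. `ref = {'user': self.identity_api.get_user(user_id), 'group': self.identity_api.get_group(group_id)}` for the first and `ref = {'group': self.identity_api.get_group(group_id)}` for the second. None of the three carries a docstring; a one-liner such as `Load the target user/group and enforce policy against them for the protected call.` would make the contract with `controller.protected` explicit. The GroupV3 hunk at `@ -303,10` has the same shape and the same missing docstring.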
