diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py
index 28a7f677f5..f8c88617aa 100644
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@@ -593,7 +593,7 @@ class GrantAssignmentV3(controller.V3Controller):
                 context['path'].startswith('/OS-INHERIT') and
                 context['path'].endswith('/inherited_to_projects'))
 
-    def _check_grant_protection(self, context, protection, role_id=None,
+    def _check_grant_protection(self, request, protection, role_id=None,
                                 user_id=None, group_id=None, domain_id=None,
                                 project_id=None, allow_no_user=False):
 
@@ -621,7 +621,7 @@ class GrantAssignmentV3(controller.V3Controller):
             else:
                 ref['project'] = self.resource_api.get_project(project_id)
 
-        self.check_protection(context, protection, ref)
+        self.check_protection(request, protection, ref)
 
     @controller.protected(callback=_check_grant_protection)
     def create_grant(self, request, role_id, user_id=None,
@@ -941,7 +941,7 @@ class RoleAssignmentV3(controller.V3Controller):
     def list_role_assignments(self, request, filters):
         return self._list_role_assignments(request, filters)
 
-    def _check_list_tree_protection(self, context, protection_info):
+    def _check_list_tree_protection(self, request, protection_info):
         """Check protection for list assignment for tree API.
 
         The policy rule might want to inspect the domain of any project filter
@@ -954,7 +954,7 @@ class RoleAssignmentV3(controller.V3Controller):
             if filter == 'scope.project.id' and value:
                 ref['project'] = self.resource_api.get_project(value)
 
-        self.check_protection(context, protection_info, ref)
+        self.check_protection(request, protection_info, ref)
 
     @controller.filterprotected('group.id', 'role.id', 'scope.domain.id',
                                 'scope.project.id',
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index da926b8dbd..d875a9ad20 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -129,7 +129,7 @@ def protected(callback=None):
                 prep_info = {'f_name': f.__name__,
                              'input_attr': kwargs}
                 callback(self,
-                         request.context_dict,
+                         request,
                          prep_info,
                          *args,
                          **kwargs)
@@ -235,7 +235,7 @@ def filterprotected(*filters, **callback):
                                  'input_attr': kwargs,
                                  'filter_attr': target}
                     callback['callback'](self,
-                                         request.context_dict,
+                                         request,
                                          prep_info,
                                          **kwargs)
                 else:
@@ -792,7 +792,7 @@ class V3Controller(wsgi.Application):
         """Override v2 filter to let domain_id out for v3 calls."""
         return ref
 
-    def check_protection(self, context, prep_info, target_attr=None):
+    def check_protection(self, request, prep_info, target_attr=None):
         """Provide call protection for complex target attributes.
 
         As well as including the standard parameters from the original API
@@ -801,13 +801,13 @@ class V3Controller(wsgi.Application):
         they can be referenced by policy rules.
 
         """
-        if 'is_admin' in context and context['is_admin']:
+        if request.context.is_admin:
             LOG.warning(_LW('RBAC: Bypassing authorization'))
         else:
             action = 'identity:%s' % prep_info['f_name']
             # TODO(henry-nash) need to log the target attributes as well
             creds = _build_policy_check_credentials(self, action,
-                                                    context,
+                                                    request.context_dict,
                                                     prep_info['input_attr'])
             # Build the dict the policy engine will check against from both the
             # parameters passed into the call we are protecting (which was
diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
index 5487bebafd..d6ae212cb8 100644
--- a/keystone/contrib/ec2/controllers.py
+++ b/keystone/contrib/ec2/controllers.py
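Review bot: The callback on the `+                         request,` line now receives the whole wsgi request where it previously received `request.context_dict`, so any `@protected` or `@filterprotected` callback that was not converted in this change and still indexes its first positional argument as a dict will fail at request time rather than at import time; the `filterprotected` hunk at line 235 makes the same change. The `protected` and `filterprotected` bodies both extend outside their hunks, so whether every in-tree callback was converted cannot be confirmed from here. Worth pinning the new contract with a comment at the call site, e.g. `# callbacks receive the Request; the legacy dict form is request.context_dict`, and checking for remaining callbacks whose first parameter is still named `context`.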
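Review bot: `if request.context.is_admin:` drops the guard that treated a context without `is_admin` as non-admin; on a context object lacking the attribute this now raises AttributeError (a 500) instead of falling through to policy enforcement, which is fail-closed but noisier, and it is only equivalent if every context type reaching `check_protection` defines `is_admin` — not visible from this hunk. The same method still hands `request.context_dict` to `_build_policy_check_credentials` a few lines below, so the object form decides the bypass and the dict form builds the credentials; that split deserves a one-line comment such as `# policy credentials are still built from the legacy dict form of the context`. The `check_protection` docstring in the hunk at line 792 was not updated for the new parameter; a line like `:param request: the wsgi Request whose context drives the admin bypass and the policy credentials` would document it. The body of `check_protection` continues past the hunk.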
@@ -363,7 +363,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
     def __init__(self):
         super(Ec2ControllerV3, self).__init__()
 
-    def _check_credential_owner_and_user_id_match(self, context, prep_info,
+    def _check_credential_owner_and_user_id_match(self, request, prep_info,
                                                   user_id, credential_id):
         # NOTE(morganfainberg): this method needs to capture the arguments of
         # the method that is decorated with @controller.protected() (with
@@ -377,7 +377,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
         ref['credential'] = self.credential_api.get_credential(credential_id)
         # NOTE(morganfainberg): policy_api is required for this
         # check_protection to properly be able to perform policy enforcement.
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     def authenticate(self, context, credentials=None, ec2Credentials=None):
         (user_ref, project_ref, metadata_ref, roles_ref,
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 3dfe27a678..5bedc27606 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
         super(UserV3, self).__init__()
         self.get_member_from_driver = self.identity_api.get_user
 
-    def _check_user_and_group_protection(self, context, prep_info,
+    def _check_user_and_group_protection(self, request, prep_info,
                                          user_id, group_id):
         ref = {}
         ref['user'] = self.identity_api.get_user(user_id)
         ref['group'] = self.identity_api.get_group(group_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
-    def _check_group_protection(self, context, prep_info, group_id):
+    def _check_group_protection(self, request, prep_info, group_id):
         ref = {}
         ref['group'] = self.identity_api.get_group(group_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     @controller.protected()
     @validation.validated(schema.user_create, 'user')
@@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
         super(GroupV3, self).__init__()
         self.get_member_from_driver = self.identity_api.get_group
 
-    def _check_user_protection(self, context, prep_info, user_id):
+    def _check_user_protection(self, request, prep_info, user_id):
         ref = {}
         ref['user'] = self.identity_api.get_user(user_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     @controller.protected()
     @validation.validated(schema.group_create, 'group')