openstack
/
keystone
Code Issues Proposed changes

Use request object in policy enforcement 

Pass the request object through to callbacks and policy enforcement.
This will let us move some more credential building work onto the
request in future.

Change-Id: I85db98430a10080b09a2135544733506071d1491
This commit is contained in:
Jamie Lennox 2016-07-07 15:07:17 +10:00
parent e4ed9a4bd1
commit 187490fd7e
4 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
keystone/assignment/controllers.py
View File

@ -593,7 +593,7 @@ class GrantAssignmentV3(controller.V3Controller):
context['path'].startswith('/OS-INHERIT') and
context['path'].endswith('/inherited_to_projects'))
def _check_grant_protection(self, context, protection, role_id=None,
def _check_grant_protection(self, request, protection, role_id=None,
user_id=None, group_id=None,
domain_id=None, project_id=None,
allow_no_user=False):
@ -621,7 +621,7 @@ class GrantAssignmentV3(controller.V3Controller):
else:
ref['project'] = self.resource_api.get_project(project_id)
self.check_protection(context, protection, ref)
self.check_protection(request, protection, ref)
@controller.protected(callback=_check_grant_protection)
def create_grant(self, request, role_id, user_id=None,
@ -941,7 +941,7 @@ class RoleAssignmentV3(controller.V3Controller):
def list_role_assignments(self, request, filters):
return self._list_role_assignments(request, filters)
def _check_list_tree_protection(self, context, protection_info):
def _check_list_tree_protection(self, request, protection_info):
"""Check protection for list assignment for tree API.
The policy rule might want to inspect the domain of any project filter
@ -954,7 +954,7 @@ class RoleAssignmentV3(controller.V3Controller):
if filter == 'scope.project.id' and value:
ref['project'] = self.resource_api.get_project(value)
self.check_protection(context, protection_info, ref)
self.check_protection(request, protection_info, ref)
@controller.filterprotected('group.id', 'role.id',
'scope.domain.id', 'scope.project.id',

10
keystone/common/controller.py
View File

@ -129,7 +129,7 @@ def protected(callback=None):
prep_info = {'f_name': f.__name__,
'input_attr': kwargs}
callback(self,
request.context_dict,
request,
prep_info,
*args,
**kwargs)
@ -235,7 +235,7 @@ def filterprotected(*filters, **callback):
'input_attr': kwargs,
'filter_attr': target}
callback['callback'](self,
request.context_dict,
request,
prep_info,
**kwargs)
else:
@ -792,7 +792,7 @@ class V3Controller(wsgi.Application):
"""Override v2 filter to let domain_id out for v3 calls."""
return ref
def check_protection(self, context, prep_info, target_attr=None):
def check_protection(self, request, prep_info, target_attr=None):
"""Provide call protection for complex target attributes.
As well as including the standard parameters from the original API
@ -801,13 +801,13 @@ class V3Controller(wsgi.Application):
they can be referenced by policy rules.
"""
if 'is_admin' in context and context['is_admin']:
if request.context.is_admin:
LOG.warning(_LW('RBAC: Bypassing authorization'))
else:
action = 'identity:%s' % prep_info['f_name']
# TODO(henry-nash) need to log the target attributes as well
creds = _build_policy_check_credentials(self, action,
context,
request.context_dict,
prep_info['input_attr'])
# Build the dict the policy engine will check against from both the
# parameters passed into the call we are protecting (which was

4
keystone/contrib/ec2/controllers.py
View File

@ -363,7 +363,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
def __init__(self):
super(Ec2ControllerV3, self).__init__()
def _check_credential_owner_and_user_id_match(self, context, prep_info,
def _check_credential_owner_and_user_id_match(self, request, prep_info,
user_id, credential_id):
# NOTE(morganfainberg): this method needs to capture the arguments of
# the method that is decorated with @controller.protected() (with
@ -377,7 +377,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
ref['credential'] = self.credential_api.get_credential(credential_id)
# NOTE(morganfainberg): policy_api is required for this
# check_protection to properly be able to perform policy enforcement.
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def authenticate(self, context, credentials=None, ec2Credentials=None):
(user_ref, project_ref, metadata_ref, roles_ref,

12
keystone/identity/controllers.py
View File

@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
super(UserV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_user
def _check_user_and_group_protection(self, context, prep_info,
def _check_user_and_group_protection(self, request, prep_info,
user_id, group_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def _check_group_protection(self, context, prep_info, group_id):
def _check_group_protection(self, request, prep_info, group_id):
ref = {}
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
@validation.validated(schema.user_create, 'user')
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
super(GroupV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_group
def _check_user_protection(self, context, prep_info, user_id):
def _check_user_protection(self, request, prep_info, user_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
@validation.validated(schema.group_create, 'group')