
Merge "Use request object in policy enforcement"

changes/35/318435/69
Jenkins 6 years ago committed by Gerrit Code Review
parent
commit
5122632f3d
  1. 8
      keystone/assignment/controllers.py
  2. 10
      keystone/common/controller.py
  3. 4
      keystone/contrib/ec2/controllers.py
  4. 12
      keystone/identity/controllers.py

8
keystone/assignment/controllers.py

@ -599,7 +599,7 @@ class GrantAssignmentV3(controller.V3Controller):
context['path'].startswith('/OS-INHERIT') and
context['path'].endswith('/inherited_to_projects'))
def _check_grant_protection(self, context, protection, role_id=None,
def _check_grant_protection(self, request, protection, role_id=None,
user_id=None, group_id=None,
domain_id=None, project_id=None,
allow_no_user=False):
@ -627,7 +627,7 @@ class GrantAssignmentV3(controller.V3Controller):
else:
ref['project'] = self.resource_api.get_project(project_id)
self.check_protection(context, protection, ref)
self.check_protection(request, protection, ref)
@controller.protected(callback=_check_grant_protection)
def create_grant(self, request, role_id, user_id=None,
@ -947,7 +947,7 @@ class RoleAssignmentV3(controller.V3Controller):
def list_role_assignments(self, request, filters):
return self._list_role_assignments(request, filters)
def _check_list_tree_protection(self, context, protection_info):
def _check_list_tree_protection(self, request, protection_info):
"""Check protection for list assignment for tree API.
The policy rule might want to inspect the domain of any project filter
@ -960,7 +960,7 @@ class RoleAssignmentV3(controller.V3Controller):
if filter == 'scope.project.id' and value:
ref['project'] = self.resource_api.get_project(value)
self.check_protection(context, protection_info, ref)
self.check_protection(request, protection_info, ref)
@controller.filterprotected('group.id', 'role.id',
'scope.domain.id', 'scope.project.id',
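Review bot: The context lines `context['path'].startswith('/OS-INHERIT')` directly above the renamed `_check_grant_protection` signature show the class still has a helper that reads the context as a dict, so the two calling conventions now coexist in one class: a caller that still passes the old context dict into `_check_grant_protection` or `_check_list_tree_protection` would fail at the `request.context.is_admin` read inside `check_protection`, and the dict-reading helper would fail if handed the request object. I cannot see the callers from here, so this is a request to confirm that the only invocations of the two renamed callbacks go through `controller.protected` / `controller.filterprotected`, ideally with a unit test that calls each with a request whose context is not admin and asserts the policy engine is consulted. The helper that owns the `context['path']` lines begins outside the hunk.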

10
keystone/common/controller.py

@ -129,7 +129,7 @@ def protected(callback=None):
prep_info = {'f_name': f.__name__,
'input_attr': kwargs}
callback(self,
request.context_dict,
request,
prep_info,
*args,
**kwargs)
@ -234,7 +234,7 @@ def filterprotected(*filters, **callback):
'input_attr': kwargs,
'filter_attr': target}
callback['callback'](self,
request.context_dict,
request,
prep_info,
**kwargs)
else:
@ -789,7 +789,7 @@ class V3Controller(wsgi.Application):
"""Override v2 filter to let domain_id out for v3 calls."""
return ref
def check_protection(self, context, prep_info, target_attr=None):
def check_protection(self, request, prep_info, target_attr=None):
"""Provide call protection for complex target attributes.
As well as including the standard parameters from the original API
@ -798,13 +798,13 @@ class V3Controller(wsgi.Application):
they can be referenced by policy rules.
"""
if 'is_admin' in context and context['is_admin']:
if request.context.is_admin:
LOG.warning(_LW('RBAC: Bypassing authorization'))
else:
action = 'identity:%s' % prep_info['f_name']
# TODO(henry-nash) need to log the target attributes as well
creds = _build_policy_check_credentials(self, action,
context,
request.context_dict,
prep_info['input_attr'])
# Build the dict the policy engine will check against from both the
# parameters passed into the call we are protecting (which was
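Review bot: The admin bypass `if request.context.is_admin:` is now a plain attribute read, whereas the removed `if 'is_admin' in context and context['is_admin']:` tolerated a context with no flag at all; if `request.context` can lack that attribute for any request reaching `check_protection`, this raises AttributeError instead of falling through to policy enforcement, which is the safe direction but should be covered by a test that a non-admin request still reaches `_build_policy_check_credentials`. The same method decides the bypass from `request.context` but builds the credentials from `request.context_dict`; presumably one is derived from the other, but if they can diverge the two views of `is_admin` disagree and the bypass warning no longer describes the credentials actually checked. The docstring, which continues outside the hunk, should also name the new parameter, e.g. `:param request: the wsgi request; request.context.is_admin short-circuits enforcement and request.context_dict supplies the policy credentials`. The body of check_protection continues past the end of the hunk.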

4
keystone/contrib/ec2/controllers.py

@ -364,7 +364,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
def __init__(self):
super(Ec2ControllerV3, self).__init__()
def _check_credential_owner_and_user_id_match(self, context, prep_info,
def _check_credential_owner_and_user_id_match(self, request, prep_info,
user_id, credential_id):
# NOTE(morganfainberg): this method needs to capture the arguments of
# the method that is decorated with @controller.protected() (with
@ -378,7 +378,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
ref['credential'] = self.credential_api.get_credential(credential_id)
# NOTE(morganfainberg): policy_api is required for this
# check_protection to properly be able to perform policy enforcement.
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def authenticate(self, context, credentials=None, ec2Credentials=None):
(user_ref, project_ref, metadata_ref, roles_ref,

12
keystone/identity/controllers.py

@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
super(UserV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_user
def _check_user_and_group_protection(self, context, prep_info,
def _check_user_and_group_protection(self, request, prep_info,
user_id, group_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def _check_group_protection(self, context, prep_info, group_id):
def _check_group_protection(self, request, prep_info, group_id):
ref = {}
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
def create_user(self, request, user):
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
super(GroupV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_group
def _check_user_protection(self, context, prep_info, user_id):
def _check_user_protection(self, request, prep_info, user_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
def create_group(self, request, group):
