openstack
/
keystone
Code Issues Proposed changes
Browse Source

Merge "Use request object in policy enforcement"

changes/35/318435/69
Jenkins 6 years ago committed by Gerrit Code Review
parent
407bd301b3 187490fd7e
commit
5122632f3d
4 changed files with 17 additions and 17 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      keystone/assignment/controllers.py
  2. 10
      keystone/common/controller.py
  3. 4
      keystone/contrib/ec2/controllers.py
  4. 12
      keystone/identity/controllers.py

8
keystone/assignment/controllers.py
Unescape View File

@ -599,7 +599,7 @@ class GrantAssignmentV3(controller.V3Controller):
context['path'].startswith('/OS-INHERIT') and
context['path'].endswith('/inherited_to_projects'))
def _check_grant_protection(self, context, protection, role_id=None,
def _check_grant_protection(self, request, protection, role_id=None,
user_id=None, group_id=None,
domain_id=None, project_id=None,
allow_no_user=False):
@ -627,7 +627,7 @@ class GrantAssignmentV3(controller.V3Controller):
else:
ref['project'] = self.resource_api.get_project(project_id)
self.check_protection(context, protection, ref)
self.check_protection(request, protection, ref)
@controller.protected(callback=_check_grant_protection)
def create_grant(self, request, role_id, user_id=None,
@ -947,7 +947,7 @@ class RoleAssignmentV3(controller.V3Controller):
def list_role_assignments(self, request, filters):
return self._list_role_assignments(request, filters)
def _check_list_tree_protection(self, context, protection_info):
def _check_list_tree_protection(self, request, protection_info):
"""Check protection for list assignment for tree API.
The policy rule might want to inspect the domain of any project filter
@ -960,7 +960,7 @@ class RoleAssignmentV3(controller.V3Controller):
if filter == 'scope.project.id' and value:
ref['project'] = self.resource_api.get_project(value)
self.check_protection(context, protection_info, ref)
self.check_protection(request, protection_info, ref)
@controller.filterprotected('group.id', 'role.id',
'scope.domain.id', 'scope.project.id',

10
keystone/common/controller.py
Unescape View File

@ -129,7 +129,7 @@ def protected(callback=None):
prep_info = {'f_name': f.__name__,
'input_attr': kwargs}
callback(self,
request.context_dict,
request,
prep_info,
*args,
**kwargs)
@ -234,7 +234,7 @@ def filterprotected(*filters, **callback):
'input_attr': kwargs,
'filter_attr': target}
callback['callback'](self,
request.context_dict,
request,
prep_info,
**kwargs)
else:
@ -789,7 +789,7 @@ class V3Controller(wsgi.Application):
"""Override v2 filter to let domain_id out for v3 calls."""
return ref
def check_protection(self, context, prep_info, target_attr=None):
def check_protection(self, request, prep_info, target_attr=None):
"""Provide call protection for complex target attributes.
As well as including the standard parameters from the original API
@ -798,13 +798,13 @@ class V3Controller(wsgi.Application):
they can be referenced by policy rules.
"""
if 'is_admin' in context and context['is_admin']:
if request.context.is_admin:
LOG.warning(_LW('RBAC: Bypassing authorization'))
else:
action = 'identity:%s' % prep_info['f_name']
# TODO(henry-nash) need to log the target attributes as well
creds = _build_policy_check_credentials(self, action,
context,
request.context_dict,
prep_info['input_attr'])
# Build the dict the policy engine will check against from both the
# parameters passed into the call we are protecting (which was

4
keystone/contrib/ec2/controllers.py
Unescape View File

@ -364,7 +364,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
def __init__(self):
super(Ec2ControllerV3, self).__init__()
def _check_credential_owner_and_user_id_match(self, context, prep_info,
def _check_credential_owner_and_user_id_match(self, request, prep_info,
user_id, credential_id):
# NOTE(morganfainberg): this method needs to capture the arguments of
# the method that is decorated with @controller.protected() (with
@ -378,7 +378,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
ref['credential'] = self.credential_api.get_credential(credential_id)
# NOTE(morganfainberg): policy_api is required for this
# check_protection to properly be able to perform policy enforcement.
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def authenticate(self, context, credentials=None, ec2Credentials=None):
(user_ref, project_ref, metadata_ref, roles_ref,

12
keystone/identity/controllers.py
Unescape View File

@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
super(UserV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_user
def _check_user_and_group_protection(self, context, prep_info,
def _check_user_and_group_protection(self, request, prep_info,
user_id, group_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
def _check_group_protection(self, context, prep_info, group_id):
def _check_group_protection(self, request, prep_info, group_id):
ref = {}
ref['group'] = self.identity_api.get_group(group_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
def create_user(self, request, user):
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
super(GroupV3, self).__init__()
self.get_member_from_driver = self.identity_api.get_group
def _check_user_protection(self, context, prep_info, user_id):
def _check_user_protection(self, request, prep_info, user_id):
ref = {}
ref['user'] = self.identity_api.get_user(user_id)
self.check_protection(context, prep_info, ref)
self.check_protection(request, prep_info, ref)
@controller.protected()
def create_group(self, request, group):

Write Preview
Loading…
Cancel
Save