From 187490fd7ec80b8c8c932d897408e5e185705dfa Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Thu, 7 Jul 2016 15:07:17 +1000
Subject: [PATCH] Use request object in policy enforcement

Pass the request object through to callbacks and policy enforcement. This will let us move some more credential building work onto the request in future.

Change-Id: I85db98430a10080b09a2135544733506071d1491
---
 keystone/assignment/controllers.py | 8 ++++----
 keystone/common/controller.py | 10 +++++-----
 keystone/contrib/ec2/controllers.py | 4 ++--
 keystone/identity/controllers.py | 12 ++++++------
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py
index 28a7f677f5..f8c88617aa 100644
--- a/keystone/assignment/controllers.py
+++ b/keystone/assignment/controllers.py
@@ -593,7 +593,7 @@ class GrantAssignmentV3(controller.V3Controller):
                 context['path'].startswith('/OS-INHERIT') and
                 context['path'].endswith('/inherited_to_projects'))
 
-    def _check_grant_protection(self, context, protection, role_id=None,
+    def _check_grant_protection(self, request, protection, role_id=None,
                                 user_id=None, group_id=None, domain_id=None,
                                 project_id=None, allow_no_user=False):
@@ -621,7 +621,7 @@ class GrantAssignmentV3(controller.V3Controller):
         else:
             ref['project'] = self.resource_api.get_project(project_id)
 
-        self.check_protection(context, protection, ref)
+        self.check_protection(request, protection, ref)
 
     @controller.protected(callback=_check_grant_protection)
     def create_grant(self, request, role_id, user_id=None,
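Review bot: `_check_if_inherited`, whose tail is the context at the top of the -593 hunk, still indexes a context dict (`context['path']`) while the sibling callback directly below it now takes `request`, so the class carries both conventions side by side and `create_grant` presumably has to hand one helper `request` and the other `request.context_dict`. Since the commit message says more of this work is moving onto the request, a short comment on `_check_if_inherited` such as `# still takes the context dict; the protected callbacks below take the Request` would stop the next reader from assuming the two helpers share an argument. The body of `_check_grant_protection` lies between the two hunks and is not visible here.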
@@ -941,7 +941,7 @@ class RoleAssignmentV3(controller.V3Controller):
     def list_role_assignments(self, request, filters):
         return self._list_role_assignments(request, filters)
 
-    def _check_list_tree_protection(self, context, protection_info):
+    def _check_list_tree_protection(self, request, protection_info):
         """Check protection for list assignment for tree API.
 
         The policy rule might want to inspect the domain of any project filter
@@ -954,7 +954,7 @@ class RoleAssignmentV3(controller.V3Controller):
             if filter == 'scope.project.id' and value:
                 ref['project'] = self.resource_api.get_project(value)
 
-        self.check_protection(context, protection_info, ref)
+        self.check_protection(request, protection_info, ref)
 
     @controller.filterprotected('group.id', 'role.id', 'scope.domain.id',
                                 'scope.project.id',
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index da926b8dbd..d875a9ad20 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -129,7 +129,7 @@ def protected(callback=None):
                 prep_info = {'f_name': f.__name__,
                              'input_attr': kwargs}
                 callback(self,
-                         request.context_dict,
+                         request,
                          prep_info,
                          *args, **kwargs)
@@ -235,7 +235,7 @@ def filterprotected(*filters, **callback):
                              'input_attr': kwargs,
                              'filter_attr': target}
                 callback['callback'](self,
-                                     request.context_dict,
+                                     request,
                                      prep_info,
                                      **kwargs)
             else:
@@ -792,7 +792,7 @@ class V3Controller(wsgi.Application):
         """Override v2 filter to let domain_id out for v3 calls."""
         return ref
 
-    def check_protection(self, context, prep_info, target_attr=None):
+    def check_protection(self, request, prep_info, target_attr=None):
         """Provide call protection for complex target attributes.
 
         As well as including the standard parameters from the original API
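Review bot: The callback in the -129 hunk now receives the Request object where it previously got `request.context_dict`, so any `protected(callback=...)` user not updated in this commit that still subscripts its second argument (as `check_protection` did with `context['is_admin']`) will raise TypeError at enforcement time; the same applies to the `filterprotected` call site in the -235 hunk. That failure is at least fail-closed, since the request errors out rather than proceeding unchecked, but nothing in either decorator states the new contract. I would add to the `protected` docstring `callback(self, request, prep_info, *args, **kwargs) is invoked with the wsgi Request, not a context dict` and the equivalent sentence to `filterprotected`. Both wrapper functions start and end outside their hunks.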
@@ -801,13 +801,13 @@ class V3Controller(wsgi.Application):
         they can be referenced by policy rules.
 
         """
-        if 'is_admin' in context and context['is_admin']:
+        if request.context.is_admin:
             LOG.warning(_LW('RBAC: Bypassing authorization'))
         else:
             action = 'identity:%s' % prep_info['f_name']
             # TODO(henry-nash) need to log the target attributes as well
             creds = _build_policy_check_credentials(self, action,
-                                                    context,
+                                                    request.context_dict,
                                                     prep_info['input_attr'])
             # Build the dict the policy engine will check against from both the
             # parameters passed into the call we are protecting (which was
diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
index 5487bebafd..d6ae212cb8 100644
--- a/keystone/contrib/ec2/controllers.py
+++ b/keystone/contrib/ec2/controllers.py
@@ -363,7 +363,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
     def __init__(self):
         super(Ec2ControllerV3, self).__init__()
 
-    def _check_credential_owner_and_user_id_match(self, context, prep_info,
+    def _check_credential_owner_and_user_id_match(self, request, prep_info,
                                                   user_id, credential_id):
         # NOTE(morganfainberg): this method needs to capture the arguments of
         # the method that is decorated with @controller.protected() (with
@@ -377,7 +377,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
         ref['credential'] = self.credential_api.get_credential(credential_id)
         # NOTE(morganfainberg): policy_api is required for this
         # check_protection to properly be able to perform policy enforcement.
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     def authenticate(self, context, credentials=None, ec2Credentials=None):
         (user_ref, project_ref, metadata_ref, roles_ref,
diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index 3dfe27a678..5bedc27606 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
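Review bot: The admin bypass in the -801 hunk now reads `request.context.is_admin` directly, whereas the replaced line tolerated a context with no `'is_admin'` key, so a request whose context object lacks the attribute would now fail with AttributeError instead of falling through to policy enforcement; that is fail-closed, but it relies on the context class always defining `is_admin` with a false default, which is not visible here and should be confirmed. The credential build a few lines down still takes `request.context_dict`, so this method consumes both views of the context, and the new `request` parameter is not described in the docstring that opens above the hunk. A sentence such as `request.context.is_admin short-circuits enforcement (logged as a bypass); request.context_dict is what _build_policy_check_credentials turns into the credentials the policy engine checks` would make that split explicit. The body of `check_protection` continues past the hunk.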
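Review bot: `_check_credential_owner_and_user_id_match` in the -363 hunk has no docstring, and the NOTE below its signature explains only why its positional arguments mirror the decorated method, not what `request` and `prep_info` are; after this change `request` is the wsgi Request rather than a context dict, and `prep_info` (built in the decorator with `f_name` and `input_attr`) is what `check_protection` reads. A one-line docstring such as `"""Protection callback: build the credential/user target ref and enforce policy for the decorated call."""` with a short note on those two arguments would close that gap; the identity callbacks at the -203 and -303 hunks of keystone/identity/controllers.py lack docstrings too. The method body continues past the hunk.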
@@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
         super(UserV3, self).__init__()
         self.get_member_from_driver = self.identity_api.get_user
 
-    def _check_user_and_group_protection(self, context, prep_info,
+    def _check_user_and_group_protection(self, request, prep_info,
                                          user_id, group_id):
         ref = {}
         ref['user'] = self.identity_api.get_user(user_id)
         ref['group'] = self.identity_api.get_group(group_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
-    def _check_group_protection(self, context, prep_info, group_id):
+    def _check_group_protection(self, request, prep_info, group_id):
         ref = {}
         ref['group'] = self.identity_api.get_group(group_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     @controller.protected()
     @validation.validated(schema.user_create, 'user')
@@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
         super(GroupV3, self).__init__()
         self.get_member_from_driver = self.identity_api.get_group
 
-    def _check_user_protection(self, context, prep_info, user_id):
+    def _check_user_protection(self, request, prep_info, user_id):
         ref = {}
         ref['user'] = self.identity_api.get_user(user_id)
-        self.check_protection(context, prep_info, ref)
+        self.check_protection(request, prep_info, ref)
 
     @controller.protected()
     @validation.validated(schema.group_create, 'group')