Merge "Use request object in policy enforcement"
This commit is contained in:
Jenkins
Gerrit Code Review
commit
5122632f3d
|
|
@ -599,7 +599,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
||||||
context['path'].startswith('/OS-INHERIT') and
|
context['path'].startswith('/OS-INHERIT') and
|
||||||
context['path'].endswith('/inherited_to_projects'))
|
context['path'].endswith('/inherited_to_projects'))
|
||||||
|
|
||||||
def _check_grant_protection(self, context, protection, role_id=None,
|
def _check_grant_protection(self, request, protection, role_id=None,
|
||||||
user_id=None, group_id=None,
|
user_id=None, group_id=None,
|
||||||
domain_id=None, project_id=None,
|
domain_id=None, project_id=None,
|
||||||
allow_no_user=False):
|
allow_no_user=False):
|
||||||
|
|
@ -627,7 +627,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
||||||
else:
|
else:
|
||||||
ref['project'] = self.resource_api.get_project(project_id)
|
ref['project'] = self.resource_api.get_project(project_id)
|
||||||
|
|
||||||
self.check_protection(context, protection, ref)
|
self.check_protection(request, protection, ref)
|
||||||
|
|
||||||
@controller.protected(callback=_check_grant_protection)
|
@controller.protected(callback=_check_grant_protection)
|
||||||
def create_grant(self, request, role_id, user_id=None,
|
def create_grant(self, request, role_id, user_id=None,
|
||||||
|
|
@ -947,7 +947,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
||||||
def list_role_assignments(self, request, filters):
|
def list_role_assignments(self, request, filters):
|
||||||
return self._list_role_assignments(request, filters)
|
return self._list_role_assignments(request, filters)
|
||||||
|
|
||||||
def _check_list_tree_protection(self, context, protection_info):
|
def _check_list_tree_protection(self, request, protection_info):
|
||||||
"""Check protection for list assignment for tree API.
|
"""Check protection for list assignment for tree API.
|
||||||
|
|
||||||
The policy rule might want to inspect the domain of any project filter
|
The policy rule might want to inspect the domain of any project filter
|
||||||
|
|
@ -960,7 +960,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
||||||
if filter == 'scope.project.id' and value:
|
if filter == 'scope.project.id' and value:
|
||||||
ref['project'] = self.resource_api.get_project(value)
|
ref['project'] = self.resource_api.get_project(value)
|
||||||
|
|
||||||
self.check_protection(context, protection_info, ref)
|
self.check_protection(request, protection_info, ref)
|
||||||
|
|
||||||
@controller.filterprotected('group.id', 'role.id',
|
@controller.filterprotected('group.id', 'role.id',
|
||||||
'scope.domain.id', 'scope.project.id',
|
'scope.domain.id', 'scope.project.id',
|
||||||
|
|
|
||||||
|
|
@ -129,7 +129,7 @@ def protected(callback=None):
|
||||||
prep_info = {'f_name': f.__name__,
|
prep_info = {'f_name': f.__name__,
|
||||||
'input_attr': kwargs}
|
'input_attr': kwargs}
|
||||||
callback(self,
|
callback(self,
|
||||||
request.context_dict,
|
request,
|
||||||
prep_info,
|
prep_info,
|
||||||
*args,
|
*args,
|
||||||
**kwargs)
|
**kwargs)
|
||||||
|
|
@ -234,7 +234,7 @@ def filterprotected(*filters, **callback):
|
||||||
'input_attr': kwargs,
|
'input_attr': kwargs,
|
||||||
'filter_attr': target}
|
'filter_attr': target}
|
||||||
callback['callback'](self,
|
callback['callback'](self,
|
||||||
request.context_dict,
|
request,
|
||||||
prep_info,
|
prep_info,
|
||||||
**kwargs)
|
**kwargs)
|
||||||
else:
|
else:
|
||||||
|
|
@ -789,7 +789,7 @@ class V3Controller(wsgi.Application):
|
||||||
"""Override v2 filter to let domain_id out for v3 calls."""
|
"""Override v2 filter to let domain_id out for v3 calls."""
|
||||||
return ref
|
return ref
|
||||||
|
|
||||||
def check_protection(self, context, prep_info, target_attr=None):
|
def check_protection(self, request, prep_info, target_attr=None):
|
||||||
"""Provide call protection for complex target attributes.
|
"""Provide call protection for complex target attributes.
|
||||||
|
|
||||||
As well as including the standard parameters from the original API
|
As well as including the standard parameters from the original API
|
||||||
|
|
@ -798,13 +798,13 @@ class V3Controller(wsgi.Application):
|
||||||
they can be referenced by policy rules.
|
they can be referenced by policy rules.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
if 'is_admin' in context and context['is_admin']:
|
if request.context.is_admin:
|
||||||
LOG.warning(_LW('RBAC: Bypassing authorization'))
|
LOG.warning(_LW('RBAC: Bypassing authorization'))
|
||||||
else:
|
else:
|
||||||
action = 'identity:%s' % prep_info['f_name']
|
action = 'identity:%s' % prep_info['f_name']
|
||||||
# TODO(henry-nash) need to log the target attributes as well
|
# TODO(henry-nash) need to log the target attributes as well
|
||||||
creds = _build_policy_check_credentials(self, action,
|
creds = _build_policy_check_credentials(self, action,
|
||||||
context,
|
request.context_dict,
|
||||||
prep_info['input_attr'])
|
prep_info['input_attr'])
|
||||||
# Build the dict the policy engine will check against from both the
|
# Build the dict the policy engine will check against from both the
|
||||||
# parameters passed into the call we are protecting (which was
|
# parameters passed into the call we are protecting (which was
|
||||||
|
|
|
||||||
|
|
@ -364,7 +364,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super(Ec2ControllerV3, self).__init__()
|
super(Ec2ControllerV3, self).__init__()
|
||||||
|
|
||||||
def _check_credential_owner_and_user_id_match(self, context, prep_info,
|
def _check_credential_owner_and_user_id_match(self, request, prep_info,
|
||||||
user_id, credential_id):
|
user_id, credential_id):
|
||||||
# NOTE(morganfainberg): this method needs to capture the arguments of
|
# NOTE(morganfainberg): this method needs to capture the arguments of
|
||||||
# the method that is decorated with @controller.protected() (with
|
# the method that is decorated with @controller.protected() (with
|
||||||
|
|
@ -378,7 +378,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
|
||||||
ref['credential'] = self.credential_api.get_credential(credential_id)
|
ref['credential'] = self.credential_api.get_credential(credential_id)
|
||||||
# NOTE(morganfainberg): policy_api is required for this
|
# NOTE(morganfainberg): policy_api is required for this
|
||||||
# check_protection to properly be able to perform policy enforcement.
|
# check_protection to properly be able to perform policy enforcement.
|
||||||
self.check_protection(context, prep_info, ref)
|
self.check_protection(request, prep_info, ref)
|
||||||
|
|
||||||
def authenticate(self, context, credentials=None, ec2Credentials=None):
|
def authenticate(self, context, credentials=None, ec2Credentials=None):
|
||||||
(user_ref, project_ref, metadata_ref, roles_ref,
|
(user_ref, project_ref, metadata_ref, roles_ref,
|
||||||
|
|
|
||||||
|
|
@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
|
||||||
super(UserV3, self).__init__()
|
super(UserV3, self).__init__()
|
||||||
self.get_member_from_driver = self.identity_api.get_user
|
self.get_member_from_driver = self.identity_api.get_user
|
||||||
|
|
||||||
def _check_user_and_group_protection(self, context, prep_info,
|
def _check_user_and_group_protection(self, request, prep_info,
|
||||||
user_id, group_id):
|
user_id, group_id):
|
||||||
ref = {}
|
ref = {}
|
||||||
ref['user'] = self.identity_api.get_user(user_id)
|
ref['user'] = self.identity_api.get_user(user_id)
|
||||||
ref['group'] = self.identity_api.get_group(group_id)
|
ref['group'] = self.identity_api.get_group(group_id)
|
||||||
self.check_protection(context, prep_info, ref)
|
self.check_protection(request, prep_info, ref)
|
||||||
|
|
||||||
def _check_group_protection(self, context, prep_info, group_id):
|
def _check_group_protection(self, request, prep_info, group_id):
|
||||||
ref = {}
|
ref = {}
|
||||||
ref['group'] = self.identity_api.get_group(group_id)
|
ref['group'] = self.identity_api.get_group(group_id)
|
||||||
self.check_protection(context, prep_info, ref)
|
self.check_protection(request, prep_info, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def create_user(self, request, user):
|
def create_user(self, request, user):
|
||||||
|
|
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
|
||||||
super(GroupV3, self).__init__()
|
super(GroupV3, self).__init__()
|
||||||
self.get_member_from_driver = self.identity_api.get_group
|
self.get_member_from_driver = self.identity_api.get_group
|
||||||
|
|
||||||
def _check_user_protection(self, context, prep_info, user_id):
|
def _check_user_protection(self, request, prep_info, user_id):
|
||||||
ref = {}
|
ref = {}
|
||||||
ref['user'] = self.identity_api.get_user(user_id)
|
ref['user'] = self.identity_api.get_user(user_id)
|
||||||
self.check_protection(context, prep_info, ref)
|
self.check_protection(request, prep_info, ref)
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def create_group(self, request, group):
|
def create_group(self, request, group):
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue