Merge "Use request object in policy enforcement"
commit
5122632f3d
|
@ -599,7 +599,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
context['path'].startswith('/OS-INHERIT') and
|
||||
context['path'].endswith('/inherited_to_projects'))
|
||||
|
||||
def _check_grant_protection(self, context, protection, role_id=None,
|
||||
def _check_grant_protection(self, request, protection, role_id=None,
|
||||
user_id=None, group_id=None,
|
||||
domain_id=None, project_id=None,
|
||||
allow_no_user=False):
|
||||
|
@ -627,7 +627,7 @@ class GrantAssignmentV3(controller.V3Controller):
|
|||
else:
|
||||
ref['project'] = self.resource_api.get_project(project_id)
|
||||
|
||||
self.check_protection(context, protection, ref)
|
||||
self.check_protection(request, protection, ref)
|
||||
|
||||
@controller.protected(callback=_check_grant_protection)
|
||||
def create_grant(self, request, role_id, user_id=None,
|
||||
|
@ -947,7 +947,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
def list_role_assignments(self, request, filters):
|
||||
return self._list_role_assignments(request, filters)
|
||||
|
||||
def _check_list_tree_protection(self, context, protection_info):
|
||||
def _check_list_tree_protection(self, request, protection_info):
|
||||
"""Check protection for list assignment for tree API.
|
||||
|
||||
The policy rule might want to inspect the domain of any project filter
|
||||
|
@ -960,7 +960,7 @@ class RoleAssignmentV3(controller.V3Controller):
|
|||
if filter == 'scope.project.id' and value:
|
||||
ref['project'] = self.resource_api.get_project(value)
|
||||
|
||||
self.check_protection(context, protection_info, ref)
|
||||
self.check_protection(request, protection_info, ref)
|
||||
|
||||
@controller.filterprotected('group.id', 'role.id',
|
||||
'scope.domain.id', 'scope.project.id',
|
||||
|
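Review bot: `_check_grant_protection` (first hunk, `def _check_grant_protection(self, request, protection, ...`) gains a `request` parameter with no docstring saying what it receives or how it is invoked, and `_check_list_tree_protection` has the same gap — its existing docstring does not mention the new argument. These callbacks are reached through `@controller.protected(callback=...)` and `@controller.filterprotected(...)`, which now pass the request object positionally where the context dict used to go, so any direct caller still handing in `context` would presumably feed a dict into `check_protection` without an immediate error. I would add a one-line note to each callback, e.g. `# Called by controller.protected/filterprotected as callback(self, request, prep_info, **kwargs); request replaces the old context dict.` Both method bodies extend outside the shown hunks.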
|
|
@ -129,7 +129,7 @@ def protected(callback=None):
|
|||
prep_info = {'f_name': f.__name__,
|
||||
'input_attr': kwargs}
|
||||
callback(self,
|
||||
request.context_dict,
|
||||
request,
|
||||
prep_info,
|
||||
*args,
|
||||
**kwargs)
|
||||
|
@ -234,7 +234,7 @@ def filterprotected(*filters, **callback):
|
|||
'input_attr': kwargs,
|
||||
'filter_attr': target}
|
||||
callback['callback'](self,
|
||||
request.context_dict,
|
||||
request,
|
||||
prep_info,
|
||||
**kwargs)
|
||||
else:
|
||||
|
@ -789,7 +789,7 @@ class V3Controller(wsgi.Application):
|
|||
"""Override v2 filter to let domain_id out for v3 calls."""
|
||||
return ref
|
||||
|
||||
def check_protection(self, context, prep_info, target_attr=None):
|
||||
def check_protection(self, request, prep_info, target_attr=None):
|
||||
"""Provide call protection for complex target attributes.
|
||||
|
||||
As well as including the standard parameters from the original API
|
||||
|
@ -798,13 +798,13 @@ class V3Controller(wsgi.Application):
|
|||
they can be referenced by policy rules.
|
||||
|
||||
"""
|
||||
if 'is_admin' in context and context['is_admin']:
|
||||
if request.context.is_admin:
|
||||
LOG.warning(_LW('RBAC: Bypassing authorization'))
|
||||
else:
|
||||
action = 'identity:%s' % prep_info['f_name']
|
||||
# TODO(henry-nash) need to log the target attributes as well
|
||||
creds = _build_policy_check_credentials(self, action,
|
||||
context,
|
||||
request.context_dict,
|
||||
prep_info['input_attr'])
|
||||
# Build the dict the policy engine will check against from both the
|
||||
# parameters passed into the call we are protecting (which was
|
||||
|
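Review bot: The admin bypass in `check_protection` now reads `request.context.is_admin` directly, where the old code tolerated a context without the key (`'is_admin' in context and context['is_admin']`); if a `request.context` is ever built without that attribute, this raises `AttributeError` instead of falling through to the policy check. Failing closed there is the right direction but should be stated, and the bypass itself still logs only the bare `'RBAC: Bypassing authorization'` without the action being skipped, which makes the audit trail hard to use. I would make the warning carry the action, e.g. `LOG.warning(_LW('RBAC: Bypassing authorization for %s'), 'identity:%s' % prep_info['f_name'])`, and add `# is_admin must exist on request.context; a missing attribute is a bug, not a non-admin caller.` above the test. Note the same hunk still builds creds from `request.context_dict` rather than `request.context`, so the two views of the context must stay consistent. check_protection's body continues past the hunk.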
|
|
@ -364,7 +364,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
|
|||
def __init__(self):
|
||||
super(Ec2ControllerV3, self).__init__()
|
||||
|
||||
def _check_credential_owner_and_user_id_match(self, context, prep_info,
|
||||
def _check_credential_owner_and_user_id_match(self, request, prep_info,
|
||||
user_id, credential_id):
|
||||
# NOTE(morganfainberg): this method needs to capture the arguments of
|
||||
# the method that is decorated with @controller.protected() (with
|
||||
|
@ -378,7 +378,7 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
|
|||
ref['credential'] = self.credential_api.get_credential(credential_id)
|
||||
# NOTE(morganfainberg): policy_api is required for this
|
||||
# check_protection to properly be able to perform policy enforcement.
|
||||
self.check_protection(context, prep_info, ref)
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
def authenticate(self, context, credentials=None, ec2Credentials=None):
|
||||
(user_ref, project_ref, metadata_ref, roles_ref,
|
||||
|
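Review bot: `_check_credential_owner_and_user_id_match` has a name promising an owner/user_id comparison, but nothing in either hunk performs one: the visible code loads the credential into `ref['credential']` and delegates entirely to `self.check_protection(request, prep_info, ref)`, so the match is only enforced if the policy rule for this action checks `target.credential` against `user_id`. The lines between the two hunks are not shown, so if the comparison lives there this is moot; otherwise a reader auditing the EC2 endpoint could wrongly assume the controller enforces ownership on its own. I would add a docstring saying so, e.g. `"""Load the credential as a policy target; ownership is enforced by the policy rule, not here."""`, and extend the NOTE(morganfainberg) comment to say the first positional argument is now the request object supplied by `@controller.protected`. The method's body straddles the hunk boundary.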
|
|
@ -203,17 +203,17 @@ class UserV3(controller.V3Controller):
|
|||
super(UserV3, self).__init__()
|
||||
self.get_member_from_driver = self.identity_api.get_user
|
||||
|
||||
def _check_user_and_group_protection(self, context, prep_info,
|
||||
def _check_user_and_group_protection(self, request, prep_info,
|
||||
user_id, group_id):
|
||||
ref = {}
|
||||
ref['user'] = self.identity_api.get_user(user_id)
|
||||
ref['group'] = self.identity_api.get_group(group_id)
|
||||
self.check_protection(context, prep_info, ref)
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
def _check_group_protection(self, context, prep_info, group_id):
|
||||
def _check_group_protection(self, request, prep_info, group_id):
|
||||
ref = {}
|
||||
ref['group'] = self.identity_api.get_group(group_id)
|
||||
self.check_protection(context, prep_info, ref)
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
@controller.protected()
|
||||
def create_user(self, request, user):
|
||||
|
@ -303,10 +303,10 @@ class GroupV3(controller.V3Controller):
|
|||
super(GroupV3, self).__init__()
|
||||
self.get_member_from_driver = self.identity_api.get_group
|
||||
|
||||
def _check_user_protection(self, context, prep_info, user_id):
|
||||
def _check_user_protection(self, request, prep_info, user_id):
|
||||
ref = {}
|
||||
ref['user'] = self.identity_api.get_user(user_id)
|
||||
self.check_protection(context, prep_info, ref)
|
||||
self.check_protection(request, prep_info, ref)
|
||||
|
||||
@controller.protected()
|
||||
def create_group(self, request, group):
|
||||
|
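Review bot: In `_check_user_and_group_protection`, `_check_group_protection` and `_check_user_protection`, the target lookups (`self.identity_api.get_user(user_id)`, `self.identity_api.get_group(group_id)`) run before `self.check_protection(request, prep_info, ref)`, so if those lookups raise on an unknown id, as their names suggest, a caller who would fail the policy check still learns whether the id exists from the error returned before authorization is evaluated. The order is forced here because the policy rule needs the loaded target, so this is a trade-off to document rather than a bug to fix in this change, but it is the kind of existence oracle reviewers look for on the identity API. I would add `# Target lookups precede the policy check by necessity; an unknown id surfaces before authorization, which reveals existence to unauthorized callers.` above the first lookup in each helper. The signature change itself is consistent with the decorator update in controller.py.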
|