add the policy code
This commit is contained in:
parent
63943c98c6
commit
860aa86e03
@ -0,0 +1,23 @@
class TrivialTrue(object):
def __init__(self, options):
self.options = options
def can_haz(self, target, credentials):
return True
class SimpleMatch(object):
def __init__(self, options):
self.options = options
def can_haz(self, target, credentials):
"""Check whether key-values in target are present in credentials."""
# TODO(termie): handle ANDs, probably by providing a tuple instead of a
# string
for requirement in target:
key, match = requirement.split(':', 1)
check = credentials.get(key)
if check == match:
return True
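Review bot: `SimpleMatch.can_haz` has no fall-through return, so a target with no satisfied requirement yields `None` instead of `False`; add an explicit `return False` after the loop so the policy decision is always a bool and the ANDs TODO has a clear base case. The comparison `check == match` is against the string to the right of the colon, so a credential stored as a non-string (an int or bool under `is_admin`, or a list under `roles`, which is what the controller hunk in this commit asks for with `('is_admin:1', 'roles:admin')`) never matches; the docstring should state the expected credential value types, or the check should be written to handle them deliberately. `requirement.split(':', 1)` raises `ValueError` on a requirement without a colon, so a malformed target should fail closed with a clearer error rather than an unpacking traceback. `TrivialTrue` grants every request and has no docstring; a one-liner such as `"""Allow-all backend for tests and development; not for a production policy_driver."""` makes that explicit to whoever configures the driver.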
@ -44,7 +44,6 @@ class KeystoneController(service.BaseApplication):
self.identity_api = identity.Manager(options)
self.token_api = token.Manager(options)
self.policy_api = policy.Manager(options)
pass
def noop(self, context):
return {}
@ -155,7 +154,15 @@ class KeystoneController(service.BaseApplication):
Optionally, also ensure that it is owned by a specific tenant.
"""
assert context['is_admin']
# TODO(termie): this stuff should probably be moved to middleware
if not context['is_admin']:
user_token_ref = self.token_api.get_token(context['token_id'])
creds = user_token_ref['extras'].copy()
creds['user_id'] = user_token_ref['user'].get('id')
creds['tenant_id'] = user_token_ref['tenant'].get('id')
# Accept either is_admin or the admin role
assert self.policy_api.can_haz(('is_admin:1', 'roles:admin'),
creds)
token_ref = self.token_api.get_token(context=context,
token_id=token_id)
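Review bot: The call `self.policy_api.can_haz(('is_admin:1', 'roles:admin'), creds)` does not match the signature this same commit gives the policy manager in the last file section, `def can_haz(self, context, target, credentials)`: the tuple binds to `context`, `creds` to `target`, and the call raises `TypeError` for the missing `credentials` argument, so the admin check can never pass; it should read `self.policy_api.can_haz(context, ('is_admin:1', 'roles:admin'), creds)`. Guarding an authorization decision with `assert` is also fragile, because assertions are stripped under `python -O` and this line would then silently become an allow-all path; write it as `if not self.policy_api.can_haz(...): raise <the project's unauthorized exception>` instead. The rendered view does not show which two of the printed lines were removed; if `assert context['is_admin']` survives on the new side, the `if not context['is_admin']:` block beneath it is unreachable. The enclosing method starts and ends outside the hunk.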
@ -0,0 +1,18 @@
# vim: tabstop=4 shiftwidth=4 softtabstop=4
# the catalog interfaces
import uuid
from keystonelight import utils
class Manager(object):
def __init__(self, options):
self.options = options
self.driver = utils.import_object(options['policy_driver'],
options=options)
def can_haz(self, context, target, credentials):
"""Check whether the given creds can perform action on target."""
return self.driver.can_haz(target, credentials)
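Review bot: The header comment `# the catalog interfaces` looks copied from another module; this file defines the policy interface, so it should read `# the policy interfaces`. `Manager.can_haz` accepts `context` but drops it before delegating to `self.driver.can_haz(target, credentials)`, so the docstring should say that backends are context-free, or the argument should be passed through, and the mismatch should be resolved before more drivers are written against it. `uuid` is imported but appears unused in the visible lines. `Manager` has no class docstring; a sentence noting that the backend is loaded from `options['policy_driver']` via `utils.import_object` and that the decision is delegated wholesale to it would tell operators that the configured driver is the entire authorization policy.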