Move audit initiator creation to request
The audit initiator is essentially a context carrying all the available information about the current operation. Since that information is gathered entirely from the request and its context, its generation can be simplified by moving it onto the request object. Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c
This commit is contained in:
parent
5046ba01d8
commit
9117e45d6e
@ -30,7 +30,6 @@ from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -106,15 +105,15 @@ class Role(controller.V2Controller):
|
||||
role_id = uuid.uuid4().hex
|
||||
|
||||
role['id'] = role_id
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
role_ref = self.role_api.create_role(role_id, role, initiator)
|
||||
role_ref = self.role_api.create_role(role_id,
|
||||
role,
|
||||
request.audit_initiator)
|
||||
return {'role': role_ref}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_role(self, request, role_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.role_api.delete_role(role_id, initiator)
|
||||
self.role_api.delete_role(role_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def get_roles(self, request):
|
||||
@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def create_role(self, request, role):
|
||||
validation.lazy_validate(schema.role_create, role)
|
||||
return self._create_role(request.context_dict, role)
|
||||
return self._create_role(request, role)
|
||||
|
||||
@controller.protected()
|
||||
def create_domain_role(self, request, role):
|
||||
validation.lazy_validate(schema.role_create, role)
|
||||
return self._create_role(request.context_dict, role)
|
||||
return self._create_role(request, role)
|
||||
|
||||
def list_roles_wrapper(self, request):
|
||||
if request.params.get('domain_id'):
|
||||
@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller):
|
||||
|
||||
@controller.protected()
|
||||
def get_role(self, request, role_id):
|
||||
return self._get_role(request.context_dict, role_id)
|
||||
return self._get_role(request, role_id)
|
||||
|
||||
@controller.protected()
|
||||
def get_domain_role(self, request, role_id):
|
||||
return self._get_role(request.context_dict, role_id)
|
||||
return self._get_role(request, role_id)
|
||||
|
||||
def update_role_wrapper(self, context, role_id, role):
|
||||
# Since we don't allow you change whether a role is global or domain
|
||||
@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def update_role(self, request, role_id, role):
|
||||
validation.lazy_validate(schema.role_update, role)
|
||||
return self._update_role(request.context_dict, role_id, role)
|
||||
return self._update_role(request, role_id, role)
|
||||
|
||||
@controller.protected()
|
||||
def update_domain_role(self, request, role_id, role):
|
||||
validation.lazy_validate(schema.role_update, role)
|
||||
return self._update_role(request.context_dict, role_id, role)
|
||||
return self._update_role(request, role_id, role)
|
||||
|
||||
def delete_role_wrapper(self, context, role_id):
|
||||
if self._is_domain_role_target(role_id):
|
||||
@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller):
|
||||
|
||||
@controller.protected()
|
||||
def delete_role(self, request, role_id):
|
||||
return self._delete_role(request.context_dict, role_id)
|
||||
return self._delete_role(request, role_id)
|
||||
|
||||
@controller.protected()
|
||||
def delete_domain_role(self, request, role_id):
|
||||
return self._delete_role(request.context_dict, role_id)
|
||||
return self._delete_role(request, role_id)
|
||||
|
||||
def _create_role(self, context, role):
|
||||
def _create_role(self, request, role):
|
||||
if role['name'] == CONF.member_role_name:
|
||||
# Use the configured member role ID when creating the configured
|
||||
# member role name. This avoids the potential of creating a
|
||||
@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller):
|
||||
role = self._assign_unique_id(role)
|
||||
|
||||
ref = self._normalize_dict(role)
|
||||
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.role_api.create_role(ref['id'], ref, initiator)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
ref = self.role_api.create_role(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _list_roles(self, request, filters):
|
||||
hints = RoleV3.build_driver_hints(request, filters)
|
||||
refs = self.role_api.list_roles(hints=hints)
|
||||
return RoleV3.wrap_collection(request.context_dict, refs, hints=hints)
|
||||
|
||||
def _get_role(self, context, role_id):
|
||||
def _get_role(self, request, role_id):
|
||||
ref = self.role_api.get_role(role_id)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _update_role(self, context, role_id, role):
|
||||
def _update_role(self, request, role_id, role):
|
||||
self._require_matching_id(role_id, role)
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.role_api.update_role(role_id, role, initiator)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
ref = self.role_api.update_role(role_id, role, request.audit_initiator)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _delete_role(self, context, role_id):
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
self.role_api.delete_role(role_id, initiator)
|
||||
def _delete_role(self, request, role_id):
|
||||
self.role_api.delete_role(role_id, request.audit_initiator)
|
||||
|
||||
@classmethod
|
||||
def build_driver_hints(cls, request, supported_filters):
|
||||
|
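Review bot: `update_role_wrapper` and `delete_role_wrapper` (context lines in this section) still take a first parameter named `context`, while the private helpers beside them (`_create_role`, `_get_role`, `_update_role`, `_delete_role`) now require a `Request` that exposes `audit_initiator` and `context_dict`; their bodies lie outside the hunks, so if they forward that argument to the private helpers rather than to the protected public methods, a caller passing a context dict would now fail with an `AttributeError`. Worth confirming, and renaming the parameter to `request` so the expected type is visible at the signature. The renamed helpers also carry no documentation: a one-line docstring such as `"""Create the role and emit a CADF event attributed to request.audit_initiator."""` on `_create_role` (and the equivalent on the other three) would tell the next reader why the helper needs the whole request instead of the context dict.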
@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref,
|
||||
group_ids = token_ref.federation_group_ids
|
||||
send_notification = functools.partial(
|
||||
notifications.send_saml_audit_notification, 'authenticate',
|
||||
request.context_dict, user_id, group_ids, identity_provider, protocol,
|
||||
request, user_id, group_ids, identity_provider, protocol,
|
||||
token_audit_id)
|
||||
|
||||
utils.assert_enabled_identity_provider(federation_api, identity_provider)
|
||||
@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
|
||||
# after sending the notification
|
||||
outcome = taxonomy.OUTCOME_FAILURE
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
request,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
|
||||
else:
|
||||
outcome = taxonomy.OUTCOME_SUCCESS
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
request,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
|
@ -50,8 +50,7 @@ class Service(controller.V2Controller):
|
||||
@controller.v2_deprecated
|
||||
def delete_service(self, request, service_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.catalog_api.delete_service(service_id, initiator)
|
||||
self.catalog_api.delete_service(service_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def create_service(self, request, OS_KSADM_service):
|
||||
@ -60,9 +59,8 @@ class Service(controller.V2Controller):
|
||||
service_id = uuid.uuid4().hex
|
||||
service_ref = OS_KSADM_service.copy()
|
||||
service_ref['id'] = service_id
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_service_ref = self.catalog_api.create_service(
|
||||
service_id, service_ref, initiator)
|
||||
service_id, service_ref, request.audit_initiator)
|
||||
return {'OS-KSADM:service': new_service_ref}
|
||||
|
||||
|
||||
@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller):
|
||||
if interface_url:
|
||||
utils.check_endpoint_url(interface_url)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
|
||||
if endpoint.get('region') is not None:
|
||||
try:
|
||||
self.catalog_api.get_region(endpoint['region'])
|
||||
except exception.RegionNotFound:
|
||||
region = dict(id=endpoint['region'])
|
||||
self.catalog_api.create_region(region, initiator)
|
||||
self.catalog_api.create_region(region, request.audit_initiator)
|
||||
|
||||
legacy_endpoint_ref = endpoint.copy()
|
||||
|
||||
@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller):
|
||||
endpoint_ref['interface'] = interface
|
||||
endpoint_ref['url'] = url
|
||||
endpoint_ref['region_id'] = endpoint_ref.pop('region')
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref,
|
||||
initiator)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'],
|
||||
endpoint_ref,
|
||||
request.audit_initiator)
|
||||
|
||||
legacy_endpoint_ref['id'] = legacy_endpoint_id
|
||||
return {'endpoint': legacy_endpoint_ref}
|
||||
@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller):
|
||||
def delete_endpoint(self, request, endpoint_id):
|
||||
"""Delete up to three v3 endpoint refs based on a legacy ref ID."""
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
|
||||
deleted_at_least_one = False
|
||||
for endpoint in self.catalog_api.list_endpoints():
|
||||
if endpoint['legacy_endpoint_id'] == endpoint_id:
|
||||
self.catalog_api.delete_endpoint(endpoint['id'], initiator)
|
||||
self.catalog_api.delete_endpoint(endpoint['id'],
|
||||
request.audit_initiator)
|
||||
deleted_at_least_one = True
|
||||
|
||||
if not deleted_at_least_one:
|
||||
@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller):
|
||||
if not ref.get('id'):
|
||||
ref = self._assign_unique_id(ref)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_region(ref, initiator)
|
||||
ref = self.catalog_api.create_region(ref, request.audit_initiator)
|
||||
return wsgi.render_response(
|
||||
RegionV3.wrap_member(request.context_dict, ref),
|
||||
status=(http_client.CREATED,
|
||||
@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller):
|
||||
def update_region(self, request, region_id, region):
|
||||
validation.lazy_validate(schema.region_update, region)
|
||||
self._require_matching_id(region_id, region)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_region(region_id, region, initiator)
|
||||
ref = self.catalog_api.update_region(region_id,
|
||||
region,
|
||||
request.audit_initiator)
|
||||
return RegionV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_region(self, request, region_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_region(region_id, initiator)
|
||||
return self.catalog_api.delete_region(region_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api')
|
||||
@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller):
|
||||
def create_service(self, request, service):
|
||||
validation.lazy_validate(schema.service_create, service)
|
||||
ref = self._assign_unique_id(self._normalize_dict(service))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_service(ref['id'], ref, initiator)
|
||||
ref = self.catalog_api.create_service(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return ServiceV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('type', 'name')
|
||||
@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller):
|
||||
def update_service(self, request, service_id, service):
|
||||
validation.lazy_validate(schema.service_update, service)
|
||||
self._require_matching_id(service_id, service)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_service(service_id, service, initiator)
|
||||
ref = self.catalog_api.update_service(service_id,
|
||||
service,
|
||||
request.audit_initiator)
|
||||
return ServiceV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_service(self, request, service_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_service(service_id, initiator)
|
||||
return self.catalog_api.delete_service(service_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api')
|
||||
@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller):
|
||||
ref = cls.filter_endpoint(ref)
|
||||
return super(EndpointV3, cls).wrap_member(context, ref)
|
||||
|
||||
def _validate_endpoint_region(self, endpoint, context=None):
|
||||
def _validate_endpoint_region(self, endpoint, request):
|
||||
"""Ensure the region for the endpoint exists.
|
||||
|
||||
If 'region_id' is used to specify the region, then we will let the
|
||||
@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller):
|
||||
self.catalog_api.get_region(endpoint['region_id'])
|
||||
except exception.RegionNotFound:
|
||||
region = dict(id=endpoint['region_id'])
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
self.catalog_api.create_region(region, initiator)
|
||||
self.catalog_api.create_region(region, request.audit_initiator)
|
||||
|
||||
return endpoint
|
||||
|
||||
@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller):
|
||||
validation.lazy_validate(schema.endpoint_create, endpoint)
|
||||
utils.check_endpoint_url(endpoint['url'])
|
||||
ref = self._assign_unique_id(self._normalize_dict(endpoint))
|
||||
ref = self._validate_endpoint_region(ref, request.context_dict)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
|
||||
ref = self._validate_endpoint_region(ref, request)
|
||||
ref = self.catalog_api.create_endpoint(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return EndpointV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('interface', 'service_id', 'region_id')
|
||||
@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller):
|
||||
self._require_matching_id(endpoint_id, endpoint)
|
||||
|
||||
endpoint = self._validate_endpoint_region(endpoint.copy(),
|
||||
request.context_dict)
|
||||
request)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
|
||||
initiator)
|
||||
ref = self.catalog_api.update_endpoint(endpoint_id,
|
||||
endpoint,
|
||||
request.audit_initiator)
|
||||
return EndpointV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_endpoint(self, request, endpoint_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_endpoint(endpoint_id, initiator)
|
||||
return self.catalog_api.delete_endpoint(endpoint_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api', 'resource_api')
|
||||
|
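Review bot: V2 `Endpoint.create_endpoint` now evaluates `request.audit_initiator` twice in one request (the implicit `create_region` call and the `create_endpoint` call), and V3 `create_endpoint`/`update_endpoint` do the same through `_validate_endpoint_region` plus their own call. The property builds a new `resource.Resource` on every access, so the two CADF events emitted for a single HTTP request carry distinct initiator objects, and when no `user_id` is present (so no deterministic id is assigned) they presumably carry different initiator ids if pycadf generates one per instance, which defeats correlating the region-creation event with the endpoint event. Reading it once at the top of the method, `initiator = request.audit_initiator`, and passing `initiator` to both calls (the shape the removed lines had) keeps both events attributable to one initiator. `_validate_endpoint_region` also dropped its `context=None` default, so `request` is now mandatory; the visible callers pass it, but its docstring (cut by the hunk) should state that a missing region is created on the caller's behalf and audited as `request.audit_initiator`.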
@ -12,11 +12,15 @@
|
||||
|
||||
import logging
|
||||
|
||||
from pycadf import cadftaxonomy as taxonomy
|
||||
from pycadf import host
|
||||
from pycadf import resource
|
||||
import webob
|
||||
from webob.descriptors import environ_getter
|
||||
|
||||
from keystone.common import authorization
|
||||
from keystone.common import context
|
||||
from keystone.common import utils
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _, _LW
|
||||
@ -90,6 +94,26 @@ class Request(webob.Request):
|
||||
# auth_context didn't decode anything we can use
|
||||
raise exception.Unauthorized()
|
||||
|
||||
@property
|
||||
def audit_initiator(self):
|
||||
"""A pyCADF initiator describing the current authenticated context."""
|
||||
pycadf_host = host.Host(address=self.remote_addr,
|
||||
agent=self.user_agent)
|
||||
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
|
||||
host=pycadf_host)
|
||||
|
||||
if self.context.user_id:
|
||||
initiator.id = utils.resource_uuid(self.context.user_id)
|
||||
initiator.user_id = self.context.user_id
|
||||
|
||||
if self.context.project_id:
|
||||
initiator.project_id = self.context.project_id
|
||||
|
||||
if self.context.domain_id:
|
||||
initiator.domain_id = self.context.domain_id
|
||||
|
||||
return initiator
|
||||
|
||||
auth_type = environ_getter('AUTH_TYPE', None)
|
||||
remote_domain = environ_getter('REMOTE_DOMAIN', None)
|
||||
context = environ_getter(context.REQUEST_CONTEXT_ENV, None)
|
||||
|
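Review bot: `audit_initiator` dereferences `self.context` unconditionally (`self.context.user_id`, `.project_id`, `.domain_id`), yet `context` is declared a few lines below as `environ_getter(context.REQUEST_CONTEXT_ENV, None)`, so a request reaching this property before the context middleware has populated the environ — or a `Request` constructed directly, as tests tend to do — raises `AttributeError` instead of yielding an anonymous initiator. A guard after the `Resource` is built, `if self.context is None: return initiator`, keeps the audit path from being the thing that fails a request. The docstring should also record what evidence the initiator carries: `remote_addr` is the WSGI `REMOTE_ADDR`, i.e. the immediate TCP peer, so behind a reverse proxy the audit record shows the proxy's address unless upstream middleware rewrites it, and `user_agent` is an unverified client-supplied header — for example `"""A pyCADF initiator for the current request. The host address is REMOTE_ADDR (the immediate peer, not a forwarded client address) and the agent is the unverified User-Agent header; user/project/domain ids come from the auth context when one is present."""`. Finally, each access constructs a fresh `Resource`, so callers that read the property more than once per request get distinct objects; either state that in the docstring or cache the result on the request.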
@ -23,7 +23,6 @@ import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _LW
|
||||
from keystone.identity import schema
|
||||
from keystone import notifications
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -77,9 +76,8 @@ class User(controller.V2Controller):
|
||||
|
||||
# The manager layer will generate the unique ID for users
|
||||
user_ref = self._normalize_domain_id(request, user.copy())
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_user_ref = self.v3_to_v2_user(
|
||||
self.identity_api.create_user(user_ref, initiator))
|
||||
self.identity_api.create_user(user_ref, request.audit_initiator))
|
||||
|
||||
if default_project_id is not None:
|
||||
self.assignment_api.add_user_to_project(default_project_id,
|
||||
@ -113,9 +111,10 @@ class User(controller.V2Controller):
|
||||
# user update.
|
||||
self.resource_api.get_project(default_project_id)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
user_ref = self.v3_to_v2_user(
|
||||
self.identity_api.update_user(user_id, user, initiator))
|
||||
user_ref = self.identity_api.update_user(user_id,
|
||||
user,
|
||||
request.audit_initiator)
|
||||
user_ref = self.v3_to_v2_user(user_ref)
|
||||
|
||||
# If 'tenantId' is in either ref, we might need to add or remove the
|
||||
# user from a project.
|
||||
@ -160,8 +159,7 @@ class User(controller.V2Controller):
|
||||
@controller.v2_deprecated
|
||||
def delete_user(self, request, user_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.delete_user(user_id, initiator)
|
||||
self.identity_api.delete_user(user_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def set_user_enabled(self, request, user_id, user):
|
||||
@ -213,8 +211,7 @@ class UserV3(controller.V3Controller):
|
||||
# The manager layer will generate the unique ID for users
|
||||
ref = self._normalize_dict(user)
|
||||
ref = self._normalize_domain_id(request, ref)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.create_user(ref, initiator)
|
||||
ref = self.identity_api.create_user(ref, request.audit_initiator)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'enabled', 'name')
|
||||
@ -236,23 +233,25 @@ class UserV3(controller.V3Controller):
|
||||
ref = self.identity_api.get_user(user_id)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _update_user(self, context, user_id, user):
|
||||
def _update_user(self, request, user_id, user):
|
||||
self._require_matching_id(user_id, user)
|
||||
self._require_matching_domain_id(
|
||||
user_id, user, self.identity_api.get_user)
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.identity_api.update_user(user_id, user, initiator)
|
||||
return UserV3.wrap_member(context, ref)
|
||||
ref = self.identity_api.update_user(user_id,
|
||||
user,
|
||||
request.audit_initiator)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def update_user(self, request, user_id, user):
|
||||
validation.lazy_validate(schema.user_update, user)
|
||||
return self._update_user(request.context_dict, user_id, user)
|
||||
return self._update_user(request, user_id, user)
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def add_user_to_group(self, request, user_id, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.add_user_to_group(user_id, group_id, initiator)
|
||||
self.identity_api.add_user_to_group(user_id,
|
||||
group_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def check_user_in_group(self, request, user_id, group_id):
|
||||
@ -260,13 +259,13 @@ class UserV3(controller.V3Controller):
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def remove_user_from_group(self, request, user_id, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.remove_user_from_group(user_id, group_id, initiator)
|
||||
self.identity_api.remove_user_from_group(user_id,
|
||||
group_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def delete_user(self, request, user_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.identity_api.delete_user(user_id, initiator)
|
||||
return self.identity_api.delete_user(user_id, request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def change_password(self, request, user_id, user):
|
||||
@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller):
|
||||
# The manager layer will generate the unique ID for groups
|
||||
ref = self._normalize_dict(group)
|
||||
ref = self._normalize_domain_id(request, ref)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.create_group(ref, initiator)
|
||||
ref = self.identity_api.create_group(ref, request.audit_initiator)
|
||||
return GroupV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'name')
|
||||
@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller):
|
||||
self._require_matching_id(group_id, group)
|
||||
self._require_matching_domain_id(
|
||||
group_id, group, self.identity_api.get_group)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.update_group(group_id, group, initiator)
|
||||
ref = self.identity_api.update_group(group_id,
|
||||
group,
|
||||
request.audit_initiator)
|
||||
return GroupV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_group(self, request, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.delete_group(group_id, initiator)
|
||||
self.identity_api.delete_group(group_id, request.audit_initiator)
|
||||
|
@ -481,19 +481,18 @@ class CadfNotificationWrapper(object):
|
||||
def __call__(self, f):
|
||||
@functools.wraps(f)
|
||||
def wrapper(wrapped_self, request, user_id, *args, **kwargs):
|
||||
# Always send a notification.
|
||||
initiator = _get_request_audit_info(request.context_dict, user_id)
|
||||
"""Alway send a notification."""
|
||||
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
|
||||
try:
|
||||
result = f(wrapped_self, request, user_id, *args, **kwargs)
|
||||
except Exception:
|
||||
# For authentication failure send a cadf event as well
|
||||
_send_audit_notification(self.action, initiator,
|
||||
_send_audit_notification(self.action, request.audit_initiator,
|
||||
taxonomy.OUTCOME_FAILURE,
|
||||
target, self.event_type)
|
||||
raise
|
||||
else:
|
||||
_send_audit_notification(self.action, initiator,
|
||||
_send_audit_notification(self.action, request.audit_initiator,
|
||||
taxonomy.OUTCOME_SUCCESS,
|
||||
target, self.event_type)
|
||||
return result
|
||||
@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object):
|
||||
return wrapper
|
||||
|
||||
|
||||
def send_saml_audit_notification(action, context, user_id, group_ids,
|
||||
def send_saml_audit_notification(action, request, user_id, group_ids,
|
||||
identity_provider, protocol, token_id,
|
||||
outcome):
|
||||
"""Send notification to inform observers about SAML events.
|
||||
|
||||
:param action: Action being audited
|
||||
:type action: str
|
||||
:param context: Current request context to collect request info from
|
||||
:type context: dict
|
||||
:param request: Current request to collect request info from
|
||||
:type request: keystone.common.request.Request
|
||||
:param user_id: User ID from Keystone token
|
||||
:type user_id: str
|
||||
:param group_ids: List of Group IDs from Keystone token
|
||||
@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids,
|
||||
:param outcome: One of :class:`pycadf.cadftaxonomy`
|
||||
:type outcome: str
|
||||
"""
|
||||
initiator = _get_request_audit_info(context)
|
||||
initiator = request.audit_initiator
|
||||
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
|
||||
audit_type = SAML_AUDIT_TYPE
|
||||
user_id = user_id or taxonomy.UNKNOWN
|
||||
|
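Review bot: In `CadfNotificationWrapper.wrapper`, the removed line passed the wrapped call's `user_id` argument into `_get_request_audit_info`, whereas `request.audit_initiator` only consults `self.context.user_id`. For the authentication paths this wrapper decorates the request context is not yet bound to a user, so — assuming the explicit argument used to take precedence, as passing it suggests — both the `OUTCOME_FAILURE` and `OUTCOME_SUCCESS` `authenticate` events lose the identity of the account whose credentials were tried, which is exactly the field a brute-force or lockout investigation keys on. Restore it by fetching the initiator once before the `try`, `initiator = request.audit_initiator` / `if user_id:` / `    initiator.user_id = user_id`, setting `initiator.id` from `user_id` the same way the property does, and passing `initiator` to both `_send_audit_notification` calls. The new nested docstring also has a typo (`Alway` → `Always`), and as a docstring on the inner function it is dead text because `functools.wraps` overwrites `wrapper.__doc__` with `f.__doc__`; the `#` comment it replaced was the right form.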
@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
def create_consumer(self, request, consumer):
|
||||
validation.lazy_validate(schema.consumer_create, consumer)
|
||||
ref = self._assign_unique_id(self._normalize_dict(consumer))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
consumer_ref = self.oauth_api.create_consumer(ref, initiator)
|
||||
consumer_ref = self.oauth_api.create_consumer(ref,
|
||||
request.audit_initiator)
|
||||
return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref)
|
||||
|
||||
@controller.protected()
|
||||
@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
validation.lazy_validate(schema.consumer_update, consumer)
|
||||
self._require_matching_id(consumer_id, consumer)
|
||||
ref = self._normalize_dict(consumer)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
|
||||
ref = self.oauth_api.update_consumer(consumer_id,
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
payload = {'user_id': user_token_ref.user_id,
|
||||
'consumer_id': consumer_id}
|
||||
_emit_user_oauth_consumer_token_invalidate(payload)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.oauth_api.delete_consumer(consumer_id, initiator)
|
||||
self.oauth_api.delete_consumer(consumer_id, request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('oauth_api')
|
||||
@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller):
|
||||
consumer_id = access_token['consumer_id']
|
||||
payload = {'user_id': user_id, 'consumer_id': consumer_id}
|
||||
_emit_user_oauth_consumer_token_invalidate(payload)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.oauth_api.delete_access_token(
|
||||
user_id, access_token_id, initiator)
|
||||
return self.oauth_api.delete_access_token(user_id,
|
||||
access_token_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@staticmethod
|
||||
def _get_user_id(entity):
|
||||
@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller):
|
||||
# show the details of the failure.
|
||||
oauth1.validate_oauth_params(b)
|
||||
request_token_duration = CONF.oauth1.request_token_duration
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
token_ref = self.oauth_api.create_request_token(consumer_id,
|
||||
requested_project_id,
|
||||
request_token_duration,
|
||||
initiator)
|
||||
token_ref = self.oauth_api.create_request_token(
|
||||
consumer_id,
|
||||
requested_project_id,
|
||||
request_token_duration,
|
||||
request.audit_initiator)
|
||||
|
||||
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
|
||||
% {'key': token_ref['id'],
|
||||
@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller):
|
||||
raise exception.Unauthorized(message=msg)
|
||||
|
||||
access_token_duration = CONF.oauth1.access_token_duration
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
token_ref = self.oauth_api.create_access_token(request_token_id,
|
||||
access_token_duration,
|
||||
initiator)
|
||||
request.audit_initiator)
|
||||
|
||||
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
|
||||
% {'key': token_ref['id'],
|
||||
|
@ -15,7 +15,6 @@
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone.common import validation
|
||||
from keystone import notifications
|
||||
from keystone.policy import schema
|
||||
|
||||
|
||||
@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller):
|
||||
def create_policy(self, request, policy):
|
||||
validation.lazy_validate(schema.policy_create, policy)
|
||||
ref = self._assign_unique_id(self._normalize_dict(policy))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
|
||||
ref = self.policy_api.create_policy(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return PolicyV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('type')
|
||||
@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def update_policy(self, request, policy_id, policy):
|
||||
validation.lazy_validate(schema.policy_update, policy)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.policy_api.update_policy(policy_id, policy, initiator)
|
||||
ref = self.policy_api.update_policy(policy_id,
|
||||
policy,
|
||||
request.audit_initiator)
|
||||
return PolicyV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_policy(self, request, policy_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.policy_api.delete_policy(policy_id, initiator)
|
||||
return self.policy_api.delete_policy(policy_id,
|
||||
request.audit_initiator)
|
||||
|
@ -26,7 +26,6 @@ from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.resource import schema
|
||||
|
||||
|
||||
@ -94,11 +93,10 @@ class Tenant(controller.V2Controller):
|
||||
self.resource_api.ensure_default_domain_exists()
|
||||
|
||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
tenant = self.resource_api.create_project(
|
||||
tenant_ref['id'],
|
||||
self._normalize_domain_id(request, tenant_ref),
|
||||
initiator)
|
||||
request.audit_initiator)
|
||||
return {'tenant': self.v3_to_v2_project(tenant)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
@ -107,17 +105,15 @@ class Tenant(controller.V2Controller):
|
||||
self.assert_admin(request)
|
||||
self._assert_not_is_domain_project(tenant_id)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
tenant_ref = self.resource_api.update_project(
|
||||
tenant_id, tenant, initiator)
|
||||
tenant_id, tenant, request.audit_initiator)
|
||||
return {'tenant': self.v3_to_v2_project(tenant_ref)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_project(self, request, tenant_id):
|
||||
self.assert_admin(request)
|
||||
self._assert_not_is_domain_project(tenant_id)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.resource_api.delete_project(tenant_id, initiator)
|
||||
self.resource_api.delete_project(tenant_id, request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('resource_api')
|
||||
@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller):
|
||||
def create_domain(self, request, domain):
|
||||
validation.lazy_validate(schema.domain_create, domain)
|
||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.create_domain(ref['id'], ref, initiator)
|
||||
ref = self.resource_api.create_domain(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return DomainV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller):
|
||||
def update_domain(self, request, domain_id, domain):
|
||||
validation.lazy_validate(schema.domain_update, domain)
|
||||
self._require_matching_id(domain_id, domain)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.update_domain(domain_id, domain, initiator)
|
||||
ref = self.resource_api.update_domain(domain_id,
|
||||
domain,
|
||||
request.audit_initiator)
|
||||
return DomainV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_domain(self, request, domain_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.resource_api.delete_domain(domain_id, initiator)
|
||||
return self.resource_api.delete_domain(domain_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('domain_config_api')
|
||||
@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller):
|
||||
if not ref.get('parent_id'):
|
||||
ref['parent_id'] = ref.get('domain_id')
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
try:
|
||||
ref = self.resource_api.create_project(ref['id'], ref,
|
||||
initiator=initiator)
|
||||
ref = self.resource_api.create_project(
|
||||
ref['id'],
|
||||
ref,
|
||||
initiator=request.audit_initiator)
|
||||
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
|
||||
raise exception.ValidationError(e)
|
||||
return ProjectV3.wrap_member(request.context_dict, ref)
|
||||
@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller):
|
||||
self._require_matching_id(project_id, project)
|
||||
self._require_matching_domain_id(
|
||||
project_id, project, self.resource_api.get_project)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.update_project(project_id, project,
|
||||
initiator=initiator)
|
||||
ref = self.resource_api.update_project(
|
||||
project_id,
|
||||
project,
|
||||
initiator=request.audit_initiator)
|
||||
return ProjectV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_project(self, request, project_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.resource_api.delete_project(project_id,
|
||||
initiator=initiator)
|
||||
return self.resource_api.delete_project(
|
||||
project_id,
|
||||
initiator=request.audit_initiator)
|
||||
|
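Review bot: In the Tenant hunks (`@ -94,11 +93,10 @@` and `@ -107,17 +105,15 @@`) the audit initiator is handed to `resource_api.create_project`, `update_project` and `delete_project` as a trailing positional argument, whereas the ProjectV3 hunks further down the same file pass it as `initiator=request.audit_initiator`. Since the same manager methods evidently accept the keyword, the V2 calls should use it as well, e.g. `request.audit_initiator)` becomes `initiator=request.audit_initiator)` at the end of each call. Binding the audit identity by name keeps it from silently landing in a different parameter if the manager signature ever gains an argument, which would misattribute who performed the operation in the audit trail. The enclosing V2 create/update/delete methods begin before their hunks.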
@ -1631,7 +1631,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
||||
super(FederatedTokenTests, self).setUp()
|
||||
self._notifications = []
|
||||
|
||||
def fake_saml_notify(action, context, user_id, group_ids,
|
||||
def fake_saml_notify(action, request, user_id, group_ids,
|
||||
identity_provider, protocol, token_id, outcome):
|
||||
note = {
|
||||
'action': action,
|
||||
|
@ -24,7 +24,6 @@ from keystone.common import utils
|
||||
from keystone.common import validation
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.trust import schema
|
||||
|
||||
|
||||
@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller):
|
||||
trust['expires_at'] = self._parse_expiration_date(
|
||||
trust.get('expires_at'))
|
||||
trust_id = uuid.uuid4().hex
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_trust = self.trust_api.create_trust(trust_id, trust,
|
||||
normalized_roles,
|
||||
redelegated_trust,
|
||||
initiator)
|
||||
|
||||
request.audit_initiator)
|
||||
self._fill_in_roles(request.context_dict, new_trust)
|
||||
return TrustV3.wrap_member(request.context_dict, new_trust)
|
||||
|
||||
@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller):
|
||||
not request.context.is_admin):
|
||||
raise exception.Forbidden()
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.trust_api.delete_trust(trust_id, initiator)
|
||||
self.trust_api.delete_trust(trust_id, request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def list_roles_for_trust(self, request, trust_id):
|
||||
|
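Review bot: `create_trust` in the `@ -137,12 +136,10 @@` hunk now receives the audit initiator as its fifth positional argument and `delete_trust` in `@ -227,8 +224,7 @@` as its second; neither signature is in this diff, so if `trust_api` accepts the initiator by keyword the way `resource_api` does elsewhere in this commit, `initiator=request.audit_initiator` would make the audit attribution robust to future signature changes. The `create_trust` hunk still passes `request.context_dict` to `_fill_in_roles` and `wrap_member` right after the call, which seems intended since only the initiator moved; a one-line comment such as `# audit initiator is derived from the request, not context_dict` would help readers following the migration. Both enclosing methods start before their hunks.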