From 9117e45d6e7c65f6623c02fd13a599c1b01ed09f Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Fri, 15 Jul 2016 17:53:12 +1000 Subject: [PATCH] Move audit initiator creation to request The audit initiator is basically a context with all the information about the current operation available. This information is all gathered from the request and context so we can simplify its generation by moving it onto the request object. Change-Id: If91eacd3e07e0d9cd825f92b06c0ac819b3daf8c --- keystone/assignment/controllers.py | 51 ++++++++--------- keystone/auth/plugins/mapped.py | 6 +- keystone/catalog/controllers.py | 69 +++++++++++------------ keystone/common/request.py | 24 ++++++++ keystone/identity/controllers.py | 52 ++++++++--------- keystone/notifications.py | 15 +++-- keystone/oauth1/controllers.py | 31 +++++----- keystone/policy/controllers.py | 15 ++--- keystone/resource/controllers.py | 44 +++++++-------- keystone/tests/unit/test_v3_federation.py | 2 +- keystone/trust/controllers.py | 8 +-- 11 files changed, 165 insertions(+), 152 deletions(-) diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py index 965880488c..416e22fe9f 100644 --- a/keystone/assignment/controllers.py +++ b/keystone/assignment/controllers.py @@ -30,7 +30,6 @@ from keystone.common import wsgi import keystone.conf from keystone import exception from keystone.i18n import _ -from keystone import notifications CONF = keystone.conf.CONF 
@@ -106,15 +105,15 @@ class Role(controller.V2Controller): role_id = uuid.uuid4().hex role['id'] = role_id - initiator = notifications._get_request_audit_info(request.context_dict) - role_ref = self.role_api.create_role(role_id, role, initiator) + role_ref = self.role_api.create_role(role_id, + role, + request.audit_initiator) return {'role': role_ref} @controller.v2_deprecated def delete_role(self, request, role_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.role_api.delete_role(role_id, initiator) + self.role_api.delete_role(role_id, request.audit_initiator) @controller.v2_deprecated def get_roles(self, request): @@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller): @controller.protected() def create_role(self, request, role): validation.lazy_validate(schema.role_create, role) - return self._create_role(request.context_dict, role) + return self._create_role(request, role) @controller.protected() def create_domain_role(self, request, role): validation.lazy_validate(schema.role_create, role) - return self._create_role(request.context_dict, role) + return self._create_role(request, role) def list_roles_wrapper(self, request): if request.params.get('domain_id'): @@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller): @controller.protected() def get_role(self, request, role_id): - return self._get_role(request.context_dict, role_id) + return self._get_role(request, role_id) @controller.protected() def get_domain_role(self, request, role_id): - return self._get_role(request.context_dict, role_id) + return self._get_role(request, role_id) def update_role_wrapper(self, context, role_id, role): # Since we don't allow you change whether a role is global or domain 
@@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller): @controller.protected() def update_role(self, request, role_id, role): validation.lazy_validate(schema.role_update, role) - return self._update_role(request.context_dict, role_id, role) + return self._update_role(request, role_id, role) @controller.protected() def update_domain_role(self, request, role_id, role): validation.lazy_validate(schema.role_update, role) - return self._update_role(request.context_dict, role_id, role) + return self._update_role(request, role_id, role) def delete_role_wrapper(self, context, role_id): if self._is_domain_role_target(role_id): @@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller): @controller.protected() def delete_role(self, request, role_id): - return self._delete_role(request.context_dict, role_id) + return self._delete_role(request, role_id) @controller.protected() def delete_domain_role(self, request, role_id): - return self._delete_role(request.context_dict, role_id) + return self._delete_role(request, role_id) - def _create_role(self, context, role): + def _create_role(self, request, role): if role['name'] == CONF.member_role_name: # Use the configured member role ID when creating the configured # member role name. This avoids the potential of creating a 
@@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller): role = self._assign_unique_id(role) ref = self._normalize_dict(role) - - initiator = notifications._get_request_audit_info(context) - ref = self.role_api.create_role(ref['id'], ref, initiator) - return RoleV3.wrap_member(context, ref) + ref = self.role_api.create_role(ref['id'], + ref, + request.audit_initiator) + return RoleV3.wrap_member(request.context_dict, ref) def _list_roles(self, request, filters): hints = RoleV3.build_driver_hints(request, filters) refs = self.role_api.list_roles(hints=hints) return RoleV3.wrap_collection(request.context_dict, refs, hints=hints) - def _get_role(self, context, role_id): + def _get_role(self, request, role_id): ref = self.role_api.get_role(role_id) - return RoleV3.wrap_member(context, ref) + return RoleV3.wrap_member(request.context_dict, ref) - def _update_role(self, context, role_id, role): + def _update_role(self, request, role_id, role): self._require_matching_id(role_id, role) - initiator = notifications._get_request_audit_info(context) - ref = self.role_api.update_role(role_id, role, initiator) - return RoleV3.wrap_member(context, ref) + ref = self.role_api.update_role(role_id, role, request.audit_initiator) + return RoleV3.wrap_member(request.context_dict, ref) - def _delete_role(self, context, role_id): - initiator = notifications._get_request_audit_info(context) - self.role_api.delete_role(role_id, initiator) + def _delete_role(self, request, role_id): + self.role_api.delete_role(role_id, request.audit_initiator) @classmethod def build_driver_hints(cls, request, supported_filters): diff --git a/keystone/auth/plugins/mapped.py b/keystone/auth/plugins/mapped.py index c1e99f5c0d..3dfd0d215c 100644 --- a/keystone/auth/plugins/mapped.py +++ b/keystone/auth/plugins/mapped.py 
@@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref, group_ids = token_ref.federation_group_ids send_notification = functools.partial( notifications.send_saml_audit_notification, 'authenticate', - request.context_dict, user_id, group_ids, identity_provider, protocol, + request, user_id, group_ids, identity_provider, protocol, token_audit_id) utils.assert_enabled_identity_provider(federation_api, identity_provider) @@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context, # after sending the notification outcome = taxonomy.OUTCOME_FAILURE notifications.send_saml_audit_notification('authenticate', - request.context_dict, + request, user_id, group_ids, identity_provider, protocol, token_id, @@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context, else: outcome = taxonomy.OUTCOME_SUCCESS notifications.send_saml_audit_notification('authenticate', - request.context_dict, + request, user_id, group_ids, identity_provider, protocol, token_id, diff --git a/keystone/catalog/controllers.py b/keystone/catalog/controllers.py index f0773c34a6..62f5d66c55 100644 --- a/keystone/catalog/controllers.py +++ b/keystone/catalog/controllers.py @@ -50,8 +50,7 @@ class Service(controller.V2Controller): @controller.v2_deprecated def delete_service(self, request, service_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.catalog_api.delete_service(service_id, initiator) + self.catalog_api.delete_service(service_id, request.audit_initiator) @controller.v2_deprecated def create_service(self, request, OS_KSADM_service): 
@@ -60,9 +59,8 @@ class Service(controller.V2Controller): service_id = uuid.uuid4().hex service_ref = OS_KSADM_service.copy() service_ref['id'] = service_id - initiator = notifications._get_request_audit_info(request.context_dict) new_service_ref = self.catalog_api.create_service( - service_id, service_ref, initiator) + service_id, service_ref, request.audit_initiator) return {'OS-KSADM:service': new_service_ref} @@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller): if interface_url: utils.check_endpoint_url(interface_url) - initiator = notifications._get_request_audit_info(request.context_dict) - if endpoint.get('region') is not None: try: self.catalog_api.get_region(endpoint['region']) except exception.RegionNotFound: region = dict(id=endpoint['region']) - self.catalog_api.create_region(region, initiator) + self.catalog_api.create_region(region, request.audit_initiator) legacy_endpoint_ref = endpoint.copy() @@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller): endpoint_ref['interface'] = interface endpoint_ref['url'] = url endpoint_ref['region_id'] = endpoint_ref.pop('region') - self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref, - initiator) + self.catalog_api.create_endpoint(endpoint_ref['id'], + endpoint_ref, + request.audit_initiator) legacy_endpoint_ref['id'] = legacy_endpoint_id return {'endpoint': legacy_endpoint_ref} @@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller): def delete_endpoint(self, request, endpoint_id): """Delete up to three v3 endpoint refs based on a legacy ref ID.""" self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) deleted_at_least_one = False for endpoint in self.catalog_api.list_endpoints(): if endpoint['legacy_endpoint_id'] == endpoint_id: - self.catalog_api.delete_endpoint(endpoint['id'], initiator) + self.catalog_api.delete_endpoint(endpoint['id'], + request.audit_initiator) deleted_at_least_one = True if not deleted_at_least_one: 
@@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller): if not ref.get('id'): ref = self._assign_unique_id(ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_region(ref, initiator) + ref = self.catalog_api.create_region(ref, request.audit_initiator) return wsgi.render_response( RegionV3.wrap_member(request.context_dict, ref), status=(http_client.CREATED, @@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller): def update_region(self, request, region_id, region): validation.lazy_validate(schema.region_update, region) self._require_matching_id(region_id, region) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_region(region_id, region, initiator) + ref = self.catalog_api.update_region(region_id, + region, + request.audit_initiator) return RegionV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_region(self, request, region_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_region(region_id, initiator) + return self.catalog_api.delete_region(region_id, + request.audit_initiator) @dependency.requires('catalog_api') @@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller): def create_service(self, request, service): validation.lazy_validate(schema.service_create, service) ref = self._assign_unique_id(self._normalize_dict(service)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_service(ref['id'], ref, initiator) + ref = self.catalog_api.create_service(ref['id'], + ref, + request.audit_initiator) return ServiceV3.wrap_member(request.context_dict, ref) @controller.filterprotected('type', 'name') 
@@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller): def update_service(self, request, service_id, service): validation.lazy_validate(schema.service_update, service) self._require_matching_id(service_id, service) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_service(service_id, service, initiator) + ref = self.catalog_api.update_service(service_id, + service, + request.audit_initiator) return ServiceV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_service(self, request, service_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_service(service_id, initiator) + return self.catalog_api.delete_service(service_id, + request.audit_initiator) @dependency.requires('catalog_api') @@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller): ref = cls.filter_endpoint(ref) return super(EndpointV3, cls).wrap_member(context, ref) - def _validate_endpoint_region(self, endpoint, context=None): + def _validate_endpoint_region(self, endpoint, request): """Ensure the region for the endpoint exists. If 'region_id' is used to specify the region, then we will let the @@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller): self.catalog_api.get_region(endpoint['region_id']) except exception.RegionNotFound: region = dict(id=endpoint['region_id']) - initiator = notifications._get_request_audit_info(context) - self.catalog_api.create_region(region, initiator) + self.catalog_api.create_region(region, request.audit_initiator) return endpoint 
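Review bot: The signature change of `_validate_endpoint_region` from an optional `context=None` to a required `request` is not reflected in the docstring that opens in the same hunk; its body runs past the hunk, so I can only see the summary line, but it should gain `:param request: current keystone.common.request.Request; its audit_initiator is attached to the region that is created implicitly when only an unknown region_id is given`. The two call sites this commit updates (create_endpoint and update_endpoint further down in the file) pass `request`, but any caller still invoking the method with the endpoint alone would now fail with a TypeError rather than silently skipping the initiator, which is worth a grep before merging.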
@@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller): validation.lazy_validate(schema.endpoint_create, endpoint) utils.check_endpoint_url(endpoint['url']) ref = self._assign_unique_id(self._normalize_dict(endpoint)) - ref = self._validate_endpoint_region(ref, request.context_dict) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator) + ref = self._validate_endpoint_region(ref, request) + ref = self.catalog_api.create_endpoint(ref['id'], + ref, + request.audit_initiator) return EndpointV3.wrap_member(request.context_dict, ref) @controller.filterprotected('interface', 'service_id', 'region_id') @@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller): self._require_matching_id(endpoint_id, endpoint) endpoint = self._validate_endpoint_region(endpoint.copy(), - request.context_dict) + request) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_endpoint(endpoint_id, endpoint, - initiator) + ref = self.catalog_api.update_endpoint(endpoint_id, + endpoint, + request.audit_initiator) return EndpointV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_endpoint(self, request, endpoint_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_endpoint(endpoint_id, initiator) + return self.catalog_api.delete_endpoint(endpoint_id, + request.audit_initiator) @dependency.requires('catalog_api', 'resource_api') diff --git a/keystone/common/request.py b/keystone/common/request.py index 37f6dd14a1..6638505fcc 100644 --- a/keystone/common/request.py +++ b/keystone/common/request.py 
@@ -12,11 +12,15 @@ import logging +from pycadf import cadftaxonomy as taxonomy +from pycadf import host +from pycadf import resource import webob from webob.descriptors import environ_getter from keystone.common import authorization from keystone.common import context +from keystone.common import utils import keystone.conf from keystone import exception from keystone.i18n import _, _LW @@ -90,6 +94,26 @@ class Request(webob.Request): # auth_context didn't decode anything we can use raise exception.Unauthorized() + @property + def audit_initiator(self): + """A pyCADF initiator describing the current authenticated context.""" + pycadf_host = host.Host(address=self.remote_addr, + agent=self.user_agent) + initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, + host=pycadf_host) + + if self.context.user_id: + initiator.id = utils.resource_uuid(self.context.user_id) + initiator.user_id = self.context.user_id + + if self.context.project_id: + initiator.project_id = self.context.project_id + + if self.context.domain_id: + initiator.domain_id = self.context.domain_id + + return initiator + auth_type = environ_getter('AUTH_TYPE', None) remote_domain = environ_getter('REMOTE_DOMAIN', None) context = environ_getter(context.REQUEST_CONTEXT_ENV, None) diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 4f161ee179..18329fa854 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -23,7 +23,6 @@ import keystone.conf from keystone import exception from keystone.i18n import _LW from keystone.identity import schema -from keystone import notifications CONF = keystone.conf.CONF 
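Review bot: `audit_initiator` dereferences `self.context` unconditionally, but `context` is declared two lines below it as `environ_getter(context.REQUEST_CONTEXT_ENV, None)`, so on a request that reaches this property without a request context attached the audit path itself raises AttributeError instead of emitting an event; I would bind it once and bail out early, `ctx = self.context` followed by `if ctx is None: return initiator` right after the Resource is built, then use `ctx` in the three checks. The property is also rebuilt on every access, which is presumably intended, so the docstring should say so and list what it fills in: `"""Return a fresh pyCADF Resource for the caller: host from remote_addr/user_agent, and id/user_id, project_id, domain_id only when the request context carries them."""`. Note that unlike the removed `_get_request_audit_info(context, user_id)` helper there is no way to supply a user id that the context does not yet hold; the authenticate wrapper in keystone/notifications.py depends on that.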
@@ -77,9 +76,8 @@ class User(controller.V2Controller): # The manager layer will generate the unique ID for users user_ref = self._normalize_domain_id(request, user.copy()) - initiator = notifications._get_request_audit_info(request.context_dict) new_user_ref = self.v3_to_v2_user( - self.identity_api.create_user(user_ref, initiator)) + self.identity_api.create_user(user_ref, request.audit_initiator)) if default_project_id is not None: self.assignment_api.add_user_to_project(default_project_id, @@ -113,9 +111,10 @@ class User(controller.V2Controller): # user update. self.resource_api.get_project(default_project_id) - initiator = notifications._get_request_audit_info(request.context_dict) - user_ref = self.v3_to_v2_user( - self.identity_api.update_user(user_id, user, initiator)) + user_ref = self.identity_api.update_user(user_id, + user, + request.audit_initiator) + user_ref = self.v3_to_v2_user(user_ref) # If 'tenantId' is in either ref, we might need to add or remove the # user from a project. @@ -160,8 +159,7 @@ class User(controller.V2Controller): @controller.v2_deprecated def delete_user(self, request, user_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.delete_user(user_id, initiator) + self.identity_api.delete_user(user_id, request.audit_initiator) @controller.v2_deprecated def set_user_enabled(self, request, user_id, user): @@ -213,8 +211,7 @@ class UserV3(controller.V3Controller): # The manager layer will generate the unique ID for users ref = self._normalize_dict(user) ref = self._normalize_domain_id(request, ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.create_user(ref, initiator) + ref = self.identity_api.create_user(ref, request.audit_initiator) return UserV3.wrap_member(request.context_dict, ref) @controller.filterprotected('domain_id', 'enabled', 'name') 
@@ -236,23 +233,25 @@ class UserV3(controller.V3Controller): ref = self.identity_api.get_user(user_id) return UserV3.wrap_member(request.context_dict, ref) - def _update_user(self, context, user_id, user): + def _update_user(self, request, user_id, user): self._require_matching_id(user_id, user) self._require_matching_domain_id( user_id, user, self.identity_api.get_user) - initiator = notifications._get_request_audit_info(context) - ref = self.identity_api.update_user(user_id, user, initiator) - return UserV3.wrap_member(context, ref) + ref = self.identity_api.update_user(user_id, + user, + request.audit_initiator) + return UserV3.wrap_member(request.context_dict, ref) @controller.protected() def update_user(self, request, user_id, user): validation.lazy_validate(schema.user_update, user) - return self._update_user(request.context_dict, user_id, user) + return self._update_user(request, user_id, user) @controller.protected(callback=_check_user_and_group_protection) def add_user_to_group(self, request, user_id, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.add_user_to_group(user_id, group_id, initiator) + self.identity_api.add_user_to_group(user_id, + group_id, + request.audit_initiator) @controller.protected(callback=_check_user_and_group_protection) def check_user_in_group(self, request, user_id, group_id): 
@@ -260,13 +259,13 @@ class UserV3(controller.V3Controller): @controller.protected(callback=_check_user_and_group_protection) def remove_user_from_group(self, request, user_id, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.remove_user_from_group(user_id, group_id, initiator) + self.identity_api.remove_user_from_group(user_id, + group_id, + request.audit_initiator) @controller.protected() def delete_user(self, request, user_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.identity_api.delete_user(user_id, initiator) + return self.identity_api.delete_user(user_id, request.audit_initiator) @controller.protected() def change_password(self, request, user_id, user): @@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller): # The manager layer will generate the unique ID for groups ref = self._normalize_dict(group) ref = self._normalize_domain_id(request, ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.create_group(ref, initiator) + ref = self.identity_api.create_group(ref, request.audit_initiator) return GroupV3.wrap_member(request.context_dict, ref) @controller.filterprotected('domain_id', 'name') @@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller): self._require_matching_id(group_id, group) self._require_matching_domain_id( group_id, group, self.identity_api.get_group) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.update_group(group_id, group, initiator) + ref = self.identity_api.update_group(group_id, + group, + request.audit_initiator) return GroupV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_group(self, request, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.delete_group(group_id, initiator) + self.identity_api.delete_group(group_id, request.audit_initiator) 
diff --git a/keystone/notifications.py b/keystone/notifications.py index 5c920c132d..860dd5b09e 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -481,19 +481,18 @@ class CadfNotificationWrapper(object): def __call__(self, f): @functools.wraps(f) def wrapper(wrapped_self, request, user_id, *args, **kwargs): - # Always send a notification. - initiator = _get_request_audit_info(request.context_dict, user_id) + """Alway send a notification.""" target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) try: result = f(wrapped_self, request, user_id, *args, **kwargs) except Exception: # For authentication failure send a cadf event as well - _send_audit_notification(self.action, initiator, + _send_audit_notification(self.action, request.audit_initiator, taxonomy.OUTCOME_FAILURE, target, self.event_type) raise else: - _send_audit_notification(self.action, initiator, + _send_audit_notification(self.action, request.audit_initiator, taxonomy.OUTCOME_SUCCESS, target, self.event_type) return result @@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object): return wrapper -def send_saml_audit_notification(action, context, user_id, group_ids, +def send_saml_audit_notification(action, request, user_id, group_ids, identity_provider, protocol, token_id, outcome): """Send notification to inform observers about SAML events. :param action: Action being audited :type action: str - :param context: Current request context to collect request info from - :type context: dict + :param request: Current request to collect request info from + :type request: keystone.common.request.Request :param user_id: User ID from Keystone token :type user_id: str :param group_ids: List of Group IDs from Keystone token 
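Review bot: The removed line passed the explicit `user_id` into `_get_request_audit_info(request.context_dict, user_id)`, while the replacement `request.audit_initiator` populates `user_id`/`id` only from `self.context.user_id`; during an authenticate call the context presumably does not hold the user yet, so both the OUTCOME_SUCCESS and OUTCOME_FAILURE events would now be emitted without identifying the account being authenticated, which is exactly the field an operator needs when reviewing failed logins. Unless the context is guaranteed to be populated before the wrapped plugin runs, compute the initiator once before the `try` and apply the argument: `initiator = request.audit_initiator` then `if user_id and not getattr(initiator, 'user_id', None): initiator.user_id = user_id`, and pass `initiator` to both `_send_audit_notification` calls. The new docstring also has a typo, `"""Alway send a notification."""` should read `"""Always send a notification."""`. The enclosing `__call__` continues past this hunk.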
@@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids, :param outcome: One of :class:`pycadf.cadftaxonomy` :type outcome: str """ - initiator = _get_request_audit_info(context) + initiator = request.audit_initiator target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) audit_type = SAML_AUDIT_TYPE user_id = user_id or taxonomy.UNKNOWN diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py index f55f26eda5..92428b74aa 100644 --- a/keystone/oauth1/controllers.py +++ b/keystone/oauth1/controllers.py @@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller): def create_consumer(self, request, consumer): validation.lazy_validate(schema.consumer_create, consumer) ref = self._assign_unique_id(self._normalize_dict(consumer)) - initiator = notifications._get_request_audit_info(request.context_dict) - consumer_ref = self.oauth_api.create_consumer(ref, initiator) + consumer_ref = self.oauth_api.create_consumer(ref, + request.audit_initiator) return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref) @controller.protected() @@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller): validation.lazy_validate(schema.consumer_update, consumer) self._require_matching_id(consumer_id, consumer) ref = self._normalize_dict(consumer) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.oauth_api.update_consumer(consumer_id, ref, initiator) + ref = self.oauth_api.update_consumer(consumer_id, + ref, + request.audit_initiator) return ConsumerCrudV3.wrap_member(request.context_dict, ref) @controller.protected() 
@@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller): payload = {'user_id': user_token_ref.user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) - initiator = notifications._get_request_audit_info(request.context_dict) - self.oauth_api.delete_consumer(consumer_id, initiator) + self.oauth_api.delete_consumer(consumer_id, request.audit_initiator) @dependency.requires('oauth_api') @@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller): consumer_id = access_token['consumer_id'] payload = {'user_id': user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) - initiator = notifications._get_request_audit_info(request.context_dict) - return self.oauth_api.delete_access_token( - user_id, access_token_id, initiator) + return self.oauth_api.delete_access_token(user_id, + access_token_id, + request.audit_initiator) @staticmethod def _get_user_id(entity): @@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller): # show the details of the failure. oauth1.validate_oauth_params(b) request_token_duration = CONF.oauth1.request_token_duration - initiator = notifications._get_request_audit_info(request.context_dict) - token_ref = self.oauth_api.create_request_token(consumer_id, - requested_project_id, - request_token_duration, - initiator) + token_ref = self.oauth_api.create_request_token( + consumer_id, + requested_project_id, + request_token_duration, + request.audit_initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], 
@@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller): raise exception.Unauthorized(message=msg) access_token_duration = CONF.oauth1.access_token_duration - initiator = notifications._get_request_audit_info(request.context_dict) token_ref = self.oauth_api.create_access_token(request_token_id, access_token_duration, - initiator) + request.audit_initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], diff --git a/keystone/policy/controllers.py b/keystone/policy/controllers.py index 3feef16b94..d7e859b032 100644 --- a/keystone/policy/controllers.py +++ b/keystone/policy/controllers.py @@ -15,7 +15,6 @@ from keystone.common import controller from keystone.common import dependency from keystone.common import validation -from keystone import notifications from keystone.policy import schema @@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller): def create_policy(self, request, policy): validation.lazy_validate(schema.policy_create, policy) ref = self._assign_unique_id(self._normalize_dict(policy)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.policy_api.create_policy(ref['id'], ref, initiator) + ref = self.policy_api.create_policy(ref['id'], + ref, + request.audit_initiator) return PolicyV3.wrap_member(request.context_dict, ref) @controller.filterprotected('type') 
@@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller): @controller.protected() def update_policy(self, request, policy_id, policy): validation.lazy_validate(schema.policy_update, policy) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.policy_api.update_policy(policy_id, policy, initiator) + ref = self.policy_api.update_policy(policy_id, + policy, + request.audit_initiator) return PolicyV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_policy(self, request, policy_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.policy_api.delete_policy(policy_id, initiator) + return self.policy_api.delete_policy(policy_id, + request.audit_initiator) diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py index 2523e8dee9..c84b2e3a14 100644 --- a/keystone/resource/controllers.py +++ b/keystone/resource/controllers.py @@ -26,7 +26,6 @@ from keystone.common import wsgi import keystone.conf from keystone import exception from keystone.i18n import _ -from keystone import notifications from keystone.resource import schema @@ -94,11 +93,10 @@ class Tenant(controller.V2Controller): self.resource_api.ensure_default_domain_exists() tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) - initiator = notifications._get_request_audit_info(request.context_dict) tenant = self.resource_api.create_project( tenant_ref['id'], self._normalize_domain_id(request, tenant_ref), - initiator) + request.audit_initiator) return {'tenant': self.v3_to_v2_project(tenant)} @controller.v2_deprecated 
@@ -107,17 +105,15 @@ class Tenant(controller.V2Controller): self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) - initiator = notifications._get_request_audit_info(request.context_dict) tenant_ref = self.resource_api.update_project( - tenant_id, tenant, initiator) + tenant_id, tenant, request.audit_initiator) return {'tenant': self.v3_to_v2_project(tenant_ref)} @controller.v2_deprecated def delete_project(self, request, tenant_id): self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) - initiator = notifications._get_request_audit_info(request.context_dict) - self.resource_api.delete_project(tenant_id, initiator) + self.resource_api.delete_project(tenant_id, request.audit_initiator) @dependency.requires('resource_api') @@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller): def create_domain(self, request, domain): validation.lazy_validate(schema.domain_create, domain) ref = self._assign_unique_id(self._normalize_dict(domain)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.create_domain(ref['id'], ref, initiator) + ref = self.resource_api.create_domain(ref['id'], + ref, + request.audit_initiator) return DomainV3.wrap_member(request.context_dict, ref) @controller.filterprotected('enabled', 'name') 
@@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller): def update_domain(self, request, domain_id, domain): validation.lazy_validate(schema.domain_update, domain) self._require_matching_id(domain_id, domain) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.update_domain(domain_id, domain, initiator) + ref = self.resource_api.update_domain(domain_id, + domain, + request.audit_initiator) return DomainV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_domain(self, request, domain_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.resource_api.delete_domain(domain_id, initiator) + return self.resource_api.delete_domain(domain_id, + request.audit_initiator) @dependency.requires('domain_config_api') @@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller): if not ref.get('parent_id'): ref['parent_id'] = ref.get('domain_id') - initiator = notifications._get_request_audit_info(request.context_dict) try: - ref = self.resource_api.create_project(ref['id'], ref, - initiator=initiator) + ref = self.resource_api.create_project( + ref['id'], + ref, + initiator=request.audit_initiator) except (exception.DomainNotFound, exception.ProjectNotFound) as e: raise exception.ValidationError(e) return ProjectV3.wrap_member(request.context_dict, ref) 
@@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller): self._require_matching_id(project_id, project) self._require_matching_domain_id( project_id, project, self.resource_api.get_project) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.update_project(project_id, project, - initiator=initiator) + ref = self.resource_api.update_project( + project_id, + project, + initiator=request.audit_initiator) return ProjectV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_project(self, request, project_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.resource_api.delete_project(project_id, - initiator=initiator) + return self.resource_api.delete_project( + project_id, + initiator=request.audit_initiator) diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py index f3e9baa2b5..6ccd351b32 100644 --- a/keystone/tests/unit/test_v3_federation.py +++ b/keystone/tests/unit/test_v3_federation.py @@ -1631,7 +1631,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): super(FederatedTokenTests, self).setUp() self._notifications = [] - def fake_saml_notify(action, context, user_id, group_ids, + def fake_saml_notify(action, request, user_id, group_ids, identity_provider, protocol, token_id, outcome): note = { 'action': action, diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py index 696dbd4543..104a8a495c 100644 --- a/keystone/trust/controllers.py +++ b/keystone/trust/controllers.py @@ -24,7 +24,6 @@ from keystone.common import utils from keystone.common import validation from keystone import exception from keystone.i18n import _ -from keystone import notifications from keystone.trust import schema 
@@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller): trust['expires_at'] = self._parse_expiration_date( trust.get('expires_at')) trust_id = uuid.uuid4().hex - initiator = notifications._get_request_audit_info(request.context_dict) new_trust = self.trust_api.create_trust(trust_id, trust, normalized_roles, redelegated_trust, - initiator) - + request.audit_initiator) self._fill_in_roles(request.context_dict, new_trust) return TrustV3.wrap_member(request.context_dict, new_trust) @@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller): not request.context.is_admin): raise exception.Forbidden() - initiator = notifications._get_request_audit_info(request.context_dict) - self.trust_api.delete_trust(trust_id, initiator) + self.trust_api.delete_trust(trust_id, request.audit_initiator) @controller.protected() def list_roles_for_trust(self, request, trust_id):