diff --git a/keystone/assignment/controllers.py b/keystone/assignment/controllers.py index 965880488c..416e22fe9f 100644 --- a/keystone/assignment/controllers.py +++ b/keystone/assignment/controllers.py @@ -30,7 +30,6 @@ from keystone.common import wsgi import keystone.conf from keystone import exception from keystone.i18n import _ -from keystone import notifications CONF = keystone.conf.CONF @@ -106,15 +105,15 @@ class Role(controller.V2Controller): role_id = uuid.uuid4().hex role['id'] = role_id - initiator = notifications._get_request_audit_info(request.context_dict) - role_ref = self.role_api.create_role(role_id, role, initiator) + role_ref = self.role_api.create_role(role_id, + role, + request.audit_initiator) return {'role': role_ref} @controller.v2_deprecated def delete_role(self, request, role_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.role_api.delete_role(role_id, initiator) + self.role_api.delete_role(role_id, request.audit_initiator) @controller.v2_deprecated def get_roles(self, request): @@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller): @controller.protected() def create_role(self, request, role): validation.lazy_validate(schema.role_create, role) - return self._create_role(request.context_dict, role) + return self._create_role(request, role) @controller.protected() def create_domain_role(self, request, role): validation.lazy_validate(schema.role_create, role) - return self._create_role(request.context_dict, role) + return self._create_role(request, role) def list_roles_wrapper(self, request): if request.params.get('domain_id'): @@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller): @controller.protected() def get_role(self, request, role_id): - return self._get_role(request.context_dict, role_id) + return self._get_role(request, role_id) @controller.protected() def get_domain_role(self, request, role_id): - return self._get_role(request.context_dict, role_id) + return self._get_role(request, role_id) def update_role_wrapper(self, context, role_id, role): # Since we don't allow you change whether a role is global or domain @@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller): @controller.protected() def update_role(self, request, role_id, role): validation.lazy_validate(schema.role_update, role) - return self._update_role(request.context_dict, role_id, role) + return self._update_role(request, role_id, role) @controller.protected() def update_domain_role(self, request, role_id, role): validation.lazy_validate(schema.role_update, role) - return self._update_role(request.context_dict, role_id, role) + return self._update_role(request, role_id, role) def delete_role_wrapper(self, context, role_id): if self._is_domain_role_target(role_id): @@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller): @controller.protected() def delete_role(self, request, role_id): - return self._delete_role(request.context_dict, role_id) + return self._delete_role(request, role_id) @controller.protected() def delete_domain_role(self, request, role_id): - return self._delete_role(request.context_dict, role_id) + return self._delete_role(request, role_id) - def _create_role(self, context, role): + def _create_role(self, request, role): if role['name'] == CONF.member_role_name: # Use the configured member role ID when creating the configured # member role name. This avoids the potential of creating a @@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller): role = self._assign_unique_id(role) ref = self._normalize_dict(role) - - initiator = notifications._get_request_audit_info(context) - ref = self.role_api.create_role(ref['id'], ref, initiator) - return RoleV3.wrap_member(context, ref) + ref = self.role_api.create_role(ref['id'], + ref, + request.audit_initiator) + return RoleV3.wrap_member(request.context_dict, ref) def _list_roles(self, request, filters): hints = RoleV3.build_driver_hints(request, filters) refs = self.role_api.list_roles(hints=hints) return RoleV3.wrap_collection(request.context_dict, refs, hints=hints) - def _get_role(self, context, role_id): + def _get_role(self, request, role_id): ref = self.role_api.get_role(role_id) - return RoleV3.wrap_member(context, ref) + return RoleV3.wrap_member(request.context_dict, ref) - def _update_role(self, context, role_id, role): + def _update_role(self, request, role_id, role): self._require_matching_id(role_id, role) - initiator = notifications._get_request_audit_info(context) - ref = self.role_api.update_role(role_id, role, initiator) - return RoleV3.wrap_member(context, ref) + ref = self.role_api.update_role(role_id, role, request.audit_initiator) + return RoleV3.wrap_member(request.context_dict, ref) - def _delete_role(self, context, role_id): - initiator = notifications._get_request_audit_info(context) - self.role_api.delete_role(role_id, initiator) + def _delete_role(self, request, role_id): + self.role_api.delete_role(role_id, request.audit_initiator) @classmethod def build_driver_hints(cls, request, supported_filters): diff --git a/keystone/auth/plugins/mapped.py b/keystone/auth/plugins/mapped.py index c1e99f5c0d..3dfd0d215c 100644 --- a/keystone/auth/plugins/mapped.py +++ b/keystone/auth/plugins/mapped.py @@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref, group_ids = token_ref.federation_group_ids send_notification = functools.partial( notifications.send_saml_audit_notification, 'authenticate', - request.context_dict, user_id, group_ids, identity_provider, protocol, + request, user_id, group_ids, identity_provider, protocol, token_audit_id) utils.assert_enabled_identity_provider(federation_api, identity_provider) @@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context, # after sending the notification outcome = taxonomy.OUTCOME_FAILURE notifications.send_saml_audit_notification('authenticate', - request.context_dict, + request, user_id, group_ids, identity_provider, protocol, token_id, @@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context, else: outcome = taxonomy.OUTCOME_SUCCESS notifications.send_saml_audit_notification('authenticate', - request.context_dict, + request, user_id, group_ids, identity_provider, protocol, token_id, diff --git a/keystone/catalog/controllers.py b/keystone/catalog/controllers.py index f0773c34a6..62f5d66c55 100644 --- a/keystone/catalog/controllers.py +++ b/keystone/catalog/controllers.py @@ -50,8 +50,7 @@ class Service(controller.V2Controller): @controller.v2_deprecated def delete_service(self, request, service_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.catalog_api.delete_service(service_id, initiator) + self.catalog_api.delete_service(service_id, request.audit_initiator) @controller.v2_deprecated def create_service(self, request, OS_KSADM_service): @@ -60,9 +59,8 @@ class Service(controller.V2Controller): service_id = uuid.uuid4().hex service_ref = OS_KSADM_service.copy() service_ref['id'] = service_id - initiator = notifications._get_request_audit_info(request.context_dict) new_service_ref = self.catalog_api.create_service( - service_id, service_ref, initiator) + service_id, service_ref, request.audit_initiator) return {'OS-KSADM:service': new_service_ref} @@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller): if interface_url: utils.check_endpoint_url(interface_url) - initiator = notifications._get_request_audit_info(request.context_dict) - if endpoint.get('region') is not None: try: self.catalog_api.get_region(endpoint['region']) except exception.RegionNotFound: region = dict(id=endpoint['region']) - self.catalog_api.create_region(region, initiator) + self.catalog_api.create_region(region, request.audit_initiator) legacy_endpoint_ref = endpoint.copy() @@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller): endpoint_ref['interface'] = interface endpoint_ref['url'] = url endpoint_ref['region_id'] = endpoint_ref.pop('region') - self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref, - initiator) + self.catalog_api.create_endpoint(endpoint_ref['id'], + endpoint_ref, + request.audit_initiator) legacy_endpoint_ref['id'] = legacy_endpoint_id return {'endpoint': legacy_endpoint_ref} @@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller): def delete_endpoint(self, request, endpoint_id): """Delete up to three v3 endpoint refs based on a legacy ref ID.""" self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) deleted_at_least_one = False for endpoint in self.catalog_api.list_endpoints(): if endpoint['legacy_endpoint_id'] == endpoint_id: - self.catalog_api.delete_endpoint(endpoint['id'], initiator) + self.catalog_api.delete_endpoint(endpoint['id'], + request.audit_initiator) deleted_at_least_one = True if not deleted_at_least_one: @@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller): if not ref.get('id'): ref = self._assign_unique_id(ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_region(ref, initiator) + ref = self.catalog_api.create_region(ref, request.audit_initiator) return wsgi.render_response( RegionV3.wrap_member(request.context_dict, ref), status=(http_client.CREATED, @@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller): def update_region(self, request, region_id, region): validation.lazy_validate(schema.region_update, region) self._require_matching_id(region_id, region) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_region(region_id, region, initiator) + ref = self.catalog_api.update_region(region_id, + region, + request.audit_initiator) return RegionV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_region(self, request, region_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_region(region_id, initiator) + return self.catalog_api.delete_region(region_id, + request.audit_initiator) @dependency.requires('catalog_api') @@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller): def create_service(self, request, service): validation.lazy_validate(schema.service_create, service) ref = self._assign_unique_id(self._normalize_dict(service)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_service(ref['id'], ref, initiator) + ref = self.catalog_api.create_service(ref['id'], + ref, + request.audit_initiator) return ServiceV3.wrap_member(request.context_dict, ref) @controller.filterprotected('type', 'name') @@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller): def update_service(self, request, service_id, service): validation.lazy_validate(schema.service_update, service) self._require_matching_id(service_id, service) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_service(service_id, service, initiator) + ref = self.catalog_api.update_service(service_id, + service, + request.audit_initiator) return ServiceV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_service(self, request, service_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_service(service_id, initiator) + return self.catalog_api.delete_service(service_id, + request.audit_initiator) @dependency.requires('catalog_api') @@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller): ref = cls.filter_endpoint(ref) return super(EndpointV3, cls).wrap_member(context, ref) - def _validate_endpoint_region(self, endpoint, context=None): + def _validate_endpoint_region(self, endpoint, request): """Ensure the region for the endpoint exists. If 'region_id' is used to specify the region, then we will let the @@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller): self.catalog_api.get_region(endpoint['region_id']) except exception.RegionNotFound: region = dict(id=endpoint['region_id']) - initiator = notifications._get_request_audit_info(context) - self.catalog_api.create_region(region, initiator) + self.catalog_api.create_region(region, request.audit_initiator) return endpoint @@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller): validation.lazy_validate(schema.endpoint_create, endpoint) utils.check_endpoint_url(endpoint['url']) ref = self._assign_unique_id(self._normalize_dict(endpoint)) - ref = self._validate_endpoint_region(ref, request.context_dict) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator) + ref = self._validate_endpoint_region(ref, request) + ref = self.catalog_api.create_endpoint(ref['id'], + ref, + request.audit_initiator) return EndpointV3.wrap_member(request.context_dict, ref) @controller.filterprotected('interface', 'service_id', 'region_id') @@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller): self._require_matching_id(endpoint_id, endpoint) endpoint = self._validate_endpoint_region(endpoint.copy(), - request.context_dict) + request) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.catalog_api.update_endpoint(endpoint_id, endpoint, - initiator) + ref = self.catalog_api.update_endpoint(endpoint_id, + endpoint, + request.audit_initiator) return EndpointV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_endpoint(self, request, endpoint_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.catalog_api.delete_endpoint(endpoint_id, initiator) + return self.catalog_api.delete_endpoint(endpoint_id, + request.audit_initiator) @dependency.requires('catalog_api', 'resource_api') diff --git a/keystone/common/request.py b/keystone/common/request.py index 37f6dd14a1..6638505fcc 100644 --- a/keystone/common/request.py +++ b/keystone/common/request.py @@ -12,11 +12,15 @@ import logging +from pycadf import cadftaxonomy as taxonomy +from pycadf import host +from pycadf import resource import webob from webob.descriptors import environ_getter from keystone.common import authorization from keystone.common import context +from keystone.common import utils import keystone.conf from keystone import exception from keystone.i18n import _, _LW @@ -90,6 +94,26 @@ class Request(webob.Request): # auth_context didn't decode anything we can use raise exception.Unauthorized() + @property + def audit_initiator(self): + """A pyCADF initiator describing the current authenticated context.""" + pycadf_host = host.Host(address=self.remote_addr, + agent=self.user_agent) + initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, + host=pycadf_host) + + if self.context.user_id: + initiator.id = utils.resource_uuid(self.context.user_id) + initiator.user_id = self.context.user_id + + if self.context.project_id: + initiator.project_id = self.context.project_id + + if self.context.domain_id: + initiator.domain_id = self.context.domain_id + + return initiator + auth_type = environ_getter('AUTH_TYPE', None) remote_domain = environ_getter('REMOTE_DOMAIN', None) context = environ_getter(context.REQUEST_CONTEXT_ENV, None) diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py index 4f161ee179..18329fa854 100644 --- a/keystone/identity/controllers.py +++ b/keystone/identity/controllers.py @@ -23,7 +23,6 @@ import keystone.conf from keystone import exception from keystone.i18n import _LW from keystone.identity import schema -from keystone import notifications CONF = keystone.conf.CONF @@ -77,9 +76,8 @@ class User(controller.V2Controller): # The manager layer will generate the unique ID for users user_ref = self._normalize_domain_id(request, user.copy()) - initiator = notifications._get_request_audit_info(request.context_dict) new_user_ref = self.v3_to_v2_user( - self.identity_api.create_user(user_ref, initiator)) + self.identity_api.create_user(user_ref, request.audit_initiator)) if default_project_id is not None: self.assignment_api.add_user_to_project(default_project_id, @@ -113,9 +111,10 @@ class User(controller.V2Controller): # user update. self.resource_api.get_project(default_project_id) - initiator = notifications._get_request_audit_info(request.context_dict) - user_ref = self.v3_to_v2_user( - self.identity_api.update_user(user_id, user, initiator)) + user_ref = self.identity_api.update_user(user_id, + user, + request.audit_initiator) + user_ref = self.v3_to_v2_user(user_ref) # If 'tenantId' is in either ref, we might need to add or remove the # user from a project. @@ -160,8 +159,7 @@ class User(controller.V2Controller): @controller.v2_deprecated def delete_user(self, request, user_id): self.assert_admin(request) - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.delete_user(user_id, initiator) + self.identity_api.delete_user(user_id, request.audit_initiator) @controller.v2_deprecated def set_user_enabled(self, request, user_id, user): @@ -213,8 +211,7 @@ class UserV3(controller.V3Controller): # The manager layer will generate the unique ID for users ref = self._normalize_dict(user) ref = self._normalize_domain_id(request, ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.create_user(ref, initiator) + ref = self.identity_api.create_user(ref, request.audit_initiator) return UserV3.wrap_member(request.context_dict, ref) @controller.filterprotected('domain_id', 'enabled', 'name') @@ -236,23 +233,25 @@ class UserV3(controller.V3Controller): ref = self.identity_api.get_user(user_id) return UserV3.wrap_member(request.context_dict, ref) - def _update_user(self, context, user_id, user): + def _update_user(self, request, user_id, user): self._require_matching_id(user_id, user) self._require_matching_domain_id( user_id, user, self.identity_api.get_user) - initiator = notifications._get_request_audit_info(context) - ref = self.identity_api.update_user(user_id, user, initiator) - return UserV3.wrap_member(context, ref) + ref = self.identity_api.update_user(user_id, + user, + request.audit_initiator) + return UserV3.wrap_member(request.context_dict, ref) @controller.protected() def update_user(self, request, user_id, user): validation.lazy_validate(schema.user_update, user) - return self._update_user(request.context_dict, user_id, user) + return self._update_user(request, user_id, user) @controller.protected(callback=_check_user_and_group_protection) def add_user_to_group(self, request, user_id, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.add_user_to_group(user_id, group_id, initiator) + self.identity_api.add_user_to_group(user_id, + group_id, + request.audit_initiator) @controller.protected(callback=_check_user_and_group_protection) def check_user_in_group(self, request, user_id, group_id): @@ -260,13 +259,13 @@ class UserV3(controller.V3Controller): @controller.protected(callback=_check_user_and_group_protection) def remove_user_from_group(self, request, user_id, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.remove_user_from_group(user_id, group_id, initiator) + self.identity_api.remove_user_from_group(user_id, + group_id, + request.audit_initiator) @controller.protected() def delete_user(self, request, user_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.identity_api.delete_user(user_id, initiator) + return self.identity_api.delete_user(user_id, request.audit_initiator) @controller.protected() def change_password(self, request, user_id, user): @@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller): # The manager layer will generate the unique ID for groups ref = self._normalize_dict(group) ref = self._normalize_domain_id(request, ref) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.create_group(ref, initiator) + ref = self.identity_api.create_group(ref, request.audit_initiator) return GroupV3.wrap_member(request.context_dict, ref) @controller.filterprotected('domain_id', 'name') @@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller): self._require_matching_id(group_id, group) self._require_matching_domain_id( group_id, group, self.identity_api.get_group) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.identity_api.update_group(group_id, group, initiator) + ref = self.identity_api.update_group(group_id, + group, + request.audit_initiator) return GroupV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_group(self, request, group_id): - initiator = notifications._get_request_audit_info(request.context_dict) - self.identity_api.delete_group(group_id, initiator) + self.identity_api.delete_group(group_id, request.audit_initiator) diff --git a/keystone/notifications.py b/keystone/notifications.py index 5c920c132d..860dd5b09e 100644 --- a/keystone/notifications.py +++ b/keystone/notifications.py @@ -481,19 +481,18 @@ class CadfNotificationWrapper(object): def __call__(self, f): @functools.wraps(f) def wrapper(wrapped_self, request, user_id, *args, **kwargs): - # Always send a notification. - initiator = _get_request_audit_info(request.context_dict, user_id) + """Alway send a notification.""" target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) try: result = f(wrapped_self, request, user_id, *args, **kwargs) except Exception: # For authentication failure send a cadf event as well - _send_audit_notification(self.action, initiator, + _send_audit_notification(self.action, request.audit_initiator, taxonomy.OUTCOME_FAILURE, target, self.event_type) raise else: - _send_audit_notification(self.action, initiator, + _send_audit_notification(self.action, request.audit_initiator, taxonomy.OUTCOME_SUCCESS, target, self.event_type) return result @@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object): return wrapper -def send_saml_audit_notification(action, context, user_id, group_ids, +def send_saml_audit_notification(action, request, user_id, group_ids, identity_provider, protocol, token_id, outcome): """Send notification to inform observers about SAML events. :param action: Action being audited :type action: str - :param context: Current request context to collect request info from - :type context: dict + :param request: Current request to collect request info from + :type request: keystone.common.request.Request :param user_id: User ID from Keystone token :type user_id: str :param group_ids: List of Group IDs from Keystone token @@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids, :param outcome: One of :class:`pycadf.cadftaxonomy` :type outcome: str """ - initiator = _get_request_audit_info(context) + initiator = request.audit_initiator target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) audit_type = SAML_AUDIT_TYPE user_id = user_id or taxonomy.UNKNOWN diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py index f55f26eda5..92428b74aa 100644 --- a/keystone/oauth1/controllers.py +++ b/keystone/oauth1/controllers.py @@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller): def create_consumer(self, request, consumer): validation.lazy_validate(schema.consumer_create, consumer) ref = self._assign_unique_id(self._normalize_dict(consumer)) - initiator = notifications._get_request_audit_info(request.context_dict) - consumer_ref = self.oauth_api.create_consumer(ref, initiator) + consumer_ref = self.oauth_api.create_consumer(ref, + request.audit_initiator) return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref) @controller.protected() @@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller): validation.lazy_validate(schema.consumer_update, consumer) self._require_matching_id(consumer_id, consumer) ref = self._normalize_dict(consumer) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.oauth_api.update_consumer(consumer_id, ref, initiator) + ref = self.oauth_api.update_consumer(consumer_id, + ref, + request.audit_initiator) return ConsumerCrudV3.wrap_member(request.context_dict, ref) @controller.protected() @@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller): payload = {'user_id': user_token_ref.user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) - initiator = notifications._get_request_audit_info(request.context_dict) - self.oauth_api.delete_consumer(consumer_id, initiator) + self.oauth_api.delete_consumer(consumer_id, request.audit_initiator) @dependency.requires('oauth_api') @@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller): consumer_id = access_token['consumer_id'] payload = {'user_id': user_id, 'consumer_id': consumer_id} _emit_user_oauth_consumer_token_invalidate(payload) - initiator = notifications._get_request_audit_info(request.context_dict) - return self.oauth_api.delete_access_token( - user_id, access_token_id, initiator) + return self.oauth_api.delete_access_token(user_id, + access_token_id, + request.audit_initiator) @staticmethod def _get_user_id(entity): @@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller): # show the details of the failure. oauth1.validate_oauth_params(b) request_token_duration = CONF.oauth1.request_token_duration - initiator = notifications._get_request_audit_info(request.context_dict) - token_ref = self.oauth_api.create_request_token(consumer_id, - requested_project_id, - request_token_duration, - initiator) + token_ref = self.oauth_api.create_request_token( + consumer_id, + requested_project_id, + request_token_duration, + request.audit_initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], @@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller): raise exception.Unauthorized(message=msg) access_token_duration = CONF.oauth1.access_token_duration - initiator = notifications._get_request_audit_info(request.context_dict) token_ref = self.oauth_api.create_access_token(request_token_id, access_token_duration, - initiator) + request.audit_initiator) result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s' % {'key': token_ref['id'], diff --git a/keystone/policy/controllers.py b/keystone/policy/controllers.py index 3feef16b94..d7e859b032 100644 --- a/keystone/policy/controllers.py +++ b/keystone/policy/controllers.py @@ -15,7 +15,6 @@ from keystone.common import controller from keystone.common import dependency from keystone.common import validation -from keystone import notifications from keystone.policy import schema @@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller): def create_policy(self, request, policy): validation.lazy_validate(schema.policy_create, policy) ref = self._assign_unique_id(self._normalize_dict(policy)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.policy_api.create_policy(ref['id'], ref, initiator) + ref = self.policy_api.create_policy(ref['id'], + ref, + request.audit_initiator) return PolicyV3.wrap_member(request.context_dict, ref) @controller.filterprotected('type') @@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller): @controller.protected() def update_policy(self, request, policy_id, policy): validation.lazy_validate(schema.policy_update, policy) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.policy_api.update_policy(policy_id, policy, initiator) + ref = self.policy_api.update_policy(policy_id, + policy, + request.audit_initiator) return PolicyV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_policy(self, request, policy_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.policy_api.delete_policy(policy_id, initiator) + return self.policy_api.delete_policy(policy_id, + request.audit_initiator) diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py index 2523e8dee9..c84b2e3a14 100644 --- a/keystone/resource/controllers.py +++ b/keystone/resource/controllers.py @@ -26,7 +26,6 @@ from keystone.common import wsgi import keystone.conf from keystone import exception from keystone.i18n import _ -from keystone import notifications from keystone.resource import schema @@ -94,11 +93,10 @@ class Tenant(controller.V2Controller): self.resource_api.ensure_default_domain_exists() tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex) - initiator = notifications._get_request_audit_info(request.context_dict) tenant = self.resource_api.create_project( tenant_ref['id'], self._normalize_domain_id(request, tenant_ref), - initiator) + request.audit_initiator) return {'tenant': self.v3_to_v2_project(tenant)} @controller.v2_deprecated @@ -107,17 +105,15 @@ class Tenant(controller.V2Controller): self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) - initiator = notifications._get_request_audit_info(request.context_dict) tenant_ref = self.resource_api.update_project( - tenant_id, tenant, initiator) + tenant_id, tenant, request.audit_initiator) return {'tenant': self.v3_to_v2_project(tenant_ref)} @controller.v2_deprecated def delete_project(self, request, tenant_id): self.assert_admin(request) self._assert_not_is_domain_project(tenant_id) - initiator = notifications._get_request_audit_info(request.context_dict) - self.resource_api.delete_project(tenant_id, initiator) + self.resource_api.delete_project(tenant_id, request.audit_initiator) @dependency.requires('resource_api') @@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller): def create_domain(self, request, domain): validation.lazy_validate(schema.domain_create, domain) ref = self._assign_unique_id(self._normalize_dict(domain)) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.create_domain(ref['id'], ref, initiator) + ref = self.resource_api.create_domain(ref['id'], + ref, + request.audit_initiator) return DomainV3.wrap_member(request.context_dict, ref) @controller.filterprotected('enabled', 'name') @@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller): def update_domain(self, request, domain_id, domain): validation.lazy_validate(schema.domain_update, domain) self._require_matching_id(domain_id, domain) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.update_domain(domain_id, domain, initiator) + ref = self.resource_api.update_domain(domain_id, + domain, + request.audit_initiator) return DomainV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_domain(self, request, domain_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.resource_api.delete_domain(domain_id, initiator) + return self.resource_api.delete_domain(domain_id, + request.audit_initiator) @dependency.requires('domain_config_api') @@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller): if not ref.get('parent_id'): ref['parent_id'] = ref.get('domain_id') - initiator = notifications._get_request_audit_info(request.context_dict) try: - ref = self.resource_api.create_project(ref['id'], ref, - initiator=initiator) + ref = self.resource_api.create_project( + ref['id'], + ref, + initiator=request.audit_initiator) except (exception.DomainNotFound, exception.ProjectNotFound) as e: raise exception.ValidationError(e) return ProjectV3.wrap_member(request.context_dict, ref) @@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller): self._require_matching_id(project_id, project) self._require_matching_domain_id( project_id, project, self.resource_api.get_project) - initiator = notifications._get_request_audit_info(request.context_dict) - ref = self.resource_api.update_project(project_id, project, - initiator=initiator) + ref = self.resource_api.update_project( + project_id, + project, + initiator=request.audit_initiator) return ProjectV3.wrap_member(request.context_dict, ref) @controller.protected() def delete_project(self, request, project_id): - initiator = notifications._get_request_audit_info(request.context_dict) - return self.resource_api.delete_project(project_id, - initiator=initiator) + return self.resource_api.delete_project( + project_id, + initiator=request.audit_initiator) diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py index ee0792b78d..1021447813 100644 --- a/keystone/tests/unit/test_v3_federation.py +++ b/keystone/tests/unit/test_v3_federation.py @@ -1619,7 +1619,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin): super(FederatedTokenTests, self).setUp() self._notifications = [] - def fake_saml_notify(action, context, user_id, group_ids, + def fake_saml_notify(action, request, user_id, group_ids, identity_provider, protocol, token_id, outcome): note = { 'action': action, diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py index 696dbd4543..104a8a495c 100644 --- a/keystone/trust/controllers.py +++ b/keystone/trust/controllers.py @@ -24,7 +24,6 @@ from keystone.common import utils from keystone.common import validation from keystone import exception from keystone.i18n import _ -from keystone import notifications from keystone.trust import schema @@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller): trust['expires_at'] = self._parse_expiration_date( trust.get('expires_at')) trust_id = uuid.uuid4().hex - initiator = notifications._get_request_audit_info(request.context_dict) new_trust = self.trust_api.create_trust(trust_id, trust, normalized_roles, redelegated_trust, - initiator) - + request.audit_initiator) self._fill_in_roles(request.context_dict, new_trust) return TrustV3.wrap_member(request.context_dict, new_trust) @@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller): not request.context.is_admin): raise exception.Forbidden() - initiator = notifications._get_request_audit_info(request.context_dict) - self.trust_api.delete_trust(trust_id, initiator) + self.trust_api.delete_trust(trust_id, request.audit_initiator) @controller.protected() def list_roles_for_trust(self, request, trust_id):