Merge "Move audit initiator creation to request"
This commit is contained in:
commit
eb55c2c9f1
@ -30,7 +30,6 @@ from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -106,15 +105,15 @@ class Role(controller.V2Controller):
|
||||
role_id = uuid.uuid4().hex
|
||||
|
||||
role['id'] = role_id
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
role_ref = self.role_api.create_role(role_id, role, initiator)
|
||||
role_ref = self.role_api.create_role(role_id,
|
||||
role,
|
||||
request.audit_initiator)
|
||||
return {'role': role_ref}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_role(self, request, role_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.role_api.delete_role(role_id, initiator)
|
||||
self.role_api.delete_role(role_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def get_roles(self, request):
|
||||
@ -319,12 +318,12 @@ class RoleV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def create_role(self, request, role):
|
||||
validation.lazy_validate(schema.role_create, role)
|
||||
return self._create_role(request.context_dict, role)
|
||||
return self._create_role(request, role)
|
||||
|
||||
@controller.protected()
|
||||
def create_domain_role(self, request, role):
|
||||
validation.lazy_validate(schema.role_create, role)
|
||||
return self._create_role(request.context_dict, role)
|
||||
return self._create_role(request, role)
|
||||
|
||||
def list_roles_wrapper(self, request):
|
||||
if request.params.get('domain_id'):
|
||||
@ -348,11 +347,11 @@ class RoleV3(controller.V3Controller):
|
||||
|
||||
@controller.protected()
|
||||
def get_role(self, request, role_id):
|
||||
return self._get_role(request.context_dict, role_id)
|
||||
return self._get_role(request, role_id)
|
||||
|
||||
@controller.protected()
|
||||
def get_domain_role(self, request, role_id):
|
||||
return self._get_role(request.context_dict, role_id)
|
||||
return self._get_role(request, role_id)
|
||||
|
||||
def update_role_wrapper(self, context, role_id, role):
|
||||
# Since we don't allow you change whether a role is global or domain
|
||||
@ -367,12 +366,12 @@ class RoleV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def update_role(self, request, role_id, role):
|
||||
validation.lazy_validate(schema.role_update, role)
|
||||
return self._update_role(request.context_dict, role_id, role)
|
||||
return self._update_role(request, role_id, role)
|
||||
|
||||
@controller.protected()
|
||||
def update_domain_role(self, request, role_id, role):
|
||||
validation.lazy_validate(schema.role_update, role)
|
||||
return self._update_role(request.context_dict, role_id, role)
|
||||
return self._update_role(request, role_id, role)
|
||||
|
||||
def delete_role_wrapper(self, context, role_id):
|
||||
if self._is_domain_role_target(role_id):
|
||||
@ -382,13 +381,13 @@ class RoleV3(controller.V3Controller):
|
||||
|
||||
@controller.protected()
|
||||
def delete_role(self, request, role_id):
|
||||
return self._delete_role(request.context_dict, role_id)
|
||||
return self._delete_role(request, role_id)
|
||||
|
||||
@controller.protected()
|
||||
def delete_domain_role(self, request, role_id):
|
||||
return self._delete_role(request.context_dict, role_id)
|
||||
return self._delete_role(request, role_id)
|
||||
|
||||
def _create_role(self, context, role):
|
||||
def _create_role(self, request, role):
|
||||
if role['name'] == CONF.member_role_name:
|
||||
# Use the configured member role ID when creating the configured
|
||||
# member role name. This avoids the potential of creating a
|
||||
@ -398,29 +397,27 @@ class RoleV3(controller.V3Controller):
|
||||
role = self._assign_unique_id(role)
|
||||
|
||||
ref = self._normalize_dict(role)
|
||||
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.role_api.create_role(ref['id'], ref, initiator)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
ref = self.role_api.create_role(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _list_roles(self, request, filters):
|
||||
hints = RoleV3.build_driver_hints(request, filters)
|
||||
refs = self.role_api.list_roles(hints=hints)
|
||||
return RoleV3.wrap_collection(request.context_dict, refs, hints=hints)
|
||||
|
||||
def _get_role(self, context, role_id):
|
||||
def _get_role(self, request, role_id):
|
||||
ref = self.role_api.get_role(role_id)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _update_role(self, context, role_id, role):
|
||||
def _update_role(self, request, role_id, role):
|
||||
self._require_matching_id(role_id, role)
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.role_api.update_role(role_id, role, initiator)
|
||||
return RoleV3.wrap_member(context, ref)
|
||||
ref = self.role_api.update_role(role_id, role, request.audit_initiator)
|
||||
return RoleV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _delete_role(self, context, role_id):
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
self.role_api.delete_role(role_id, initiator)
|
||||
def _delete_role(self, request, role_id):
|
||||
self.role_api.delete_role(role_id, request.audit_initiator)
|
||||
|
||||
@classmethod
|
||||
def build_driver_hints(cls, request, supported_filters):
|
||||
|
@ -81,7 +81,7 @@ def handle_scoped_token(request, auth_payload, auth_context, token_ref,
|
||||
group_ids = token_ref.federation_group_ids
|
||||
send_notification = functools.partial(
|
||||
notifications.send_saml_audit_notification, 'authenticate',
|
||||
request.context_dict, user_id, group_ids, identity_provider, protocol,
|
||||
request, user_id, group_ids, identity_provider, protocol,
|
||||
token_audit_id)
|
||||
|
||||
utils.assert_enabled_identity_provider(federation_api, identity_provider)
|
||||
@ -171,7 +171,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
|
||||
# after sending the notification
|
||||
outcome = taxonomy.OUTCOME_FAILURE
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
request,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
@ -180,7 +180,7 @@ def handle_unscoped_token(request, auth_payload, auth_context,
|
||||
else:
|
||||
outcome = taxonomy.OUTCOME_SUCCESS
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
request,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
|
@ -50,8 +50,7 @@ class Service(controller.V2Controller):
|
||||
@controller.v2_deprecated
|
||||
def delete_service(self, request, service_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.catalog_api.delete_service(service_id, initiator)
|
||||
self.catalog_api.delete_service(service_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def create_service(self, request, OS_KSADM_service):
|
||||
@ -60,9 +59,8 @@ class Service(controller.V2Controller):
|
||||
service_id = uuid.uuid4().hex
|
||||
service_ref = OS_KSADM_service.copy()
|
||||
service_ref['id'] = service_id
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_service_ref = self.catalog_api.create_service(
|
||||
service_id, service_ref, initiator)
|
||||
service_id, service_ref, request.audit_initiator)
|
||||
return {'OS-KSADM:service': new_service_ref}
|
||||
|
||||
|
||||
@ -147,14 +145,12 @@ class Endpoint(controller.V2Controller):
|
||||
if interface_url:
|
||||
utils.check_endpoint_url(interface_url)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
|
||||
if endpoint.get('region') is not None:
|
||||
try:
|
||||
self.catalog_api.get_region(endpoint['region'])
|
||||
except exception.RegionNotFound:
|
||||
region = dict(id=endpoint['region'])
|
||||
self.catalog_api.create_region(region, initiator)
|
||||
self.catalog_api.create_region(region, request.audit_initiator)
|
||||
|
||||
legacy_endpoint_ref = endpoint.copy()
|
||||
|
||||
@ -178,8 +174,9 @@ class Endpoint(controller.V2Controller):
|
||||
endpoint_ref['interface'] = interface
|
||||
endpoint_ref['url'] = url
|
||||
endpoint_ref['region_id'] = endpoint_ref.pop('region')
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'], endpoint_ref,
|
||||
initiator)
|
||||
self.catalog_api.create_endpoint(endpoint_ref['id'],
|
||||
endpoint_ref,
|
||||
request.audit_initiator)
|
||||
|
||||
legacy_endpoint_ref['id'] = legacy_endpoint_id
|
||||
return {'endpoint': legacy_endpoint_ref}
|
||||
@ -188,12 +185,12 @@ class Endpoint(controller.V2Controller):
|
||||
def delete_endpoint(self, request, endpoint_id):
|
||||
"""Delete up to three v3 endpoint refs based on a legacy ref ID."""
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
|
||||
deleted_at_least_one = False
|
||||
for endpoint in self.catalog_api.list_endpoints():
|
||||
if endpoint['legacy_endpoint_id'] == endpoint_id:
|
||||
self.catalog_api.delete_endpoint(endpoint['id'], initiator)
|
||||
self.catalog_api.delete_endpoint(endpoint['id'],
|
||||
request.audit_initiator)
|
||||
deleted_at_least_one = True
|
||||
|
||||
if not deleted_at_least_one:
|
||||
@ -228,8 +225,7 @@ class RegionV3(controller.V3Controller):
|
||||
if not ref.get('id'):
|
||||
ref = self._assign_unique_id(ref)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_region(ref, initiator)
|
||||
ref = self.catalog_api.create_region(ref, request.audit_initiator)
|
||||
return wsgi.render_response(
|
||||
RegionV3.wrap_member(request.context_dict, ref),
|
||||
status=(http_client.CREATED,
|
||||
@ -252,14 +248,15 @@ class RegionV3(controller.V3Controller):
|
||||
def update_region(self, request, region_id, region):
|
||||
validation.lazy_validate(schema.region_update, region)
|
||||
self._require_matching_id(region_id, region)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_region(region_id, region, initiator)
|
||||
ref = self.catalog_api.update_region(region_id,
|
||||
region,
|
||||
request.audit_initiator)
|
||||
return RegionV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_region(self, request, region_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_region(region_id, initiator)
|
||||
return self.catalog_api.delete_region(region_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api')
|
||||
@ -275,8 +272,9 @@ class ServiceV3(controller.V3Controller):
|
||||
def create_service(self, request, service):
|
||||
validation.lazy_validate(schema.service_create, service)
|
||||
ref = self._assign_unique_id(self._normalize_dict(service))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_service(ref['id'], ref, initiator)
|
||||
ref = self.catalog_api.create_service(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return ServiceV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('type', 'name')
|
||||
@ -296,14 +294,15 @@ class ServiceV3(controller.V3Controller):
|
||||
def update_service(self, request, service_id, service):
|
||||
validation.lazy_validate(schema.service_update, service)
|
||||
self._require_matching_id(service_id, service)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_service(service_id, service, initiator)
|
||||
ref = self.catalog_api.update_service(service_id,
|
||||
service,
|
||||
request.audit_initiator)
|
||||
return ServiceV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_service(self, request, service_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_service(service_id, initiator)
|
||||
return self.catalog_api.delete_service(service_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api')
|
||||
@ -327,7 +326,7 @@ class EndpointV3(controller.V3Controller):
|
||||
ref = cls.filter_endpoint(ref)
|
||||
return super(EndpointV3, cls).wrap_member(context, ref)
|
||||
|
||||
def _validate_endpoint_region(self, endpoint, context=None):
|
||||
def _validate_endpoint_region(self, endpoint, request):
|
||||
"""Ensure the region for the endpoint exists.
|
||||
|
||||
If 'region_id' is used to specify the region, then we will let the
|
||||
@ -346,8 +345,7 @@ class EndpointV3(controller.V3Controller):
|
||||
self.catalog_api.get_region(endpoint['region_id'])
|
||||
except exception.RegionNotFound:
|
||||
region = dict(id=endpoint['region_id'])
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
self.catalog_api.create_region(region, initiator)
|
||||
self.catalog_api.create_region(region, request.audit_initiator)
|
||||
|
||||
return endpoint
|
||||
|
||||
@ -356,9 +354,10 @@ class EndpointV3(controller.V3Controller):
|
||||
validation.lazy_validate(schema.endpoint_create, endpoint)
|
||||
utils.check_endpoint_url(endpoint['url'])
|
||||
ref = self._assign_unique_id(self._normalize_dict(endpoint))
|
||||
ref = self._validate_endpoint_region(ref, request.context_dict)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
|
||||
ref = self._validate_endpoint_region(ref, request)
|
||||
ref = self.catalog_api.create_endpoint(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return EndpointV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('interface', 'service_id', 'region_id')
|
||||
@ -380,17 +379,17 @@ class EndpointV3(controller.V3Controller):
|
||||
self._require_matching_id(endpoint_id, endpoint)
|
||||
|
||||
endpoint = self._validate_endpoint_region(endpoint.copy(),
|
||||
request.context_dict)
|
||||
request)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
|
||||
initiator)
|
||||
ref = self.catalog_api.update_endpoint(endpoint_id,
|
||||
endpoint,
|
||||
request.audit_initiator)
|
||||
return EndpointV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_endpoint(self, request, endpoint_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.catalog_api.delete_endpoint(endpoint_id, initiator)
|
||||
return self.catalog_api.delete_endpoint(endpoint_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('catalog_api', 'resource_api')
|
||||
|
@ -12,11 +12,15 @@
|
||||
|
||||
import logging
|
||||
|
||||
from pycadf import cadftaxonomy as taxonomy
|
||||
from pycadf import host
|
||||
from pycadf import resource
|
||||
import webob
|
||||
from webob.descriptors import environ_getter
|
||||
|
||||
from keystone.common import authorization
|
||||
from keystone.common import context
|
||||
from keystone.common import utils
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _, _LW
|
||||
@ -90,6 +94,26 @@ class Request(webob.Request):
|
||||
# auth_context didn't decode anything we can use
|
||||
raise exception.Unauthorized()
|
||||
|
||||
@property
|
||||
def audit_initiator(self):
|
||||
"""A pyCADF initiator describing the current authenticated context."""
|
||||
pycadf_host = host.Host(address=self.remote_addr,
|
||||
agent=self.user_agent)
|
||||
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
|
||||
host=pycadf_host)
|
||||
|
||||
if self.context.user_id:
|
||||
initiator.id = utils.resource_uuid(self.context.user_id)
|
||||
initiator.user_id = self.context.user_id
|
||||
|
||||
if self.context.project_id:
|
||||
initiator.project_id = self.context.project_id
|
||||
|
||||
if self.context.domain_id:
|
||||
initiator.domain_id = self.context.domain_id
|
||||
|
||||
return initiator
|
||||
|
||||
auth_type = environ_getter('AUTH_TYPE', None)
|
||||
remote_domain = environ_getter('REMOTE_DOMAIN', None)
|
||||
context = environ_getter(context.REQUEST_CONTEXT_ENV, None)
|
||||
|
@ -23,7 +23,6 @@ import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _LW
|
||||
from keystone.identity import schema
|
||||
from keystone import notifications
|
||||
|
||||
|
||||
CONF = keystone.conf.CONF
|
||||
@ -77,9 +76,8 @@ class User(controller.V2Controller):
|
||||
|
||||
# The manager layer will generate the unique ID for users
|
||||
user_ref = self._normalize_domain_id(request, user.copy())
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_user_ref = self.v3_to_v2_user(
|
||||
self.identity_api.create_user(user_ref, initiator))
|
||||
self.identity_api.create_user(user_ref, request.audit_initiator))
|
||||
|
||||
if default_project_id is not None:
|
||||
self.assignment_api.add_user_to_project(default_project_id,
|
||||
@ -113,9 +111,10 @@ class User(controller.V2Controller):
|
||||
# user update.
|
||||
self.resource_api.get_project(default_project_id)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
user_ref = self.v3_to_v2_user(
|
||||
self.identity_api.update_user(user_id, user, initiator))
|
||||
user_ref = self.identity_api.update_user(user_id,
|
||||
user,
|
||||
request.audit_initiator)
|
||||
user_ref = self.v3_to_v2_user(user_ref)
|
||||
|
||||
# If 'tenantId' is in either ref, we might need to add or remove the
|
||||
# user from a project.
|
||||
@ -160,8 +159,7 @@ class User(controller.V2Controller):
|
||||
@controller.v2_deprecated
|
||||
def delete_user(self, request, user_id):
|
||||
self.assert_admin(request)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.delete_user(user_id, initiator)
|
||||
self.identity_api.delete_user(user_id, request.audit_initiator)
|
||||
|
||||
@controller.v2_deprecated
|
||||
def set_user_enabled(self, request, user_id, user):
|
||||
@ -213,8 +211,7 @@ class UserV3(controller.V3Controller):
|
||||
# The manager layer will generate the unique ID for users
|
||||
ref = self._normalize_dict(user)
|
||||
ref = self._normalize_domain_id(request, ref)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.create_user(ref, initiator)
|
||||
ref = self.identity_api.create_user(ref, request.audit_initiator)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'enabled', 'name')
|
||||
@ -236,23 +233,25 @@ class UserV3(controller.V3Controller):
|
||||
ref = self.identity_api.get_user(user_id)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
def _update_user(self, context, user_id, user):
|
||||
def _update_user(self, request, user_id, user):
|
||||
self._require_matching_id(user_id, user)
|
||||
self._require_matching_domain_id(
|
||||
user_id, user, self.identity_api.get_user)
|
||||
initiator = notifications._get_request_audit_info(context)
|
||||
ref = self.identity_api.update_user(user_id, user, initiator)
|
||||
return UserV3.wrap_member(context, ref)
|
||||
ref = self.identity_api.update_user(user_id,
|
||||
user,
|
||||
request.audit_initiator)
|
||||
return UserV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def update_user(self, request, user_id, user):
|
||||
validation.lazy_validate(schema.user_update, user)
|
||||
return self._update_user(request.context_dict, user_id, user)
|
||||
return self._update_user(request, user_id, user)
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def add_user_to_group(self, request, user_id, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.add_user_to_group(user_id, group_id, initiator)
|
||||
self.identity_api.add_user_to_group(user_id,
|
||||
group_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def check_user_in_group(self, request, user_id, group_id):
|
||||
@ -260,13 +259,13 @@ class UserV3(controller.V3Controller):
|
||||
|
||||
@controller.protected(callback=_check_user_and_group_protection)
|
||||
def remove_user_from_group(self, request, user_id, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.remove_user_from_group(user_id, group_id, initiator)
|
||||
self.identity_api.remove_user_from_group(user_id,
|
||||
group_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def delete_user(self, request, user_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.identity_api.delete_user(user_id, initiator)
|
||||
return self.identity_api.delete_user(user_id, request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def change_password(self, request, user_id, user):
|
||||
@ -306,8 +305,7 @@ class GroupV3(controller.V3Controller):
|
||||
# The manager layer will generate the unique ID for groups
|
||||
ref = self._normalize_dict(group)
|
||||
ref = self._normalize_domain_id(request, ref)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.create_group(ref, initiator)
|
||||
ref = self.identity_api.create_group(ref, request.audit_initiator)
|
||||
return GroupV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('domain_id', 'name')
|
||||
@ -334,11 +332,11 @@ class GroupV3(controller.V3Controller):
|
||||
self._require_matching_id(group_id, group)
|
||||
self._require_matching_domain_id(
|
||||
group_id, group, self.identity_api.get_group)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.identity_api.update_group(group_id, group, initiator)
|
||||
ref = self.identity_api.update_group(group_id,
|
||||
group,
|
||||
request.audit_initiator)
|
||||
return GroupV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_group(self, request, group_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.identity_api.delete_group(group_id, initiator)
|
||||
self.identity_api.delete_group(group_id, request.audit_initiator)
|
||||
|
@ -481,19 +481,18 @@ class CadfNotificationWrapper(object):
|
||||
def __call__(self, f):
|
||||
@functools.wraps(f)
|
||||
def wrapper(wrapped_self, request, user_id, *args, **kwargs):
|
||||
# Always send a notification.
|
||||
initiator = _get_request_audit_info(request.context_dict, user_id)
|
||||
"""Alway send a notification."""
|
||||
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
|
||||
try:
|
||||
result = f(wrapped_self, request, user_id, *args, **kwargs)
|
||||
except Exception:
|
||||
# For authentication failure send a cadf event as well
|
||||
_send_audit_notification(self.action, initiator,
|
||||
_send_audit_notification(self.action, request.audit_initiator,
|
||||
taxonomy.OUTCOME_FAILURE,
|
||||
target, self.event_type)
|
||||
raise
|
||||
else:
|
||||
_send_audit_notification(self.action, initiator,
|
||||
_send_audit_notification(self.action, request.audit_initiator,
|
||||
taxonomy.OUTCOME_SUCCESS,
|
||||
target, self.event_type)
|
||||
return result
|
||||
@ -603,15 +602,15 @@ class CadfRoleAssignmentNotificationWrapper(object):
|
||||
return wrapper
|
||||
|
||||
|
||||
def send_saml_audit_notification(action, context, user_id, group_ids,
|
||||
def send_saml_audit_notification(action, request, user_id, group_ids,
|
||||
identity_provider, protocol, token_id,
|
||||
outcome):
|
||||
"""Send notification to inform observers about SAML events.
|
||||
|
||||
:param action: Action being audited
|
||||
:type action: str
|
||||
:param context: Current request context to collect request info from
|
||||
:type context: dict
|
||||
:param request: Current request to collect request info from
|
||||
:type request: keystone.common.request.Request
|
||||
:param user_id: User ID from Keystone token
|
||||
:type user_id: str
|
||||
:param group_ids: List of Group IDs from Keystone token
|
||||
@ -625,7 +624,7 @@ def send_saml_audit_notification(action, context, user_id, group_ids,
|
||||
:param outcome: One of :class:`pycadf.cadftaxonomy`
|
||||
:type outcome: str
|
||||
"""
|
||||
initiator = _get_request_audit_info(context)
|
||||
initiator = request.audit_initiator
|
||||
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
|
||||
audit_type = SAML_AUDIT_TYPE
|
||||
user_id = user_id or taxonomy.UNKNOWN
|
||||
|
@ -65,8 +65,8 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
def create_consumer(self, request, consumer):
|
||||
validation.lazy_validate(schema.consumer_create, consumer)
|
||||
ref = self._assign_unique_id(self._normalize_dict(consumer))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
consumer_ref = self.oauth_api.create_consumer(ref, initiator)
|
||||
consumer_ref = self.oauth_api.create_consumer(ref,
|
||||
request.audit_initiator)
|
||||
return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref)
|
||||
|
||||
@controller.protected()
|
||||
@ -74,8 +74,9 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
validation.lazy_validate(schema.consumer_update, consumer)
|
||||
self._require_matching_id(consumer_id, consumer)
|
||||
ref = self._normalize_dict(consumer)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
|
||||
ref = self.oauth_api.update_consumer(consumer_id,
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
@ -94,8 +95,7 @@ class ConsumerCrudV3(controller.V3Controller):
|
||||
payload = {'user_id': user_token_ref.user_id,
|
||||
'consumer_id': consumer_id}
|
||||
_emit_user_oauth_consumer_token_invalidate(payload)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.oauth_api.delete_consumer(consumer_id, initiator)
|
||||
self.oauth_api.delete_consumer(consumer_id, request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('oauth_api')
|
||||
@ -140,9 +140,9 @@ class AccessTokenCrudV3(controller.V3Controller):
|
||||
consumer_id = access_token['consumer_id']
|
||||
payload = {'user_id': user_id, 'consumer_id': consumer_id}
|
||||
_emit_user_oauth_consumer_token_invalidate(payload)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.oauth_api.delete_access_token(
|
||||
user_id, access_token_id, initiator)
|
||||
return self.oauth_api.delete_access_token(user_id,
|
||||
access_token_id,
|
||||
request.audit_initiator)
|
||||
|
||||
@staticmethod
|
||||
def _get_user_id(entity):
|
||||
@ -248,11 +248,11 @@ class OAuthControllerV3(controller.V3Controller):
|
||||
# show the details of the failure.
|
||||
oauth1.validate_oauth_params(b)
|
||||
request_token_duration = CONF.oauth1.request_token_duration
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
token_ref = self.oauth_api.create_request_token(consumer_id,
|
||||
requested_project_id,
|
||||
request_token_duration,
|
||||
initiator)
|
||||
token_ref = self.oauth_api.create_request_token(
|
||||
consumer_id,
|
||||
requested_project_id,
|
||||
request_token_duration,
|
||||
request.audit_initiator)
|
||||
|
||||
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
|
||||
% {'key': token_ref['id'],
|
||||
@ -340,10 +340,9 @@ class OAuthControllerV3(controller.V3Controller):
|
||||
raise exception.Unauthorized(message=msg)
|
||||
|
||||
access_token_duration = CONF.oauth1.access_token_duration
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
token_ref = self.oauth_api.create_access_token(request_token_id,
|
||||
access_token_duration,
|
||||
initiator)
|
||||
request.audit_initiator)
|
||||
|
||||
result = ('oauth_token=%(key)s&oauth_token_secret=%(secret)s'
|
||||
% {'key': token_ref['id'],
|
||||
|
@ -15,7 +15,6 @@
|
||||
from keystone.common import controller
|
||||
from keystone.common import dependency
|
||||
from keystone.common import validation
|
||||
from keystone import notifications
|
||||
from keystone.policy import schema
|
||||
|
||||
|
||||
@ -28,8 +27,9 @@ class PolicyV3(controller.V3Controller):
|
||||
def create_policy(self, request, policy):
|
||||
validation.lazy_validate(schema.policy_create, policy)
|
||||
ref = self._assign_unique_id(self._normalize_dict(policy))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
|
||||
ref = self.policy_api.create_policy(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return PolicyV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('type')
|
||||
@ -47,11 +47,12 @@ class PolicyV3(controller.V3Controller):
|
||||
@controller.protected()
|
||||
def update_policy(self, request, policy_id, policy):
|
||||
validation.lazy_validate(schema.policy_update, policy)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.policy_api.update_policy(policy_id, policy, initiator)
|
||||
ref = self.policy_api.update_policy(policy_id,
|
||||
policy,
|
||||
request.audit_initiator)
|
||||
return PolicyV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_policy(self, request, policy_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.policy_api.delete_policy(policy_id, initiator)
|
||||
return self.policy_api.delete_policy(policy_id,
|
||||
request.audit_initiator)
|
||||
|
@ -26,7 +26,6 @@ from keystone.common import wsgi
|
||||
import keystone.conf
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.resource import schema
|
||||
|
||||
|
||||
@ -94,11 +93,10 @@ class Tenant(controller.V2Controller):
|
||||
self.resource_api.ensure_default_domain_exists()
|
||||
|
||||
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
tenant = self.resource_api.create_project(
|
||||
tenant_ref['id'],
|
||||
self._normalize_domain_id(request, tenant_ref),
|
||||
initiator)
|
||||
request.audit_initiator)
|
||||
return {'tenant': self.v3_to_v2_project(tenant)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
@ -107,17 +105,15 @@ class Tenant(controller.V2Controller):
|
||||
self.assert_admin(request)
|
||||
self._assert_not_is_domain_project(tenant_id)
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
tenant_ref = self.resource_api.update_project(
|
||||
tenant_id, tenant, initiator)
|
||||
tenant_id, tenant, request.audit_initiator)
|
||||
return {'tenant': self.v3_to_v2_project(tenant_ref)}
|
||||
|
||||
@controller.v2_deprecated
|
||||
def delete_project(self, request, tenant_id):
|
||||
self.assert_admin(request)
|
||||
self._assert_not_is_domain_project(tenant_id)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.resource_api.delete_project(tenant_id, initiator)
|
||||
self.resource_api.delete_project(tenant_id, request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('resource_api')
|
||||
@ -133,8 +129,9 @@ class DomainV3(controller.V3Controller):
|
||||
def create_domain(self, request, domain):
|
||||
validation.lazy_validate(schema.domain_create, domain)
|
||||
ref = self._assign_unique_id(self._normalize_dict(domain))
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.create_domain(ref['id'], ref, initiator)
|
||||
ref = self.resource_api.create_domain(ref['id'],
|
||||
ref,
|
||||
request.audit_initiator)
|
||||
return DomainV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.filterprotected('enabled', 'name')
|
||||
@ -153,14 +150,15 @@ class DomainV3(controller.V3Controller):
|
||||
def update_domain(self, request, domain_id, domain):
|
||||
validation.lazy_validate(schema.domain_update, domain)
|
||||
self._require_matching_id(domain_id, domain)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.update_domain(domain_id, domain, initiator)
|
||||
ref = self.resource_api.update_domain(domain_id,
|
||||
domain,
|
||||
request.audit_initiator)
|
||||
return DomainV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_domain(self, request, domain_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.resource_api.delete_domain(domain_id, initiator)
|
||||
return self.resource_api.delete_domain(domain_id,
|
||||
request.audit_initiator)
|
||||
|
||||
|
||||
@dependency.requires('domain_config_api')
|
||||
@ -241,10 +239,11 @@ class ProjectV3(controller.V3Controller):
|
||||
if not ref.get('parent_id'):
|
||||
ref['parent_id'] = ref.get('domain_id')
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
try:
|
||||
ref = self.resource_api.create_project(ref['id'], ref,
|
||||
initiator=initiator)
|
||||
ref = self.resource_api.create_project(
|
||||
ref['id'],
|
||||
ref,
|
||||
initiator=request.audit_initiator)
|
||||
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
|
||||
raise exception.ValidationError(e)
|
||||
return ProjectV3.wrap_member(request.context_dict, ref)
|
||||
@ -316,13 +315,14 @@ class ProjectV3(controller.V3Controller):
|
||||
self._require_matching_id(project_id, project)
|
||||
self._require_matching_domain_id(
|
||||
project_id, project, self.resource_api.get_project)
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
ref = self.resource_api.update_project(project_id, project,
|
||||
initiator=initiator)
|
||||
ref = self.resource_api.update_project(
|
||||
project_id,
|
||||
project,
|
||||
initiator=request.audit_initiator)
|
||||
return ProjectV3.wrap_member(request.context_dict, ref)
|
||||
|
||||
@controller.protected()
|
||||
def delete_project(self, request, project_id):
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
return self.resource_api.delete_project(project_id,
|
||||
initiator=initiator)
|
||||
return self.resource_api.delete_project(
|
||||
project_id,
|
||||
initiator=request.audit_initiator)
|
||||
|
@ -1619,7 +1619,7 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
|
||||
super(FederatedTokenTests, self).setUp()
|
||||
self._notifications = []
|
||||
|
||||
def fake_saml_notify(action, context, user_id, group_ids,
|
||||
def fake_saml_notify(action, request, user_id, group_ids,
|
||||
identity_provider, protocol, token_id, outcome):
|
||||
note = {
|
||||
'action': action,
|
||||
|
@ -24,7 +24,6 @@ from keystone.common import utils
|
||||
from keystone.common import validation
|
||||
from keystone import exception
|
||||
from keystone.i18n import _
|
||||
from keystone import notifications
|
||||
from keystone.trust import schema
|
||||
|
||||
|
||||
@ -137,12 +136,10 @@ class TrustV3(controller.V3Controller):
|
||||
trust['expires_at'] = self._parse_expiration_date(
|
||||
trust.get('expires_at'))
|
||||
trust_id = uuid.uuid4().hex
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
new_trust = self.trust_api.create_trust(trust_id, trust,
|
||||
normalized_roles,
|
||||
redelegated_trust,
|
||||
initiator)
|
||||
|
||||
request.audit_initiator)
|
||||
self._fill_in_roles(request.context_dict, new_trust)
|
||||
return TrustV3.wrap_member(request.context_dict, new_trust)
|
||||
|
||||
@ -227,8 +224,7 @@ class TrustV3(controller.V3Controller):
|
||||
not request.context.is_admin):
|
||||
raise exception.Forbidden()
|
||||
|
||||
initiator = notifications._get_request_audit_info(request.context_dict)
|
||||
self.trust_api.delete_trust(trust_id, initiator)
|
||||
self.trust_api.delete_trust(trust_id, request.audit_initiator)
|
||||
|
||||
@controller.protected()
|
||||
def list_roles_for_trust(self, request, trust_id):
|
||||
|
Loading…
Reference in New Issue
Block a user