openstack/keystone
Code Issues Proposed changes
b9e53a4e8a
keystone/keystone/common/context.py
Lance Bragstad 0dc5c4edab Pass context objects to policy enforcement 
The oslo.policy library actually accepts context objects as a first
class citizen, instead of a hand-built `creds` dictionary. This is a
perferred approach because it's easier for services to use
oslo.context to generate a context object that they can automatically
pass to oslo.policy for enforcement instead of inspecting the context
object and building a dictionary manually to pass to oslo.policy.

This commit makes allows keystone to partake in this by pulling the
keystone request object, which is a subclass of oslo.context's
RequestContext object, and uses it in enforcement. Additionally,
we're overriding the to_policy_values() method of oslo.context
in order to make sure we port keystone-specific values to the policy
dict representation of a context object. This ensures we have values
present that we rely on with our default policies.

This commit also bumps the lower requirement for oslo.policy to
make sure we're always using a version that understands context
objects.

Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
2018-11-26 19:48:10 +00:00

68 lines
2.8 KiB
Python
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from oslo_context import context as oslo_context
REQUEST_CONTEXT_ENV = 'keystone.oslo_request_context'
def _prop(name):
return property(lambda x: getattr(x, name),
lambda x, y: setattr(x, name, y))
class RequestContext(oslo_context.RequestContext):
def __init__(self, **kwargs):
self.username = kwargs.pop('username', None)
self.project_tag_name = kwargs.pop('project_tag_name', None)
self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
self.trust_id = kwargs.pop('trust_id', None)
self.trustor_id = kwargs.pop('trustor_id', None)
self.trustee_id = kwargs.pop('trustee_id', None)
self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
self.authenticated = kwargs.pop('authenticated', False)
super(RequestContext, self).__init__(**kwargs)
def to_policy_values(self):
"""Add keystone-specific policy values to policy representation.
This method converts generic policy values to a dictionary form using
the base implementation from oslo_context.context.RequestContext.
Afterwards, it is going to pull keystone-specific values off the
context and represent them as items in the policy values dictionary.
This is because keystone uses default policies that rely on these
values, so we need to guarantee they are present during policy
enforcement if they are present on the context object.
This method is automatically called in
oslo_policy.policy.Enforcer.enforce() if oslo.policy knows it's dealing
with a context object.
"""
# TODO(morgan): Rework this to not need an explicit token render as
# this is a generally poorly designed behavior. The enforcer should not
# rely on a contract of the token's rendered JSON form. This likely
# needs reworking of how we handle the context in oslo.policy. Until
# this is reworked, it is not possible to merge the token render
# function into keystone.api
values = super(RequestContext, self).to_policy_values()
values['token'] = self.token_reference['token']
values['domain_id'] = self.domain_id if self.domain_id else None
return values
View Git Blame Copy Permalink