0dc5c4edab
The oslo.policy library actually accepts context objects as a first class citizen, instead of a hand-built `creds` dictionary. This is a perferred approach because it's easier for services to use oslo.context to generate a context object that they can automatically pass to oslo.policy for enforcement instead of inspecting the context object and building a dictionary manually to pass to oslo.policy. This commit makes allows keystone to partake in this by pulling the keystone request object, which is a subclass of oslo.context's RequestContext object, and uses it in enforcement. Additionally, we're overriding the to_policy_values() method of oslo.context in order to make sure we port keystone-specific values to the policy dict representation of a context object. This ensures we have values present that we rely on with our default policies. This commit also bumps the lower requirement for oslo.policy to make sure we're always using a version that understands context objects. Change-Id: I63e713f4aebf3e8cf5189a6060569d2828bc364d
68 lines
2.8 KiB
Python
68 lines
2.8 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from oslo_context import context as oslo_context
|
|
|
|
|
|
REQUEST_CONTEXT_ENV = 'keystone.oslo_request_context'
|
|
|
|
|
|
def _prop(name):
|
|
return property(lambda x: getattr(x, name),
|
|
lambda x, y: setattr(x, name, y))
|
|
|
|
|
|
class RequestContext(oslo_context.RequestContext):
|
|
|
|
def __init__(self, **kwargs):
|
|
self.username = kwargs.pop('username', None)
|
|
self.project_tag_name = kwargs.pop('project_tag_name', None)
|
|
|
|
self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
|
|
|
|
self.trust_id = kwargs.pop('trust_id', None)
|
|
self.trustor_id = kwargs.pop('trustor_id', None)
|
|
self.trustee_id = kwargs.pop('trustee_id', None)
|
|
|
|
self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
|
|
self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
|
|
|
|
self.authenticated = kwargs.pop('authenticated', False)
|
|
super(RequestContext, self).__init__(**kwargs)
|
|
|
|
def to_policy_values(self):
|
|
"""Add keystone-specific policy values to policy representation.
|
|
|
|
This method converts generic policy values to a dictionary form using
|
|
the base implementation from oslo_context.context.RequestContext.
|
|
Afterwards, it is going to pull keystone-specific values off the
|
|
context and represent them as items in the policy values dictionary.
|
|
This is because keystone uses default policies that rely on these
|
|
values, so we need to guarantee they are present during policy
|
|
enforcement if they are present on the context object.
|
|
|
|
This method is automatically called in
|
|
oslo_policy.policy.Enforcer.enforce() if oslo.policy knows it's dealing
|
|
with a context object.
|
|
|
|
"""
|
|
# TODO(morgan): Rework this to not need an explicit token render as
|
|
# this is a generally poorly designed behavior. The enforcer should not
|
|
# rely on a contract of the token's rendered JSON form. This likely
|
|
# needs reworking of how we handle the context in oslo.policy. Until
|
|
# this is reworked, it is not possible to merge the token render
|
|
# function into keystone.api
|
|
values = super(RequestContext, self).to_policy_values()
|
|
values['token'] = self.token_reference['token']
|
|
values['domain_id'] = self.domain_id if self.domain_id else None
|
|
return values
|