author | asteroide <thomas.duval@orange.com> | 2015-09-26 23:31:49 +0200 |
committer | asteroide <thomas.duval@orange.com> | 2015-09-26 23:31:49 +0200 |
commit | 43da0e268fd88c05e49a3d949e3685a13fa43926 (patch) | |
tree | 089a7404eb370c844444613afa550a53490f59b8 /keystone-moon/keystone/contrib | |
parent | 82636f27ac48eadd10c7a6e5c20b87466f2d3fc2 (diff) |
Review the KeystoneMiddleware code, fix some bugs in the authz functions.
Change-Id: I9d9966c061fc71cd8ef5ce88217dcdfa63e0722f
Diffstat (limited to 'keystone-moon/keystone/contrib')
-rw-r--r-- | keystone-moon/keystone/contrib/moon/algorithms.py | 3 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/controllers.py | 8 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/core.py | 19 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/routers.py | 6 |
4 files changed, 16 insertions, 20 deletions
diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py index 30305fc1..2f997efc 100644 --- a/keystone-moon/keystone/contrib/moon/algorithms.py +++ b/keystone-moon/keystone/contrib/moon/algorithms.py @@ -1,4 +1,7 @@ import itertools +from oslo_log import log +LOG = log.getLogger(__name__) + """ an example of authz_buffer, sub_meta_rule_dict, rule_dict authz_buffer = { diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index c4fc0add..58e62a28 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -134,11 +134,11 @@ class Authz_v3(controller.V3Controller): super(Authz_v3, self).__init__() @controller.protected() - def get_authz(self, context, tenant_name, subject_name, object_name, action_name): + def get_authz(self, context, tenant_id, subject_k_id, object_name, action_name): try: - return self.authz_api.authz(tenant_name, subject_name, object_name, action_name) - except: - return False + return self.authz_api.authz(tenant_id, subject_k_id, object_name, action_name) + except Exception as e: + return {'authz': False, 'comment': unicode(e)} @dependency.requires('admin_api', 'authz_api') diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index 97d18ca5..1b07dfd1 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -584,7 +584,7 @@ class IntraExtensionManager(manager.Manager): decision = one_true(decision_buffer) if not decision: raise AuthzException("{} {}-{}-{}".format(intra_extension_id, subject_id, action_id, object_id)) - return decision + return {'authz': decision, 'comment': ''} @enforce("read", "intra_extensions") def get_intra_extensions_dict(self, user_id): 
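Review bot: The new `except Exception as e` branch in get_authz hands `unicode(e)` straight back to the API caller, and the AuthzException raised in core.py in this same commit formats the intra-extension, subject, action and object ids into its message, so a denied request now echoes internal identifiers over the wire; the `comment` field should carry a fixed string or at most the exception class name, with the detail logged server-side, e.g. `LOG.exception("authz failed")` followed by `return {'authz': False, 'comment': e.__class__.__name__}`. Catching Exception is fail-closed, which is right for an authorization endpoint, but it also turns a TypeError or KeyError from a broken driver into a silent deny, so the log line is not optional. `unicode()` is Python 2 only; `six.text_type(e)` is the portable spelling if six is already imported in this module. The enclosing class Authz_v3 continues outside the hunk.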
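Review bot: At the new `return {'authz': decision, 'comment': ''}` the `authz` key can only ever be True, because the line just above raises AuthzException whenever `decision` is falsy; the deny case is therefore expressed by exception here and by a dict only in the controller, which is easy to misread, so a comment `# the deny path raises; the controller maps the exception to {'authz': False}` above the return would save the next maintainer a trip. If the method has a docstring it starts outside the hunk and should now describe the dict shape rather than a boolean. The exception message also interpolates raw ids that the controller now forwards to the client; see the note on controllers.py.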
@@ -1808,7 +1808,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager): def __init__(self): super(IntraExtensionAuthzManager, self).__init__() - def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"): + def authz(self, tenant_id, subject_k_id, object_name, action_name, genre="authz"): """Check authorization for a particular action. :return: True or False or raise an exception """ @@ -1818,27 +1818,20 @@ class IntraExtensionAuthzManager(IntraExtensionManager): genre = "intra_admin_extension_id" tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id()) - tenant_id = None - for _tenant_id in tenants_dict: - if tenants_dict[_tenant_id]["name"] == tenant_name: - tenant_id = _tenant_id - break - if not tenant_id: - raise TenantUnknown + + if tenant_id not in tenants_dict: + raise TenantUnknown() intra_extension_id = tenants_dict[tenant_id][genre] if not intra_extension_id: raise TenantNoIntraExtension() - subjects_dict = self.driver.get_subjects_dict(intra_extension_id) subject_id = None for _subject_id in subjects_dict: - if subjects_dict[_subject_id]['keystone_name'] == subject_name: - # subject_id = subjects_dict[_subject_id]['keystone_id'] + if subjects_dict[_subject_id]['keystone_id'] == subject_k_id: subject_id = _subject_id break if not subject_id: raise SubjectUnknown() - objects_dict = self.driver.get_objects_dict(intra_extension_id) object_id = None for _object_id in objects_dict: diff --git a/keystone-moon/keystone/contrib/moon/routers.py b/keystone-moon/keystone/contrib/moon/routers.py index 4da672cf..357ae060 100644 --- a/keystone-moon/keystone/contrib/moon/routers.py +++ b/keystone-moon/keystone/contrib/moon/routers.py 
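Review bot: The docstring kept as context here still says `:return: True or False or raise an exception`, while this commit changes the base IntraExtensionManager.authz (hunk at line 584 of the same file) to return `{'authz': decision, 'comment': ''}`; if this override ends by delegating to the base implementation, which its body outside the hunk presumably does, the docstring should read `:return: dict {'authz': bool, 'comment': str}, or raise an exception`. The renamed `subject_k_id` also deserves a line saying it is matched against the subject's `keystone_id` rather than its name, which is what the following hunk does. The body of authz continues past this hunk.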
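Review bot: The subject lookup after the tenant check still scans `subjects_dict` with a loop-and-break to find the entry whose `keystone_id` equals `subject_k_id`; a generator with a default reads as a single lookup, `subject_id = next((sid for sid, s in subjects_dict.items() if s['keystone_id'] == subject_k_id), None)`, and the same shape would suit the object and action scans that follow. The `s['keystone_id']` indexing assumes every subject record carries that key, which the old commented-out line suggests is the case but the hunk does not prove. Changing `raise TenantUnknown` to `raise TenantUnknown()` is a real fix, since the bare class would have raised on the wrong path under some callers. The rest of authz, including the object lookup, continues outside the hunk.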
@@ -76,12 +76,12 @@ class Routers(wsgi.V3ExtensionRouter): # Authz route self._add_resource( mapper, authz_controller, - path=self.PATH_PREFIX+'/authz/{tenant_name}/{subject_name}/{object_name}/{action_name}', + path=self.PATH_PREFIX+'/authz/{tenant_id}/{subject_k_id}/{object_name}/{action_name}', get_action='get_authz', rel=self._get_rel('authz'), path_vars={ - 'tenant_name': self._get_path('tenants'), - 'subject_name': self._get_path('subjects'), + 'tenant_id': self._get_path('tenants'), + 'subject_k_id': self._get_path('subjects'), 'object_name': self._get_path('objects'), 'action_name': self._get_path('actions'), }) |