authorasteroide <thomas.duval@orange.com>2015-09-26 23:31:49 +0200
committerasteroide <thomas.duval@orange.com>2015-09-26 23:31:49 +0200
commit43da0e268fd88c05e49a3d949e3685a13fa43926 (patch)
tree089a7404eb370c844444613afa550a53490f59b8 /keystone-moon/keystone/contrib
parent82636f27ac48eadd10c7a6e5c20b87466f2d3fc2 (diff)
Review the KeystoneMiddleware code, fix some bugs in the authz functions.
Change-Id: I9d9966c061fc71cd8ef5ce88217dcdfa63e0722f
Diffstat (limited to 'keystone-moon/keystone/contrib')
-rw-r--r--keystone-moon/keystone/contrib/moon/algorithms.py3
-rw-r--r--keystone-moon/keystone/contrib/moon/controllers.py8
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py19
-rw-r--r--keystone-moon/keystone/contrib/moon/routers.py6
4 files changed, 16 insertions, 20 deletions
diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py
index 30305fc1..2f997efc 100644
--- a/keystone-moon/keystone/contrib/moon/algorithms.py
+++ b/keystone-moon/keystone/contrib/moon/algorithms.py
@@ -1,4 +1,7 @@
import itertools
+from oslo_log import log
+LOG = log.getLogger(__name__)
+
""" an example of authz_buffer, sub_meta_rule_dict, rule_dict
authz_buffer = {
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index c4fc0add..58e62a28 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -134,11 +134,11 @@ class Authz_v3(controller.V3Controller):
super(Authz_v3, self).__init__()
@controller.protected()
- def get_authz(self, context, tenant_name, subject_name, object_name, action_name):
+ def get_authz(self, context, tenant_id, subject_k_id, object_name, action_name):
try:
- return self.authz_api.authz(tenant_name, subject_name, object_name, action_name)
- except:
- return False
+ return self.authz_api.authz(tenant_id, subject_k_id, object_name, action_name)
+ except Exception as e:
+ return {'authz': False, 'comment': unicode(e)}
@dependency.requires('admin_api', 'authz_api')
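Review bot: The new `except Exception as e` branch in `get_authz` hands the raw exception text back to the API client in `comment`, and the exceptions that `authz` raises carry internal state: the `AuthzException` built in core.py in this same commit is formatted from intra_extension_id, subject_id, action_id and object_id, and the distinct TenantUnknown / TenantNoIntraExtension / SubjectUnknown types reveal which of a path-supplied tenant or subject id actually exists. Catching every `Exception` also turns programming errors and backend failures into an ordinary deny with the error message attached, rather than a 500 that operators notice. I would keep the detail server-side and return a fixed string: `except Exception as e:` / `LOG.warning('authz check failed: %s', e)` / `return {'authz': False, 'comment': 'authorization denied'}` — this assumes controllers.py has a module-level LOG; if it does not, add the same `oslo_log` getLogger lines the commit adds to algorithms.py.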
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index 97d18ca5..1b07dfd1 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -584,7 +584,7 @@ class IntraExtensionManager(manager.Manager):
decision = one_true(decision_buffer)
if not decision:
raise AuthzException("{} {}-{}-{}".format(intra_extension_id, subject_id, action_id, object_id))
- return decision
+ return {'authz': decision, 'comment': ''}
@enforce("read", "intra_extensions")
def get_intra_extensions_dict(self, user_id):
@@ -1808,7 +1808,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
def __init__(self):
super(IntraExtensionAuthzManager, self).__init__()
- def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"):
+ def authz(self, tenant_id, subject_k_id, object_name, action_name, genre="authz"):
"""Check authorization for a particular action.
:return: True or False or raise an exception
"""
@@ -1818,27 +1818,20 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
genre = "intra_admin_extension_id"
tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id())
- tenant_id = None
- for _tenant_id in tenants_dict:
- if tenants_dict[_tenant_id]["name"] == tenant_name:
- tenant_id = _tenant_id
- break
- if not tenant_id:
- raise TenantUnknown
+
+ if tenant_id not in tenants_dict:
+ raise TenantUnknown()
intra_extension_id = tenants_dict[tenant_id][genre]
if not intra_extension_id:
raise TenantNoIntraExtension()
-
subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
subject_id = None
for _subject_id in subjects_dict:
- if subjects_dict[_subject_id]['keystone_name'] == subject_name:
- # subject_id = subjects_dict[_subject_id]['keystone_id']
+ if subjects_dict[_subject_id]['keystone_id'] == subject_k_id:
subject_id = _subject_id
break
if not subject_id:
raise SubjectUnknown()
-
objects_dict = self.driver.get_objects_dict(intra_extension_id)
object_id = None
for _object_id in objects_dict:
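Review bot: The tenant and subject lookups at the top of this hunk resolve caller-supplied `tenant_id` and `subject_k_id` (taken straight from the URL path per routers.py) under the root admin identity via `self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id())`, with nothing tying `subject_k_id` to the user making the request; unless the policy rule behind `@controller.protected()` restricts this (not visible here), any authenticated caller can request a decision about any tenant and user, and the three distinct exception types let it probe which ids exist. If this is intended for a trusted middleware, the method docstring should say so, e.g. `Callers are trusted: tenant_id and subject_k_id are resolved with root privileges, so this method must only be reachable behind a policy that restricts who may query other subjects.` The object loop and the rest of `authz` continue past the end of this hunk.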
diff --git a/keystone-moon/keystone/contrib/moon/routers.py b/keystone-moon/keystone/contrib/moon/routers.py
index 4da672cf..357ae060 100644
--- a/keystone-moon/keystone/contrib/moon/routers.py
+++ b/keystone-moon/keystone/contrib/moon/routers.py
@@ -76,12 +76,12 @@ class Routers(wsgi.V3ExtensionRouter):
# Authz route
self._add_resource(
mapper, authz_controller,
- path=self.PATH_PREFIX+'/authz/{tenant_name}/{subject_name}/{object_name}/{action_name}',
+ path=self.PATH_PREFIX+'/authz/{tenant_id}/{subject_k_id}/{object_name}/{action_name}',
get_action='get_authz',
rel=self._get_rel('authz'),
path_vars={
- 'tenant_name': self._get_path('tenants'),
- 'subject_name': self._get_path('subjects'),
+ 'tenant_id': self._get_path('tenants'),
+ 'subject_k_id': self._get_path('subjects'),
'object_name': self._get_path('objects'),
'action_name': self._get_path('actions'),
})