-rw-r--r--keystone-moon/keystone/contrib/moon/controllers.py4
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py39
-rw-r--r--keystone-moon/keystone/contrib/moon/routers.py6
-rw-r--r--moonclient/moonclient/intraextension.py15
-rw-r--r--moonclient/setup.py1
5 files changed, 47 insertions, 18 deletions
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py
index 58e62a28..84e27fa3 100644
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -208,6 +208,10 @@ class IntraExtensions(controller.V3Controller):
intra_extension_dict['description'] = kw.get('intra_extension_description', None)
return self.admin_api.set_intra_extension_dict(user_id, intra_extension_id, intra_extension_dict)
+ @controller.protected()
+ def load_root_intra_extension(self, context, **kw):
+ self.admin_api.load_root_intra_extension_dict()
+
# Metadata functions
@controller.protected()
def get_subject_categories(self, context, **kw):
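Review bot: The new load_root_intra_extension handler discards the value returned by admin_api.load_root_intra_extension_dict() and returns None, so the HTTP client cannot tell whether the root intra-extension was created or already present; `return self.admin_api.load_root_intra_extension_dict()` would surface it. Unlike set_intra_extension_dict just above it, the call passes no user_id or context through to the admin API, so the only gate on this endpoint is `@controller.protected()` and the moon-level enforce is never consulted — the core.py Note comment says this is deliberate for the root extension, but that should be stated at the endpoint. A one-line docstring such as `"""Create the root intra-extension from CONF.moon.root_policy_directory (not subject to moon enforce)."""` would make the side effect visible to the next reader.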
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index 6f9832e9..a227174c 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -176,28 +176,27 @@ def enforce(action_names, object_name, **extra):
else:
intra_extension_id = intra_root_extension_id
+ try:
+ tenants_dict = self.tenant_api.driver.get_tenants_dict()
+ except AttributeError:
+ tenants_dict = self.driver.get_tenants_dict()
if self.root_api.is_admin_subject(user_id):
# TODO: check if there is no security hole here
+ self.moonlog_api.driver.info("Authorizing because it is the user admin of the root intra-extension")
returned_value_for_func = func(*args, **kwargs)
else:
intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict()
if intra_extension_id not in intra_extensions_dict:
# if id is not an intra_extension, maybe it is a tenant id
- try:
- tenants_dict = self.tenant_api.driver.get_tenants_dict()
- except AttributeError:
- tenants_dict = self.driver.get_tenants_dict()
+ intra_extension_id = intra_root_extension_id
if intra_extension_id in tenants_dict:
# id is in fact a tenant id so, we must check against the Root intra_extension
intra_extension_id = intra_root_extension_id
+ LOG.warning("intra_extension_id is a tenant ID ({})".format(intra_extension_id))
else:
# id is not a known tenant ID, so we must check against the Root intra_extension
intra_extension_id = intra_root_extension_id
- LOG.warning("Cannot enforce because the intra-extension is unknown ({})".format(intra_extension_id))
- try:
- tenants_dict = self.tenant_api.driver.get_tenants_dict()
- except AttributeError:
- tenants_dict = self.driver.get_tenants_dict()
+ LOG.warning("Cannot enforce because the intra-extension is unknown (fallback to the root intraextension)")
for _tenant_id in tenants_dict:
if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \
tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id:
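Review bot: The membership test `if intra_extension_id in tenants_dict:` now runs after the added line `intra_extension_id = intra_root_extension_id`, so it checks whether the root extension id is a tenant id rather than whether the requested id was; the "intra_extension_id is a tenant ID" warning consequently prints the root id and the two branches become indistinguishable. Dropping that added assignment restores the original test, since both branches already assign the root id themselves. In the same hunk the hoisted tenants_dict lookup is now executed on every enforce call including the root-admin short-circuit, and that short-circuit logs through `self.moonlog_api.driver.info` while the rest of the function uses `self.moonlog_api` and LOG; given the "check if there is no security hole here" TODO still sits on that bypass, the new info line should at least include user_id so the bypass is attributable in the log. The body of enforce continues outside the hunk.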
@@ -261,7 +260,9 @@ def enforce(action_names, object_name, **extra):
authz_result = False
for action_id in action_id_list:
- if self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id):
+ res = self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id)
+ self.moonlog_api.info("res={}".format(res))
+ if res:
authz_result = True
else:
self.moonlog_api.authz("No authorization for ({} {}-{}-{})".format(
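Review bot: The added `self.moonlog_api.info("res={}".format(res))` records neither the subject, object nor action, so a reader of the authorization log cannot tell which decision the line belongs to; the negative branch directly below formats those ids and the positive result should carry the same, e.g. `self.moonlog_api.info("authz result {} for ({} {}-{}-{})".format(res, intra_admin_extension_id, user_id, object_id, action_id))` (the exact ids the authz message below uses are outside the hunk, so mirror them). The loop and the enclosing enforce body continue outside the hunk.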
@@ -519,6 +520,13 @@ class IntraExtensionManager(manager.Manager):
}
"""
authz_buffer = dict()
+ # Sometimes it is not the subject ID but the User Keystone ID, so, we have to check
+ subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
+ if subject_id not in subjects_dict.keys():
+ for _subject_id in subjects_dict:
+ if subjects_dict[_subject_id]['keystone_id']:
+ subject_id = _subject_id
+ break
authz_buffer['subject_id'] = subject_id
authz_buffer['object_id'] = object_id
authz_buffer['action_id'] = action_id
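Review bot: The loop that remaps an unknown subject_id tests `if subjects_dict[_subject_id]['keystone_id']:`, i.e. the truthiness of the stored keystone id, not its equality with the incoming value, so any subject_id that is not a key of subjects_dict is silently replaced by the first subject that has a non-empty keystone_id and the authorization is then evaluated for a different principal. The comparison should be `if subjects_dict[_subject_id]['keystone_id'] == subject_id:`, and the `.keys()` in the membership test is redundant (`if subject_id not in subjects_dict:`). When no entry matches, subject_id is passed on unchanged; a comment saying so, or a debug line naming the unresolved id, would help whoever reads the resulting "no authorization" entries. The enclosing method starts above the hunk.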
@@ -882,7 +890,7 @@ class IntraExtensionManager(manager.Manager):
self.__load_rule_file(ie_dict, template_dir)
return ref
- def load_root_intra_extension_dict(self, policy_template):
+ def load_root_intra_extension_dict(self, policy_template=CONF.moon.root_policy_directory):
# Note (asteroide): Only one root Extension is authorized
# and this extension is created at the very beginning of the server
# so we don't need to use enforce here
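Review bot: `policy_template=CONF.moon.root_policy_directory` is evaluated once, when the class body is executed at import time, so the default captures whatever the option holds at that moment — depending on import order that may be the option's registered default rather than the value from the configuration files. The usual pattern is `def load_root_intra_extension_dict(self, policy_template=None):` with `policy_template = policy_template or CONF.moon.root_policy_directory` as the first statement of the body, which also keeps the signature importable when the option is not registered yet. The method currently has only the Note comment; a docstring stating that it creates the single root intra-extension and deliberately bypasses enforce would complete it. The body continues outside the hunk.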
@@ -897,13 +905,8 @@ class IntraExtensionManager(manager.Manager):
ie_dict["genre"] = "admin"
ie_dict["description"] = "policy_root"
ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict)
- try:
- self.moonlog_api.debug("Creation of IE: {}".format(ref))
- except AttributeError:
- pass
- # Creation of the root intra extension raise an error here because
- # self.moonlog_api doesn't exist.
- # FIXME (asteroide): understand why moonlog_api raise an error here...
+ self.moonlog_api.debug("Creation of root IE: {}".format(ref))
+
# read the template given by "model" and populate default variables
template_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"])
self.__load_metadata_file(ie_dict, template_dir)
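Review bot: The try/except AttributeError around the moonlog_api.debug call is removed together with the FIXME explaining that moonlog_api was missing during root creation, but nothing in the commit shows what changed to make that attribute available at this point; if the earlier observation still holds, creating the root intra-extension at server start will now raise where it used to be silently skipped. The enforce hunk in this same file still wraps `self.tenant_api.driver` in `except AttributeError`, which suggests the manager dependencies are not always resolved when these methods run. A short comment above the new debug line saying why moonlog_api is guaranteed to exist here would close that gap (or keep a narrow guard that emits a warning instead of passing). The method continues outside the hunk.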
diff --git a/keystone-moon/keystone/contrib/moon/routers.py b/keystone-moon/keystone/contrib/moon/routers.py
index 357ae060..fd1c0adf 100644
--- a/keystone-moon/keystone/contrib/moon/routers.py
+++ b/keystone-moon/keystone/contrib/moon/routers.py
@@ -89,6 +89,12 @@ class Routers(wsgi.V3ExtensionRouter):
# IntraExtensions/Admin route
self._add_resource(
mapper, intra_ext_controller,
+ path=self.PATH_PREFIX+'/intra_extensions/init',
+ get_action='load_root_intra_extension',
+ rel=self._get_rel('intra_extensions'),
+ path_vars={})
+ self._add_resource(
+ mapper, intra_ext_controller,
path=self.PATH_PREFIX+'/intra_extensions',
get_action='get_intra_extensions',
post_action='add_intra_extension',
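Review bot: The new `/intra_extensions/init` route is wired with `get_action='load_root_intra_extension'`, yet the bound controller action creates the root intra-extension, so a state-changing operation is reachable through a GET that intermediaries and clients treat as safe and repeatable; the sibling create route in the same call uses `post_action='add_intra_extension'`. `post_action='load_root_intra_extension'` would align it (with the moonclient request switched to POST accordingly). The new resource also reuses `rel=self._get_rel('intra_extensions')` of the collection route, so the two resources presumably advertise the same relation in the resource listing; a distinct relation name would keep them apart. The `_add_resource` call at the end of the hunk continues outside it.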
diff --git a/moonclient/moonclient/intraextension.py b/moonclient/moonclient/intraextension.py
index 569a99ff..24286dd9 100644
--- a/moonclient/moonclient/intraextension.py
+++ b/moonclient/moonclient/intraextension.py
@@ -110,6 +110,21 @@ class IntraExtensionDelete(Command):
authtoken=True)
+class IntraExtensionInit(Command):
+ """Initialize the root Intra_Extension (if needed)."""
+
+ log = logging.getLogger(__name__)
+
+ def get_parser(self, prog_name):
+ parser = super(IntraExtensionInit, self).get_parser(prog_name)
+ return parser
+
+ def take_action(self, parsed_args):
+ self.app.get_url("/v3/OS-MOON/intra_extensions/init",
+ method="GET",
+ authtoken=True)
+
+
class IntraExtensionShow(ShowOne):
"""Show detail about one Intra_Extension."""
diff --git a/moonclient/setup.py b/moonclient/setup.py
index e048bf97..71ea704b 100644
--- a/moonclient/setup.py
+++ b/moonclient/setup.py
@@ -73,6 +73,7 @@ setup(
'intraextension_list = moonclient.intraextension:IntraExtensionList',
'intraextension_delete = moonclient.intraextension:IntraExtensionDelete',
'intraextension_show = moonclient.intraextension:IntraExtensionShow',
+ 'intraextension_init = moonclient.intraextension:IntraExtensionInit',
'subject_list = moonclient.subjects:SubjectsList',
'subject_add = moonclient.subjects:SubjectsAdd',