summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/common/controller.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/common/controller.py')
-rw-r--r--keystone-moon/keystone/common/controller.py98
1 files changed, 60 insertions, 38 deletions
diff --git a/keystone-moon/keystone/common/controller.py b/keystone-moon/keystone/common/controller.py
index bd26b7c4..bc7074ac 100644
--- a/keystone-moon/keystone/common/controller.py
+++ b/keystone-moon/keystone/common/controller.py
@@ -17,6 +17,7 @@ import uuid
from oslo_config import cfg
from oslo_log import log
+from oslo_utils import strutils
import six
from keystone.common import authorization
@@ -39,7 +40,7 @@ def v2_deprecated(f):
This is a placeholder for the pending deprecation of v2. The implementation
of this decorator can be replaced with::
- from keystone.openstack.common import versionutils
+ from oslo_log import versionutils
v2_deprecated = versionutils.deprecated(
@@ -52,9 +53,12 @@ def v2_deprecated(f):
def _build_policy_check_credentials(self, action, context, kwargs):
+ kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
+ kwargs_str = strutils.mask_password(kwargs_str)
+
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
- 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
+ 'kwargs': kwargs_str})
# see if auth context has already been created. If so use it.
if ('environment' in context and
@@ -219,7 +223,11 @@ class V2Controller(wsgi.Application):
@staticmethod
def filter_domain_id(ref):
"""Remove domain_id since v2 calls are not domain-aware."""
- ref.pop('domain_id', None)
+ if 'domain_id' in ref:
+ if ref['domain_id'] != CONF.identity.default_domain_id:
+ raise exception.Unauthorized(
+ _('Non-default domain is not supported'))
+ del ref['domain_id']
return ref
@staticmethod
@@ -239,6 +247,18 @@ class V2Controller(wsgi.Application):
return ref
@staticmethod
+ def filter_project_parent_id(ref):
+ """Remove parent_id since v2 calls are not hierarchy-aware."""
+ ref.pop('parent_id', None)
+ return ref
+
+ @staticmethod
+ def filter_is_domain(ref):
+ """Remove is_domain field since v2 calls are not domain-aware."""
+ ref.pop('is_domain', None)
+ return ref
+
+ @staticmethod
def normalize_username_in_response(ref):
"""Adds username to outgoing user refs to match the v2 spec.
@@ -266,9 +286,12 @@ class V2Controller(wsgi.Application):
def v3_to_v2_user(ref):
"""Convert a user_ref from v3 to v2 compatible.
- * v2.0 users are not domain aware, and should have domain_id removed
- * v2.0 users expect the use of tenantId instead of default_project_id
- * v2.0 users have a username attribute
+ - v2.0 users are not domain aware, and should have domain_id validated
+ to be the default domain, and then removed.
+
+ - v2.0 users expect the use of tenantId instead of default_project_id.
+
+ - v2.0 users have a username attribute.
This method should only be applied to user_refs being returned from the
v2.0 controller(s).
@@ -304,6 +327,35 @@ class V2Controller(wsgi.Application):
else:
raise ValueError(_('Expected dict or list: %s') % type(ref))
+ @staticmethod
+ def v3_to_v2_project(ref):
+ """Convert a project_ref from v3 to v2.
+
+ * v2.0 projects are not domain aware, and should have domain_id removed
+ * v2.0 projects are not hierarchy aware, and should have parent_id
+ removed
+
+ This method should only be applied to project_refs being returned from
+ the v2.0 controller(s).
+
+ If ref is a list type, we will iterate through each element and do the
+ conversion.
+ """
+
+ def _filter_project_properties(ref):
+ """Run through the various filter methods."""
+ V2Controller.filter_domain_id(ref)
+ V2Controller.filter_project_parent_id(ref)
+ V2Controller.filter_is_domain(ref)
+ return ref
+
+ if isinstance(ref, dict):
+ return _filter_project_properties(ref)
+ elif isinstance(ref, list):
+ return [_filter_project_properties(x) for x in ref]
+ else:
+ raise ValueError(_('Expected dict or list: %s') % type(ref))
+
def format_project_list(self, tenant_refs, **kwargs):
"""Format a v2 style project list, including marker/limits."""
marker = kwargs.get('marker')
@@ -656,19 +708,7 @@ class V3Controller(wsgi.Application):
if context['query_string'].get('domain_id') is not None:
return context['query_string'].get('domain_id')
- try:
- token_ref = token_model.KeystoneToken(
- token_id=context['token_id'],
- token_data=self.token_provider_api.validate_token(
- context['token_id']))
- except KeyError:
- raise exception.ValidationError(
- _('domain_id is required as part of entity'))
- except (exception.TokenNotFound,
- exception.UnsupportedTokenVersionException):
- LOG.warning(_LW('Invalid token found while getting domain ID '
- 'for list request'))
- raise exception.Unauthorized()
+ token_ref = utils.get_token_ref(context)
if token_ref.domain_scoped:
return token_ref.domain_id
@@ -685,25 +725,7 @@ class V3Controller(wsgi.Application):
being used.
"""
- # We could make this more efficient by loading the domain_id
- # into the context in the wrapper function above (since
- # this version of normalize_domain will only be called inside
- # a v3 protected call). However, this optimization is probably not
- # worth the duplication of state
- try:
- token_ref = token_model.KeystoneToken(
- token_id=context['token_id'],
- token_data=self.token_provider_api.validate_token(
- context['token_id']))
- except KeyError:
- # This might happen if we use the Admin token, for instance
- raise exception.ValidationError(
- _('A domain-scoped token must be used'))
- except (exception.TokenNotFound,
- exception.UnsupportedTokenVersionException):
- LOG.warning(_LW('Invalid token found while getting domain ID '
- 'for list request'))
- raise exception.Unauthorized()
+ token_ref = utils.get_token_ref(context)
if token_ref.domain_scoped:
return token_ref.domain_id