Diffstat (limited to 'keystone-moon/keystone')
-rw-r--r-- | keystone-moon/keystone/contrib/moon/core.py | 127 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/exception.py | 347 |
2 files changed, 66 insertions, 408 deletions
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index ee5e9e54..723569cd 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -95,7 +95,7 @@ def enforce(action_names, object_name, **extra):
 # func.func_globals["_admin_extension_uuid"] = _admin_extension_uuid if not intra_admin_extension_id: - args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.") + raise TenantNoIntraAdminExtension() return func(*args) else: authz_result = False
@@ -115,6 +115,7 @@ def enforce(action_names, object_name, **extra):
 return wrap +# TODO (dthom) join with filer_args def filter_input(data): if type(data) not in (str, unicode): return data
@@ -1399,6 +1400,7 @@ class IntraExtensionManager(manager.Manager):
 raise RuleUnknown() return self.driver.set_rule_dict(intra_extension_id, sub_meta_rule_id, rule_id, rule_list) + @dependency.provider('authz_api') @dependency.requires('identity_api', 'tenant_api', 'moonlog_api') class IntraExtensionAuthzManager(IntraExtensionManager):
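Review bot: With the default-grant branch now raising, the `return func(*args)` that follows the new `raise TenantNoIntraAdminExtension()` under `if not intra_admin_extension_id:` is unreachable and should be dropped, with the `else:` folded into the main path; indentation is collapsed in this rendering, so confirm that line sits inside the `if` body as the old "authorization granted by default" path suggests. Failing closed here is the right direction, and a one-line comment above the raise, `# No admin IntraExtension for this tenant: deny instead of granting by default`, would keep that intent from being reverted by a later cleanup. The TODO added in the following hunk reads `filer_args`, presumably `filter_args`. The enforce wrapper starts and ends outside the hunk.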
@@ -1437,129 +1439,6 @@ class IntraExtensionAuthzManager(IntraExtensionManager): raise ActionUnknown() return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id) - def del_intra_extension(self, user_id, intra_extension_id): - raise AdminException() - - def set_subject_dict(self, user_id, intra_extension_uuid, subject_dict): - raise SubjectAddNotAuthorized() - - def add_subject_dict(self, user_id, intra_extension_uuid, subject_name): - raise SubjectAddNotAuthorized() - - def del_subject(self, user_id, intra_extension_uuid, subject_name): - raise SubjectDelNotAuthorized() - - def set_object_dict(self, user_id, intra_extension_uuid, object_dict): - raise ObjectAddNotAuthorized() - - def add_object(self, user_id, intra_extension_uuid, object_name): - raise ObjectAddNotAuthorized() - - def del_object(self, user_id, intra_extension_uuid, object_uuid): - raise ObjectDelNotAuthorized() - - def set_action_dict(self, user_id, intra_extension_uuid, action_dict): - raise ActionAddNotAuthorized() - - def add_action(self, user_id, intra_extension_uuid, action_dict): - raise ActionAddNotAuthorized() - - def del_action(self, user_id, intra_extension_uuid, action_uuid): - raise ActionDelNotAuthorized() - - def set_subject_category_dict(self, user_id, intra_extension_uuid, subject_category): - raise SubjectCategoryAddNotAuthorized() - - def add_subject_category(self, user_id, intra_extension_uuid, subject_category_name): - raise SubjectCategoryAddNotAuthorized() - - def del_subject_category(self, user_id, intra_extension_uuid, subject_uuid): - raise SubjectCategoryDelNotAuthorized() - - def set_object_category_dict(self, user_id, intra_extension_uuid, object_category): - raise ObjectCategoryAddNotAuthorized() - - def add_object_category(self, user_id, intra_extension_uuid, object_category_name): - raise ObjectCategoryAddNotAuthorized() - - def del_object_category(self, user_id, intra_extension_uuid, object_uuid): - raise 
ObjectCategoryDelNotAuthorized() - - def set_action_category_dict(self, user_id, intra_extension_uuid, action_category): - raise ActionCategoryAddNotAuthorized() - - def add_action_category(self, user_id, intra_extension_uuid, action_category_name): - raise ActionCategoryAddNotAuthorized() - - def del_action_category(self, user_id, intra_extension_uuid, action_uuid): - raise ActionCategoryDelNotAuthorized() - - def set_subject_scope_dict(self, user_id, intra_extension_uuid, category, scope): - raise SubjectCategoryScopeAddNotAuthorized() - - def add_subject_scope_dict(self, user_id, intra_extension_uuid, subject_category, scope_name): - raise SubjectCategoryScopeAddNotAuthorized() - - def del_subject_scope(self, user_id, intra_extension_uuid, subject_category, subject_category_scope): - raise SubjectCategoryScopeDelNotAuthorized() - - def set_object_scope_dict(self, user_id, intra_extension_uuid, category, scope): - raise ObjectCategoryScopeAddNotAuthorized() - - def add_object_scope(self, user_id, intra_extension_uuid, object_category, scope_name): - raise ObjectCategoryScopeAddNotAuthorized() - - def del_object_scope(self, user_id, intra_extension_uuid, object_category, object_category_scope): - raise ObjectCategoryScopeDelNotAuthorized() - - def set_action_scope_dict(self, user_id, intra_extension_uuid, category, scope): - raise ActionCategoryScopeAddNotAuthorized() - - def add_action_scope(self, user_id, intra_extension_uuid, action_category, scope_name): - raise ActionCategoryScopeAddNotAuthorized() - - def del_action_scope(self, user_id, intra_extension_uuid, action_category, action_category_scope): - raise ActionCategoryScopeDelNotAuthorized() - - def set_subject_assignment_dict(self, user_id, intra_extension_uuid, subject_uuid, assignment_dict): - raise SubjectCategoryAssignmentAddNotAuthorized() - - def del_subject_assignment(self, user_id, intra_extension_uuid, subject_uuid, category_uuid, scope_uuid): - raise SubjectCategoryAssignmentAddNotAuthorized() - 
- def add_subject_assignment(self, user_id, intra_extension_uuid, subject_uuid, category_uuid, scope_uuid): - raise SubjectCategoryAssignmentDelNotAuthorized() - - def set_object_category_assignment_dict(self, user_id, intra_extension_uuid, object_uuid, assignment_dict): - raise ObjectCategoryAssignmentAddNotAuthorized() - - def del_object_assignment(self, user_id, intra_extension_uuid, object_uuid, category_uuid, scope_uuid): - raise ObjectCategoryAssignmentAddNotAuthorized() - - def add_object_assignment(self, user_id, intra_extension_uuid, object_uuid, category_uuid, scope_uuid): - raise ObjectCategoryAssignmentDelNotAuthorized() - - def set_action_assignment_dict(self, user_id, intra_extension_uuid, action_uuid, assignment_dict): - raise ActionCategoryAssignmentAddNotAuthorized() - - def del_action_assignment(self, user_id, intra_extension_uuid, action_uuid, category_uuid, scope_uuid): - raise ActionCategoryAssignmentAddNotAuthorized() - - def add_action_assignment(self, user_id, intra_extension_uuid, action_uuid, category_uuid, scope_uuid): - raise ActionCategoryAssignmentDelNotAuthorized() - - def set_aggregation_algorithm_dict(self, user_id, intra_extension_uuid, aggregation_algorithm): - raise MetaRuleAddNotAuthorized() - - def get_sub_meta_rule_dict(self, user_id, intra_extension_uuid, sub_meta_rules): - raise MetaRuleAddNotAuthorized() - - def set_sub_rule(self, user_id, intra_extension_uuid, relation, sub_rule): - raise RuleAddNotAuthorized() - - def del_sub_rule(self, user_id, intra_extension_uuid, relation_name, rule): - raise RuleAddNotAuthorized() - @dependency.provider('admin_api') @dependency.requires('identity_api', 'tenant_api', 'moonlog_api') diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index 1339122c..fa985a2f 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py 
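Review bot: Removing these overrides means IntraExtensionAuthzManager now inherits every mutating method of IntraExtensionManager (set_subject_dict, del_intra_extension, set_sub_rule and the rest) instead of raising a NotAuthorized exception, so write access through the `authz_api` provider is now whatever the base class allows; the base implementations are outside this hunk, so I cannot tell whether they perform their own admin check. If the authz manager is meant to stay read-only, a regression test asserting that e.g. `set_subject_dict` on it is rejected would pin that; if mutation is now intentionally delegated, a class docstring on IntraExtensionAuthzManager stating so would help the next reader. The class body starts outside the hunk.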
@@ -69,6 +69,20 @@ class TenantNoIntraExtension(TenantException): logger = "ERROR" +class TenantNoIntraAuthzExtension(TenantNoIntraExtension): + message_format = _("The tenant has not intra_authz_extension.") + code = 400 + title = 'Tenant No Intra_Authz_Extension' + logger = "ERROR" + + +class TenantNoIntraAdminExtension(TenantNoIntraExtension): + message_format = _("The tenant has not intra_admin_extension.") + code = 400 + title = 'Tenant No Intra_Admin_Extension' + logger = "ERROR" + + # Exceptions for IntraExtension 
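Review bot: Both new classes carry `code = 400`, yet TenantNoIntraAdminExtension is raised from `enforce` in core.py in place of an authorization decision, where the restructured AuthzException in this same commit uses 403; decide whether a missing admin extension should surface as a client error or as a denial and align the code with that choice. The messages also read oddly in English — `message_format = _("The tenant has no intra_authz_extension.")` and `message_format = _("The tenant has no intra_admin_extension.")` would be clearer. The shared parent TenantNoIntraExtension is only partly visible here, so check whether its code and logger are meant to be inherited rather than repeated on each subclass.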
@@ -93,500 +107,265 @@ class IntraExtensionCreationError(IntraExtensionException): # Authz exceptions - class AuthzException(MoonError): + message_format = _("There is an authorization error requesting this IntraExtension.") + code = 403 + title = 'Authz Exception' + logger = "AUTHZ" + + +# Admin exceptions + +class AdminException(MoonError): message_format = _("There is an error requesting this Authz IntraExtension.") code = 400 title = 'Authz Exception' logger = "AUTHZ" -class AuthzPerimeter(AuthzException): +class AdminMetaData(AdminException): code = 400 - title = 'Perimeter Exception' + title = 'Metadata Exception' -class AuthzScope(AuthzException): +class AdminPerimeter(AdminException): code = 400 - title = 'Scope Exception' + title = 'Perimeter Exception' -class AuthzMetadata(AuthzException): +class AdminScope(AdminException): code = 400 - title = 'Metadata Exception' + title = 'Scope Exception' -class AuthzAssignment(AuthzException): +class AdminAssignment(AdminException): code = 400 title = 'Assignment Exception' -class AuthzMetaRule(AuthzException): +class AdminMetaRule(AdminException): code = 400 title = 'Aggregation Algorithm Exception' -class AuthzRule(AuthzException): +class AdminRule(AdminException): code = 400 title = 'Rule Exception' -class SubjectCategoryNameExisting(AuthzMetadata): +class SubjectCategoryNameExisting(AdminMetaData): message_format = _("The given subject category name is existing.") code = 400 title = 'Subject Category Name Existing' logger = "ERROR" -class ObjectCategoryNameExisting(AuthzMetadata): +class ObjectCategoryNameExisting(AdminMetaData): message_format = _("The given object category name is existing.") code = 400 title = 'Object Category Name Existing' logger = "ERROR" -class ActionCategoryNameExisting(AuthzMetadata): +class ActionCategoryNameExisting(AdminMetaData): message_format = _("The given action category name is existing.") code = 400 title = 'Action Category Name Existing' logger = "ERROR" -class 
SubjectCategoryUnknown(AuthzMetadata): +class SubjectCategoryUnknown(AdminMetaData): message_format = _("The given subject category is unknown.") code = 400 title = 'Subject Category Unknown' logger = "ERROR" -class ObjectCategoryUnknown(AuthzMetadata): +class ObjectCategoryUnknown(AdminMetaData): message_format = _("The given object category is unknown.") code = 400 title = 'Object Category Unknown' logger = "ERROR" -class ActionCategoryUnknown(AuthzMetadata): +class ActionCategoryUnknown(AdminMetaData): message_format = _("The given action category is unknown.") code = 400 title = 'Action Category Unknown' logger = "ERROR" -class SubjectUnknown(AuthzPerimeter): +class SubjectUnknown(AdminPerimeter): message_format = _("The given subject is unknown.") code = 400 title = 'Subject Unknown' logger = "ERROR" -class ObjectUnknown(AuthzPerimeter): +class ObjectUnknown(AdminPerimeter): message_format = _("The given object is unknown.") code = 400 title = 'Object Unknown' logger = "ERROR" -class ActionUnknown(AuthzPerimeter): +class ActionUnknown(AdminPerimeter): message_format = _("The given action is unknown.") code = 400 title = 'Action Unknown' logger = "ERROR" -class SubjectNameExisting(AuthzPerimeter): +class SubjectNameExisting(AdminPerimeter): message_format = _("The given subject name is existing.") code = 400 title = 'Subject Name Existing' logger = "ERROR" -class ObjectNameExisting(AuthzPerimeter): +class ObjectNameExisting(AdminPerimeter): message_format = _("The given object name is existing.") code = 400 title = 'Object Name Existing' logger = "ERROR" -class ActionNameExisting(AuthzPerimeter): +class ActionNameExisting(AdminPerimeter): message_format = _("The given action name is existing.") code = 400 title = 'Action Name Existing' logger = "ERROR" -class SubjectScopeUnknown(AuthzScope): +class SubjectScopeUnknown(AdminScope): message_format = _("The given subject scope is unknown.") code = 400 title = 'Subject Scope Unknown' logger = "ERROR" -class 
ObjectScopeUnknown(AuthzScope): +class ObjectScopeUnknown(AdminScope): message_format = _("The given object scope is unknown.") code = 400 title = 'Object Scope Unknown' logger = "ERROR" -class ActionScopeUnknown(AuthzScope): +class ActionScopeUnknown(AdminScope): message_format = _("The given action scope is unknown.") code = 400 title = 'Action Scope Unknown' logger = "ERROR" -class SubjectScopeNameExisting(AuthzScope): +class SubjectScopeNameExisting(AdminScope): message_format = _("The given subject scope name is existing.") code = 400 title = 'Subject Scope Name Existing' logger = "ERROR" -class ObjectScopeNameExisting(AuthzScope): +class ObjectScopeNameExisting(AdminScope): message_format = _("The given object scope name is existing.") code = 400 title = 'Object Scope Name Existing' logger = "ERROR" -class ActionScopeNameExisting(AuthzScope): +class ActionScopeNameExisting(AdminScope): message_format = _("The given action scope name is existing.") code = 400 title = 'Action Scope Name Existing' logger = "ERROR" -class SubjectAssignmentOutOfScope(AuthzScope): - message_format = _("The given subject scope value is out of scope.") - code = 400 - title = 'Subject Assignment Out Of Scope' - logger = "WARNING" - - -class ActionAssignmentOutOfScope(AuthzScope): - message_format = _("The given action scope value is out of scope.") - code = 400 - title = 'Action Assignment Out Of Scope' - logger = "WARNING" - - -class ObjectAssignmentOutOfScope(AuthzScope): - message_format = _("The given object scope value is out of scope.") - code = 400 - title = 'Object Assignment Out Of Scope' - logger = "WARNING" - - -class SubjectAssignmentUnknown(AuthzAssignment): +class SubjectAssignmentUnknown(AdminAssignment): message_format = _("The given subject assignment value is unknown.") code = 400 title = 'Subject Assignment Unknown' logger = "ERROR" -class ObjectAssignmentUnknown(AuthzAssignment): +class ObjectAssignmentUnknown(AdminAssignment): message_format = _("The given object 
assignment value is unknown.") code = 400 title = 'Object Assignment Unknown' logger = "ERROR" -class ActionAssignmentUnknown(AuthzAssignment): +class ActionAssignmentUnknown(AdminAssignment): message_format = _("The given action assignment value is unknown.") code = 400 title = 'Action Assignment Unknown' logger = "ERROR" -class SubjectAssignmentExisting(AuthzAssignment): +class SubjectAssignmentExisting(AdminAssignment): message_format = _("The given subject assignment value is existing.") code = 400 title = 'Subject Assignment Existing' logger = "ERROR" -class ObjectAssignmentExisting(AuthzAssignment): +class ObjectAssignmentExisting(AdminAssignment): message_format = _("The given object assignment value is existing.") code = 400 title = 'Object Assignment Existing' logger = "ERROR" -class ActionAssignmentExisting(AuthzAssignment): +class ActionAssignmentExisting(AdminAssignment): message_format = _("The given action assignment value is existing.") code = 400 title = 'Action Assignment Existing' logger = "ERROR" -class AggregationAlgorithmNotExisting(AuthzMetadata): +class AggregationAlgorithmNotExisting(AdminMetaRule): message_format = _("The given aggregation algorithm is not existing.") code = 400 title = 'Aggregation Algorithm Not Existing' logger = "ERROR" -class AggregationAlgorithmUnknown(AuthzMetadata): +class AggregationAlgorithmUnknown(AdminMetaRule): message_format = _("The given aggregation algorithm is unknown.") code = 400 title = 'Aggregation Algorithm Unknown' logger = "ERROR" -class SubMetaRuleUnknown(AuthzMetadata): +class SubMetaRuleUnknown(AdminMetaRule): message_format = _("The given sub meta rule is unknown.") code = 400 title = 'Sub Meta Rule Unknown' logger = "ERROR" -class SubMetaRuleNameExisting(AuthzMetadata): +class SubMetaRuleNameExisting(AdminMetaRule): message_format = _("The sub meta rule name is existing.") code = 400 title = 'Sub Meta Rule Name Existing' logger = "ERROR" -class SubMetaRuleExisting(AuthzMetadata): +class 
SubMetaRuleExisting(AdminMetaRule): message_format = _("The sub meta rule is existing.") code = 400 title = 'Sub Meta Rule Existing' logger = "ERROR" -class RuleOKNotExisting(AuthzRule): - message_format = _("The positive rule for that request doen't exist.") - code = 400 - title = 'Rule OK Not Existing' - logger = "ERROR" - - -class RuleKOExisting(AuthzRule): - message_format = _("The request match a negative rule.") - code = 400 - title = 'Rule KO Existing' - logger = "ERROR" - - -class RuleExisting(AuthzRule): +class RuleExisting(AdminRule): message_format = _("The rule is existing.") code = 400 title = 'Rule Existing' logger = "ERROR" -class RuleUnknown(AuthzRule): +class RuleUnknown(AdminRule): message_format = _("The rule for that request doesn't exist.") code = 400 title = 'Rule Unknown' logger = "ERROR" - -class AddedRuleExisting(AuthzRule): - message_format = _("The added rule for that request is existing.") - code = 400 - title = 'Added Rule Existing' - logger = "ERROR" - - -# Admin exceptions - - -class AdminException(MoonError): - message_format = _("There is an authorization error requesting this IntraExtension.") - code = 403 - title = 'Admin Exception' - logger = "AUTHZ" - - -class AdminPerimeter(AuthzException): - title = 'Perimeter Exception' - - -class AdminScope(AuthzException): - title = 'Scope Exception' - - -class AdminMetadata(AuthzException): - title = 'Metadata Exception' - - -class AdminAssignment(AuthzException): - title = 'Assignment Exception' - - -class AdminRule(AuthzException): - title = 'Rule Exception' - -class AdminMetaRule(AuthzException): - title = 'MetaRule Exception' - - -class SubjectReadNotAuthorized(AdminPerimeter): - title = 'Subject Read Not Authorized' - - -class SubjectAddNotAuthorized(AdminPerimeter): - title = 'Subject Add Not Authorized' - - -class SubjectDelNotAuthorized(AdminPerimeter): - title = 'Subject Del Not Authorized' - - -class ObjectReadNotAuthorized(AdminPerimeter): - title = 'Object Read Not Authorized' 
- - -class ObjectAddNotAuthorized(AdminPerimeter): - title = 'Object Add Not Authorized' - - -class ObjectDelNotAuthorized(AdminPerimeter): - title = 'Object Del Not Authorized' - - -class ActionReadNotAuthorized(AdminPerimeter): - title = 'Action Read Not Authorized' - - -class ActionAddNotAuthorized(AdminPerimeter): - title = 'Action Add Not Authorized' - - -class ActionDelNotAuthorized(AdminPerimeter): - title = 'Action Del Not Authorized' - - -class SubjectScopeReadNotAuthorized(AuthzException): - title = 'Subject Scope Read Not Authorized' - - -class SubjectScopeAddNotAuthorized(AuthzException): - title = 'Subject Scope Add Not Authorized' - - -class SubjectScopeDelNotAuthorized(AuthzException): - title = 'Subject Scope Del Not Authorized' - - -class ObjectScopeReadNotAuthorized(AuthzException): - title = 'Object Scope Read Not Authorized' - - -class ObjectScopeAddNotAuthorized(AuthzException): - title = 'Object Scope Add Not Authorized' - - -class ObjectScopeDelNotAuthorized(AuthzException): - title = 'Object Scope Del Not Authorized' - - -class ActionScopeReadNotAuthorized(AuthzException): - title = 'Action Scope Read Not Authorized' - - -class ActionScopeAddNotAuthorized(AuthzException): - title = 'Action Scope Add Not Authorized' - - -class ActionScopeDelNotAuthorized(AuthzException): - title = 'Action Scope Del Not Authorized' - - -class SubjectCategoryReadNotAuthorized(AdminMetadata): - title = 'Subject Category Read Not Authorized' - logger = "AUTHZ" - - -class SubjectCategoryAddNotAuthorized(AdminMetadata): - title = 'Subject Category Add Not Authorized' - - -class SubjectCategoryDelNotAuthorized(AdminMetadata): - title = 'Subject Category Del Not Authorized' - - -class ObjectCategoryReadNotAuthorized(AdminMetadata): - title = 'Object Category Read Not Authorized' - - -class ObjectCategoryAddNotAuthorized(AdminMetadata): - title = 'Object Category Add Not Authorized' - - -class ObjectCategoryDelNotAuthorized(AdminMetadata): - title = 'Object Category 
Del Not Authorized' - - -class ActionCategoryReadNotAuthorized(AdminMetadata): - title = 'Action Category Read Not Authorized' - - -class ActionCategoryAddNotAuthorized(AdminMetadata): - title = 'Action Category Add Not Authorized' - - -class ActionCategoryDelNotAuthorized(AdminMetadata): - title = 'Action Category Del Not Authorized' - - -class SubjectAssignmentReadNotAuthorized(AdminAssignment): - title = 'Subject Assignment Read Not Authorized' - - -class SubjectAssignmentAddNotAuthorized(AdminAssignment): - title = 'Subject Assignment Add Not Authorized' - - -class SubjectAssignmentDelNotAuthorized(AdminAssignment): - title = 'Subject Assignment Del Not Authorized' - - -class ObjectAssignmentReadNotAuthorized(AdminAssignment): - title = 'Object Assignment Read Not Authorized' - - -class ObjectAssignmentAddNotAuthorized(AdminAssignment): - title = 'Object Assignment Add Not Authorized' - - -class ObjectAssignmentDelNotAuthorized(AdminAssignment): - title = 'Object Assignment Del Not Authorized' - - -class ActionAssignmentReadNotAuthorized(AdminAssignment): - title = 'Action Assignment Read Not Authorized' - - -class ActionAssignmentAddNotAuthorized(AdminAssignment): - title = 'Action Assignment Add Not Authorized' - - -class ActionAssignmentDelNotAuthorized(AdminAssignment): - title = 'Action Assignment Del Not Authorized' - - -class RuleReadNotAuthorized(AdminRule): - title = 'Rule Read Not Authorized' - - -class RuleAddNotAuthorized(AdminRule): - title = 'Rule Add Not Authorized' - - -class RuleDelNotAuthorized(AdminRule): - title = 'Rule Del Not Authorized' - - -class MetaRuleReadNotAuthorized(AdminRule): - title = 'MetaRule Read Not Authorized' - - -class MetaRuleAddNotAuthorized(AdminRule): - title = 'MetaRule Add Not Authorized' - - -class MetaRuleDelNotAuthorized(AdminRule): - title = 'MetaRule Del Not Authorized' |
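Review bot: AdminException keeps the old AuthzException body as context lines, so it now reports `message_format = _("There is an error requesting this Authz IntraExtension.")` and `title = 'Authz Exception'`, which means an admin-side failure is logged and returned under the authz label; change them to `message_format = _("There is an error requesting this Admin IntraExtension.")` and `title = 'Admin Exception'`. Likewise AdminMetaRule takes the title 'Aggregation Algorithm Exception' from the renamed AuthzMetaRule where the deleted AdminMetaRule used 'MetaRule Exception'. The hunk also deletes every *NotAuthorized class together with RuleOKNotExisting, RuleKOExisting, AddedRuleExisting and the three *AssignmentOutOfScope classes; callers outside these two files are not visible here, so a search for those names before merge would confirm nothing still imports them. The hunk runs to the end of the file section shown.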