Diffstat (limited to 'keystone-moon/keystone')
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py127
-rw-r--r--keystone-moon/keystone/contrib/moon/exception.py347
2 files changed, 66 insertions, 408 deletions
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index ee5e9e54..723569cd 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -95,7 +95,7 @@ def enforce(action_names, object_name, **extra):
# func.func_globals["_admin_extension_uuid"] = _admin_extension_uuid
if not intra_admin_extension_id:
- args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.")
+ raise TenantNoIntraAdminExtension()
return func(*args)
else:
authz_result = False
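Review bot: With the added `raise TenantNoIntraAdminExtension()`, the `return func(*args)` on the following line of the `if not intra_admin_extension_id:` branch is unreachable and should be deleted, since a stray return right after a raise reads as though the default-grant path still exists. Fail-closed is the right call here: the removed line logged a warning and then granted authorization whenever no admin IntraExtension was found. The diffstat attributes 127 changed lines to core.py and the visible hunks account for all of them, so no import of the new exception is added in this file; unless core.py already pulls the exception module in with a star import, the name is unresolved at raise time. enforce starts before this hunk and continues past it.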
@@ -115,6 +115,7 @@ def enforce(action_names, object_name, **extra):
return wrap
+# TODO (dthom) join with filer_args
def filter_input(data):
if type(data) not in (str, unicode):
return data
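Review bot: The added TODO comment refers to `filer_args`, which looks like a misspelling of whatever helper it is meant to point at; confirm the intended name and correct it so the TODO can be found by search. If the missing blank lines are not just lost in rendering, the comment also sits directly under `return wrap` and so attaches visually to the previous function rather than to `filter_input`; two blank lines before it (PEP 8) would make the association clear. filter_input starts in this hunk and continues past it.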
@@ -1399,6 +1400,7 @@ class IntraExtensionManager(manager.Manager):
raise RuleUnknown()
return self.driver.set_rule_dict(intra_extension_id, sub_meta_rule_id, rule_id, rule_list)
+
@dependency.provider('authz_api')
@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
class IntraExtensionAuthzManager(IntraExtensionManager):
@@ -1437,129 +1439,6 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
raise ActionUnknown()
return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
- def del_intra_extension(self, user_id, intra_extension_id):
- raise AdminException()
-
- def set_subject_dict(self, user_id, intra_extension_uuid, subject_dict):
- raise SubjectAddNotAuthorized()
-
- def add_subject_dict(self, user_id, intra_extension_uuid, subject_name):
- raise SubjectAddNotAuthorized()
-
- def del_subject(self, user_id, intra_extension_uuid, subject_name):
- raise SubjectDelNotAuthorized()
-
- def set_object_dict(self, user_id, intra_extension_uuid, object_dict):
- raise ObjectAddNotAuthorized()
-
- def add_object(self, user_id, intra_extension_uuid, object_name):
- raise ObjectAddNotAuthorized()
-
- def del_object(self, user_id, intra_extension_uuid, object_uuid):
- raise ObjectDelNotAuthorized()
-
- def set_action_dict(self, user_id, intra_extension_uuid, action_dict):
- raise ActionAddNotAuthorized()
-
- def add_action(self, user_id, intra_extension_uuid, action_dict):
- raise ActionAddNotAuthorized()
-
- def del_action(self, user_id, intra_extension_uuid, action_uuid):
- raise ActionDelNotAuthorized()
-
- def set_subject_category_dict(self, user_id, intra_extension_uuid, subject_category):
- raise SubjectCategoryAddNotAuthorized()
-
- def add_subject_category(self, user_id, intra_extension_uuid, subject_category_name):
- raise SubjectCategoryAddNotAuthorized()
-
- def del_subject_category(self, user_id, intra_extension_uuid, subject_uuid):
- raise SubjectCategoryDelNotAuthorized()
-
- def set_object_category_dict(self, user_id, intra_extension_uuid, object_category):
- raise ObjectCategoryAddNotAuthorized()
-
- def add_object_category(self, user_id, intra_extension_uuid, object_category_name):
- raise ObjectCategoryAddNotAuthorized()
-
- def del_object_category(self, user_id, intra_extension_uuid, object_uuid):
- raise ObjectCategoryDelNotAuthorized()
-
- def set_action_category_dict(self, user_id, intra_extension_uuid, action_category):
- raise ActionCategoryAddNotAuthorized()
-
- def add_action_category(self, user_id, intra_extension_uuid, action_category_name):
- raise ActionCategoryAddNotAuthorized()
-
- def del_action_category(self, user_id, intra_extension_uuid, action_uuid):
- raise ActionCategoryDelNotAuthorized()
-
- def set_subject_scope_dict(self, user_id, intra_extension_uuid, category, scope):
- raise SubjectCategoryScopeAddNotAuthorized()
-
- def add_subject_scope_dict(self, user_id, intra_extension_uuid, subject_category, scope_name):
- raise SubjectCategoryScopeAddNotAuthorized()
-
- def del_subject_scope(self, user_id, intra_extension_uuid, subject_category, subject_category_scope):
- raise SubjectCategoryScopeDelNotAuthorized()
-
- def set_object_scope_dict(self, user_id, intra_extension_uuid, category, scope):
- raise ObjectCategoryScopeAddNotAuthorized()
-
- def add_object_scope(self, user_id, intra_extension_uuid, object_category, scope_name):
- raise ObjectCategoryScopeAddNotAuthorized()
-
- def del_object_scope(self, user_id, intra_extension_uuid, object_category, object_category_scope):
- raise ObjectCategoryScopeDelNotAuthorized()
-
- def set_action_scope_dict(self, user_id, intra_extension_uuid, category, scope):
- raise ActionCategoryScopeAddNotAuthorized()
-
- def add_action_scope(self, user_id, intra_extension_uuid, action_category, scope_name):
- raise ActionCategoryScopeAddNotAuthorized()
-
- def del_action_scope(self, user_id, intra_extension_uuid, action_category, action_category_scope):
- raise ActionCategoryScopeDelNotAuthorized()
-
- def set_subject_assignment_dict(self, user_id, intra_extension_uuid, subject_uuid, assignment_dict):
- raise SubjectCategoryAssignmentAddNotAuthorized()
-
- def del_subject_assignment(self, user_id, intra_extension_uuid, subject_uuid, category_uuid, scope_uuid):
- raise SubjectCategoryAssignmentAddNotAuthorized()
-
- def add_subject_assignment(self, user_id, intra_extension_uuid, subject_uuid, category_uuid, scope_uuid):
- raise SubjectCategoryAssignmentDelNotAuthorized()
-
- def set_object_category_assignment_dict(self, user_id, intra_extension_uuid, object_uuid, assignment_dict):
- raise ObjectCategoryAssignmentAddNotAuthorized()
-
- def del_object_assignment(self, user_id, intra_extension_uuid, object_uuid, category_uuid, scope_uuid):
- raise ObjectCategoryAssignmentAddNotAuthorized()
-
- def add_object_assignment(self, user_id, intra_extension_uuid, object_uuid, category_uuid, scope_uuid):
- raise ObjectCategoryAssignmentDelNotAuthorized()
-
- def set_action_assignment_dict(self, user_id, intra_extension_uuid, action_uuid, assignment_dict):
- raise ActionCategoryAssignmentAddNotAuthorized()
-
- def del_action_assignment(self, user_id, intra_extension_uuid, action_uuid, category_uuid, scope_uuid):
- raise ActionCategoryAssignmentAddNotAuthorized()
-
- def add_action_assignment(self, user_id, intra_extension_uuid, action_uuid, category_uuid, scope_uuid):
- raise ActionCategoryAssignmentDelNotAuthorized()
-
- def set_aggregation_algorithm_dict(self, user_id, intra_extension_uuid, aggregation_algorithm):
- raise MetaRuleAddNotAuthorized()
-
- def get_sub_meta_rule_dict(self, user_id, intra_extension_uuid, sub_meta_rules):
- raise MetaRuleAddNotAuthorized()
-
- def set_sub_rule(self, user_id, intra_extension_uuid, relation, sub_rule):
- raise RuleAddNotAuthorized()
-
- def del_sub_rule(self, user_id, intra_extension_uuid, relation_name, rule):
- raise RuleAddNotAuthorized()
-
@dependency.provider('admin_api')
@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py
index 1339122c..fa985a2f 100644
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -69,6 +69,20 @@ class TenantNoIntraExtension(TenantException):
logger = "ERROR"
+class TenantNoIntraAuthzExtension(TenantNoIntraExtension):
+ message_format = _("The tenant has not intra_authz_extension.")
+ code = 400
+ title = 'Tenant No Intra_Authz_Extension'
+ logger = "ERROR"
+
+
+class TenantNoIntraAdminExtension(TenantNoIntraExtension):
+ message_format = _("The tenant has not intra_admin_extension.")
+ code = 400
+ title = 'Tenant No Intra_Admin_Extension'
+ logger = "ERROR"
+
+
# Exceptions for IntraExtension
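Review bot: Both new message_format strings are ungrammatical ("The tenant has not intra_authz_extension."); write `message_format = _("The tenant has no intra_authz_extension.")` and `message_format = _("The tenant has no intra_admin_extension.")`, since these are user-facing and translatable. TenantNoIntraAdminExtension is now what `enforce` in core.py raises when a tenant lacks an admin IntraExtension, so every request through that decorator answers 400 Bad Request; if that condition is a deployment/configuration state rather than a malformed request, consider whether 400 is the right code, or document why it was chosen. The parent TenantNoIntraExtension already sets `logger = "ERROR"` (visible context line), so the repeated logger attribute on each subclass is redundant unless each class is meant to be self-describing.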
@@ -93,500 +107,265 @@ class IntraExtensionCreationError(IntraExtensionException):
# Authz exceptions
-
class AuthzException(MoonError):
+ message_format = _("There is an authorization error requesting this IntraExtension.")
+ code = 403
+ title = 'Authz Exception'
+ logger = "AUTHZ"
+
+
+# Admin exceptions
+
+class AdminException(MoonError):
message_format = _("There is an error requesting this Authz IntraExtension.")
code = 400
title = 'Authz Exception'
logger = "AUTHZ"
-class AuthzPerimeter(AuthzException):
+class AdminMetaData(AdminException):
code = 400
- title = 'Perimeter Exception'
+ title = 'Metadata Exception'
-class AuthzScope(AuthzException):
+class AdminPerimeter(AdminException):
code = 400
- title = 'Scope Exception'
+ title = 'Perimeter Exception'
-class AuthzMetadata(AuthzException):
+class AdminScope(AdminException):
code = 400
- title = 'Metadata Exception'
+ title = 'Scope Exception'
-class AuthzAssignment(AuthzException):
+class AdminAssignment(AdminException):
code = 400
title = 'Assignment Exception'
-class AuthzMetaRule(AuthzException):
+class AdminMetaRule(AdminException):
code = 400
title = 'Aggregation Algorithm Exception'
-class AuthzRule(AuthzException):
+class AdminRule(AdminException):
code = 400
title = 'Rule Exception'
-class SubjectCategoryNameExisting(AuthzMetadata):
+class SubjectCategoryNameExisting(AdminMetaData):
message_format = _("The given subject category name is existing.")
code = 400
title = 'Subject Category Name Existing'
logger = "ERROR"
-class ObjectCategoryNameExisting(AuthzMetadata):
+class ObjectCategoryNameExisting(AdminMetaData):
message_format = _("The given object category name is existing.")
code = 400
title = 'Object Category Name Existing'
logger = "ERROR"
-class ActionCategoryNameExisting(AuthzMetadata):
+class ActionCategoryNameExisting(AdminMetaData):
message_format = _("The given action category name is existing.")
code = 400
title = 'Action Category Name Existing'
logger = "ERROR"
-class SubjectCategoryUnknown(AuthzMetadata):
+class SubjectCategoryUnknown(AdminMetaData):
message_format = _("The given subject category is unknown.")
code = 400
title = 'Subject Category Unknown'
logger = "ERROR"
-class ObjectCategoryUnknown(AuthzMetadata):
+class ObjectCategoryUnknown(AdminMetaData):
message_format = _("The given object category is unknown.")
code = 400
title = 'Object Category Unknown'
logger = "ERROR"
-class ActionCategoryUnknown(AuthzMetadata):
+class ActionCategoryUnknown(AdminMetaData):
message_format = _("The given action category is unknown.")
code = 400
title = 'Action Category Unknown'
logger = "ERROR"
-class SubjectUnknown(AuthzPerimeter):
+class SubjectUnknown(AdminPerimeter):
message_format = _("The given subject is unknown.")
code = 400
title = 'Subject Unknown'
logger = "ERROR"
-class ObjectUnknown(AuthzPerimeter):
+class ObjectUnknown(AdminPerimeter):
message_format = _("The given object is unknown.")
code = 400
title = 'Object Unknown'
logger = "ERROR"
-class ActionUnknown(AuthzPerimeter):
+class ActionUnknown(AdminPerimeter):
message_format = _("The given action is unknown.")
code = 400
title = 'Action Unknown'
logger = "ERROR"
-class SubjectNameExisting(AuthzPerimeter):
+class SubjectNameExisting(AdminPerimeter):
message_format = _("The given subject name is existing.")
code = 400
title = 'Subject Name Existing'
logger = "ERROR"
-class ObjectNameExisting(AuthzPerimeter):
+class ObjectNameExisting(AdminPerimeter):
message_format = _("The given object name is existing.")
code = 400
title = 'Object Name Existing'
logger = "ERROR"
-class ActionNameExisting(AuthzPerimeter):
+class ActionNameExisting(AdminPerimeter):
message_format = _("The given action name is existing.")
code = 400
title = 'Action Name Existing'
logger = "ERROR"
-class SubjectScopeUnknown(AuthzScope):
+class SubjectScopeUnknown(AdminScope):
message_format = _("The given subject scope is unknown.")
code = 400
title = 'Subject Scope Unknown'
logger = "ERROR"
-class ObjectScopeUnknown(AuthzScope):
+class ObjectScopeUnknown(AdminScope):
message_format = _("The given object scope is unknown.")
code = 400
title = 'Object Scope Unknown'
logger = "ERROR"
-class ActionScopeUnknown(AuthzScope):
+class ActionScopeUnknown(AdminScope):
message_format = _("The given action scope is unknown.")
code = 400
title = 'Action Scope Unknown'
logger = "ERROR"
-class SubjectScopeNameExisting(AuthzScope):
+class SubjectScopeNameExisting(AdminScope):
message_format = _("The given subject scope name is existing.")
code = 400
title = 'Subject Scope Name Existing'
logger = "ERROR"
-class ObjectScopeNameExisting(AuthzScope):
+class ObjectScopeNameExisting(AdminScope):
message_format = _("The given object scope name is existing.")
code = 400
title = 'Object Scope Name Existing'
logger = "ERROR"
-class ActionScopeNameExisting(AuthzScope):
+class ActionScopeNameExisting(AdminScope):
message_format = _("The given action scope name is existing.")
code = 400
title = 'Action Scope Name Existing'
logger = "ERROR"
-class SubjectAssignmentOutOfScope(AuthzScope):
- message_format = _("The given subject scope value is out of scope.")
- code = 400
- title = 'Subject Assignment Out Of Scope'
- logger = "WARNING"
-
-
-class ActionAssignmentOutOfScope(AuthzScope):
- message_format = _("The given action scope value is out of scope.")
- code = 400
- title = 'Action Assignment Out Of Scope'
- logger = "WARNING"
-
-
-class ObjectAssignmentOutOfScope(AuthzScope):
- message_format = _("The given object scope value is out of scope.")
- code = 400
- title = 'Object Assignment Out Of Scope'
- logger = "WARNING"
-
-
-class SubjectAssignmentUnknown(AuthzAssignment):
+class SubjectAssignmentUnknown(AdminAssignment):
message_format = _("The given subject assignment value is unknown.")
code = 400
title = 'Subject Assignment Unknown'
logger = "ERROR"
-class ObjectAssignmentUnknown(AuthzAssignment):
+class ObjectAssignmentUnknown(AdminAssignment):
message_format = _("The given object assignment value is unknown.")
code = 400
title = 'Object Assignment Unknown'
logger = "ERROR"
-class ActionAssignmentUnknown(AuthzAssignment):
+class ActionAssignmentUnknown(AdminAssignment):
message_format = _("The given action assignment value is unknown.")
code = 400
title = 'Action Assignment Unknown'
logger = "ERROR"
-class SubjectAssignmentExisting(AuthzAssignment):
+class SubjectAssignmentExisting(AdminAssignment):
message_format = _("The given subject assignment value is existing.")
code = 400
title = 'Subject Assignment Existing'
logger = "ERROR"
-class ObjectAssignmentExisting(AuthzAssignment):
+class ObjectAssignmentExisting(AdminAssignment):
message_format = _("The given object assignment value is existing.")
code = 400
title = 'Object Assignment Existing'
logger = "ERROR"
-class ActionAssignmentExisting(AuthzAssignment):
+class ActionAssignmentExisting(AdminAssignment):
message_format = _("The given action assignment value is existing.")
code = 400
title = 'Action Assignment Existing'
logger = "ERROR"
-class AggregationAlgorithmNotExisting(AuthzMetadata):
+class AggregationAlgorithmNotExisting(AdminMetaRule):
message_format = _("The given aggregation algorithm is not existing.")
code = 400
title = 'Aggregation Algorithm Not Existing'
logger = "ERROR"
-class AggregationAlgorithmUnknown(AuthzMetadata):
+class AggregationAlgorithmUnknown(AdminMetaRule):
message_format = _("The given aggregation algorithm is unknown.")
code = 400
title = 'Aggregation Algorithm Unknown'
logger = "ERROR"
-class SubMetaRuleUnknown(AuthzMetadata):
+class SubMetaRuleUnknown(AdminMetaRule):
message_format = _("The given sub meta rule is unknown.")
code = 400
title = 'Sub Meta Rule Unknown'
logger = "ERROR"
-class SubMetaRuleNameExisting(AuthzMetadata):
+class SubMetaRuleNameExisting(AdminMetaRule):
message_format = _("The sub meta rule name is existing.")
code = 400
title = 'Sub Meta Rule Name Existing'
logger = "ERROR"
-class SubMetaRuleExisting(AuthzMetadata):
+class SubMetaRuleExisting(AdminMetaRule):
message_format = _("The sub meta rule is existing.")
code = 400
title = 'Sub Meta Rule Existing'
logger = "ERROR"
-class RuleOKNotExisting(AuthzRule):
- message_format = _("The positive rule for that request doen't exist.")
- code = 400
- title = 'Rule OK Not Existing'
- logger = "ERROR"
-
-
-class RuleKOExisting(AuthzRule):
- message_format = _("The request match a negative rule.")
- code = 400
- title = 'Rule KO Existing'
- logger = "ERROR"
-
-
-class RuleExisting(AuthzRule):
+class RuleExisting(AdminRule):
message_format = _("The rule is existing.")
code = 400
title = 'Rule Existing'
logger = "ERROR"
-class RuleUnknown(AuthzRule):
+class RuleUnknown(AdminRule):
message_format = _("The rule for that request doesn't exist.")
code = 400
title = 'Rule Unknown'
logger = "ERROR"
-
-class AddedRuleExisting(AuthzRule):
- message_format = _("The added rule for that request is existing.")
- code = 400
- title = 'Added Rule Existing'
- logger = "ERROR"
-
-
-# Admin exceptions
-
-
-class AdminException(MoonError):
- message_format = _("There is an authorization error requesting this IntraExtension.")
- code = 403
- title = 'Admin Exception'
- logger = "AUTHZ"
-
-
-class AdminPerimeter(AuthzException):
- title = 'Perimeter Exception'
-
-
-class AdminScope(AuthzException):
- title = 'Scope Exception'
-
-
-class AdminMetadata(AuthzException):
- title = 'Metadata Exception'
-
-
-class AdminAssignment(AuthzException):
- title = 'Assignment Exception'
-
-
-class AdminRule(AuthzException):
- title = 'Rule Exception'
-
-class AdminMetaRule(AuthzException):
- title = 'MetaRule Exception'
-
-
-class SubjectReadNotAuthorized(AdminPerimeter):
- title = 'Subject Read Not Authorized'
-
-
-class SubjectAddNotAuthorized(AdminPerimeter):
- title = 'Subject Add Not Authorized'
-
-
-class SubjectDelNotAuthorized(AdminPerimeter):
- title = 'Subject Del Not Authorized'
-
-
-class ObjectReadNotAuthorized(AdminPerimeter):
- title = 'Object Read Not Authorized'
-
-
-class ObjectAddNotAuthorized(AdminPerimeter):
- title = 'Object Add Not Authorized'
-
-
-class ObjectDelNotAuthorized(AdminPerimeter):
- title = 'Object Del Not Authorized'
-
-
-class ActionReadNotAuthorized(AdminPerimeter):
- title = 'Action Read Not Authorized'
-
-
-class ActionAddNotAuthorized(AdminPerimeter):
- title = 'Action Add Not Authorized'
-
-
-class ActionDelNotAuthorized(AdminPerimeter):
- title = 'Action Del Not Authorized'
-
-
-class SubjectScopeReadNotAuthorized(AuthzException):
- title = 'Subject Scope Read Not Authorized'
-
-
-class SubjectScopeAddNotAuthorized(AuthzException):
- title = 'Subject Scope Add Not Authorized'
-
-
-class SubjectScopeDelNotAuthorized(AuthzException):
- title = 'Subject Scope Del Not Authorized'
-
-
-class ObjectScopeReadNotAuthorized(AuthzException):
- title = 'Object Scope Read Not Authorized'
-
-
-class ObjectScopeAddNotAuthorized(AuthzException):
- title = 'Object Scope Add Not Authorized'
-
-
-class ObjectScopeDelNotAuthorized(AuthzException):
- title = 'Object Scope Del Not Authorized'
-
-
-class ActionScopeReadNotAuthorized(AuthzException):
- title = 'Action Scope Read Not Authorized'
-
-
-class ActionScopeAddNotAuthorized(AuthzException):
- title = 'Action Scope Add Not Authorized'
-
-
-class ActionScopeDelNotAuthorized(AuthzException):
- title = 'Action Scope Del Not Authorized'
-
-
-class SubjectCategoryReadNotAuthorized(AdminMetadata):
- title = 'Subject Category Read Not Authorized'
- logger = "AUTHZ"
-
-
-class SubjectCategoryAddNotAuthorized(AdminMetadata):
- title = 'Subject Category Add Not Authorized'
-
-
-class SubjectCategoryDelNotAuthorized(AdminMetadata):
- title = 'Subject Category Del Not Authorized'
-
-
-class ObjectCategoryReadNotAuthorized(AdminMetadata):
- title = 'Object Category Read Not Authorized'
-
-
-class ObjectCategoryAddNotAuthorized(AdminMetadata):
- title = 'Object Category Add Not Authorized'
-
-
-class ObjectCategoryDelNotAuthorized(AdminMetadata):
- title = 'Object Category Del Not Authorized'
-
-
-class ActionCategoryReadNotAuthorized(AdminMetadata):
- title = 'Action Category Read Not Authorized'
-
-
-class ActionCategoryAddNotAuthorized(AdminMetadata):
- title = 'Action Category Add Not Authorized'
-
-
-class ActionCategoryDelNotAuthorized(AdminMetadata):
- title = 'Action Category Del Not Authorized'
-
-
-class SubjectAssignmentReadNotAuthorized(AdminAssignment):
- title = 'Subject Assignment Read Not Authorized'
-
-
-class SubjectAssignmentAddNotAuthorized(AdminAssignment):
- title = 'Subject Assignment Add Not Authorized'
-
-
-class SubjectAssignmentDelNotAuthorized(AdminAssignment):
- title = 'Subject Assignment Del Not Authorized'
-
-
-class ObjectAssignmentReadNotAuthorized(AdminAssignment):
- title = 'Object Assignment Read Not Authorized'
-
-
-class ObjectAssignmentAddNotAuthorized(AdminAssignment):
- title = 'Object Assignment Add Not Authorized'
-
-
-class ObjectAssignmentDelNotAuthorized(AdminAssignment):
- title = 'Object Assignment Del Not Authorized'
-
-
-class ActionAssignmentReadNotAuthorized(AdminAssignment):
- title = 'Action Assignment Read Not Authorized'
-
-
-class ActionAssignmentAddNotAuthorized(AdminAssignment):
- title = 'Action Assignment Add Not Authorized'
-
-
-class ActionAssignmentDelNotAuthorized(AdminAssignment):
- title = 'Action Assignment Del Not Authorized'
-
-
-class RuleReadNotAuthorized(AdminRule):
- title = 'Rule Read Not Authorized'
-
-
-class RuleAddNotAuthorized(AdminRule):
- title = 'Rule Add Not Authorized'
-
-
-class RuleDelNotAuthorized(AdminRule):
- title = 'Rule Del Not Authorized'
-
-
-class MetaRuleReadNotAuthorized(AdminRule):
- title = 'MetaRule Read Not Authorized'
-
-
-class MetaRuleAddNotAuthorized(AdminRule):
- title = 'MetaRule Add Not Authorized'
-
-
-class MetaRuleDelNotAuthorized(AdminRule):
- title = 'MetaRule Del Not Authorized'
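Review bot: The new AdminException body (the lines following `+class AdminException(MoonError):`) keeps the old AuthzException's text, so an admin-side failure is reported as `title = 'Authz Exception'` with a message about the "Authz IntraExtension"; change those two lines to `message_format = _("There is an error requesting this Admin IntraExtension.")` and `title = 'Admin Exception'`. The status codes also appear to have swapped relative to the removed definitions: AuthzException goes from 400 to 403 and AdminException from 403 to 400, so API clients keying on the code now see admin errors as bad requests; confirm this is intended rather than a side effect of moving the block. Every *NotAuthorized class is removed, and the IntraExtensionAuthzManager overrides in core.py that raised them are deleted in the same commit, so that manager now inherits the parent's mutator methods; confirm those inherited methods are guarded by @enforce or an equivalent check, otherwise the authz manager gains write paths it previously refused. The rename from AdminMetadata to AdminMetaData will break any caller importing the old spelling; worth a search outside this diff.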