diff options
Diffstat (limited to 'keystone-moon')
-rw-r--r-- | keystone-moon/keystone/contrib/moon/controllers.py | 4 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/core.py | 39 | ||||
-rw-r--r-- | keystone-moon/keystone/contrib/moon/routers.py | 6 |
3 files changed, 31 insertions, 18 deletions
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index 58e62a28..84e27fa3 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -208,6 +208,10 @@ class IntraExtensions(controller.V3Controller): intra_extension_dict['description'] = kw.get('intra_extension_description', None) return self.admin_api.set_intra_extension_dict(user_id, intra_extension_id, intra_extension_dict) + @controller.protected() + def load_root_intra_extension(self, context, **kw): + self.admin_api.load_root_intra_extension_dict() + # Metadata functions @controller.protected() def get_subject_categories(self, context, **kw): diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index 6f9832e9..a227174c 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -176,28 +176,27 @@ def enforce(action_names, object_name, **extra): else: intra_extension_id = intra_root_extension_id + try: + tenants_dict = self.tenant_api.driver.get_tenants_dict() + except AttributeError: + tenants_dict = self.driver.get_tenants_dict() if self.root_api.is_admin_subject(user_id): # TODO: check if there is no security hole here + self.moonlog_api.driver.info("Authorizing because it is the user admin of the root intra-extension") returned_value_for_func = func(*args, **kwargs) else: intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() if intra_extension_id not in intra_extensions_dict: # if id is not an intra_extension, maybe it is a tenant id - try: - tenants_dict = self.tenant_api.driver.get_tenants_dict() - except AttributeError: - tenants_dict = self.driver.get_tenants_dict() + intra_extension_id = intra_root_extension_id if intra_extension_id in tenants_dict: # id is in fact a tenant id so, we must check against the Root intra_extension intra_extension_id = intra_root_extension_id + LOG.warning("intra_extension_id is a tenant ID ({})".format(intra_extension_id)) else: # id is not a known tenant ID, so we must check against the Root intra_extension intra_extension_id = intra_root_extension_id - LOG.warning("Cannot enforce because the intra-extension is unknown ({})".format(intra_extension_id)) - try: - tenants_dict = self.tenant_api.driver.get_tenants_dict() - except AttributeError: - tenants_dict = self.driver.get_tenants_dict() + LOG.warning("Cannot enforce because the intra-extension is unknown (fallback to the root intraextension)") for _tenant_id in tenants_dict: if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \ tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id: @@ -261,7 +260,9 @@ def enforce(action_names, object_name, **extra): authz_result = False for action_id in action_id_list: - if self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id): + res = self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id) + self.moonlog_api.info("res={}".format(res)) + if res: authz_result = True else: self.moonlog_api.authz("No authorization for ({} {}-{}-{})".format( @@ -519,6 +520,13 @@ class IntraExtensionManager(manager.Manager): } """ authz_buffer = dict() + # Sometimes it is not the subject ID but the User Keystone ID, so, we have to check + subjects_dict = self.driver.get_subjects_dict(intra_extension_id) + if subject_id not in subjects_dict.keys(): + for _subject_id in subjects_dict: + if subjects_dict[_subject_id]['keystone_id']: + subject_id = _subject_id + break authz_buffer['subject_id'] = subject_id authz_buffer['object_id'] = object_id authz_buffer['action_id'] = action_id @@ -882,7 +890,7 @@ class IntraExtensionManager(manager.Manager): self.__load_rule_file(ie_dict, template_dir) return ref - def load_root_intra_extension_dict(self, policy_template): + def load_root_intra_extension_dict(self, policy_template=CONF.moon.root_policy_directory): # Note (asteroide): Only one root Extension is authorized # and this extension is created at the very beginning of the server # so we don't need to use enforce here @@ -897,13 +905,8 @@ class IntraExtensionManager(manager.Manager): ie_dict["genre"] = "admin" ie_dict["description"] = "policy_root" ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict) - try: - self.moonlog_api.debug("Creation of IE: {}".format(ref)) - except AttributeError: - pass - # Creation of the root intra extension raise an error here because - # self.moonlog_api doesn't exist. - # FIXME (asteroide): understand why moonlog_api raise an error here... + self.moonlog_api.debug("Creation of root IE: {}".format(ref)) + # read the template given by "model" and populate default variables template_dir = os.path.join(CONF.moon.policy_directory, ie_dict["model"]) self.__load_metadata_file(ie_dict, template_dir) diff --git a/keystone-moon/keystone/contrib/moon/routers.py b/keystone-moon/keystone/contrib/moon/routers.py index 357ae060..fd1c0adf 100644 --- a/keystone-moon/keystone/contrib/moon/routers.py +++ b/keystone-moon/keystone/contrib/moon/routers.py @@ -89,6 +89,12 @@ class Routers(wsgi.V3ExtensionRouter): # IntraExtensions/Admin route self._add_resource( mapper, intra_ext_controller, + path=self.PATH_PREFIX+'/intra_extensions/init', + get_action='load_root_intra_extension', + rel=self._get_rel('intra_extensions'), + path_vars={}) + self._add_resource( + mapper, intra_ext_controller, path=self.PATH_PREFIX+'/intra_extensions', get_action='get_intra_extensions', post_action='add_intra_extension', |