From 43da0e268fd88c05e49a3d949e3685a13fa43926 Mon Sep 17 00:00:00 2001 From: asteroide Date: Sat, 26 Sep 2015 23:31:49 +0200 Subject: Review the KeystoneMiddleware code, fix some bugs in the authz functions. Change-Id: I9d9966c061fc71cd8ef5ce88217dcdfa63e0722f --- .../keystonemiddleware/authz.py | 31 +++++++++++++++++----- 1 file changed, 24 insertions(+), 7 deletions(-) (limited to 'keystonemiddleware-moon') diff --git a/keystonemiddleware-moon/keystonemiddleware/authz.py b/keystonemiddleware-moon/keystonemiddleware/authz.py index bdb31ade..a24ac897 100644 --- a/keystonemiddleware-moon/keystonemiddleware/authz.py +++ b/keystonemiddleware-moon/keystonemiddleware/authz.py @@ -245,6 +245,7 @@ class AuthZProtocol(object): :return: the action or "" """ action = "" + self.input = "" if component == "nova": length = int(env.get('CONTENT_LENGTH', '0')) # TODO (dthom): compute for Nova, Cinder, Neutron, ... @@ -252,6 +253,7 @@ class AuthZProtocol(object): if length > 0: try: sub_action_object = env['wsgi.input'].read(length) + self.input = sub_action_object action = json.loads(sub_action_object).keys()[0] body = StringIO(sub_action_object) env['wsgi.input'] = body @@ -272,8 +274,23 @@ class AuthZProtocol(object): @staticmethod def _get_object(env, component): if component == "nova": - # get the object ID which is located before "action" in the URL - return env.get("PATH_INFO").split("/")[-2] + # http://developer.openstack.org/api-ref-compute-v2.1.html + # nova URLs: + # //servers/ + # list details for server_id + # //servers//action + # execute action to server_id + # //servers//metadata + # show metadata from server_id + # //servers/details + # list servers + url = env.get("PATH_INFO").split("/") + if url[-1] == "detail": + return "servers" + try: + return url[3] + except IndexError: + return elif component == "swift": # remove the "/v1/" part of the URL return env.get("PATH_INFO").split("/", 2)[-1].replace("/", "-") @@ -293,12 +310,11 @@ class AuthZProtocol(object): component = self._find_openstack_component(env) action_id = self._get_action(env, component) if action_id: - self._LOG.debug("OpenStack component {}".format(component)) object_id = self._get_object(env, component) - self._LOG.debug("{}-{}-{}-{}".format(subject_id, object_id, action_id, tenant_id)) + if not object_id: + object_id = "servers" self.__set_token() resp = self._get_authz_from_moon(self.x_subject_token, tenant_id, subject_id, object_id, action_id) - self._LOG.info("Moon answer: {}-{}".format(resp.status_code, resp.content)) self.__unset_token() if resp.status_code == 200: try: @@ -306,8 +322,9 @@ class AuthZProtocol(object): self._LOG.debug(answer) if "authz" in answer and answer["authz"]: return self._app(env, start_response) - except: - raise exception.Unauthorized(message="You are not authorized to do that!") + except Exception as e: + # self._LOG.error("You are not authorized to do that!") + raise exception.Unauthorized(message="You are not authorized to do that! ({})".format(unicode(e))) self._LOG.debug("No action_id found for {}".format(env.get("PATH_INFO"))) # If action is not found, we can't raise an exception because a lots of action is missing # in function self._get_action, it is not possible to get them all. -- cgit 1.2.3-korg