Diffstat (limited to 'keystone/api')
-rw-r--r-- | keystone/api/auth.py | 1 | ||||
-rw-r--r-- | keystone/api/limits.py | 65 | ||||
-rw-r--r-- | keystone/api/projects.py | 30 | ||||
-rw-r--r-- | keystone/api/trusts.py | 10 | ||||
-rw-r--r-- | keystone/api/users.py | 15 |
5 files changed, 80 insertions, 41 deletions
diff --git a/keystone/api/auth.py b/keystone/api/auth.py
index d399df433..91dfa43ca 100644
--- a/keystone/api/auth.py
+++ b/keystone/api/auth.py
@@ -338,6 +338,7 @@ class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
@classmethod
def _perform_auth(cls, protocol_id):
idps = PROVIDERS.federation_api.list_idps()
+ remote_id = None
for idp in idps:
try:
remote_id_name = federation_utils.get_remote_id_parameter(
diff --git a/keystone/api/limits.py b/keystone/api/limits.py
index c265a3cc7..83eed9bee 100644
--- a/keystone/api/limits.py
+++ b/keystone/api/limits.py
@@ -20,6 +20,7 @@ from keystone.common import json_home
from keystone.common import provider_api
from keystone.common import rbac_enforcer
from keystone.common import validation
+from keystone import exception
from keystone.limit import schema
from keystone.server import flask as ks_flask
@@ -28,6 +29,27 @@ PROVIDERS = provider_api.ProviderAPIs
ENFORCER = rbac_enforcer.RBACEnforcer
+def _build_limit_enforcement_target():
+ target = {}
+ try:
+ limit = PROVIDERS.unified_limit_api.get_limit(
+ flask.request.view_args.get('limit_id')
+ )
+ target['limit'] = limit
+ if limit.get('project_id'):
+ project = PROVIDERS.resource_api.get_project(limit['project_id'])
+ target['limit']['project'] = project
+ elif limit.get('domain_id'):
+ domain = PROVIDERS.resource_api.get_domain(limit['domain_id'])
+ target['limit']['domain'] = domain
+ except exception.NotFound: # nosec
+ # Defer the existence check in the event the limit doesn't exist, this
+ # is checked later anyway.
+ pass
+
+ return target
+
+
class LimitsResource(ks_flask.ResourceBase):
collection_key = 'limits'
member_key = 'limit'
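Review bot: Initialising `remote_id = None` before the `for idp in idps:` loop only turns the former NameError on an empty or non-matching IdP list into a `None` value; the code that consumes `remote_id` after the loop is outside this hunk, so it needs to be confirmed that a still-`None` value is turned into the usual authentication failure rather than passed on to the IdP/mapping lookup, where a `None` key would fail with a less clear error. A comment on the new line would make that contract visible to the next reader: `# None until an IdP matches; the post-loop check must reject it`. `_perform_auth` continues past the end of the hunk.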
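Review bot: `flask.request.view_args.get('limit_id')` in `_build_limit_enforcement_target` dereferences `view_args` without the `if flask.request.view_args:` guard that the removed `UserGroupsResource._built_target_attr_enforcement` in users.py carried; when `view_args` is unset the helper raises `AttributeError` from inside policy enforcement instead of deferring to the later 404. It is only wired to `_get_limit`, which always has a `limit_id` path parameter, so the problem is latent, but the helper is module-level and will be reused; `if not flask.request.view_args: return target` at the top keeps it safe. Separately, `target['limit']['project'] = project` and the `domain` branch write into the dict returned by `get_limit` rather than into a copy, so if the unified-limit driver or its cache hands back a shared object (not visible from here) the nested `project`/`domain` keys leak into it; `target['limit'] = dict(limit)` avoids that for one line of cost.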
@@ -38,27 +60,38 @@ class LimitsResource(ks_flask.ResourceBase):
def _list_limits(self):
filters = ['service_id', 'region_id', 'resource_name', 'project_id', 'domain_id']
+ ENFORCER.enforce_call(action='identity:list_limits', filters=filters)
+
hints = self.build_driver_hints(filters)
- project_id_filter = hints.get_exact_filter_by_name('project_id')
- domain_id_filter = hints.get_exact_filter_by_name('domain_id')
- if project_id_filter or domain_id_filter:
- if self.oslo_context.system_scope:
- refs = PROVIDERS.unified_limit_api.list_limits(hints)
- else:
- refs = []
- else:
- project_id = self.oslo_context.project_id
- domain_id = self.oslo_context.domain_id
- if project_id:
- hints.add_filter('project_id', project_id)
- elif domain_id:
- hints.add_filter('domain_id', domain_id)
+
+ filtered_refs = []
+ if self.oslo_context.system_scope:
+ refs = PROVIDERS.unified_limit_api.list_limits(hints)
+ filtered_refs = refs
+ elif self.oslo_context.domain_id:
refs = PROVIDERS.unified_limit_api.list_limits(hints)
- return self.wrap_collection(refs, hints=hints)
+ projects = PROVIDERS.resource_api.list_projects_in_domain(
+ self.oslo_context.domain_id
+ )
+ project_ids = [project['id'] for project in projects]
+ for limit in refs:
+ if limit.get('project_id'):
+ if limit['project_id'] in project_ids:
+ filtered_refs.append(limit)
+ elif limit.get('domain_id'):
+ if limit['domain_id'] == self.oslo_context.domain_id:
+ filtered_refs.append(limit)
+ elif self.oslo_context.project_id:
+ hints.add_filter('project_id', self.oslo_context.project_id)
+ refs = PROVIDERS.unified_limit_api.list_limits(hints)
+ filtered_refs = refs
+
+ return self.wrap_collection(filtered_refs, hints=hints)
def _get_limit(self, limit_id):
- ENFORCER.enforce_call(action='identity:get_limit')
+ ENFORCER.enforce_call(action='identity:get_limit',
+ build_target=_build_limit_enforcement_target)
ref = PROVIDERS.unified_limit_api.get_limit(limit_id)
return self.wrap_member(ref)
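Review bot: In the domain-scoped branch of `_list_limits`, `project_ids` is a list that is probed with `in` once per limit returned by the unscoped `list_limits(hints)` call, so the loop is O(limits × projects) on every request; build it as a set instead, `project_ids = {project['id'] for project in projects}`. The same branch fetches every limit in the deployment and applies the domain scope in Python, which means that if the unified-limit driver honours paging hints (limit/marker — I cannot tell from this hunk) the page is cut before the scope filter runs and `wrap_collection(filtered_refs, hints=hints)` reports truncation against a page that is now shorter than the filtered result. Pushing the scope into the query, or a comment stating that limits are not paged, would settle that. The system-scope and project-scope branches return the driver result unchanged, so only the domain branch carries this cost.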
diff --git a/keystone/api/projects.py b/keystone/api/projects.py
index 4eb76b48f..108971c21 100644
--- a/keystone/api/projects.py
+++ b/keystone/api/projects.py
@@ -236,7 +236,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
GET /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:list_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:list_project_tags',
+ build_target=_build_project_target_enforcement
+ )
ref = PROVIDERS.resource_api.list_project_tags(project_id)
return self.wrap_member(ref)
@@ -245,7 +248,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
PUT /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:update_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:update_project_tags',
+ build_target=_build_project_target_enforcement
+ )
tags = self.request_body_json.get('tags', {})
validation.lazy_validate(schema.project_tags_update, tags)
ref = PROVIDERS.resource_api.update_project_tags(
@@ -257,7 +263,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
DELETE /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:delete_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tags',
+ build_target=_build_project_target_enforcement
+ )
PROVIDERS.resource_api.update_project_tags(project_id, [])
return None, http_client.NO_CONTENT
@@ -268,7 +277,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
GET /v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:get_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:get_project_tag',
+ build_target=_build_project_target_enforcement,
+ )
PROVIDERS.resource_api.get_project_tag(project_id, value)
return None, http_client.NO_CONTENT
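Review bot: The six `enforce_call` rewrites in projects.py are identical except for punctuation: `get_project_tag` (fourth hunk) ends with `build_target=_build_project_target_enforcement,` while `list_project_tags`, `update_project_tags`, `delete_project_tags` here and `create_project_tag`, `delete_project_tag` in the following hunks drop the trailing comma; standardise on the trailing-comma form so a later keyword addition is a one-line diff. `_build_project_target_enforcement` is defined outside these hunks, so I cannot see how it behaves when the project does not exist; if it follows the deferred-404 pattern used by the limits helper in this change and returns an empty target, a one-line comment on the helper saying so would spare the next reader from tracing why a missing project still reaches the policy engine.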
@@ -277,7 +289,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
PUT /v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:create_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:create_project_tag',
+ build_target=_build_project_target_enforcement
+ )
validation.lazy_validate(schema.project_tag_create, value)
# Check if we will exceed the max number of tags on this project
tags = PROVIDERS.resource_api.list_project_tags(project_id)
@@ -298,7 +313,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
/v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:delete_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tag',
+ build_target=_build_project_target_enforcement
+ )
PROVIDERS.resource_api.delete_project_tag(project_id, value)
return None, http_client.NO_CONTENT
diff --git a/keystone/api/trusts.py b/keystone/api/trusts.py
index 3c40d8c67..6c56fe1b0 100644
--- a/keystone/api/trusts.py
+++ b/keystone/api/trusts.py
@@ -228,11 +228,11 @@ class TrustResource(ks_flask.ResourceBase):
# rule check_str is ""
if isinstance(rules, op_checks.TrueCheck):
LOG.warning(
- "The policy check string for rule \"identity:list_trusts\" has been overridden"
- "to \"always true\". In the next release, this will cause the"
- "\"identity:list_trusts\" action to be fully permissive as hardcoded"
- "enforcement will be removed. To correct this issue, either stop overriding the"
- "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly"
+ "The policy check string for rule \"identity:list_trusts\" has been overridden "
+ "to \"always true\". In the next release, this will cause the "
+ "\"identity:list_trusts\" action to be fully permissive as hardcoded "
+ "enforcement will be removed. To correct this issue, either stop overriding the "
+ "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly "
"set a rule that is not empty."
)
if not flask.request.args:
diff --git a/keystone/api/users.py b/keystone/api/users.py
index 2e09f4b9a..b5938b17a 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -287,19 +287,6 @@ class UserGroupsResource(ks_flask.ResourceBase):
get_member_from_driver = PROVIDERS.deferred_provider_lookup(
api='identity_api', method='get_group')
- @staticmethod
- def _built_target_attr_enforcement():
- ref = None
- if flask.request.view_args:
- try:
- ref = {'user': PROVIDERS.identity_api.get_user(
- flask.request.view_args.get('user_id'))}
- except ks_exception.NotFound: # nosec
- # Defer existence in the event the user doesn't exist, we'll
- # check this later anyway.
- pass
- return ref
-
def get(self, user_id):
"""Get groups for a user.
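Review bot: The trusts.py fix restores the spaces that implicit string-literal concatenation swallowed, but it keeps the construct that produced the bug, so the next edit to this `LOG.warning` can drop a space again without anything flagging it. Holding the text in one module-level constant (or a single triple-quoted literal) makes the spacing visible in one place. The warning also appears to fire on every `list_trusts` request while the override is in place — the surrounding function starts outside the hunk, so this is inferred from the `if isinstance(rules, op_checks.TrueCheck):` placement — and a warn-once guard would keep an operator's log from being flooded by a configuration message that does not change between requests.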
@@ -308,7 +295,7 @@ class UserGroupsResource(ks_flask.ResourceBase):
filters = ('name',)
hints = self.build_driver_hints(filters)
ENFORCER.enforce_call(action='identity:list_groups_for_user',
- build_target=self._built_target_attr_enforcement,
+ build_target=_build_user_target_enforcement,
filters=filters)
refs = PROVIDERS.identity_api.list_groups_for_user(user_id=user_id,
hints=hints) |
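Review bot: The removed `self._built_target_attr_enforcement` did two things the policy check for `identity:list_groups_for_user` depends on: it guarded `flask.request.view_args` before reading `user_id`, and it swallowed `NotFound` so the 404 is raised later by `list_groups_for_user` rather than from inside enforcement. `_build_user_target_enforcement` is defined outside this hunk, so I cannot confirm it preserves both, nor that it still yields the `{'user': ...}` shape that rules written as `target.user.*` resolve against; if it does, a short comment on the `build_target=` line would save the next reader the lookup: `# module-level helper; same {'user': ...} target and deferred-404 behaviour as the old staticmethod`. If it raises on a missing user instead, the response code for an unknown user_id changes from 404 to whatever enforcement emits, which is worth a test.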