Diffstat (limited to 'keystone/api')
-rw-r--r--keystone/api/auth.py1
-rw-r--r--keystone/api/limits.py65
-rw-r--r--keystone/api/projects.py30
-rw-r--r--keystone/api/trusts.py10
-rw-r--r--keystone/api/users.py15
5 files changed, 80 insertions, 41 deletions
diff --git a/keystone/api/auth.py b/keystone/api/auth.py
index d399df433..91dfa43ca 100644
--- a/keystone/api/auth.py
+++ b/keystone/api/auth.py
@@ -338,6 +338,7 @@ class AuthFederationWebSSOResource(_AuthFederationWebSSOBase):
@classmethod
def _perform_auth(cls, protocol_id):
idps = PROVIDERS.federation_api.list_idps()
+ remote_id = None
for idp in idps:
try:
remote_id_name = federation_utils.get_remote_id_parameter(
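Review bot: The new `remote_id = None` default only removes the unbound-variable case when none of the providers in `idps` matches; the code after the loop, which lies outside this hunk, must then treat `None` as "no identity provider recognised this request" and fail authentication rather than carry on with an empty remote id — confirm there is an explicit `if remote_id is None: raise ...` style check there. A short comment on the new line, `# stays None when no configured IdP yields a remote id for this protocol`, would make that intent visible to the next reader. `_perform_auth` continues past the end of the hunk.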
diff --git a/keystone/api/limits.py b/keystone/api/limits.py
index c265a3cc7..83eed9bee 100644
--- a/keystone/api/limits.py
+++ b/keystone/api/limits.py
@@ -20,6 +20,7 @@ from keystone.common import json_home
from keystone.common import provider_api
from keystone.common import rbac_enforcer
from keystone.common import validation
+from keystone import exception
from keystone.limit import schema
from keystone.server import flask as ks_flask
@@ -28,6 +29,27 @@ PROVIDERS = provider_api.ProviderAPIs
ENFORCER = rbac_enforcer.RBACEnforcer
+def _build_limit_enforcement_target():
+ target = {}
+ try:
+ limit = PROVIDERS.unified_limit_api.get_limit(
+ flask.request.view_args.get('limit_id')
+ )
+ target['limit'] = limit
+ if limit.get('project_id'):
+ project = PROVIDERS.resource_api.get_project(limit['project_id'])
+ target['limit']['project'] = project
+ elif limit.get('domain_id'):
+ domain = PROVIDERS.resource_api.get_domain(limit['domain_id'])
+ target['limit']['domain'] = domain
+ except exception.NotFound: # nosec
+ # Defer the existence check in the event the limit doesn't exist, this
+ # is checked later anyway.
+ pass
+
+ return target
+
+
class LimitsResource(ks_flask.ResourceBase):
collection_key = 'limits'
member_key = 'limit'
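Review bot: `_build_limit_enforcement_target` decorates the dict returned by `get_limit` in place (`target['limit']['project'] = project`, and likewise for `domain`), so if `get_limit` hands back a shared or memoized object the embedded project/domain record would leak into the body that `_get_limit` later returns through `wrap_member`. Copying before decorating removes the dependency on the driver returning a fresh dict: `target['limit'] = dict(limit)` and then attach the project/domain to `target['limit']`. The helper also deserves a docstring saying that a missing limit yields an empty target, so target-based policy rules presumably fail closed at enforcement and the 404 comes from the subsequent `get_limit` call in the handler rather than from here.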
@@ -38,27 +60,38 @@ class LimitsResource(ks_flask.ResourceBase):
def _list_limits(self):
filters = ['service_id', 'region_id', 'resource_name', 'project_id',
'domain_id']
+
ENFORCER.enforce_call(action='identity:list_limits', filters=filters)
+
hints = self.build_driver_hints(filters)
- project_id_filter = hints.get_exact_filter_by_name('project_id')
- domain_id_filter = hints.get_exact_filter_by_name('domain_id')
- if project_id_filter or domain_id_filter:
- if self.oslo_context.system_scope:
- refs = PROVIDERS.unified_limit_api.list_limits(hints)
- else:
- refs = []
- else:
- project_id = self.oslo_context.project_id
- domain_id = self.oslo_context.domain_id
- if project_id:
- hints.add_filter('project_id', project_id)
- elif domain_id:
- hints.add_filter('domain_id', domain_id)
+
+ filtered_refs = []
+ if self.oslo_context.system_scope:
+ refs = PROVIDERS.unified_limit_api.list_limits(hints)
+ filtered_refs = refs
+ elif self.oslo_context.domain_id:
refs = PROVIDERS.unified_limit_api.list_limits(hints)
- return self.wrap_collection(refs, hints=hints)
+ projects = PROVIDERS.resource_api.list_projects_in_domain(
+ self.oslo_context.domain_id
+ )
+ project_ids = [project['id'] for project in projects]
+ for limit in refs:
+ if limit.get('project_id'):
+ if limit['project_id'] in project_ids:
+ filtered_refs.append(limit)
+ elif limit.get('domain_id'):
+ if limit['domain_id'] == self.oslo_context.domain_id:
+ filtered_refs.append(limit)
+ elif self.oslo_context.project_id:
+ hints.add_filter('project_id', self.oslo_context.project_id)
+ refs = PROVIDERS.unified_limit_api.list_limits(hints)
+ filtered_refs = refs
+
+ return self.wrap_collection(filtered_refs, hints=hints)
def _get_limit(self, limit_id):
- ENFORCER.enforce_call(action='identity:get_limit')
+ ENFORCER.enforce_call(action='identity:get_limit',
+ build_target=_build_limit_enforcement_target)
ref = PROVIDERS.unified_limit_api.get_limit(limit_id)
return self.wrap_member(ref)
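Review bot: In the project-scoped branch the caller-supplied `project_id`/`domain_id` filters built by `build_driver_hints` are still in `hints` when the token's own `project_id` filter is appended, so the result depends on how the driver reconciles two exact filters on the same name; the domain branch guards itself with a post-query check, but this branch trusts the hint alone. Filtering the returned rows the same way makes the scope check independent of backend filter semantics: replace `filtered_refs = refs` in that branch with `filtered_refs = [limit for limit in refs if limit.get('project_id') == self.oslo_context.project_id]`. Minor: `project_ids` is a list used only for membership tests inside the loop, so `project_ids = {project['id'] for project in projects}` is the cheaper form. Note also that `hints` is passed to `wrap_collection` after rows were dropped in Python, so any truncation or pagination metadata derived from the driver result may no longer match `filtered_refs`.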
diff --git a/keystone/api/projects.py b/keystone/api/projects.py
index 4eb76b48f..108971c21 100644
--- a/keystone/api/projects.py
+++ b/keystone/api/projects.py
@@ -236,7 +236,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
GET /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:list_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:list_project_tags',
+ build_target=_build_project_target_enforcement
+ )
ref = PROVIDERS.resource_api.list_project_tags(project_id)
return self.wrap_member(ref)
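Review bot: `_build_project_target_enforcement` is defined outside this hunk, so its handling of an unknown `project_id` is not visible; if it lets `NotFound` propagate before `enforce_call` evaluates the rule, a caller lacking `identity:list_project_tags` would see 404 for missing projects and 403 for existing ones, which is a project-existence oracle. It should defer the existence check the way the limits helper in this same change does (`except exception.NotFound: pass`, returning an empty target) and leave the 404 to `list_project_tags` after enforcement — confirm that is how it behaves. The same consideration applies to every other tag handler switched to this helper in this commit.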
@@ -245,7 +248,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
PUT /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:update_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:update_project_tags',
+ build_target=_build_project_target_enforcement
+ )
tags = self.request_body_json.get('tags', {})
validation.lazy_validate(schema.project_tags_update, tags)
ref = PROVIDERS.resource_api.update_project_tags(
@@ -257,7 +263,10 @@ class ProjectTagsResource(_ProjectTagResourceBase):
DELETE /v3/projects/{project_id}/tags
"""
- ENFORCER.enforce_call(action='identity:delete_project_tags')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tags',
+ build_target=_build_project_target_enforcement
+ )
PROVIDERS.resource_api.update_project_tags(project_id, [])
return None, http_client.NO_CONTENT
@@ -268,7 +277,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
GET /v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:get_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:get_project_tag',
+ build_target=_build_project_target_enforcement,
+ )
PROVIDERS.resource_api.get_project_tag(project_id, value)
return None, http_client.NO_CONTENT
@@ -277,7 +289,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
PUT /v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:create_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:create_project_tag',
+ build_target=_build_project_target_enforcement
+ )
validation.lazy_validate(schema.project_tag_create, value)
# Check if we will exceed the max number of tags on this project
tags = PROVIDERS.resource_api.list_project_tags(project_id)
@@ -298,7 +313,10 @@ class ProjectTagResource(_ProjectTagResourceBase):
/v3/projects/{project_id}/tags/{value}
"""
- ENFORCER.enforce_call(action='identity:delete_project_tag')
+ ENFORCER.enforce_call(
+ action='identity:delete_project_tag',
+ build_target=_build_project_target_enforcement
+ )
PROVIDERS.resource_api.delete_project_tag(project_id, value)
return None, http_client.NO_CONTENT
diff --git a/keystone/api/trusts.py b/keystone/api/trusts.py
index 3c40d8c67..6c56fe1b0 100644
--- a/keystone/api/trusts.py
+++ b/keystone/api/trusts.py
@@ -228,11 +228,11 @@ class TrustResource(ks_flask.ResourceBase):
# rule check_str is ""
if isinstance(rules, op_checks.TrueCheck):
LOG.warning(
- "The policy check string for rule \"identity:list_trusts\" has been overridden"
- "to \"always true\". In the next release, this will cause the"
- "\"identity:list_trusts\" action to be fully permissive as hardcoded"
- "enforcement will be removed. To correct this issue, either stop overriding the"
- "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly"
+ "The policy check string for rule \"identity:list_trusts\" has been overridden "
+ "to \"always true\". In the next release, this will cause the "
+ "\"identity:list_trusts\" action to be fully permissive as hardcoded "
+ "enforcement will be removed. To correct this issue, either stop overriding the "
+ "\"identity:list_trusts\" rule in config to accept the defaults, or explicitly "
"set a rule that is not empty."
)
if not flask.request.args:
diff --git a/keystone/api/users.py b/keystone/api/users.py
index 2e09f4b9a..b5938b17a 100644
--- a/keystone/api/users.py
+++ b/keystone/api/users.py
@@ -287,19 +287,6 @@ class UserGroupsResource(ks_flask.ResourceBase):
get_member_from_driver = PROVIDERS.deferred_provider_lookup(
api='identity_api', method='get_group')
- @staticmethod
- def _built_target_attr_enforcement():
- ref = None
- if flask.request.view_args:
- try:
- ref = {'user': PROVIDERS.identity_api.get_user(
- flask.request.view_args.get('user_id'))}
- except ks_exception.NotFound: # nosec
- # Defer existence in the event the user doesn't exist, we'll
- # check this later anyway.
- pass
- return ref
-
def get(self, user_id):
"""Get groups for a user.
@@ -308,7 +295,7 @@ class UserGroupsResource(ks_flask.ResourceBase):
filters = ('name',)
hints = self.build_driver_hints(filters)
ENFORCER.enforce_call(action='identity:list_groups_for_user',
- build_target=self._built_target_attr_enforcement,
+ build_target=_build_user_target_enforcement,
filters=filters)
refs = PROVIDERS.identity_api.list_groups_for_user(user_id=user_id,
hints=hints)