Beispiel #1
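    def on_request(self, request):
        """Enforce role-based access control on an incoming request.

        The request URL is matched against ``self.acl_map``, an iterable of
        ``(resource, route, acl)`` entries. The first route that matches
        supplies the ACL, which is indexed by HTTP method and yields the
        roles allowed to use that method.

        Returns ``None`` to let the request continue, or the result of
        ``filtering.reject(_403_FORBIDDEN)`` when access is denied.

        NOTE(review): roles are read from the ``X-Roles`` request header, so
        this check is only as trustworthy as that header. It presumably
        relies on an upstream authentication filter to set the header and
        to strip any client-supplied copy -- confirm against the filter
        chain this runs in.
        """
        path = request.url

        for resource, route, acl in self.acl_map:
            if route.match(path):
                break
        else:
            # Fail-open: a URL with no ACL entry is not subject to RBAC at
            # all, so every protected resource needs its own entry.
            LOG.debug(_('Requested path not recognized. Skipping RBAC.'))
            return

        roles = request.get_header('X-Roles')
        if not roles:
            LOG.error(_('Request headers did not include X-Roles'))
            return filtering.reject(_403_FORBIDDEN)

        # The header is known to be present past the guard above, so the
        # former empty-set fallback could never be taken and is dropped.
        given_roles = set(roles.values)

        method = request.method
        try:
            authorized_roles = acl[method]
        except KeyError:
            # A method missing from the ACL is denied rather than allowed.
            LOG.error(_('HTTP method not supported: %s') % method)
            return filtering.reject(_403_FORBIDDEN)

        # The user must hold at least one role authorized for this method.
        if authorized_roles & given_roles:
            return

        logline = _('User not authorized to %(method)s '
                    'the %(resource)s resource')
        LOG.info(logline % {'method': method, 'resource': resource})
        return filtering.reject(_403_FORBIDDEN)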
Beispiel #2
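    def on_request_head(self, request_head):
        """Authenticate a request by token and route it for its tenant.

        The token and tenant name are read from the ``X_AUTH_TOKEN`` and
        ``X_TENANT_NAME`` headers. A token already in the cache is routed
        with the tenant id stored for it. Otherwise the pair is checked with
        ``self.admin_client.tokens.authenticate`` and, on success, the
        tenant id is cached and the request is routed.

        Every other outcome (missing or empty header, failed
        authentication, any exception) rejects the request with
        ``self.reject_response``.
        """
        try:
            token_hdr = request_head.get_header(X_AUTH_TOKEN)
            tenant_name_hdr = request_head.get_header(X_TENANT_NAME)

            # Reject missing or valueless headers explicitly. Previously an
            # absent header surfaced as an exception on ``.values`` and was
            # logged with a traceback for every unauthenticated request.
            if not (token_hdr and token_hdr.values
                    and tenant_name_hdr and tenant_name_hdr.values):
                return filtering.reject(response=self.reject_response)

            token = token_hdr.values[0]
            tenant_name = tenant_name_hdr.values[0]
            if not token or not tenant_name:
                return filtering.reject(response=self.reject_response)

            if self._cached_token_exists(token):
                # NOTE(review): on a cache hit the tenant name header is not
                # checked again; the route uses the tenant id stored for the
                # token. Cache expiry and revocation are not visible here --
                # confirm the cache lifetime is bounded by token validity.
                return filtering.route(self._prepare_route(
                    request_head, self._cache_get_tenant_id(token)))

            auth_result = self.admin_client.tokens.authenticate(
                token=token, tenant_name=tenant_name)
            if auth_result:
                # NOTE(review): tenant_id is None when the result carries no
                # 'id'; that value is cached and routed as-is -- confirm
                # _prepare_route handles it.
                tenant_id = auth_result.tenant.get('id', None)
                self._cache_set_token(token, tenant_id)
                return filtering.route(self._prepare_route(
                    request_head, tenant_id))

        except Unauthorized:
            # Expected failure for bad credentials: reject without logging.
            return filtering.reject(response=self.reject_response)
        except Exception as ex:
            # Unexpected errors are logged and fall through to the reject
            # below, so the filter fails closed.
            _LOG.exception(ex)

        return filtering.reject(response=self.reject_response)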
Beispiel #3
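    def on_request(self, request):
        """Apply the RBAC policy in ``self.acl_map`` to a request.

        ``self.acl_map`` yields ``(resource, route, acl)`` entries. The
        first entry whose route matches the request URL is used, and its
        ACL is looked up by HTTP method to get the roles allowed to
        proceed.

        Returns ``None`` when the request may continue, otherwise the
        result of ``filtering.reject(_403_FORBIDDEN)``.

        NOTE(review): the caller's roles come from the ``X-Roles`` request
        header. This filter presumably sits behind an authentication stage
        that sets the header and removes any value sent by the client --
        confirm, because a client-controlled ``X-Roles`` would defeat the
        check.
        """
        path = request.url

        for resource, route, acl in self.acl_map:
            if route.match(path):
                break
        else:
            # Fail-open: URLs without an ACL entry bypass RBAC entirely, so
            # coverage depends on acl_map listing every protected route.
            LOG.debug(_('Requested path not recognized. Skipping RBAC.'))
            return

        roles = request.get_header('X-Roles')
        if not roles:
            LOG.error(_('Request headers did not include X-Roles'))
            return filtering.reject(_403_FORBIDDEN)

        # ``roles`` is always present here, so the previous conditional
        # fallback to an empty set was unreachable and is removed.
        given_roles = set(roles.values)

        method = request.method
        try:
            authorized_roles = acl[method]
        except KeyError:
            # Methods the ACL does not list are denied, not allowed.
            LOG.error(_('HTTP method not supported: %s') % method)
            return filtering.reject(_403_FORBIDDEN)

        # One role in common between the ACL and the caller is enough.
        if authorized_roles & given_roles:
            return

        logline = _('User not authorized to %(method)s '
                    'the %(resource)s resource')
        LOG.info(logline % {'method': method, 'resource': resource})
        return filtering.reject(_403_FORBIDDEN)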
Beispiel #4
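def start_response(status, headers):
    """Build an ``HttpResponse`` from a status and headers and reject with it.

    ``headers`` is an iterable of ``(name, value)`` pairs. Each value is
    appended to the value list of the header of that name, so a repeated
    name accumulates several values.

    Returns the result of ``reject(resp)``.

    NOTE(review): names and values are copied without validation. This
    assumes the caller never passes client-influenced text containing CR or
    LF -- confirm, or confirm that the response serializer rejects them.
    """
    resp = HttpResponse()
    resp.status = status

    # A plain loop, since the appends are side effects; the old list
    # comprehension built and discarded a list of None values.
    for name, value in headers:
        resp.header(name).values.append(value)

    return reject(resp)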
Beispiel #5
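def start_response(status, headers):
    """Create a response with the given status and headers, then reject.

    ``headers`` is an iterable of ``(name, value)`` pairs. Every value is
    appended to ``resp.header(name).values``, so duplicate names keep all of
    their values.

    Returns whatever ``reject(resp)`` returns.

    NOTE(review): header names and values are not validated here. This
    presumably expects them to be free of CR/LF -- verify against the
    callers and the code that serializes the response.
    """
    resp = HttpResponse()
    resp.status = status

    # Use a statement loop for the side effect instead of a throwaway list
    # comprehension.
    for name, value in headers:
        resp.header(name).values.append(value)

    return reject(resp)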
Beispiel #6
 def on_request_head(self, request_message):
     """Pass requests that carry a User-Agent header; reject the rest.

     Returns ``filtering.next()`` when the header has at least one value,
     otherwise ``filtering.reject()``.

     NOTE(review): User-Agent is chosen by the client, so this is a
     demonstration of filtering rather than an access control. The value
     is printed verbatim, including any control characters it contains.
     """
     ua_header = request_message.get_header("user-agent")

     # No header, or a header with no values: refuse the request.
     if not (ua_header and len(ua_header.values) > 0):
         return filtering.reject()

     # Show the first value, then hand the request to the next stage.
     print(ua_header.values[0])
     return filtering.next()
Beispiel #7
    def on_request_head(self, request_message):
        """Let a request through only if it has a User-Agent header value.

        Returns ``filtering.next()`` when at least one value is present and
        ``filtering.reject()`` otherwise.

        NOTE(review): the header is client-controlled, so this does not
        authenticate anything. The first value is printed unmodified, and
        may therefore carry control characters into the output stream.
        """
        ua_header = request_message.get_header('user-agent')

        # Guard clause: a missing header or an empty value list is refused.
        if not (ua_header and len(ua_header.values) > 0):
            return filtering.reject()

        # Print the first value and pass the request upstream.
        print(ua_header.values[0])
        return filtering.next()
Beispiel #8
    def on_request_head(self, request_head):
        """Authenticate a request from its tenant-id and token headers.

        Both the ``AUTH_TENANT_ID`` and ``X_AUTH_TOKEN`` headers must pass
        ``_header_is_set``. Their first values are then handed to
        ``self.client.authenticate``.

        Returns ``filtering.next()`` when authentication succeeds and
        ``filtering.reject()`` in every other case, including any exception
        raised while authenticating (which is logged).
        """
        tenant_hdr = request_head.get_header(AUTH_TENANT_ID)
        token_hdr = request_head.get_header(X_AUTH_TOKEN)

        credentials_present = (_header_is_set(tenant_hdr)
                               and _header_is_set(token_hdr))
        if not credentials_present:
            return filtering.reject()

        try:
            auth_result = self.client.authenticate(
                token=token_hdr.values[0],
                tenant_id=tenant_hdr.values[0])

            # NOTE(review): only the literal False counts as failure, so a
            # None or other falsy result lets the request through. Confirm
            # that client.authenticate can never return one on a failed
            # login; a plain truthiness test would fail closed.
            if auth_result is not False:
                return filtering.next()
        except Exception as ex:
            # Log and fall through to the reject below (fail closed).
            _LOG.exception(ex)

        return filtering.reject()
Beispiel #9
    def on_request_head(self, request_head):
        """Authenticate a request whose tenant id is embedded in the URL.

        The token is the first value of the ``X_AUTH_TOKEN`` header. The
        tenant id is the first capture group of ``self.id_regex`` matched
        against the request URL. Both are passed to
        ``self.client.authenticate``.

        Returns ``filtering.next()`` on a truthy authentication result and
        ``filtering.reject()`` otherwise: missing token, URL without a
        tenant id, failed authentication, or an exception (which is
        logged).
        """
        token_hdr = request_head.get_header(X_AUTH_TOKEN)
        if not token_hdr or len(token_hdr.values) < 1:
            return filtering.reject()

        url_match = self.id_regex.match(request_head.url)
        if not url_match or len(url_match.groups()) < 1:
            # No tenant id can be taken from the URL.
            return filtering.reject()

        tenant_id = url_match.group(1)

        try:
            auth_result = self.client.authenticate(
                token=token_hdr.values[0],
                tenant_id=tenant_id)

            if auth_result:
                return filtering.next()
        except Exception as ex:
            # Any error while authenticating is logged, and the request is
            # rejected below, so the filter fails closed.
            _LOG.exception(ex)

        return filtering.reject()