def authorize_quota_class_context(context, class_name): """Ensures a request has permission to access the given quota class.""" if is_user_context(context): if not context.quota_class: raise exception.Forbidden() elif context.quota_class != class_name: raise exception.Forbidden()
def authorize_user_context(context, user_id): """Ensures a request has permission to access the given user.""" if is_user_context(context): if not context.user_id: raise exception.Forbidden() elif context.user_id != user_id: raise exception.Forbidden()
def authorize_project_context(context, project_id): """Ensures a request has permission to access the given project.""" if is_user_context(context): if not context.project_id: raise exception.Forbidden() elif context.project_id != project_id: raise exception.Forbidden()
def _floating_ip_owned_by_project(self, context, floating_ip): """Raises if floating ip does not belong to project.""" if context.is_admin: return if floating_ip.project_id != context.project_id: if floating_ip.project_id is None: LOG.warning(_LW('Address |%(address)s| is not allocated'), {'address': floating_ip.address}) raise exception.Forbidden() else: LOG.warning(_LW('Address |%(address)s| is not allocated ' 'to your project |%(project)s|'), {'address': floating_ip.address, 'project': context.project_id}) raise exception.Forbidden()
def copy_key(self, ctxt, key_id, **kwargs): if ctxt is None: raise exception.Forbidden() copied_key_id = self._generate_key_id() self.keys[copied_key_id] = self.keys[key_id] return copied_key_id
def store_key(self, ctxt, key, **kwargs): """Stores (i.e., registers) a key with the key manager.""" if ctxt is None: raise exception.Forbidden() key_id = self._generate_key_id() self.keys[key_id] = key return key_id
def delete_key(self, ctxt, key_id, **kwargs): if ctxt is None: raise exception.Forbidden() if key_id != self.key_id: raise exception.KeyManagerError( reason=_("cannot delete non-existent key")) LOG.warning(_LW("Not deleting key %s"), key_id)
def _translate_plain_exception(exc_value): if isinstance(exc_value, (glanceclient.exc.Forbidden, glanceclient.exc.Unauthorized)): return exception.Forbidden(six.text_type(exc_value)) if isinstance(exc_value, glanceclient.exc.NotFound): return exception.NotFound(six.text_type(exc_value)) if isinstance(exc_value, glanceclient.exc.BadRequest): return exception.Invalid(six.text_type(exc_value)) return exc_value
def delete_key(self, ctxt, key_id, **kwargs): """Deletes the key identified by the specified id. A Forbidden exception is raised if the context is None and a KeyError is raised if the UUID is invalid. """ if ctxt is None: raise exception.Forbidden() del self.keys[key_id]
def create_key(self, ctxt, **kwargs): """Creates a key. This implementation returns a UUID for the created key. A Forbidden exception is raised if the specified context is None. """ if ctxt is None: raise exception.Forbidden() key = self._generate_key(**kwargs) return self.store_key(ctxt, key)
def get_key(self, ctxt, key_id, **kwargs): """Retrieves the key identified by the specified id. This implementation returns the key that is associated with the specified UUID. A Forbidden exception is raised if the specified context is None; a KeyError is raised if the UUID is invalid. """ if ctxt is None: raise exception.Forbidden() return self.keys[key_id]
def _get_barbican_client(self, ctxt): """Creates a client to connect to the Barbican service. :param ctxt: the user context for authentication :return: a Barbican Client object :raises Forbidden: if the ctxt is None """ if not self._barbican_client: # Confirm context is provided, if not raise forbidden if not ctxt: msg = _("User is not authorized to use key manager.") LOG.error(msg) raise exception.Forbidden(msg) try: _SESSION = session.Session.load_from_conf_options( CONF, BARBICAN_OPT_GROUP) auth = ctxt.get_auth_plugin() service_type, service_name, interface = ( CONF.barbican.catalog_info.split(':')) region_name = CONF.barbican.os_region_name service_parameters = { 'service_type': service_type, 'service_name': service_name, 'interface': interface, 'region_name': region_name } if CONF.barbican.endpoint_template: self._base_url = (CONF.barbican.endpoint_template % ctxt.to_dict()) else: self._base_url = _SESSION.get_endpoint( auth, **service_parameters) # the barbican endpoint can't have the '/v1' on the end self._barbican_endpoint = self._base_url.rpartition('/')[0] sess = session.Session(auth=auth) self._barbican_client = barbican_client.Client( session=sess, endpoint=self._barbican_endpoint) except Exception as e: with excutils.save_and_reraise_exception(): LOG.error(_LE("Error creating Barbican client: %s"), e) return self._barbican_client
def test_detail_client_failure(self, is_avail_mock, trans_from_mock, ext_query_mock, reraise_mock): params = {} ext_query_mock.return_value = params raised = exception.Forbidden() client = mock.MagicMock() client.call.side_effect = glanceclient.exc.Forbidden ctx = mock.sentinel.ctx reraise_mock.side_effect = raised service = glance.GlanceImageService(client) with testtools.ExpectedException(exception.Forbidden): service.detail(ctx, **params) client.call.assert_called_once_with(ctx, 1, 'list') self.assertFalse(is_avail_mock.called) self.assertFalse(trans_from_mock.called) reraise_mock.assert_called_once_with()
def network_api_disassociate(self, context, instance, address): raise exception.Forbidden()
def index(self, req): raise exception.Forbidden()
def require_context(ctxt): """Raise exception.Forbidden() if context is not a user or an admin context. """ if not ctxt.is_admin and not is_user_context(ctxt): raise exception.Forbidden()