Exemple #1
def authorize_quota_class_context(context, class_name):
    """Reject a user context whose quota class is not ``class_name``.

    The check applies only when ``is_user_context(context)`` is true; any
    other context returns without being compared against ``class_name``.

    :param context: request context exposing ``quota_class``
    :param class_name: quota class the request is trying to access
    :raises exception.NotAuthorized: if the context has no quota class or
        its quota class differs from ``class_name``
    """
    if not is_user_context(context):
        return

    # An unset quota class is denied outright instead of being treated as a
    # wildcard that matches every class name.
    quota_class = context.quota_class
    if not quota_class or quota_class != class_name:
        raise exception.NotAuthorized()
Exemple #2
def authorize_user_context(context, user_id):
    """Reject a user context that does not belong to ``user_id``.

    The check applies only when ``is_user_context(context)`` is true; any
    other context returns without being compared against ``user_id``.

    :param context: request context exposing ``user_id``
    :param user_id: identifier of the user the request is trying to access
    :raises exception.NotAuthorized: if the context carries no user id or
        its user id differs from ``user_id``
    """
    if not is_user_context(context):
        return

    # A context without a user id is denied rather than matched loosely.
    caller_id = context.user_id
    if not caller_id or caller_id != user_id:
        raise exception.NotAuthorized()
Exemple #3
def authorize_project_context(context, project_id):
    """Reject a user context that is not scoped to ``project_id``.

    The check applies only when ``is_user_context(context)`` is true; any
    other context returns without being compared against ``project_id``.

    :param context: request context exposing ``project_id``
    :param project_id: identifier of the project being accessed
    :raises exception.NotAuthorized: if the context carries no project id
        or its project id differs from ``project_id``
    """
    if not is_user_context(context):
        return

    # An unscoped context (no project id) is denied, so a missing value can
    # never be mistaken for access to every project.
    caller_project = context.project_id
    if not caller_project or caller_project != project_id:
        raise exception.NotAuthorized()
Exemple #4
def validate_public_share_policy(context, api_params, api='create'):
    """Check that policy permits setting ``is_public`` to True.

    ``api_params`` is modified in place: when it contains ``'is_public'``,
    the value is replaced by the strictly parsed boolean.

    :param context: request context handed to ``policy.check_policy``
    :param api_params: dictionary of values that may contain 'is_public'
    :param api: ``'create'`` or ``'update'``; selects the policy rule that is
        checked. Any other value raises ``KeyError`` from the lookup below.
    :returns: api_params with the 'is_public' item sanitized if present
    :raises exception.InvalidParameterValue: if is_public is set but is not
        a valid boolean string
    :raises exception.NotAuthorized: if is_public is True but policy
        prevents it
    """
    if 'is_public' not in api_params:
        return api_params

    # The rule name is resolved before the value is parsed, so an unknown
    # ``api`` fails before any input is touched.
    policy_to_check = {
        'create': 'create_public_share',
        'update': 'set_public_share',
    }[api]

    try:
        # strict=True makes unrecognised strings an error instead of letting
        # them fall back to a default boolean.
        api_params['is_public'] = strutils.bool_from_string(
            api_params['is_public'], strict=True)
    except ValueError as e:
        raise exception.InvalidParameterValue(str(e))
    wants_public = api_params['is_public']

    # do_raise=False: the decision is made here so that a request for a
    # private share passes even when the caller lacks the public-share rule.
    public_shares_allowed = policy.check_policy(
        context, 'share', policy_to_check, do_raise=False)
    if wants_public and not public_shares_allowed:
        message = _("User is not authorized to set 'is_public' to True in the "
                    "request.")
        raise exception.NotAuthorized(message=message)

    return api_params
Exemple #5
    def _request(self,
                 req_body=None,
                 method=None,
                 header=constants.CONTENT_TYPE_URLENCODE):
        """Send a request to ``self._url`` and return the raw response body.

        :param req_body: payload passed to ``url_request.Request``
        :param method: HTTP verb; anything other than None, 'GET' or 'POST'
            overrides the verb the request object would otherwise use
        :param header: headers passed to ``url_request.Request``
        :returns: the body read from the response
        :raises exception.NotAuthorized: if the server answers HTTP 403
        :raises exception.ManilaException: for any other ``HTTPError``

        Only ``url_error.HTTPError`` is handled; any other exception raised
        by ``self.url_opener.open`` propagates to the caller unchanged.
        """
        request = url_request.Request(self._url, req_body, header)
        if method not in (None, 'GET', 'POST'):
            def _forced_method():
                return method
            request.get_method = _forced_method

        # NOTE(review): presumably writes the request to the log -- confirm
        # that the logger masks credentials carried in the body or headers.
        self._http_log_req(request)
        try:
            response = self.url_opener.open(request)
            resp_body = response.read()
            self._http_log_resp(response, resp_body)
        except url_error.HTTPError as http_err:
            status = http_err.code
            # NOTE(review): the raw request body becomes part of the
            # exception message below. If a caller ever sends secrets in
            # req_body they would surface wherever this exception is logged
            # or returned -- verify against callers.
            details = {
                'errorCode': -1,
                'httpStatusCode': status,
                'messages': six.text_type(http_err),
                'request': req_body
            }
            msg = (_("The request is invalid. Reason: %(reason)s") % {
                'reason': details
            })
            # 403 is raised without the details dict, so the NotAuthorized
            # error carries no request data.
            if six.text_type(status) == '403':
                raise exception.NotAuthorized()
            raise exception.ManilaException(message=msg)

        return resp_body
Exemple #6
    def _authenticate_access(self, address, username, password):
        """Log in to the REST API at ``address`` and return a ready session.

        Posts the credentials to ``/api/rest/authenticate`` on
        ``self._port`` and stores the returned token as a Bearer
        ``Authorization`` header on the session.

        :param address: host of the remote endpoint
        :param username: account name sent in the form body
        :param password: password sent in the form body
        :returns: the ``requests`` session carrying the bearer token
        :raises exception.NotAuthorized: if the response status is not OK
        """
        session = requests.session()
        # NOTE(review): certificate verification is switched off for the
        # whole session, so the username/password POST below and every later
        # call carrying the bearer token go to a peer whose identity is never
        # checked. An on-path party could read both. Prefer pointing
        # ``verify`` at a CA bundle for the endpoint.
        session.verify = False
        session.auth = NoAuth()

        # NOTE(review): no timeout is passed to post(), so an unresponsive
        # endpoint blocks this call indefinitely.
        auth_url = 'https://%s:%s/api/rest/authenticate' % (address,
                                                            self._port)
        credentials = {'username': username, 'password': password}
        response = session.post(auth_url, data=credentials)
        if response.status_code != http_client.OK:
            # Only the address and user name are logged, never the password.
            LOG.debug('failed to authenticate to remote cluster at %s as %s',
                      address, username)
            raise exception.NotAuthorized('Authentication failure.')

        # A reply without a 'token' key raises KeyError here.
        token = response.json()['token']
        session.headers.update({'Authorization': 'Bearer {}'.format(token)})
        session.headers.update({'Content-Type': 'application/json'})

        return session
Exemple #7
 def index(self, req):
     """Always reject the request by raising ``exception.NotAuthorized``.

     ``req`` is accepted but never inspected.
     """
     raise exception.NotAuthorized()
Exemple #8
 def test_not_authorized(self):
     """A default ``exception.NotAuthorized`` must carry code 403."""
     # Pinning the code guards against the denial being reported under a
     # different status.
     not_authorized = exception.NotAuthorized()
     self.assertEqual(403, not_authorized.code)
Exemple #9
 def wrapper(*args, **kwargs):
     """Call ``f`` only if the first positional argument is an allowed context.

     The first positional argument is treated as the request context. It
     must satisfy ``is_admin_context`` or ``is_user_context``; otherwise
     ``exception.NotAuthorized`` is raised and ``f`` is never called.
     A call with no positional arguments raises ``IndexError``.
     """
     context = args[0]
     # The admin check runs first; the user check runs only if it fails.
     if not (is_admin_context(context) or is_user_context(context)):
         raise exception.NotAuthorized()
     return f(*args, **kwargs)