コード例 #1
ファイル: common.py プロジェクト: stanleykao72/keystone
    def get_token_data(self, user_id, method_names, extras=None,
                       domain_id=None, project_id=None, expires=None,
                       trust=None, token=None, include_catalog=True,
                       bind=None, access_token=None, issued_at=None,
                       audit_info=None):
        """Assemble a token body and return it wrapped as ``{'token': ...}``.

        The body starts from ``method_names`` and ``extras``, takes over any
        of ``roles``/``user``/``catalog``/``project``/``domain`` found in
        ``token``, records ``bind`` when given, and is then completed by the
        ``_populate_*`` helpers in the order they are called below.

        :raises exception.Forbidden: trusts are enabled, a ``trust`` is
            supplied and ``user_id`` is not its ``trustee_user_id``.
        """
        if extras is None:
            extras = {}
        if extras:
            # The decorator is applied to a no-op which is then called, so
            # that the deprecation of "extras" is reported on this code path.
            warn_extras = versionutils.deprecated(
                what='passing token data with "extras"',
                as_of=versionutils.deprecated.KILO,
                in_favor_of='well-defined APIs')
            warn_extras(lambda: None)()
        token_data = {'methods': method_names, 'extras': extras}

        # We've probably already written these to the token
        # NOTE(review): the values are taken from ``token`` as-is; callers
        # should only pass token data they have already validated.
        if token:
            carried_over = ('roles', 'user', 'catalog', 'project', 'domain')
            token_data.update(
                (key, token[key]) for key in carried_over if key in token)

        # NOTE(review): with CONF.trust.enabled off this comparison is
        # skipped, yet ``trust`` is still handed to the helpers below --
        # confirm they ignore it in that case.
        if (CONF.trust.enabled and trust and
                user_id != trust['trustee_user_id']):
            raise exception.Forbidden(_('User is not a trustee.'))

        if bind:
            token_data['bind'] = bind

        self._populate_scope(token_data, domain_id, project_id)
        self._populate_user(token_data, user_id, trust)
        self._populate_roles(
            token_data, user_id, domain_id, project_id, trust, access_token)
        self._populate_audit_info(token_data, audit_info)

        # The service catalog is the only optional section.
        if include_catalog:
            self._populate_service_catalog(
                token_data, user_id, domain_id, project_id, trust)
        self._populate_service_providers(token_data)
        self._populate_token_dates(
            token_data, expires=expires, trust=trust, issued_at=issued_at)
        self._populate_oauth_section(token_data, access_token)
        return {'token': token_data}
コード例 #2
def moved_to_assignment(f):
    """Mark ``f`` as deprecated in favour of its assignment_api namesake.

    The deprecation message names ``identity_api.<f.__name__>`` as the
    deprecated call and ``assignment_api.<f.__name__>`` as the replacement.
    Returns ``f`` wrapped by ``versionutils.deprecated``.
    """
    method = f.__name__
    return versionutils.deprecated(
        versionutils.deprecated.ICEHOUSE,
        what="identity_api." + method,
        in_favor_of="assignment_api." + method,
        remove_in=+1)(f)
コード例 #3
ファイル: core.py プロジェクト: atheendra/keystone
def moved_to_assignment(f):
    """Wrap ``f`` so that using it reports an ICEHOUSE deprecation.

    ``identity_api.<name>`` is reported as deprecated and
    ``assignment_api.<name>`` as its replacement, where ``<name>`` is
    ``f.__name__``. The wrapped callable is returned.
    """
    target_name = f.__name__
    old_path = "identity_api." + target_name
    new_path = "assignment_api." + target_name
    mark = versionutils.deprecated(versionutils.deprecated.ICEHOUSE,
                                   what=old_path,
                                   in_favor_of=new_path,
                                   remove_in=+1)
    return mark(f)
コード例 #4
ファイル: core.py プロジェクト: aishi1979/studyKilo
 def wrapper(*args, **kwargs):
     # Returns ``f`` wrapped by the KILO deprecation decorator; ``f`` itself
     # is not invoked here and ``args``/``kwargs`` are not used.
     # NOTE(review): how the enclosing function uses this wrapper is not
     # visible in this excerpt.
     return versionutils.deprecated(
         what="assignment." + f.__name__ + "()",
         as_of=versionutils.deprecated.KILO,
         in_favor_of="resource." + f.__name__ + "()",
     )(f)
コード例 #5
ファイル: common.py プロジェクト: AfricaRegex/keystone
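    def get_token_data(self, user_id, method_names, extras=None,
                       domain_id=None, project_id=None, expires=None,
                       trust=None, token=None, include_catalog=True,
                       bind=None, access_token=None, issued_at=None,
                       audit_info=None):
        """Build the token body and return it wrapped as ``{'token': ...}``.

        The body starts from ``method_names`` and ``extras``, takes over any
        of ``roles``/``user``/``catalog``/``project``/``domain`` already
        present in ``token``, records ``bind`` when given, and is then filled
        in by the ``_populate_*`` helpers in the order they are called below.

        :raises exception.Forbidden: trusts are enabled, a ``trust`` is
            supplied and ``user_id`` is not its ``trustee_user_id``.
        """
        if extras is None:
            extras = {}
        if extras:
            # versionutils.deprecated() only builds a decorator. Wrap a no-op
            # with it and call that, otherwise the deprecation of "extras"
            # is never reported.
            versionutils.deprecated(
                what='passing token data with "extras"',
                as_of=versionutils.deprecated.KILO,
                in_favor_of='well-defined APIs')(lambda: None)()
        token_data = {'methods': method_names,
                      'extras': extras}

        # We've probably already written these to the token
        # NOTE(review): the values are taken from ``token`` as-is; callers
        # should only pass token data they have already validated.
        if token:
            for x in ('roles', 'user', 'catalog', 'project', 'domain'):
                if x in token:
                    token_data[x] = token[x]

        # Only the trustee named in the trust may obtain a token through it.
        # NOTE(review): with CONF.trust.enabled off this comparison is
        # skipped, yet ``trust`` is still handed to the helpers below --
        # confirm they ignore it in that case.
        if CONF.trust.enabled and trust:
            if user_id != trust['trustee_user_id']:
                raise exception.Forbidden(_('User is not a trustee.'))

        if bind:
            token_data['bind'] = bind

        self._populate_scope(token_data, domain_id, project_id)
        self._populate_user(token_data, user_id, trust)
        self._populate_roles(token_data, user_id, domain_id, project_id, trust,
                             access_token)
        self._populate_audit_info(token_data, audit_info)

        # The service catalog is the only optional section.
        if include_catalog:
            self._populate_service_catalog(token_data, user_id, domain_id,
                                           project_id, trust)
        self._populate_service_providers(token_data)
        self._populate_token_dates(token_data, expires=expires, trust=trust,
                                   issued_at=issued_at)
        self._populate_oauth_section(token_data, access_token)
        return {'token': token_data}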
コード例 #6
ファイル: controllers.py プロジェクト: wputra/MOS-centos
        def inner(f):
            # Builds the dotted controller paths for the deprecation message
            # from ``class_name`` (taken from the enclosing scope) and the
            # name of ``f``, then returns ``f`` wrapped by the decorator.
            names = {'cls_name': class_name, 'meth_name': f.__name__}
            old_path = (
                'identity.controllers.%(cls_name)s.%(meth_name)s' % names)
            new_path = (
                'assignment.controllers.%(cls_name)s.%(meth_name)s' % names)

            return versionutils.deprecated(
                versionutils.deprecated.ICEHOUSE,
                what=old_path,
                in_favor_of=new_path,
                remove_in=+1)(f)
コード例 #7
ファイル: common.py プロジェクト: darren-wang/ks3
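    def get_token_data(self, user_id, method_names, extras=None,
                       domain_id=None, project_id=None, expires=None,
                       token=None, include_catalog=True,
                       bind=None, access_token=None, issued_at=None,
                       audit_info=None):
        """Build the token body and return it wrapped as ``{'token': ...}``.

        The body starts from ``method_names`` and ``extras``, takes over any
        of ``roles``/``user``/``catalog``/``project``/``domain`` already
        present in ``token``, records ``bind`` when given, and is then filled
        in by the ``_populate_*`` helpers in the order they are called below.
        """
        if extras is None:
            extras = {}
        if extras:
            # versionutils.deprecated() only builds a decorator. Wrap a no-op
            # with it and call that, otherwise the deprecation of "extras"
            # is never reported.
            versionutils.deprecated(
                what='passing token data with "extras"',
                as_of=versionutils.deprecated.KILO,
                in_favor_of='well-defined APIs')(lambda: None)()
        token_data = {'methods': method_names,
                      'extras': extras}

        # We've probably already written these to the token
        # NOTE(review): the values are taken from ``token`` as-is; callers
        # should only pass token data they have already validated.
        if token:
            for x in ('roles', 'user', 'catalog', 'project', 'domain'):
                if x in token:
                    token_data[x] = token[x]

        if bind:
            token_data['bind'] = bind

        self._populate_scope(token_data, domain_id, project_id)
        self._populate_user(token_data, user_id)
        self._populate_roles(token_data, user_id, domain_id, project_id,
                             access_token)
        self._populate_audit_info(token_data, audit_info)

        # The service catalog is the only optional section.
        if include_catalog:
            self._populate_service_catalog(token_data, user_id, domain_id,
                                           project_id)
        self._populate_token_dates(token_data, expires=expires,
                                   issued_at=issued_at)
        return {'token': token_data}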
コード例 #8
ファイル: notifications.py プロジェクト: xiaoliukai/keystone
        def wrapper(wrapped_self, role_id, *args, **kwargs):
            """Call the wrapped grant method and emit audit notifications.

            A notification is sent for either outcome: OUTCOME_SUCCESS when
            the wrapped callable returns, OUTCOME_FAILURE when it raises (the
            exception is then re-raised). Each outcome is sent once per event
            type, the deprecated type first.
            """
            """ NOTE(stevemar): The reason we go through checking kwargs
            and args for possible target and actor values is because the
            create_grant() (and delete_grant()) method are called
            differently in various tests.
            Using named arguments, i.e.:
                create_grant(user_id=user['id'], domain_id=domain['id'],
                             role_id=role['id'])

            Or, using positional arguments, i.e.:
                create_grant(role_id['id'], user['id'], None,
                             domain_id=domain['id'], None)

            Or, both, i.e.:
                create_grant(role_id['id'], user_id=user['id'],
                             domain_id=domain['id'])

            Checking the values for kwargs is easy enough, since it comes
            in as a dictionary

            The actual method signature is
                create_grant(role_id, user_id=None, group_id=None,
                             domain_id=None, project_id=None,
                             inherited_to_projects=False)

            So, if the values of actor or target are still None after
            checking kwargs, we can check the positional arguments,
            based on the method signature.
            """
            # getcallargs maps positional and keyword arguments onto the
            # parameter names of ``f``, whichever way the caller passed them.
            bound = inspect.getcallargs(f, wrapped_self, role_id, *args,
                                        **kwargs)
            inherited = bound['inherited_to_projects']
            # NOTE(review): the signature quoted in the note above has no
            # ``context`` parameter, but it is read here; ``f`` must accept
            # one or this lookup raises KeyError.
            initiator = _get_request_audit_info(bound['context'])
            target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)

            # Record one scope (project before domain) and one actor (user
            # before group); the first non-empty argument of each pair wins.
            audit_kwargs = {}
            scope_choices = (('project', 'project_id'),
                             ('domain', 'domain_id'))
            actor_choices = (('user', 'user_id'), ('group', 'group_id'))
            for choices in (scope_choices, actor_choices):
                for audit_key, arg_name in choices:
                    if bound[arg_name]:
                        audit_kwargs[audit_key] = bound[arg_name]
                        break

            audit_kwargs['inherited_to_projects'] = inherited
            audit_kwargs['role'] = role_id

            # For backward compatability, send both old and new event_type.
            # Deprecate old format and remove it in the next release.
            event_types = [self.deprecated_event_type, self.event_type]
            # NOTE(review): the decorator built here is discarded without
            # being applied to anything, so this statement presumably reports
            # no deprecation -- confirm whether that is intended.
            versionutils.deprecated(
                as_of=versionutils.deprecated.KILO,
                remove_in=+1,
                what=('sending duplicate %s notification event type' %
                      self.deprecated_event_type),
                in_favor_of='%s notification event type' % self.event_type)

            def _notify_all(outcome):
                # One audit record per event type for the given outcome.
                for event_type in event_types:
                    _send_audit_notification(self.action, initiator, outcome,
                                             target, event_type,
                                             **audit_kwargs)

            try:
                result = f(wrapped_self, role_id, *args, **kwargs)
            except Exception:
                # NOTE(review): if sending the failure record itself raises,
                # the bare ``raise`` below is never reached.
                _notify_all(taxonomy.OUTCOME_FAILURE)
                raise
            _notify_all(taxonomy.OUTCOME_SUCCESS)
            return result
コード例 #9
 def wrapper(*args, **kwargs):
     # Builds the KILO deprecation decorator for ``f`` and returns ``f``
     # wrapped by it. ``f`` is not called here and ``args``/``kwargs`` are
     # not used.
     # NOTE(review): the enclosing function is outside this excerpt, so how
     # the wrapper is used cannot be seen here.
     old_name = 'assignment.' + f.__name__ + '()'
     new_name = 'resource.' + f.__name__ + '()'
     mark = versionutils.deprecated(
         what=old_name,
         as_of=versionutils.deprecated.KILO,
         in_favor_of=new_name)
     return mark(f)
コード例 #10
ファイル: controller.py プロジェクト: jxstanford/keystone
import uuid

from keystone.common import dependency
from keystone.common import wsgi
from keystone import config
from keystone import exception
from keystone.openstack.common import log
from keystone.openstack.common import versionutils


LOG = log.getLogger(__name__)
CONF = config.CONF
# Read once, when this module is imported; a later change to
# CONF.identity.default_domain_id is not reflected in this constant.
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id

# Decorator that marks a callable as part of the v2 API, deprecated as of
# ICEHOUSE in favour of the v3 API.
v2_deprecated = versionutils.deprecated(
    what='v2 API',
    as_of=versionutils.deprecated.ICEHOUSE,
    in_favor_of='v3 API',
)


def _build_policy_check_credentials(self, action, context, kwargs):
    """Begin building the credentials for an RBAC policy check.

    Only the opening of the function is shown in this listing: it logs the
    action being authorized and looks up the token named by
    ``context['token_id']``. What follows the token lookup is not visible
    here.

    :raises exception.Unauthorized: the token lookup raised TokenNotFound.
    """
    # NOTE(review): every value in ``kwargs`` is formatted into this debug
    # line; confirm callers never pass secrets in ``kwargs``, or mask them
    # before logging.
    LOG.debug(_('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

    try:
        token_ref = self.token_api.get_token(context['token_id'])
    except exception.TokenNotFound:
        # An unknown token is reported to the caller as Unauthorized. Only
        # TokenNotFound is handled; any other error from get_token propagates.
        LOG.warning(_('RBAC: Invalid token'))
        raise exception.Unauthorized()

    # NOTE(jamielennox): whilst this maybe shouldn't be within this function
コード例 #11
from keystone.common import authorization
from keystone.common import dependency
from keystone.common import driver_hints
from keystone.common import utils
from keystone.common import wsgi
from keystone import config
from keystone import exception
from keystone.openstack.common import log
from keystone.openstack.common import versionutils

LOG = log.getLogger(__name__)
CONF = config.CONF

# Decorator that marks a callable as part of the v2 API, deprecated as of
# ICEHOUSE in favour of the v3 API.
v2_deprecated = versionutils.deprecated(
    what='v2 API',
    as_of=versionutils.deprecated.ICEHOUSE,
    in_favor_of='v3 API',
)


def _build_policy_check_credentials(self, action, context, kwargs):
    """Begin building the credentials for an RBAC policy check.

    Only the opening of the function is shown in this listing: it logs the
    action being authorized and, when the request environment already
    carries an auth context, returns that context. What happens when no
    auth context is present is not visible here.
    """
    # NOTE(review): every value in ``kwargs`` is formatted into this debug
    # line; confirm callers never pass secrets in ``kwargs``, or mask them
    # before logging.
    LOG.debug(
        _('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
            'action': action,
            'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
        })

    # see if auth context has already been created. If so use it.
    # NOTE(review): whatever is stored under AUTH_CONTEXT_ENV is returned
    # as-is. This assumes only trusted code can set that key in the request
    # environment -- confirm against the code that populates it.
    if ('environment' in context
            and authorization.AUTH_CONTEXT_ENV in context['environment']):
        LOG.debug(_('RBAC: using auth context from the request environment'))
        return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
コード例 #12
ファイル: notifications.py プロジェクト: ji12332111/keystone
        def wrapper(wrapped_self, role_id, *args, **kwargs):
            """Run the wrapped grant method and audit its outcome.

            An audit notification is sent whether the wrapped callable
            returns (OUTCOME_SUCCESS) or raises (OUTCOME_FAILURE, after which
            the exception is re-raised). Both the deprecated and the current
            event type are sent, in that order.
            """

            """ NOTE(stevemar): The reason we go through checking kwargs
            and args for possible target and actor values is because the
            create_grant() (and delete_grant()) method are called
            differently in various tests.
            Using named arguments, i.e.:
                create_grant(user_id=user['id'], domain_id=domain['id'],
                             role_id=role['id'])

            Or, using positional arguments, i.e.:
                create_grant(role_id['id'], user['id'], None,
                             domain_id=domain['id'], None)

            Or, both, i.e.:
                create_grant(role_id['id'], user_id=user['id'],
                             domain_id=domain['id'])

            Checking the values for kwargs is easy enough, since it comes
            in as a dictionary

            The actual method signature is
                create_grant(role_id, user_id=None, group_id=None,
                             domain_id=None, project_id=None,
                             inherited_to_projects=False)

            So, if the values of actor or target are still None after
            checking kwargs, we can check the positional arguments,
            based on the method signature.
            """
            # Resolve the call into a name -> value mapping so the caller's
            # mix of positional and keyword arguments no longer matters.
            resolved = inspect.getcallargs(
                f, wrapped_self, role_id, *args, **kwargs)
            inherited = resolved['inherited_to_projects']
            # NOTE(review): ``context`` is absent from the signature quoted
            # in the note above; ``f`` has to accept it or this raises
            # KeyError.
            request_context = resolved['context']

            initiator = _get_request_audit_info(request_context)
            target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)

            audit_kwargs = {}
            # Scope of the grant: a project takes precedence over a domain.
            if resolved['project_id']:
                audit_kwargs['project'] = resolved['project_id']
            elif resolved['domain_id']:
                audit_kwargs['domain'] = resolved['domain_id']

            # Actor of the grant: a user takes precedence over a group.
            if resolved['user_id']:
                audit_kwargs['user'] = resolved['user_id']
            elif resolved['group_id']:
                audit_kwargs['group'] = resolved['group_id']

            audit_kwargs['inherited_to_projects'] = inherited
            audit_kwargs['role'] = role_id

            # For backward compatability, send both old and new event_type.
            # Deprecate old format and remove it in the next release.
            event_types = [self.deprecated_event_type, self.event_type]
            # NOTE(review): the decorator built here is discarded without
            # being applied to anything, so this statement presumably reports
            # no deprecation -- confirm whether that is intended.
            versionutils.deprecated(
                as_of=versionutils.deprecated.KILO,
                remove_in=+1,
                what=('sending duplicate %s notification event type' %
                      self.deprecated_event_type),
                in_favor_of='%s notification event type' % self.event_type)

            def _audit(outcome):
                # Send the same audit record under every event type.
                for event_type in event_types:
                    _send_audit_notification(
                        self.action, initiator, outcome, target, event_type,
                        **audit_kwargs)

            try:
                result = f(wrapped_self, role_id, *args, **kwargs)
            except Exception:
                # NOTE(review): if sending the failure record itself raises,
                # the bare ``raise`` below is never reached.
                _audit(taxonomy.OUTCOME_FAILURE)
                raise
            else:
                _audit(taxonomy.OUTCOME_SUCCESS)
                return result