Exemplo n.º 1
0
def check_is_admin(context):
    """Verify context has admin rights according to policy settings."""
    init()
    # the target is user-self
    credentials = context.to_dict()
    target = credentials
    # Backward compatibility: if ADMIN_CTX_POLICY is not
    # found, default to validating role:admin
    admin_policy = ADMIN_CTX_POLICY in policy._rules and ADMIN_CTX_POLICY or "role:admin"
    return policy.check(admin_policy, target, credentials)
Exemplo n.º 2
0
def check_is_admin(context):
    """Verify context has admin rights according to policy settings."""
    init()
    # the target is user-self
    credentials = context.to_dict()
    target = credentials
    # Backward compatibility: if ADMIN_CTX_POLICY is not
    # found, default to validating role:admin
    admin_policy = (ADMIN_CTX_POLICY in policy._rules and ADMIN_CTX_POLICY
                    or 'role:admin')
    return policy.check(admin_policy, target, credentials)
Exemplo n.º 3
0
def check_if_exists(context, action, target):
    """Verify if the action can be authorized, and raise if it is unknown.

    Check whether the action can be performed on the target within this
    context, and raise a PolicyRuleNotFound exception if the action is
    not defined in the policy engine.
    """
    # TODO(salvatore-orlando): Consider modifying oslo policy engine in
    # order to allow to raise distinct exception when check fails and
    # when policy is missing
    # Raise if there's no match for requested action in the policy engine
    if not policy._rules or action not in policy._rules:
        raise exceptions.PolicyRuleNotFound(rule=action)
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 4
0
def check_if_exists(context, action, target):
    """Verify if the action can be authorized, and raise if it is unknown.

    Check whether the action can be performed on the target within this
    context, and raise a PolicyRuleNotFound exception if the action is
    not defined in the policy engine.
    """
    # TODO(salvatore-orlando): Consider modifying oslo policy engine in
    # order to allow to raise distinct exception when check fails and
    # when policy is missing
    # Raise if there's no match for requested action in the policy engine
    if not policy._rules or action not in policy._rules:
        raise exceptions.PolicyRuleNotFound(rule=action)
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 5
0
def check(context, action, target, plugin=None):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.

    :return: Returns True if access is permitted else False.
    """
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 6
0
def check(context, action, target, plugin=None):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.

    :return: Returns True if access is permitted else False.
    """
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 7
0
def enforce(context, action, target, plugin=None):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.

    :raises neutron.exceptions.PolicyNotAllowed: if verification fails.
    """

    init()
    rule, target, credentials = _prepare_check(context, action, target)
    return policy.check(rule, target, credentials, exc=exceptions.PolicyNotAuthorized, action=action)
Exemplo n.º 8
0
def check(context, action, target, plugin=None, might_not_exist=False):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.
    :param might_not_exist: If True the policy check is skipped (and the
        function returns True) if the specified policy does not exist.
        Defaults to false.

    :return: Returns True if access is permitted else False.
    """
    if might_not_exist and not (policy._rules and action in policy._rules):
        return True
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 9
0
def check(context, action, target, plugin=None, might_not_exist=False):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.
    :param might_not_exist: If True the policy check is skipped (and the
        function returns True) if the specified policy does not exist.
        Defaults to false.

    :return: Returns True if access is permitted else False.
    """
    if might_not_exist and not (policy._rules and action in policy._rules):
        return True
    return policy.check(*(_prepare_check(context, action, target)))
Exemplo n.º 10
0
def enforce(context, action, target, plugin=None):
    """Verifies that the action is valid on the target in this context.

    :param context: neutron context
    :param action: string representing the action to be checked
        this should be colon separated for clarity.
    :param target: dictionary representing the object of the action
        for object creation this should be a dictionary representing the
        location of the object e.g. ``{'project_id': context.project_id}``
    :param plugin: currently unused and deprecated.
        Kept for backward compatibility.

    :raises neutron.exceptions.PolicyNotAuthorized: if verification fails.
    """

    rule, target, credentials = _prepare_check(context, action, target)
    result = policy.check(rule, target, credentials, action=action)
    if not result:
        LOG.debug(_("Failed policy check for '%s'"), action)
        raise exceptions.PolicyNotAuthorized(action=action)
    return result