def get_token_data(self, user_id, method_names, extras=None,
                   domain_id=None, project_id=None, expires=None,
                   trust=None, token=None, include_catalog=True,
                   bind=None, access_token=None, issued_at=None,
                   audit_info=None):
    """Assemble a token body and return it wrapped as ``{'token': data}``.

    The body starts from ``methods`` and ``extras``, optionally carries
    over selected entries of an existing ``token`` mapping and an optional
    ``bind`` value, and is then filled in by the ``_populate_*`` helpers
    in a fixed order.

    Raises ``exception.Forbidden`` when trusts are enabled, a trust is
    supplied and ``user_id`` is not that trust's ``trustee_user_id``.
    """
    if extras is None:
        extras = {}
    if extras:
        # deprecated(...) only builds a decorator; decorating a no-op and
        # calling it straight away is what makes the warning fire.
        flag_extras = versionutils.deprecated(
            what='passing token data with "extras"',
            as_of=versionutils.deprecated.KILO,
            in_favor_of='well-defined APIs')
        flag_extras(lambda: None)()

    token_data = {'methods': method_names, 'extras': extras}

    # We've probably already written these to the token
    # NOTE(review): the carried-over entries are copied as-is from the
    # caller's mapping; whether the helpers below re-derive them is not
    # visible here, so confirm callers only pass an already validated token.
    if token:
        carried = ('roles', 'user', 'catalog', 'project', 'domain')
        token_data.update(
            (field, token[field]) for field in carried if field in token)

    # A trust may only be consumed by the trustee it names.
    trust_in_use = CONF.trust.enabled and trust
    if trust_in_use and user_id != trust['trustee_user_id']:
        raise exception.Forbidden(_('User is not a trustee.'))

    if bind:
        token_data['bind'] = bind

    # The helpers mutate token_data in place; keep their order unchanged.
    self._populate_scope(token_data, domain_id, project_id)
    self._populate_user(token_data, user_id, trust)
    self._populate_roles(token_data, user_id, domain_id, project_id,
                         trust, access_token)
    self._populate_audit_info(token_data, audit_info)

    if include_catalog:
        self._populate_service_catalog(token_data, user_id, domain_id,
                                       project_id, trust)
    self._populate_service_providers(token_data)
    self._populate_token_dates(token_data, expires=expires, trust=trust,
                               issued_at=issued_at)
    self._populate_oauth_section(token_data, access_token)
    return {'token': token_data}
def moved_to_assignment(f):
    """Return *f* wrapped in an Icehouse deprecation notice.

    The notice names ``identity_api.<name>`` as deprecated in favour of
    ``assignment_api.<name>``, where ``<name>`` is ``f.__name__``.
    """
    method = f.__name__
    return versionutils.deprecated(
        versionutils.deprecated.ICEHOUSE,
        what="identity_api." + method,
        in_favor_of="assignment_api." + method,
        remove_in=+1)(f)
def wrapper(*args, **kwargs):
    """Return ``f`` decorated with a Kilo deprecation notice.

    The notice points from ``assignment.<name>()`` to ``resource.<name>()``.

    NOTE(review): ``args`` and ``kwargs`` are accepted but unused, and
    ``f`` is not called here; the decorated callable itself is returned.
    Confirm the enclosing decorator relies on that.
    """
    method = f.__name__
    mark_deprecated = versionutils.deprecated(
        what="assignment." + method + "()",
        as_of=versionutils.deprecated.KILO,
        in_favor_of="resource." + method + "()",
    )
    return mark_deprecated(f)
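def get_token_data(self, user_id, method_names, extras=None,
                   domain_id=None, project_id=None, expires=None,
                   trust=None, token=None, include_catalog=True,
                   bind=None, access_token=None, issued_at=None,
                   audit_info=None):
    """Build the token body and return it wrapped as ``{'token': data}``.

    ``extras`` is deprecated; passing a non-empty value logs a deprecation
    warning.  Entries named 'roles', 'user', 'catalog', 'project' and
    'domain' are copied from ``token`` when present, ``bind`` is stored
    when truthy, and the ``_populate_*`` helpers then fill in the rest.

    Raises ``exception.Forbidden`` when trusts are enabled, a trust is
    given and ``user_id`` differs from ``trust['trustee_user_id']``.
    """
    if extras is None:
        extras = {}
    if extras:
        # versionutils.deprecated(...) only constructs a decorator, so on
        # its own it logs nothing.  Decorate a no-op and call it so the
        # deprecation of "extras" is actually reported.
        versionutils.deprecated(
            what='passing token data with "extras"',
            as_of=versionutils.deprecated.KILO,
            in_favor_of='well-defined APIs')(lambda: None)()

    token_data = {'methods': method_names, 'extras': extras}

    # We've probably already written these to the token
    # NOTE(review): values are copied from the caller's mapping unchanged;
    # confirm callers only hand in a token that was already validated.
    if token:
        for x in ('roles', 'user', 'catalog', 'project', 'domain'):
            if x in token:
                token_data[x] = token[x]

    # Only the trustee named in the trust may get a token through it.
    if CONF.trust.enabled and trust:
        if user_id != trust['trustee_user_id']:
            raise exception.Forbidden(_('User is not a trustee.'))

    if bind:
        token_data['bind'] = bind

    # Each helper mutates token_data in place; the order is significant
    # only as far as the helpers depend on each other (not visible here).
    self._populate_scope(token_data, domain_id, project_id)
    self._populate_user(token_data, user_id, trust)
    self._populate_roles(token_data, user_id, domain_id, project_id, trust,
                         access_token)
    self._populate_audit_info(token_data, audit_info)

    if include_catalog:
        self._populate_service_catalog(token_data, user_id, domain_id,
                                       project_id, trust)
    self._populate_service_providers(token_data)
    self._populate_token_dates(token_data, expires=expires, trust=trust,
                               issued_at=issued_at)
    self._populate_oauth_section(token_data, access_token)
    return {'token': token_data}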
def inner(f):
    """Return *f* wrapped in an Icehouse deprecation notice.

    The notice names ``identity.controllers.<class>.<method>`` as
    deprecated in favour of the same path under
    ``assignment.controllers``; ``<class>`` is ``class_name`` from the
    enclosing scope and ``<method>`` is ``f.__name__``.
    """
    names = {'cls_name': class_name, 'meth_name': f.__name__}
    old_path = 'identity.controllers.%(cls_name)s.%(meth_name)s' % names
    new_path = 'assignment.controllers.%(cls_name)s.%(meth_name)s' % names
    return versionutils.deprecated(
        versionutils.deprecated.ICEHOUSE,
        what=old_path,
        in_favor_of=new_path,
        remove_in=+1)(f)
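def get_token_data(self, user_id, method_names, extras=None,
                   domain_id=None, project_id=None, expires=None,
                   token=None, include_catalog=True, bind=None,
                   access_token=None, issued_at=None, audit_info=None):
    """Build the token body and return it wrapped as ``{'token': data}``.

    ``extras`` is deprecated; passing a non-empty value logs a deprecation
    warning.  Entries named 'roles', 'user', 'catalog', 'project' and
    'domain' are copied from ``token`` when present, ``bind`` is stored
    when truthy, and the ``_populate_*`` helpers then fill in scope, user,
    roles, audit info, the optional service catalog and the token dates.
    """
    if extras is None:
        extras = {}
    if extras:
        # versionutils.deprecated(...) only constructs a decorator, so on
        # its own it logs nothing.  Decorate a no-op and call it so the
        # deprecation of "extras" is actually reported.
        versionutils.deprecated(
            what='passing token data with "extras"',
            as_of=versionutils.deprecated.KILO,
            in_favor_of='well-defined APIs')(lambda: None)()

    token_data = {'methods': method_names, 'extras': extras}

    # We've probably already written these to the token
    # NOTE(review): values are copied from the caller's mapping unchanged;
    # confirm callers only hand in a token that was already validated.
    if token:
        for x in ('roles', 'user', 'catalog', 'project', 'domain'):
            if x in token:
                token_data[x] = token[x]

    if bind:
        token_data['bind'] = bind

    # Each helper mutates token_data in place.
    self._populate_scope(token_data, domain_id, project_id)
    self._populate_user(token_data, user_id)
    self._populate_roles(token_data, user_id, domain_id, project_id,
                         access_token)
    self._populate_audit_info(token_data, audit_info)

    if include_catalog:
        self._populate_service_catalog(token_data, user_id, domain_id,
                                       project_id)
    self._populate_token_dates(token_data, expires=expires,
                               issued_at=issued_at)
    return {'token': token_data}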
def wrapper(wrapped_self, role_id, *args, **kwargs):
    """Call the wrapped grant method and emit audit notifications.

    A notification is sent for every configured event type with
    ``OUTCOME_SUCCESS`` when the call returns and with ``OUTCOME_FAILURE``
    when it raises an ``Exception``, which is then re-raised.
    """
    # NOTE(stevemar): The reason we go through checking kwargs and args
    # for possible target and actor values is because the create_grant()
    # (and delete_grant()) method are called differently in various tests.
    # Using named arguments, i.e.:
    #     create_grant(user_id=user['id'], domain_id=domain['id'],
    #                  role_id=role['id'])
    # Or, using positional arguments, i.e.:
    #     create_grant(role_id['id'], user['id'], None,
    #                  domain_id=domain['id'], None)
    # Or, both, i.e.:
    #     create_grant(role_id['id'], user_id=user['id'],
    #                  domain_id=domain['id'])
    # Checking the values for kwargs is easy enough, since it comes in as
    # a dictionary.  The actual method signature is
    #     create_grant(role_id, user_id=None, group_id=None,
    #                  domain_id=None, project_id=None,
    #                  inherited_to_projects=False)
    # So, if the values of actor or target are still None after checking
    # kwargs, we can check the positional arguments, based on the method
    # signature.
    bound = inspect.getcallargs(f, wrapped_self, role_id, *args, **kwargs)
    inherited = bound['inherited_to_projects']
    request_context = bound['context']

    initiator = _get_request_audit_info(request_context)
    target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)

    audit_kwargs = {}
    # Scope of the grant: a project takes precedence over a domain.
    if bound['project_id']:
        audit_kwargs['project'] = bound['project_id']
    elif bound['domain_id']:
        audit_kwargs['domain'] = bound['domain_id']
    # Actor of the grant: a user takes precedence over a group.
    if bound['user_id']:
        audit_kwargs['user'] = bound['user_id']
    elif bound['group_id']:
        audit_kwargs['group'] = bound['group_id']
    audit_kwargs['inherited_to_projects'] = inherited
    audit_kwargs['role'] = role_id

    # For backward compatibility, send both old and new event_type.
    # Deprecate old format and remove it in the next release.
    event_types = [self.deprecated_event_type, self.event_type]
    # NOTE(review): the object built here is neither applied to a callable
    # nor called, so it looks like no deprecation warning is logged from
    # this statement -- confirm whether that is intended.
    versionutils.deprecated(
        as_of=versionutils.deprecated.KILO,
        remove_in=+1,
        what=('sending duplicate %s notification event type' %
              self.deprecated_event_type),
        in_favor_of='%s notification event type' % self.event_type)

    def _notify(outcome):
        # One audit record per event type, old name first.
        for event_type in event_types:
            _send_audit_notification(self.action, initiator, outcome,
                                     target, event_type, **audit_kwargs)

    try:
        result = f(wrapped_self, role_id, *args, **kwargs)
    except Exception:
        # Failed grant changes are audited too.  Only Exception is caught,
        # so other BaseException subclasses produce no audit record.
        _notify(taxonomy.OUTCOME_FAILURE)
        raise

    _notify(taxonomy.OUTCOME_SUCCESS)
    return result
def wrapper(*args, **kwargs):
    """Return ``f`` decorated with a Kilo deprecation notice.

    The notice points from ``assignment.<name>()`` to ``resource.<name>()``.

    NOTE(review): ``args`` and ``kwargs`` are accepted but unused, and
    ``f`` is not called here; the decorated callable itself is returned.
    Confirm the enclosing decorator relies on that.
    """
    method = f.__name__
    mark_deprecated = versionutils.deprecated(
        what='assignment.' + method + '()',
        as_of=versionutils.deprecated.KILO,
        in_favor_of='resource.' + method + '()')
    return mark_deprecated(f)
import uuid

from keystone.common import dependency
from keystone.common import wsgi
from keystone import config
from keystone import exception
from keystone.openstack.common import log
from keystone.openstack.common import versionutils


LOG = log.getLogger(__name__)
CONF = config.CONF
DEFAULT_DOMAIN_ID = CONF.identity.default_domain_id

# Shared decorator: marks a callable as part of the v2 API, deprecated as of
# Icehouse in favour of the v3 API.
v2_deprecated = versionutils.deprecated(what='v2 API',
                                        as_of=versionutils.deprecated.ICEHOUSE,
                                        in_favor_of='v3 API')


def _build_policy_check_credentials(self, action, context, kwargs):
    # Trace which action is being authorized.  Every kwargs value is
    # formatted into the debug record as-is.
    # NOTE(review): if callers ever pass secrets in kwargs they would end up
    # in debug logs -- confirm what callers pass.
    LOG.debug(_('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
        'action': action,
        'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})

    try:
        # Look up the token referenced by the request context.
        token_ref = self.token_api.get_token(context['token_id'])
    except exception.TokenNotFound:
        # An unknown token id is reported to the caller as Unauthorized; the
        # warning carries no token material.
        LOG.warning(_('RBAC: Invalid token'))
        raise exception.Unauthorized()

    # NOTE(jamielennox): whilst this maybe shouldn't be within this function
from keystone.common import authorization
from keystone.common import dependency
from keystone.common import driver_hints
from keystone.common import utils
from keystone.common import wsgi
from keystone import config
from keystone import exception
from keystone.openstack.common import log
from keystone.openstack.common import versionutils


LOG = log.getLogger(__name__)
CONF = config.CONF

# Shared decorator: marks a callable as part of the v2 API, deprecated as of
# Icehouse in favour of the v3 API.
v2_deprecated = versionutils.deprecated(what='v2 API',
                                        as_of=versionutils.deprecated.ICEHOUSE,
                                        in_favor_of='v3 API')


def _build_policy_check_credentials(self, action, context, kwargs):
    # Trace which action is being authorized.  Every kwargs value is
    # formatted into the debug record as-is.
    # NOTE(review): if callers ever pass secrets in kwargs they would end up
    # in debug logs -- confirm what callers pass.
    LOG.debug(
        _('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
            'action': action,
            'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
        })

    # see if auth context has already been created. If so use it.
    # NOTE(review): the stored context is returned without any further check
    # in this block; presumably it was placed in the environment by earlier
    # request processing -- verify that only trusted code can set this key.
    if ('environment' in context and
            authorization.AUTH_CONTEXT_ENV in context['environment']):
        LOG.debug(_('RBAC: using auth context from the request environment'))
        return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
def wrapper(wrapped_self, role_id, *args, **kwargs):
    """Run the wrapped grant method and audit its outcome.

    For each event type (deprecated name first, then the current one) an
    audit notification is sent: ``OUTCOME_FAILURE`` if the wrapped call
    raises an ``Exception`` (which is re-raised afterwards), otherwise
    ``OUTCOME_SUCCESS`` before the result is returned.
    """
    # NOTE(stevemar): The reason we go through checking kwargs and args
    # for possible target and actor values is because the create_grant()
    # (and delete_grant()) method are called differently in various tests.
    # Using named arguments, i.e.:
    #     create_grant(user_id=user['id'], domain_id=domain['id'],
    #                  role_id=role['id'])
    # Or, using positional arguments, i.e.:
    #     create_grant(role_id['id'], user['id'], None,
    #                  domain_id=domain['id'], None)
    # Or, both, i.e.:
    #     create_grant(role_id['id'], user_id=user['id'],
    #                  domain_id=domain['id'])
    # Checking the values for kwargs is easy enough, since it comes in as
    # a dictionary.  The actual method signature is
    #     create_grant(role_id, user_id=None, group_id=None,
    #                  domain_id=None, project_id=None,
    #                  inherited_to_projects=False)
    # So, if the values of actor or target are still None after checking
    # kwargs, we can check the positional arguments, based on the method
    # signature.
    params = inspect.getcallargs(
        f, wrapped_self, role_id, *args, **kwargs)
    inherited = params['inherited_to_projects']
    context = params['context']

    initiator = _get_request_audit_info(context)
    target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)

    audit_kwargs = {}
    # Within each pair the first truthy argument wins: project before
    # domain for the scope, user before group for the actor.
    precedence = (
        (('project', 'project_id'), ('domain', 'domain_id')),
        (('user', 'user_id'), ('group', 'group_id')),
    )
    for choices in precedence:
        for audit_key, arg_name in choices:
            if params[arg_name]:
                audit_kwargs[audit_key] = params[arg_name]
                break
    audit_kwargs['inherited_to_projects'] = inherited
    audit_kwargs['role'] = role_id

    # For backward compatibility, send both old and new event_type.
    # Deprecate old format and remove it in the next release.
    event_types = [self.deprecated_event_type, self.event_type]
    # NOTE(review): the object built here is neither applied to a callable
    # nor called, so it looks like no deprecation warning is logged from
    # this statement -- confirm whether that is intended.
    versionutils.deprecated(
        as_of=versionutils.deprecated.KILO,
        remove_in=+1,
        what=('sending duplicate %s notification event type' %
              self.deprecated_event_type),
        in_favor_of='%s notification event type' % self.event_type)

    try:
        result = f(wrapped_self, role_id, *args, **kwargs)
    except Exception:
        # Failed grant changes are audited as well.  Only Exception is
        # caught, so other BaseException subclasses leave no audit record.
        for kind in event_types:
            _send_audit_notification(self.action, initiator,
                                     taxonomy.OUTCOME_FAILURE,
                                     target, kind, **audit_kwargs)
        raise

    # Reached only when the wrapped call returned normally.
    for kind in event_types:
        _send_audit_notification(self.action, initiator,
                                 taxonomy.OUTCOME_SUCCESS,
                                 target, kind, **audit_kwargs)
    return result