author | Simo Sorce <simo@redhat.com> | 2015-10-26 12:33:59 -0400 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2015-11-06 20:55:11 -0500 |
commit | dc6101a5acad72a22ab911bb77a594f58d220ee1 (patch) | |
tree | d8a7e1f8fda05dbfba7380907a6679a65561bf72 | |
parent | ae7eb106d77f6ba61a0aaf14e773e06fa0bb99b7 (diff) | |
Fix authorization stack to call all modules
All authorization modules need to be executed, we cannot bail at the
first one that returns a positive answer. Some authz modules attach
data to the request as a side effect and they need to be run even if
others also authorize access.
Additionally if a later module returns an explicit Deny, then that
must override any previous granted access.
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | custodia/httpd/server.py | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py
index 2d6de41..decf401 100644
--- a/custodia/httpd/server.py
+++ b/custodia/httpd/server.py
@@ -337,11 +337,15 @@ class HTTPRequestHandler(BaseHTTPRequestHandler):
         authzers = config.get('authorizers')
         if authzers is None:
             raise HTTPError(403)
+        authz_ok = None
         for authz in authzers:
             valid = authzers[authz].handle(request)
-            if valid is not None:
+            if valid is True:
+                authz_ok = True
+            elif valid is False:
+                authz_ok = False
                 break
-        if valid is not True:
+        if authz_ok is not True:
             self.server.auditlog.svc_access(self.__class__.__name__,
                                             log.AUDIT_SVC_AUTHZ_FAIL,
                                             request['client_id'],
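Review bot: The new loop encodes an undocumented tri-state contract for `handle()`: only the singleton `True` grants and only the singleton `False` denies, so a module returning a truthy non-bool (or `0`/`""`) is silently treated as abstaining and can neither grant nor deny; a comment such as `# handle(): True = grant, False = explicit deny (final, stops the loop), None/other = abstain` above the `for` would make that visible to authorizer authors, and the result is fail-closed only because `authz_ok` starts as `None`. Note also that the `break` on an explicit deny skips the remaining modules, which is at odds with the commit message's "all modules need to be executed" if a later module attaches request data; if that side effect matters for denied requests, the loop should `continue` and only the final decision should be `False`. The audit record on the failure path does not say which module denied; keeping the denying module's name (e.g. `denied_by = authz` in the `elif` branch) and passing it to `svc_access` would make the AUTHZ_FAIL entry actionable. The enclosing method starts before the hunk and the `svc_access(...)` call continues past it.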