diff options
| author | Dolph Mathews <dolph.mathews@rackspace.com> | 2011-07-19 15:31:35 -0500 |
|---|---|---|
| committer | Dolph Mathews <dolph.mathews@rackspace.com> | 2011-07-19 15:31:35 -0500 |
| commit | d4727d4b746db8a1fb4b2a7519b30ffa8f4bec7f (patch) | |
| tree | c158b3abedf63ec12314f9bebb20acaad0b38294 | |
| parent | 9dcd6c1cd2d6f3f25b97f16ea405a0f3b1c9073f (diff) | |
| download | keystone-d4727d4b746db8a1fb4b2a7519b30ffa8f4bec7f.tar.gz keystone-d4727d4b746db8a1fb4b2a7519b30ffa8f4bec7f.tar.xz keystone-d4727d4b746db8a1fb4b2a7519b30ffa8f4bec7f.zip | |
Fix for issue #85
| -rwxr-xr-x | keystone/logic/service.py | 184 |
1 files changed, 99 insertions, 85 deletions
diff --git a/keystone/logic/service.py b/keystone/logic/service.py index cc309ef2..99abe568 100755 --- a/keystone/logic/service.py +++ b/keystone/logic/service.py @@ -47,7 +47,7 @@ class IdentityService(object): raise fault.UnauthorizedFault("Unauthorized") else: duser = api.user.get_by_tenant(credentials.username, - credentials.tenant_id) + credentials.tenant_id) if duser == None: raise fault.UnauthorizedFault("Unauthorized on this tenant") @@ -55,7 +55,7 @@ class IdentityService(object): raise fault.UserDisabledFault("Your account has been disabled") if duser.password != utils.get_hashed_password(credentials.password): raise fault.UnauthorizedFault("Unauthorized") - + # # Look for an existing token, or create one, # TODO: Handle tenant/token search @@ -82,22 +82,12 @@ class IdentityService(object): return self.__get_auth_data(dtoken, tenant_id) def validate_token(self, admin_token, token_id, belongs_to=None): - self.__validate_token(admin_token) - if not token_id: - raise fault.UnauthorizedFault("Missing token") - (token, user) = self.__get_dauth_data(token_id) - - if not token: - raise fault.UnauthorizedFault("Bad token, please reauthenticate") - if token.expires < datetime.now(): - raise fault.ForbiddenFault("Token expired, please renew") - if not user.enabled: - raise fault.UserDisabledFault("The user %s has been disabled!" - % user.id) + self.__validate_admin_token(admin_token) + (token, user) = self.__validate_token(token_id, belongs_to) return self.__get_validate_data(token, user) def revoke_token(self, admin_token, token_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dtoken = api.token.get(token_id) if not dtoken: @@ -110,7 +100,7 @@ class IdentityService(object): # def create_tenant(self, admin_token, tenant): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(tenant, Tenant): raise fault.BadRequestFault("Expecting a Tenant") @@ -135,7 +125,7 @@ class IdentityService(object): ## def get_tenants(self, admin_token, marker, limit, url): try: - (_token, user) = self.__validate_token(admin_token) + (_token, user) = self.__validate_admin_token(admin_token) # If Global admin return all ts = [] dtenants = api.tenant.get_page(marker, limit) @@ -145,34 +135,34 @@ class IdentityService(object): prev, next = api.tenant.get_page_markers(marker, limit) links = [] if prev: - links.append(atom.Link('prev', "%s?'marker=%s&limit=%s'" \ - % (url, prev, limit))) + links.append(atom.Link('prev', + "%s?'marker=%s&limit=%s'" % (url, prev, limit))) if next: - links.append(atom.Link('next', "%s?'marker=%s&limit=%s'" \ - % (url, next, limit))) + links.append(atom.Link('next', + "%s?'marker=%s&limit=%s'" % (url, next, limit))) return Tenants(ts, links) except fault.UnauthorizedFault: #If not global admin ,return tenants specific to user. (_token, user) = self.__validate_token(admin_token, False) ts = [] - dtenants = api.tenant.tenants_for_user_get_page(\ + dtenants = api.tenant.tenants_for_user_get_page( user, marker, limit) for dtenant in dtenants: ts.append(Tenant(dtenant.id, dtenant.desc, dtenant.enabled)) - prev, next = api.tenant.tenants_for_user_get_page_markers(\ + prev, next = api.tenant.tenants_for_user_get_page_markers( user, marker, limit) links = [] if prev: - links.append(atom.Link('prev', "%s?'marker=%s&limit=%s'" \ - % (url, prev, limit))) + links.append(atom.Link('prev', + "%s?'marker=%s&limit=%s'" % (url, prev, limit))) if next: - links.append(atom.Link('next', "%s?'marker=%s&limit=%s'" \ - % (url, next, limit))) + links.append(atom.Link('next', + "%s?'marker=%s&limit=%s'" % (url, next, limit))) return Tenants(ts, links) def get_tenant(self, admin_token, tenant_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dtenant = api.tenant.get(tenant_id) if not dtenant: @@ -180,11 +170,11 @@ class IdentityService(object): return Tenant(dtenant.id, dtenant.desc, dtenant.enabled) def update_tenant(self, admin_token, tenant_id, tenant): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(tenant, Tenant): raise fault.BadRequestFault("Expecting a Tenant") - + dtenant = api.tenant.get(tenant_id) if dtenant == None: raise fault.ItemNotFoundFault("The tenant could not be found") @@ -193,16 +183,16 @@ class IdentityService(object): return Tenant(dtenant.id, tenant.description, tenant.enabled) def delete_tenant(self, admin_token, tenant_id): - self.__validate_token(admin_token) - + self.__validate_admin_token(admin_token) + dtenant = api.tenant.get(tenant_id) if dtenant == None: raise fault.ItemNotFoundFault("The tenant could not be found") - + if not api.tenant.is_empty(tenant_id): raise fault.ForbiddenFault("You may not delete a tenant that " "contains get_users or groups") - + api.tenant.delete(dtenant.id) return None @@ -211,7 +201,7 @@ class IdentityService(object): # def create_tenant_group(self, admin_token, tenant, group): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(group, Group): raise fault.BadRequestFault("Expecting a Group") @@ -238,7 +228,7 @@ class IdentityService(object): return Group(dtenant.id, dtenant.desc, dtenant.tenant_id) def get_tenant_groups(self, admin_token, tenant_id, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if tenant_id == None: raise fault.BadRequestFault("Expecting a Tenant Id") @@ -266,7 +256,7 @@ class IdentityService(object): return Groups(ts, links) def get_tenant_group(self, admin_token, tenant_id, group_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dtenant = api.tenant.get(tenant_id) if dtenant == None: @@ -279,7 +269,7 @@ class IdentityService(object): return Group(dtenant.id, dtenant.desc, dtenant.tenant_id) def update_tenant_group(self, admin_token, tenant_id, group_id, group): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(group, Group): raise fault.BadRequestFault("Expecting a Group") @@ -308,7 +298,7 @@ class IdentityService(object): return Group(group_id, group.description, tenant_id) def delete_tenant_group(self, admin_token, tenant_id, group_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dtenant = api.tenant.get(tenant_id) @@ -328,7 +318,7 @@ class IdentityService(object): def get_users_tenant_group(self, admin_token, tenantId, groupId, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if tenantId == None: raise fault.BadRequestFault("Expecting a Tenant Id") @@ -363,7 +353,7 @@ class IdentityService(object): return Users(ts, links) def add_user_tenant_group(self, admin_token, tenant, group, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if api.tenant.get(tenant) == None: raise fault.ItemNotFoundFault("The Tenant not found") @@ -397,7 +387,7 @@ class IdentityService(object): group_id=group) #attribute no longer exists def delete_user_tenant_group(self, admin_token, tenant, group, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if api.tenant.get(tenant) == None: raise fault.ItemNotFoundFault("The Tenant not found") @@ -437,7 +427,7 @@ class IdentityService(object): # User Operations # def create_user(self, admin_token, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dtenant = self.validate_and_fetch_user_tenant(user.tenant_id) @@ -452,8 +442,7 @@ class IdentityService(object): "An user with that id already exists") if api.user.get_by_email(user.email) != None: - raise fault.EmailConflictFault( - "Email already exists") + raise fault.EmailConflictFault("Email already exists") duser = models.User() duser.id = user.user_id @@ -478,7 +467,7 @@ class IdentityService(object): return None def get_tenant_users(self, admin_token, tenant_id, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if tenant_id == None: raise fault.BadRequestFault("Expecting a Tenant Id") @@ -506,7 +495,7 @@ class IdentityService(object): return Users(ts, links) def get_users(self, admin_token, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) ts = [] dusers = api.user.users_get_page(marker, limit) for duser in dusers: @@ -524,7 +513,7 @@ class IdentityService(object): return Users(ts, links) def get_user(self, admin_token, user_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: raise fault.ItemNotFoundFault("The user could not be found") @@ -544,7 +533,7 @@ class IdentityService(object): duser.email, duser.enabled, ts) def update_user(self, admin_token, user_id, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) @@ -569,7 +558,7 @@ class IdentityService(object): duser.email, duser.enabled) def set_user_password(self, admin_token, user_id, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: @@ -593,7 +582,7 @@ class IdentityService(object): None, None, None, None, None) def enable_disable_user(self, admin_token, user_id, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: raise fault.ItemNotFoundFault("The user could not be found") @@ -612,7 +601,7 @@ class IdentityService(object): None, None, None, user.enabled, None) def set_user_tenant(self, admin_token, user_id, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: raise fault.ItemNotFoundFault("The user could not be found") @@ -630,7 +619,7 @@ class IdentityService(object): None, user.tenant_id, None, None, None) def delete_user(self, admin_token, user_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: raise fault.ItemNotFoundFault("The user could not be found") @@ -644,7 +633,7 @@ class IdentityService(object): def get_user_groups(self, admin_token, user_id, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) ts = [] dusergroups = api.group.get_by_user_get_page(user_id, marker, limit) @@ -682,7 +671,7 @@ class IdentityService(object): return dtenant def create_global_group(self, admin_token, group): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(group, GlobalGroup): raise fault.BadRequestFault("Expecting a Group") @@ -702,7 +691,7 @@ class IdentityService(object): return GlobalGroup(dtenant.id, dtenant.desc, None) def get_global_groups(self, admin_token, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() ts = [] dtenantgroups = api.tenant_group.get_page(gtenant.id, \ @@ -722,7 +711,7 @@ class IdentityService(object): return GlobalGroups(ts, links) def get_global_group(self, admin_token, group_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() dtenant = api.tenant.get(gtenant.id) if dtenant == None: @@ -735,7 +724,7 @@ class IdentityService(object): return GlobalGroup(dtenant.id, dtenant.desc) def update_global_group(self, admin_token, group_id, group): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() if not isinstance(group, GlobalGroup): raise fault.BadRequestFault("Expecting a Group") @@ -756,7 +745,7 @@ class IdentityService(object): return GlobalGroup(group_id, group.description, gtenant.id) def delete_global_group(self, admin_token, group_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() dtenant = api.tenant.get(gtenant.id) @@ -775,7 +764,7 @@ class IdentityService(object): return None def get_users_global_group(self, admin_token, groupId, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() if gtenant.id == None: @@ -810,7 +799,7 @@ class IdentityService(object): return Users(ts, links) def add_user_global_group(self, admin_token, group, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() if api.tenant.get(gtenant.id) == None: @@ -844,7 +833,7 @@ class IdentityService(object): group_id=group) # attribute no longer exists! def delete_user_global_group(self, admin_token, group, user): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) gtenant = self.__check_create_global_tenant() if api.tenant.get(gtenant.id) == None: @@ -890,34 +879,59 @@ class IdentityService(object): for droleRef in droleRefs: ts.append(RoleRef(droleRef.id, droleRef.role_id, droleRef.tenant_id)) - user = auth.User(duser.id, duser.tenant_id, None, RoleRefs(ts, - [])) + user = auth.User(duser.id, duser.tenant_id, None, RoleRefs(ts, [])) return auth.ValidateData(token, user) - def __validate_token(self, token_id, admin=True): + def __validate_tenant(self, tenant_id): + if not tenant_id: + raise fault.UnauthorizedFault("Missing tenant") + + tenant = api.tenant.get(tenant_id) + + if not tenant.enabled: + raise fault.TenantDisabledFault("Tenant %s has been disabled!" + % tenant.id) + + def __validate_token(self, token_id, belongs_to=None): if not token_id: raise fault.UnauthorizedFault("Missing token") + (token, user) = self.__get_dauth_data(token_id) if not token: raise fault.ItemNotFoundFault("Bad token, please reauthenticate") + if token.expires < datetime.now(): raise fault.ForbiddenFault("Token expired, please renew") + if not user.enabled: - raise fault.UserDisabledFault("The user %s has been disabled!" + raise fault.UserDisabledFault("User %s has been disabled!" % user.id) - if admin: - roleRefs = api.role.ref_get_all_global_roles(user.id) - for roleRef in roleRefs: - if roleRef.role_id == backends.KeyStoneAdminRole\ - and roleRef.tenant_id is None: - return (token, user) - raise fault.UnauthorizedFault("You are not authorized " - "to make this call") + + if user.tenant_id: + self.__validate_tenant(user.tenant_id) + + if token.tenant_id: + self.__validate_tenant(token.tenant_id) + + if belongs_to and token.tenant_id != belongs_to: + raise fault.UnauthorizedFault("Unauthorized on this tenant") + return (token, user) + + def __validate_admin_token(self, token_id): + (token, user) = self.__validate_token(token_id) + + for roleRef in api.role.ref_get_all_global_roles(user.id): + if roleRef.role_id == backends.KeyStoneAdminRole and \ + roleRef.tenant_id is None: + return (token, user) + + raise fault.UnauthorizedFault( + "You are not authorized to make this call") def create_role(self, admin_token, role): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if not isinstance(role, Role): raise fault.BadRequestFault("Expecting a Role") @@ -935,7 +949,7 @@ class IdentityService(object): return role def get_roles(self, admin_token, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) ts = [] droles = api.role.get_page(marker, limit) @@ -953,7 +967,7 @@ class IdentityService(object): return Roles(ts, links) def get_role(self, admin_token, role_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) drole = api.role.get(role_id) if not drole: @@ -961,7 +975,7 @@ class IdentityService(object): return Role(drole.id, drole.desc) def create_role_ref(self, admin_token, user_id, roleRef): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: @@ -992,12 +1006,12 @@ class IdentityService(object): return roleRef def delete_role_ref(self, admin_token, role_ref_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) api.role.ref_delete(role_ref_id) return None def get_user_roles(self, admin_token, marker, limit, url, user_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) duser = api.user.get(user_id) if not duser: @@ -1019,7 +1033,7 @@ class IdentityService(object): return RoleRefs(ts, links) def get_endpoint_templates(self, admin_token, marker, limit, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) ts = [] dendpointTemplates = api.endpoint_template.get_page(marker, limit) @@ -1044,7 +1058,7 @@ class IdentityService(object): return EndpointTemplates(ts, links) def get_endpoint_template(self, admin_token, endpoint_template_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) dendpointTemplate = api.endpoint_template.get(endpoint_template_id) if not dendpointTemplate: @@ -1061,7 +1075,7 @@ class IdentityService(object): dendpointTemplate.is_global) def get_tenant_endpoints(self, admin_token, marker, limit, url, tenant_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if tenant_id == None: raise fault.BadRequestFault("Expecting a Tenant Id") @@ -1093,7 +1107,7 @@ class IdentityService(object): def create_endpoint_for_tenant(self, admin_token, tenant_id, endpoint_template, url): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) if tenant_id == None: raise fault.BadRequestFault("Expecting a Tenant Id") if api.tenant.get(tenant_id) == None: @@ -1112,6 +1126,6 @@ class IdentityService(object): return dendpoint def delete_endpoint(self, admin_token, endpoint_id): - self.__validate_token(admin_token) + self.__validate_admin_token(admin_token) api.endpoint_template.endpoint_delete(endpoint_id) return None |