a

J‰rgI.ã@s

dZd
dl
Z
d
dlmZ
d
dlmZ
d
dlmZ
d
dl	m
Z

d
dlmZ
d
dl
mZ
d
d	lmZ
d
dlZd
d
lmZ
d
dlmZ
d
dlmZ
e e¡
ZeƒZeƒZGd
d„dejƒZej Gdd„de
j!ƒƒ
Z!dd„Z"d dd„
Z#dd„Z$dd„Z%dd„Z&dd„Z'dd„Z(dS)!zGRequestContext: context for requests that persist through all of dmapi.éN)
Úcontextmanager)
Úservice_catalog)
Úplugin©
Úcontext)
Úenginefacade)
Úlog)
Ú	timeutils)
Ú	exception)
Ú
_)
Úutilscs2eZ
dZd
Z‡f
dd„Zdd„Zd	dd„
Z‡ZS)
Ú_ContextAuthPluginzñA keystoneauth auth plugin that uses the values from the Context.

    Ideally we would use the plugin provided by auth_token middleware however
    this plugin isn't serialized yet so we construct one from the serialized
    auth data.
    cs$tt
|ƒ ¡
|
|_t |¡
|_dS©
N)Úsuperr
Ú__init__Ú
auth_tokenÚksa_service_catalogZServiceCatalogV2r)ÚselfrZsc©
Ú	__class__©ú3/usr/lib/python3.9/site-packages/contego/context.pyr)s

z_ContextAuthPlugin.__init__c

Os|jSr)
r)rÚargsÚkwargsrrrÚ	get_token/s
z_ContextAuthPlugin.get_tokenNcKs|jj
||||d
S)N)Úservice_typeÚservice_nameÚ	interfaceÚregion_name)rZurl_for)rZsessionrrrrrrrrÚget_endpoint2s



ýz_ContextAuthPlugin.get_endpoint)NNNN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__rrrÚ
__classcell__rrrrr
!s

ÿr
c
s†eZ
dZd
Zd‡f
dd„	Zdd„Zd	d
„Zdd„Zd
d„Ze	eeeƒZ
‡f
dd„Ze‡f
dd„ƒ
Z
ddd„
Zddd„
Zdd„Z‡ZS)ÚRequestContextzpSecurity context and request information.

    Represents the user taking a given action within the system.
    NÚnoFcs¤|
r|
|d
<|r||d<| dd¡
t
t|ƒjfd|i
|¤
Ž

||_||_|sVt ¡}t|t	j
ƒrlt |¡
}||_|rˆdd„|Dƒ
|_
ng|_
|	|_||_|
|_dS)aÉ
:param read_deleted: 'no' indicates deleted records are hidden,
                'yes' indicates deleted records are visible,
                'only' indicates that *only* deleted records are visible.

           :param overwrite: Set to False to ensure that the greenthread local
                copy of the index is not overwritten.

           :param user_auth_plugin: The auth plugin for the current request's
                authentication data.
        ÚuserÚ
project_idZtenantNÚis_adminc
Ssg|]}
|
 d¡
d
vr|
‘qS)Útype)Zimagez
block-storageZvolumev2Zvolumev3zkey-managerZ	placementZnetwork)
Úget)Ú.0Ú
srrrÚ
<listcomp>ds
ÿz+RequestContext.__init__.<locals>.<listcomp>)Úpoprr%rÚread_deletedÚremote_addressr	ZutcnowÚ
isinstanceÚsixZstring_typesZ
parse_strtimeÚ	timestamprÚinstance_lock_checkedÚquota_classÚuser_auth_plugin)rÚuser_idr(r)r0r1r4r6rr5r7rrrrr@s(











zRequestContext.__init__c

Cs|jr|jSt
|j|jƒSdSr)r7r
rr©
rrrrÚget_auth_pluginys

zRequestContext.get_auth_pluginc


Cs|jSr©
Ú
_read_deletedr9rrrÚ_get_read_deleteds
z RequestContext._get_read_deletedcCs"|
d
v
rtt
dƒ
|
ƒ
‚
|
|_dS)N)r&ZyesZonlyz=read_deleted can only be one of 'no', 'yes' or 'only', not %r)Ú
ValueErrorrr<)rr0rrrÚ_set_read_deleted‚s



ÿz RequestContext._set_read_deletedc


Cs|`dSrr;r9rrrÚ_del_read_deletedˆs
z RequestContext._del_read_deletedc
sºtt
|ƒ ¡}
|
 t|d
dƒt|ddƒt|ddƒt|ddƒt|ddƒt|dƒrZt |j¡
ndt|ddƒt|d	dƒt|d
dƒt|ddƒt|ddƒt|d
dƒdœ¡

|
 dt|ddƒi
¡

|
S)Nr8r(r)r0r&r1r4Ú
request_idr6Ú	user_namerÚproject_namer5F)r8r(r)r0r1r4rAr6rBrrCr5Zis_admin_projectT)	rr%Úto_dictÚupdateÚgetattrÚhasattrrZstrtimer4)rÚvaluesrrrrDŽs0












ÿ












ÿó
ÿzRequestContext.to_dictc
sVtt
|ƒj|
|
 d
¡
|
 d¡
|
 dd¡|
 d¡
|
 d¡
|
 d¡
|
 d¡
|
 d	d
¡d	S)Nr8r(r0r&r1r4r6rr5F)r8r(r0r1r4r6rr5)rr%Ú	from_dictr+)ÚclsrHrrrrI¬s










ôzRequestContext.from_dictcCsFt |¡
}t 
|j¡
|_d
|_d|jv
r4|j d¡

|
du
rB|
|_|S)z5Return a version of this context with admin flag set.TZadminN)ÚcopyÚdeepcopyZrolesr)Úappendr0)rr0rrrrÚelevated½s




zRequestContext.elevatedTcCsH|d
ur|j|j
dœ}zt ||
|¡WStjyB


|r<‚YdS0d
S)aRVerifies that the given action is valid on the target in this context.

        :param action: string representing the action to be checked.
        :param target: dictionary representing the object of the action
            for object creation this should be a dictionary representing the
            location of the object e.g. ``{'project_id': context.project_id}``.
            If None, then this default target will be considered:
            {'project_id': self.project_id, 'user_id': self.user_id}
        :param fatal: if False, will return False when an exception.Forbidden
           occurs.

        :raises dmapi.exception.Forbidden: if verification fails and fatal is
            True.

        :return: returns a non-False value (not necessarily "True") if
            authorized and False if not authorized and fatal is False.
        N)r(r8F)r(r8ZpolicyZ	authorizer
Ú	Forbidden)rÚactionÚtargetZfatalrrrÚcanÍs

ÿ




zRequestContext.canc

Csd
| ¡S)Nz<Context %s>)
rDr9rrrÚ__str__ñs
zRequestContext.__str__)
NNNr&NNNNFN)
N)NT)r r!r"r#rr:r=r?r@Úpropertyr0rDÚclassmethodrIrNrRrSr$rrrrr%:s&


ý9
ÿ


$r%cCstd
d
dddS)z·A helper method to get a blank context.

    Note that overwrite is False here so this context will not update the
    greenthread-local stored context that is used when logging.
    NF)r8r(r)Ú	overwrite©
r%rrrrÚget_contextõs



ýrXr&c

Cstddd
|ddS)NTF)r8r(r)r0rVrW)
r0rrrÚget_admin_context

s



ürYc


Cs&|sd
S|jrd
S|j
r|js"d
SdS)z2Indicates if the request context is a normal user.FT)r)r8r(rrrrÚis_user_context
s





rZc

Cs|jst
|ƒ
st ¡‚
d
S)zRRaise exception.Forbidden() if context is not a user or an
    admin context.
    N)r)rZr
rO)
ZctxtrrrÚrequire_context
s
r[cCs.t|ƒ
r*|j
st ¡‚
n|j
|
kr*t ¡‚
d
S)z=Ensures a request has permission to access the given project.N)rZr(r
rO)rr(rrrÚauthorize_project_context"
s






r\cCs.t|ƒ
r*|j
st ¡‚
n|j
|
kr*t ¡‚
d
S)z:Ensures a request has permission to access the given user.N)rZr8r
rO)rr8rrrÚauthorize_user_context+
s






r]cCs.t|ƒ
r*|j
st ¡‚
n|j
|
kr*t ¡‚
d
S)zAEnsures a request has permission to access the given quota class.N)rZr6r
rO)rÚ
class_namerrrÚauthorize_quota_class_context4
s






r_)
r&))r#rKÚ
contextlibrZkeystoneauth1.accessrrZ
keystoneauth1rZoslo_contextrZoslo_db.sqlalchemyrZoslo_logrZloggingZ
oslo_utilsr	r3Zcontegor
Zcontego.i18nrrZ	getLoggerr ZLOGÚobjectZdid_not_respond_sentinelZraised_exception_sentinelZBaseAuthPluginr
Ztransaction_context_providerr%rXrYrZr[r\r]r_rrrrÚ<module>s4





;