3

ÒƜeI.ã@s

dZd
dl
Z
d
dlmZ
d
dlmZ
d
dlmZ
d
dl	m
Z

d
dlmZ
d
dl
mZ
d
d	lmZ
d
dlZd
d
lmZ
d
dlmZ
d
dlmZ
ejeƒ
ZeƒZeƒZGd
d„dejƒZej Gdd„de
j!ƒƒ
Z!dd„Z"d dd„
Z#dd„Z$dd„Z%dd„Z&dd„Z'dd„Z(dS)!zGRequestContext: context for requests that persist through all of dmapi.éN)
Úcontextmanager)
Úservice_catalog)
Úplugin)
Úcontext)
Úenginefacade)
Úlog)
Ú	timeutils)
Ú	exception)
Ú
_)
Úutilscs2eZ
dZd
Z‡f
dd„Zdd„Zd	dd„
Z‡ZS)
Ú_ContextAuthPluginzñA keystoneauth auth plugin that uses the values from the Context.

    Ideally we would use the plugin provided by auth_token middleware however
    this plugin isn't serialized yet so we construct one from the serialized
    auth data.
    cs$tt
|ƒjƒ
|
|_tj|ƒ
|_dS)
N)ÚsuperrÚ__init__Ú
auth_tokenÚksa_service_catalogZServiceCatalogV2r)ÚselfrZsc)
Ú	__class__©ú/usr/lib/python3.6/context.pyr)s

z_ContextAuthPlugin.__init__c

Os|jS)
N)
r)rÚargsÚkwargsrrrÚ	get_token/s
z_ContextAuthPlugin.get_tokenNcKs|jj
||||d
S)N)Úservice_typeÚservice_nameÚ	interfaceÚregion_name)rZurl_for)rZsessionrrrrrrrrÚget_endpoint2s


z_ContextAuthPlugin.get_endpoint)NNNN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__rrrÚ
__classcell__rr)
rrr!s

rc
s†eZ
dZd
Zd‡f
dd„	Zdd„Zd	d
„Zdd„Zd
d„Ze	eeeƒZ
‡f
dd„Ze‡f
dd„ƒ
Z
ddd„
Zddd„
Zdd„Z‡ZS)ÚRequestContextzpSecurity context and request information.

    Represents the user taking a given action within the system.
    NÚnoFcs¤|
r|
|d
<|r||d<|jddƒ
t
t|ƒjfd|i
|—Ž

||_||_|sVtjƒ}t|t	j
ƒrltj|ƒ
}||_|rˆdd„|Dƒ
|_
ng|_
|	|_||_|
|_dS)aÉ
:param read_deleted: 'no' indicates deleted records are hidden,
                'yes' indicates deleted records are visible,
                'only' indicates that *only* deleted records are visible.

           :param overwrite: Set to False to ensure that the greenthread local
                copy of the index is not overwritten.

           :param user_auth_plugin: The auth plugin for the current request's
                authentication data.
        ÚuserÚ
project_idZtenantNÚis_adminc

Ssg|]}
|
jdƒ
dkr|
‘qS)	ÚtypeÚimageú
block-storageÚvolumev2Úvolumev3úkey-managerÚ	placementÚnetwork)r(r)r*r+r,r-r.)
Úget)Ú.0Ú
srrrú
<listcomp>ds


z+RequestContext.__init__.<locals>.<listcomp>)Úpopr
r"rÚread_deletedÚremote_addressrZutcnowÚ
isinstanceÚsixZstring_typesZ
parse_strtimeÚ	timestamprÚinstance_lock_checkedÚquota_classÚuser_auth_plugin)rÚuser_idr%r&r4r5r8r:rr9r;r)
rrrr@s(










zRequestContext.__init__c

Cs|jr|jSt
|j|jƒSdS)
N)r;rrr)
rrrrÚget_auth_pluginys

zRequestContext.get_auth_pluginc


Cs|jS)
N)
Ú
_read_deleted)
rrrrÚ_get_read_deleteds
z RequestContext._get_read_deletedcCs"|
dkrtt
dƒ
|
ƒ
‚
|
|_dS)Nr#ÚyesÚonlyz=read_deleted can only be one of 'no', 'yes' or 'only', not %r)r#r@rA)Ú
ValueErrorr
r>)rr4rrrÚ_set_read_deleted‚s



z RequestContext._set_read_deletedc


Cs|`dS)
N)
r>)
rrrrÚ_del_read_deletedˆs
z RequestContext._del_read_deletedc
sºtt
|ƒjƒ}
|
jt|d
dƒt|ddƒt|ddƒt|ddƒt|ddƒt|dƒrZtj|jƒ
ndt|ddƒt|d	dƒt|d
dƒt|ddƒt|ddƒt|d
dƒdœƒ

|
jdt|ddƒi
ƒ

|
S)Nr<r%r&r4r#r5r8Ú
request_idr:Ú	user_namerÚproject_namer9F)r<r%r&r4r5r8rEr:rFrrGr9Zis_admin_projectT)	r
r"Úto_dictÚupdateÚgetattrÚhasattrrZstrtimer8)rÚvalues)
rrrrHŽs&

























zRequestContext.to_dictcsVtt
|ƒj|
|
jd
ƒ
|
jdƒ
|
jddƒ|
jdƒ
|
jdƒ
|
jdƒ
|
jdƒ
|
jd	d
ƒd	S)Nr<r%r4r#r5r8r:rr9F)r<r%r4r5r8r:rr9)r
r"Ú	from_dictr/)ÚclsrL)
rrrrM¬s









zRequestContext.from_dictcCsFtj|ƒ
}tj
|jƒ
|_d
|_d|jkr4|jjdƒ

|
dk	rB|
|_|S)z5Return a version of this context with admin flag set.TZadminN)ÚcopyÚdeepcopyZrolesr&Úappendr4)rr4rrrrÚelevated½s




zRequestContext.elevatedTcCsF|d
kr|j|j
dœ}ytj||
|ƒStjk
r@


|r<‚dSXd
S)aRVerifies that the given action is valid on the target in this context.

        :param action: string representing the action to be checked.
        :param target: dictionary representing the object of the action
            for object creation this should be a dictionary representing the
            location of the object e.g. ``{'project_id': context.project_id}``.
            If None, then this default target will be considered:
            {'project_id': self.project_id, 'user_id': self.user_id}
        :param fatal: if False, will return False when an exception.Forbidden
           occurs.

        :raises dmapi.exception.Forbidden: if verification fails and fatal is
            True.

        :return: returns a non-False value (not necessarily "True") if
            authorized and False if not authorized and fatal is False.
        N)r%r<F)r%r<ZpolicyZ	authorizer	Ú	Forbidden)rÚactionÚtargetZfatalrrrÚcanÍs







zRequestContext.canc

Csd
|jƒS)Nz<Context %s>)
rH)
rrrrÚ__str__ñs
zRequestContext.__str__)
NNNr#NNNNFN)
N)NT)rrrr rr=r?rCrDÚpropertyr4rHÚclassmethodrMrRrVrWr!rr)
rrr":s 



6


$r"cCstd
d
dddS)z·A helper method to get a blank context.

    Note that overwrite is False here so this context will not update the
    greenthread-local stored context that is used when logging.
    NF)r<r%r&Ú	overwrite)
r"rrrrÚget_contextõs


r[r#c

Cstddd
|ddS)NTF)r<r%r&r4rZ)
r")
r4rrrÚget_admin_context

s




r\c


Cs*|sd
S|jrd
S|j
s"|jr&d
SdS)z2Indicates if the request context is a normal user.FT)r&r<r%)
rrrrÚis_user_context
s





r]c

Cs|jrt
|ƒ
rtjƒ‚
d
S)zRRaise exception.Forbidden() if context is not a user or an
    admin context.
    N)r&r]r	rS)
ZctxtrrrÚrequire_context
s
r^cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)z=Ensures a request has permission to access the given project.N)r]r%r	rS)rr%rrrÚauthorize_project_context"
s






r_cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)z:Ensures a request has permission to access the given user.N)r]r<r	rS)rr<rrrÚauthorize_user_context+
s






r`cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)zAEnsures a request has permission to access the given quota class.N)r]r:r	rS)rÚ
class_namerrrÚauthorize_quota_class_context4
s






rb)
r#))r rOÚ
contextlibrZkeystoneauth1.accessrrZ
keystoneauth1rZoslo_contextrZoslo_db.sqlalchemyrZoslo_logrZloggingZ
oslo_utilsrr7Zcontegor	Zcontego.i18nr
rZ	getLoggerrZLOGÚobjectZdid_not_respond_sentinelZraised_exception_sentinelZBaseAuthPluginrZtransaction_context_providerr"r[r\r]r^r_r`rbrrrrÚ<module>s4






;