3

nS
b".ã@s

dZd
dl
Z
d
dlmZ
d
dlmZ
d
dlmZ
d
dl	m
Z

d
dlmZ
d
dl
mZ
d
d	lmZ
d
dlZd
d
lmZ
d
dlmZ
d
dlmZ
ejeƒ
ZeƒZeƒZGd
d„dejƒZej Gdd„de
j!ƒƒ
Z!dd„Z"d dd„
Z#dd„Z$dd„Z%dd„Z&dd„Z'dd„Z(dS)!zGRequestContext: context for requests that persist through all of dmapi.éN)
Úcontextmanager)
Úservice_catalog)
Úplugin)
Úcontext)
Úenginefacade)
Úlog)
Ú	timeutils)
Ú	exception)
Ú
_)
Úutilscs2eZ
dZd
Z‡f
dd„Zdd„Zd	dd„
Z‡ZS)
Ú_ContextAuthPluginzñA keystoneauth auth plugin that uses the values from the Context.

    Ideally we would use the plugin provided by auth_token middleware however
    this plugin isn't serialized yet so we construct one from the serialized
    auth data.
    cs$tt
|ƒjƒ
|
|_tj|ƒ
|_dS)
N)ÚsuperrÚ__init__Ú
auth_tokenÚksa_service_catalogZServiceCatalogV2r)ÚselfrZsc)
Ú	__class__©ú/usr/lib/python3.6/context.pyr)s

z_ContextAuthPlugin.__init__c

Os|jS)
N)
r)rÚargsÚkwargsrrrÚ	get_token/s
z_ContextAuthPlugin.get_tokenNcKs|jj
||||d
S)N)Úservice_typeÚservice_nameÚ	interfaceÚregion_name)rZurl_for)rZsessionrrrrrrrrÚget_endpoint2s


z_ContextAuthPlugin.get_endpoint)NNNN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__rrrÚ
__classcell__rr)
rrr!s

rc
s†eZ
dZd
Zd‡f
dd„	Zdd„Zd	d
„Zdd„Zd
d„Ze	eeeƒZ
‡f
dd„Ze‡f
dd„ƒ
Z
ddd„
Zddd„
Zdd„Z‡ZS)ÚRequestContextzpSecurity context and request information.

    Represents the user taking a given action within the system.
    NÚnoFcs˜|
r|
|d
<|r||d<tt
|ƒjfd|i
|—Ž

||_||_|sJtjƒ}t|tj	ƒr`tj
|ƒ
}||_|r|dd„|Dƒ
|_ng|_|	|_
||_|
|_dS)aÉ
:param read_deleted: 'no' indicates deleted records are hidden,
                'yes' indicates deleted records are visible,
                'only' indicates that *only* deleted records are visible.

           :param overwrite: Set to False to ensure that the greenthread local
                copy of the index is not overwritten.

           :param user_auth_plugin: The auth plugin for the current request's
                authentication data.
        ÚuserZtenantÚis_adminc

Ssg|]}
|
jdƒ
dkr|
‘qS)	ÚtypeÚimageú
block-storageÚvolumev2Úvolumev3úkey-managerÚ	placementÚnetwork)r'r(r)r*r+r,r-)
Úget)Ú.0Ú
srrrú
<listcomp>cs


z+RequestContext.__init__.<locals>.<listcomp>N)r
r"rÚread_deletedÚremote_addressrZutcnowÚ
isinstanceÚsixZstring_typesZ
parse_strtimeÚ	timestamprÚinstance_lock_checkedÚquota_classÚuser_auth_plugin)rÚuser_idÚ
project_idr%r2r3r6r8rr7r9r)
rrrr@s&









zRequestContext.__init__c

Cs|jr|jSt
|j|jƒSdS)
N)r9rrr)
rrrrÚget_auth_pluginxs

zRequestContext.get_auth_pluginc


Cs|jS)
N)
Ú
_read_deleted)
rrrrÚ_get_read_deleted~s
z RequestContext._get_read_deletedcCs"|
dkrtt
dƒ
|
ƒ
‚
|
|_dS)Nr#ÚyesÚonlyz=read_deleted can only be one of 'no', 'yes' or 'only', not %r)r#r?r@)Ú
ValueErrorr
r=)rr2rrrÚ_set_read_deleteds



z RequestContext._set_read_deletedc


Cs|`dS)
N)
r=)
rrrrÚ_del_read_deleted‡s
z RequestContext._del_read_deletedc
sºtt
|ƒjƒ}
|
jt|d
dƒt|ddƒt|ddƒt|ddƒt|ddƒt|dƒrZtj|jƒ
ndt|ddƒt|d	dƒt|d
dƒt|ddƒt|ddƒt|d
dƒdœƒ

|
jdt|ddƒi
ƒ

|
S)Nr:r;r%r2r#r3r6Ú
request_idr8Ú	user_namerÚproject_namer7F)r:r;r%r2r3r6rDr8rErrFr7Zis_admin_projectT)	r
r"Úto_dictÚupdateÚgetattrÚhasattrrZstrtimer6)rÚvalues)
rrrrGs&

























zRequestContext.to_dictcsVtt
|ƒj|
|
jd
ƒ
|
jdƒ
|
jddƒ|
jdƒ
|
jdƒ
|
jdƒ
|
jdƒ
|
jd	d
ƒd	S)Nr:r;r2r#r3r6r8rr7F)r:r;r2r3r6r8rr7)r
r"Ú	from_dictr.)ÚclsrK)
rrrrL«s









zRequestContext.from_dictcCsFtj|ƒ
}tj
|jƒ
|_d
|_d|jkr4|jjdƒ

|
dk	rB|
|_|S)z5Return a version of this context with admin flag set.TZadminN)ÚcopyÚdeepcopyZrolesr%Úappendr2)rr2rrrrÚelevated¼s




zRequestContext.elevatedTcCsF|d
kr|j|j
dœ}ytj||
|ƒStjk
r@


|r<‚dSXd
S)aRVerifies that the given action is valid on the target in this context.

        :param action: string representing the action to be checked.
        :param target: dictionary representing the object of the action
            for object creation this should be a dictionary representing the
            location of the object e.g. ``{'project_id': context.project_id}``.
            If None, then this default target will be considered:
            {'project_id': self.project_id, 'user_id': self.user_id}
        :param fatal: if False, will return False when an exception.Forbidden
           occurs.

        :raises dmapi.exception.Forbidden: if verification fails and fatal is
            True.

        :return: returns a non-False value (not necessarily "True") if
            authorized and False if not authorized and fatal is False.
        N)r;r:F)r;r:ZpolicyZ	authorizer	Ú	Forbidden)rÚactionÚtargetZfatalrrrÚcanÌs







zRequestContext.canc

Csd
|jƒS)Nz<Context %s>)
rG)
rrrrÚ__str__ðs
zRequestContext.__str__)
NNNr#NNNNFN)
N)NT)rrrr rr<r>rBrCÚpropertyr2rGÚclassmethodrLrQrUrVr!rr)
rrr":s 



5


$r"cCstd
d
dddS)z·A helper method to get a blank context.

    Note that overwrite is False here so this context will not update the
    greenthread-local stored context that is used when logging.
    NF)r:r;r%Ú	overwrite)
r"rrrrÚget_contextôs


rZr#c

Cstddd
|ddS)NTF)r:r;r%r2rY)
r")
r2rrrÚget_admin_context
s




r[c


Cs*|sd
S|jrd
S|j
s"|jr&d
SdS)z2Indicates if the request context is a normal user.FT)r%r:r;)
rrrrÚis_user_context
s





r\c

Cs|jrt
|ƒ
rtjƒ‚
d
S)zRRaise exception.Forbidden() if context is not a user or an
    admin context.
    N)r%r\r	rR)
ZctxtrrrÚrequire_context
s
r]cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)z=Ensures a request has permission to access the given project.N)r\r;r	rR)rr;rrrÚauthorize_project_context!
s






r^cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)z:Ensures a request has permission to access the given user.N)r\r:r	rR)rr:rrrÚauthorize_user_context*
s






r_cCs.t|ƒ
r*|j
stjƒ‚
n|j
|
kr*tjƒ‚
d
S)zAEnsures a request has permission to access the given quota class.N)r\r8r	rR)rÚ
class_namerrrÚauthorize_quota_class_context3
s






ra)
r#))r rNÚ
contextlibrZkeystoneauth1.accessrrZ
keystoneauth1rZoslo_contextrZoslo_db.sqlalchemyrZoslo_logrZloggingZ
oslo_utilsrr5Zcontegor	Zcontego.i18nr
rZ	getLoggerrZLOGÚobjectZdid_not_respond_sentinelZraised_exception_sentinelZBaseAuthPluginrZtransaction_context_providerr"rZr[r\r]r^r_rarrrrÚ<module>s4






: