
Source code changes of the file "keystone/notifications.py" between
keystone-15.0.0.tar.gz and keystone-15.0.1.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Stein" series (maintained release).

notifications.py  (keystone-15.0.0):notifications.py  (keystone-15.0.1)
skipping to change at line 75 skipping to change at line 75
'OS-OAUTH1:access_token': taxonomy.SECURITY_CREDENTIAL, 'OS-OAUTH1:access_token': taxonomy.SECURITY_CREDENTIAL,
'OS-OAUTH1:request_token': taxonomy.SECURITY_CREDENTIAL, 'OS-OAUTH1:request_token': taxonomy.SECURITY_CREDENTIAL,
'OS-OAUTH1:consumer': taxonomy.SECURITY_ACCOUNT, 'OS-OAUTH1:consumer': taxonomy.SECURITY_ACCOUNT,
} }
SAML_AUDIT_TYPE = 'http://docs.oasis-open.org/security/saml/v2.0' SAML_AUDIT_TYPE = 'http://docs.oasis-open.org/security/saml/v2.0'
# resource types that can be notified # resource types that can be notified
_SUBSCRIBERS = {} _SUBSCRIBERS = {}
_notifier = None _notifier = None
SERVICE = 'identity' SERVICE = 'identity'
PROVIDERS = provider_api.ProviderAPIs
ROOT_DOMAIN = '<<keystone.domain.root>>' ROOT_DOMAIN = '<<keystone.domain.root>>'
CONF = keystone.conf.CONF CONF = keystone.conf.CONF
# NOTE(morganfainberg): Special case notifications that are only used # NOTE(morganfainberg): Special case notifications that are only used
# internally for handling token persistence token deletions # internally for handling token persistence token deletions
INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' INVALIDATE_TOKEN_CACHE = 'invalidate_token_cache' # nosec
PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user' PERSIST_REVOCATION_EVENT_FOR_USER = 'persist_revocation_event_for_user'
REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user' REMOVE_APP_CREDS_FOR_USER = 'remove_application_credentials_for_user'
DOMAIN_DELETED = 'domain_deleted' DOMAIN_DELETED = 'domain_deleted'
def build_audit_initiator(): def build_audit_initiator():
"""A pyCADF initiator describing the current authenticated context.""" """A pyCADF initiator describing the current authenticated context."""
pycadf_host = host.Host(address=flask.request.remote_addr, pycadf_host = host.Host(address=flask.request.remote_addr,
agent=str(flask.request.user_agent)) agent=str(flask.request.user_agent))
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER,
host=pycadf_host) host=pycadf_host)
skipping to change at line 517 skipping to change at line 518
{}).get('project_id') {}).get('project_id')
domain_id = environment.get('KEYSTONE_AUTH_CONTEXT', domain_id = environment.get('KEYSTONE_AUTH_CONTEXT',
{}).get('domain_id') {}).get('domain_id')
host = pycadf.host.Host(address=remote_addr, agent=http_user_agent) host = pycadf.host.Host(address=remote_addr, agent=http_user_agent)
initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, host=host) initiator = resource.Resource(typeURI=taxonomy.ACCOUNT_USER, host=host)
if user_id: if user_id:
initiator.user_id = user_id initiator.user_id = user_id
initiator.id = utils.resource_uuid(user_id) initiator.id = utils.resource_uuid(user_id)
initiator = _add_username_to_initiator(initiator)
if project_id: if project_id:
initiator.project_id = project_id initiator.project_id = project_id
if domain_id: if domain_id:
initiator.domain_id = domain_id initiator.domain_id = domain_id
return initiator return initiator
class CadfNotificationWrapper(object): class CadfNotificationWrapper(object):
"""Send CADF event notifications for various methods. """Send CADF event notifications for various methods.
skipping to change at line 552 skipping to change at line 554
self.action = operation self.action = operation
self.event_type = '%s.%s' % (SERVICE, operation) self.event_type = '%s.%s' % (SERVICE, operation)
def __call__(self, f): def __call__(self, f):
@functools.wraps(f) @functools.wraps(f)
def wrapper(wrapped_self, user_id, *args, **kwargs): def wrapper(wrapped_self, user_id, *args, **kwargs):
"""Will always send a notification.""" """Will always send a notification."""
target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER) target = resource.Resource(typeURI=taxonomy.ACCOUNT_USER)
initiator = build_audit_initiator() initiator = build_audit_initiator()
initiator.user_id = user_id initiator.user_id = user_id
initiator = _add_username_to_initiator(initiator)
initiator.id = utils.resource_uuid(user_id) initiator.id = utils.resource_uuid(user_id)
try: try:
result = f(wrapped_self, user_id, *args, **kwargs) result = f(wrapped_self, user_id, *args, **kwargs)
except (exception.AccountLocked, except (exception.AccountLocked,
exception.PasswordExpired) as ex: exception.PasswordExpired) as ex:
# Send a CADF event with a reason for PCI-DSS related # Send a CADF event with a reason for PCI-DSS related
# authentication failures # authentication failures
audit_reason = reason.Reason(str(ex), str(ex.code)) audit_reason = reason.Reason(str(ex), str(ex.code))
_send_audit_notification(self.action, initiator, _send_audit_notification(self.action, initiator,
taxonomy.OUTCOME_FAILURE, taxonomy.OUTCOME_FAILURE,
skipping to change at line 746 skipping to change at line 749
if _CATALOG_HELPER_OBJ is None: if _CATALOG_HELPER_OBJ is None:
_CATALOG_HELPER_OBJ = _CatalogHelperObj() _CATALOG_HELPER_OBJ = _CatalogHelperObj()
service_list = _CATALOG_HELPER_OBJ.catalog_api.list_services() service_list = _CATALOG_HELPER_OBJ.catalog_api.list_services()
service_id = None service_id = None
for i in service_list: for i in service_list:
if i['type'] == SERVICE: if i['type'] == SERVICE:
service_id = i['id'] service_id = i['id']
break break
initiator = _add_username_to_initiator(initiator)
event = eventfactory.EventFactory().new_event( event = eventfactory.EventFactory().new_event(
eventType=cadftype.EVENTTYPE_ACTIVITY, eventType=cadftype.EVENTTYPE_ACTIVITY,
outcome=outcome, outcome=outcome,
action=action, action=action,
initiator=initiator, initiator=initiator,
target=target, target=target,
reason=reason, reason=reason,
observer=resource.Resource(typeURI=taxonomy.SERVICE_SECURITY)) observer=resource.Resource(typeURI=taxonomy.SERVICE_SECURITY))
if service_id is not None: if service_id is not None:
skipping to change at line 801 skipping to change at line 806
# value, so we attach the outcome to re-create the meter name used in # value, so we attach the outcome to re-create the meter name used in
# ceilometer. # ceilometer.
if 'authenticate' in event_type: if 'authenticate' in event_type:
event_type = event_type + "." + outcome event_type = event_type + "." + outcome
if event_type in CONF.notification_opt_out: if event_type in CONF.notification_opt_out:
return True return True
return False return False
def _add_username_to_initiator(initiator):
"""Add the username to the initiator if missing."""
if hasattr(initiator, 'username'):
return initiator
try:
user_ref = PROVIDERS.identity_api.get_user(initiator.user_id)
initiator.username = user_ref['name']
except (exception.UserNotFound, AttributeError):
# Either user not found or no user_id, move along
pass
return initiator
emit_event = CadfNotificationWrapper emit_event = CadfNotificationWrapper
role_assignment = CadfRoleAssignmentNotificationWrapper role_assignment = CadfRoleAssignmentNotificationWrapper
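Review bot: In `_add_username_to_initiator`, the `try` body covers both the `initiator.user_id` attribute read and the `PROVIDERS.identity_api.get_user(...)` call, so the `AttributeError` clause also silences an AttributeError raised inside the identity backend during the lookup, not just a missing `user_id`. Reading the id first with `user_id = getattr(initiator, 'user_id', None)` and returning the initiator early when it is `None` lets the handler narrow to `except exception.UserNotFound:`, which keeps the deliberate best-effort behaviour while no longer masking backend bugs. The same helper is now invoked on the authentication path in `CadfNotificationWrapper.__call__` before the wrapped function runs, which appears to add one identity-backend round trip per audited call; a short comment on the helper noting that failures must stay non-fatal because it runs inside the notification path would help the next maintainer. `__call__`'s body continues past the hunk, and the enclosing function of the `_send_audit_notification` hunk starts and ends outside it.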
 End of changes. 6 change blocks. 
1 lines changed or deleted 19 lines changed or added
