"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "keystone/federation/utils.py" between
keystone-17.0.0.tar.gz and keystone-18.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Victoria" series (latest release).

utils.py  (keystone-17.0.0):utils.py  (keystone-18.0.0)
skipping to change at line 189 skipping to change at line 189
"blacklist": { "blacklist": {
"type": "object", "type": "object",
"additionalProperties": False, "additionalProperties": False,
"required": ['type', 'blacklist'], "required": ['type', 'blacklist'],
"properties": { "properties": {
"type": { "type": {
"type": "string" "type": "string"
}, },
"blacklist": { "blacklist": {
"type": "array" "type": "array"
},
"regex": {
"type": "boolean"
} }
} }
}, },
"whitelist": { "whitelist": {
"type": "object", "type": "object",
"additionalProperties": False, "additionalProperties": False,
"required": ['type', 'whitelist'], "required": ['type', 'whitelist'],
"properties": { "properties": {
"type": { "type": {
"type": "string" "type": "string"
}, },
"whitelist": { "whitelist": {
"type": "array" "type": "array"
},
"regex": {
"type": "boolean"
} }
} }
}, },
"domain": { "domain": {
"type": "object", "type": "object",
"properties": { "properties": {
"id": {"type": "string"}, "id": {"type": "string"},
"name": {"type": "string"} "name": {"type": "string"}
}, },
"additionalProperties": False "additionalProperties": False
skipping to change at line 834 skipping to change at line 840
# If 'any_one_of' or 'not_any_of' are not found, then values are # If 'any_one_of' or 'not_any_of' are not found, then values are
# within 'type'. Attempt to find that 'type' within the assertion, # within 'type'. Attempt to find that 'type' within the assertion,
# and filter these values if 'whitelist' or 'blacklist' is set. # and filter these values if 'whitelist' or 'blacklist' is set.
blacklisted_values = requirement.get(self._EvalType.BLACKLIST) blacklisted_values = requirement.get(self._EvalType.BLACKLIST)
whitelisted_values = requirement.get(self._EvalType.WHITELIST) whitelisted_values = requirement.get(self._EvalType.WHITELIST)
# If a blacklist or whitelist is used, we want to map to the # If a blacklist or whitelist is used, we want to map to the
# whole list instead of just its values separately. # whole list instead of just its values separately.
if blacklisted_values is not None: if blacklisted_values is not None:
direct_map_values = [v for v in direct_map_values direct_map_values = (
if v not in blacklisted_values] self._evaluate_requirement(blacklisted_values,
direct_map_values,
self._EvalType.BLACKLIST,
regex))
elif whitelisted_values is not None: elif whitelisted_values is not None:
direct_map_values = [v for v in direct_map_values direct_map_values = (
if v in whitelisted_values] self._evaluate_requirement(whitelisted_values,
direct_map_values,
self._EvalType.WHITELIST,
regex))
direct_maps.add(direct_map_values) direct_maps.add(direct_map_values)
LOG.debug('updating a direct mapping: %s', direct_map_values) LOG.debug('updating a direct mapping: %s', direct_map_values)
return direct_maps return direct_maps
def _evaluate_values_by_regex(self, values, assertion_values): def _evaluate_values_by_regex(self, values, assertion_values):
for value in values: return [
for assertion_value in assertion_values: assertion for assertion in assertion_values
if re.search(value, assertion_value): if any([re.search(regex, assertion) for regex in values])
return True ]
return False
def _evaluate_requirement(self, values, assertion_values, def _evaluate_requirement(self, values, assertion_values,
eval_type, regex): eval_type, regex):
"""Evaluate the incoming requirement and assertion. """Evaluate the incoming requirement and assertion.
If the requirement type does not exist in the assertion data, then Filter the incoming assertions against the requirement values. If regex
return False. If regex is specified, then compare the values and is specified, the assertion list is filtered by checking if any of the
assertion values. Otherwise, grab the intersection of the values requirement regexes matches. Otherwise, the list is filtered by string
and use that to compare against the evaluation type. equality with any of the allowed values.
Once the assertion values are filtered, the output is determined by the
evaluation type:
any_one_of: return True if there are any matches, False otherwise
not_any_of: return True if there are no matches, False otherwise
blacklist: return the incoming values minus any matches
whitelist: return only the matched values
:param values: list of allowed values, defined in the requirement :param values: list of allowed values, defined in the requirement
:type values: list :type values: list
:param assertion_values: The values from the assertion to evaluate :param assertion_values: The values from the assertion to evaluate
:type assertion_values: list/string :type assertion_values: list/string
:param eval_type: determine how to evaluate requirements :param eval_type: determine how to evaluate requirements
:type eval_type: string :type eval_type: string
:param regex: perform evaluation with regex :param regex: perform evaluation with regex
:type regex: boolean :type regex: boolean
:returns: boolean, whether requirement is valid or not. :returns: list of filtered assertion values (if evaluation type is
'blacklist' or 'whitelist'), or boolean indicating if the
assertion values fulfill the requirement (if evaluation type
is 'any_one_of' or 'not_any_of')
""" """
if regex: if regex:
any_match = self._evaluate_values_by_regex(values, matches = self._evaluate_values_by_regex(values, assertion_values)
assertion_values)
else: else:
any_match = bool(set(values).intersection(set(assertion_values))) matches = set(values).intersection(set(assertion_values))
if any_match and eval_type == self._EvalType.ANY_ONE_OF:
return True
if not any_match and eval_type == self._EvalType.NOT_ANY_OF:
return True
return False if eval_type == self._EvalType.ANY_ONE_OF:
return bool(matches)
elif eval_type == self._EvalType.NOT_ANY_OF:
return not bool(matches)
elif eval_type == self._EvalType.BLACKLIST:
return list(set(assertion_values).difference(set(matches)))
elif eval_type == self._EvalType.WHITELIST:
return list(matches)
else:
raise exception.UnexpectedError(
_('Unexpected evaluation type "%(eval_type)s"') % {
'eval_type': eval_type})
def assert_enabled_identity_provider(federation_api, idp_id): def assert_enabled_identity_provider(federation_api, idp_id):
identity_provider = federation_api.get_idp(idp_id) identity_provider = federation_api.get_idp(idp_id)
if identity_provider.get('enabled') is not True: if identity_provider.get('enabled') is not True:
msg = 'Identity Provider %(idp)s is disabled' % { msg = 'Identity Provider %(idp)s is disabled' % {
'idp': idp_id} 'idp': idp_id}
tr_msg = _('Identity Provider %(idp)s is disabled') % { tr_msg = _('Identity Provider %(idp)s is disabled') % {
'idp': idp_id} 'idp': idp_id}
LOG.debug(msg) LOG.debug(msg)
raise exception.Forbidden(tr_msg) raise exception.Forbidden(tr_msg)
 End of changes. 10 change blocks. 
22 lines changed or deleted 49 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)