Diffstat (limited to 'macaroonbakery/checker.py')
-rw-r--r-- | macaroonbakery/checker.py | 42 |
1 files changed, 22 insertions, 20 deletions
diff --git a/macaroonbakery/checker.py b/macaroonbakery/checker.py
index b73c92f..568fd7c 100644
--- a/macaroonbakery/checker.py
+++ b/macaroonbakery/checker.py
@@ -6,7 +6,7 @@ from threading import Lock
 import pyrfc3339
-import macaroonbakery
+import macaroonbakery as bakery
 import macaroonbakery.checkers as checkers
@@ -38,7 +38,7 @@ class Checker(object):
 See the Oven type (TODO) for one way of doing that.
 '''
 def __init__(self, checker=checkers.Checker(),
- authorizer=macaroonbakery.ClosedAuthorizer(),
+ authorizer=bakery.ClosedAuthorizer(),
 identity_client=None, macaroon_opstore=None):
 '''
@@ -57,7 +57,7 @@ class Checker(object):
 self._first_party_caveat_checker = checker
 self._authorizer = authorizer
 if identity_client is None:
- identity_client = macaroonbakery.NoIdentities()
+ identity_client = bakery.NoIdentities()
 self._identity_client = identity_client
 self._macaroon_opstore = macaroon_opstore
@@ -106,16 +106,18 @@ class AuthChecker(object):
 self._init_once(ctx)
 self._executed = True
 if self._init_errors is not None and len(self._init_errors) > 0:
- raise macaroonbakery.AuthInitError(self._init_errors[0])
+ raise bakery.AuthInitError(self._init_errors[0])
 def _init_once(self, ctx):
 self._auth_indexes = {}
- self._conditions = [None]*len(self._macaroons)
+ self._conditions = [None] * len(self._macaroons)
 for i, ms in enumerate(self._macaroons):
 try:
 ops, conditions = self.parent._macaroon_opstore.macaroon_ops(
 ms)
- except macaroonbakery.VerificationError as exc:
+ except bakery.VerificationError:
+ raise
+ except Exception as exc:
 self._init_errors.append(exc.args[0])
 continue
@@ -155,7 +157,7 @@ class AuthChecker(object):
 try:
 identity = self.parent._identity_client.declared_identity(
 ctx, declared)
- except macaroonbakery.IdentityError as exc:
+ except bakery.IdentityError as exc:
 self._init_errors.append(
 'cannot decode declared identity: {}'.format(exc.args[0]))
 continue
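Review bot: In the `_init_once` hunk (@@ -106), `except bakery.VerificationError: raise` inverts the old handling: a single macaroon that fails verification now aborts initialisation and escapes `_init`/`allow` as a bare VerificationError, whereas before it was appended to `_init_errors` and skipped so the remaining macaroons could still authorize the request. If that is intended, the docstrings of `allow` and `allow_any` (their hunks at @@ -195 and @@ -217 mention only AuthInfo and DischargeRequiredError) should name it; if not, the verification failure should be recorded and skipped as the removed clause did. The new `except Exception as exc` on the following line also converts any programming error raised inside `macaroon_ops` into an `AuthInitError`, and `exc.args[0]` raises IndexError for an exception created without arguments; `self._init_errors.append(str(exc))` avoids the second problem, and narrowing the clause to the exception types `macaroon_ops` is documented to raise avoids the first. `_init_once` continues outside the hunk.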
@@ -169,7 +171,7 @@ class AuthChecker(object):
 try:
 identity, cavs = self.parent.\
 _identity_client.identity_from_context(ctx)
- except macaroonbakery.IdentityError:
+ except bakery.IdentityError:
 self._init_errors.append('could not determine identity')
 if cavs is None:
 cavs = []
@@ -195,8 +197,8 @@ class AuthChecker(object):
 If an operation was not allowed, an exception will be raised which may be DischargeRequiredError holding the operations that remain to be authorized in order to allow authorization to proceed.
- :param: ctx AuthContext
- :param: ops an array of Op
+ @param ctx AuthContext
+ @param ops an array of Op
 :return: an AuthInfo object.
 '''
 auth_info, _ = self.allow_any(ctx, ops)
@@ -217,8 +219,8 @@ class AuthChecker(object):
 The LOGIN_OP operation is treated specially - it is always required if present in ops.
- :param: ctx AuthContext
- :param: ops an array of Op
+ @param ctx AuthContext
+ @param ops an array of Op
 :return: an AuthInfo object and the auth used as an array of int.
 '''
 authed, used = self._allow_any(ctx, ops)
@@ -233,8 +235,8 @@ class AuthChecker(object):
 def _allow_any(self, ctx, ops):
 self._init(ctx)
- used = [False]*len(self._macaroons)
- authed = [False]*len(ops)
+ used = [False] * len(self._macaroons)
+ authed = [False] * len(ops)
 num_authed = 0
 errors = []
 for i, op in enumerate(ops):
@@ -269,7 +271,7 @@ class AuthChecker(object):
 return authed, used
 # There are some unauthorized operations.
 need = []
- need_index = [0]*(len(ops)-num_authed)
+ need_index = [0] * (len(ops) - num_authed)
 for i, ok in enumerate(authed):
 if not ok:
 need_index[len(need)] = i
@@ -290,7 +292,7 @@ class AuthChecker(object):
 # no caveats to be discharged.
 return authed, used
 if self._identity is None and len(self._identity_caveats) > 0:
- raise macaroonbakery.DischargeRequiredError(
+ raise bakery.DischargeRequiredError(
 msg='authentication required',
 ops=[LOGIN_OP],
 cavs=self._identity_caveats)
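Review bot: In the `allow` docstring hunk (@@ -195), replacing `:param:` with `@param` leaves `@param ctx AuthContext` beside `:return: an AuthInfo object.`, mixing Javadoc-style tags and reST field syntax in the same docstring; the same pattern appears in the @@ -217 and @@ -352 hunks. The old `:param: ctx AuthContext` was malformed reST rather than the wrong convention, so the consistent fix is `:param ctx: AuthContext` and `:param ops: an array of Op` (and `:param identity:` / `:param macaroons:` in AuthInfo), which Sphinx renders together with the existing `:return:`. The enclosing `allow` method starts outside the hunk.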
@@ -301,8 +303,8 @@ class AuthChecker(object):
 err = ''
 if len(all_errors) > 0:
 err = all_errors[0]
- raise macaroonbakery.PermissionDenied(err)
- raise macaroonbakery.DischargeRequiredError(
+ raise bakery.PermissionDenied(err)
+ raise bakery.DischargeRequiredError(
 msg='some operations have extra caveats', ops=ops, cavs=caveats)
 def allow_capability(self, ctx, ops):
@@ -352,11 +354,11 @@ class AuthChecker(object):
 class AuthInfo(namedtuple('AuthInfo', 'identity macaroons')):
 '''AuthInfo information about an authorization decision.
- :param: identity: holds information on the authenticated user as
+ @param identity: holds information on the authenticated user as
 returned identity_client. It may be None after a successful authorization if LOGIN_OP access was not required.
- :param: macaroons: holds all the macaroons that were used for the
+ @param macaroons: holds all the macaroons that were used for the
 authorization. Macaroons that were invalid or unnecessary are not included.
 '''