Merge "Migrate to oslo_context"

Jenkins
2015-05-08 14:32:49 +00:00
committed by Gerrit Code Review
4 changed files with 28 additions and 135 deletions


@@ -15,24 +15,17 @@
import uuid import uuid
from oslo_config import cfg from oslo_config import cfg
from oslo_policy import policy
import webob.exc import webob.exc
from barbican.api import middleware as mw from barbican.api import middleware as mw
from barbican.common import utils from barbican.common import utils
import barbican.context import barbican.context
from barbican import i18n as u from barbican import i18n as u
from barbican.openstack.common import jsonutils as json
LOG = utils.getLogger(__name__) LOG = utils.getLogger(__name__)
# TODO(jwood) Need to figure out why config is ignored in this module. # TODO(jwood) Need to figure out why config is ignored in this module.
context_opts = [ context_opts = [
cfg.BoolOpt('owner_is_project', default=True,
help=u._('When true, this option sets the owner of an image '
'to be the project. Otherwise, the owner of the '
' image will be the authenticated user issuing the '
'request.')),
cfg.StrOpt('admin_role', default='admin', cfg.StrOpt('admin_role', default='admin',
help=u._('Role used to identify an authenticated user as ' help=u._('Role used to identify an authenticated user as '
'administrator.')), 'administrator.')),
@@ -62,7 +55,6 @@ class BaseContextMiddleware(mw.Middleware):
class ContextMiddleware(BaseContextMiddleware): class ContextMiddleware(BaseContextMiddleware):
def __init__(self, app): def __init__(self, app):
self.policy_enforcer = policy.Enforcer(CONF)
super(ContextMiddleware, self).__init__(app) super(ContextMiddleware, self).__init__(app)
def process_request(self, req): def process_request(self, req):
@@ -94,11 +86,9 @@ class ContextMiddleware(BaseContextMiddleware):
def _get_anonymous_context(self): def _get_anonymous_context(self):
kwargs = { kwargs = {
'user': None, 'user': None,
'project': None, 'tenant': None,
'roles': [],
'is_admin': False, 'is_admin': False,
'read_only': True, 'read_only': True,
'policy_enforcer': self.policy_enforcer,
} }
return barbican.context.RequestContext(**kwargs) return barbican.context.RequestContext(**kwargs)
@@ -112,27 +102,21 @@ class ContextMiddleware(BaseContextMiddleware):
# NOTE(mkbhanda): keeping this just-in-case for swift # NOTE(mkbhanda): keeping this just-in-case for swift
deprecated_token = req.headers.get('X-Storage-Token') deprecated_token = req.headers.get('X-Storage-Token')
service_catalog = None
if req.headers.get('X-Service-Catalog') is not None:
try:
catalog_header = req.headers.get('X-Service-Catalog')
service_catalog = json.loads(catalog_header)
except ValueError:
msg = u._('Problem processing X-Service-Catalog')
LOG.exception(msg)
raise webob.exc.HTTPInternalServerError(msg)
kwargs = { kwargs = {
'auth_token': req.headers.get('X-Auth-Token', deprecated_token),
'user': req.headers.get('X-User-Id'), 'user': req.headers.get('X-User-Id'),
'project': req.headers.get('X-Project-Id'), 'project': req.headers.get('X-Project-Id'),
'roles': roles, 'roles': roles,
'is_admin': CONF.admin_role.strip().lower() in roles, 'is_admin': CONF.admin_role.strip().lower() in roles,
'auth_tok': req.headers.get('X-Auth-Token', deprecated_token),
'owner_is_project': CONF.owner_is_project,
'service_catalog': service_catalog,
'policy_enforcer': self.policy_enforcer,
} }
if req.headers.get('X-Domain-Id'):
kwargs['domain'] = req.headers['X-Domain-Id']
if req.headers.get('X-User-Domain-Id'):
kwargs['user_domain'] = req.headers['X-User-Domain-Id']
if req.headers.get('X-Project-Domain-Id'):
kwargs['project_domain'] = req.headers['X-Project-Domain-Id']
return barbican.context.RequestContext(**kwargs) return barbican.context.RequestContext(**kwargs)
@@ -159,5 +143,5 @@ class UnauthenticatedContextMiddleware(BaseContextMiddleware):
} }
context = barbican.context.RequestContext(**kwargs) context = barbican.context.RequestContext(**kwargs)
context.policy_enforcer = None
req.environ['barbican.context'] = context req.environ['barbican.context'] = context
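Review bot: The new domain attributes in `_get_authenticated_context` (`X-Domain-Id`, `X-User-Domain-Id`, `X-Project-Domain-Id`) are copied straight from request headers, just like `X-User-Id` and the roles that decide `is_admin`, and nothing in the hunk records who is allowed to set them. The method starts outside the hunk and its caller is not shown, so a validation step may well exist upstream; if it does, a comment above `kwargs` should say so, e.g. `# Identity headers are trusted only after the auth middleware has validated the token and overwritten any client-supplied values.` Separately, `_get_anonymous_context` now passes `'tenant': None` while this method passes `'project'`; writing `'project': None` there would match the "prefer usage of 'project'" comment in `RequestContext.__init__`.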


@@ -14,84 +14,42 @@
# under the License. # under the License.
from oslo_config import cfg from oslo_config import cfg
import oslo_context
from oslo_policy import policy from oslo_policy import policy
from barbican.common import utils
from barbican.openstack.common import local
CONF = cfg.CONF CONF = cfg.CONF
class RequestContext(object): class RequestContext(oslo_context.context.RequestContext):
"""User security context object """User security context object
Stores information about the security context under which the user Stores information about the security context under which the user
accesses the system, as well as additional request information. accesses the system, as well as additional request information.
""" """
def __init__(self, auth_tok=None, user=None, project=None, roles=None, def __init__(self, roles=None, policy_enforcer=None, project=None,
is_admin=False, read_only=False, show_deleted=False, **kwargs):
owner_is_project=True, service_catalog=None, # prefer usage of 'project' instead of 'tenant'
policy_enforcer=None): if project:
self.auth_tok = auth_tok kwargs['tenant'] = project
self.user = user
self.project = project self.project = project
self.roles = roles or [] self.roles = roles or []
self.read_only = read_only
# TODO(jwood): self._show_deleted = show_deleted
# (mkbhanda) possibly domain could be owner
# brings us to the key scope question
self.owner_is_project = owner_is_project
self.request_id = utils.generate_uuid()
self.service_catalog = service_catalog
self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF) self.policy_enforcer = policy_enforcer or policy.Enforcer(CONF)
self.is_admin = is_admin super(RequestContext, self).__init__(**kwargs)
# TODO(jwood): Is this needed?
# if not self.is_admin:
# self.is_admin = self.policy_enforcer.check_is_admin(self)
if not hasattr(local.store, 'context'):
self.update_store()
def to_dict(self): def to_dict(self):
# NOTE(ameade): These keys are named to correspond with the default out_dict = super(RequestContext, self).to_dict()
# format string for logging the context in openstack common out_dict['roles'] = self.roles
return {
'request_id': self.request_id,
# NOTE(bcwaldon): openstack-common logging expects 'user' # NOTE(jaosorior): For now, the oslo_context library uses 'tenant'
'user': self.user, # instead of project. But in case this changes, this will still issue
'user_id': self.user, # the dict we expect, which would contain 'project'.
if out_dict.get('tenant'):
# NOTE(bcwaldon): openstack-common logging expects 'project' out_dict['project'] = out_dict['tenant']
'project': self.project, out_dict.pop('tenant')
'project_id': self.project, return out_dict
# TODO(jwood): 'is_admin': self.is_admin,
# TODO(jwood): 'read_deleted': self.show_deleted,
'roles': self.roles,
'auth_token': self.auth_tok,
'service_catalog': self.service_catalog,
}
@classmethod @classmethod
def from_dict(cls, values): def from_dict(cls, values):
return cls(**values) return cls(**values)
def update_store(self):
local.store.context = self
@property
def owner(self):
"""Return the owner to correlate with key."""
if self.owner_is_project:
return self.project
return self.user
# TODO(jwood):
# @property
# def show_deleted(self):
# """Admins can see deleted by default"""
# if self._show_deleted or self.is_admin:
# return True
# return False
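Review bot: `to_dict` renames the key only when the tenant is truthy (`if out_dict.get('tenant'):`), so a context without a project keeps whatever `tenant` entry the base class emitted and gains no `project` key, which is not the shape the NOTE above that test promises. Testing for the key keeps the output uniform: `if 'tenant' in out_dict: out_dict['project'] = out_dict.pop('tenant')`. The same dict is fed back through `from_dict` as `cls(**values)`, so any key the base `to_dict` emits that `__init__` does not accept would raise `TypeError`; that depends on the oslo_context version and deserves a round-trip test. Also, `import oslo_context` does not by itself load the `context` submodule, so `oslo_context.context.RequestContext` presumably resolves only because another module imported it first; `from oslo_context import context` would make the dependency explicit.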


@@ -1,50 +0,0 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import mock
import webob.exc
from barbican.api.middleware import context
from barbican.tests import utils
class WhenTestingBaseContextMiddleware(utils.BaseTestCase):
def setUp(self):
super(WhenTestingBaseContextMiddleware, self).setUp()
def test_should_raise_attribute_error(self):
base = context.BaseContextMiddleware(None)
self.assertRaises(AttributeError, base.process_response, None)
class WhenTestingContextMiddleware(utils.BaseTestCase):
def setUp(self):
super(WhenTestingContextMiddleware, self).setUp()
def test_should_raise_attribute_error(self):
middle = context.ContextMiddleware(None)
request = mock.MagicMock()
request.headers = {
'X-Service-Catalog': 'force json error'
}
exception_result = self.assertRaises(
webob.exc.HTTPInternalServerError,
middle._get_authenticated_context,
request)
self.assertEqual(
'Problem processing X-Service-Catalog', exception_result.message)


@@ -11,6 +11,7 @@ kombu>=3.0.7
netaddr>=0.7.12 netaddr>=0.7.12
oslo.concurrency>=1.8.0 # Apache-2.0 oslo.concurrency>=1.8.0 # Apache-2.0
oslo.config>=1.11.0 # Apache-2.0 oslo.config>=1.11.0 # Apache-2.0
oslo.context>=0.2.0 # Apache-2.0
oslo.i18n>=1.5.0 # Apache-2.0 oslo.i18n>=1.5.0 # Apache-2.0
oslo.messaging>=1.8.0 # Apache-2.0 oslo.messaging>=1.8.0 # Apache-2.0
oslo.log>=1.0.0 # Apache-2.0 oslo.log>=1.0.0 # Apache-2.0