Add context.elevated() helper for getting admin privileges

This adds an elevated() method to glance.context.RequestContext similar to what Nova and other projects use. When doing something as admin on behalf of a user, this results in a whole context, including information about the user and the request, but with is_admin==True. Change-Id: I5499946425b1c32476c57241b4b14b601daa841f (cherry picked from commit c59ed1bce8)
2020-07-01 07:29:52 -07:00 · 2020-07-01 07:29:52 -07:00 · 5998933acf
parent ebeb31e636
commit 5998933acf
2 changed files with 43 additions and 0 deletions
--- a/glance/context.py
+++ b/glance/context.py
@ -13,6 +13,8 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

+import copy
+
 from oslo_context import context

 from glance.api import policy
@ -72,6 +74,18 @@ class RequestContext(context.RequestContext):
        """Admins can see deleted by default"""
        return self.show_deleted or self.is_admin

+    def elevated(self):
+        """Return a copy of this context with admin flag set."""
+
+        context = copy.copy(self)
+        context.roles = copy.deepcopy(self.roles)
+        if 'admin' not in context.roles:
+            context.roles.append('admin')
+
+        context.is_admin = True
+
+        return context
+

 def get_admin_context(show_deleted=False):
    """Create an administrator context."""
--- a/glance/tests/unit/test_context.py
+++ b/glance/tests/unit/test_context.py
@ -171,3 +171,32 @@ class TestContext(utils.BaseTestCase):
                                     project_domain_id="project-domain")
        self.assertEqual('user tenant domain user-domain project-domain',
                         ctx.to_dict()["user_identity"])
+
+    def test_elevated(self):
+        """Make sure we get a whole admin-capable context from elevated()."""
+        ctx = context.RequestContext(service_catalog=['foo'],
+                                     user_id='dan',
+                                     project_id='openstack',
+                                     roles=['member'])
+        admin = ctx.elevated()
+        self.assertEqual('dan', admin.user_id)
+        self.assertEqual('openstack', admin.project_id)
+        self.assertEqual(sorted(['member', 'admin']),
+                         sorted(admin.roles))
+        self.assertEqual(['foo'], admin.service_catalog)
+        self.assertTrue(admin.is_admin)
+
+    def test_elevated_again(self):
+        """Make sure a second elevation looks the same."""
+        ctx = context.RequestContext(service_catalog=['foo'],
+                                     user_id='dan',
+                                     project_id='openstack',
+                                     roles=['member'])
+        admin = ctx.elevated()
+        admin = admin.elevated()
+        self.assertEqual('dan', admin.user_id)
+        self.assertEqual('openstack', admin.project_id)
+        self.assertEqual(sorted(['member', 'admin']),
+                         sorted(admin.roles))
+        self.assertEqual(['foo'], admin.service_catalog)
+        self.assertTrue(admin.is_admin)