diff --git a/keystone/auth/controllers.py b/keystone/auth/controllers.py
index c508a7d034..d76c45c756 100644
--- a/keystone/auth/controllers.py
+++ b/keystone/auth/controllers.py
@@ -602,9 +602,9 @@ class Auth(controller.V3Controller):
 @controller.protected()
 def get_auth_projects(self, request):
- auth_context = self.get_auth_context(request.context_dict)
+ user_id = request.auth_context.get('user_id')
+ group_ids = request.auth_context.get('group_ids')
- user_id = auth_context.get('user_id')
 user_refs = []
 if user_id:
 try:
@@ -613,7 +613,6 @@ class Auth(controller.V3Controller):
 # federated users have an id but they don't link to anything
 pass
- group_ids = auth_context.get('group_ids')
 grp_refs = []
 if group_ids:
 grp_refs = self.assignment_api.list_projects_for_groups(group_ids)
@@ -624,9 +623,9 @@ class Auth(controller.V3Controller):
 @controller.protected()
 def get_auth_domains(self, request):
- auth_context = self.get_auth_context(request.context_dict)
+ user_id = request.auth_context.get('user_id')
+ group_ids = request.auth_context.get('group_ids')
- user_id = auth_context.get('user_id')
 user_refs = []
 if user_id:
 try:
@@ -635,7 +634,6 @@ class Auth(controller.V3Controller):
 # federated users have an id but they don't link to anything
 pass
- group_ids = auth_context.get('group_ids')
 grp_refs = []
 if group_ids:
 grp_refs = self.assignment_api.list_domains_for_groups(group_ids)
@@ -646,9 +644,8 @@ class Auth(controller.V3Controller):
 @controller.protected()
 def get_auth_catalog(self, request):
- auth_context = self.get_auth_context(request.context_dict)
- user_id = auth_context.get('user_id')
- project_id = auth_context.get('project_id')
+ user_id = request.auth_context.get('user_id')
+ project_id = request.auth_context.get('project_id')
 if not project_id:
 raise exception.Forbidden(
diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index 3083115314..e22110806b 100644
--- a/keystone/common/controller.py
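Review bot: `request.auth_context` is re-evaluated for every key read in `get_auth_projects`, `get_auth_domains` and `get_auth_catalog`; each access is a fresh environ lookup that also builds a new `{}` when the key is absent. Bind it once per method, `auth_context = request.auth_context`, and then read `auth_context.get('user_id')` and `auth_context.get('group_ids')` from that, which keeps one lookup per request and a smaller diff against the removed lines. The same repeated-property pattern appears in the two federation hunks (`DomainV3` and `ProjectAssignmentV3`), where the context is indexed twice in a row. The bodies of all three methods here continue past their hunks.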
+++ b/keystone/common/controller.py
@@ -450,12 +450,6 @@ class V3Controller(wsgi.Application):
 return '%s/%s/%s' % (endpoint, 'v3', path.lstrip('/'))
- def get_auth_context(self, context):
- # TODO(dolphm): this method of accessing the auth context is terrible,
- # but context needs to be refactored to always have reasonable values.
- env_context = context.get('environment', {})
- return env_context.get(authorization.AUTH_CONTEXT_ENV, {})
-
 @classmethod
 def full_url(cls, context, path=None):
 url = cls.base_url(context, path)
diff --git a/keystone/common/request.py b/keystone/common/request.py
index a921c80f39..d94e14a7ea 100644
--- a/keystone/common/request.py
+++ b/keystone/common/request.py
@@ -13,6 +13,7 @@ import webob
 from webob.descriptors import environ_getter
+from keystone.common import authorization
 import keystone.conf
 from keystone import exception
 from keystone.i18n import _
@@ -66,5 +67,9 @@ class Request(webob.Request):
 return self._context_dict
+ @property
+ def auth_context(self):
+ return self.environ.get(authorization.AUTH_CONTEXT_ENV, {})
+
 auth_type = environ_getter('AUTH_TYPE', None)
 remote_domain = environ_getter('REMOTE_DOMAIN', None)
diff --git a/keystone/federation/controllers.py b/keystone/federation/controllers.py
index 9370f7c1e5..04000b0940 100644
--- a/keystone/federation/controllers.py
+++ b/keystone/federation/controllers.py
@@ -19,7 +19,6 @@ from six.moves import urllib
 import webob
 from keystone.auth import controllers as auth_controllers
-from keystone.common import authorization
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import utils as k_utils
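Review bot: The new `Request.auth_context` property has no docstring, and its contract matters to every caller this change touches: it returns the dict stored under `authorization.AUTH_CONTEXT_ENV` in the WSGI environ, or a fresh empty dict when that key is absent, so `.get()` callers silently see `None`, subscripting callers (federation, trust) raise `KeyError`, and any assignment into the returned dict is lost when the key was absent. A docstring such as `"""Authorization context for this request, read from the WSGI environ under AUTH_CONTEXT_ENV; an empty dict when none was set."""` would make that explicit. Which component populates the environ key is not visible in this diff (presumably the authentication middleware), so callers that require a populated context must stay behind an authorization check such as `@controller.protected()`. The removed `V3Controller.get_auth_context` used the same empty-dict default, so existing behaviour is preserved.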
@@ -437,11 +436,10 @@ class DomainV3(controller.V3Controller):
 :returns: list of accessible domains
 """
- auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
 domains = self.assignment_api.list_domains_for_groups(
- auth_context['group_ids'])
+ request.auth_context['group_ids'])
 domains = domains + self.assignment_api.list_domains_for_user(
- auth_context['user_id'])
+ request.auth_context['user_id'])
 # remove duplicates
 domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]
 return DomainV3.wrap_collection(request.context_dict, domains)
@@ -464,11 +462,10 @@ class ProjectAssignmentV3(controller.V3Controller):
 :returns: list of accessible projects
 """
- auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
 projects = self.assignment_api.list_projects_for_groups(
- auth_context['group_ids'])
+ request.auth_context['group_ids'])
 projects = projects + self.assignment_api.list_projects_for_user(
- auth_context['user_id'])
+ request.auth_context['user_id'])
 # remove duplicates
 projects = [dict(t) for t in set([tuple(d.items()) for d in projects])]
 return ProjectAssignmentV3.wrap_collection(request.context_dict,
diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py
index bcd5361284..a37783df5a 100644
--- a/keystone/oauth1/controllers.py
+++ b/keystone/oauth1/controllers.py
@@ -121,9 +121,7 @@ class AccessTokenCrudV3(controller.V3Controller):
 @controller.protected()
 def list_access_tokens(self, request, user_id):
- env = request.context_dict.get('environment', {})
- auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
- if auth_context.get('is_delegated_auth'):
+ if request.auth_context.get('is_delegated_auth'):
 raise exception.Forbidden(
 _('Cannot list request tokens'
 ' with a token issued via delegation.'))
@@ -356,9 +354,7 @@ class OAuthControllerV3(controller.V3Controller):
 there is not another easy way to make sure the user knows which roles
 are being requested before authorizing.
 """
- env = request.context_dict.get('environment', {})
- auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
- if auth_context.get('is_delegated_auth'):
+ if request.auth_context.get('is_delegated_auth'):
 raise exception.Forbidden(
 _('Cannot authorize a request token'
 ' with a token issued via delegation.'))
diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py
index 76dbb54310..bcda56ae0a 100644
--- a/keystone/resource/controllers.py
+++ b/keystone/resource/controllers.py
@@ -295,7 +295,7 @@ class ProjectV3(controller.V3Controller):
 'params at the same time.')
 raise exception.ValidationError(msg)
- user_id = self.get_auth_context(context).get('user_id')
+ user_id = request.auth_context.get('user_id')
 if parents_as_list:
 parents = self.resource_api.list_project_parents(
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index b75d3e1c7c..e0d0f7667c 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -119,13 +119,10 @@ class TrustV3(controller.V3Controller):
 The user creating the trust must be the trustor.
 """
- env = request.context_dict.get('environment', {})
- auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
- # Check if delegated via trust
- if auth_context.get('is_delegated_auth'):
+ if request.auth_context.get('is_delegated_auth'):
 # Redelegation case
- src_trust_id = auth_context['trust_id']
+ src_trust_id = request.auth_context['trust_id']
 if not src_trust_id:
 raise exception.Forbidden(
 _('Redelegation allowed for delegated by trust only'))
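Review bot: In the `ProjectV3` hunk the new line reads `request.auth_context`, while the line it replaces read `context`, and the enclosing method's signature is outside the hunk, so it is not visible here that `request` is bound in that method; every other hunk in this change shows a `request` parameter, this one does not. If the method still receives only `context`, `user_id = request.auth_context.get('user_id')` raises `NameError` on the first request that reaches it, so please confirm the signature (and that `context` is not left as an unused parameter). The enclosing method starts and ends outside the hunk.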