Remove get_auth_context

The controller get_auth_context method simply fetches a dict from the
environment. We can simply put this method on the request now.

Change-Id: Icba3a0286e5af440108c27f41f54de64c922f29a

keystone/auth/controllers.py

@@ -602,9 +602,9 @@ class Auth(controller.V3Controller):
 
     @controller.protected()
     def get_auth_projects(self, request):
-        auth_context = self.get_auth_context(request.context_dict)
+        user_id = request.auth_context.get('user_id')
+        group_ids = request.auth_context.get('group_ids')
 
-        user_id = auth_context.get('user_id')
         user_refs = []
         if user_id:
             try:
@@ -613,7 +613,6 @@ class Auth(controller.V3Controller):
                 # federated users have an id but they don't link to anything
                 pass
 
-        group_ids = auth_context.get('group_ids')
         grp_refs = []
         if group_ids:
             grp_refs = self.assignment_api.list_projects_for_groups(group_ids)
@@ -624,9 +623,9 @@ class Auth(controller.V3Controller):
 
     @controller.protected()
     def get_auth_domains(self, request):
-        auth_context = self.get_auth_context(request.context_dict)
+        user_id = request.auth_context.get('user_id')
+        group_ids = request.auth_context.get('group_ids')
 
-        user_id = auth_context.get('user_id')
         user_refs = []
         if user_id:
             try:
@@ -635,7 +634,6 @@ class Auth(controller.V3Controller):
                 # federated users have an id but they don't link to anything
                 pass
 
-        group_ids = auth_context.get('group_ids')
         grp_refs = []
         if group_ids:
             grp_refs = self.assignment_api.list_domains_for_groups(group_ids)
@@ -646,9 +644,8 @@ class Auth(controller.V3Controller):
 
     @controller.protected()
     def get_auth_catalog(self, request):
-        auth_context = self.get_auth_context(request.context_dict)
+        user_id = request.auth_context.get('user_id')
-        user_id = auth_context.get('user_id')
+        project_id = request.auth_context.get('project_id')
-        project_id = auth_context.get('project_id')
 
         if not project_id:
             raise exception.Forbidden(

keystone/common/controller.py

@@ -450,12 +450,6 @@ class V3Controller(wsgi.Application):
 
         return '%s/%s/%s' % (endpoint, 'v3', path.lstrip('/'))
 
-    def get_auth_context(self, context):
-        # TODO(dolphm): this method of accessing the auth context is terrible,
-        # but context needs to be refactored to always have reasonable values.
-        env_context = context.get('environment', {})
-        return env_context.get(authorization.AUTH_CONTEXT_ENV, {})
-
     @classmethod
     def full_url(cls, context, path=None):
         url = cls.base_url(context, path)

keystone/common/request.py

@@ -13,6 +13,7 @@
 import webob
 from webob.descriptors import environ_getter
 
+from keystone.common import authorization
 import keystone.conf
 from keystone import exception
 from keystone.i18n import _
@@ -66,5 +67,9 @@ class Request(webob.Request):
 
         return self._context_dict
 
+    @property
+    def auth_context(self):
+        return self.environ.get(authorization.AUTH_CONTEXT_ENV, {})
+
     auth_type = environ_getter('AUTH_TYPE', None)
     remote_domain = environ_getter('REMOTE_DOMAIN', None)

keystone/federation/controllers.py

@@ -19,7 +19,6 @@ from six.moves import urllib
 import webob
 
 from keystone.auth import controllers as auth_controllers
-from keystone.common import authorization
 from keystone.common import controller
 from keystone.common import dependency
 from keystone.common import utils as k_utils
@@ -437,11 +436,10 @@ class DomainV3(controller.V3Controller):
         :returns: list of accessible domains
 
         """
-        auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
         domains = self.assignment_api.list_domains_for_groups(
-            auth_context['group_ids'])
+            request.auth_context['group_ids'])
         domains = domains + self.assignment_api.list_domains_for_user(
-            auth_context['user_id'])
+            request.auth_context['user_id'])
         # remove duplicates
         domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]
         return DomainV3.wrap_collection(request.context_dict, domains)
@@ -464,11 +462,10 @@ class ProjectAssignmentV3(controller.V3Controller):
         :returns: list of accessible projects
 
         """
-        auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
         projects = self.assignment_api.list_projects_for_groups(
-            auth_context['group_ids'])
+            request.auth_context['group_ids'])
         projects = projects + self.assignment_api.list_projects_for_user(
-            auth_context['user_id'])
+            request.auth_context['user_id'])
         # remove duplicates
         projects = [dict(t) for t in set([tuple(d.items()) for d in projects])]
         return ProjectAssignmentV3.wrap_collection(request.context_dict,

keystone/oauth1/controllers.py

@@ -121,9 +121,7 @@ class AccessTokenCrudV3(controller.V3Controller):
 
     @controller.protected()
     def list_access_tokens(self, request, user_id):
-        env = request.context_dict.get('environment', {})
+        if request.auth_context.get('is_delegated_auth'):
-        auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
-        if auth_context.get('is_delegated_auth'):
             raise exception.Forbidden(
                 _('Cannot list request tokens'
                   ' with a token issued via delegation.'))
@@ -356,9 +354,7 @@ class OAuthControllerV3(controller.V3Controller):
         there is not another easy way to make sure the user knows which roles
         are being requested before authorizing.
         """
-        env = request.context_dict.get('environment', {})
+        if request.auth_context.get('is_delegated_auth'):
-        auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
-        if auth_context.get('is_delegated_auth'):
             raise exception.Forbidden(
                 _('Cannot authorize a request token'
                   ' with a token issued via delegation.'))

keystone/resource/controllers.py

@@ -295,7 +295,7 @@ class ProjectV3(controller.V3Controller):
                     'params at the same time.')
             raise exception.ValidationError(msg)
 
-        user_id = self.get_auth_context(context).get('user_id')
+        user_id = request.auth_context.get('user_id')
 
         if parents_as_list:
             parents = self.resource_api.list_project_parents(

keystone/trust/controllers.py

@@ -119,13 +119,10 @@ class TrustV3(controller.V3Controller):
         The user creating the trust must be the trustor.
 
         """
-        env = request.context_dict.get('environment', {})
-        auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
-
         # Check if delegated via trust
-        if auth_context.get('is_delegated_auth'):
+        if request.auth_context.get('is_delegated_auth'):
             # Redelegation case
-            src_trust_id = auth_context['trust_id']
+            src_trust_id = request.auth_context['trust_id']
             if not src_trust_id:
                 raise exception.Forbidden(
                     _('Redelegation allowed for delegated by trust only'))