Remove get_auth_context
The controller get_auth_context method simply fetches a dict from the environment. We can simply put this method on the request now. Change-Id: Icba3a0286e5af440108c27f41f54de64c922f29a
parent
46b76a3d8e
commit
3a19aa518d
|
@ -602,9 +602,9 @@ class Auth(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_auth_projects(self, request):
|
def get_auth_projects(self, request):
|
||||||
auth_context = self.get_auth_context(request.context_dict)
|
user_id = request.auth_context.get('user_id')
|
||||||
|
group_ids = request.auth_context.get('group_ids')
|
||||||
|
|
||||||
user_id = auth_context.get('user_id')
|
|
||||||
user_refs = []
|
user_refs = []
|
||||||
if user_id:
|
if user_id:
|
||||||
try:
|
try:
|
||||||
|
@ -613,7 +613,6 @@ class Auth(controller.V3Controller):
|
||||||
# federated users have an id but they don't link to anything
|
# federated users have an id but they don't link to anything
|
||||||
pass
|
pass
|
||||||
|
|
||||||
group_ids = auth_context.get('group_ids')
|
|
||||||
grp_refs = []
|
grp_refs = []
|
||||||
if group_ids:
|
if group_ids:
|
||||||
grp_refs = self.assignment_api.list_projects_for_groups(group_ids)
|
grp_refs = self.assignment_api.list_projects_for_groups(group_ids)
|
||||||
|
@ -624,9 +623,9 @@ class Auth(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_auth_domains(self, request):
|
def get_auth_domains(self, request):
|
||||||
auth_context = self.get_auth_context(request.context_dict)
|
user_id = request.auth_context.get('user_id')
|
||||||
|
group_ids = request.auth_context.get('group_ids')
|
||||||
|
|
||||||
user_id = auth_context.get('user_id')
|
|
||||||
user_refs = []
|
user_refs = []
|
||||||
if user_id:
|
if user_id:
|
||||||
try:
|
try:
|
||||||
|
@ -635,7 +634,6 @@ class Auth(controller.V3Controller):
|
||||||
# federated users have an id but they don't link to anything
|
# federated users have an id but they don't link to anything
|
||||||
pass
|
pass
|
||||||
|
|
||||||
group_ids = auth_context.get('group_ids')
|
|
||||||
grp_refs = []
|
grp_refs = []
|
||||||
if group_ids:
|
if group_ids:
|
||||||
grp_refs = self.assignment_api.list_domains_for_groups(group_ids)
|
grp_refs = self.assignment_api.list_domains_for_groups(group_ids)
|
||||||
|
@ -646,9 +644,8 @@ class Auth(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def get_auth_catalog(self, request):
|
def get_auth_catalog(self, request):
|
||||||
auth_context = self.get_auth_context(request.context_dict)
|
user_id = request.auth_context.get('user_id')
|
||||||
user_id = auth_context.get('user_id')
|
project_id = request.auth_context.get('project_id')
|
||||||
project_id = auth_context.get('project_id')
|
|
||||||
|
|
||||||
if not project_id:
|
if not project_id:
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
|
|
|
@ -450,12 +450,6 @@ class V3Controller(wsgi.Application):
|
||||||
|
|
||||||
return '%s/%s/%s' % (endpoint, 'v3', path.lstrip('/'))
|
return '%s/%s/%s' % (endpoint, 'v3', path.lstrip('/'))
|
||||||
|
|
||||||
def get_auth_context(self, context):
|
|
||||||
# TODO(dolphm): this method of accessing the auth context is terrible,
|
|
||||||
# but context needs to be refactored to always have reasonable values.
|
|
||||||
env_context = context.get('environment', {})
|
|
||||||
return env_context.get(authorization.AUTH_CONTEXT_ENV, {})
|
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def full_url(cls, context, path=None):
|
def full_url(cls, context, path=None):
|
||||||
url = cls.base_url(context, path)
|
url = cls.base_url(context, path)
|
||||||
|
|
|
@ -13,6 +13,7 @@
|
||||||
import webob
|
import webob
|
||||||
from webob.descriptors import environ_getter
|
from webob.descriptors import environ_getter
|
||||||
|
|
||||||
|
from keystone.common import authorization
|
||||||
import keystone.conf
|
import keystone.conf
|
||||||
from keystone import exception
|
from keystone import exception
|
||||||
from keystone.i18n import _
|
from keystone.i18n import _
|
||||||
|
@ -66,5 +67,9 @@ class Request(webob.Request):
|
||||||
|
|
||||||
return self._context_dict
|
return self._context_dict
|
||||||
|
|
||||||
|
@property
|
||||||
|
def auth_context(self):
|
||||||
|
return self.environ.get(authorization.AUTH_CONTEXT_ENV, {})
|
||||||
|
|
||||||
auth_type = environ_getter('AUTH_TYPE', None)
|
auth_type = environ_getter('AUTH_TYPE', None)
|
||||||
remote_domain = environ_getter('REMOTE_DOMAIN', None)
|
remote_domain = environ_getter('REMOTE_DOMAIN', None)
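Review bot: The new `auth_context` property has no docstring and returns `{}` when `authorization.AUTH_CONTEXT_ENV` is missing from `environ`, so a caller cannot tell a request with no auth context from an authenticated one with no attributes. The `.get('is_delegated_auth')` and `.get('user_id')` checks elsewhere in this commit then see a falsy value instead of failing. I would add a docstring such as `"""Return the auth context dict from the WSGI environ, or an empty dict if none was set."""` and state there that callers must treat an empty result as unauthenticated. Because the default is a fresh dict on each access, anything written to it is lost. The rest of `Request` is outside the hunk.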
|
||||||
|
|
|
@ -19,7 +19,6 @@ from six.moves import urllib
|
||||||
import webob
|
import webob
|
||||||
|
|
||||||
from keystone.auth import controllers as auth_controllers
|
from keystone.auth import controllers as auth_controllers
|
||||||
from keystone.common import authorization
|
|
||||||
from keystone.common import controller
|
from keystone.common import controller
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
from keystone.common import utils as k_utils
|
from keystone.common import utils as k_utils
|
||||||
|
@ -437,11 +436,10 @@ class DomainV3(controller.V3Controller):
|
||||||
:returns: list of accessible domains
|
:returns: list of accessible domains
|
||||||
|
|
||||||
"""
|
"""
|
||||||
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
|
|
||||||
domains = self.assignment_api.list_domains_for_groups(
|
domains = self.assignment_api.list_domains_for_groups(
|
||||||
auth_context['group_ids'])
|
request.auth_context['group_ids'])
|
||||||
domains = domains + self.assignment_api.list_domains_for_user(
|
domains = domains + self.assignment_api.list_domains_for_user(
|
||||||
auth_context['user_id'])
|
request.auth_context['user_id'])
|
||||||
# remove duplicates
|
# remove duplicates
|
||||||
domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]
|
domains = [dict(t) for t in set([tuple(d.items()) for d in domains])]
|
||||||
return DomainV3.wrap_collection(request.context_dict, domains)
|
return DomainV3.wrap_collection(request.context_dict, domains)
|
||||||
|
@ -464,11 +462,10 @@ class ProjectAssignmentV3(controller.V3Controller):
|
||||||
:returns: list of accessible projects
|
:returns: list of accessible projects
|
||||||
|
|
||||||
"""
|
"""
|
||||||
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
|
|
||||||
projects = self.assignment_api.list_projects_for_groups(
|
projects = self.assignment_api.list_projects_for_groups(
|
||||||
auth_context['group_ids'])
|
request.auth_context['group_ids'])
|
||||||
projects = projects + self.assignment_api.list_projects_for_user(
|
projects = projects + self.assignment_api.list_projects_for_user(
|
||||||
auth_context['user_id'])
|
request.auth_context['user_id'])
|
||||||
# remove duplicates
|
# remove duplicates
|
||||||
projects = [dict(t) for t in set([tuple(d.items()) for d in projects])]
|
projects = [dict(t) for t in set([tuple(d.items()) for d in projects])]
|
||||||
return ProjectAssignmentV3.wrap_collection(request.context_dict,
|
return ProjectAssignmentV3.wrap_collection(request.context_dict,
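Review bot: `request.auth_context['group_ids']` and `request.auth_context['user_id']` subscript a dict that, per the new property, is `{}` when no auth context was set, so the failure is a bare `KeyError` rather than an authorization error; the `DomainV3` hunk above has the same pattern. The old `request.environ[authorization.AUTH_CONTEXT_ENV]` also raised `KeyError`, so this is not a regression, but the refactor is a natural place to make the failure explicit. Consider binding the dict once, `auth_context = request.auth_context`, and rejecting the request when `user_id` is absent before calling `assignment_api`. Both method bodies start and end outside their hunks, so a guard earlier in the method or a decorator may already cover this.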
|
||||||
|
|
|
@ -121,9 +121,7 @@ class AccessTokenCrudV3(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_access_tokens(self, request, user_id):
|
def list_access_tokens(self, request, user_id):
|
||||||
env = request.context_dict.get('environment', {})
|
if request.auth_context.get('is_delegated_auth'):
|
||||||
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
|
|
||||||
if auth_context.get('is_delegated_auth'):
|
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Cannot list request tokens'
|
_('Cannot list request tokens'
|
||||||
' with a token issued via delegation.'))
|
' with a token issued via delegation.'))
|
||||||
|
@ -356,9 +354,7 @@ class OAuthControllerV3(controller.V3Controller):
|
||||||
there is not another easy way to make sure the user knows which roles
|
there is not another easy way to make sure the user knows which roles
|
||||||
are being requested before authorizing.
|
are being requested before authorizing.
|
||||||
"""
|
"""
|
||||||
env = request.context_dict.get('environment', {})
|
if request.auth_context.get('is_delegated_auth'):
|
||||||
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
|
|
||||||
if auth_context.get('is_delegated_auth'):
|
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Cannot authorize a request token'
|
_('Cannot authorize a request token'
|
||||||
' with a token issued via delegation.'))
|
' with a token issued via delegation.'))
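Review bot: Both delegation checks here used to read the literal key `'KEYSTONE_AUTH_CONTEXT'` and now go through `request.auth_context`, which reads `authorization.AUTH_CONTEXT_ENV`; the value of that constant is not shown in this diff. If the two ever differ, `request.auth_context.get('is_delegated_auth')` returns `None` and the `exception.Forbidden` branch is skipped silently, so the delegation restriction on listing and authorizing request tokens would stop being enforced. The `TrustV3` hunk makes the same literal-to-property switch. A test that presents a delegated auth context to each endpoint and expects `Forbidden` would pin this. Both method bodies extend past their hunks.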
|
||||||
|
|
|
@ -295,7 +295,7 @@ class ProjectV3(controller.V3Controller):
|
||||||
'params at the same time.')
|
'params at the same time.')
|
||||||
raise exception.ValidationError(msg)
|
raise exception.ValidationError(msg)
|
||||||
|
|
||||||
user_id = self.get_auth_context(context).get('user_id')
|
user_id = request.auth_context.get('user_id')
|
||||||
|
|
||||||
if parents_as_list:
|
if parents_as_list:
|
||||||
parents = self.resource_api.list_project_parents(
|
parents = self.resource_api.list_project_parents(
|
||||||
|
|
|
@ -119,13 +119,10 @@ class TrustV3(controller.V3Controller):
|
||||||
The user creating the trust must be the trustor.
|
The user creating the trust must be the trustor.
|
||||||
|
|
||||||
"""
|
"""
|
||||||
env = request.context_dict.get('environment', {})
|
|
||||||
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
|
|
||||||
|
|
||||||
# Check if delegated via trust
|
# Check if delegated via trust
|
||||||
if auth_context.get('is_delegated_auth'):
|
if request.auth_context.get('is_delegated_auth'):
|
||||||
# Redelegation case
|
# Redelegation case
|
||||||
src_trust_id = auth_context['trust_id']
|
src_trust_id = request.auth_context['trust_id']
|
||||||
if not src_trust_id:
|
if not src_trust_id:
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Redelegation allowed for delegated by trust only'))
|
_('Redelegation allowed for delegated by trust only'))
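Review bot: `src_trust_id = request.auth_context['trust_id']` raises `KeyError` when the key is absent, so the `if not src_trust_id:` check and its `exception.Forbidden` can only fire for a present-but-empty value. Whether a delegated context without `trust_id` can occur is not visible here, but the error text ('Redelegation allowed for delegated by trust only') suggests that case is expected. `src_trust_id = request.auth_context.get('trust_id')` would route it to the intended `Forbidden`. The method continues outside the hunk.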
|
||||||
|
|