Add user_domain_id, project_domain_id to auth context

When creating the auth context, also include the user's domain ID
and project domain ID.

Partial-Bug: 1500222
Change-Id: I31c42fe1d0d484cb2af2259acda8b3c7fd75e309

keystone/common/authorization.py

@@ -31,8 +31,12 @@ It is a dictionary with the following attributes:
 
 * ``token``: Token from the request
 * ``user_id``: user ID of the principal
+* ``user_domain_id`` (optional): Domain ID of the principal if the principal
+                                 has a domain.
 * ``project_id`` (optional): project ID of the scoped project if auth is
                              project-scoped
+* ``project_domain_id`` (optional): Domain ID of the scoped project if auth is
+                                    project-scoped.
 * ``domain_id`` (optional): domain ID of the scoped domain if auth is
                             domain-scoped
 * ``domain_name`` (optional): domain name of the scoped domain if auth is
@@ -64,9 +68,11 @@ def token_to_auth_context(token):
     except KeyError:
         LOG.warning(_LW('RBAC: Invalid user data in token'))
         raise exception.Unauthorized()
+    auth_context['user_domain_id'] = token.user_domain_id
 
     if token.project_scoped:
         auth_context['project_id'] = token.project_id
+        auth_context['project_domain_id'] = token.project_domain_id
     elif token.domain_scoped:
         auth_context['domain_id'] = token.domain_id
         auth_context['domain_name'] = token.domain_name

keystone/tests/unit/common/test_authorization.py

@@ -40,8 +40,12 @@ class TestTokenToAuthContext(unit.BaseTestCase):
         self.assertTrue(auth_context['is_delegated_auth'])
         self.assertEqual(token_data['token']['user']['id'],
                          auth_context['user_id'])
+        self.assertEqual(token_data['token']['user']['domain']['id'],
+                         auth_context['user_domain_id'])
         self.assertEqual(token_data['token']['project']['id'],
                          auth_context['project_id'])
+        self.assertEqual(token_data['token']['project']['domain']['id'],
+                         auth_context['project_domain_id'])
         self.assertNotIn('domain_id', auth_context)
         self.assertNotIn('domain_name', auth_context)
         self.assertEqual(token_data['token']['OS-TRUST:trust']['id'],
@@ -74,6 +78,7 @@ class TestTokenToAuthContext(unit.BaseTestCase):
         auth_context = authorization.token_to_auth_context(token)
 
         self.assertNotIn('project_id', auth_context)
+        self.assertNotIn('project_domain_id', auth_context)
 
         self.assertEqual(domain_id, auth_context['domain_id'])
         self.assertEqual(domain_name, auth_context['domain_name'])
@@ -89,6 +94,7 @@ class TestTokenToAuthContext(unit.BaseTestCase):
         auth_context = authorization.token_to_auth_context(token)
 
         self.assertNotIn('project_id', auth_context)
+        self.assertNotIn('project_domain_id', auth_context)
         self.assertNotIn('domain_id', auth_context)
         self.assertNotIn('domain_name', auth_context)