diff --git a/keystone/common/controller.py b/keystone/common/controller.py
index 2b876c5f65..fd52e9e166 100644
--- a/keystone/common/controller.py
+++ b/keystone/common/controller.py
@@ -123,7 +123,7 @@ def protected(callback=None):
 def wrapper(f):
 @functools.wraps(f)
 def inner(self, request, *args, **kwargs):
- if request.context_dict.get('is_admin', False):
+ if request.context.is_admin:
 LOG.warning(_LW('RBAC: Bypassing authorization'))
 elif callback is not None:
 prep_info = {'f_name': f.__name__,
@@ -205,7 +205,7 @@ def filterprotected(*filters, **callback):
 def _filterprotected(f):
 @functools.wraps(f)
 def wrapper(self, request, **kwargs):
- if not request.context_dict['is_admin']:
+ if not request.context.is_admin:
 # The target dict for the policy check will include:
 #
 # - Any query filter parameters
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index c684802e63..577bd42a69 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -286,7 +286,7 @@ class Application(BaseApplication):
 does not have the admin role
 """
- if not request.context_dict['is_admin']:
+ if not request.context.is_admin:
 user_token_ref = utils.get_token_ref(request.context_dict)
 validate_token_bind(request.context_dict, user_token_ref)
diff --git a/keystone/tests/unit/core.py b/keystone/tests/unit/core.py
index d9ef87a9ee..09dfb27002 100644
--- a/keystone/tests/unit/core.py
+++ b/keystone/tests/unit/core.py
@@ -41,6 +41,7 @@ from sqlalchemy import exc
 import testtools
 from testtools import testcase
+from keystone.common import context
 from keystone.common import dependency
 from keystone.common import request
 from keystone.common import sql
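Review bot: In keystone/common/controller.py the `protected` bypass now reads `request.context.is_admin`, but the surrounding code still carries `request.context_dict`, so the admin flag that skips the policy check exists in two places. The same applies to the `filterprotected` hunk and to the keystone/common/wsgi.py hunk, where the check reads the context object while `utils.get_token_ref(request.context_dict)` on the following line still reads the dict. The code that sets the flag is not visible in this diff; if any path writes only `context_dict['is_admin']`, or any remaining reader consults only the dict, the two can disagree on whether authorization is bypassed. I would add a comment at each check, for example `# request.context.is_admin is authoritative; never authorize on context_dict['is_admin']`, and confirm that the setter updates the context object. The bodies of `inner` and `wrapper` continue outside these hunks.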
@@ -588,15 +589,15 @@ class TestCase(BaseTestCase):
 return ksfixtures.Policy(dirs.etc('policy.json'), self.config_fixture)
 def make_request(self, path='/', **kwargs):
- context = {}
+ is_admin = kwargs.pop('is_admin', False)
+ environ = kwargs.setdefault('environ', {})
- try:
- context['is_admin'] = kwargs.pop('is_admin')
- except KeyError:
- pass
+ if not environ.get(context.REQUEST_CONTEXT_ENV):
+ environ[context.REQUEST_CONTEXT_ENV] = context.RequestContext(
+ is_admin=is_admin)
 req = request.Request.blank(path=path, **kwargs)
- req.context_dict.update(context)
+ req.context_dict['is_admin'] = is_admin
 return req
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index dcc0e0713d..b06bf1489d 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -34,8 +34,9 @@ def _trustor_trustee_only(trust, user_id):
 raise exception.Forbidden()
-def _admin_trustor_only(context, trust, user_id):
- if user_id != trust.get('trustor_user_id') and not context['is_admin']:
+def _admin_trustor_only(request, trust, user_id):
+ if (user_id != trust.get('trustor_user_id') and
+ not request.context.is_admin):
 raise exception.Forbidden()
@@ -246,7 +247,7 @@ class TrustV3(controller.V3Controller):
 def delete_trust(self, request, trust_id):
 trust = self.trust_api.get_trust(trust_id)
 user_id = self._get_user_id(request.context_dict)
- _admin_trustor_only(request.context_dict, trust, user_id)
+ _admin_trustor_only(request, trust, user_id)
 initiator = notifications._get_request_audit_info(request.context_dict)
 self.trust_api.delete_trust(trust_id, initiator)
diff --git a/keystone/v2_crud/user_crud.py b/keystone/v2_crud/user_crud.py
index 6f8159bd73..4e5d4d8545 100644
--- a/keystone/v2_crud/user_crud.py
+++ b/keystone/v2_crud/user_crud.py
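Review bot: In `make_request` (keystone/tests/unit/core.py), when the caller passes an `environ` that already holds a request context, the `is_admin` keyword is not applied to that context, yet `req.context_dict['is_admin'] = is_admin` is still written, so the two flags can disagree within one test request. The controllers changed in this commit authorize on `request.context.is_admin`, so such a test could exercise the non-admin path while the dict says admin, or the reverse, and pass for the wrong reason. I would document this in a docstring, for example `"""Build a test request; is_admin is ignored for request.context when environ already carries a context."""`, or reject the combination outright. The helper also now always sets `context_dict['is_admin']`, whereas the key was previously absent when the keyword was omitted.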
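Review bot: `_admin_trustor_only` in keystone/trust/controllers.py now takes the request object instead of the context dict, but nothing on the function says so beyond the renamed first parameter. A caller still passing `request.context_dict` could fail with an AttributeError at `request.context.is_admin` instead of raising `exception.Forbidden`; only the `delete_trust` call site is visible in this diff, so other callers should be checked. I would add a docstring such as `"""Raise Forbidden unless user_id is the trustor or request.context.is_admin is set."""`.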
@@ -76,14 +76,14 @@ class UserController(identity.controllers.User):
 update_dict = {'password': user['password'], 'id': user_id}
- old_admin = request.context_dict.pop('is_admin', False)
- request.context_dict['is_admin'] = True
+ old_admin = request.context.is_admin
+ request.context.is_admin = True
 super(UserController, self).set_user_password(request, user_id, update_dict)
- request.context_dict['is_admin'] = old_admin
+ request.context.is_admin = old_admin
 # Issue a new token based upon the original token data. This will
 # always be a V2.0 token.
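Review bot: The temporary elevation in keystone/v2_crud/user_crud.py is not undone when `set_user_password` raises, because `request.context.is_admin = old_admin` runs only on the success path. An exception therefore leaves the request context with `is_admin` set to True for whatever handles the request afterwards. Wrap the call in `try:` and move the restore into `finally: request.context.is_admin = old_admin`. The flag now sits on the context object that `protected` and `filterprotected` consult, so a leaked True is what those checks would see if the same request reaches them again. The enclosing method starts and ends outside the hunk.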