Merge "Use the context's is_admin property"

keystone/common/controller.py

@@ -123,7 +123,7 @@ def protected(callback=None):
     def wrapper(f):
         @functools.wraps(f)
         def inner(self, request, *args, **kwargs):
-            if request.context_dict.get('is_admin', False):
+            if request.context.is_admin:
                 LOG.warning(_LW('RBAC: Bypassing authorization'))
             elif callback is not None:
                 prep_info = {'f_name': f.__name__,
@@ -205,7 +205,7 @@ def filterprotected(*filters, **callback):
     def _filterprotected(f):
         @functools.wraps(f)
         def wrapper(self, request, **kwargs):
-            if not request.context_dict['is_admin']:
+            if not request.context.is_admin:
                 # The target dict for the policy check will include:
                 #
                 # - Any query filter parameters

keystone/common/wsgi.py

@@ -286,7 +286,7 @@ class Application(BaseApplication):
             does not have the admin role
 
         """
-        if not request.context_dict['is_admin']:
+        if not request.context.is_admin:
             user_token_ref = utils.get_token_ref(request.context_dict)
 
             validate_token_bind(request.context_dict, user_token_ref)

keystone/tests/unit/core.py

@@ -41,6 +41,7 @@ from sqlalchemy import exc
 import testtools
 from testtools import testcase
 
+from keystone.common import context
 from keystone.common import dependency
 from keystone.common import request
 from keystone.common import sql
@@ -588,15 +589,15 @@ class TestCase(BaseTestCase):
         return ksfixtures.Policy(dirs.etc('policy.json'), self.config_fixture)
 
     def make_request(self, path='/', **kwargs):
-        context = {}
+        is_admin = kwargs.pop('is_admin', False)
+        environ = kwargs.setdefault('environ', {})
 
-        try:
+        if not environ.get(context.REQUEST_CONTEXT_ENV):
-            context['is_admin'] = kwargs.pop('is_admin')
+            environ[context.REQUEST_CONTEXT_ENV] = context.RequestContext(
-        except KeyError:
+                is_admin=is_admin)
-            pass
 
         req = request.Request.blank(path=path, **kwargs)
-        req.context_dict.update(context)
+        req.context_dict['is_admin'] = is_admin
 
         return req
 

keystone/trust/controllers.py

@@ -34,8 +34,9 @@ def _trustor_trustee_only(trust, user_id):
         raise exception.Forbidden()
 
 
-def _admin_trustor_only(context, trust, user_id):
+def _admin_trustor_only(request, trust, user_id):
-    if user_id != trust.get('trustor_user_id') and not context['is_admin']:
+    if (user_id != trust.get('trustor_user_id') and
+            not request.context.is_admin):
         raise exception.Forbidden()
 
 
@@ -246,7 +247,7 @@ class TrustV3(controller.V3Controller):
     def delete_trust(self, request, trust_id):
         trust = self.trust_api.get_trust(trust_id)
         user_id = self._get_user_id(request.context_dict)
-        _admin_trustor_only(request.context_dict, trust, user_id)
+        _admin_trustor_only(request, trust, user_id)
         initiator = notifications._get_request_audit_info(request.context_dict)
         self.trust_api.delete_trust(trust_id, initiator)
 

keystone/v2_crud/user_crud.py

@@ -76,14 +76,14 @@ class UserController(identity.controllers.User):
 
         update_dict = {'password': user['password'], 'id': user_id}
 
-        old_admin = request.context_dict.pop('is_admin', False)
+        old_admin = request.context.is_admin
-        request.context_dict['is_admin'] = True
+        request.context.is_admin = True
 
         super(UserController, self).set_user_password(request,
                                                       user_id,
                                                       update_dict)
 
-        request.context_dict['is_admin'] = old_admin
+        request.context.is_admin = old_admin
 
         # Issue a new token based upon the original token data. This will
         # always be a V2.0 token.