Handle more auth information via context

Add more information from the auth_context dict to the request context
object and start the process of converting code over to using the
context instead.

Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
changes/90/339390/4
Jamie Lennox 7 years ago
parent 1d7c96d6a3
commit 9dc21e8525

@ -29,6 +29,16 @@ class RequestContext(oslo_context.RequestContext):
self.username = kwargs.pop('username', None)
self.user_domain_name = kwargs.pop('user_domain_name', None)
self.project_domain_name = kwargs.pop('project_domain_name', None)
self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
self.trust_id = kwargs.pop('trust_id', None)
self.trustor_id = kwargs.pop('trustor_id', None)
self.trustee_id = kwargs.pop('trustee_id', None)
self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
self.authenticated = kwargs.pop('authenticated', False)
super(RequestContext, self).__init__(**kwargs)

@ -214,12 +214,24 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
request_context.user_id = auth_context.get('user_id')
request_context.project_id = auth_context.get('project_id')
request_context.domain_id = auth_context.get('domain_id')
request_context.domain_name = auth_context.get('domain_name')
request_context.user_domain_id = auth_context.get('user_domain_id')
request_context.roles = auth_context.get('roles')
project_domain_id = auth_context.get('project_domain_id')
request_context.project_domain_id = project_domain_id
is_delegated_auth = auth_context.get('is_delegated_auth', False)
request_context.is_delegated_auth = is_delegated_auth
request_context.trust_id = auth_context.get('trust_id')
request_context.trustor_id = auth_context.get('trustor_id')
request_context.trustee_id = auth_context.get('trustee_id')
access_token_id = auth_context.get('access_token_id')
request_context.oauth_consumer_id = auth_context.get('consumer_id')
request_context.oauth_acess_token_id = access_token_id
LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
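Review bot: The assignment `request_context.oauth_acess_token_id = access_token_id` misspells the attribute that RequestContext declares as `oauth_access_token_id`, so Python silently creates a second attribute and the declared one keeps its `None` default. Any later check that reads `request.context.oauth_access_token_id` would then see no access token, even on an OAuth-delegated request. The line should read `request_context.oauth_access_token_id = access_token_id`. A unit test asserting that each context field equals its auth_context counterpart would catch this kind of drift. The enclosing method starts and ends outside the hunk.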

@ -122,7 +122,7 @@ class AccessTokenCrudV3(controller.V3Controller):
@controller.protected()
def list_access_tokens(self, request, user_id):
if request.auth_context.get('is_delegated_auth'):
if request.context.is_delegated_auth:
raise exception.Forbidden(
_('Cannot list request tokens'
' with a token issued via delegation.'))
@ -359,7 +359,7 @@ class OAuthControllerV3(controller.V3Controller):
there is not another easy way to make sure the user knows which roles
are being requested before authorizing.
"""
if request.auth_context.get('is_delegated_auth'):
if request.context.is_delegated_auth:
raise exception.Forbidden(
_('Cannot authorize a request token'
' with a token issued via delegation.'))
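Review bot: `request.context.is_delegated_auth` defaults to `False` in RequestContext, so both delegation guards here (list_access_tokens and the authorize path in OAuthControllerV3) let the request through whenever the context was not populated from auth_context. The middleware hunk shows one place that copies the value; if any other path sets `AUTH_CONTEXT_ENV` without filling the context (not visible here), a delegated token would pass these guards. The same applies to the redelegation check in the TrustV3 hunk. It is worth confirming that every path that populates auth_context also fills the context, and adding a test that calls these endpoints with a trust-scoped token and expects Forbidden. Both function bodies continue outside the hunks.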

@ -298,11 +298,9 @@ class ProjectV3(controller.V3Controller):
'params at the same time.')
raise exception.ValidationError(msg)
user_id = request.auth_context.get('user_id')
if parents_as_list:
parents = self.resource_api.list_project_parents(
ref['id'], user_id)
ref['id'], request.context.user_id)
ref['parents'] = [ProjectV3.wrap_member(context, p)
for p in parents]
elif parents_as_ids:
@ -310,7 +308,7 @@ class ProjectV3(controller.V3Controller):
if subtree_as_list:
subtree = self.resource_api.list_projects_in_subtree(
ref['id'], user_id)
ref['id'], request.context.user_id)
ref['subtree'] = [ProjectV3.wrap_member(context, p)
for p in subtree]
elif subtree_as_ids:

@ -121,9 +121,9 @@ class TrustV3(controller.V3Controller):
"""
validation.lazy_validate(schema.trust_create, trust)
# Check if delegated via trust
if request.auth_context.get('is_delegated_auth'):
if request.context.is_delegated_auth:
# Redelegation case
src_trust_id = request.auth_context['trust_id']
src_trust_id = request.context.trust_id
if not src_trust_id:
raise exception.Forbidden(
_('Redelegation allowed for delegated by trust only'))
