Handle more auth information via context

Add more information from the auth_context dict to the request context object and start the process of converting code over to using the context instead. Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
7 years ago · 9dc21e8525
parent 1d7c96d6a3
commit 9dc21e8525
5 changed files with 28 additions and 8 deletions
--- a/keystone/common/context.py
+++ b/keystone/common/context.py
@ -29,6 +29,16 @@ class RequestContext(oslo_context.RequestContext):
        self.username = kwargs.pop('username', None)
        self.user_domain_name = kwargs.pop('user_domain_name', None)
        self.project_domain_name = kwargs.pop('project_domain_name', None)
+
+        self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
+
+        self.trust_id = kwargs.pop('trust_id', None)
+        self.trustor_id = kwargs.pop('trustor_id', None)
+        self.trustee_id = kwargs.pop('trustee_id', None)
+
+        self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
+        self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
+
        self.authenticated = kwargs.pop('authenticated', False)
        super(RequestContext, self).__init__(**kwargs)

--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
@ -214,12 +214,24 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
        request_context.user_id = auth_context.get('user_id')
        request_context.project_id = auth_context.get('project_id')
        request_context.domain_id = auth_context.get('domain_id')
+        request_context.domain_name = auth_context.get('domain_name')
        request_context.user_domain_id = auth_context.get('user_domain_id')
        request_context.roles = auth_context.get('roles')

        project_domain_id = auth_context.get('project_domain_id')
        request_context.project_domain_id = project_domain_id

+        is_delegated_auth = auth_context.get('is_delegated_auth', False)
+        request_context.is_delegated_auth = is_delegated_auth
+
+        request_context.trust_id = auth_context.get('trust_id')
+        request_context.trustor_id = auth_context.get('trustor_id')
+        request_context.trustee_id = auth_context.get('trustee_id')
+
+        access_token_id = auth_context.get('access_token_id')
+        request_context.oauth_consumer_id = auth_context.get('consumer_id')
+        request_context.oauth_acess_token_id = access_token_id
+
        LOG.debug('RBAC: auth_context: %s', auth_context)
        request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context

--- a/keystone/oauth1/controllers.py
+++ b/keystone/oauth1/controllers.py
@ -122,7 +122,7 @@ class AccessTokenCrudV3(controller.V3Controller):

    @controller.protected()
    def list_access_tokens(self, request, user_id):
-        if request.auth_context.get('is_delegated_auth'):
+        if request.context.is_delegated_auth:
            raise exception.Forbidden(
                _('Cannot list request tokens'
                  ' with a token issued via delegation.'))
@ -359,7 +359,7 @@ class OAuthControllerV3(controller.V3Controller):
        there is not another easy way to make sure the user knows which roles
        are being requested before authorizing.
        """
-        if request.auth_context.get('is_delegated_auth'):
+        if request.context.is_delegated_auth:
            raise exception.Forbidden(
                _('Cannot authorize a request token'
                  ' with a token issued via delegation.'))
--- a/keystone/resource/controllers.py
+++ b/keystone/resource/controllers.py
@ -298,11 +298,9 @@ class ProjectV3(controller.V3Controller):
                    'params at the same time.')
            raise exception.ValidationError(msg)

-        user_id = request.auth_context.get('user_id')
-
        if parents_as_list:
            parents = self.resource_api.list_project_parents(
-                ref['id'], user_id)
+                ref['id'], request.context.user_id)
            ref['parents'] = [ProjectV3.wrap_member(context, p)
                              for p in parents]
        elif parents_as_ids:
@ -310,7 +308,7 @@ class ProjectV3(controller.V3Controller):

        if subtree_as_list:
            subtree = self.resource_api.list_projects_in_subtree(
-                ref['id'], user_id)
+                ref['id'], request.context.user_id)
            ref['subtree'] = [ProjectV3.wrap_member(context, p)
                              for p in subtree]
        elif subtree_as_ids:
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@ -121,9 +121,9 @@ class TrustV3(controller.V3Controller):
        """
        validation.lazy_validate(schema.trust_create, trust)
        # Check if delegated via trust
-        if request.auth_context.get('is_delegated_auth'):
+        if request.context.is_delegated_auth:
            # Redelegation case
-            src_trust_id = request.auth_context['trust_id']
+            src_trust_id = request.context.trust_id
            if not src_trust_id:
                raise exception.Forbidden(
                    _('Redelegation allowed for delegated by trust only'))