From 9dc21e85250e1555e6aa47b02cf246fba9c10870 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Fri, 8 Jul 2016 17:42:40 +1000
Subject: [PATCH] Handle more auth information via context
Add more information from the auth_context dict to the request context object and start the process of converting code over to using the context instead.
Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
---
 keystone/common/context.py | 10 ++++++++++
 keystone/middleware/auth.py | 12 ++++++++++++
 keystone/oauth1/controllers.py | 4 ++--
 keystone/resource/controllers.py | 6 ++----
 keystone/trust/controllers.py | 4 ++--
 5 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/keystone/common/context.py b/keystone/common/context.py
index 240efc21eb..7ac997a395 100644
--- a/keystone/common/context.py
+++ b/keystone/common/context.py
@@ -29,6 +29,16 @@ class RequestContext(oslo_context.RequestContext):
 self.username = kwargs.pop('username', None)
 self.user_domain_name = kwargs.pop('user_domain_name', None)
 self.project_domain_name = kwargs.pop('project_domain_name', None)
+
+ self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
+
+ self.trust_id = kwargs.pop('trust_id', None)
+ self.trustor_id = kwargs.pop('trustor_id', None)
+ self.trustee_id = kwargs.pop('trustee_id', None)
+
+ self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
+ self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
+ self.authenticated = kwargs.pop('authenticated', False)
 super(RequestContext, self).__init__(**kwargs)
diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py
index e65671c32f..1efc04085e 100644
--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
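Review bot: The ten attributes added before the `super(RequestContext, self).__init__(**kwargs)` call carry no documentation, and the `False` default on `is_delegated_auth` is the permissive direction for the `Forbidden` checks this commit converts in keystone/oauth1/controllers.py and keystone/trust/controllers.py, so a context that is never populated by the middleware reads as non-delegated. A comment above the block would make that contract explicit, e.g. `# Delegation / OAuth1 details, copied from auth_context by AuthContextMiddleware.` / `# False/None means "not delegated": a context that skipped the middleware is` / `# indistinguishable from direct authentication, so callers must not rely on it alone.` The enclosing `__init__` begins outside the hunk.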
@@ -214,12 +214,24 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
 request_context.user_id = auth_context.get('user_id')
 request_context.project_id = auth_context.get('project_id')
 request_context.domain_id = auth_context.get('domain_id')
+ request_context.domain_name = auth_context.get('domain_name')
 request_context.user_domain_id = auth_context.get('user_domain_id')
 request_context.roles = auth_context.get('roles')
 project_domain_id = auth_context.get('project_domain_id')
 request_context.project_domain_id = project_domain_id
+ is_delegated_auth = auth_context.get('is_delegated_auth', False)
+ request_context.is_delegated_auth = is_delegated_auth
+
+ request_context.trust_id = auth_context.get('trust_id')
+ request_context.trustor_id = auth_context.get('trustor_id')
+ request_context.trustee_id = auth_context.get('trustee_id')
+
+ access_token_id = auth_context.get('access_token_id')
+ request_context.oauth_consumer_id = auth_context.get('consumer_id')
+ request_context.oauth_acess_token_id = access_token_id
+
 LOG.debug('RBAC: auth_context: %s', auth_context)
 request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
diff --git a/keystone/oauth1/controllers.py b/keystone/oauth1/controllers.py
index 29b6b84096..a72be56d05 100644
--- a/keystone/oauth1/controllers.py
+++ b/keystone/oauth1/controllers.py
@@ -122,7 +122,7 @@ class AccessTokenCrudV3(controller.V3Controller):
 @controller.protected()
 def list_access_tokens(self, request, user_id):
- if request.auth_context.get('is_delegated_auth'):
+ if request.context.is_delegated_auth:
 raise exception.Forbidden(
 _('Cannot list request tokens' ' with a token issued via delegation.'))
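Review bot: `request_context.oauth_acess_token_id = access_token_id` misspells the attribute that keystone/common/context.py defines as `oauth_access_token_id`, so the middleware sets a stray attribute and the real one stays `None` for every OAuth1-authenticated request; it should read `request_context.oauth_access_token_id = access_token_id`. The same block never populates `request_context.authenticated`, although context.py adds it with a `False` default — if it is set elsewhere in this method that is fine, but the hunk does not show it. `request_context.domain_name` is also assigned here without a matching attribute in the context.py hunk; presumably the oslo_context base class provides it, which is worth confirming. The enclosing method continues outside the hunk on both sides.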
@@ -359,7 +359,7 @@ class OAuthControllerV3(controller.V3Controller):
 there is not another easy way to make sure the user knows which roles are being requested before authorizing. """
- if request.auth_context.get('is_delegated_auth'):
+ if request.context.is_delegated_auth:
 raise exception.Forbidden(
 _('Cannot authorize a request token' ' with a token issued via delegation.'))
diff --git a/keystone/resource/controllers.py b/keystone/resource/controllers.py
index 4fef4e45ae..e32a5d0250 100644
--- a/keystone/resource/controllers.py
+++ b/keystone/resource/controllers.py
@@ -298,11 +298,9 @@ class ProjectV3(controller.V3Controller):
 'params at the same time.')
 raise exception.ValidationError(msg)
- user_id = request.auth_context.get('user_id')
-
 if parents_as_list:
 parents = self.resource_api.list_project_parents(
- ref['id'], user_id)
+ ref['id'], request.context.user_id)
 ref['parents'] = [ProjectV3.wrap_member(context, p) for p in parents]
 elif parents_as_ids:
@@ -310,7 +308,7 @@ class ProjectV3(controller.V3Controller):
 if subtree_as_list:
 subtree = self.resource_api.list_projects_in_subtree(
- ref['id'], user_id)
+ ref['id'], request.context.user_id)
 ref['subtree'] = [ProjectV3.wrap_member(context, p) for p in subtree]
 elif subtree_as_ids:
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index b06bf1489d..5dc46ca2e6 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -121,9 +121,9 @@ class TrustV3(controller.V3Controller):
 """
 validation.lazy_validate(schema.trust_create, trust)
 # Check if delegated via trust
- if request.auth_context.get('is_delegated_auth'):
+ if request.context.is_delegated_auth:
 # Redelegation case
- src_trust_id = request.auth_context['trust_id']
+ src_trust_id = request.context.trust_id
 if not src_trust_id:
 raise exception.Forbidden(
 _('Redelegation allowed for delegated by trust only'))