Handle more auth information via context

Add more information from the auth_context dict to the request context
object and start the process of converting code over to using the
context instead.

Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
Jamie Lennox 2016-07-08 17:42:40 +10:00
parent 1d7c96d6a3
commit 9dc21e8525
5 changed files with 28 additions and 8 deletions


@ -29,6 +29,16 @@ class RequestContext(oslo_context.RequestContext):
self.username = kwargs.pop('username', None) self.username = kwargs.pop('username', None)
self.user_domain_name = kwargs.pop('user_domain_name', None) self.user_domain_name = kwargs.pop('user_domain_name', None)
self.project_domain_name = kwargs.pop('project_domain_name', None) self.project_domain_name = kwargs.pop('project_domain_name', None)
self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
self.trust_id = kwargs.pop('trust_id', None)
self.trustor_id = kwargs.pop('trustor_id', None)
self.trustee_id = kwargs.pop('trustee_id', None)
self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
self.authenticated = kwargs.pop('authenticated', False) self.authenticated = kwargs.pop('authenticated', False)
super(RequestContext, self).__init__(**kwargs) super(RequestContext, self).__init__(**kwargs)
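Review bot: The six new attributes (`is_delegated_auth` through `oauth_access_token_id`) are added without a comment saying where their values come from or what the None/False defaults mean. Read on its own, RequestContext does not show that they mirror keys of the auth_context dict filled in by AuthContextMiddleware (the second file in this commit), nor that False/None means the token carried no delegation or OAuth information. I would add above the `self.is_delegated_auth` line: `# Delegation (trust/OAuth) details mirrored from the auth_context dict built by AuthContextMiddleware; None/False when the token carries none.` The enclosing `__init__` starts outside the hunk.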


@ -214,12 +214,24 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
request_context.user_id = auth_context.get('user_id') request_context.user_id = auth_context.get('user_id')
request_context.project_id = auth_context.get('project_id') request_context.project_id = auth_context.get('project_id')
request_context.domain_id = auth_context.get('domain_id') request_context.domain_id = auth_context.get('domain_id')
request_context.domain_name = auth_context.get('domain_name')
request_context.user_domain_id = auth_context.get('user_domain_id') request_context.user_domain_id = auth_context.get('user_domain_id')
request_context.roles = auth_context.get('roles') request_context.roles = auth_context.get('roles')
project_domain_id = auth_context.get('project_domain_id') project_domain_id = auth_context.get('project_domain_id')
request_context.project_domain_id = project_domain_id request_context.project_domain_id = project_domain_id
is_delegated_auth = auth_context.get('is_delegated_auth', False)
request_context.is_delegated_auth = is_delegated_auth
request_context.trust_id = auth_context.get('trust_id')
request_context.trustor_id = auth_context.get('trustor_id')
request_context.trustee_id = auth_context.get('trustee_id')
access_token_id = auth_context.get('access_token_id')
request_context.oauth_consumer_id = auth_context.get('consumer_id')
request_context.oauth_acess_token_id = access_token_id
LOG.debug('RBAC: auth_context: %s', auth_context) LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
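Review bot: `request_context.oauth_acess_token_id = access_token_id` misspells the attribute, so it creates a stray `oauth_acess_token_id` on the object while the `oauth_access_token_id` attribute that RequestContext defines (first file in this commit) keeps its default of None. Any caller later converted to read `request.context.oauth_access_token_id` would never see the access token id taken from auth_context, and nothing fails loudly because plain attribute assignment accepts the misspelled name. Change the line to `request_context.oauth_access_token_id = access_token_id`. The enclosing method starts outside the hunk and appears to continue past it.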


@ -122,7 +122,7 @@ class AccessTokenCrudV3(controller.V3Controller):
@controller.protected() @controller.protected()
def list_access_tokens(self, request, user_id): def list_access_tokens(self, request, user_id):
if request.auth_context.get('is_delegated_auth'): if request.context.is_delegated_auth:
raise exception.Forbidden( raise exception.Forbidden(
_('Cannot list request tokens' _('Cannot list request tokens'
' with a token issued via delegation.')) ' with a token issued via delegation.'))
@ -359,7 +359,7 @@ class OAuthControllerV3(controller.V3Controller):
there is not another easy way to make sure the user knows which roles there is not another easy way to make sure the user knows which roles
are being requested before authorizing. are being requested before authorizing.
""" """
if request.auth_context.get('is_delegated_auth'): if request.context.is_delegated_auth:
raise exception.Forbidden( raise exception.Forbidden(
_('Cannot authorize a request token' _('Cannot authorize a request token'
' with a token issued via delegation.')) ' with a token issued via delegation.'))


@ -298,11 +298,9 @@ class ProjectV3(controller.V3Controller):
'params at the same time.') 'params at the same time.')
raise exception.ValidationError(msg) raise exception.ValidationError(msg)
user_id = request.auth_context.get('user_id')
if parents_as_list: if parents_as_list:
parents = self.resource_api.list_project_parents( parents = self.resource_api.list_project_parents(
ref['id'], user_id) ref['id'], request.context.user_id)
ref['parents'] = [ProjectV3.wrap_member(context, p) ref['parents'] = [ProjectV3.wrap_member(context, p)
for p in parents] for p in parents]
elif parents_as_ids: elif parents_as_ids:
@ -310,7 +308,7 @@ class ProjectV3(controller.V3Controller):
if subtree_as_list: if subtree_as_list:
subtree = self.resource_api.list_projects_in_subtree( subtree = self.resource_api.list_projects_in_subtree(
ref['id'], user_id) ref['id'], request.context.user_id)
ref['subtree'] = [ProjectV3.wrap_member(context, p) ref['subtree'] = [ProjectV3.wrap_member(context, p)
for p in subtree] for p in subtree]
elif subtree_as_ids: elif subtree_as_ids:


@ -121,9 +121,9 @@ class TrustV3(controller.V3Controller):
""" """
validation.lazy_validate(schema.trust_create, trust) validation.lazy_validate(schema.trust_create, trust)
# Check if delegated via trust # Check if delegated via trust
if request.auth_context.get('is_delegated_auth'): if request.context.is_delegated_auth:
# Redelegation case # Redelegation case
src_trust_id = request.auth_context['trust_id'] src_trust_id = request.context.trust_id
if not src_trust_id: if not src_trust_id:
raise exception.Forbidden( raise exception.Forbidden(
_('Redelegation allowed for delegated by trust only')) _('Redelegation allowed for delegated by trust only'))
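Review bot: `src_trust_id = request.context.trust_id` quietly changes the failure mode for a delegated token without a trust id: the old `request.auth_context['trust_id']` would raise KeyError if the key was absent, whereas the context attribute defaults to None (first file in this commit) and now reaches the `if not src_trust_id` Forbidden branch. That is the better outcome for a non-trust delegation — presumably the OAuth case, given the middleware sets `is_delegated_auth` alongside the OAuth ids — but the check now depends on that default, so it is worth stating. I would add above the assignment: `# trust_id is None when the delegation is not via a trust; the check below rejects that case.` The enclosing method starts and ends outside the hunk.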