Handle more auth information via context
Add more information from the auth_context dict to the request context object and start the process of converting code over to using the context instead. Change-Id: I3a5d8af30834873dfc7a10464a22355f379ebbcf
parent
1d7c96d6a3
commit
9dc21e8525
|
@ -29,6 +29,16 @@ class RequestContext(oslo_context.RequestContext):
|
||||||
self.username = kwargs.pop('username', None)
|
self.username = kwargs.pop('username', None)
|
||||||
self.user_domain_name = kwargs.pop('user_domain_name', None)
|
self.user_domain_name = kwargs.pop('user_domain_name', None)
|
||||||
self.project_domain_name = kwargs.pop('project_domain_name', None)
|
self.project_domain_name = kwargs.pop('project_domain_name', None)
|
||||||
|
|
||||||
|
self.is_delegated_auth = kwargs.pop('is_delegated_auth', False)
|
||||||
|
|
||||||
|
self.trust_id = kwargs.pop('trust_id', None)
|
||||||
|
self.trustor_id = kwargs.pop('trustor_id', None)
|
||||||
|
self.trustee_id = kwargs.pop('trustee_id', None)
|
||||||
|
|
||||||
|
self.oauth_consumer_id = kwargs.pop('oauth_consumer_id', None)
|
||||||
|
self.oauth_access_token_id = kwargs.pop('oauth_access_token_id', None)
|
||||||
|
|
||||||
self.authenticated = kwargs.pop('authenticated', False)
|
self.authenticated = kwargs.pop('authenticated', False)
|
||||||
super(RequestContext, self).__init__(**kwargs)
|
super(RequestContext, self).__init__(**kwargs)
|
||||||
|
|
||||||
|
|
|
@ -214,12 +214,24 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
|
||||||
request_context.user_id = auth_context.get('user_id')
|
request_context.user_id = auth_context.get('user_id')
|
||||||
request_context.project_id = auth_context.get('project_id')
|
request_context.project_id = auth_context.get('project_id')
|
||||||
request_context.domain_id = auth_context.get('domain_id')
|
request_context.domain_id = auth_context.get('domain_id')
|
||||||
|
request_context.domain_name = auth_context.get('domain_name')
|
||||||
request_context.user_domain_id = auth_context.get('user_domain_id')
|
request_context.user_domain_id = auth_context.get('user_domain_id')
|
||||||
request_context.roles = auth_context.get('roles')
|
request_context.roles = auth_context.get('roles')
|
||||||
|
|
||||||
project_domain_id = auth_context.get('project_domain_id')
|
project_domain_id = auth_context.get('project_domain_id')
|
||||||
request_context.project_domain_id = project_domain_id
|
request_context.project_domain_id = project_domain_id
|
||||||
|
|
||||||
|
is_delegated_auth = auth_context.get('is_delegated_auth', False)
|
||||||
|
request_context.is_delegated_auth = is_delegated_auth
|
||||||
|
|
||||||
|
request_context.trust_id = auth_context.get('trust_id')
|
||||||
|
request_context.trustor_id = auth_context.get('trustor_id')
|
||||||
|
request_context.trustee_id = auth_context.get('trustee_id')
|
||||||
|
|
||||||
|
access_token_id = auth_context.get('access_token_id')
|
||||||
|
request_context.oauth_consumer_id = auth_context.get('consumer_id')
|
||||||
|
request_context.oauth_acess_token_id = access_token_id
|
||||||
|
|
||||||
LOG.debug('RBAC: auth_context: %s', auth_context)
|
LOG.debug('RBAC: auth_context: %s', auth_context)
|
||||||
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
|
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
|
||||||
|
|
||||||
|
|
|
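Review bot: The assignment `request_context.oauth_acess_token_id = access_token_id` misspells the attribute name. RequestContext defines `oauth_access_token_id`, so this line creates a new, unused attribute and `request.context.oauth_access_token_id` keeps its default of None on OAuth-authenticated requests. Python accepts the assignment silently, so nothing fails until a caller reads the context value in place of `auth_context['access_token_id']`. The line should read `request_context.oauth_access_token_id = access_token_id`, and a middleware test that compares each copied field against auth_context would catch this class of typo. The enclosing method starts and ends outside the hunk.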
@ -122,7 +122,7 @@ class AccessTokenCrudV3(controller.V3Controller):
|
||||||
|
|
||||||
@controller.protected()
|
@controller.protected()
|
||||||
def list_access_tokens(self, request, user_id):
|
def list_access_tokens(self, request, user_id):
|
||||||
if request.auth_context.get('is_delegated_auth'):
|
if request.context.is_delegated_auth:
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Cannot list request tokens'
|
_('Cannot list request tokens'
|
||||||
' with a token issued via delegation.'))
|
' with a token issued via delegation.'))
|
||||||
|
@ -359,7 +359,7 @@ class OAuthControllerV3(controller.V3Controller):
|
||||||
there is not another easy way to make sure the user knows which roles
|
there is not another easy way to make sure the user knows which roles
|
||||||
are being requested before authorizing.
|
are being requested before authorizing.
|
||||||
"""
|
"""
|
||||||
if request.auth_context.get('is_delegated_auth'):
|
if request.context.is_delegated_auth:
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Cannot authorize a request token'
|
_('Cannot authorize a request token'
|
||||||
' with a token issued via delegation.'))
|
' with a token issued via delegation.'))
|
||||||
|
|
|
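Review bot: The delegation guards in `list_access_tokens` and in the request-token authorize method of OAuthControllerV3 now read `request.context.is_delegated_auth`, as does the redelegation check in the TrustV3 hunk. RequestContext initialises that flag to False, and only the copy in AuthContextMiddleware sets it to the real value. The old `.get('is_delegated_auth')` had the same falsy default, but the checks now depend on a second copy of the flag, and whether every authenticated path runs that copy is not visible on this page. I would add tests that a trust-scoped or OAuth-delegated token gets Forbidden from each of these endpoints, plus a comment above the check such as `# is_delegated_auth is copied from auth_context by AuthContextMiddleware; defaults to False`. Both method bodies continue outside the hunks.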
@ -298,11 +298,9 @@ class ProjectV3(controller.V3Controller):
|
||||||
'params at the same time.')
|
'params at the same time.')
|
||||||
raise exception.ValidationError(msg)
|
raise exception.ValidationError(msg)
|
||||||
|
|
||||||
user_id = request.auth_context.get('user_id')
|
|
||||||
|
|
||||||
if parents_as_list:
|
if parents_as_list:
|
||||||
parents = self.resource_api.list_project_parents(
|
parents = self.resource_api.list_project_parents(
|
||||||
ref['id'], user_id)
|
ref['id'], request.context.user_id)
|
||||||
ref['parents'] = [ProjectV3.wrap_member(context, p)
|
ref['parents'] = [ProjectV3.wrap_member(context, p)
|
||||||
for p in parents]
|
for p in parents]
|
||||||
elif parents_as_ids:
|
elif parents_as_ids:
|
||||||
|
@ -310,7 +308,7 @@ class ProjectV3(controller.V3Controller):
|
||||||
|
|
||||||
if subtree_as_list:
|
if subtree_as_list:
|
||||||
subtree = self.resource_api.list_projects_in_subtree(
|
subtree = self.resource_api.list_projects_in_subtree(
|
||||||
ref['id'], user_id)
|
ref['id'], request.context.user_id)
|
||||||
ref['subtree'] = [ProjectV3.wrap_member(context, p)
|
ref['subtree'] = [ProjectV3.wrap_member(context, p)
|
||||||
for p in subtree]
|
for p in subtree]
|
||||||
elif subtree_as_ids:
|
elif subtree_as_ids:
|
||||||
|
|
|
@ -121,9 +121,9 @@ class TrustV3(controller.V3Controller):
|
||||||
"""
|
"""
|
||||||
validation.lazy_validate(schema.trust_create, trust)
|
validation.lazy_validate(schema.trust_create, trust)
|
||||||
# Check if delegated via trust
|
# Check if delegated via trust
|
||||||
if request.auth_context.get('is_delegated_auth'):
|
if request.context.is_delegated_auth:
|
||||||
# Redelegation case
|
# Redelegation case
|
||||||
src_trust_id = request.auth_context['trust_id']
|
src_trust_id = request.context.trust_id
|
||||||
if not src_trust_id:
|
if not src_trust_id:
|
||||||
raise exception.Forbidden(
|
raise exception.Forbidden(
|
||||||
_('Redelegation allowed for delegated by trust only'))
|
_('Redelegation allowed for delegated by trust only'))
|
||||||
|
|