openstack
/
keystone
Code Issues Proposed changes

Pass a request to controllers instead of a context 

Instead of the unformed context dictionary pass a full request object
with access to the context_dict so that existing functions still work.
After this we can replace smaller usages of the context dict with
functions and properties on the request directly.

Change-Id: Ibe822ed7c76a24a7d31d98ce62f873a01e5fb213
This commit is contained in:
Jamie Lennox 2016-05-19 23:06:14 +10:00
parent 1084c4c41f
commit da6ea7e224
29 changed files with 906 additions and 824 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

177
keystone/assignment/controllers.py
View File

@ -42,7 +42,7 @@ class TenantAssignment(controller.V2Controller):
"""The V2 Project APIs that are processing assignments."""
@controller.v2_auth_deprecated
def get_projects_for_token(self, context, **kw):
def get_projects_for_token(self, request, **kw):
"""Get valid tenants for token based on token used to authenticate.
Pulls the token from the context, validates it and gets the valid
@ -51,21 +51,21 @@ class TenantAssignment(controller.V2Controller):
Doesn't care about token scopedness.
"""
token_ref = utils.get_token_ref(context)
token_ref = utils.get_token_ref(request.context_dict)
tenant_refs = (
self.assignment_api.list_projects_for_user(token_ref.user_id))
tenant_refs = [self.v3_to_v2_project(ref) for ref in tenant_refs
if ref['domain_id'] == CONF.identity.default_domain_id]
params = {
'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'),
'limit': request.context_dict['query_string'].get('limit'),
'marker': request.context_dict['query_string'].get('marker'),
}
return self.format_project_list(tenant_refs, **params)
@controller.v2_deprecated
def get_project_users(self, context, tenant_id, **kw):
self.assert_admin(context)
def get_project_users(self, request, tenant_id, **kw):
self.assert_admin(request.context_dict)
user_refs = []
user_ids = self.assignment_api.list_user_ids_for_project(tenant_id)
for user_id in user_ids:
@ -87,14 +87,14 @@ class Role(controller.V2Controller):
"""The Role management APIs."""
@controller.v2_deprecated
def get_role(self, context, role_id):
self.assert_admin(context)
def get_role(self, request, role_id):
self.assert_admin(request.context_dict)
return {'role': self.role_api.get_role(role_id)}
@controller.v2_deprecated
def create_role(self, context, role):
def create_role(self, request, role):
role = self._normalize_dict(role)
self.assert_admin(context)
self.assert_admin(request.context_dict)
if 'name' not in role or not role['name']:
msg = _('Name field is required and cannot be empty')
@ -109,19 +109,19 @@ class Role(controller.V2Controller):
role_id = uuid.uuid4().hex
role['id'] = role_id
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
role_ref = self.role_api.create_role(role_id, role, initiator)
return {'role': role_ref}
@controller.v2_deprecated
def delete_role(self, context, role_id):
self.assert_admin(context)
initiator = notifications._get_request_audit_info(context)
def delete_role(self, request, role_id):
self.assert_admin(request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
self.role_api.delete_role(role_id, initiator)
@controller.v2_deprecated
def get_roles(self, context):
self.assert_admin(context)
def get_roles(self, request):
self.assert_admin(request.context_dict)
return {'roles': self.role_api.list_roles()}
@ -131,14 +131,14 @@ class RoleAssignmentV2(controller.V2Controller):
# COMPAT(essex-3)
@controller.v2_deprecated
def get_user_roles(self, context, user_id, tenant_id=None):
def get_user_roles(self, request, user_id, tenant_id=None):
"""Get the roles for a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
# NOTE(davechen): Router without project id is defined,
# but we don't plan on implementing this.
if tenant_id is None:
@ -150,14 +150,14 @@ class RoleAssignmentV2(controller.V2Controller):
for x in roles]}
@controller.v2_deprecated
def add_role_to_user(self, context, user_id, role_id, tenant_id=None):
def add_role_to_user(self, request, user_id, role_id, tenant_id=None):
"""Add a role to a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
if tenant_id is None:
raise exception.NotImplemented(
message=_('User roles not supported: tenant_id required'))
@ -169,14 +169,14 @@ class RoleAssignmentV2(controller.V2Controller):
return {'role': role_ref}
@controller.v2_deprecated
def remove_role_from_user(self, context, user_id, role_id, tenant_id=None):
def remove_role_from_user(self, request, user_id, role_id, tenant_id=None):
"""Remove a role from a user and tenant pair.
Since we're trying to ignore the idea of user-only roles we're
not implementing them in hopes that the idea will die off.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
if tenant_id is None:
raise exception.NotImplemented(
message=_('User roles not supported: tenant_id required'))
@ -188,7 +188,7 @@ class RoleAssignmentV2(controller.V2Controller):
# COMPAT(diablo): CRUD extension
@controller.v2_deprecated
def get_role_refs(self, context, user_id):
def get_role_refs(self, request, user_id):
"""Ultimate hack to get around having to make role_refs first-class.
This will basically iterate over the various roles the user has in
@ -197,7 +197,7 @@ class RoleAssignmentV2(controller.V2Controller):
up the appropriate data when we need to delete them.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
tenants = self.assignment_api.list_projects_for_user(user_id)
o = []
for tenant in tenants:
@ -217,14 +217,14 @@ class RoleAssignmentV2(controller.V2Controller):
# COMPAT(diablo): CRUD extension
@controller.v2_deprecated
def create_role_ref(self, context, user_id, role):
def create_role_ref(self, request, user_id, role):
"""Used for adding a user to a tenant.
In the legacy data model adding a user to a tenant required setting
a role.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
# TODO(termie): for now we're ignoring the actual role
tenant_id = role.get('tenantId')
role_id = role.get('roleId')
@ -236,7 +236,7 @@ class RoleAssignmentV2(controller.V2Controller):
# COMPAT(diablo): CRUD extension
@controller.v2_deprecated
def delete_role_ref(self, context, user_id, role_ref_id):
def delete_role_ref(self, request, user_id, role_ref_id):
"""Used for deleting a user from a tenant.
In the legacy data model removing a user from a tenant required
@ -247,7 +247,7 @@ class RoleAssignmentV2(controller.V2Controller):
we remove the user from the tenant.
"""
self.assert_admin(context)
self.assert_admin(request.context_dict)
# TODO(termie): for now we're ignoring the actual role
role_ref_ref = urllib.parse.parse_qs(role_ref_id)
tenant_id = role_ref_ref.get('tenantId')[0]
@ -268,11 +268,14 @@ class ProjectAssignmentV3(controller.V3Controller):
self.get_member_from_driver = self.resource_api.get_project
@controller.filterprotected('domain_id', 'enabled', 'name')
def list_user_projects(self, context, filters, user_id):
hints = ProjectAssignmentV3.build_driver_hints(context, filters)
def list_user_projects(self, request, filters, user_id):
hints = ProjectAssignmentV3.build_driver_hints(request.context_dict,
filters)
refs = self.assignment_api.list_projects_for_user(user_id,
hints=hints)
return ProjectAssignmentV3.wrap_collection(context, refs, hints=hints)
return ProjectAssignmentV3.wrap_collection(request.context_dict,
refs,
hints=hints)
@dependency.requires('role_api')
@ -319,33 +322,33 @@ class RoleV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.role_create, 'role')
def create_role(self, context, role):
return self._create_role(context, role)
def create_role(self, request, role):
return self._create_role(request.context_dict, role)
@controller.protected()
@validation.validated(schema.role_create, 'role')
def create_domain_role(self, context, role):
return self._create_role(context, role)
def create_domain_role(self, request, role):
return self._create_role(request.context_dict, role)
def list_roles_wrapper(self, context):
def list_roles_wrapper(self, request):
# If there is no domain_id filter defined, then we only want to return
# global roles, so we set the domain_id filter to None.
params = context['query_string']
params = request.context_dict['query_string']
if 'domain_id' not in params:
context['query_string']['domain_id'] = None
request.context_dict['query_string']['domain_id'] = None
if context['query_string']['domain_id'] is not None:
return self.list_domain_roles(context)
if request.context_dict['query_string']['domain_id'] is not None:
return self.list_domain_roles(request)
else:
return self.list_roles(context)
return self.list_roles(request)
@controller.filterprotected('name', 'domain_id')
def list_roles(self, context, filters):
return self._list_roles(context, filters)
def list_roles(self, request, filters):
return self._list_roles(request.context_dict, filters)
@controller.filterprotected('name', 'domain_id')
def list_domain_roles(self, context, filters):
return self._list_roles(context, filters)
def list_domain_roles(self, request, filters):
return self._list_roles(request.context_dict, filters)
def get_role_wrapper(self, context, role_id):
if self._is_domain_role_target(role_id):
@ -354,12 +357,12 @@ class RoleV3(controller.V3Controller):
return self.get_role(context, role_id=role_id)
@controller.protected()
def get_role(self, context, role_id):
return self._get_role(context, role_id)
def get_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
@controller.protected()
def get_domain_role(self, context, role_id):
return self._get_role(context, role_id)
def get_domain_role(self, request, role_id):
return self._get_role(request.context_dict, role_id)
def update_role_wrapper(self, context, role_id, role):
# Since we don't allow you change whether a role is global or domain
@ -373,13 +376,13 @@ class RoleV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.role_update, 'role')
def update_role(self, context, role_id, role):
return self._update_role(context, role_id, role)
def update_role(self, request, role_id, role):
return self._update_role(request.context_dict, role_id, role)
@controller.protected()
@validation.validated(schema.role_update, 'role')
def update_domain_role(self, context, role_id, role):
return self._update_role(context, role_id, role)
def update_domain_role(self, request, role_id, role):
return self._update_role(request.context_dict, role_id, role)
def delete_role_wrapper(self, context, role_id):
if self._is_domain_role_target(role_id):
@ -388,12 +391,12 @@ class RoleV3(controller.V3Controller):
return self.delete_role(context, role_id=role_id)
@controller.protected()
def delete_role(self, context, role_id):
return self._delete_role(context, role_id)
def delete_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
@controller.protected()
def delete_domain_role(self, context, role_id):
return self._delete_role(context, role_id)
def delete_domain_role(self, request, role_id):
return self._delete_role(request.context_dict, role_id)
def _create_role(self, context, role):
if role['name'] == CONF.member_role_name:
@ -484,38 +487,40 @@ class ImpliedRolesV3(controller.V3Controller):
return response
@controller.protected()
def get_implied_role(self, context, prior_role_id, implied_role_id):
def get_implied_role(self, request, prior_role_id, implied_role_id):
ref = self.role_api.get_implied_role(prior_role_id, implied_role_id)
prior_id = ref['prior_role_id']
implied_id = ref['implied_role_id']
endpoint = super(controller.V3Controller, ImpliedRolesV3).base_url(
context, 'public')
request.context_dict, 'public')
response = self._populate_implied_role_response(
endpoint, prior_id, implied_id)
return response
@controller.protected()
def check_implied_role(self, context, prior_role_id, implied_role_id):
def check_implied_role(self, request, prior_role_id, implied_role_id):
self.role_api.get_implied_role(prior_role_id, implied_role_id)
@controller.protected()
def create_implied_role(self, context, prior_role_id, implied_role_id):
def create_implied_role(self, request, prior_role_id, implied_role_id):
self.role_api.create_implied_role(prior_role_id, implied_role_id)
return wsgi.render_response(
self.get_implied_role(context, prior_role_id, implied_role_id),
self.get_implied_role(request,
prior_role_id,
implied_role_id),
status=(201, 'Created'))
@controller.protected()
def delete_implied_role(self, context, prior_role_id, implied_role_id):
def delete_implied_role(self, request, prior_role_id, implied_role_id):
self.role_api.delete_implied_role(prior_role_id, implied_role_id)
@controller.protected()
def list_implied_roles(self, context, prior_role_id):
def list_implied_roles(self, request, prior_role_id):
ref = self.role_api.list_implied_roles(prior_role_id)
implied_ids = [r['implied_role_id'] for r in ref]
endpoint = super(controller.V3Controller, ImpliedRolesV3).base_url(
context, 'public')
request.context_dict, 'public')
results = self._populate_implied_roles_response(
endpoint, prior_role_id, implied_ids)
@ -523,14 +528,14 @@ class ImpliedRolesV3(controller.V3Controller):
return results
@controller.protected()
def list_role_inference_rules(self, context):
def list_role_inference_rules(self, request):
refs = self.role_api.list_role_inference_rules()
role_dict = {role_ref['id']: role_ref
for role_ref in self.role_api.list_roles()}
rules = dict()
endpoint = super(controller.V3Controller, ImpliedRolesV3).base_url(
context, 'public')
request.context_dict, 'public')
for ref in refs:
implied_role_id = ref['implied_role_id']
@ -614,7 +619,7 @@ class GrantAssignmentV3(controller.V3Controller):
self.check_protection(context, protection, ref)
@controller.protected(callback=_check_grant_protection)
def create_grant(self, context, role_id, user_id=None,
def create_grant(self, request, role_id, user_id=None,
group_id=None, domain_id=None, project_id=None):
"""Grant a role to a user or group on either a domain or project."""
self._require_domain_xor_project(domain_id, project_id)
@ -622,10 +627,11 @@ class GrantAssignmentV3(controller.V3Controller):
self.assignment_api.create_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context), context)
self._check_if_inherited(request.context_dict),
request.context_dict)
@controller.protected(callback=_check_grant_protection)
def list_grants(self, context, user_id=None,
def list_grants(self, request, user_id=None,
group_id=None, domain_id=None, project_id=None):
"""List roles granted to user/group on either a domain or project."""
self._require_domain_xor_project(domain_id, project_id)
@ -633,11 +639,11 @@ class GrantAssignmentV3(controller.V3Controller):
refs = self.assignment_api.list_grants(
user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
return GrantAssignmentV3.wrap_collection(context, refs)
self._check_if_inherited(request.context_dict))
return GrantAssignmentV3.wrap_collection(request.context_dict, refs)
@controller.protected(callback=_check_grant_protection)
def check_grant(self, context, role_id, user_id=None,
def check_grant(self, request, role_id, user_id=None,
group_id=None, domain_id=None, project_id=None):
"""Check if a role has been granted on either a domain or project."""
self._require_domain_xor_project(domain_id, project_id)
@ -645,14 +651,14 @@ class GrantAssignmentV3(controller.V3Controller):
self.assignment_api.get_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context))
self._check_if_inherited(request.context_dict))
# NOTE(lbragstad): This will allow users to clean up role assignments
# from the backend in the event the user was removed prior to the role
# assignment being removed.
@controller.protected(callback=functools.partial(
_check_grant_protection, allow_no_user=True))
def revoke_grant(self, context, role_id, user_id=None,
def revoke_grant(self, request, role_id, user_id=None,
group_id=None, domain_id=None, project_id=None):
"""Revoke a role from user/group on either a domain or project."""
self._require_domain_xor_project(domain_id, project_id)
@ -660,7 +666,8 @@ class GrantAssignmentV3(controller.V3Controller):
self.assignment_api.delete_grant(
role_id, user_id, group_id, domain_id, project_id,
self._check_if_inherited(context), context)
self._check_if_inherited(request.context_dict),
request.context_dict)
@dependency.requires('assignment_api', 'identity_api', 'resource_api')
@ -925,8 +932,8 @@ class RoleAssignmentV3(controller.V3Controller):
@controller.filterprotected('group.id', 'role.id',
'scope.domain.id', 'scope.project.id',
'scope.OS-INHERIT:inherited_to', 'user.id')
def list_role_assignments(self, context, filters):
return self._list_role_assignments(context, filters)
def list_role_assignments(self, request, filters):
return self._list_role_assignments(request.context_dict, filters)
def _check_list_tree_protection(self, context, protection_info):
"""Check protection for list assignment for tree API.
@ -947,15 +954,15 @@ class RoleAssignmentV3(controller.V3Controller):
'scope.domain.id', 'scope.project.id',
'scope.OS-INHERIT:inherited_to', 'user.id',
callback=_check_list_tree_protection)
def list_role_assignments_for_tree(self, context, filters):
if not context['query_string'].get('scope.project.id'):
def list_role_assignments_for_tree(self, request, filters):
if not request.context_dict['query_string'].get('scope.project.id'):
msg = _('scope.project.id must be specified if include_subtree '
'is also specified')
raise exception.ValidationError(message=msg)
return self._list_role_assignments(context, filters,
return self._list_role_assignments(request.context_dict, filters,
include_subtree=True)
def list_role_assignments_wrapper(self, context):
def list_role_assignments_wrapper(self, request):
"""Main entry point from router for list role assignments.
Since we want different policy file rules to be applicable based on
@ -964,9 +971,9 @@ class RoleAssignmentV3(controller.V3Controller):
protected entry point.
"""
params = context['query_string']
params = request.context_dict['query_string']
if 'include_subtree' in params and (
self.query_filter_is_true(params['include_subtree'])):
return self.list_role_assignments_for_tree(context)
return self.list_role_assignments_for_tree(request)
else:
return self.list_role_assignments(context)
return self.list_role_assignments(request)

60
keystone/auth/controllers.py
View File

@ -391,16 +391,17 @@ class Auth(controller.V3Controller):
super(Auth, self).__init__(*args, **kw)
config.setup_authentication()
def authenticate_for_token(self, context, auth=None):
def authenticate_for_token(self, request, auth=None):
"""Authenticate user and issue a token."""
include_catalog = 'nocatalog' not in context['query_string']
query_string = request.context_dict['query_string']
include_catalog = 'nocatalog' not in query_string
try:
auth_info = AuthInfo.create(context, auth=auth)
auth_info = AuthInfo.create(request.context_dict, auth=auth)
auth_context = AuthContext(extras={},
method_names=[],
bind={})
self.authenticate(context, auth_info, auth_context)
self.authenticate(request, auth_info, auth_context)
if auth_context.get('access_token_id'):
auth_info.set_scope(None, auth_context['project_id'], None)
self._check_and_set_default_scoping(auth_info, auth_context)
@ -496,15 +497,17 @@ class Auth(controller.V3Controller):
LOG.warning(msg, {'user_id': user_ref['id'],
'project_id': default_project_id})
def authenticate(self, context, auth_info, auth_context):
def authenticate(self, request, auth_info, auth_context):
"""Authenticate user."""
# The 'external' method allows any 'REMOTE_USER' based authentication
# In some cases the server can set REMOTE_USER as '' instead of
# dropping it, so this must be filtered out
if context['environment'].get('REMOTE_USER'):
if request.context_dict['environment'].get('REMOTE_USER'):
try:
external = get_auth_method('external')
external.authenticate(context, auth_info, auth_context)
external.authenticate(request.context_dict,
auth_info,
auth_context)
except exception.AuthMethodNotSupported:
# This will happen there is no 'external' plugin registered
# and the container is performing authentication.
@ -523,7 +526,7 @@ class Auth(controller.V3Controller):
auth_response = {'methods': []}
for method_name in auth_info.get_method_names():
method = get_auth_method(method_name)
resp = method.authenticate(context,
resp = method.authenticate(request.context_dict,
auth_info.get_method_data(method_name),
auth_context)
if resp:
@ -539,8 +542,8 @@ class Auth(controller.V3Controller):
raise exception.Unauthorized(msg)
@controller.protected()
def check_token(self, context):
token_id = context.get('subject_token_id')
def check_token(self, request):
token_id = request.context_dict.get('subject_token_id')
token_data = self.token_provider_api.validate_v3_token(
token_id)
# NOTE(morganfainberg): The code in
@ -549,14 +552,15 @@ class Auth(controller.V3Controller):
return render_token_data_response(token_id, token_data)
@controller.protected()
def revoke_token(self, context):
token_id = context.get('subject_token_id')
def revoke_token(self, request):
token_id = request.context_dict.get('subject_token_id')
return self.token_provider_api.revoke_token(token_id)
@controller.protected()
def validate_token(self, context):
token_id = context.get('subject_token_id')
include_catalog = 'nocatalog' not in context['query_string']
def validate_token(self, request):
token_id = request.context_dict.get('subject_token_id')
query_string = request.context_dict['query_string']
include_catalog = 'nocatalog' not in query_string
token_data = self.token_provider_api.validate_v3_token(
token_id)
if not include_catalog and 'catalog' in token_data['token']:
@ -564,11 +568,12 @@ class Auth(controller.V3Controller):
return render_token_data_response(token_id, token_data)
@controller.protected()
def revocation_list(self, context, auth=None):
def revocation_list(self, request, auth=None):
if not CONF.token.revoke_by_id:
raise exception.Gone()
audit_id_only = ('audit_id_only' in context['query_string'])
query_string = request.context_dict['query_string']
audit_id_only = 'audit_id_only' in query_string
tokens = self.token_provider_api.list_revoked_tokens()
@ -600,8 +605,8 @@ class Auth(controller.V3Controller):
return a or b
@controller.protected()
def get_auth_projects(self, context):
auth_context = self.get_auth_context(context)
def get_auth_projects(self, request):
auth_context = self.get_auth_context(request.context_dict)
user_id = auth_context.get('user_id')
user_refs = []
@ -618,11 +623,12 @@ class Auth(controller.V3Controller):
grp_refs = self.assignment_api.list_projects_for_groups(group_ids)
refs = self._combine_lists_uniquely(user_refs, grp_refs)
return resource_controllers.ProjectV3.wrap_collection(context, refs)
return resource_controllers.ProjectV3.wrap_collection(
request.context_dict, refs)
@controller.protected()
def get_auth_domains(self, context):
auth_context = self.get_auth_context(context)
def get_auth_domains(self, request):
auth_context = self.get_auth_context(request.context_dict)
user_id = auth_context.get('user_id')
user_refs = []
@ -639,11 +645,12 @@ class Auth(controller.V3Controller):
grp_refs = self.assignment_api.list_domains_for_groups(group_ids)
refs = self._combine_lists_uniquely(user_refs, grp_refs)
return resource_controllers.DomainV3.wrap_collection(context, refs)
return resource_controllers.DomainV3.wrap_collection(
request.context_dict, refs)
@controller.protected()
def get_auth_catalog(self, context):
auth_context = self.get_auth_context(context)
def get_auth_catalog(self, request):
auth_context = self.get_auth_context(request.context_dict)
user_id = auth_context.get('user_id')
project_id = auth_context.get('project_id')
@ -660,7 +667,8 @@ class Auth(controller.V3Controller):
# several private methods.
return {
'catalog': self.catalog_api.get_v3_catalog(user_id, project_id),
'links': {'self': self.base_url(context, path='auth/catalog')}
'links': {'self': self.base_url(request.context_dict,
path='auth/catalog')}
}

183
keystone/catalog/controllers.py
View File

@ -36,30 +36,30 @@ INTERFACES = ['public', 'internal', 'admin']
class Service(controller.V2Controller):
@controller.v2_deprecated
def get_services(self, context):
self.assert_admin(context)
def get_services(self, request):
self.assert_admin(request.context_dict)
service_list = self.catalog_api.list_services()
return {'OS-KSADM:services': service_list}
@controller.v2_deprecated
def get_service(self, context, service_id):
self.assert_admin(context)
def get_service(self, request, service_id):
self.assert_admin(request.context_dict)
service_ref = self.catalog_api.get_service(service_id)
return {'OS-KSADM:service': service_ref}
@controller.v2_deprecated
def delete_service(self, context, service_id):
self.assert_admin(context)
initiator = notifications._get_request_audit_info(context)
def delete_service(self, request, service_id):
self.assert_admin(request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
self.catalog_api.delete_service(service_id, initiator)
@controller.v2_deprecated
def create_service(self, context, OS_KSADM_service):
self.assert_admin(context)
def create_service(self, request, OS_KSADM_service):
self.assert_admin(request.context_dict)
service_id = uuid.uuid4().hex
service_ref = OS_KSADM_service.copy()
service_ref['id'] = service_id
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
new_service_ref = self.catalog_api.create_service(
service_id, service_ref, initiator)
return {'OS-KSADM:service': new_service_ref}
@ -69,9 +69,9 @@ class Service(controller.V2Controller):
class Endpoint(controller.V2Controller):
@controller.v2_deprecated
def get_endpoints(self, context):
def get_endpoints(self, request):
"""Merge matching v3 endpoint refs into legacy refs."""
self.assert_admin(context)
self.assert_admin(request.context_dict)
legacy_endpoints = {}
v3_endpoints = {}
for endpoint in self.catalog_api.list_endpoints():
@ -129,9 +129,9 @@ class Endpoint(controller.V2Controller):
return {'endpoints': list(legacy_endpoints.values())}
@controller.v2_deprecated
def create_endpoint(self, context, endpoint):
def create_endpoint(self, request, endpoint):
"""Create three v3 endpoint refs based on a legacy ref."""
self.assert_admin(context)
self.assert_admin(request.context_dict)
# according to the v2 spec publicurl is mandatory
self._require_attribute(endpoint, 'publicurl')
@ -146,7 +146,7 @@ class Endpoint(controller.V2Controller):
if interface_url:
utils.check_endpoint_url(interface_url)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
if endpoint.get('region') is not None:
try:
@ -184,10 +184,10 @@ class Endpoint(controller.V2Controller):
return {'endpoint': legacy_endpoint_ref}
@controller.v2_deprecated
def delete_endpoint(self, context, endpoint_id):
def delete_endpoint(self, request, endpoint_id):
"""Delete up to three v3 endpoint refs based on a legacy ref ID."""
self.assert_admin(context)
initiator = notifications._get_request_audit_info(context)
self.assert_admin(request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
deleted_at_least_one = False
for endpoint in self.catalog_api.list_endpoints():
@ -221,40 +221,42 @@ class RegionV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.region_create, 'region')
def create_region(self, context, region):
def create_region(self, request, region):
ref = self._normalize_dict(region)
if not ref.get('id'):
ref = self._assign_unique_id(ref)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_region(ref, initiator)
return wsgi.render_response(
RegionV3.wrap_member(context, ref),
RegionV3.wrap_member(request.context_dict, ref),
status=(201, 'Created'))
@controller.filterprotected('parent_region_id')
def list_regions(self, context, filters):
hints = RegionV3.build_driver_hints(context, filters)
def list_regions(self, request, filters):
hints = RegionV3.build_driver_hints(request.context_dict, filters)
refs = self.catalog_api.list_regions(hints)
return RegionV3.wrap_collection(context, refs, hints=hints)
return RegionV3.wrap_collection(request.context_dict,
refs,
hints=hints)
@controller.protected()
def get_region(self, context, region_id):
def get_region(self, request, region_id):
ref = self.catalog_api.get_region(region_id)
return RegionV3.wrap_member(context, ref)
return RegionV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.region_update, 'region')
def update_region(self, context, region_id, region):
def update_region(self, request, region_id, region):
self._require_matching_id(region_id, region)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_region(region_id, region, initiator)
return RegionV3.wrap_member(context, ref)
return RegionV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_region(self, context, region_id):
initiator = notifications._get_request_audit_info(context)
def delete_region(self, request, region_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_region(region_id, initiator)
@ -269,34 +271,36 @@ class ServiceV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.service_create, 'service')
def create_service(self, context, service):
def create_service(self, request, service):
ref = self._assign_unique_id(self._normalize_dict(service))
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_service(ref['id'], ref, initiator)
return ServiceV3.wrap_member(context, ref)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type', 'name')
def list_services(self, context, filters):
hints = ServiceV3.build_driver_hints(context, filters)
def list_services(self, request, filters):
hints = ServiceV3.build_driver_hints(request.context_dict, filters)
refs = self.catalog_api.list_services(hints=hints)
return ServiceV3.wrap_collection(context, refs, hints=hints)
return ServiceV3.wrap_collection(request.context_dict,
refs,
hints=hints)
@controller.protected()
def get_service(self, context, service_id):
def get_service(self, request, service_id):
ref = self.catalog_api.get_service(service_id)
return ServiceV3.wrap_member(context, ref)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.service_update, 'service')
def update_service(self, context, service_id, service):
def update_service(self, request, service_id, service):
self._require_matching_id(service_id, service)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_service(service_id, service, initiator)
return ServiceV3.wrap_member(context, ref)
return ServiceV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_service(self, context, service_id):
initiator = notifications._get_request_audit_info(context)
def delete_service(self, request, service_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_service(service_id, initiator)
@ -347,40 +351,43 @@ class EndpointV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.endpoint_create, 'endpoint')
def create_endpoint(self, context, endpoint):
def create_endpoint(self, request, endpoint):
utils.check_endpoint_url(endpoint['url'])
ref = self._assign_unique_id(self._normalize_dict(endpoint))
ref = self._validate_endpoint_region(ref, context)
initiator = notifications._get_request_audit_info(context)
ref = self._validate_endpoint_region(ref, request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.create_endpoint(ref['id'], ref, initiator)
return EndpointV3.wrap_member(context, ref)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('interface', 'service_id', 'region_id')
def list_endpoints(self, context, filters):
hints = EndpointV3.build_driver_hints(context, filters)
def list_endpoints(self, request, filters):
hints = EndpointV3.build_driver_hints(request.context_dict, filters)
refs = self.catalog_api.list_endpoints(hints=hints)
return EndpointV3.wrap_collection(context, refs, hints=hints)
return EndpointV3.wrap_collection(request.context_dict,
refs,
hints=hints)
@controller.protected()
def get_endpoint(self, context, endpoint_id):
def get_endpoint(self, request, endpoint_id):
ref = self.catalog_api.get_endpoint(endpoint_id)
return EndpointV3.wrap_member(context, ref)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.endpoint_update, 'endpoint')
def update_endpoint(self, context, endpoint_id, endpoint):
def update_endpoint(self, request, endpoint_id, endpoint):
self._require_matching_id(endpoint_id, endpoint)
endpoint = self._validate_endpoint_region(endpoint.copy(), context)
endpoint = self._validate_endpoint_region(endpoint.copy(),
request.context_dict)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.catalog_api.update_endpoint(endpoint_id, endpoint,
initiator)
return EndpointV3.wrap_member(context, ref)
return EndpointV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_endpoint(self, context, endpoint_id):
initiator = notifications._get_request_audit_info(context)
def delete_endpoint(self, request, endpoint_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.catalog_api.delete_endpoint(endpoint_id, initiator)
@ -407,7 +414,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
project_or_endpoint_id)
@controller.protected()
def add_endpoint_to_project(self, context, project_id, endpoint_id):
def add_endpoint_to_project(self, request, project_id, endpoint_id):
"""Establish an association between an endpoint and a project."""
# NOTE(gyee): we just need to make sure endpoint and project exist
# first. We don't really care whether if project is disabled.
@ -419,7 +426,7 @@ class EndpointFilterV3Controller(controller.V3Controller):
project_id)
@controller.protected()
def check_endpoint_in_project(self, context, project_id, endpoint_id):
def check_endpoint_in_project(self, request, project_id, endpoint_id):
"""Verify endpoint is currently associated with given project."""
self.catalog_api.get_endpoint(endpoint_id)
self.resource_api.get_project(project_id)
@ -427,31 +434,32 @@ class EndpointFilterV3Controller(controller.V3Controller):
project_id)
@controller.protected()
def list_endpoints_for_project(self, context, project_id):
def list_endpoints_for_project(self, request, project_id):
"""List all endpoints currently associated with a given project."""
self.resource_api.get_project(project_id)
filtered_endpoints = self.catalog_api.list_endpoints_for_project(
project_id)
return EndpointV3.wrap_collection(
context, [v for v in six.itervalues(filtered_endpoints)])
request.context_dict,
[v for v in six.itervalues(filtered_endpoints)])
@controller.protected()
def remove_endpoint_from_project(self, context, project_id, endpoint_id):
def remove_endpoint_from_project(self, request, project_id, endpoint_id):
"""Remove the endpoint from the association with given project."""
self.catalog_api.remove_endpoint_from_project(endpoint_id,
project_id)
@controller.protected()
def list_projects_for_endpoint(self, context, endpoint_id):
def list_projects_for_endpoint(self, request, endpoint_id):
"""Return a list of projects associated with the endpoint."""
self.catalog_api.get_endpoint(endpoint_id)
refs = self.catalog_api.list_projects_for_endpoint(endpoint_id)
projects = [self.resource_api.get_project(
ref['project_id']) for ref in refs]
return resource.controllers.ProjectV3.wrap_collection(context,
projects)
return resource.controllers.ProjectV3.wrap_collection(
request.context_dict, projects)
@dependency.requires('catalog_api', 'resource_api')
@ -473,13 +481,13 @@ class EndpointGroupV3Controller(controller.V3Controller):
@controller.protected()
@validation.validated(schema.endpoint_group_create, 'endpoint_group')
def create_endpoint_group(self, context, endpoint_group):
def create_endpoint_group(self, request, endpoint_group):
"""Create an Endpoint Group with the associated filters."""
ref = self._assign_unique_id(self._normalize_dict(endpoint_group))
self._require_attribute(ref, 'filters')
self._require_valid_filter(ref)
ref = self.catalog_api.create_endpoint_group(ref['id'], ref)
return EndpointGroupV3Controller.wrap_member(context, ref)
return EndpointGroupV3Controller.wrap_member(request.context_dict, ref)
def _require_valid_filter(self, endpoint_group):
filters = endpoint_group.get('filters')
@ -493,15 +501,15 @@ class EndpointGroupV3Controller(controller.V3Controller):
return ' or '.join(self.VALID_FILTER_KEYS)
@controller.protected()
def get_endpoint_group(self, context, endpoint_group_id):
def get_endpoint_group(self, request, endpoint_group_id):
"""Retrieve the endpoint group associated with the id if exists."""
ref = self.catalog_api.get_endpoint_group(endpoint_group_id)
return EndpointGroupV3Controller.wrap_member(
context, ref)
request.context_dict, ref)
@controller.protected()
@validation.validated(schema.endpoint_group_update, 'endpoint_group')
def update_endpoint_group(self, context, endpoint_group_id,
def update_endpoint_group(self, request, endpoint_group_id,
endpoint_group):
"""Update fixed values and/or extend the filters."""
if 'filters' in endpoint_group:
@ -509,30 +517,30 @@ class EndpointGroupV3Controller(controller.V3Controller):
ref = self.catalog_api.update_endpoint_group(endpoint_group_id,
endpoint_group)
return EndpointGroupV3Controller.wrap_member(
context, ref)
request.context_dict, ref)
@controller.protected()
def delete_endpoint_group(self, context, endpoint_group_id):
def delete_endpoint_group(self, request, endpoint_group_id):
"""Delete endpoint_group."""
self.catalog_api.delete_endpoint_group(endpoint_group_id)
@controller.protected()
def list_endpoint_groups(self, context):
def list_endpoint_groups(self, request):
"""List all endpoint groups."""
refs = self.catalog_api.list_endpoint_groups()
return EndpointGroupV3Controller.wrap_collection(
context, refs)
request.context_dict, refs)
@controller.protected()
def list_endpoint_groups_for_project(self, context, project_id):
def list_endpoint_groups_for_project(self, request, project_id):
"""List all endpoint groups associated with a given project."""
return EndpointGroupV3Controller.wrap_collection(
context,
request.context_dict,
self.catalog_api.get_endpoint_groups_for_project(project_id))
@controller.protected()
def list_projects_associated_with_endpoint_group(self,
context,
request,
endpoint_group_id):
"""List all projects associated with endpoint group."""
endpoint_group_refs = (self.catalog_api.
@ -544,18 +552,19 @@ class EndpointGroupV3Controller(controller.V3Controller):
endpoint_group_ref['project_id'])
if project:
projects.append(project)
return resource.controllers.ProjectV3.wrap_collection(context,
projects)
return resource.controllers.ProjectV3.wrap_collection(
request.context_dict, projects)
@controller.protected()
def list_endpoints_associated_with_endpoint_group(self,
context,
request,
endpoint_group_id):
"""List all the endpoints filtered by a specific endpoint group."""
filtered_endpoints = (self.catalog_api.
get_endpoints_filtered_by_endpoint_group(
endpoint_group_id))
return EndpointV3.wrap_collection(context, filtered_endpoints)
return EndpointV3.wrap_collection(request.context_dict,
filtered_endpoints)
@dependency.requires('catalog_api', 'resource_api')
@ -577,7 +586,7 @@ class ProjectEndpointGroupV3Controller(controller.V3Controller):
project_id))
@controller.protected()
def get_endpoint_group_in_project(self, context, endpoint_group_id,
def get_endpoint_group_in_project(self, request, endpoint_group_id,
project_id):
"""Retrieve the endpoint group associated with the id if exists."""
self.resource_api.get_project(project_id)
@ -585,10 +594,10 @@ class ProjectEndpointGroupV3Controller(controller.V3Controller):
ref = self.catalog_api.get_endpoint_group_in_project(
endpoint_group_id, project_id)
return ProjectEndpointGroupV3Controller.wrap_member(
context, ref)
request.context_dict, ref)
@controller.protected()
def add_endpoint_group_to_project(self, context, endpoint_group_id,
def add_endpoint_group_to_project(self, request, endpoint_group_id,
project_id):
"""Create an association between an endpoint group and project."""
self.resource_api.get_project(project_id)
@ -597,7 +606,7 @@ class ProjectEndpointGroupV3Controller(controller.V3Controller):
endpoint_group_id, project_id)
@controller.protected()
def remove_endpoint_group_from_project(self, context, endpoint_group_id,
def remove_endpoint_group_from_project(self, request, endpoint_group_id,
project_id):
"""Remove the endpoint group from associated project."""
self.resource_api.get_project(project_id)

44
keystone/common/controller.py
View File

@ -122,17 +122,23 @@ def protected(callback=None):
"""
def wrapper(f):
@functools.wraps(f)
def inner(self, context, *args, **kwargs):
if 'is_admin' in context and context['is_admin']:
def inner(self, request, *args, **kwargs):
if request.context_dict.get('is_admin', False):
LOG.warning(_LW('RBAC: Bypassing authorization'))
elif callback is not None:
prep_info = {'f_name': f.__name__,
'input_attr': kwargs}
callback(self, context, prep_info, *args, **kwargs)
callback(self,
request.context_dict,
prep_info,
*args,
**kwargs)
else:
action = 'identity:%s' % f.__name__
creds = _build_policy_check_credentials(self, action,
context, kwargs)
creds = _build_policy_check_credentials(self,
action,
request.context_dict,
kwargs)
policy_dict = {}
@ -149,11 +155,11 @@ def protected(callback=None):
# TODO(henry-nash): Move this entire code to a member
# method inside v3 Auth
if context.get('subject_token_id') is not None:
if request.context_dict.get('subject_token_id') is not None:
token_ref = token_model.KeystoneToken(
token_id=context['subject_token_id'],
token_id=request.context_dict['subject_token_id'],
token_data=self.token_provider_api.validate_token(
context['subject_token_id']))
request.context_dict['subject_token_id']))
policy_dict.setdefault('target', {})
policy_dict['target'].setdefault(self.member_name, {})
policy_dict['target'][self.member_name]['user_id'] = (
@ -178,7 +184,7 @@ def protected(callback=None):
action,
utils.flatten_dict(policy_dict))
LOG.debug('RBAC: Authorization granted')
return f(self, context, *args, **kwargs)
return f(self, request, *args, **kwargs)
return inner
return wrapper
@ -198,8 +204,8 @@ def filterprotected(*filters, **callback):
"""
def _filterprotected(f):
@functools.wraps(f)
def wrapper(self, context, **kwargs):
if not context['is_admin']:
def wrapper(self, request, **kwargs):
if not request.context_dict['is_admin']:
# The target dict for the policy check will include:
#
# - Any query filter parameters
@ -212,8 +218,9 @@ def filterprotected(*filters, **callback):
target = dict()
if filters:
for item in filters:
if item in context['query_string']:
target[item] = context['query_string'][item]
if item in request.context_dict['query_string']:
i = request.context_dict['query_string'][item]
target[item] = i
LOG.debug('RBAC: Adding query filter params (%s)', (
', '.join(['%s=%s' % (item, target[item])
@ -227,12 +234,15 @@ def filterprotected(*filters, **callback):
prep_info = {'f_name': f.__name__,
'input_attr': kwargs,
'filter_attr': target}
callback['callback'](self, context, prep_info, **kwargs)
callback['callback'](self,
request.context_dict,
prep_info,
**kwargs)
else:
# No callback, so we are going to check the protection here
action = 'identity:%s' % f.__name__
creds = _build_policy_check_credentials(self, action,
context, kwargs)
creds = _build_policy_check_credentials(
self, action, request.context_dict, kwargs)
# Add in any formal url parameters
for key in kwargs:
target[key] = kwargs[key]
@ -244,7 +254,7 @@ def filterprotected(*filters, **callback):
LOG.debug('RBAC: Authorization granted')
else:
LOG.warning(_LW('RBAC: Bypassing authorization'))
return f(self, context, filters, **kwargs)
return f(self, request, filters, **kwargs)
return wrapper
return _filterprotected

2
keystone/common/wsgi.py
View File

@ -219,7 +219,7 @@ class Application(BaseApplication):
params = self._normalize_dict(params)
try:
result = method(req.context_dict, **params)
result = method(req, **params)
except exception.Unauthorized as e:
LOG.warning(
_LW("Authorization failed. %(exception)s from "

51
keystone/contrib/ec2/controllers.py
View File

@ -265,7 +265,7 @@ class Ec2ControllerCommon(object):
class Ec2Controller(Ec2ControllerCommon, controller.V2Controller):
@controller.v2_ec2_deprecated
def authenticate(self, context, credentials=None, ec2Credentials=None):
def authenticate(self, request, credentials=None, ec2Credentials=None):
(user_ref, tenant_ref, metadata_ref, roles_ref,
catalog_ref) = self._authenticate(credentials=credentials,
ec2credentials=ec2Credentials)
@ -285,29 +285,29 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller):
return token_data
@controller.v2_ec2_deprecated
def get_credential(self, context, user_id, credential_id):
if not self._is_admin(context):
self._assert_identity(context, user_id)
def get_credential(self, request, user_id, credential_id):
if not self._is_admin(request.context_dict):
self._assert_identity(request.context_dict, user_id)
return super(Ec2Controller, self).get_credential(user_id,
credential_id)
@controller.v2_ec2_deprecated
def get_credentials(self, context, user_id):
if not self._is_admin(context):
self._assert_identity(context, user_id)
def get_credentials(self, request, user_id):
if not self._is_admin(request.context_dict):
self._assert_identity(request.context_dict, user_id)
return super(Ec2Controller, self).get_credentials(user_id)
@controller.v2_ec2_deprecated
def create_credential(self, context, user_id, tenant_id):
if not self._is_admin(context):
self._assert_identity(context, user_id)
return super(Ec2Controller, self).create_credential(context, user_id,
tenant_id)
def create_credential(self, request, user_id, tenant_id):
if not self._is_admin(request.context_dict):
self._assert_identity(request.context_dict, user_id)
return super(Ec2Controller, self).create_credential(
request.context_dict, user_id, tenant_id)
@controller.v2_ec2_deprecated
def delete_credential(self, context, user_id, credential_id):
if not self._is_admin(context):
self._assert_identity(context, user_id)
def delete_credential(self, request, user_id, credential_id):
if not self._is_admin(request.context_dict):
self._assert_identity(request.context_dict, user_id)
self._assert_owner(user_id, credential_id)
return super(Ec2Controller, self).delete_credential(user_id,
credential_id)
@ -392,24 +392,27 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
return render_token_data_response(token_id, token_data)
@controller.protected(callback=_check_credential_owner_and_user_id_match)
def ec2_get_credential(self, context, user_id, credential_id):
def ec2_get_credential(self, request, user_id, credential_id):
ref = super(Ec2ControllerV3, self).get_credential(user_id,
credential_id)
return Ec2ControllerV3.wrap_member(context, ref['credential'])
return Ec2ControllerV3.wrap_member(request.context_dict,
ref['credential'])
@controller.protected()
def ec2_list_credentials(self, context, user_id):
def ec2_list_credentials(self, request, user_id):
refs = super(Ec2ControllerV3, self).get_credentials(user_id)
return Ec2ControllerV3.wrap_collection(context, refs['credentials'])
return Ec2ControllerV3.wrap_collection(request.context_dict,
refs['credentials'])
@controller.protected()
def ec2_create_credential(self, context, user_id, tenant_id):
ref = super(Ec2ControllerV3, self).create_credential(context, user_id,
tenant_id)
return Ec2ControllerV3.wrap_member(context, ref['credential'])
def ec2_create_credential(self, request, user_id, tenant_id):
ref = super(Ec2ControllerV3, self).create_credential(
request.context_dict, user_id, tenant_id)
return Ec2ControllerV3.wrap_member(request.context_dict,
ref['credential'])
@controller.protected(callback=_check_credential_owner_and_user_id_match)
def ec2_delete_credential(self, context, user_id, credential_id):
def ec2_delete_credential(self, request, user_id, credential_id):
return super(Ec2ControllerV3, self).delete_credential(user_id,
credential_id)

22
keystone/credential/controllers.py
View File

@ -63,12 +63,12 @@ class CredentialV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.credential_create, 'credential')
def create_credential(self, context, credential):
trust_id = self._get_trust_id_for_request(context)
def create_credential(self, request, credential):
trust_id = self._get_trust_id_for_request(request.context_dict)
ref = self._assign_unique_id(self._normalize_dict(credential),
trust_id)
ref = self.credential_api.create_credential(ref['id'], ref)
return CredentialV3.wrap_member(context, ref)
return CredentialV3.wrap_member(request.context_dict, ref)
@staticmethod
def _blob_to_json(ref):
@ -83,27 +83,27 @@ class CredentialV3(controller.V3Controller):
return ref
@controller.filterprotected('user_id', 'type')
def list_credentials(self, context, filters):
hints = CredentialV3.build_driver_hints(context, filters)
def list_credentials(self, request, filters):
hints = CredentialV3.build_driver_hints(request.context_dict, filters)
refs = self.credential_api.list_credentials(hints)
ret_refs = [self._blob_to_json(r) for r in refs]
return CredentialV3.wrap_collection(context, ret_refs,
return CredentialV3.wrap_collection(request.context_dict, ret_refs,
hints=hints)
@controller.protected()
def get_credential(self, context, credential_id):
def get_credential(self, request, credential_id):
ref = self.credential_api.get_credential(credential_id)
ret_ref = self._blob_to_json(ref)
return CredentialV3.wrap_member(context, ret_ref)
return CredentialV3.wrap_member(request.context_dict, ret_ref)
@controller.protected()
@validation.validated(schema.credential_update, 'credential')
def update_credential(self, context, credential_id, credential):
def update_credential(self, request, credential_id, credential):
self._require_matching_id(credential_id, credential)
ref = self.credential_api.update_credential(credential_id, credential)
return CredentialV3.wrap_member(context, ref)
return CredentialV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_credential(self, context, credential_id):
def delete_credential(self, request, credential_id):
return self.credential_api.delete_credential(credential_id)

27
keystone/endpoint_policy/controllers.py
View File

@ -50,7 +50,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
payload['resource_info'])
@controller.protected()
def create_policy_association_for_endpoint(self, context,
def create_policy_association_for_endpoint(self, request,
policy_id, endpoint_id):
"""Create an association between a policy and an endpoint."""
self.policy_api.get_policy(policy_id)
@ -59,7 +59,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, endpoint_id=endpoint_id)
@controller.protected()
def check_policy_association_for_endpoint(self, context,
def check_policy_association_for_endpoint(self, request,
policy_id, endpoint_id):
"""Check an association between a policy and an endpoint."""
self.policy_api.get_policy(policy_id)
@ -68,7 +68,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, endpoint_id=endpoint_id)
@controller.protected()
def delete_policy_association_for_endpoint(self, context,
def delete_policy_association_for_endpoint(self, request,
policy_id, endpoint_id):
"""Delete an association between a policy and an endpoint."""
self.policy_api.get_policy(policy_id)
@ -77,7 +77,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, endpoint_id=endpoint_id)
@controller.protected()
def create_policy_association_for_service(self, context,
def create_policy_association_for_service(self, request,
policy_id, service_id):
"""Create an association between a policy and a service."""
self.policy_api.get_policy(policy_id)
@ -86,7 +86,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, service_id=service_id)
@controller.protected()
def check_policy_association_for_service(self, context,
def check_policy_association_for_service(self, request,
policy_id, service_id):
"""Check an association between a policy and a service."""
self.policy_api.get_policy(policy_id)
@ -95,7 +95,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, service_id=service_id)
@controller.protected()
def delete_policy_association_for_service(self, context,
def delete_policy_association_for_service(self, request,
policy_id, service_id):
"""Delete an association between a policy and a service."""
self.policy_api.get_policy(policy_id)
@ -105,7 +105,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
@controller.protected()
def create_policy_association_for_region_and_service(
self, context, policy_id, service_id, region_id):
self, request, policy_id, service_id, region_id):
"""Create an association between a policy and region+service."""
self.policy_api.get_policy(policy_id)
self.catalog_api.get_service(service_id)
@ -115,7 +115,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
@controller.protected()
def check_policy_association_for_region_and_service(
self, context, policy_id, service_id, region_id):
self, request, policy_id, service_id, region_id):
"""Check an association between a policy and region+service."""
self.policy_api.get_policy(policy_id)
self.catalog_api.get_service(service_id)
@ -125,7 +125,7 @@ class EndpointPolicyV3Controller(controller.V3Controller):
@controller.protected()
def delete_policy_association_for_region_and_service(
self, context, policy_id, service_id, region_id):
self, request, policy_id, service_id, region_id):
"""Delete an association between a policy and region+service."""
self.policy_api.get_policy(policy_id)
self.catalog_api.get_service(service_id)
@ -134,14 +134,14 @@ class EndpointPolicyV3Controller(controller.V3Controller):
policy_id, service_id=service_id, region_id=region_id)
@controller.protected()
def get_policy_for_endpoint(self, context, endpoint_id):
def get_policy_for_endpoint(self, request, endpoint_id):
"""Get the effective policy for an endpoint."""
self.catalog_api.get_endpoint(endpoint_id)
ref = self.endpoint_policy_api.get_policy_for_endpoint(endpoint_id)
# NOTE(henry-nash): since the collection and member for this class is
# set to endpoints, we have to handle wrapping this policy entity
# ourselves.
self._add_self_referential_link(context, ref)
self._add_self_referential_link(request.context_dict, ref)
return {'policy': ref}
# NOTE(henry-nash): As in the catalog controller, we must ensure that the
@ -159,8 +159,9 @@ class EndpointPolicyV3Controller(controller.V3Controller):
return super(EndpointPolicyV3Controller, cls).wrap_member(context, ref)
@controller.protected()
def list_endpoints_for_policy(self, context, policy_id):
def list_endpoints_for_policy(self, request, policy_id):
"""List endpoints with the effective association to a policy."""
self.policy_api.get_policy(policy_id)
refs = self.endpoint_policy_api.list_endpoints_for_policy(policy_id)
return EndpointPolicyV3Controller.wrap_collection(context, refs)
return EndpointPolicyV3Controller.wrap_collection(request.context_dict,
refs)

120
keystone/federation/controllers.py
View File

@ -91,35 +91,36 @@ class IdentityProvider(_ControllerBase):
@controller.protected()
@validation.validated(schema.identity_provider_create, 'identity_provider')
def create_identity_provider(self, context, idp_id, identity_provider):
def create_identity_provider(self, request, idp_id, identity_provider):
identity_provider = self._normalize_dict(identity_provider)
identity_provider.setdefault('enabled', False)
idp_ref = self.federation_api.create_idp(idp_id, identity_provider)
response = IdentityProvider.wrap_member(context, idp_ref)
response = IdentityProvider.wrap_member(request.context_dict, idp_ref)
return wsgi.render_response(body=response, status=('201', 'Created'))
@controller.filterprotected('id', 'enabled')
def list_identity_providers(self, context, filters):
hints = self.build_driver_hints(context, filters)
def list_identity_providers(self, request, filters):
hints = self.build_driver_hints(request.context_dict, filters)
ref = self.federation_api.list_idps(hints=hints)
ref = [self.filter_params(x) for x in ref]
return IdentityProvider.wrap_collection(context, ref, hints=hints)
return IdentityProvider.wrap_collection(request.context_dict,
ref, hints=hints)
@controller.protected()
def get_identity_provider(self, context, idp_id):
def get_identity_provider(self, request, idp_id):
ref = self.federation_api.get_idp(idp_id)
return IdentityProvider.wrap_member(context, ref)
return IdentityProvider.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_identity_provider(self, context, idp_id):
def delete_identity_provider(self, request, idp_id):
self.federation_api.delete_idp(idp_id)
@controller.protected()
@validation.validated(schema.identity_provider_update, 'identity_provider')
def update_identity_provider(self, context, idp_id, identity_provider):
def update_identity_provider(self, request, idp_id, identity_provider):
identity_provider = self._normalize_dict(identity_provider)
idp_ref = self.federation_api.update_idp(idp_id, identity_provider)
return IdentityProvider.wrap_member(context, idp_ref)
return IdentityProvider.wrap_member(request.context_dict, idp_ref)
@dependency.requires('federation_api')
@ -179,33 +180,34 @@ class FederationProtocol(_ControllerBase):
@controller.protected()
@validation.validated(schema.protocol_create, 'protocol')
def create_protocol(self, context, idp_id, protocol_id, protocol):
def create_protocol(self, request, idp_id, protocol_id, protocol):
ref = self._normalize_dict(protocol)
ref = self.federation_api.create_protocol(idp_id, protocol_id, ref)
response = FederationProtocol.wrap_member(context, ref)
response = FederationProtocol.wrap_member(request.context_dict, ref)
return wsgi.render_response(body=response, status=('201', 'Created'))
@controller.protected()
@validation.validated(schema.protocol_update, 'protocol')
def update_protocol(self, context, idp_id, protocol_id, protocol):
def update_protocol(self, request, idp_id, protocol_id, protocol):
ref = self._normalize_dict(protocol)
ref = self.federation_api.update_protocol(idp_id, protocol_id,
protocol)
return FederationProtocol.wrap_member(context, ref)
return FederationProtocol.wrap_member(request.context_dict, ref)
@controller.protected()
def get_protocol(self, context, idp_id, protocol_id):
def get_protocol(self, request, idp_id, protocol_id):
ref = self.federation_api.get_protocol(idp_id, protocol_id)
return FederationProtocol.wrap_member(context, ref)
return FederationProtocol.wrap_member(request.context_dict, ref)
@controller.protected()
def list_protocols(self, context, idp_id):
def list_protocols(self, request, idp_id):
protocols_ref = self.federation_api.list_protocols(idp_id)
protocols = list(protocols_ref)
return FederationProtocol.wrap_collection(context, protocols)
return FederationProtocol.wrap_collection(request.context_dict,
protocols)
@controller.protected()
def delete_protocol(self, context, idp_id, protocol_id):
def delete_protocol(self, request, idp_id, protocol_id):
self.federation_api.delete_protocol(idp_id, protocol_id)
@ -215,33 +217,34 @@ class MappingController(_ControllerBase):
member_name = 'mapping'
@controller.protected()
def create_mapping(self, context, mapping_id, mapping):
def create_mapping(self, request, mapping_id, mapping):
ref = self._normalize_dict(mapping)
utils.validate_mapping_structure(ref)
mapping_ref = self.federation_api.create_mapping(mapping_id, ref)
response = MappingController.wrap_member(context, mapping_ref)
response = MappingController.wrap_member(request.context_dict,
mapping_ref)
return wsgi.render_response(body=response, status=('201', 'Created'))
@controller.protected()
def list_mappings(self, context):
def list_mappings(self, request):
ref = self.federation_api.list_mappings()
return MappingController.wrap_collection(context, ref)
return MappingController.wrap_collection(request.context_dict, ref)
@controller.protected()
def get_mapping(self, context, mapping_id):
def get_mapping(self, request, mapping_id):
ref = self.federation_api.get_mapping(mapping_id)
return MappingController.wrap_member(context, ref)
return MappingController.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_mapping(self, context, mapping_id):
def delete_mapping(self, request, mapping_id):
self.federation_api.delete_mapping(mapping_id)
@controller.protected()
def update_mapping(self, context, mapping_id, mapping):
def update_mapping(self, request, mapping_id, mapping):
mapping = self._normalize_dict(mapping)
utils.validate_mapping_structure(mapping)
mapping_ref = self.federation_api.update_mapping(mapping_id, mapping)
return MappingController.wrap_member(context, mapping_ref)
return MappingController.wrap_member(request.context_dict, mapping_ref)
@dependency.requires('federation_api')
@ -281,7 +284,7 @@ class Auth(auth_controllers.Auth):
return host
def federated_authentication(self, context, idp_id, protocol_id):
def federated_authentication(self, request, idp_id, protocol_id):
"""Authenticate from dedicated url endpoint.
Build HTTP request body for federated authentication and inject
@ -298,34 +301,37 @@ class Auth(auth_controllers.Auth):
}
}
return self.authenticate_for_token(context, auth=auth)
return self.authenticate_for_token(request, auth=auth)
def federated_sso_auth(self, context, protocol_id):
def federated_sso_auth(self, request, protocol_id):
try:
remote_id_name = utils.get_remote_id_parameter(protocol_id)
remote_id = context['environment'][remote_id_name]
remote_id = request.context_dict['environment'][remote_id_name]
except KeyError:
msg = _('Missing entity ID from environment')
LOG.error(msg)
raise exception.Unauthorized(msg)
host = self._get_sso_origin_host(context)
host = self._get_sso_origin_host(request.context_dict)
ref = self.federation_api.get_idp_from_remote_id(remote_id)
# NOTE(stevemar): the returned object is a simple dict that
# contains the idp_id and remote_id.
identity_provider = ref['idp_id']
res = self.federated_authentication(context, identity_provider,
res = self.federated_authentication(request,
identity_provider,
protocol_id)
token_id = res.headers['X-Subject-Token']
return self.render_html_response(host, token_id)
def federated_idp_specific_sso_auth(self, context, idp_id, protocol_id):
host = self._get_sso_origin_host(context)
def federated_idp_specific_sso_auth(self, request, idp_id, protocol_id):
host = self._get_sso_origin_host(request.context_dict)
# NOTE(lbragstad): We validate that the Identity Provider actually
# exists in the Mapped authentication plugin.
res = self.federated_authentication(context, idp_id, protocol_id)
res = self.federated_authentication(request,
idp_id,
protocol_id)
token_id = res.headers['X-Subject-Token']
return self.render_html_response(host, token_id)
@ -378,13 +384,13 @@ class Auth(auth_controllers.Auth):
('X-auth-url', service_provider['auth_url'].encode('utf-8'))]
@validation.validated(schema.saml_create, 'auth')
def create_saml_assertion(self, context, auth):
def create_saml_assertion(self, request, auth):
"""Exchange a scoped token for a SAML assertion.
:param auth: Dictionary that contains a token and service provider ID
:returns: SAML Assertion based on properties from the token
"""
t = self._create_base_saml_assertion(context, auth)
t = self._create_base_saml_assertion(request.context_dict, auth)
(response, service_provider) = t
headers = self._build_response_headers(service_provider)
@ -423,17 +429,18 @@ class DomainV3(controller.V3Controller):
self.get_member_from_driver = self.resource_api.get_domain
@controller.protected()
def list_domains_for_groups(self, context):
def list_domains_for_groups(self, request):
"""List all domains available to an authenticated user's groups.
:param context: request context
:returns: list of accessible domains
"""
auth_context = context['environment'][authorization.AUTH_CONTEXT_ENV]
env = request.context_dict['environment']
auth_context = env[authorization.AUTH_CONTEXT_ENV]
domains = self.assignment_api.list_domains_for_groups(
auth_context['group_ids'])
return DomainV3.wrap_collection(context, domains)
return DomainV3.wrap_collection(request.context_dict, domains)
@dependency.requires('assignment_api', 'resource_api')
@ -446,17 +453,19 @@ class ProjectAssignmentV3(controller.V3Controller):
self.get_member_from_driver = self.resource_api.get_project
@controller.protected()
def list_projects_for_groups(self, context):
def list_projects_for_groups(self, request):
"""List all projects available to an authenticated user's groups.
:param context: request context
:returns: list of accessible projects
"""
auth_context = context['environment'][authorization.AUTH_CONTEXT_ENV]
env = request.context_dict['environment']
auth_context = env[authorization.AUTH_CONTEXT_ENV]
projects = self.assignment_api.list_projects_for_groups(
auth_context['group_ids'])
return ProjectAssignmentV3.wrap_collection(context, projects)
return ProjectAssignmentV3.wrap_collection(request.context_dict,
projects)
@dependency.requires('federation_api')
@ -471,37 +480,38 @@ class ServiceProvider(_ControllerBase):
@controller.protected()
@validation.validated(schema.service_provider_create, 'service_provider')
def create_service_provider(self, context, sp_id, service_provider):
def create_service_provider(self, request, sp_id, service_provider):
service_provider = self._normalize_dict(service_provider)
service_provider.setdefault('enabled', False)
service_provider.setdefault('relay_state_prefix',
CONF.saml.relay_state_prefix)
sp_ref = self.federation_api.create_sp(sp_id, service_provider)
response = ServiceProvider.wrap_member(context, sp_ref)
response = ServiceProvider.wrap_member(request.context_dict, sp_ref)
return wsgi.render_response(body=response, status=('201', 'Created'))
@controller.filterprotected('id', 'enabled')
def list_service_providers(self, context, filters):
hints = self.build_driver_hints(context, filters)
def list_service_providers(self, request, filters):
hints = self.build_driver_hints(request.context_dict, filters)
ref = self.federation_api.list_sps(hints=hints)
ref = [self.filter_params(x) for x in ref]
return ServiceProvider.wrap_collection(context, ref, hints=hints)
return ServiceProvider.wrap_collection(request.context_dict,
ref, hints=hints)
@controller.protected()
def get_service_provider(self, context, sp_id):
def get_service_provider(self, request, sp_id):
ref = self.federation_api.get_sp(sp_id)
return ServiceProvider.wrap_member(context, ref)
return ServiceProvider.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_service_provider(self, context, sp_id):
def delete_service_provider(self, request, sp_id):
self.federation_api.delete_sp(sp_id)
@controller.protected()
@validation.validated(schema.service_provider_update, 'service_provider')
def update_service_provider(self, context, sp_id, service_provider):
def update_service_provider(self, request, sp_id, service_provider):
service_provider = self._normalize_dict(service_provider)
sp_ref = self.federation_api.update_sp(sp_id, service_provider)
return ServiceProvider.wrap_member(context, sp_ref)
return ServiceProvider.wrap_member(request.context_dict, sp_ref)
class SAMLMetadataV3(_ControllerBase):

135
keystone/identity/controllers.py
View File

@ -34,38 +34,39 @@ LOG = log.getLogger(__name__)
class User(controller.V2Controller):
@controller.v2_deprecated
def get_user(self, context, user_id):
self.assert_admin(context)
def get_user(self, request, user_id):
self.assert_admin(request.context_dict)
ref = self.identity_api.get_user(user_id)
return {'user': self.v3_to_v2_user(ref)}
@controller.v2_deprecated
def get_users(self, context):
def get_users(self, request):
# NOTE(termie): i can't imagine that this really wants all the data
# about every single user in the system...
if 'name' in context['query_string']:
if 'name' in request.context_dict['query_string']:
return self.get_user_by_name(
context, context['query_string'].get('name'))
request,
request.context_dict['query_string'].get('name'))
self.assert_admin(context)
self.assert_admin(request.context_dict)
user_list = self.identity_api.list_users(
CONF.identity.default_domain_id)
return {'users': self.v3_to_v2_user(user_list)}
@controller.v2_deprecated
def get_user_by_name(self, context, user_name):
self.assert_admin(context)
def get_user_by_name(self, request, user_name):
self.assert_admin(request.context_dict)
ref = self.identity_api.get_user_by_name(
user_name, CONF.identity.default_domain_id)
return {'user': self.v3_to_v2_user(ref)}
# CRUD extension
@controller.v2_deprecated
def create_user(self, context, user):
def create_user(self, request, user):
user = self._normalize_OSKSADM_password_on_request(user)
user = self.normalize_username_in_request(user)
user = self._normalize_dict(user)
self.assert_admin(context)
self.assert_admin(request.context_dict)
if 'name' not in user or not user['name']:
msg = _('Name field is required and cannot be empty')
@ -83,8 +84,8 @@ class User(controller.V2Controller):
self.resource_api.ensure_default_domain_exists()
# The manager layer will generate the unique ID for users
user_ref = self._normalize_domain_id(context, user.copy())
initiator = notifications._get_request_audit_info(context)
user_ref = self._normalize_domain_id(request.context_dict, user.copy())
initiator = notifications._get_request_audit_info(request.context_dict)
new_user_ref = self.v3_to_v2_user(
self.identity_api.create_user(user_ref, initiator))
@ -94,10 +95,10 @@ class User(controller.V2Controller):
return {'user': new_user_ref}
@controller.v2_deprecated
def update_user(self, context, user_id, user):
def update_user(self, request, user_id, user):
# NOTE(termie): this is really more of a patch than a put
user = self.normalize_username_in_request(user)
self.assert_admin(context)
self.assert_admin(request.context_dict)
if 'enabled' in user and not isinstance(user['enabled'], bool):
msg = _('Enabled field should be a boolean')
@ -123,7 +124,7 @@ class User(controller.V2Controller):
# user update.
self.resource_api.get_project(default_project_id)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
user_ref = self.v3_to_v2_user(
self.identity_api.update_user(user_id, user, initiator))
@ -168,19 +169,19 @@ class User(controller.V2Controller):
return {'user': user_ref}
@controller.v2_deprecated
def delete_user(self, context, user_id):
self.assert_admin(context)
initiator = notifications._get_request_audit_info(context)
def delete_user(self, request, user_id):
self.assert_admin(request.context_dict)
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_user(user_id, initiator)
@controller.v2_deprecated
def set_user_enabled(self, context, user_id, user):
return self.update_user(context, user_id, user)
def set_user_enabled(self, request, user_id, user):
return self.update_user(request, user_id, user)
@controller.v2_deprecated
def set_user_password(self, context, user_id, user):
def set_user_password(self, request, user_id, user):
user = self._normalize_OSKSADM_password_on_request(user)
return self.update_user(context, user_id, user)
return self.update_user(request, user_id, user)
@staticmethod
def _normalize_OSKSADM_password_on_request(ref):
@ -218,33 +219,32 @@ class UserV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.user_create, 'user')
def create_user(self, context, user):
def create_user(self, request, user):
# The manager layer will generate the unique ID for users
ref = self._normalize_dict(user)
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self._normalize_domain_id(request.context_dict, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_user(ref, initiator)
return UserV3.wrap_member(context, ref)
return UserV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'enabled', 'name')
def list_users(self, context, filters):
hints = UserV3.build_driver_hints(context, filters)
refs = self.identity_api.list_users(
domain_scope=self._get_domain_id_for_list_request(context),
hints=hints)
return UserV3.wrap_collection(context, refs, hints=hints)
def list_users(self, request, filters):
hints = UserV3.build_driver_hints(request.context_dict, filters)
domain = self._get_domain_id_for_list_request(request.context_dict)
refs = self.identity_api.list_users(domain_scope=domain, hints=hints)
return UserV3.wrap_collection(request.context_dict, refs, hints=hints)
@controller.filterprotected('domain_id', 'enabled', 'name',
callback=_check_group_protection)
def list_users_in_group(self, context, filters, group_id):
hints = UserV3.build_driver_hints(context, filters)
def list_users_in_group(self, request, filters, group_id):
hints = UserV3.build_driver_hints(request.context_dict, filters)
refs = self.identity_api.list_users_in_group(group_id, hints=hints)
return UserV3.wrap_collection(context, refs, hints=hints)
return UserV3.wrap_collection(request.context_dict, refs, hints=hints)
@controller.protected()
def get_user(self, context, user_id):
def get_user(self, request, user_id):
ref = self.identity_api.get_user(user_id)
return UserV3.wrap_member(context, ref)
return UserV3.wrap_member(request.context_dict, ref)
def _update_user(self, context, user_id, user):
self._require_matching_id(user_id, user)
@ -256,30 +256,30 @@ class UserV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.user_update, 'user')
def update_user(self, context, user_id, user):
return self._update_user(context, user_id, user)
def update_user(self, request, user_id, user):
return self._update_user(request.context_dict, user_id, user)
@controller.protected(callback=_check_user_and_group_protection)
def add_user_to_group(self, context, user_id, group_id):
initiator = notifications._get_request_audit_info(context)
def add_user_to_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.add_user_to_group(user_id, group_id, initiator)
@controller.protected(callback=_check_user_and_group_protection)
def check_user_in_group(self, context, user_id, group_id):
def check_user_in_group(self, request, user_id, group_id):
return self.identity_api.check_user_in_group(user_id, group_id)
@controller.protected(callback=_check_user_and_group_protection)
def remove_user_from_group(self, context, user_id, group_id):
initiator = notifications._get_request_audit_info(context)
def remove_user_from_group(self, request, user_id, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.remove_user_from_group(user_id, group_id, initiator)
@controller.protected()
def delete_user(self, context, user_id):
initiator = notifications._get_request_audit_info(context)
def delete_user(self, request, user_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.identity_api.delete_user(user_id, initiator)
@controller.protected()
def change_password(self, context, user_id, user):
def change_password(self, request, user_id, user):
original_password = user.get('original_password')
if original_password is None:
raise exception.ValidationError(target='user',
@ -291,7 +291,7 @@ class UserV3(controller.V3Controller):
attribute='password')
try:
self.identity_api.change_password(
context, user_id, original_password, password)
request.context_dict, user_id, original_password, password)
except AssertionError:
raise exception.Unauthorized()
@ -312,44 +312,43 @@ class GroupV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.group_create, 'group')
def create_group(self, context, group):
def create_group(self, request, group):
# The manager layer will generate the unique ID for groups
ref = self._normalize_dict(group)
ref = self._normalize_domain_id(context, ref)
initiator = notifications._get_request_audit_info(context)
ref = self._normalize_domain_id(request.context_dict, ref)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.create_group(ref, initiator)
return GroupV3.wrap_member(context, ref)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'name')
def list_groups(self, context, filters):
hints = GroupV3.build_driver_hints(context, filters)
refs = self.identity_api.list_groups(
domain_scope=self._get_domain_id_for_list_request(context),
hints=hints)
return GroupV3.wrap_collection(context, refs, hints=hints)
def list_groups(self, request, filters):
hints = GroupV3.build_driver_hints(request.context_dict, filters)
domain = self._get_domain_id_for_list_request(request.context_dict)
refs = self.identity_api.list_groups(domain_scope=domain, hints=hints)
return GroupV3.wrap_collection(request.context_dict, refs, hints=hints)
@controller.filterprotected('name', callback=_check_user_protection)
def list_groups_for_user(self, context, filters, user_id):
hints = GroupV3.build_driver_hints(context, filters)
def list_groups_for_user(self, request, filters, user_id):
hints = GroupV3.build_driver_hints(request.context_dict, filters)
refs = self.identity_api.list_groups_for_user(user_id, hints=hints)
return GroupV3.wrap_collection(context, refs, hints=hints)
return GroupV3.wrap_collection(request.context_dict, refs, hints=hints)
@controller.protected()
def get_group(self, context, group_id):
def get_group(self, request, group_id):
ref = self.identity_api.get_group(group_id)
return GroupV3.wrap_member(context, ref)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.group_update, 'group')
def update_group(self, context, group_id, group):
def update_group(self, request, group_id, group):
self._require_matching_id(group_id, group)
self._require_matching_domain_id(
group_id, group, self.identity_api.get_group)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.identity_api.update_group(group_id, group, initiator)
return GroupV3.wrap_member(context, ref)
return GroupV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_group(self, context, group_id):
initiator = notifications._get_request_audit_info(context)
def delete_group(self, request, group_id):
initiator = notifications._get_request_audit_info(request.context_dict)
self.identity_api.delete_group(group_id, initiator)

86
keystone/oauth1/controllers.py
View File

@ -60,38 +60,38 @@ class ConsumerCrudV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.consumer_create, 'consumer')
def create_consumer(self, context, consumer):
def create_consumer(self, request, consumer):
ref = self._assign_unique_id(self._normalize_dict(consumer))
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
consumer_ref = self.oauth_api.create_consumer(ref, initiator)
return ConsumerCrudV3.wrap_member(context, consumer_ref)
return ConsumerCrudV3.wrap_member(request.context_dict, consumer_ref)
@controller.protected()
@validation.validated(schema.consumer_update, 'consumer')
def update_consumer(self, context, consumer_id, consumer):
def update_consumer(self, request, consumer_id, consumer):
self._require_matching_id(consumer_id, consumer)
ref = self._normalize_dict(consumer)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.oauth_api.update_consumer(consumer_id, ref, initiator)
return ConsumerCrudV3.wrap_member(context, ref)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
@controller.protected()
def list_consumers(self, context):
def list_consumers(self, request):
ref = self.oauth_api.list_consumers()
return ConsumerCrudV3.wrap_collection(context, ref)
return ConsumerCrudV3.wrap_collection(request.context_dict, ref)
@controller.protected()
def get_consumer(self, context, consumer_id):
def get_consumer(self, request, consumer_id):
ref = self.oauth_api.get_consumer(consumer_id)
return ConsumerCrudV3.wrap_member(context, ref)
return ConsumerCrudV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_consumer(self, context, consumer_id):
user_token_ref = utils.get_token_ref(context)
def delete_consumer(self, request, consumer_id):
user_token_ref = utils.get_token_ref(request.context_dict)
payload = {'user_id': user_token_ref.user_id,
'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
self.oauth_api.delete_consumer(consumer_id, initiator)
@ -110,33 +110,36 @@ class AccessTokenCrudV3(controller.V3Controller):
ref['links']['self'] = cls.base_url(context, path) + '/' + ref['id']
@controller.protected()
def get_access_token(self, context, user_id, access_token_id):
def get_access_token(self, request, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id:
raise exception.NotFound()
access_token = self._format_token_entity(context, access_token)
return AccessTokenCrudV3.wrap_member(context, access_token)
access_token = self._format_token_entity(request.context_dict,
access_token)
return AccessTokenCrudV3.wrap_member(request.context_dict,
access_token)
@controller.protected()
def list_access_tokens(self, context, user_id):
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
def list_access_tokens(self, request, user_id):
env = request.context_dict.get('environment', {})
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
if auth_context.get('is_delegated_auth'):
raise exception.Forbidden(
_('Cannot list request tokens'
' with a token issued via delegation.'))
refs = self.oauth_api.list_access_tokens(user_id)
formatted_refs = ([self._format_token_entity(context, x)
formatted_refs = ([self._format_token_entity(request.context_dict, x)
for x in refs])
return AccessTokenCrudV3.wrap_collection(context, formatted_refs)
return AccessTokenCrudV3.wrap_collection(request.context_dict,
formatted_refs)
@controller.protected()
def delete_access_token(self, context, user_id, access_token_id):
def delete_access_token(self, request, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
consumer_id = access_token['consumer_id']
payload = {'user_id': user_id, 'consumer_id': consumer_id}
_emit_user_oauth_consumer_token_invalidate(payload)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
return self.oauth_api.delete_access_token(
user_id, access_token_id, initiator)
@ -170,17 +173,17 @@ class AccessTokenRolesV3(controller.V3Controller):
member_name = 'role'
@controller.protected()
def list_access_token_roles(self, context, user_id, access_token_id):
def list_access_token_roles(self, request, user_id, access_token_id):
access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id:
raise exception.NotFound()
authed_role_ids = access_token['role_ids']
authed_role_ids = jsonutils.loads(authed_role_ids)
refs = ([self._format_role_entity(x) for x in authed_role_ids])
return AccessTokenRolesV3.wrap_collection(context, refs)
return AccessTokenRolesV3.wrap_collection(request.context_dict, refs)
@controller.protected()
def get_access_token_role(self, context, user_id,
def get_access_token_role(self, request, user_id,
access_token_id, role_id):
access_token = self.oauth_api.get_access_token(access_token_id)
if access_token['authorizing_user_id'] != user_id:
@ -190,7 +193,8 @@ class AccessTokenRolesV3(controller.V3Controller):
for authed_role_id in authed_role_ids:
if authed_role_id == role_id:
role = self._format_role_entity(role_id)
return AccessTokenRolesV3.wrap_member(context, role)
return AccessTokenRolesV3.wrap_member(request.context_dict,
role)
raise exception.RoleNotFound(role_id=role_id)
def _format_role_entity(self, role_id):
@ -209,8 +213,8 @@ class OAuthControllerV3(controller.V3Controller):
collection_name = 'not_used'
member_name = 'not_used'
def create_request_token(self, context):
headers = context['headers']
def create_request_token(self, request):
headers = request.context_dict['headers']
oauth_headers = oauth1.get_oauth_headers(headers)
consumer_id = oauth_headers.get('oauth_consumer_key')
requested_project_id = headers.get('Requested-Project-Id')
@ -226,7 +230,7 @@ class OAuthControllerV3(controller.V3Controller):
self.resource_api.get_project(requested_project_id)
self.oauth_api.get_consumer(consumer_id)
url = self.base_url(context, context['path'])
url = self.base_url(request.context_dict, request.context_dict['path'])
req_headers = {'Requested-Project-Id': requested_project_id}
req_headers.update(headers)
@ -236,7 +240,7 @@ class OAuthControllerV3(controller.V3Controller):
h, b, s = request_verifier.create_request_token_response(
url,
http_method='POST',
body=context['query_string'],
body=request.context_dict['query_string'],
headers=req_headers)
if (not b) or int(s) > 399:
@ -244,7 +248,7 @@ class OAuthControllerV3(controller.V3Controller):
raise exception.Unauthorized(message=msg)
request_token_duration = CONF.oauth1.request_token_duration
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_request_token(consumer_id,
requested_project_id,
request_token_duration,
@ -265,8 +269,8 @@ class OAuthControllerV3(controller.V3Controller):
return response
def create_access_token(self, context):
headers = context['headers']
def create_access_token(self, request):
headers = request.context_dict['headers']
oauth_headers = oauth1.get_oauth_headers(headers)
consumer_id = oauth_headers.get('oauth_consumer_key')
request_token_id = oauth_headers.get('oauth_token')
@ -293,7 +297,7 @@ class OAuthControllerV3(controller.V3Controller):
if now > expires:
raise exception.Unauthorized(_('Request token is expired'))
url = self.base_url(context, context['path'])
url = self.base_url(request.context_dict, request.context_dict['path'])
access_verifier = oauth1.AccessTokenEndpoint(
request_validator=validator.OAuthValidator(),
@ -301,7 +305,7 @@ class OAuthControllerV3(controller.V3Controller):
h, b, s = access_verifier.create_access_token_response(
url,
http_method='POST',
body=context['query_string'],
body=request.context_dict['query_string'],
headers=headers)
params = oauth1.extract_non_oauth_params(b)
if params:
@ -325,7 +329,7 @@ class OAuthControllerV3(controller.V3Controller):
raise exception.Unauthorized(message=msg)
access_token_duration = CONF.oauth1.access_token_duration
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
token_ref = self.oauth_api.create_access_token(request_token_id,
access_token_duration,
initiator)
@ -346,7 +350,7 @@ class OAuthControllerV3(controller.V3Controller):
return response
@controller.protected()
def authorize_request_token(self, context, request_token_id, roles):
def authorize_request_token(self, request, request_token_id, roles):
"""An authenticated user is going to authorize a request token.
As a security precaution, the requested roles must match those in
@ -354,8 +358,8 @@ class OAuthControllerV3(controller.V3Controller):
there is not another easy way to make sure the user knows which roles
are being requested before authorizing.
"""
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
env = request.context_dict.get('environment', {})
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
if auth_context.get('is_delegated_auth'):
raise exception.Forbidden(
_('Cannot authorize a request token'
@ -377,7 +381,7 @@ class OAuthControllerV3(controller.V3Controller):
authed_roles.add(role['id'])
# verify the authorizing user has the roles
user_token = utils.get_token_ref(context)
user_token = utils.get_token_ref(request.context_dict)
user_id = user_token.user_id
project_id = req_token['requested_project_id']
user_roles = self.assignment_api.get_roles_for_user_and_project(

27
keystone/policy/controllers.py
View File

@ -26,31 +26,32 @@ class PolicyV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.policy_create, 'policy')
def create_policy(self, context, policy):
def create_policy(self, request, policy):
ref = self._assign_unique_id(self._normalize_dict(policy))
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.create_policy(ref['id'], ref, initiator)
return PolicyV3.wrap_member(context, ref)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('type')
def list_policies(self, context, filters):
hints = PolicyV3.build_driver_hints(context, filters)
def list_policies(self, request, filters):
hints = PolicyV3.build_driver_hints(request.context_dict, filters)
refs = self.policy_api.list_policies(hints=hints)
return PolicyV3.wrap_collection(context, refs, hints=hints)
return PolicyV3.wrap_collection(request.context_dict,
refs, hints=hints)
@controller.protected()
def get_policy(self, context, policy_id):
def get_policy(self, request, policy_id):
ref = self.policy_api.get_policy(policy_id)
return PolicyV3.wrap_member(context, ref)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.policy_update, 'policy')
def update_policy(self, context, policy_id, policy):
initiator = notifications._get_request_audit_info(context)
def update_policy(self, request, policy_id, policy):
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.policy_api.update_policy(policy_id, policy, initiator)
return PolicyV3.wrap_member(context, ref)
return PolicyV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_policy(self, context, policy_id):
initiator = notifications._get_request_audit_info(context)
def delete_policy(self, request, policy_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.policy_api.delete_policy(policy_id, initiator)

107
keystone/resource/controllers.py
View File

@ -36,12 +36,13 @@ CONF = cfg.CONF
class Tenant(controller.V2Controller):
@controller.v2_deprecated
def get_all_projects(self, context, **kw):
def get_all_projects(self, request, **kw):
"""Get a list of all tenants for an admin user."""
self.assert_admin(context)
self.assert_admin(request.context_dict)
if 'name' in context['query_string']:
return self._get_project_by_name(context['query_string']['name'])
name = request.context_dict['query_string'].get('name')
if name:
return self._get_project_by_name(name)
try:
tenant_refs = self.resource_api.list_projects_in_domain(
@ -54,8 +55,8 @@ class Tenant(controller.V2Controller):
for tenant_ref in tenant_refs
if not tenant_ref.get('is_domain')]
params = {
'limit': context['query_string'].get('limit'),
'marker': context['query_string'].get('marker'),
'limit': request.context_dict['query_string'].get('limit'),
'marker': request.context_dict['query_string'].get('marker'),
}
return self.format_project_list(tenant_refs, **params)
@ -67,9 +68,9 @@ class Tenant(controller.V2Controller):
raise exception.ProjectNotFound(project_id)
@controller.v2_deprecated
def get_project(self, context, tenant_id):
def get_project(self, request, tenant_id):
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
self.assert_admin(request.context_dict)
ref = self.resource_api.get_project(tenant_id)
self._assert_not_is_domain_project(tenant_id, ref)
return {'tenant': self.v3_to_v2_project(ref)}
@ -83,7 +84,7 @@ class Tenant(controller.V2Controller):
# CRUD Extension
@controller.v2_deprecated
def create_project(self, context, tenant):
def create_project(self, request, tenant):
tenant_ref = self._normalize_dict(tenant)
if 'name' not in tenant_ref or not tenant_ref['name']:
@ -95,37 +96,37 @@ class Tenant(controller.V2Controller):
'allowed in v2.')
raise exception.ValidationError(message=msg)
self.assert_admin(context)
self.assert_admin(request.context_dict)
self.resource_api.ensure_default_domain_exists()
tenant_ref['id'] = tenant_ref.get('id', uuid.uuid4().hex)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant = self.resource_api.create_project(
tenant_ref['id'],
self._normalize_domain_id(context, tenant_ref),
self._normalize_domain_id(request.context_dict, tenant_ref),
initiator)
return {'tenant': self.v3_to_v2_project(tenant)}
@controller.v2_deprecated
def update_project(self, context, tenant_id, tenant):
self.assert_admin(context)
def update_project(self, request, tenant_id, tenant):
self.assert_admin(request.context_dict)
self._assert_not_is_domain_project(tenant_id)
# Remove domain_id and is_domain if specified - a v2 api caller
# should not be specifying that
clean_tenant = tenant.copy()
clean_tenant.pop('domain_id', None)
clean_tenant.pop('is_domain', None)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
tenant_ref = self.resource_api.update_project(
tenant_id, clean_tenant, initiator)
return {'tenant': self.v3_to_v2_project(tenant_ref)}
@controller.v2_deprecated
def delete_project(self, context, tenant_id):
self.assert_admin(context)
def delete_project(self, request, tenant_id):
self.assert_admin(request.context_dict)
self._assert_not_is_domain_project(tenant_id)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
self.resource_api.delete_project(tenant_id, initiator)
@ -140,34 +141,35 @@ class DomainV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.domain_create, 'domain')
def create_domain(self, context, domain):
def create_domain(self, request, domain):
ref = self._assign_unique_id(self._normalize_dict(domain))
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.create_domain(ref['id'], ref, initiator)
return DomainV3.wrap_member(context, ref)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('enabled', 'name')
def list_domains(self, context, filters):
hints = DomainV3.build_driver_hints(context, filters)
def list_domains(self, request, filters):
hints = DomainV3.build_driver_hints(request.context_dict, filters)
refs = self.resource_api.list_domains(hints=hints)
return DomainV3.wrap_collection(context, refs, hints=hints)
return DomainV3.wrap_collection(request.context_dict,
refs, hints=hints)
@controller.protected()
def get_domain(self, context, domain_id):
def get_domain(self, request, domain_id):
ref = self.resource_api.get_domain(domain_id)
return DomainV3.wrap_member(context, ref)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.domain_update, 'domain')
def update_domain(self, context, domain_id, domain):
def update_domain(self, request, domain_id, domain):
self._require_matching_id(domain_id, domain)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_domain(domain_id, domain, initiator)
return DomainV3.wrap_member(context, ref)
return DomainV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_domain(self, context, domain_id):
initiator = notifications._get_request_audit_info(context)
def delete_domain(self, request, domain_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_domain(domain_id, initiator)
@ -177,7 +179,7 @@ class DomainConfigV3(controller.V3Controller):
member_name = 'config'
@controller.protected()
def create_domain_config(self, context, domain_id, config):
def create_domain_config(self, request, domain_id, config):
self.resource_api.get_domain(domain_id)
original_config = (
self.domain_config_api.get_config_with_sensitive_info(domain_id))
@ -190,14 +192,14 @@ class DomainConfigV3(controller.V3Controller):
status=('201', 'Created'))
@controller.protected()
def get_domain_config(self, context, domain_id, group=None, option=None):
def get_domain_config(self, request, domain_id, group=None, option=None):
self.resource_api.get_domain(domain_id)
ref = self.domain_config_api.get_config(domain_id, group, option)
return {self.member_name: ref}
@controller.protected()
def update_domain_config(
self, context, domain_id, config, group, option):
self, request, domain_id, config, group, option):
self.resource_api.get_domain(domain_id)
ref = self.domain_config_api.update_config(
domain_id, config, group, option)
@ -215,12 +217,12 @@ class DomainConfigV3(controller.V3Controller):
@controller.protected()
def delete_domain_config(
self, context, domain_id, group=None, option=None):
self, request, domain_id, group=None, option=None):
self.resource_api.get_domain(domain_id)
self.domain_config_api.delete_config(domain_id, group, option)
@controller.protected()
def get_domain_config_default(self, context, group=None, option=None):
def get_domain_config_default(self, request, group=None, option=None):
ref = self.domain_config_api.get_config_default(group, option)
return {self.member_name: ref}
@ -236,35 +238,36 @@ class ProjectV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.project_create, 'project')
def create_project(self, context, project):
def create_project(self, request, project):
ref = self._assign_unique_id(self._normalize_dict(project))
if not ref.get('is_domain'):
ref = self._normalize_domain_id(context, ref)
ref = self._normalize_domain_id(request.context_dict, ref)
# Our API requires that you specify the location in the hierarchy
# unambiguously. This could be by parent_id or, if it is a top level
# project, just by providing a domain_id.
if not ref.get('parent_id'):
ref['parent_id'] = ref.get('domain_id')
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
try:
ref = self.resource_api.create_project(ref['id'], ref,
initiator=initiator)
except (exception.DomainNotFound, exception.ProjectNotFound) as e:
raise exception.ValidationError(e)
return ProjectV3.wrap_member(context, ref)
return ProjectV3.wrap_member(request.context_dict, ref)
@controller.filterprotected('domain_id', 'enabled', 'name',
'parent_id', 'is_domain')
def list_projects(self, context, filters):
hints = ProjectV3.build_driver_hints(context, filters)
def list_projects(self, request, filters):
hints = ProjectV3.build_driver_hints(request.context_dict, filters)
# If 'is_domain' has not been included as a query, we default it to
# False (which in query terms means '0'
if 'is_domain' not in context['query_string']:
if 'is_domain' not in request.context_dict['query_string']:
hints.add_filter('is_domain', '0')
refs = self.resource_api.list_projects(hints=hints)
return ProjectV3.wrap_collection(context, refs, hints=hints)
return ProjectV3.wrap_collection(request.context_dict,
refs, hints=hints)
def _expand_project_ref(self, context, ref):
params = context['query_string']
@ -311,24 +314,24 @@ class ProjectV3(controller.V3Controller):
ref['id'])
@controller.protected()
def get_project(self, context, project_id):
def get_project(self, request, project_id):
ref = self.resource_api.get_project(project_id)
self._expand_project_ref(context, ref)
return ProjectV3.wrap_member(context, ref)
self._expand_project_ref(request.context_dict, ref)
return ProjectV3.wrap_member(request.context_dict, ref)
@controller.protected()
@validation.validated(schema.project_update, 'project')
def update_project(self, context, project_id, project):
def update_project(self, request, project_id, project):
self._require_matching_id(project_id, project)
self._require_matching_domain_id(
project_id, project, self.resource_api.get_project)
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
ref = self.resource_api.update_project(project_id, project,
initiator=initiator)
return ProjectV3.wrap_member(context, ref)
return ProjectV3.wrap_member(request.context_dict, ref)
@controller.protected()
def delete_project(self, context, project_id):
initiator = notifications._get_request_audit_info(context)
def delete_project(self, request, project_id):
initiator = notifications._get_request_audit_info(request.context_dict)
return self.resource_api.delete_project(project_id,
initiator=initiator)

8
keystone/revoke/controllers.py
View File

@ -21,8 +21,8 @@ from keystone.i18n import _
@dependency.requires('revoke_api')
class RevokeController(controller.V3Controller):
@controller.protected()
def list_revoke_events(self, context):
since = context['query_string'].get('since')
def list_revoke_events(self, request):
since = request.context_dict['query_string'].get('since')
last_fetch = None
if since:
try:
@ -37,8 +37,8 @@ class RevokeController(controller.V3Controller):
'links': {
'next': None,
'self': RevokeController.base_url(
context,
path=context['path']),
request.context_dict,
path=request.context_dict['path']),
'previous': None}
}
return response

15
keystone/tests/unit/core.py
View File

@ -46,6 +46,7 @@ from keystone import auth
from keystone.common import config
from keystone.common import dependency
from keystone.common.kvs import core as kvs_core
from keystone.common import request
from keystone.common import sql
from keystone import exception
from keystone.identity.backends.ldap import common as ks_ldap
@ -574,6 +575,20 @@ class TestCase(BaseTestCase):
def _policy_fixture(self):
return ksfixtures.Policy(dirs.etc('policy.json'), self.config_fixture)
def make_request(self, path='/', **kwargs):
context = {}
for k in ('is_admin', 'query_string'):
try:
context[k] = kwargs.pop(k)
except KeyError:
pass
req = request.Request.blank(path=path, **kwargs)
req.context_dict.update(context)
return req
def config_overrides(self):
# NOTE(morganfainberg): enforce config_overrides can only ever be
# called a single time.

10
keystone/tests/unit/identity/test_controllers.py
View File

@ -24,8 +24,6 @@ from keystone.tests.unit.ksfixtures import database
CONF = cfg.CONF
_ADMIN_CONTEXT = {'is_admin': True, 'query_string': {}}
class UserTestCaseNoDefaultDomain(unit.TestCase):
@ -45,7 +43,7 @@ class UserTestCaseNoDefaultDomain(unit.TestCase):
def test_get_users(self):
# When list_users is done and there's no default domain, the result is
# an empty list.
res = self.user_controller.get_users(_ADMIN_CONTEXT)
res = self.user_controller.get_users(self.make_request(is_admin=True))
self.assertEqual([], res['users'])
def test_get_user_by_name(self):
@ -54,12 +52,14 @@ class UserTestCaseNoDefaultDomain(unit.TestCase):
user_name = uuid.uuid4().hex
self.assertRaises(
exception.UserNotFound,
self.user_controller.get_user_by_name, _ADMIN_CONTEXT, user_name)
self.user_controller.get_user_by_name,
self.make_request(is_admin=True), user_name)
def test_create_user(self):
# When a user is created using the v2 controller and there's no default
# domain, it doesn't fail with can't find domain (a default domain is
# created)
user = {'name': uuid.uuid4().hex}
self.user_controller.create_user(_ADMIN_CONTEXT, user)
self.user_controller.create_user(self.make_request(is_admin=True),
user)
# If the above doesn't fail then this is successful.

8
keystone/tests/unit/resource/test_controllers.py
View File

@ -24,8 +24,6 @@ from keystone.tests.unit.ksfixtures import database
CONF = cfg.CONF
_ADMIN_CONTEXT = {'is_admin': True, 'query_string': {}}
class TenantTestCaseNoDefaultDomain(unit.TestCase):
@ -45,7 +43,8 @@ class TenantTestCaseNoDefaultDomain(unit.TestCase):
def test_get_all_projects(self):
# When get_all_projects is done and there's no default domain, the
# result is an empty list.
res = self.tenant_controller.get_all_projects(_ADMIN_CONTEXT)
req = self.make_request(is_admin=True)
res = self.tenant_controller.get_all_projects(req)
self.assertEqual([], res['tenants'])
def test_create_project(self):
@ -53,5 +52,6 @@ class TenantTestCaseNoDefaultDomain(unit.TestCase):
# default domain, it doesn't fail with can't find domain (a default
# domain is created)
tenant = {'name': uuid.uuid4().hex}
self.tenant_controller.create_project(_ADMIN_CONTEXT, tenant)
self.tenant_controller.create_project(self.make_request(is_admin=True),
tenant)
# If the above doesn't fail then this is successful.

282
keystone/tests/unit/test_auth.py
View File

@ -84,10 +84,10 @@ class AuthTest(unit.TestCase):
self.load_backends()
self.load_fixtures(default_fixtures)
self.context_with_remote_user = {'environment':
{'REMOTE_USER': 'FOO',
'AUTH_TYPE': 'Negotiate'}}
self.empty_context = {'environment': {}}
environ = {'REMOTE_USER': 'FOO', 'AUTH_TYPE': 'Negotiate'}
self.request_with_remote_user = self.make_request(environ=environ)
self.empty_request = self.make_request()
self.controller = token.controllers.Auth()
@ -163,20 +163,20 @@ class AuthBadRequests(AuthTest):
"""Verify sending empty json dict raises the right exception."""
self.assertRaises(exception.ValidationError,
self.controller.authenticate,
{}, {})
self.make_request(), {})
def test_authenticate_blank_auth(self):
"""Verify sending blank 'auth' raises the right exception."""
body_dict = _build_user_auth()
self.assertRaises(exception.ValidationError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_invalid_auth_content(self):
"""Verify sending invalid 'auth' raises the right exception."""
self.assertRaises(exception.ValidationError,
self.controller.authenticate,
{}, {'auth': 'abcd'})
self.make_request(), {'auth': 'abcd'})
def test_authenticate_user_id_too_large(self):
"""Verify sending large 'userId' raises the right exception."""
@ -184,14 +184,14 @@ class AuthBadRequests(AuthTest):
password='foo2')
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_username_too_large(self):
"""Verify sending large 'username' raises the right exception."""
body_dict = _build_user_auth(username='0' * 65, password='foo2')
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_tenant_id_too_large(self):
"""Verify sending large 'tenantId' raises the right exception."""
@ -199,7 +199,7 @@ class AuthBadRequests(AuthTest):
tenant_id='0' * 65)
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_tenant_name_too_large(self):
"""Verify sending large 'tenantName' raises the right exception."""
@ -207,14 +207,14 @@ class AuthBadRequests(AuthTest):
tenant_name='0' * 65)
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_token_too_large(self):
"""Verify sending large 'token' raises the right exception."""
body_dict = _build_user_auth(token={'id': '0' * 8193})
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_password_too_large(self):
"""Verify sending large 'password' raises the right exception."""
@ -222,7 +222,7 @@ class AuthBadRequests(AuthTest):
body_dict = _build_user_auth(username='FOO', password='0' * length)
self.assertRaises(exception.ValidationSizeError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_fails_if_project_unsafe(self):
"""Verify authenticate to a project with unsafe name fails."""
@ -236,7 +236,7 @@ class AuthBadRequests(AuthTest):
self.resource_api.create_project(project['id'], project)
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'], project['id'], self.role_member['id'])
no_context = {}
empty_request = self.make_request()
body_dict = _build_user_auth(
username=self.user_foo['name'],
@ -244,7 +244,7 @@ class AuthBadRequests(AuthTest):
tenant_name=project['name'])
# Since name url restriction is off, we should be able to authenticate
self.controller.authenticate(no_context, body_dict)
self.controller.authenticate(empty_request, body_dict)
# Set the name url restriction to strict and we should fail to
# authenticate
@ -252,7 +252,7 @@ class AuthBadRequests(AuthTest):
project_name_url_safe='strict')
self.assertRaises(exception.Unauthorized,
self.controller.authenticate,
no_context, body_dict)
empty_request, body_dict)
class AuthWithToken(AuthTest):
@ -260,7 +260,8 @@ class AuthWithToken(AuthTest):
"""Verify getting an unscoped token with password creds."""
body_dict = _build_user_auth(username='FOO',
password='foo2')
unscoped_token = self.controller.authenticate({}, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
self.assertNotIn('tenant', unscoped_token['access']['token'])
def test_auth_invalid_token(self):
@ -269,7 +270,7 @@ class AuthWithToken(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_auth_bad_formatted_token(self):
"""Verify exception is raised if invalid token."""
@ -277,18 +278,20 @@ class AuthWithToken(AuthTest):
self.assertRaises(
exception.ValidationError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_auth_unscoped_token_no_project(self):
"""Verify getting an unscoped token with an unscoped token."""
body_dict = _build_user_auth(
username='FOO',
password='foo2')
unscoped_token = self.controller.authenticate({}, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
body_dict = _build_user_auth(
token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate({}, body_dict)
unscoped_token_2 = self.controller.authenticate(self.make_request(),
body_dict)
self.assertEqualTokens(unscoped_token, unscoped_token_2)
@ -303,12 +306,14 @@ class AuthWithToken(AuthTest):
body_dict = _build_user_auth(
username='FOO',
password='foo2')
unscoped_token = self.controller.authenticate({}, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
# Get a token on BAR tenant using the unscoped token
body_dict = _build_user_auth(
token=unscoped_token["access"]["token"],
tenant_name="BAR")
scoped_token = self.controller.authenticate({}, body_dict)
scoped_token = self.controller.authenticate(self.make_request(),
body_dict)
tenant = scoped_token["access"]["token"]["tenant"]
roles = scoped_token["access"]["metadata"]["roles"]
@ -330,7 +335,7 @@ class AuthWithToken(AuthTest):
e = self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
# explicitly verify that the error message shows that a *name* is
# found where an *ID* is expected
self.assertIn(
@ -352,7 +357,7 @@ class AuthWithToken(AuthTest):
e = self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
# explicitly verify that the error message details above have been
# suppressed.
self.assertNotIn(
@ -384,7 +389,8 @@ class AuthWithToken(AuthTest):
password='foo2',
tenant_name="BAR")
scoped_token = self.controller.authenticate({}, body_dict)
scoped_token = self.controller.authenticate(self.make_request(),
body_dict)
tenant = scoped_token["access"]["token"]["tenant"]
roles = scoped_token["access"]["metadata"]["roles"]
@ -394,7 +400,7 @@ class AuthWithToken(AuthTest):
def test_belongs_to_no_tenant(self):
r = self.controller.authenticate(
{},
self.make_request(),
auth={
'passwordCredentials': {
'username': self.user_foo['name'],
@ -405,7 +411,8 @@ class AuthWithToken(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.validate_token,
dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
self.make_request(is_admin=True,
query_string={'belongsTo': 'BAR'}),
token_id=unscoped_token_id)
def test_belongs_to(self):
@ -414,26 +421,28 @@ class AuthWithToken(AuthTest):
password='foo2',
tenant_name="BAR")
scoped_token = self.controller.authenticate({}, body_dict)
scoped_token = self.controller.authenticate(self.make_request(),
body_dict)
scoped_token_id = scoped_token['access']['token']['id']
self.assertRaises(
exception.Unauthorized,
self.controller.validate_token,
dict(is_admin=True, query_string={'belongsTo': 'me'}),
self.make_request(is_admin=True, query_string={'belongsTo': 'me'}),
token_id=scoped_token_id)
self.assertRaises(
exception.Unauthorized,
self.controller.validate_token,
dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
self.make_request(is_admin=True,
query_string={'belongsTo': 'BAR'}),
token_id=scoped_token_id)
def test_token_auth_with_binding(self):
self.config_fixture.config(group='token', bind=['kerberos'])
body_dict = _build_user_auth()
unscoped_token = self.controller.authenticate(
self.context_with_remote_user, body_dict)
self.request_with_remote_user, body_dict)
# the token should have bind information in it
bind = unscoped_token['access']['token']['bind']
@ -447,11 +456,11 @@ class AuthWithToken(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
self.empty_context, body_dict)
self.empty_request, body_dict)
# using token with remote user context succeeds
scoped_token = self.controller.authenticate(
self.context_with_remote_user, body_dict)
self.request_with_remote_user, body_dict)
# the bind information should be carried over from the original token
bind = scoped_token['access']['token']['bind']
@ -466,34 +475,31 @@ class AuthWithToken(AuthTest):
self.role_api.create_role(role_one['id'], role_one)
self.assignment_api.add_role_to_user_and_project(
self.user_foo['id'], project1['id'], role_one['id'])
no_context = {}
# Get a scoped token for the tenant
body_dict = _build_user_auth(
username=self.user_foo['name'],
password=self.user_foo['password'],
tenant_name=project1['name'])
token = self.controller.authenticate(no_context, body_dict)
token = self.controller.authenticate(self.empty_request, body_dict)
# Ensure it is valid
token_id = token['access']['token']['id']
self.controller.validate_token(
dict(is_admin=True, query_string={}),
token_id=token_id)
self.controller.validate_token(self.make_request(is_admin=True),
token_id=token_id)
# Delete the role, which should invalidate the token
role_controller.delete_role(
dict(is_admin=True, query_string={}), role_one['id'])
role_controller.delete_role(self.make_request(is_admin=True),
role_one['id'])
# Check the token is now invalid
self.assertRaises(
exception.TokenNotFound,
self.controller.validate_token,
dict(is_admin=True, query_string={}),
self.make_request(is_admin=True),
token_id=token_id)
def test_deleting_role_assignment_does_not_revoke_unscoped_token(self):
no_context = {}
admin_context = dict(is_admin=True, query_string={})
admin_request = self.make_request(is_admin=True)
project = unit.new_project_ref(
domain_id=CONF.identity.default_domain_id)
@ -504,13 +510,14 @@ class AuthWithToken(AuthTest):
self.user_foo['id'], project['id'], role['id'])
# Get an unscoped token.
token = self.controller.authenticate(no_context, _build_user_auth(
username=self.user_foo['name'],
password=self.user_foo['password']))
token = self.controller.authenticate(
self.make_request(),
_build_user_auth(username=self.user_foo['name'],
password=self.user_foo['password']))
token_id = token['access']['token']['id']
# Ensure it is valid
self.controller.validate_token(admin_context, token_id=token_id)
self.controller.validate_token(admin_request, token_id=token_id)
# Delete the role assignment, which should not invalidate the token,
# because we're not consuming it with just an unscoped token.
@ -518,23 +525,23 @@ class AuthWithToken(AuthTest):
self.user_foo['id'], project['id'], role['id'])
# Ensure it is still valid
self.controller.validate_token(admin_context, token_id=token_id)
self.controller.validate_token(admin_request, token_id=token_id)
def test_only_original_audit_id_is_kept(self):
context = {}
def get_audit_ids(token):
return token['access']['token']['audit_ids']
# get a token
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
starting_audit_id = get_audit_ids(unscoped_token)[0]
self.assertIsNotNone(starting_audit_id)
# get another token to ensure the correct parent audit_id is set
body_dict = _build_user_auth(token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
unscoped_token_2 = self.controller.authenticate(self.make_request(),
body_dict)
audit_ids = get_audit_ids(unscoped_token_2)
self.assertThat(audit_ids, matchers.HasLength(2))
self.assertThat(audit_ids[-1], matchers.Equals(starting_audit_id))
@ -542,24 +549,26 @@ class AuthWithToken(AuthTest):
# get another token from token 2 and ensure the correct parent
# audit_id is set
body_dict = _build_user_auth(token=unscoped_token_2["access"]["token"])
unscoped_token_3 = self.controller.authenticate(context, body_dict)
unscoped_token_3 = self.controller.authenticate(self.make_request(),
body_dict)
audit_ids = get_audit_ids(unscoped_token_3)
self.assertThat(audit_ids, matchers.HasLength(2))
self.assertThat(audit_ids[-1], matchers.Equals(starting_audit_id))
def test_revoke_by_audit_chain_id_original_token(self):
self.config_fixture.config(group='token', revoke_by_id=False)
context = {}
# get a token
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
token_id = unscoped_token['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
# get a second token
body_dict = _build_user_auth(token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
unscoped_token_2 = self.controller.authenticate(self.make_request(),
body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
@ -574,17 +583,18 @@ class AuthWithToken(AuthTest):
def test_revoke_by_audit_chain_id_chained_token(self):
self.config_fixture.config(group='token', revoke_by_id=False)
context = {}
# get a token
body_dict = _build_user_auth(username='FOO', password='foo2')
unscoped_token = self.controller.authenticate(context, body_dict)
unscoped_token = self.controller.authenticate(self.make_request(),
body_dict)
token_id = unscoped_token['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
# get a second token
body_dict = _build_user_auth(token=unscoped_token["access"]["token"])
unscoped_token_2 = self.controller.authenticate(context, body_dict)
unscoped_token_2 = self.controller.authenticate(self.make_request(),
body_dict)
token_2_id = unscoped_token_2['access']['token']['id']
self.time_fixture.advance_time_seconds(1)
@ -616,7 +626,7 @@ class FernetAuthWithToken(AuthWithToken):
body_dict = _build_user_auth()
self.assertRaises(exception.NotImplemented,
self.controller.authenticate,
self.context_with_remote_user,
self.request_with_remote_user,
body_dict)
def test_revoke_with_no_audit_info(self):
@ -635,7 +645,7 @@ class AuthWithPasswordCredentials(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_auth_valid_user_invalid_password(self):
"""Verify exception is raised if invalid password."""
@ -645,7 +655,7 @@ class AuthWithPasswordCredentials(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_auth_empty_password(self):
"""Verify exception is raised if empty password."""
@ -655,7 +665,7 @@ class AuthWithPasswordCredentials(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{}, body_dict)
self.empty_request, body_dict)
def test_auth_no_password(self):
"""Verify exception is raised if empty password."""
@ -663,14 +673,14 @@ class AuthWithPasswordCredentials(AuthTest):
self.assertRaises(
exception.ValidationError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_blank_password_credentials(self):
"""Sending empty dict as passwordCredentials raises 400 Bad Requset."""
body_dict = {'passwordCredentials': {}, 'tenantName': 'demo'}
self.assertRaises(exception.ValidationError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_authenticate_no_username(self):
"""Verify skipping username raises the right exception."""
@ -678,13 +688,13 @@ class AuthWithPasswordCredentials(AuthTest):
tenant_name="demo")
self.assertRaises(exception.ValidationError,
self.controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_bind_without_remote_user(self):
self.config_fixture.config(group='token', bind=['kerberos'])
body_dict = _build_user_auth(username='FOO', password='foo2',
tenant_name='BAR')
token = self.controller.authenticate({}, body_dict)
token = self.controller.authenticate(self.make_request(), body_dict)
self.assertNotIn('bind', token['access']['token'])
def test_change_default_domain_id(self):
@ -715,7 +725,7 @@ class AuthWithPasswordCredentials(AuthTest):
password=new_user['password'])
# The test is successful if this doesn't raise, so no need to assert.
self.controller.authenticate({}, body_dict)
self.controller.authenticate(self.make_request(), body_dict)
class AuthWithRemoteUser(AuthTest):
@ -725,11 +735,11 @@ class AuthWithRemoteUser(AuthTest):
username='FOO',
password='foo2')
local_token = self.controller.authenticate(
{}, body_dict)
self.make_request(), body_dict)
body_dict = _build_user_auth()
remote_token = self.controller.authenticate(
self.context_with_remote_user, body_dict)
self.request_with_remote_user, body_dict)
self.assertEqualTokens(local_token, remote_token,
enforce_audit_ids=False)
@ -739,7 +749,7 @@ class AuthWithRemoteUser(AuthTest):
self.assertRaises(
exception.ValidationError,
self.controller.authenticate,
{'REMOTE_USER': 'FOO'},
self.make_request(environ={'REMOTE_USER': 'FOO'}),
None)
def test_scoped_remote_authn(self):
@ -749,12 +759,12 @@ class AuthWithRemoteUser(AuthTest):
password='foo2',
tenant_name='BAR')
local_token = self.controller.authenticate(
{}, body_dict)
self.make_request(), body_dict)
body_dict = _build_user_auth(
tenant_name='BAR')
remote_token = self.controller.authenticate(
self.context_with_remote_user, body_dict)
self.request_with_remote_user, body_dict)
self.assertEqualTokens(local_token, remote_token,
enforce_audit_ids=False)
@ -766,11 +776,11 @@ class AuthWithRemoteUser(AuthTest):
password='two2',
tenant_name='BAZ')
local_token = self.controller.authenticate(
{}, body_dict)
self.make_request(), body_dict)
body_dict = _build_user_auth(tenant_name='BAZ')
remote_token = self.controller.authenticate(
{'environment': {'REMOTE_USER': 'TWO'}}, body_dict)
self.make_request(environ={'REMOTE_USER': 'TWO'}), body_dict)
self.assertEqualTokens(local_token, remote_token,
enforce_audit_ids=False)
@ -781,20 +791,20 @@ class AuthWithRemoteUser(AuthTest):
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate,
{'environment': {'REMOTE_USER': uuid.uuid4().hex}},
self.make_request(environ={'REMOTE_USER': uuid.uuid4().hex}),
body_dict)
def test_bind_with_kerberos(self):
self.config_fixture.config(group='token', bind=['kerberos'])
body_dict = _build_user_auth(tenant_name="BAR")
token = self.controller.authenticate(self.context_with_remote_user,
token = self.controller.authenticate(self.request_with_remote_user,
body_dict)
self.assertEqual('FOO', token['access']['token']['bind']['kerberos'])
def test_bind_without_config_opt(self):
self.config_fixture.config(group='token', bind=['x509'])
body_dict = _build_user_auth(tenant_name='BAR')
token = self.controller.authenticate(self.context_with_remote_user,
token = self.controller.authenticate(self.request_with_remote_user,
body_dict)
self.assertNotIn('bind', token['access']['token'])
@ -824,7 +834,7 @@ class AuthWithTrust(AuthTest):
super(AuthWithTrust, self).config_overrides()
self.config_fixture.config(group='trust', enabled=True)
def _create_auth_context(self, token_id):
def _create_auth_request(self, token_id):
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(token_id))
@ -834,31 +844,35 @@ class AuthWithTrust(AuthTest):
# variables wsgi.url_scheme, SERVER_NAME, SERVER_PORT, and SCRIPT_NAME.
# We have to set them in the context so the base url can be constructed
# accordingly.
return {'environment': {authorization.AUTH_CONTEXT_ENV: auth_context,
'wsgi.url_scheme': 'http',
'SCRIPT_NAME': '/v3',
'SERVER_PORT': '80',
'SERVER_NAME': HOST},
'token_id': token_id,
'host_url': HOST_URL}
environ = {authorization.AUTH_CONTEXT_ENV: auth_context,
'wsgi.url_scheme': 'http',
'HTTP_HOST': HOST_URL,
'SCRIPT_NAME': '/v3',
'SERVER_PORT': '80',
'SERVER_NAME': HOST}
req = self.make_request(environ=environ)
req.context_dict['token_id'] = token_id
return req
def create_trust(self, trust_data, trustor_name, expires_at=None,
impersonation=True):
username = trustor_name
password = 'foo2'
unscoped_token = self.get_unscoped_token(username, password)
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
trust_data_copy = copy.deepcopy(trust_data)
trust_data_copy['expires_at'] = expires_at
trust_data_copy['impersonation'] = impersonation
return self.trust_controller.create_trust(
context, trust=trust_data_copy)['trust']
request, trust=trust_data_copy)['trust']
def get_unscoped_token(self, username, password='foo2'):
body_dict = _build_user_auth(username=username, password=password)
return self.controller.authenticate({}, body_dict)
return self.controller.authenticate(self.make_request(), body_dict)
def build_v2_token_request(self, username, password, trust,
tenant_id=None):
@ -873,7 +887,7 @@ class AuthWithTrust(AuthTest):
def test_create_trust_bad_data_fails(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
bad_sample_data = {'trustor_user_id': self.trustor['id'],
'project_id': self.tenant_bar['id'],
@ -881,15 +895,16 @@ class AuthWithTrust(AuthTest):
self.assertRaises(exception.ValidationError,
self.trust_controller.create_trust,
context, trust=bad_sample_data)
request, trust=bad_sample_data)
def test_create_trust_no_roles(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = {'token_id': unscoped_token['access']['token']['id']}
req = self.make_request()
req.context_dict['token_id'] = unscoped_token['access']['token']['id']
self.sample_data['roles'] = []
self.assertRaises(exception.Forbidden,
self.trust_controller.create_trust,
context, trust=self.sample_data)
req, trust=self.sample_data)
def test_create_trust(self):
expires_at = (timeutils.utcnow() +
@ -932,12 +947,12 @@ class AuthWithTrust(AuthTest):
Also, token can be generated with that trust.
"""
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
self.sample_data['project_id'] = None
self.sample_data['roles'] = []
new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust']
request, trust=self.sample_data)['trust']
self.assertEqual(self.trustor['id'], new_trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], new_trust['trustee_user_id'])
self.assertIs(new_trust['impersonation'], True)
@ -947,11 +962,11 @@ class AuthWithTrust(AuthTest):
def test_get_trust(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust']
trust = self.trust_controller.get_trust(context,
request, trust=self.sample_data)['trust']
trust = self.trust_controller.get_trust(request,
new_trust['id'])['trust']
self.assertEqual(self.trustor['id'], trust['trustor_user_id'])
self.assertEqual(self.trustee['id'], trust['trustee_user_id'])
@ -962,14 +977,14 @@ class AuthWithTrust(AuthTest):
def test_get_trust_without_auth_context(self):
"""Verify a trust cannot be retrieved if auth context is missing."""
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
new_trust = self.trust_controller.create_trust(
context, trust=self.sample_data)['trust']
request, trust=self.sample_data)['trust']
# Delete the auth context before calling get_trust().
del context['environment'][authorization.AUTH_CONTEXT_ENV]
del request.context_dict['environment'][authorization.AUTH_CONTEXT_ENV]
self.assertRaises(exception.Forbidden,
self.trust_controller.get_trust, context,
self.trust_controller.get_trust, request,
new_trust['id'])
def test_create_trust_no_impersonation(self):
@ -995,7 +1010,7 @@ class AuthWithTrust(AuthTest):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
request_body = self.build_v2_token_request('FOO', 'foo2', new_trust)
self.assertRaises(exception.Forbidden, self.controller.authenticate,
{}, request_body)
self.make_request(), request_body)
def test_token_from_trust_wrong_project_fails(self):
for assigned_role in self.assigned_roles:
@ -1005,11 +1020,12 @@ class AuthWithTrust(AuthTest):
request_body = self.build_v2_token_request('TWO', 'two2', new_trust,
self.tenant_baz['id'])
self.assertRaises(exception.Forbidden, self.controller.authenticate,
{}, request_body)
self.make_request(), request_body)
def fetch_v2_token_from_trust(self, trust):
request_body = self.build_v2_token_request('TWO', 'two2', trust)
auth_response = self.controller.authenticate({}, request_body)
auth_response = self.controller.authenticate(self.make_request(),
request_body)
return auth_response
def fetch_v3_token_from_trust(self, trust, trustee):
@ -1029,10 +1045,8 @@ class AuthWithTrust(AuthTest):
}
}
}
auth_response = (self.auth_v3_controller.authenticate_for_token
({'environment': {},
'query_string': {}},
v3_password_data))
auth_response = self.auth_v3_controller.authenticate_for_token(
self.make_request(), v3_password_data)
token = auth_response.headers['X-Subject-Token']
v3_req_with_trust = {
@ -1041,10 +1055,8 @@ class AuthWithTrust(AuthTest):
"token": {"id": token}},
"scope": {
"OS-TRUST:trust": {"id": trust['id']}}}
token_auth_response = (self.auth_v3_controller.authenticate_for_token
({'environment': {},
'query_string': {}},
v3_req_with_trust))
token_auth_response = self.auth_v3_controller.authenticate_for_token(
self.make_request(), v3_req_with_trust)
return token_auth_response
def test_create_v3_token_from_trust(self):
@ -1075,8 +1087,7 @@ class AuthWithTrust(AuthTest):
self.assertRaises(
exception.Forbidden,
self.auth_v3_controller.authenticate_for_token,
{'environment': {},
'query_string': {}}, v3_token_data)
self.make_request(), v3_token_data)
def test_token_from_trust(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
@ -1111,12 +1122,12 @@ class AuthWithTrust(AuthTest):
tenant_id=self.tenant_bar['id'])
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate, {}, request_body)
self.controller.authenticate, self.make_request(), request_body)
def test_delete_trust_revokes_token(self):
unscoped_token = self.get_unscoped_token(self.trustor['name'])
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
self.fetch_v2_token_from_trust(new_trust)
trust_id = new_trust['id']
@ -1124,7 +1135,7 @@ class AuthWithTrust(AuthTest):
self.trustor['id'],
trust_id=trust_id)
self.assertEqual(1, len(tokens))
self.trust_controller.delete_trust(context, trust_id=trust_id)
self.trust_controller.delete_trust(request, trust_id=trust_id)
tokens = self.token_provider_api._persistence._list_tokens(
self.trustor['id'],
trust_id=trust_id)
@ -1138,7 +1149,7 @@ class AuthWithTrust(AuthTest):
request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
self.controller.authenticate, self.make_request(), request_body)
def test_expired_trust_get_token_fails(self):
expires_at = (timeutils.utcnow() +
@ -1152,7 +1163,8 @@ class AuthWithTrust(AuthTest):
new_trust)
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
self.controller.authenticate,
self.make_request(), request_body)
def test_token_from_trust_with_wrong_role_fails(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
@ -1168,7 +1180,7 @@ class AuthWithTrust(AuthTest):
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
self.controller.authenticate, self.make_request(), request_body)
def test_do_not_consume_remaining_uses_when_get_token_fails(self):
trust_data = copy.deepcopy(self.sample_data)
@ -1181,12 +1193,14 @@ class AuthWithTrust(AuthTest):
request_body = self.build_v2_token_request('TWO', 'two2', new_trust)
self.assertRaises(exception.Forbidden,
self.controller.authenticate, {}, request_body)
self.controller.authenticate,
self.make_request(),
request_body)
unscoped_token = self.get_unscoped_token(self.trustor['name'])
context = self._create_auth_context(
request = self._create_auth_request(
unscoped_token['access']['token']['id'])
trust = self.trust_controller.get_trust(context,
trust = self.trust_controller.get_trust(request,
new_trust['id'])['trust']
self.assertEqual(3, trust['remaining_uses'])
@ -1202,7 +1216,7 @@ class AuthWithTrust(AuthTest):
self.disable_user(self.trustor)
self.assertRaises(
exception.Forbidden,
self.controller.authenticate, {}, request_body)
self.controller.authenticate, self.make_request(), request_body)
def test_trust_get_token_fails_if_trustee_disabled(self):
new_trust = self.create_trust(self.sample_data, self.trustor['name'])
@ -1212,7 +1226,7 @@ class AuthWithTrust(AuthTest):
self.disable_user(self.trustee)
self.assertRaises(
exception.Unauthorized,
self.controller.authenticate, {}, request_body)
self.controller.authenticate, self.make_request(), request_body)
class TokenExpirationTest(AuthTest):
@ -1224,7 +1238,7 @@ class TokenExpirationTest(AuthTest):
mock_utcnow.return_value = now
r = self.controller.authenticate(
{},
self.make_request(),
auth={
'passwordCredentials': {
'username': self.user_foo['name'],
@ -1237,14 +1251,14 @@ class TokenExpirationTest(AuthTest):
mock_utcnow.return_value = now + datetime.timedelta(seconds=1)
r = self.controller.validate_token(
dict(is_admin=True, query_string={}),
self.make_request(is_admin=True),
token_id=unscoped_token_id)
self.assertEqual(original_expiration, r['access']['token']['expires'])
mock_utcnow.return_value = now + datetime.timedelta(seconds=2)
r = self.controller.authenticate(
{},
self.make_request(),
auth={
'token': {
'id': unscoped_token_id,
@ -1257,7 +1271,7 @@ class TokenExpirationTest(AuthTest):
mock_utcnow.return_value = now + datetime.timedelta(seconds=3)
r = self.controller.validate_token(
dict(is_admin=True, query_string={}),
self.make_request(is_admin=True),
token_id=scoped_token_id)
self.assertEqual(original_expiration, r['access']['token']['expires'])
@ -1321,7 +1335,7 @@ class AuthCatalog(unit.SQLDriverOverrides, AuthTest):
password='foo2',
tenant_name="BAR")
token = self.controller.authenticate({}, body_dict)
token = self.controller.authenticate(self.make_request(), body_dict)
# Check the catalog
self.assertEqual(1, len(token['access']['serviceCatalog']))
@ -1347,12 +1361,12 @@ class AuthCatalog(unit.SQLDriverOverrides, AuthTest):
password='foo2',
tenant_name="BAR")
token = self.controller.authenticate({}, body_dict)
token = self.controller.authenticate(self.make_request(), body_dict)
# Validate
token_id = token['access']['token']['id']
validate_ref = self.controller.validate_token(
dict(is_admin=True, query_string={}),
self.make_request(is_admin=True),
token_id=token_id)
# Check the catalog

17
keystone/tests/unit/test_auth_plugin.py
View File

@ -73,7 +73,7 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_info = auth.controllers.AuthInfo.create(None, auth_data)
auth_context = {'extras': {}, 'method_names': []}
try:
self.api.authenticate({'environment': {}}, auth_info, auth_context)
self.api.authenticate(self.make_request(), auth_info, auth_context)
except exception.AdditionalAuthRequired as e:
self.assertIn('methods', e.authentication)
self.assertIn(METHOD_NAME, e.authentication['methods'])
@ -87,7 +87,7 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_data = {'identity': auth_data}
auth_info = auth.controllers.AuthInfo.create(None, auth_data)
auth_context = {'extras': {}, 'method_names': []}
self.api.authenticate({'environment': {}}, auth_info, auth_context)
self.api.authenticate(self.make_request(), auth_info, auth_context)
self.assertEqual(DEMO_USER_ID, auth_context['user_id'])
# test incorrect response
@ -99,7 +99,7 @@ class TestAuthPlugin(unit.SQLDriverOverrides, unit.TestCase):
auth_context = {'extras': {}, 'method_names': []}
self.assertRaises(exception.Unauthorized,
self.api.authenticate,
{'environment': {}},
self.make_request(),
auth_info,
auth_context)
@ -146,18 +146,19 @@ class TestMapped(unit.TestCase):
with mock.patch.object(auth.plugins.mapped.Mapped,
'authenticate',
return_value=None) as authenticate:
context = {'environment': {}}
request = self.make_request()
auth_data = {
'identity': {
'methods': [method_name],
method_name: {'protocol': method_name},
}
}
auth_info = auth.controllers.AuthInfo.create(context, auth_data)
auth_info = auth.controllers.AuthInfo.create(request.context_dict,
auth_data)
auth_context = {'extras': {},
'method_names': [],
'user_id': uuid.uuid4().hex}
self.api.authenticate(context, auth_info, auth_context)
self.api.authenticate(request, auth_info, auth_context)
# make sure Mapped plugin got invoked with the correct payload
((context, auth_payload, auth_context),
kwargs) = authenticate.call_args
@ -178,8 +179,8 @@ class TestMapped(unit.TestCase):
auth_context = {'extras': {},
'method_names': [],
'user_id': uuid.uuid4().hex}
environment = {'environment': {'REMOTE_USER': 'foo@idp.com'}}
self.api.authenticate(environment, auth_info, auth_context)
request = self.make_request(environ={'REMOTE_USER': 'foo@idp.com'})
self.api.authenticate(request, auth_info, auth_context)
# make sure Mapped plugin got invoked with the correct payload
((context, auth_payload, auth_context),
kwargs) = authenticate.call_args

2
keystone/tests/unit/test_cert_setup.py
View File

@ -76,7 +76,7 @@ class CertSetupTestCase(rest.RestfulTestCase):
}
self.assertRaises(exception.UnexpectedError,
controller.authenticate,
{}, body_dict)
self.make_request(), body_dict)
def test_create_pki_certs(self, rebuild=False):
pki = openssl.ConfigurePKI(None, None, rebuild=rebuild)

42
keystone/tests/unit/test_v2_controller.py
View File

@ -12,8 +12,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import copy
import uuid
from testtools import matchers
@ -26,9 +24,6 @@ from keystone.tests.unit import default_fixtures
from keystone.tests.unit.ksfixtures import database
_ADMIN_CONTEXT = {'is_admin': True, 'query_string': {}}
class TenantTestCase(unit.TestCase):
"""Test for the V2 Tenant controller.
@ -57,18 +52,19 @@ class TenantTestCase(unit.TestCase):
project_id = self.tenant_bar['id']
orig_project_users = (
self.assignment_tenant_controller.get_project_users(_ADMIN_CONTEXT,
project_id))
self.assignment_tenant_controller.get_project_users(
self.make_request(is_admin=True), project_id))
# Assign a role to a user that doesn't exist to the `bar` project.
user_id = uuid.uuid4().hex
self.assignment_role_controller.add_role_to_user(
_ADMIN_CONTEXT, user_id, self.role_other['id'], project_id)
self.make_request(is_admin=True), user_id,
self.role_other['id'], project_id)
new_project_users = (
self.assignment_tenant_controller.get_project_users(_ADMIN_CONTEXT,
project_id))
self.assignment_tenant_controller.get_project_users(
self.make_request(is_admin=True), project_id))
# The new user isn't included in the result, so no change.
# asserting that the expected values appear in the list,
@ -93,7 +89,8 @@ class TenantTestCase(unit.TestCase):
# Now list all projects using the v2 API - we should only get
# back those in the default features, since only those are in the
# default domain.
refs = self.tenant_controller.get_all_projects(_ADMIN_CONTEXT)
refs = self.tenant_controller.get_all_projects(
self.make_request(is_admin=True))
self.assertEqual(len(default_fixtures.TENANTS), len(refs['tenants']))
for tenant in default_fixtures.TENANTS:
tenant_copy = tenant.copy()
@ -111,21 +108,21 @@ class TenantTestCase(unit.TestCase):
"""Test that get project does not return is_domain projects."""
project = self._create_is_domain_project()
context = copy.deepcopy(_ADMIN_CONTEXT)
context['query_string']['name'] = project['name']
request = self.make_request(is_admin=True)
request.context_dict['query_string']['name'] = project['name']
self.assertRaises(
exception.ProjectNotFound,
self.tenant_controller.get_all_projects,
context)
request)
context = copy.deepcopy(_ADMIN_CONTEXT)
context['query_string']['name'] = project['id']
request = self.make_request(is_admin=True)
request.context_dict['query_string']['name'] = project['id']
self.assertRaises(
exception.ProjectNotFound,
self.tenant_controller.get_all_projects,
context)
request)
def test_create_is_domain_project_fails(self):
"""Test that the creation of a project acting as a domain fails."""
@ -135,7 +132,7 @@ class TenantTestCase(unit.TestCase):
self.assertRaises(
exception.ValidationError,
self.tenant_controller.create_project,
_ADMIN_CONTEXT,
self.make_request(is_admin=True),
project)
def test_create_project_passing_is_domain_false_fails(self):
@ -146,7 +143,7 @@ class TenantTestCase(unit.TestCase):
self.assertRaises(
exception.ValidationError,
self.tenant_controller.create_project,
_ADMIN_CONTEXT,
self.make_request(is_admin=True),
project)
def test_update_is_domain_project_not_found(self):
@ -157,7 +154,7 @@ class TenantTestCase(unit.TestCase):
self.assertRaises(
exception.ProjectNotFound,
self.tenant_controller.update_project,
_ADMIN_CONTEXT,
self.make_request(is_admin=True),
project['id'],
project)
@ -168,7 +165,7 @@ class TenantTestCase(unit.TestCase):
self.assertRaises(
exception.ProjectNotFound,
self.tenant_controller.delete_project,
_ADMIN_CONTEXT,
self.make_request(is_admin=True),
project['id'])
def test_list_is_domain_project_not_found(self):
@ -179,7 +176,8 @@ class TenantTestCase(unit.TestCase):
project1 = self._create_is_domain_project()
project2 = self._create_is_domain_project()
refs = self.tenant_controller.get_all_projects(_ADMIN_CONTEXT)
refs = self.tenant_controller.get_all_projects(
self.make_request(is_admin=True))
projects = refs.get('tenants')
self.assertNotIn(project1, projects)

7
keystone/tests/unit/test_v3.py
View File

@ -1301,17 +1301,16 @@ class RestfulTestCase(unit.SQLDriverOverrides, rest.RestfulTestCase,
def build_external_auth_request(self, remote_user,
remote_domain=None, auth_data=None,
kerberos=False):
context = {'environment': {'REMOTE_USER': remote_user,
'AUTH_TYPE': 'Negotiate'}}
environment = {'REMOTE_USER': remote_user, 'AUTH_TYPE': 'Negotiate'}
if remote_domain:
context['environment']['REMOTE_DOMAIN'] = remote_domain
environment['REMOTE_DOMAIN'] = remote_domain
if not auth_data:
auth_data = self.build_authentication_request(
kerberos=kerberos)['auth']
no_context = None
auth_info = auth.controllers.AuthInfo.create(no_context, auth_data)
auth_context = {'extras': {}, 'method_names': []}
return context, auth_info, auth_context
return self.make_request(environ=environment), auth_info, auth_context
class VersionTestCase(RestfulTestCase):

55
keystone/tests/unit/test_v3_auth.py
View File

@ -2493,11 +2493,11 @@ class TestAuthExternalDisabled(test_v3.RestfulTestCase):
def test_remote_user_disabled(self):
api = auth.controllers.Auth()
remote_user = '%s@%s' % (self.user['name'], self.domain['name'])
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
remote_user)
self.assertRaises(exception.Unauthorized,
api.authenticate,
context,
request,
auth_info,
auth_context)
@ -2514,10 +2514,10 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
api = auth.controllers.Auth()
remote_user = self.user['name']
remote_domain = self.domain['name']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
remote_user, remote_domain=remote_domain, kerberos=self.kerberos)
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.user['id'], auth_context['user_id'])
# Now test to make sure the user name can, itself, contain the
@ -2525,10 +2525,10 @@ class TestAuthExternalDomain(test_v3.RestfulTestCase):
user = {'name': 'myname@mydivision'}
self.identity_api.update_user(self.user['id'], user)
remote_user = user['name']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
remote_user, remote_domain=remote_domain, kerberos=self.kerberos)
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.user['id'], auth_context['user_id'])
def test_project_id_scoped_with_remote_user(self):
@ -2570,10 +2570,10 @@ class TestAuthExternalDefaultDomain(test_v3.RestfulTestCase):
def test_remote_user_with_default_domain(self):
api = auth.controllers.Auth()
remote_user = self.default_domain_user['name']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
remote_user, kerberos=self.kerberos)
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.default_domain_user['id'],
auth_context['user_id'])
@ -2582,10 +2582,10 @@ class TestAuthExternalDefaultDomain(test_v3.RestfulTestCase):
user = {'name': 'myname@mydivision'}
self.identity_api.update_user(self.default_domain_user['id'], user)
remote_user = user['name']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
remote_user, kerberos=self.kerberos)
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.default_domain_user['id'],
auth_context['user_id'])
@ -3204,28 +3204,28 @@ class TestAuth(test_v3.RestfulTestCase):
def test_remote_user_no_realm(self):
api = auth.controllers.Auth()
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
self.default_domain_user['name'])
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.default_domain_user['id'],
auth_context['user_id'])
# Now test to make sure the user name can, itself, contain the
# '@' character.
user = {'name': 'myname@mydivision'}
self.identity_api.update_user(self.default_domain_user['id'], user)
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
user["name"])
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
self.assertEqual(self.default_domain_user['id'],
auth_context['user_id'])
def test_remote_user_no_domain(self):
api = auth.controllers.Auth()
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
self.user['name'])
self.assertRaises(exception.Unauthorized,
api.authenticate,
context,
request,
auth_info,
auth_context)
@ -3237,10 +3237,10 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_id=self.default_domain_user['domain_id'],
username=self.default_domain_user['name'],
password=self.default_domain_user['password'])['auth']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
self.default_domain_user['name'], auth_data=auth_data)
api.authenticate(context, auth_info, auth_context)
api.authenticate(request, auth_info, auth_context)
def test_remote_user_and_explicit_external(self):
# both REMOTE_USER and password methods must pass.
@ -3256,7 +3256,7 @@ class TestAuth(test_v3.RestfulTestCase):
auth_context = {'extras': {}, 'method_names': []}
self.assertRaises(exception.Unauthorized,
api.authenticate,
self.empty_context,
self.make_request(),
auth_info,
auth_context)
@ -3267,11 +3267,11 @@ class TestAuth(test_v3.RestfulTestCase):
user_domain_id=self.domain['id'],
username=self.user['name'],
password='badpassword')['auth']
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
self.default_domain_user['name'], auth_data=auth_data)
self.assertRaises(exception.Unauthorized,
api.authenticate,
context,
request,
auth_info,
auth_context)
@ -3639,11 +3639,11 @@ class TestAuthJSONExternal(test_v3.RestfulTestCase):
def test_remote_user_no_method(self):
api = auth.controllers.Auth()
context, auth_info, auth_context = self.build_external_auth_request(
request, auth_info, auth_context = self.build_external_auth_request(
self.default_domain_user['name'])
self.assertRaises(exception.Unauthorized,
api.authenticate,
context,
request,
auth_info,
auth_context)
@ -4618,11 +4618,10 @@ class TestAPIProtectionWithoutAuthContextMiddleware(test_v3.RestfulTestCase):
auth_controller = auth.controllers.Auth()
# all we care is that auth context is not in the environment and
# 'token_id' is used to build the auth context instead
context = {'subject_token_id': token,
'token_id': token,
'query_string': {},
'environment': {}}
r = auth_controller.validate_token(context)
request = self.make_request()
request.context_dict['subject_token_id'] = token
request.context_dict['token_id'] = token
r = auth_controller.validate_token(request)
self.assertEqual(http_client.OK, r.status_code)

94
keystone/tests/unit/test_v3_federation.py
View File

@ -159,11 +159,11 @@ class FederatedSetupMixin(object):
assertion='EMPLOYEE_ASSERTION',
environment=None):
api = federation_controllers.Auth()
context = {'environment': environment or {}}
self._inject_assertion(context, assertion)
request = self.make_request(environ=environment or {})
self._inject_assertion(request, assertion)
if idp is None:
idp = self.IDP
r = api.federated_authentication(context, idp, self.PROTOCOL)
r = api.federated_authentication(request, idp, self.PROTOCOL)
return r
def idp_ref(self, id=None):
@ -206,10 +206,10 @@ class FederatedSetupMixin(object):
}
}
def _inject_assertion(self, context, variant, query_string=None):
def _inject_assertion(self, request, variant, query_string=None):
assertion = getattr(mapping_fixtures, variant)
context['environment'].update(assertion)
context['query_string'] = query_string or []
request.context_dict['environment'].update(assertion)
request.context_dict['query_string'] = query_string or []
def load_federation_sample_data(self):
"""Inject additional data."""
@ -719,15 +719,15 @@ class FederatedSetupMixin(object):
self.proto_saml['id'],
self.proto_saml)
# Generate fake tokens
context = {'environment': {}}
request = self.make_request()
self.tokens = {}
VARIANTS = ('EMPLOYEE_ASSERTION', 'CUSTOMER_ASSERTION',
'ADMIN_ASSERTION')
api = auth_controllers.Auth()
for variant in VARIANTS:
self._inject_assertion(context, variant)
r = api.authenticate_for_token(context, self.UNSCOPED_V3_SAML2_REQ)
self._inject_assertion(request, variant)
r = api.authenticate_for_token(request, self.UNSCOPED_V3_SAML2_REQ)
self.tokens[variant] = r.headers.get('X-Subject-Token')
self.TOKEN_SCOPE_PROJECT_FROM_NONEXISTENT_TOKEN = self._scope_request(
@ -1759,16 +1759,14 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
"""
api = auth_controllers.Auth()
context = {
'environment': {
'malformed_object': object(),
'another_bad_idea': tuple(range(10)),
'yet_another_bad_param': dict(zip(uuid.uuid4().hex,
range(32)))
}
environ = {
'malformed_object': object(),
'another_bad_idea': tuple(range(10)),
'yet_another_bad_param': dict(zip(uuid.uuid4().hex, range(32)))
}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION')
r = api.authenticate_for_token(context, self.UNSCOPED_V3_SAML2_REQ)
request = self.make_request(environ=environ)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION')
r = api.authenticate_for_token(request, self.UNSCOPED_V3_SAML2_REQ)
self.assertIsNotNone(r.headers.get('X-Subject-Token'))
def test_scope_to_project_once_notify(self):
@ -1858,11 +1856,11 @@ class FederatedTokenTests(test_v3.RestfulTestCase, FederatedSetupMixin):
def test_issue_token_from_rules_without_user(self):
api = auth_controllers.Auth()
context = {'environment': {}}
self._inject_assertion(context, 'BAD_TESTER_ASSERTION')
request = self.make_request()
self._inject_assertion(request, 'BAD_TESTER_ASSERTION')
self.assertRaises(exception.Unauthorized,
api.authenticate_for_token,
context, self.UNSCOPED_V3_SAML2_REQ)
request, self.UNSCOPED_V3_SAML2_REQ)
def test_issue_token_with_nonexistent_group(self):
"""Inject assertion that matches rule issuing bad group id.
@ -3547,10 +3545,10 @@ class WebSSOTests(FederatedTokenTests):
def test_federated_sso_auth(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': self.ORIGIN}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_sso_auth(request, self.PROTOCOL)
# `resp.body` will be `str` in Python 2 and `bytes` in Python 3
# which is why expected value: `self.TRUSTED_DASHBOARD`
# needs to be encoded
@ -3577,10 +3575,10 @@ class WebSSOTests(FederatedTokenTests):
remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': self.ORIGIN}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_sso_auth(request, self.PROTOCOL)
# `resp.body` will be `str` in Python 2 and `bytes` in Python 3
# which is why expected value: `self.TRUSTED_DASHBOARD`
# needs to be encoded
@ -3588,61 +3586,61 @@ class WebSSOTests(FederatedTokenTests):
def test_federated_sso_auth_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': self.ORIGIN}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
self.assertRaises(exception.IdentityProviderNotFound,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_federated_sso_missing_query(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION')
request = self.make_request(environ=environment)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION')
self.assertRaises(exception.ValidationError,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_federated_sso_missing_query_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP}
context = {'environment': environment}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION')
request = self.make_request(environ=environment)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION')
self.assertRaises(exception.ValidationError,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_federated_sso_untrusted_dashboard(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': uuid.uuid4().hex}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
self.assertRaises(exception.Unauthorized,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_federated_sso_untrusted_dashboard_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': uuid.uuid4().hex}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
self.assertRaises(exception.Unauthorized,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_federated_sso_missing_remote_id(self):
context = {'environment': {}}
request = self.make_request()
query_string = {'origin': self.ORIGIN}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
self.assertRaises(exception.Unauthorized,
self.api.federated_sso_auth,
context, self.PROTOCOL)
request, self.PROTOCOL)
def test_identity_provider_specific_federated_authentication(self):
environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
context = {'environment': environment}
request = self.make_request(environ=environment)
query_string = {'origin': self.ORIGIN}
self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_idp_specific_sso_auth(context,
self._inject_assertion(request, 'EMPLOYEE_ASSERTION', query_string)
resp = self.api.federated_idp_specific_sso_auth(request,
self.idp['id'],
self.PROTOCOL)
# `resp.body` will be `str` in Python 2 and `bytes` in Python 3

28
keystone/tests/unit/test_wsgi.py
View File

@ -33,13 +33,13 @@ from keystone.tests import unit
class FakeApp(wsgi.Application):
def index(self, context):
def index(self, request):
return {'a': 'b'}
class FakeAttributeCheckerApp(wsgi.Application):
def index(self, context):
return context['query_string']
def index(self, request):
return request.context_dict['query_string']
def assert_attribute(self, body, attr):
"""Assert that the given request has a certain attribute."""
@ -88,16 +88,16 @@ class ApplicationTest(BaseWSGITest):
def test_query_string_available(self):
class FakeApp(wsgi.Application):
def index(self, context):
return context['query_string']
def index(self, request):
return request.context_dict['query_string']
req = self._make_request(url='/?1=2')
resp = req.get_response(FakeApp())
self.assertEqual({'1': '2'}, jsonutils.loads(resp.body))
def test_headers_available(self):
class FakeApp(wsgi.Application):
def index(self, context):
return context['headers']
def index(self, request):
return request.context_dict['headers']
app = FakeApp()
req = self._make_request(url='/?1=2')
@ -221,8 +221,8 @@ class ApplicationTest(BaseWSGITest):
def test_improperly_encoded_params(self):
class FakeApp(wsgi.Application):
def index(self, context):
return context['query_string']
def index(self, request):
return request.context_dict['query_string']
# this is high bit set ASCII, copy & pasted from Windows.
# aka code page 1252. It is not valid UTF8.
req = self._make_request(url='/?name=nonexit%E8nt')
@ -231,8 +231,8 @@ class ApplicationTest(BaseWSGITest):
def test_properly_encoded_params(self):
class FakeApp(wsgi.Application):
def index(self, context):
return context['query_string']
def index(self, request):
return request.context_dict['query_string']
# nonexitènt encoded as UTF-8
req = self._make_request(url='/?name=nonexit%C3%A8nt')
resp = req.get_response(FakeApp())
@ -241,8 +241,8 @@ class ApplicationTest(BaseWSGITest):
def test_base_url(self):
class FakeApp(wsgi.Application):
def index(self, context):
return self.base_url(context, 'public')
def index(self, request):
return self.base_url(request.context_dict, 'public')
req = self._make_request(url='/')
# NOTE(gyee): according to wsgiref, if HTTP_HOST is present in the
# request environment, it will be used to construct the base url.
@ -582,7 +582,7 @@ class LocalizedResponseTest(unit.TestCase):
# Fake app raises NotFound exception to simulate Keystone raising.
class FakeApp(wsgi.Application):
def index(self, context):
def index(self, request):
raise exception.NotFound(target=target)
# Make the request with Accept-Language on the app, expect an error

30
keystone/token/controllers.py
View File

@ -48,19 +48,19 @@ class ExternalAuthNotApplicable(Exception):
class Auth(controller.V2Controller):
@controller.v2_deprecated
def ca_cert(self, context, auth=None):
def ca_cert(self, request, auth=None):
with open(CONF.signing.ca_certs, 'r') as ca_file:
data = ca_file.read()
return data
@controller.v2_deprecated
def signing_cert(self, context, auth=None):
def signing_cert(self, request, auth=None):
with open(CONF.signing.certfile, 'r') as cert_file:
data = cert_file.read()
return data
@controller.v2_auth_deprecated
def authenticate(self, context, auth=None):
def authenticate(self, request, auth=None):
"""Authenticate credentials and return a token.
Accept auth as a dict that looks like::
@ -88,16 +88,16 @@ class Auth(controller.V2Controller):
if "token" in auth:
# Try to authenticate using a token
auth_info = self._authenticate_token(
context, auth)
request.context_dict, auth)
else:
# Try external authentication
try:
auth_info = self._authenticate_external(
context, auth)
request.context_dict, auth)
except ExternalAuthNotApplicable:
# Try local authentication
auth_info = self._authenticate_local(
context, auth)
request.context_dict, auth)
user_ref, tenant_ref, metadata_ref, expiry, bind, audit_id = auth_info
# Validate that the auth info is valid and nothing is disabled
@ -421,7 +421,7 @@ class Auth(controller.V2Controller):
@controller.v2_deprecated
@controller.protected()
def validate_token_head(self, context, token_id):
def validate_token_head(self, request, token_id):
"""Check that a token is valid.
Optionally, also ensure that it is owned by a specific tenant.
@ -432,12 +432,12 @@ class Auth(controller.V2Controller):
the content body.
"""
belongs_to = context['query_string'].get('belongsTo')
belongs_to = request.context_dict['query_string'].get('belongsTo')
return self.token_provider_api.validate_v2_token(token_id, belongs_to)
@controller.v2_deprecated
@controller.protected()
def validate_token(self, context, token_id):
def validate_token(self, request, token_id):
"""Check that a token is valid.
Optionally, also ensure that it is owned by a specific tenant.
@ -445,20 +445,20 @@ class Auth(controller.V2Controller):
Returns metadata about the token along any associated roles.
"""
belongs_to = context['query_string'].get('belongsTo')
belongs_to = request.context_dict['query_string'].get('belongsTo')
# TODO(ayoung) validate against revocation API
return self.token_provider_api.validate_v2_token(token_id, belongs_to)
@controller.v2_deprecated
def delete_token(self, context, token_id):
def delete_token(self, request, token_id):
"""Delete a token, effectively invalidating it for authz."""
# TODO(termie): this stuff should probably be moved to middleware
self.assert_admin(context)
self.assert_admin(request.context_dict)
self.token_provider_api.revoke_token(token_id)
@controller.v2_deprecated
@controller.protected()
def revocation_list(self, context, auth=None):
def revocation_list(self, request, auth=None):
if not CONF.token.revoke_by_id:
raise exception.Gone()
tokens = self.token_provider_api.list_revoked_tokens()
@ -476,9 +476,9 @@ class Auth(controller.V2Controller):
return {'signed': signed_text}
@controller.v2_deprecated
def endpoints(self, context, token_id):
def endpoints(self, request, token_id):
"""Return a list of endpoints available to the token."""
self.assert_admin(context)
self.assert_admin(request.context_dict)
token_ref = self._get_token_ref(token_id)

55
keystone/trust/controllers.py
View File

@ -60,13 +60,13 @@ class TrustV3(controller.V3Controller):
return None
return token_ref.user_id
def get_trust(self, context, trust_id):
user_id = self._get_user_id(context)
def get_trust(self, request, trust_id):
user_id = self._get_user_id(request.context_dict)
trust = self.trust_api.get_trust(trust_id)
_trustor_trustee_only(trust, user_id)
self._fill_in_roles(context, trust,
self._fill_in_roles(request.context_dict, trust,
self.role_api.list_roles())
return TrustV3.wrap_member(context, trust)
return TrustV3.wrap_member(request.context_dict, trust)
def _fill_in_roles(self, context, trust, all_roles):
if trust.get('expires_at') is not None:
@ -113,14 +113,14 @@ class TrustV3(controller.V3Controller):
@controller.protected()
@validation.validated(schema.trust_create, 'trust')
def create_trust(self, context, trust):
def create_trust(self, request, trust):
"""Create a new trust.
The user creating the trust must be the trustor.
"""
auth_context = context.get('environment',
{}).get('KEYSTONE_AUTH_CONTEXT', {})
env = request.context_dict.get('environment', {})
auth_context = env.get('KEYSTONE_AUTH_CONTEXT', {})
# Check if delegated via trust
if auth_context.get('is_delegated_auth'):
@ -136,7 +136,7 @@ class TrustV3(controller.V3Controller):
if trust.get('project_id'):
self._require_role(trust)
self._require_user_is_trustor(context, trust)
self._require_user_is_trustor(request.context_dict, trust)
self._require_trustee_exists(trust['trustee_user_id'])
all_roles = self.role_api.list_roles()
# Normalize roles
@ -146,13 +146,13 @@ class TrustV3(controller.V3Controller):
trust['expires_at'] = self._parse_expiration_date(
trust.get('expires_at'))
trust_id = uuid.uuid4().hex
initiator = notifications._get_request_audit_info(context)
initiator = notifications._get_request_audit_info(request.context_dict)
new_trust = self.trust_api.create_trust(trust_id, trust,
normalized_roles,
redelegated_trust,
initiator)
self._fill_in_roles(context, new_trust, all_roles)
return TrustV3.wrap_member(context, new_trust)
self._fill_in_roles(request.context_dict, new_trust, all_roles)
return TrustV3.wrap_member(request.context_dict, new_trust)
def _require_trustee_exists(self, trustee_user_id):
self.identity_api.get_user(trustee_user_id)
@ -215,22 +215,22 @@ class TrustV3(controller.V3Controller):
raise exception.RoleNotFound(role_id=role_id)
@controller.protected()
def list_trusts(self, context):
query = context['query_string']
def list_trusts(self, request):
query = request.context_dict['query_string']
trusts = []
if not query:
self.assert_admin(context)
self.assert_admin(request.context_dict)
trusts += self.trust_api.list_trusts()
if 'trustor_user_id' in query:
user_id = query['trustor_user_id']
calling_user_id = self._get_user_id(context)
calling_user_id = self._get_user_id(request.context_dict)
if user_id != calling_user_id:
raise exception.Forbidden()
trusts += (self.trust_api.
list_trusts_for_trustor(user_id))
if 'trustee_user_id' in query:
user_id = query['trustee_user_id']
calling_user_id = self._get_user_id(context)
calling_user_id = self._get_user_id(request.context_dict)
if user_id != calling_user_id:
raise exception.Forbidden()
trusts += self.trust_api.list_trusts_for_trustee(user_id)
@ -244,27 +244,28 @@ class TrustV3(controller.V3Controller):
trust['expires_at'] = (utils.isotime
(trust['expires_at'],
subsecond=True))
return TrustV3.wrap_collection(context, trusts)
return TrustV3.wrap_collection(request.context_dict, trusts)
@controller.protected()
def delete_trust(self, context, trust_id):
def delete_trust(self, request, trust_id):
trust = self.trust_api.get_trust(trust_id)
user_id = self._get_user_id(context)
_admin_trustor_only(context, trust, user_id)
initiator = notifications._get_request_audit_info(context)
user_id = self._get_user_id(request.context_dict)
_admin_trustor_only(request.context_dict, trust, user_id)
initiator = notifications._get_request_audit_info(request.context_dict)
self.trust_api.delete_trust(trust_id, initiator)
@controller.protected()
def list_roles_for_trust(self, context, trust_id):
trust = self.get_trust(context, trust_id)['trust']
user_id = self._get_user_id(context)
def list_roles_for_trust(self, request, trust_id):
trust = self.get_trust(request, trust_id)['trust']
user_id = self._get_user_id(request.context_dict)
_trustor_trustee_only(trust, user_id)
return {'roles': trust['roles'],
'links': trust['roles_links']}
@controller.protected()
def get_role_for_trust(self, context, trust_id, role_id):
def get_role_for_trust(self, request, trust_id, role_id):
"""Get a role that has been assigned to a trust."""
self._check_role_for_trust(context, trust_id, role_id)
self._check_role_for_trust(request.context_dict, trust_id, role_id)
role = self.role_api.get_role(role_id)
return assignment.controllers.RoleV3.wrap_member(context, role)
return assignment.controllers.RoleV3.wrap_member(request.context_dict,
role)

16
keystone/v2_crud/user_crud.py
View File

@ -12,7 +12,6 @@
# License for the specific language governing permissions and limitations
# under the License.
import copy
import uuid
from oslo_log import log
@ -50,8 +49,8 @@ extension.register_public_extension(
@dependency.requires('catalog_api', 'identity_api', 'resource_api',
'token_provider_api')
class UserController(identity.controllers.User):
def set_user_password(self, context, user_id, user):
token_id = context.get('token_id')
def set_user_password(self, request, user_id, user):
token_id = request.context_dict.get('token_id')
original_password = user.get('original_password')
token_data = self.token_provider_api.validate_token(token_id)
@ -66,7 +65,7 @@ class UserController(identity.controllers.User):
try:
user_ref = self.identity_api.authenticate(
context,
request.context_dict,
user_id=token_ref.user_id,
password=original_password)
if not user_ref.get('enabled', True):
@ -77,12 +76,15 @@ class UserController(identity.controllers.User):
update_dict = {'password': user['password'], 'id': user_id}
admin_context = copy.copy(context)
admin_context['is_admin'] = True
super(UserController, self).set_user_password(admin_context,
old_admin = request.context_dict.pop('is_admin', False)
request.context_dict['is_admin'] = True
super(UserController, self).set_user_password(request,
user_id,
update_dict)
request.context_dict['is_admin'] = old_admin
# Issue a new token based upon the original token data. This will
# always be a V2.0 token.

20
keystone/version/controllers.py
View File

@ -56,10 +56,10 @@ class Extensions(wsgi.Application):
def extensions(self):
return None
def get_extensions_info(self, context):
def get_extensions_info(self, request):
return {'extensions': {'values': list(self.extensions.values())}}
def get_extension_info(self, context, extension_alias):
def get_extension_info(self, request, extension_alias):
try:
return {'extension': self.extensions[extension_alias]}
except KeyError:
@ -159,24 +159,24 @@ class Version(wsgi.Application):
return versions
def get_versions(self, context):
def get_versions(self, request):
req_mime_type = v3_mime_type_best_match(context)
req_mime_type = v3_mime_type_best_match(request.context_dict)
if req_mime_type == MimeTypes.JSON_HOME:
v3_json_home = request_v3_json_home('/v3')
return wsgi.render_response(
body=v3_json_home,
headers=(('Content-Type', MimeTypes.JSON_HOME),))
versions = self._get_versions_list(context)
versions = self._get_versions_list(request.context_dict)
return wsgi.render_response(status=(300, 'Multiple Choices'), body={
'versions': {
'values': list(versions.values())
}
})
def get_version_v2(self, context):
versions = self._get_versions_list(context)
def get_version_v2(self, request):
versions = self._get_versions_list(request.context_dict)
if 'v2.0' in _VERSIONS:
return wsgi.render_response(body={
'version': versions['v2.0']
@ -195,10 +195,10 @@ class Version(wsgi.Application):
'resources': dict(all_resources())
}
def get_version_v3(self, context):
versions = self._get_versions_list(context)
def get_version_v3(self, request):
versions = self._get_versions_list(request.context_dict)
if 'v3' in _VERSIONS:
req_mime_type = v3_mime_type_best_match(context)
req_mime_type = v3_mime_type_best_match(request.context_dict)
if req_mime_type == MimeTypes.JSON_HOME:
return wsgi.render_response(