Use request.environ through auth and federation

Use the request.environ property directly rather than the context dict
environment in federation and the linked authentication modules. This
moves us towards removing the environment from the context_dict.

Change-Id: I6862bcdbd435bda03527ffdc93f5f915d50fce1e
Jamie Lennox 2016-07-04 14:42:56 +10:00
parent c5e0cd4510
commit f5b32964fa
5 changed files with 32 additions and 29 deletions


@ -55,7 +55,7 @@ class Mapped(auth.AuthMethodHandler):
"""
if 'id' in auth_payload:
token_ref = self._get_token_ref(auth_payload)
handle_scoped_token(request.context_dict,
handle_scoped_token(request,
auth_payload,
auth_context,
token_ref,
@ -63,7 +63,7 @@ class Mapped(auth.AuthMethodHandler):
self.identity_api,
self.token_provider_api)
else:
handle_unscoped_token(request.context_dict,
handle_unscoped_token(request,
auth_payload,
auth_context,
self.resource_api,
@ -71,7 +71,7 @@ class Mapped(auth.AuthMethodHandler):
self.identity_api)
def handle_scoped_token(context, auth_payload, auth_context, token_ref,
def handle_scoped_token(request, auth_payload, auth_context, token_ref,
federation_api, identity_api, token_provider_api):
utils.validate_expiration(token_ref)
token_audit_id = token_ref.audit_id
@ -81,7 +81,7 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
context, user_id, group_ids, identity_provider, protocol,
request.context_dict, user_id, group_ids, identity_provider, protocol,
token_audit_id)
utils.assert_enabled_identity_provider(federation_api, identity_provider)
@ -106,7 +106,7 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
auth_context[federation_constants.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context,
def handle_unscoped_token(request, auth_payload, auth_context,
resource_api, federation_api, identity_api):
def is_ephemeral_user(mapped_properties):
@ -125,7 +125,7 @@ def handle_unscoped_token(context, auth_payload, auth_context,
METHOD_NAME)
auth_context['user_id'] = user_info.user_id
assertion = extract_assertion_data(context)
assertion = extract_assertion_data(request)
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
@ -152,7 +152,7 @@ def handle_unscoped_token(context, auth_payload, auth_context,
if is_ephemeral_user(mapped_properties):
unique_id, display_name = (
get_user_unique_id_and_display_name(context, mapped_properties)
get_user_unique_id_and_display_name(request, mapped_properties)
)
user = identity_api.shadow_federated_user(identity_provider,
protocol, unique_id,
@ -171,7 +171,8 @@ def handle_unscoped_token(context, auth_payload, auth_context,
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
user_id, group_ids,
identity_provider,
protocol, token_id,
@ -179,15 +180,16 @@ def handle_unscoped_token(context, auth_payload, auth_context,
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
notifications.send_saml_audit_notification('authenticate',
request.context_dict,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
def extract_assertion_data(context):
assertion = dict(utils.get_assertion_params_from_env(context))
def extract_assertion_data(request):
assertion = dict(utils.get_assertion_params_from_env(request))
return assertion
@ -217,7 +219,7 @@ def apply_mapping_filter(identity_provider, protocol, assertion,
return mapped_properties, mapping_id
def get_user_unique_id_and_display_name(context, mapped_properties):
def get_user_unique_id_and_display_name(request, mapped_properties):
"""Setup federated username.
Function covers all the cases for properly setting user id, a primary
@ -233,7 +235,7 @@ def get_user_unique_id_and_display_name(context, mapped_properties):
3) If user_id is not set and user_name is, set user_id as url safe version
of user_name.
:param context: authentication context
:param request: current request object
:param mapped_properties: Properties issued by a RuleProcessor.
:type: dictionary
@ -246,7 +248,7 @@ def get_user_unique_id_and_display_name(context, mapped_properties):
user = mapped_properties['user']
user_id = user.get('id')
user_name = user.get('name') or context['environment'].get('REMOTE_USER')
user_name = user.get('name') or request.remote_user
if not any([user_id, user_name]):
msg = _("Could not map user while setting ephemeral user identity. "
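Review bot: The updated docstring line `:param request: current request object` in the `get_user_unique_id_and_display_name` hunk does not say what is read from the request, while the same hunk now falls back to `request.remote_user` for the user name; that is the WSGI `REMOTE_USER` variable (the removed line read `context['environment'].get('REMOTE_USER')`), normally populated by the web server's authentication module rather than by the caller, and it is the only input to the user identity that does not come from the mapping, so the docstring should name it. Suggested wording: `:param request: current request; request.remote_user (the WSGI REMOTE_USER variable set by the web server's auth module) is the fallback user name when the mapping yields neither an id nor a name`. The new `extract_assertion_data(request)` still carries no docstring; a one-liner such as `"""Return the federation assertion attributes found in request.environ as a dict."""` would mark the trust boundary it reads across. Both enclosing functions extend beyond their hunks.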


@ -46,7 +46,7 @@ class Token(auth.AuthMethodHandler):
token_ref = self._get_token_ref(auth_payload)
if token_ref.is_federated_user and self.federation_api:
mapped.handle_scoped_token(
request.context_dict, auth_payload, user_context, token_ref,
request, auth_payload, user_context, token_ref,
self.federation_api, self.identity_api,
self.token_provider_api)
else:


@ -307,7 +307,7 @@ class Auth(auth_controllers.Auth):
def federated_sso_auth(self, request, protocol_id):
try:
remote_id_name = utils.get_remote_id_parameter(protocol_id)
remote_id = request.context_dict['environment'][remote_id_name]
remote_id = request.environ[remote_id_name]
except KeyError:
msg = _('Missing entity ID from environment')
LOG.error(msg)
@ -437,8 +437,7 @@ class DomainV3(controller.V3Controller):
:returns: list of accessible domains
"""
env = request.context_dict['environment']
auth_context = env[authorization.AUTH_CONTEXT_ENV]
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
domains = self.assignment_api.list_domains_for_groups(
auth_context['group_ids'])
domains = domains + self.assignment_api.list_domains_for_user(
@ -465,8 +464,7 @@ class ProjectAssignmentV3(controller.V3Controller):
:returns: list of accessible projects
"""
env = request.context_dict['environment']
auth_context = env[authorization.AUTH_CONTEXT_ENV]
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
projects = self.assignment_api.list_projects_for_groups(
auth_context['group_ids'])
projects = projects + self.assignment_api.list_projects_for_user(
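Review bot: The new `auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]` lines in the DomainV3 and ProjectAssignmentV3 hunks index the environ without a guard, so a request that reaches either controller without the auth context present fails with an unhandled KeyError rather than an explicit authorization error; the removed two-line form behaved the same way, so this is a pre-existing gap rather than a regression. Presumably that key is always set by the authorization middleware before a controller runs; if so, a short comment would save the next reader the question, e.g. `# AUTH_CONTEXT_ENV is populated upstream by the authorization middleware; its absence here is a deployment error, not a client error.` The two hunks are now the same one-line lookup and could share a small helper on the controller base. Both enclosing methods start and end outside the hunks.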


@ -426,10 +426,10 @@ def transform_to_group_ids(group_names, mapping_id,
group['name'])
def get_assertion_params_from_env(context):
LOG.debug('Environment variables: %s', context['environment'])
def get_assertion_params_from_env(request):
LOG.debug('Environment variables: %s', request.environ)
prefix = CONF.federation.assertion_prefix
for k, v in list(context['environment'].items()):
for k, v in list(request.environ.items()):
if not k.startswith(prefix):
continue
# These bytes may be decodable as ISO-8859-1 according to Section
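Review bot: The new `LOG.debug('Environment variables: %s', request.environ)` line dumps the entire WSGI environ at debug level, yet the loop below uses only the keys carrying `CONF.federation.assertion_prefix`; the environ also holds every request header as `HTTP_*` entries, so a deployment running at debug level writes unrelated header and identity-assertion data into its log. The removed line logged the same dict, so this is pre-existing, but the rewrite is the moment to narrow it: `LOG.debug('Assertion attributes present in environ: %s', [k for k in request.environ if k.startswith(prefix)])` placed after `prefix` is assigned records which assertion attributes arrived without their values or the rest of the environ. The `list(...)` around `request.environ.items()` looks unnecessary unless the loop body mutates the environ, which the visible part does not; the function body continues outside the hunk.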


@ -14,6 +14,7 @@ import uuid
from oslo_config import fixture as config_fixture
from oslo_serialization import jsonutils
import webob
from keystone.auth.plugins import mapped
import keystone.conf
@ -548,15 +549,15 @@ class MappingRuleEngineTests(unit.BaseTestCase):
as it was not explicitly specified in the mapping.
"""
request = webob.Request.blank('/')
mapping = mapping_fixtures.MAPPING_USER_IDS
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
assertion = mapping_fixtures.ADMIN_ASSERTION
mapped_properties = rp.process(assertion)
context = {'environment': {}}
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
unique_id, display_name = mapped.get_user_unique_id_and_display_name(
context, mapped_properties)
request, mapped_properties)
self.assertEqual('bob', unique_id)
self.assertEqual('bob', display_name)
@ -581,17 +582,17 @@ class MappingRuleEngineTests(unit.BaseTestCase):
not to change it.
"""
request = webob.Request.blank('/')
testcases = [(mapping_fixtures.CUSTOMER_ASSERTION, 'bwilliams'),
(mapping_fixtures.EMPLOYEE_ASSERTION, 'tbo')]
for assertion, exp_user_name in testcases:
mapping = mapping_fixtures.MAPPING_USER_IDS
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
mapped_properties = rp.process(assertion)
context = {'environment': {}}
self.assertIsNotNone(mapped_properties)
self.assertValidMappedUserObject(mapped_properties)
unique_id, display_name = (
mapped.get_user_unique_id_and_display_name(context,
mapped.get_user_unique_id_and_display_name(request,
mapped_properties)
)
self.assertEqual(exp_user_name, display_name)
@ -761,8 +762,10 @@ class TestUnicodeAssertionData(unit.BaseTestCase):
# pulled from the HTTP headers. These bytes may be decodable as
# ISO-8859-1 according to Section 3.2.4 of RFC 7230. Let's assume
# that our web server plugins are correctly encoding the data.
context = dict(environment=mapping_fixtures.UNICODE_NAME_ASSERTION)
data = mapping_utils.get_assertion_params_from_env(context)
request = webob.Request.blank(
'/path',
environ=mapping_fixtures.UNICODE_NAME_ASSERTION)
data = mapping_utils.get_assertion_params_from_env(request)
# NOTE(dstanek): keystone.auth.plugins.mapped
return dict(data)