Use request.environ through auth and federation
Use the request.environ property directly rather than the context dict environment in federation and the linked authentication modules. This moves us towards removing the environment from the context_dict. Change-Id: I6862bcdbd435bda03527ffdc93f5f915d50fce1e
parent
c5e0cd4510
commit
f5b32964fa
|
@ -55,7 +55,7 @@ class Mapped(auth.AuthMethodHandler):
|
|||
"""
|
||||
if 'id' in auth_payload:
|
||||
token_ref = self._get_token_ref(auth_payload)
|
||||
handle_scoped_token(request.context_dict,
|
||||
handle_scoped_token(request,
|
||||
auth_payload,
|
||||
auth_context,
|
||||
token_ref,
|
||||
|
@ -63,7 +63,7 @@ class Mapped(auth.AuthMethodHandler):
|
|||
self.identity_api,
|
||||
self.token_provider_api)
|
||||
else:
|
||||
handle_unscoped_token(request.context_dict,
|
||||
handle_unscoped_token(request,
|
||||
auth_payload,
|
||||
auth_context,
|
||||
self.resource_api,
|
||||
|
@ -71,7 +71,7 @@ class Mapped(auth.AuthMethodHandler):
|
|||
self.identity_api)
|
||||
|
||||
|
||||
def handle_scoped_token(context, auth_payload, auth_context, token_ref,
|
||||
def handle_scoped_token(request, auth_payload, auth_context, token_ref,
|
||||
federation_api, identity_api, token_provider_api):
|
||||
utils.validate_expiration(token_ref)
|
||||
token_audit_id = token_ref.audit_id
|
||||
|
@ -81,7 +81,7 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
|
|||
group_ids = token_ref.federation_group_ids
|
||||
send_notification = functools.partial(
|
||||
notifications.send_saml_audit_notification, 'authenticate',
|
||||
context, user_id, group_ids, identity_provider, protocol,
|
||||
request.context_dict, user_id, group_ids, identity_provider, protocol,
|
||||
token_audit_id)
|
||||
|
||||
utils.assert_enabled_identity_provider(federation_api, identity_provider)
|
||||
|
@ -106,7 +106,7 @@ def handle_scoped_token(context, auth_payload, auth_context, token_ref,
|
|||
auth_context[federation_constants.PROTOCOL] = protocol
|
||||
|
||||
|
||||
def handle_unscoped_token(context, auth_payload, auth_context,
|
||||
def handle_unscoped_token(request, auth_payload, auth_context,
|
||||
resource_api, federation_api, identity_api):
|
||||
|
||||
def is_ephemeral_user(mapped_properties):
|
||||
|
@ -125,7 +125,7 @@ def handle_unscoped_token(context, auth_payload, auth_context,
|
|||
METHOD_NAME)
|
||||
auth_context['user_id'] = user_info.user_id
|
||||
|
||||
assertion = extract_assertion_data(context)
|
||||
assertion = extract_assertion_data(request)
|
||||
identity_provider = auth_payload['identity_provider']
|
||||
protocol = auth_payload['protocol']
|
||||
|
||||
|
@ -152,7 +152,7 @@ def handle_unscoped_token(context, auth_payload, auth_context,
|
|||
|
||||
if is_ephemeral_user(mapped_properties):
|
||||
unique_id, display_name = (
|
||||
get_user_unique_id_and_display_name(context, mapped_properties)
|
||||
get_user_unique_id_and_display_name(request, mapped_properties)
|
||||
)
|
||||
user = identity_api.shadow_federated_user(identity_provider,
|
||||
protocol, unique_id,
|
||||
|
@ -171,7 +171,8 @@ def handle_unscoped_token(context, auth_payload, auth_context,
|
|||
# send off failed authentication notification, raise the exception
|
||||
# after sending the notification
|
||||
outcome = taxonomy.OUTCOME_FAILURE
|
||||
notifications.send_saml_audit_notification('authenticate', context,
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
|
@ -179,15 +180,16 @@ def handle_unscoped_token(context, auth_payload, auth_context,
|
|||
raise
|
||||
else:
|
||||
outcome = taxonomy.OUTCOME_SUCCESS
|
||||
notifications.send_saml_audit_notification('authenticate', context,
|
||||
notifications.send_saml_audit_notification('authenticate',
|
||||
request.context_dict,
|
||||
user_id, group_ids,
|
||||
identity_provider,
|
||||
protocol, token_id,
|
||||
outcome)
|
||||
|
||||
|
||||
def extract_assertion_data(context):
|
||||
assertion = dict(utils.get_assertion_params_from_env(context))
|
||||
def extract_assertion_data(request):
|
||||
assertion = dict(utils.get_assertion_params_from_env(request))
|
||||
return assertion
|
||||
|
||||
|
||||
|
@ -217,7 +219,7 @@ def apply_mapping_filter(identity_provider, protocol, assertion,
|
|||
return mapped_properties, mapping_id
|
||||
|
||||
|
||||
def get_user_unique_id_and_display_name(context, mapped_properties):
|
||||
def get_user_unique_id_and_display_name(request, mapped_properties):
|
||||
"""Setup federated username.
|
||||
|
||||
Function covers all the cases for properly setting user id, a primary
|
||||
|
@ -233,7 +235,7 @@ def get_user_unique_id_and_display_name(context, mapped_properties):
|
|||
3) If user_id is not set and user_name is, set user_id as url safe version
|
||||
of user_name.
|
||||
|
||||
:param context: authentication context
|
||||
:param request: current request object
|
||||
:param mapped_properties: Properties issued by a RuleProcessor.
|
||||
:type: dictionary
|
||||
|
||||
|
@ -246,7 +248,7 @@ def get_user_unique_id_and_display_name(context, mapped_properties):
|
|||
user = mapped_properties['user']
|
||||
|
||||
user_id = user.get('id')
|
||||
user_name = user.get('name') or context['environment'].get('REMOTE_USER')
|
||||
user_name = user.get('name') or request.remote_user
|
||||
|
||||
if not any([user_id, user_name]):
|
||||
msg = _("Could not map user while setting ephemeral user identity. "
|
||||
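Review bot: handle_scoped_token, handle_unscoped_token and extract_assertion_data change their first parameter from a context dict to a request object, but none of them carries a docstring saying so; only get_user_unique_id_and_display_name gains `:param request: current request object`, and the same line would serve the other three. The audit-notification calls in the -81 and -171/-179 hunks still pass `request.context_dict`, so the notification path keeps the dependency the description says is being removed; a `# NOTE: send_saml_audit_notification still expects the context dict` marker at those calls would make the remaining work visible. The `request.remote_user` fallback in the last hunk is equivalent to the old `environment.get('REMOTE_USER')` only if the context dict's environment was the unfiltered WSGI environ, which this page does not show; a test that sets REMOTE_USER on a blank request would pin that. handle_scoped_token and handle_unscoped_token both extend beyond their hunks.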
|
|
|
@ -46,7 +46,7 @@ class Token(auth.AuthMethodHandler):
|
|||
token_ref = self._get_token_ref(auth_payload)
|
||||
if token_ref.is_federated_user and self.federation_api:
|
||||
mapped.handle_scoped_token(
|
||||
request.context_dict, auth_payload, user_context, token_ref,
|
||||
request, auth_payload, user_context, token_ref,
|
||||
self.federation_api, self.identity_api,
|
||||
self.token_provider_api)
|
||||
else:
|
||||
|
|
|
@ -307,7 +307,7 @@ class Auth(auth_controllers.Auth):
|
|||
def federated_sso_auth(self, request, protocol_id):
|
||||
try:
|
||||
remote_id_name = utils.get_remote_id_parameter(protocol_id)
|
||||
remote_id = request.context_dict['environment'][remote_id_name]
|
||||
remote_id = request.environ[remote_id_name]
|
||||
except KeyError:
|
||||
msg = _('Missing entity ID from environment')
|
||||
LOG.error(msg)
|
||||
|
@ -437,8 +437,7 @@ class DomainV3(controller.V3Controller):
|
|||
:returns: list of accessible domains
|
||||
|
||||
"""
|
||||
env = request.context_dict['environment']
|
||||
auth_context = env[authorization.AUTH_CONTEXT_ENV]
|
||||
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
|
||||
domains = self.assignment_api.list_domains_for_groups(
|
||||
auth_context['group_ids'])
|
||||
domains = domains + self.assignment_api.list_domains_for_user(
|
||||
|
@ -465,8 +464,7 @@ class ProjectAssignmentV3(controller.V3Controller):
|
|||
:returns: list of accessible projects
|
||||
|
||||
"""
|
||||
env = request.context_dict['environment']
|
||||
auth_context = env[authorization.AUTH_CONTEXT_ENV]
|
||||
auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]
|
||||
projects = self.assignment_api.list_projects_for_groups(
|
||||
auth_context['group_ids'])
|
||||
projects = projects + self.assignment_api.list_projects_for_user(
|
||||
|
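Review bot: The new `auth_context = request.environ[authorization.AUTH_CONTEXT_ENV]` in DomainV3 and ProjectAssignmentV3 raises a bare KeyError when the authorization middleware has not populated the environ, whereas federated_sso_auth in the same file wraps its environ lookup in `except KeyError` and reports a clear error; the pre-existing two-step lookup had the same gap, but the rewrite is the moment to close it. A small module-level helper, e.g. `auth_context = _get_auth_context(request)` that catches the KeyError and raises the authorization error the rest of the controller uses, would also remove the duplicated lookup between the two methods. Whether the middleware guarantees the key on every route reaching these controllers is not visible here. Both methods extend past their hunks.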
|
|
@ -426,10 +426,10 @@ def transform_to_group_ids(group_names, mapping_id,
|
|||
group['name'])
|
||||
|
||||
|
||||
def get_assertion_params_from_env(context):
|
||||
LOG.debug('Environment variables: %s', context['environment'])
|
||||
def get_assertion_params_from_env(request):
|
||||
LOG.debug('Environment variables: %s', request.environ)
|
||||
prefix = CONF.federation.assertion_prefix
|
||||
for k, v in list(context['environment'].items()):
|
||||
for k, v in list(request.environ.items()):
|
||||
if not k.startswith(prefix):
|
||||
continue
|
||||
# These bytes may be decodable as ISO-8859-1 according to Section
|
||||
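Review bot: `LOG.debug('Environment variables: %s', request.environ)` now dumps the complete WSGI environ at debug level, which on a federated auth request carries the assertion attributes and every HTTP_* header the client sent, including any token or Authorization header; the old line logged the context dict's environment, and if that was a filtered copy this widens what reaches the log. Restrict the debug output to the assertion-prefixed keys by moving the statement below the prefix lookup, `prefix = CONF.federation.assertion_prefix` followed by `LOG.debug('Assertion environment keys: %s', [k for k in request.environ if k.startswith(prefix)])`, or drop the line. The filter loop that follows extends past the hunk.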
|
|
|
@ -14,6 +14,7 @@ import uuid
|
|||
|
||||
from oslo_config import fixture as config_fixture
|
||||
from oslo_serialization import jsonutils
|
||||
import webob
|
||||
|
||||
from keystone.auth.plugins import mapped
|
||||
import keystone.conf
|
||||
|
@ -548,15 +549,15 @@ class MappingRuleEngineTests(unit.BaseTestCase):
|
|||
as it was not explicitly specified in the mapping.
|
||||
|
||||
"""
|
||||
request = webob.Request.blank('/')
|
||||
mapping = mapping_fixtures.MAPPING_USER_IDS
|
||||
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
|
||||
assertion = mapping_fixtures.ADMIN_ASSERTION
|
||||
mapped_properties = rp.process(assertion)
|
||||
context = {'environment': {}}
|
||||
self.assertIsNotNone(mapped_properties)
|
||||
self.assertValidMappedUserObject(mapped_properties)
|
||||
unique_id, display_name = mapped.get_user_unique_id_and_display_name(
|
||||
context, mapped_properties)
|
||||
request, mapped_properties)
|
||||
self.assertEqual('bob', unique_id)
|
||||
self.assertEqual('bob', display_name)
|
||||
|
||||
|
@ -581,17 +582,17 @@ class MappingRuleEngineTests(unit.BaseTestCase):
|
|||
not to change it.
|
||||
|
||||
"""
|
||||
request = webob.Request.blank('/')
|
||||
testcases = [(mapping_fixtures.CUSTOMER_ASSERTION, 'bwilliams'),
|
||||
(mapping_fixtures.EMPLOYEE_ASSERTION, 'tbo')]
|
||||
for assertion, exp_user_name in testcases:
|
||||
mapping = mapping_fixtures.MAPPING_USER_IDS
|
||||
rp = mapping_utils.RuleProcessor(FAKE_MAPPING_ID, mapping['rules'])
|
||||
mapped_properties = rp.process(assertion)
|
||||
context = {'environment': {}}
|
||||
self.assertIsNotNone(mapped_properties)
|
||||
self.assertValidMappedUserObject(mapped_properties)
|
||||
unique_id, display_name = (
|
||||
mapped.get_user_unique_id_and_display_name(context,
|
||||
mapped.get_user_unique_id_and_display_name(request,
|
||||
mapped_properties)
|
||||
)
|
||||
self.assertEqual(exp_user_name, display_name)
|
||||
|
@ -761,8 +762,10 @@ class TestUnicodeAssertionData(unit.BaseTestCase):
|
|||
# pulled from the HTTP headers. These bytes may be decodable as
|
||||
# ISO-8859-1 according to Section 3.2.4 of RFC 7230. Let's assume
|
||||
# that our web server plugins are correctly encoding the data.
|
||||
context = dict(environment=mapping_fixtures.UNICODE_NAME_ASSERTION)
|
||||
data = mapping_utils.get_assertion_params_from_env(context)
|
||||
request = webob.Request.blank(
|
||||
'/path',
|
||||
environ=mapping_fixtures.UNICODE_NAME_ASSERTION)
|
||||
data = mapping_utils.get_assertion_params_from_env(request)
|
||||
# NOTE(dstanek): keystone.auth.plugins.mapped
|
||||
return dict(data)
|
||||
|
||||
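Review bot: The two MappingRuleEngineTests cases replace `context = {'environment': {}}` with `webob.Request.blank('/')`, which still exercises only the branch where REMOTE_USER is absent; the production change makes get_user_unique_id_and_display_name read `request.remote_user`, and no case on this page sets it. Adding one case built with `webob.Request.blank('/', environ={'REMOTE_USER': 'bob'})` and a mapping that leaves `user['name']` unset would cover the fallback; whether such a test exists elsewhere in the file is not visible here. The TestUnicodeAssertionData hunk passes the fixture as `environ=`, so get_assertion_params_from_env now also sees the synthetic WSGI keys of a blank request; a one-line comment noting that the prefix filter is what keeps them out of the result would explain why that is safe.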
|
|