From 1a40b3d43bac5244bcba6bdbc4802fb76430d8d3 Mon Sep 17 00:00:00 2001
From: Lance Bragstad <lbragstad@gmail.com>
Date: Fri, 29 Dec 2017 21:28:17 +0000
Subject: [PATCH] Implement system-scope

The context should carry some information that all services will need
in order to enforce scoping. System scope can be implemented here
and available for projects when they start adding scope types to
policies.

bp system-scope

Change-Id: I02fdaccfdd002d60b0b51c5d3327c783009cf35e
---
 oslo_context/context.py            | 12 +++++++++++-
 oslo_context/tests/test_context.py | 28 ++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/oslo_context/context.py b/oslo_context/context.py
index 6475c2c..731b36e 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
     'project_id': ['HTTP_X_PROJECT_ID',
                    'HTTP_X_TENANT_ID',
                    'HTTP_X_TENANT'],
+    'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
     'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
     'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
     'user_name': ['HTTP_X_USER_NAME'],
@@ -219,7 +220,8 @@ class RequestContext(object):
                  service_project_domain_id=None,
                  service_project_domain_name=None,
                  service_roles=None,
-                 global_request_id=None):
+                 global_request_id=None,
+                 system_scope=None):
         """Initialize the RequestContext
 
         :param overwrite: Set to False to ensure that the greenthread local
@@ -228,6 +230,11 @@ class RequestContext(object):
                                  the token as the admin project. Defaults to
                                  True for backwards compatibility.
         :type is_admin_project: bool
+        :param system_scope: The system scope of a token. The value ``all``
+                             represents the entire deployment system. A service
+                             ID represents a specific service within the
+                             deployment system.
+        :type system_scope: string
         """
         # setting to private variables to avoid triggering subclass properties
         self._user_id = user_id
@@ -240,6 +247,7 @@ class RequestContext(object):
         self.user_name = user_name
         self.project_name = project_name
         self.domain_name = domain_name
+        self.system_scope = system_scope
         self.user_domain_name = user_domain_name
         self.project_domain_name = project_domain_name
         self.is_admin = is_admin
@@ -309,6 +317,7 @@ class RequestContext(object):
         return _DeprecatedPolicyValues({
             'user_id': self.user_id,
             'user_domain_id': self.user_domain_id,
+            'system_scope': self.system_scope,
             'project_id': self.project_id,
             'project_domain_id': self.project_domain_id,
             'roles': self.roles,
@@ -330,6 +339,7 @@ class RequestContext(object):
 
         return {'user': self.user_id,
                 'tenant': self.project_id,
+                'system_scope': self.system_scope,
                 'project': self.project_id,
                 'domain': self.domain_id,
                 'user_domain': self.user_domain_id,
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index 7fb8d60..d7bab78 100644
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -554,6 +554,7 @@ class ContextTest(test_base.BaseTestCase):
 
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
+                          'system_scope': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,
@@ -565,6 +566,32 @@ class ContextTest(test_base.BaseTestCase):
                           'service_roles': service_roles},
                          ctx.to_policy_values())
 
+        # NOTE(lbragstad): This string has special meaning in that the value
+        # ``all`` represents the entire deployment system.
+        system_all = 'all'
+
+        ctx = context.RequestContext(user=user,
+                                     user_domain=user_domain,
+                                     system_scope=system_all,
+                                     roles=roles,
+                                     service_user_id=service_user_id,
+                                     service_project_id=service_project_id,
+                                     service_roles=service_roles)
+
+        self.assertEqual({'user_id': user,
+                          'user_domain_id': user_domain,
+                          'system_scope': system_all,
+                          'project_id': None,
+                          'project_domain_id': None,
+                          'roles': roles,
+                          'is_admin_project': True,
+                          'service_user_id': service_user_id,
+                          'service_user_domain_id': None,
+                          'service_project_id': service_project_id,
+                          'service_project_domain_id': None,
+                          'service_roles': service_roles},
+                         ctx.to_policy_values())
+
         ctx = context.RequestContext(user=user,
                                      user_domain=user_domain,
                                      tenant=tenant,
@@ -577,6 +604,7 @@ class ContextTest(test_base.BaseTestCase):
 
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
+                          'system_scope': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,