
Implement domain-scope for context objects

The OpenStack identity service issues domain-scoped tokens and
keystonemiddleware sets a specific header when it validates a
domain-scoped token. This commit allows context objects to set
domain_id attributes for tokens scoped to a domain and also processes
the domain ID header from keystonemiddleware.

Change-Id: I620d647499abaf5a7103d82af22a190fcc0b3fae
Lance Bragstad 6 months ago
parent
commit
f65408df5c
2 changed files with 34 additions and 0 deletions
  1. 2
    0
      oslo_context/context.py
  2. 32
    0
      oslo_context/tests/test_context.py

+ 2
- 0
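--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -49,6 +49,7 @@ _ENVIRON_HEADERS = {
     'project_id': ['HTTP_X_PROJECT_ID',
                    'HTTP_X_TENANT_ID',
                    'HTTP_X_TENANT'],
+    'domain_id': ['HTTP_X_DOMAIN_ID'],
     'system_scope': ['HTTP_OPENSTACK_SYSTEM_SCOPE'],
     'user_domain_id': ['HTTP_X_USER_DOMAIN_ID'],
     'project_domain_id': ['HTTP_X_PROJECT_DOMAIN_ID'],
@@ -318,6 +319,7 @@ class RequestContext(object):
             'user_id': self.user_id,
             'user_domain_id': self.user_domain_id,
             'system_scope': self.system_scope,
+            'domain_id': self.domain_id,
             'project_id': self.project_id,
             'project_domain_id': self.project_domain_id,
             'roles': self.roles,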
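Review bot: The new `'domain_id': ['HTTP_X_DOMAIN_ID']` entry in `_ENVIRON_HEADERS` carries no comment on where the value comes from or when it can be trusted, and the second hunk hands it straight to the policy layer through `to_policy_values()`. The context only reads the WSGI environ, so the value is authoritative only when keystonemiddleware's auth_token has validated the token and set the header itself; a context built from an environ that did not pass through that middleware would take its domain scope from whatever the request supplied. I would add above the entry `# Set by keystonemiddleware for domain-scoped tokens; trusted only behind auth_token.` Nothing visible in these hunks stops `domain_id`, `project_id` and `system_scope` from being populated together, so the `to_policy_values()` docstring should also state that at most one scope is expected. Both the dict and the method start and end outside the hunks.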

+ 32
- 0
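--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -221,6 +221,8 @@ class ContextTest(test_base.BaseTestCase):
         user_id = generate_id(user_name)
         project_name = uuid.uuid4().hex
         project_id = generate_id(project_name)
+        domain_name = uuid.uuid4().hex
+        domain_id = generate_id(domain_name)
         user_domain_name = uuid.uuid4().hex
         user_domain_id = generate_id(user_domain_name)
         project_domain_name = uuid.uuid4().hex
@@ -243,6 +245,7 @@ class ContextTest(test_base.BaseTestCase):
             'HTTP_X_AUTH_TOKEN': auth_token,
             'HTTP_X_USER_ID': user_id,
             'HTTP_X_PROJECT_ID': project_id,
+            'HTTP_X_DOMAIN_ID': domain_id,
             'HTTP_X_USER_DOMAIN_ID': user_domain_id,
             'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id,
             'HTTP_X_ROLES': ','.join(roles),
@@ -270,6 +273,7 @@ class ContextTest(test_base.BaseTestCase):
         self.assertEqual(user_id, ctx.user_id)
         self.assertEqual(user_name, ctx.user_name)
         self.assertEqual(project_id, ctx.project_id)
+        self.assertEqual(domain_id, ctx.domain_id)
         self.assertEqual(project_name, ctx.project_name)
         self.assertEqual(user_domain_id, ctx.user_domain_id)
         self.assertEqual(user_domain_name, ctx.user_domain_name)
@@ -555,6 +559,7 @@ class ContextTest(test_base.BaseTestCase):
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
                           'system_scope': None,
+                          'domain_id': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,
@@ -581,6 +586,32 @@ class ContextTest(test_base.BaseTestCase):
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
                           'system_scope': system_all,
+                          'domain_id': None,
+                          'project_id': None,
+                          'project_domain_id': None,
+                          'roles': roles,
+                          'is_admin_project': True,
+                          'service_user_id': service_user_id,
+                          'service_user_domain_id': None,
+                          'service_project_id': service_project_id,
+                          'service_project_domain_id': None,
+                          'service_roles': service_roles},
+                         ctx.to_policy_values())
+
+        # context representing a domain-scoped token.
+        domain_id = uuid.uuid4().hex
+        ctx = context.RequestContext(user=user,
+                                     user_domain=user_domain,
+                                     domain_id=domain_id,
+                                     roles=roles,
+                                     service_user_id=service_user_id,
+                                     service_project_id=service_project_id,
+                                     service_roles=service_roles)
+
+        self.assertEqual({'user_id': user,
+                          'user_domain_id': user_domain,
+                          'system_scope': None,
+                          'domain_id': domain_id,
                           'project_id': None,
                           'project_domain_id': None,
                           'roles': roles,
@@ -605,6 +636,7 @@ class ContextTest(test_base.BaseTestCase):
         self.assertEqual({'user_id': user,
                           'user_domain_id': user_domain,
                           'system_scope': None,
+                          'domain_id': None,
                           'project_id': tenant,
                           'project_domain_id': project_domain,
                           'roles': roles,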
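Review bot: The environ-based case (hunks at new lines 245 and 273) puts `HTTP_X_DOMAIN_ID` in the same environ as `HTTP_X_PROJECT_ID`, so no test covers the environ a domain-scoped token would actually produce, nor the value of `ctx.domain_id` when the header is absent. A separate case with the domain header and no project header, asserting `self.assertEqual(domain_id, ctx.domain_id)` and `self.assertIsNone(ctx.project_id)`, would pin the behaviour that policy checks depend on; presumably keystonemiddleware sets only one scope per token, which is worth confirming. The added `to_policy_values()` block at new lines 601-614 does cover the domain-only constructor path. The test methods start and end outside these hunks.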
