Do not prompt for scope options with default scoped tokens

This changes the scope validation to occur after a token has already been created. Previous flow: 1. Validate authentication options. 2. Validate authorization options if the command requires a scope. 3. Create a token (using authentication + authorization options) 4. Run command. This means that scope was being checked, even if a default scope was applied in step 3 by Keystone. New flow: 1. Validate authentication options. 2. Create token (using authentication + authorization options) 3 Validate authorization options if the command requires a scope and the token is not scoped. 4. Run command. Change-Id: Idae368a11249f425b14b891fc68b4176e2b3e981 Closes-Bug: 1592062
2016-06-15 16:26:35 +00:00
parent 1464c8a237
commit fe0c8e955b
5 changed files with 47 additions and 31 deletions
--- a/openstackclient/api/auth.py
+++ b/openstackclient/api/auth.py
@@ -128,12 +128,24 @@ def build_auth_params(auth_plugin_name, cmd_options):
    return (auth_plugin_loader, auth_params)


-def check_valid_auth_options(options, auth_plugin_name, required_scope=True):
-    """Perform basic option checking, provide helpful error messages.
+def check_valid_authorization_options(options, auth_plugin_name):
+    """Validate authorization options, and provide helpful error messages."""
+    if (options.auth.get('project_id') and not
+            options.auth.get('domain_id') and not
+            options.auth.get('domain_name') and not
+            options.auth.get('project_name') and not
+            options.auth.get('tenant_id') and not
+            options.auth.get('tenant_name')):
+        raise exc.CommandError(_(
+            'Missing parameter(s): '
+            'Set either a project or a domain scope, but not both. Set a '
+            'project scope with --os-project-name, OS_PROJECT_NAME, or '
+            'auth.project_name. Alternatively, set a domain scope with '
+            '--os-domain-name, OS_DOMAIN_NAME or auth.domain_name.'))

-    :param required_scope: indicate whether a scoped token is required

-    """
+def check_valid_authentication_options(options, auth_plugin_name):
+    """Validate authentication options, and provide helpful error messages."""

    msgs = []
    if auth_plugin_name.endswith('password'):
@@ -143,18 +155,6 @@ def check_valid_auth_options(options, auth_plugin_name, required_scope=True):
        if not options.auth.get('auth_url'):
            msgs.append(_('Set an authentication URL, with --os-auth-url,'
                          ' OS_AUTH_URL or auth.auth_url'))
-        if (required_scope and not
-                options.auth.get('project_id') and not
-                options.auth.get('domain_id') and not
-                options.auth.get('domain_name') and not
-                options.auth.get('project_name') and not
-                options.auth.get('tenant_id') and not
-                options.auth.get('tenant_name')):
-            msgs.append(_('Set a scope, such as a project or domain, set a '
-                          'project scope with --os-project-name, '
-                          'OS_PROJECT_NAME or auth.project_name, set a domain '
-                          'scope with --os-domain-name, OS_DOMAIN_NAME or '
-                          'auth.domain_name'))
    elif auth_plugin_name.endswith('token'):
        if not options.auth.get('token'):
            msgs.append(_('Set a token with --os-token, OS_TOKEN or '