def test_user_tenants_filter_by_vo(self): """Verify that multiple tenants are filtered out.""" CONF.voms.voms_policy = dirs.tests_conf("voms_multiple_vos.json") # first request with dteam proxy req_dteam = prepare_request(get_auth_body(), fakes.user_proxies["dteam"], fakes.user_cert) aux = core.VomsAuthNMiddleware(None) aux._no_verify = True aux._process_request(req_dteam) params = req_dteam.environ[middleware.PARAMS_ENV] remote_token = self.controller.authenticate(req_dteam, params["auth"]) tenant_controller = controllers.TenantAssignment() token_id = remote_token["access"]["token"]["id"] token_ref = token_model.KeystoneToken(token_id=token_id, token_data=remote_token) auth_context = authorization.token_to_auth_context(token_ref) fake_context = { "environment": {authorization.AUTH_CONTEXT_ENV: auth_context}, "token_id": token_id, "query_string": {"limit": None}, } req_dteam.context_dict = fake_context tenants = tenant_controller.get_projects_for_token(req_dteam) dteam_tenants = aux._filter_tenants(tenants["tenants"]) self.assertEqual(self.tenant_name, dteam_tenants[0]["name"]) # repeat with other VO req_ops = prepare_request(get_auth_body(), fakes.user_proxies["ops"], fakes.user_cert) aux._process_request(req_ops) params = req_dteam.environ[middleware.PARAMS_ENV] remote_token = self.controller.authenticate(req_ops, params["auth"]) tenant_controller = controllers.TenantAssignment() token_id = remote_token["access"]["token"]["id"] token_ref = token_model.KeystoneToken(token_id=token_id, token_data=remote_token) auth_context = authorization.token_to_auth_context(token_ref) fake_context = { "environment": {authorization.AUTH_CONTEXT_ENV: auth_context}, "token_id": token_id, "query_string": {"limit": None}, } req_ops.context_dict = fake_context tenants = tenant_controller.get_projects_for_token(req_ops) # user should be now in two tenants self.assertEqual(2, len(tenants["tenants"])) ops_tenants = aux._filter_tenants(tenants["tenants"]) # check that is correctly filtered out self.assertEqual(1, len(ops_tenants)) self.assertEqual(self.aux_tenant_name, ops_tenants[0]["name"])
def test_token_is_project_scoped_with_trust(self): # Check auth_context result when the token is project-scoped and has # trust info. # SAMPLE_V3_TOKEN has OS-TRUST:trust in it. token_data = test_token_provider.SAMPLE_V3_TOKEN token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertEqual(token, auth_context['token']) self.assertTrue(auth_context['is_delegated_auth']) self.assertEqual(token_data['token']['user']['id'], auth_context['user_id']) self.assertEqual(token_data['token']['project']['id'], auth_context['project_id']) self.assertNotIn('domain_id', auth_context) self.assertNotIn('domain_name', auth_context) self.assertEqual(token_data['token']['OS-TRUST:trust']['id'], auth_context['trust_id']) self.assertEqual( token_data['token']['OS-TRUST:trust']['trustor_user_id'], auth_context['trustor_id']) self.assertEqual( token_data['token']['OS-TRUST:trust']['trustee_user_id'], auth_context['trustee_id']) self.assertItemsEqual( [r['name'] for r in token_data['token']['roles']], auth_context['roles']) self.assertIsNone(auth_context['consumer_id']) self.assertIsNone(auth_context['access_token_id']) self.assertNotIn('group_ids', auth_context)
def _build_token_auth_context(self, request, token_id): if CONF.admin_token and token_id == CONF.admin_token: versionutils.report_deprecated_feature( LOG, _LW('build_auth_context middleware checking for the admin ' 'token is deprecated as of the Mitaka release and will be ' 'removed in the O release. If your deployment requires ' 'use of the admin token, update keystone-paste.ini so ' 'that admin_token_auth is before build_auth_context in ' 'the paste pipelines, otherwise remove the ' 'admin_token_auth middleware from the paste pipelines.')) return {}, True context = {'token_id': token_id} context['environment'] = request.environ try: token_ref = token_model.KeystoneToken( token_id=token_id, token_data=self.token_provider_api.validate_token(token_id)) # TODO(gyee): validate_token_bind should really be its own # middleware wsgi.validate_token_bind(context, token_ref) return authorization.token_to_auth_context(token_ref), False except exception.TokenNotFound: LOG.warning(_LW('RBAC: Invalid token')) raise exception.Unauthorized()
def _build_auth_context(self, request): token_id = request.headers.get(AUTH_TOKEN_HEADER).strip() if token_id == CONF.admin_token: # NOTE(gyee): no need to proceed any further as the special admin # token is being handled by AdminTokenAuthMiddleware. This code # will not be impacted even if AdminTokenAuthMiddleware is removed # from the pipeline as "is_admin" is default to "False". This code # is independent of AdminTokenAuthMiddleware. return {} context = {'token_id': token_id} context['environment'] = request.environ try: token_ref = token_model.KeystoneToken( token_id=token_id, token_data=self.token_provider_api.validate_token(token_id)) # TODO(gyee): validate_token_bind should really be its own # middleware wsgi.validate_token_bind(context, token_ref) return authorization.token_to_auth_context(token_ref) except exception.TokenNotFound: LOG.warning(_LW('RBAC: Invalid token')) raise exception.Unauthorized()
def _build_policy_check_credentials(self, action, context, kwargs): LOG.debug( "RBAC: Authorizing %(action)s(%(kwargs)s)", {"action": action, "kwargs": ", ".join(["%s=%s" % (k, kwargs[k]) for k in kwargs])}, ) # see if auth context has already been created. If so use it. if "environment" in context and authorization.AUTH_CONTEXT_ENV in context["environment"]: LOG.debug("RBAC: using auth context from the request environment") return context["environment"].get(authorization.AUTH_CONTEXT_ENV) # There is no current auth context, build it from the incoming token. # TODO(morganfainberg): Collapse this logic with AuthContextMiddleware # in sane manner as this just mirrors the logic in AuthContextMiddleware try: LOG.debug("RBAC: building auth context from the incoming auth token") token_ref = token_model.KeystoneToken( token_id=context["token_id"], token_data=self.token_provider_api.validate_token(context["token_id"]) ) # NOTE(jamielennox): whilst this maybe shouldn't be within this # function it would otherwise need to reload the token_ref from # backing store. wsgi.validate_token_bind(context, token_ref) except exception.TokenNotFound: LOG.warning(_("RBAC: Invalid token")) raise exception.Unauthorized() auth_context = authorization.token_to_auth_context(token_ref) return auth_context
def test_token_is_for_federated_user(self): # When the token is for a federated user then group_ids is in # auth_context. token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) group_ids = [uuid.uuid4().hex for x in range(1, 5)] federation_data = { 'identity_provider': { 'id': uuid.uuid4().hex }, 'protocol': { 'id': 'saml2' }, 'groups': [{ 'id': gid } for gid in group_ids] } token_data['token']['user'][federation_constants.FEDERATION] = ( federation_data) token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertItemsEqual(group_ids, auth_context['group_ids'])
def _build_policy_check_credentials(self, action, context, kwargs): LOG.debug( 'RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs]) }) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug('RBAC: using auth context from the request environment') return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # now build the auth context from the incoming auth token try: LOG.debug('RBAC: building auth context from the incoming auth token') # TODO(ayoung): These two functions return the token in different # formats. However, the call # to get_token hits the caching layer, and does not validate the # token. This should be reduced to one call if not CONF.token.revoke_by_id: self.token_api.token_provider_api.validate_token( context['token_id']) token_ref = self.token_api.get_token(context['token_id']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized() # NOTE(jamielennox): whilst this maybe shouldn't be within this function # it would otherwise need to reload the token_ref from backing store. wsgi.validate_token_bind(context, token_ref) auth_context = authorization.token_to_auth_context(token_ref['token_data']) return auth_context
def _build_auth_context(self, request): token_id = request.headers.get(AUTH_TOKEN_HEADER) if token_id == CONF.admin_token: # NOTE(gyee): no need to proceed any further as the special admin # token is being handled by AdminTokenAuthMiddleware. This code # will not be impacted even if AdminTokenAuthMiddleware is removed # from the pipeline as "is_admin" is default to "False". This code # is independent of AdminTokenAuthMiddleware. return {} context = {'token_id': token_id} context['environment'] = request.environ try: token_ref = self.token_api.get_token(token_id) # TODO(ayoung): These two functions return the token in different # formats instead of two calls, only make one. However, the call # to get_token hits the caching layer, and does not validate the # token. In the future, this should be reduced to one call. if not CONF.token.revoke_by_id: self.token_api.token_provider_api.validate_token( context['token_id']) # TODO(gyee): validate_token_bind should really be its own # middleware wsgi.validate_token_bind(context, token_ref) return authorization.token_to_auth_context( token_ref['token_data']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized()
def _build_policy_check_credentials(self, action, context, kwargs): LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug('RBAC: using auth context from the request environment') return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # now build the auth context from the incoming auth token try: LOG.debug('RBAC: building auth context from the incoming auth token') # TODO(ayoung): These two functions return the token in different # formats. However, the call # to get_token hits the caching layer, and does not validate the # token. This should be reduced to one call if not CONF.token.revoke_by_id: self.token_api.token_provider_api.validate_token( context['token_id']) token_ref = self.token_api.get_token(context['token_id']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized() # NOTE(jamielennox): whilst this maybe shouldn't be within this function # it would otherwise need to reload the token_ref from backing store. wsgi.validate_token_bind(context, token_ref) auth_context = authorization.token_to_auth_context(token_ref['token_data']) return auth_context
def _create_auth_context(self, token_id): token_ref = self.token_api.get_token(token_id) auth_context = authorization.token_to_auth_context( token_ref['token_data']) return {'environment': {authorization.AUTH_CONTEXT_ENV: auth_context}, 'token_id': token_id, 'host_url': HOST_URL}
def _build_policy_check_credentials(self, action, context, kwargs): kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs]) kwargs_str = strutils.mask_password(kwargs_str) LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': kwargs_str }) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug('RBAC: using auth context from the request environment') return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # There is no current auth context, build it from the incoming token. # TODO(morganfainberg): Collapse this logic with AuthContextMiddleware # in a sane manner as this just mirrors the logic in AuthContextMiddleware try: LOG.debug('RBAC: building auth context from the incoming auth token') token_ref = token_model.KeystoneToken( token_id=context['token_id'], token_data=self.token_provider_api.validate_token( context['token_id'])) # NOTE(jamielennox): whilst this maybe shouldn't be within this # function it would otherwise need to reload the token_ref from # backing store. wsgi.validate_token_bind(context, token_ref) except exception.TokenNotFound: LOG.warning(_LW('RBAC: Invalid token')) raise exception.Unauthorized() auth_context = authorization.token_to_auth_context(token_ref) return auth_context
def _build_policy_check_credentials(self, action, context, kwargs): kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs]) kwargs_str = strutils.mask_password(kwargs_str) LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': kwargs_str}) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug('RBAC: using auth context from the request environment') return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # There is no current auth context, build it from the incoming token. # TODO(morganfainberg): Collapse this logic with AuthContextMiddleware # in a sane manner as this just mirrors the logic in AuthContextMiddleware try: LOG.debug('RBAC: building auth context from the incoming auth token') token_ref = token_model.KeystoneToken( token_id=context['token_id'], token_data=self.token_provider_api.validate_token( context['token_id'])) # NOTE(jamielennox): whilst this maybe shouldn't be within this # function it would otherwise need to reload the token_ref from # backing store. wsgi.validate_token_bind(context, token_ref) except exception.TokenNotFound: LOG.warning(_LW('RBAC: Invalid token')) raise exception.Unauthorized() auth_context = authorization.token_to_auth_context(token_ref) return auth_context
def _build_policy_check_credentials(self, action, context, kwargs): LOG.debug( _('RBAC: Authorizing %(action)s(%(kwargs)s)'), { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs]) }) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug(_('RBAC: using auth context from the request environment')) return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # now build the auth context from the incoming auth token try: LOG.debug( _('RBAC: building auth context from the incoming ' 'auth token')) token_ref = self.token_api.get_token(context['token_id']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized() # NOTE(jamielennox): whilst this maybe shouldn't be within this function # it would otherwise need to reload the token_ref from backing store. wsgi.validate_token_bind(context, token_ref) auth_context = authorization.token_to_auth_context(token_ref['token_data']) return auth_context
def _build_policy_check_credentials(self, action, context, kwargs): LOG.debug(_('RBAC: Authorizing %(action)s(%(kwargs)s)'), { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) # see if auth context has already been created. If so use it. if ('environment' in context and authorization.AUTH_CONTEXT_ENV in context['environment']): LOG.debug(_('RBAC: using auth context from the request environment')) return context['environment'].get(authorization.AUTH_CONTEXT_ENV) # now build the auth context from the incoming auth token try: LOG.debug(_('RBAC: building auth context from the incoming ' 'auth token')) token_ref = self.token_api.get_token(context['token_id']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized() # NOTE(jamielennox): whilst this maybe shouldn't be within this function # it would otherwise need to reload the token_ref from backing store. wsgi.validate_token_bind(context, token_ref) auth_context = authorization.token_to_auth_context(token_ref['token_data']) return auth_context
def _build_auth_context(self, request): token_id = request.headers.get(AUTH_TOKEN_HEADER) if token_id == CONF.admin_token: # NOTE(gyee): no need to proceed any further as the special admin # token is being handled by AdminTokenAuthMiddleware. This code # will not be impacted even if AdminTokenAuthMiddleware is removed # from the pipeline as "is_admin" is default to "False". This code # is independent of AdminTokenAuthMiddleware. return {} context = {'token_id': token_id} context['environment'] = request.environ try: token_ref = self.token_api.get_token(token_id) # TODO(ayoung): These two functions return the token in different # formats instead of two calls, only make one. However, the call # to get_token hits the caching layer, and does not validate the # token. In the future, this should be reduced to one call. if not CONF.token.revoke_by_id: self.token_api.token_provider_api.validate_token( context['token_id']) # TODO(gyee): validate_token_bind should really be its own # middleware wsgi.validate_token_bind(context, token_ref) return authorization.token_to_auth_context(token_ref['token_data']) except exception.TokenNotFound: LOG.warning(_('RBAC: Invalid token')) raise exception.Unauthorized()
def test_oauth_variables_not_set(self): token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertIsNone(auth_context['access_token_id']) self.assertIsNone(auth_context['consumer_id'])
def _create_auth_context(self, token_id): token_ref = self.token_api.get_token(token_id) auth_context = authorization.token_to_auth_context( token_ref['token_data']) return { 'environment': { authorization.AUTH_CONTEXT_ENV: auth_context }, 'token_id': token_id }
def _create_auth_context(self, token_id): token_ref = token_model.KeystoneToken( token_id=token_id, token_data=self.token_provider_api.validate_token(token_id) ) auth_context = authorization.token_to_auth_context(token_ref) return { "environment": {authorization.AUTH_CONTEXT_ENV: auth_context}, "token_id": token_id, "host_url": HOST_URL, }
def test_token_is_unscoped(self): # Check contents of auth_context when the token is unscoped. token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) del token_data['token']['project'] token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertNotIn('project_id', auth_context) self.assertNotIn('domain_id', auth_context) self.assertNotIn('domain_name', auth_context)
def test_oauth_variables_set_for_oauth_token(self): token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) access_token_id = uuid.uuid4().hex consumer_id = uuid.uuid4().hex token_data['token']['OS-OAUTH1'] = {'access_token_id': access_token_id, 'consumer_id': consumer_id} token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertEqual(access_token_id, auth_context['access_token_id']) self.assertEqual(consumer_id, auth_context['consumer_id'])
def test_oauth_variables_set_for_oauth_token(self): token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) access_token_id = uuid.uuid4().hex consumer_id = uuid.uuid4().hex token_data['token']['OS-OAUTH1'] = { 'access_token_id': access_token_id, 'consumer_id': consumer_id } token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertEqual(access_token_id, auth_context['access_token_id']) self.assertEqual(consumer_id, auth_context['consumer_id'])
def test_token_is_domain_scoped(self): # Check contents of auth_context when token is domain-scoped. token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) del token_data['token']['project'] domain_id = uuid.uuid4().hex domain_name = uuid.uuid4().hex token_data['token']['domain'] = {'id': domain_id, 'name': domain_name} token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertNotIn('project_id', auth_context) self.assertEqual(domain_id, auth_context['domain_id']) self.assertEqual(domain_name, auth_context['domain_name'])
def test_unscoped_remote_authn_existing_user_in_tenant(self): """Verify unscoped request for existing user, already in a tenant.""" user = { "name": fakes.user_dn, "enabled": True, "domain_id": default_fixtures.DEFAULT_DOMAIN_ID, } tenant_id = default_fixtures.TENANTS[-1]["id"] # Create the user user = self.identity_api.create_user(user) # Add the user to tenant different than the mapped one self.assignment_api.add_user_to_project(tenant_id, user["id"]) req = prepare_request(get_auth_body(), fakes.user_proxies["dteam"], fakes.user_cert) aux = core.VomsAuthNMiddleware(None) aux._no_verify = True aux._process_request(req) params = req.environ[middleware.PARAMS_ENV] remote_token = self.controller.authenticate(req, params["auth"]) tenant_controller = controllers.TenantAssignment() token_id = remote_token["access"]["token"]["id"] token_ref = token_model.KeystoneToken(token_id=token_id, token_data=remote_token) auth_context = authorization.token_to_auth_context(token_ref) fake_context = { "environment": {authorization.AUTH_CONTEXT_ENV: auth_context}, "token_id": token_id, "query_string": {"limit": None}, } req.context_dict = fake_context tenants = tenant_controller.get_projects_for_token(req) self.assertItemsEqual( (self.tenant_id, tenant_id), # User tenants [i["id"].lower() for i in tenants["tenants"]] )
def test_token_is_for_federated_user(self): # When the token is for a federated user then group_ids is in # auth_context. token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN) group_ids = [uuid.uuid4().hex for x in range(1, 5)] federation_data = {'identity_provider': {'id': uuid.uuid4().hex}, 'protocol': {'id': 'saml2'}, 'groups': [{'id': gid} for gid in group_ids]} token_data['token']['user'][federation_constants.FEDERATION] = ( federation_data) token = token_model.KeystoneToken(token_id=uuid.uuid4().hex, token_data=token_data) auth_context = authorization.token_to_auth_context(token) self.assertItemsEqual(group_ids, auth_context['group_ids'])
def fill_context(self, request): # The request context stores itself in thread-local memory for logging. request_context = context.RequestContext( request_id=request.environ.get('openstack.request_id'), authenticated=False, overwrite=True) request.environ[context.REQUEST_CONTEXT_ENV] = request_context if authorization.AUTH_CONTEXT_ENV in request.environ: msg = _LW('Auth context already exists in the request ' 'environment; it will be used for authorization ' 'instead of creating a new one.') LOG.warning(msg) return # NOTE(gyee): token takes precedence over SSL client certificates. # This will preserve backward compatibility with the existing # behavior. Tokenless authorization with X.509 SSL client # certificate is effectively disabled if no trusted issuers are # provided. if request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', False): request_context.is_admin = True auth_context = {} elif request.token_auth.has_user_token: request_context.auth_token = request.user_token ref = token_model.KeystoneToken(token_id=request.user_token, token_data=request.token_info) auth_context = authorization.token_to_auth_context(ref) elif self._validate_trusted_issuer(request): auth_context = self._build_tokenless_auth_context(request) else: LOG.debug('There is either no auth token in the request or ' 'the certificate issuer is not trusted. No auth ' 'context will be set.') return # set authenticated to flag to keystone that a token has been validated request_context.authenticated = True # The attributes of request_context are put into the logs. This is a # common pattern for all the OpenStack services. In all the other # projects these are IDs, so set the attributes to IDs here rather than # the name. request_context.user_id = auth_context.get('user_id') request_context.project_id = auth_context.get('project_id') request_context.domain_id = auth_context.get('domain_id') request_context.domain_name = auth_context.get('domain_name') request_context.user_domain_id = auth_context.get('user_domain_id') request_context.roles = auth_context.get('roles') is_admin_project = auth_context.get('is_admin_project', True) request_context.is_admin_project = is_admin_project project_domain_id = auth_context.get('project_domain_id') request_context.project_domain_id = project_domain_id is_delegated_auth = auth_context.get('is_delegated_auth', False) request_context.is_delegated_auth = is_delegated_auth request_context.trust_id = auth_context.get('trust_id') request_context.trustor_id = auth_context.get('trustor_id') request_context.trustee_id = auth_context.get('trustee_id') access_token_id = auth_context.get('access_token_id') request_context.oauth_consumer_id = auth_context.get('consumer_id') request_context.oauth_acess_token_id = access_token_id LOG.debug('RBAC: auth_context: %s', auth_context) request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
def fill_context(self, request): # The request context stores itself in thread-local memory for logging. request_context = oslo_context.RequestContext( request_id=request.environ.get('openstack.request_id')) if authorization.AUTH_CONTEXT_ENV in request.environ: msg = _LW('Auth context already exists in the request ' 'environment; it will be used for authorization ' 'instead of creating a new one.') LOG.warning(msg) return # NOTE(gyee): token takes precedence over SSL client certificates. # This will preserve backward compatibility with the existing # behavior. Tokenless authorization with X.509 SSL client # certificate is effectively disabled if no trusted issuers are # provided. if request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', False): request_context.is_admin = True auth_context = {} elif CONF.admin_token and request.user_token == CONF.admin_token: versionutils.report_deprecated_feature( LOG, _LW('build_auth_context middleware checking for the admin ' 'token is deprecated as of the Mitaka release and will be ' 'removed in the O release. If your deployment requires ' 'use of the admin token, update keystone-paste.ini so ' 'that admin_token_auth is before build_auth_context in ' 'the paste pipelines, otherwise remove the ' 'admin_token_auth middleware from the paste pipelines.')) request_context.is_admin = True auth_context = {} elif request.token_auth.has_user_token: request_context.auth_token = request.user_token ref = token_model.KeystoneToken(token_id=request.user_token, token_data=request.token_info) auth_context = authorization.token_to_auth_context(ref) elif self._validate_trusted_issuer(request): auth_context = self._build_tokenless_auth_context(request) else: LOG.debug('There is either no auth token in the request or ' 'the certificate issuer is not trusted. No auth ' 'context will be set.') return # The attributes of request_context are put into the logs. This is a # common pattern for all the OpenStack services. In all the other # projects these are IDs, so set the attributes to IDs here rather than # the name. request_context.user = auth_context.get('user_id') request_context.tenant = auth_context.get('project_id') request_context.domain = auth_context.get('domain_id') request_context.user_domain = auth_context.get('user_domain_id') request_context.project_domain = auth_context.get('project_domain_id') request_context.update_store() LOG.debug('RBAC: auth_context: %s', auth_context) request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
def fill_context(self, request): # The request context stores itself in thread-local memory for logging. request_context = context.RequestContext( request_id=request.environ.get('openstack.request_id'), authenticated=False, overwrite=True) request.environ[context.REQUEST_CONTEXT_ENV] = request_context if authorization.AUTH_CONTEXT_ENV in request.environ: msg = ('Auth context already exists in the request ' 'environment; it will be used for authorization ' 'instead of creating a new one.') LOG.warning(msg) return # NOTE(gyee): token takes precedence over SSL client certificates. # This will preserve backward compatibility with the existing # behavior. Tokenless authorization with X.509 SSL client # certificate is effectively disabled if no trusted issuers are # provided. if request.environ.get(wsgi.CONTEXT_ENV, {}).get('is_admin', False): request_context.is_admin = True auth_context = {} elif request.token_auth.has_user_token: request_context.auth_token = request.user_token ref = token_model.KeystoneToken(token_id=request.user_token, token_data=request.token_info) auth_context = authorization.token_to_auth_context(ref) elif self._validate_trusted_issuer(request): auth_context = self._build_tokenless_auth_context(request) else: LOG.debug('There is either no auth token in the request or ' 'the certificate issuer is not trusted. No auth ' 'context will be set.') return # set authenticated to flag to keystone that a token has been validated request_context.authenticated = True # The attributes of request_context are put into the logs. This is a # common pattern for all the OpenStack services. In all the other # projects these are IDs, so set the attributes to IDs here rather than # the name. request_context.user_id = auth_context.get('user_id') request_context.project_id = auth_context.get('project_id') request_context.domain_id = auth_context.get('domain_id') request_context.domain_name = auth_context.get('domain_name') request_context.user_domain_id = auth_context.get('user_domain_id') request_context.roles = auth_context.get('roles') is_admin_project = auth_context.get('is_admin_project', True) request_context.is_admin_project = is_admin_project project_domain_id = auth_context.get('project_domain_id') request_context.project_domain_id = project_domain_id is_delegated_auth = auth_context.get('is_delegated_auth', False) request_context.is_delegated_auth = is_delegated_auth request_context.trust_id = auth_context.get('trust_id') request_context.trustor_id = auth_context.get('trustor_id') request_context.trustee_id = auth_context.get('trustee_id') access_token_id = auth_context.get('access_token_id') request_context.oauth_consumer_id = auth_context.get('consumer_id') request_context.oauth_acess_token_id = access_token_id LOG.debug('RBAC: auth_context: %s', auth_context) request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context