def test_user_tenants_filter_by_vo(self):
"""Verify that multiple tenants are filtered out."""
CONF.voms.voms_policy = dirs.tests_conf("voms_multiple_vos.json")
# first request with dteam proxy
req_dteam = prepare_request(get_auth_body(),
fakes.user_proxies["dteam"],
fakes.user_cert)
aux = core.VomsAuthNMiddleware(None)
aux._no_verify = True
aux._process_request(req_dteam)
params = req_dteam.environ[middleware.PARAMS_ENV]
remote_token = self.controller.authenticate(req_dteam,
params["auth"])
tenant_controller = controllers.TenantAssignment()
token_id = remote_token["access"]["token"]["id"]
token_ref = token_model.KeystoneToken(token_id=token_id,
token_data=remote_token)
auth_context = authorization.token_to_auth_context(token_ref)
fake_context = {
"environment": {authorization.AUTH_CONTEXT_ENV: auth_context},
"token_id": token_id,
"query_string": {"limit": None},
}
req_dteam.context_dict = fake_context
tenants = tenant_controller.get_projects_for_token(req_dteam)
dteam_tenants = aux._filter_tenants(tenants["tenants"])
self.assertEqual(self.tenant_name, dteam_tenants[0]["name"])
# repeat with other VO
req_ops = prepare_request(get_auth_body(),
fakes.user_proxies["ops"],
fakes.user_cert)
aux._process_request(req_ops)
params = req_dteam.environ[middleware.PARAMS_ENV]
remote_token = self.controller.authenticate(req_ops,
params["auth"])
tenant_controller = controllers.TenantAssignment()
token_id = remote_token["access"]["token"]["id"]
token_ref = token_model.KeystoneToken(token_id=token_id,
token_data=remote_token)
auth_context = authorization.token_to_auth_context(token_ref)
fake_context = {
"environment": {authorization.AUTH_CONTEXT_ENV: auth_context},
"token_id": token_id,
"query_string": {"limit": None},
}
req_ops.context_dict = fake_context
tenants = tenant_controller.get_projects_for_token(req_ops)
# user should be now in two tenants
self.assertEqual(2, len(tenants["tenants"]))
ops_tenants = aux._filter_tenants(tenants["tenants"])
# check that is correctly filtered out
self.assertEqual(1, len(ops_tenants))
self.assertEqual(self.aux_tenant_name, ops_tenants[0]["name"])
def test_token_is_project_scoped_with_trust(self):
# Check auth_context result when the token is project-scoped and has
# trust info.
# SAMPLE_V3_TOKEN has OS-TRUST:trust in it.
token_data = test_token_provider.SAMPLE_V3_TOKEN
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertEqual(token, auth_context['token'])
self.assertTrue(auth_context['is_delegated_auth'])
self.assertEqual(token_data['token']['user']['id'],
auth_context['user_id'])
self.assertEqual(token_data['token']['project']['id'],
auth_context['project_id'])
self.assertNotIn('domain_id', auth_context)
self.assertNotIn('domain_name', auth_context)
self.assertEqual(token_data['token']['OS-TRUST:trust']['id'],
auth_context['trust_id'])
self.assertEqual(
token_data['token']['OS-TRUST:trust']['trustor_user_id'],
auth_context['trustor_id'])
self.assertEqual(
token_data['token']['OS-TRUST:trust']['trustee_user_id'],
auth_context['trustee_id'])
self.assertItemsEqual(
[r['name'] for r in token_data['token']['roles']],
auth_context['roles'])
self.assertIsNone(auth_context['consumer_id'])
self.assertIsNone(auth_context['access_token_id'])
self.assertNotIn('group_ids', auth_context)
def _build_token_auth_context(self, request, token_id):
if CONF.admin_token and token_id == CONF.admin_token:
versionutils.report_deprecated_feature(
LOG,
_LW('build_auth_context middleware checking for the admin '
'token is deprecated as of the Mitaka release and will be '
'removed in the O release. If your deployment requires '
'use of the admin token, update keystone-paste.ini so '
'that admin_token_auth is before build_auth_context in '
'the paste pipelines, otherwise remove the '
'admin_token_auth middleware from the paste pipelines.'))
return {}, True
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(token_id))
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(token_ref), False
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
def _build_auth_context(self, request):
token_id = request.headers.get(AUTH_TOKEN_HEADER).strip()
if token_id == CONF.admin_token:
# NOTE(gyee): no need to proceed any further as the special admin
# token is being handled by AdminTokenAuthMiddleware. This code
# will not be impacted even if AdminTokenAuthMiddleware is removed
# from the pipeline as "is_admin" is default to "False". This code
# is independent of AdminTokenAuthMiddleware.
return {}
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(token_id))
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(token_ref)
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
def _build_token_auth_context(self, request, token_id):
if CONF.admin_token and token_id == CONF.admin_token:
versionutils.report_deprecated_feature(
LOG,
_LW('build_auth_context middleware checking for the admin '
'token is deprecated as of the Mitaka release and will be '
'removed in the O release. If your deployment requires '
'use of the admin token, update keystone-paste.ini so '
'that admin_token_auth is before build_auth_context in '
'the paste pipelines, otherwise remove the '
'admin_token_auth middleware from the paste pipelines.'))
return {}, True
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(token_id))
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(token_ref), False
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
def _build_policy_check_credentials(self, action, context, kwargs):
LOG.debug(
"RBAC: Authorizing %(action)s(%(kwargs)s)",
{"action": action, "kwargs": ", ".join(["%s=%s" % (k, kwargs[k]) for k in kwargs])},
)
# see if auth context has already been created. If so use it.
if "environment" in context and authorization.AUTH_CONTEXT_ENV in context["environment"]:
LOG.debug("RBAC: using auth context from the request environment")
return context["environment"].get(authorization.AUTH_CONTEXT_ENV)
# There is no current auth context, build it from the incoming token.
# TODO(morganfainberg): Collapse this logic with AuthContextMiddleware
# in sane manner as this just mirrors the logic in AuthContextMiddleware
try:
LOG.debug("RBAC: building auth context from the incoming auth token")
token_ref = token_model.KeystoneToken(
token_id=context["token_id"], token_data=self.token_provider_api.validate_token(context["token_id"])
)
# NOTE(jamielennox): whilst this maybe shouldn't be within this
# function it would otherwise need to reload the token_ref from
# backing store.
wsgi.validate_token_bind(context, token_ref)
except exception.TokenNotFound:
LOG.warning(_("RBAC: Invalid token"))
raise exception.Unauthorized()
auth_context = authorization.token_to_auth_context(token_ref)
return auth_context
def test_token_is_for_federated_user(self):
# When the token is for a federated user then group_ids is in
# auth_context.
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
group_ids = [uuid.uuid4().hex for x in range(1, 5)]
federation_data = {
'identity_provider': {
'id': uuid.uuid4().hex
},
'protocol': {
'id': 'saml2'
},
'groups': [{
'id': gid
} for gid in group_ids]
}
token_data['token']['user'][federation_constants.FEDERATION] = (
federation_data)
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertItemsEqual(group_ids, auth_context['group_ids'])
def _build_policy_check_credentials(self, action, context, kwargs):
LOG.debug(
'RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
})
# see if auth context has already been created. If so use it.
if ('environment' in context
and authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug('RBAC: using auth context from the request environment')
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# now build the auth context from the incoming auth token
try:
LOG.debug('RBAC: building auth context from the incoming auth token')
# TODO(ayoung): These two functions return the token in different
# formats. However, the call
# to get_token hits the caching layer, and does not validate the
# token. This should be reduced to one call
if not CONF.token.revoke_by_id:
self.token_api.token_provider_api.validate_token(
context['token_id'])
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
# NOTE(jamielennox): whilst this maybe shouldn't be within this function
# it would otherwise need to reload the token_ref from backing store.
wsgi.validate_token_bind(context, token_ref)
auth_context = authorization.token_to_auth_context(token_ref['token_data'])
return auth_context
def _build_auth_context(self, request):
token_id = request.headers.get(AUTH_TOKEN_HEADER)
if token_id == CONF.admin_token:
# NOTE(gyee): no need to proceed any further as the special admin
# token is being handled by AdminTokenAuthMiddleware. This code
# will not be impacted even if AdminTokenAuthMiddleware is removed
# from the pipeline as "is_admin" is default to "False". This code
# is independent of AdminTokenAuthMiddleware.
return {}
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = self.token_api.get_token(token_id)
# TODO(ayoung): These two functions return the token in different
# formats instead of two calls, only make one. However, the call
# to get_token hits the caching layer, and does not validate the
# token. In the future, this should be reduced to one call.
if not CONF.token.revoke_by_id:
self.token_api.token_provider_api.validate_token(
context['token_id'])
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(
token_ref['token_data'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
def _build_policy_check_credentials(self, action, context, kwargs):
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
# see if auth context has already been created. If so use it.
if ('environment' in context and
authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug('RBAC: using auth context from the request environment')
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# now build the auth context from the incoming auth token
try:
LOG.debug('RBAC: building auth context from the incoming auth token')
# TODO(ayoung): These two functions return the token in different
# formats. However, the call
# to get_token hits the caching layer, and does not validate the
# token. This should be reduced to one call
if not CONF.token.revoke_by_id:
self.token_api.token_provider_api.validate_token(
context['token_id'])
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
# NOTE(jamielennox): whilst this maybe shouldn't be within this function
# it would otherwise need to reload the token_ref from backing store.
wsgi.validate_token_bind(context, token_ref)
auth_context = authorization.token_to_auth_context(token_ref['token_data'])
return auth_context
def _create_auth_context(self, token_id):
token_ref = self.token_api.get_token(token_id)
auth_context = authorization.token_to_auth_context(
token_ref['token_data'])
return {'environment': {authorization.AUTH_CONTEXT_ENV: auth_context},
'token_id': token_id,
'host_url': HOST_URL}
def _build_policy_check_credentials(self, action, context, kwargs):
kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
kwargs_str = strutils.mask_password(kwargs_str)
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
'kwargs': kwargs_str
})
# see if auth context has already been created. If so use it.
if ('environment' in context
and authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug('RBAC: using auth context from the request environment')
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# There is no current auth context, build it from the incoming token.
# TODO(morganfainberg): Collapse this logic with AuthContextMiddleware
# in a sane manner as this just mirrors the logic in AuthContextMiddleware
try:
LOG.debug('RBAC: building auth context from the incoming auth token')
token_ref = token_model.KeystoneToken(
token_id=context['token_id'],
token_data=self.token_provider_api.validate_token(
context['token_id']))
# NOTE(jamielennox): whilst this maybe shouldn't be within this
# function it would otherwise need to reload the token_ref from
# backing store.
wsgi.validate_token_bind(context, token_ref)
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
auth_context = authorization.token_to_auth_context(token_ref)
return auth_context
def _build_auth_context(self, request):
token_id = request.headers.get(AUTH_TOKEN_HEADER).strip()
if token_id == CONF.admin_token:
# NOTE(gyee): no need to proceed any further as the special admin
# token is being handled by AdminTokenAuthMiddleware. This code
# will not be impacted even if AdminTokenAuthMiddleware is removed
# from the pipeline as "is_admin" is default to "False". This code
# is independent of AdminTokenAuthMiddleware.
return {}
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = token_model.KeystoneToken(
token_id=token_id,
token_data=self.token_provider_api.validate_token(token_id))
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(token_ref)
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
def _build_policy_check_credentials(self, action, context, kwargs):
kwargs_str = ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
kwargs_str = strutils.mask_password(kwargs_str)
LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', {
'action': action,
'kwargs': kwargs_str})
# see if auth context has already been created. If so use it.
if ('environment' in context and
authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug('RBAC: using auth context from the request environment')
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# There is no current auth context, build it from the incoming token.
# TODO(morganfainberg): Collapse this logic with AuthContextMiddleware
# in a sane manner as this just mirrors the logic in AuthContextMiddleware
try:
LOG.debug('RBAC: building auth context from the incoming auth token')
token_ref = token_model.KeystoneToken(
token_id=context['token_id'],
token_data=self.token_provider_api.validate_token(
context['token_id']))
# NOTE(jamielennox): whilst this maybe shouldn't be within this
# function it would otherwise need to reload the token_ref from
# backing store.
wsgi.validate_token_bind(context, token_ref)
except exception.TokenNotFound:
LOG.warning(_LW('RBAC: Invalid token'))
raise exception.Unauthorized()
auth_context = authorization.token_to_auth_context(token_ref)
return auth_context
def _build_policy_check_credentials(self, action, context, kwargs):
LOG.debug(
_('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
'action': action,
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])
})
# see if auth context has already been created. If so use it.
if ('environment' in context
and authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug(_('RBAC: using auth context from the request environment'))
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# now build the auth context from the incoming auth token
try:
LOG.debug(
_('RBAC: building auth context from the incoming '
'auth token'))
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
# NOTE(jamielennox): whilst this maybe shouldn't be within this function
# it would otherwise need to reload the token_ref from backing store.
wsgi.validate_token_bind(context, token_ref)
auth_context = authorization.token_to_auth_context(token_ref['token_data'])
return auth_context
def _build_policy_check_credentials(self, action, context, kwargs):
LOG.debug(_('RBAC: Authorizing %(action)s(%(kwargs)s)'), {
'action': action,
'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])})
# see if auth context has already been created. If so use it.
if ('environment' in context and
authorization.AUTH_CONTEXT_ENV in context['environment']):
LOG.debug(_('RBAC: using auth context from the request environment'))
return context['environment'].get(authorization.AUTH_CONTEXT_ENV)
# now build the auth context from the incoming auth token
try:
LOG.debug(_('RBAC: building auth context from the incoming '
'auth token'))
token_ref = self.token_api.get_token(context['token_id'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
# NOTE(jamielennox): whilst this maybe shouldn't be within this function
# it would otherwise need to reload the token_ref from backing store.
wsgi.validate_token_bind(context, token_ref)
auth_context = authorization.token_to_auth_context(token_ref['token_data'])
return auth_context
def _build_auth_context(self, request):
token_id = request.headers.get(AUTH_TOKEN_HEADER)
if token_id == CONF.admin_token:
# NOTE(gyee): no need to proceed any further as the special admin
# token is being handled by AdminTokenAuthMiddleware. This code
# will not be impacted even if AdminTokenAuthMiddleware is removed
# from the pipeline as "is_admin" is default to "False". This code
# is independent of AdminTokenAuthMiddleware.
return {}
context = {'token_id': token_id}
context['environment'] = request.environ
try:
token_ref = self.token_api.get_token(token_id)
# TODO(ayoung): These two functions return the token in different
# formats instead of two calls, only make one. However, the call
# to get_token hits the caching layer, and does not validate the
# token. In the future, this should be reduced to one call.
if not CONF.token.revoke_by_id:
self.token_api.token_provider_api.validate_token(
context['token_id'])
# TODO(gyee): validate_token_bind should really be its own
# middleware
wsgi.validate_token_bind(context, token_ref)
return authorization.token_to_auth_context(token_ref['token_data'])
except exception.TokenNotFound:
LOG.warning(_('RBAC: Invalid token'))
raise exception.Unauthorized()
def test_oauth_variables_not_set(self):
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertIsNone(auth_context['access_token_id'])
self.assertIsNone(auth_context['consumer_id'])
def test_oauth_variables_not_set(self):
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertIsNone(auth_context['access_token_id'])
self.assertIsNone(auth_context['consumer_id'])
def _create_auth_context(self, token_id):
token_ref = self.token_api.get_token(token_id)
auth_context = authorization.token_to_auth_context(
token_ref['token_data'])
return {
'environment': {
authorization.AUTH_CONTEXT_ENV: auth_context
},
'token_id': token_id
}
def _create_auth_context(self, token_id):
token_ref = token_model.KeystoneToken(
token_id=token_id, token_data=self.token_provider_api.validate_token(token_id)
)
auth_context = authorization.token_to_auth_context(token_ref)
return {
"environment": {authorization.AUTH_CONTEXT_ENV: auth_context},
"token_id": token_id,
"host_url": HOST_URL,
}
def test_token_is_unscoped(self):
# Check contents of auth_context when the token is unscoped.
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
del token_data['token']['project']
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertNotIn('project_id', auth_context)
self.assertNotIn('domain_id', auth_context)
self.assertNotIn('domain_name', auth_context)
def test_oauth_variables_set_for_oauth_token(self):
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
access_token_id = uuid.uuid4().hex
consumer_id = uuid.uuid4().hex
token_data['token']['OS-OAUTH1'] = {'access_token_id': access_token_id,
'consumer_id': consumer_id}
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertEqual(access_token_id, auth_context['access_token_id'])
self.assertEqual(consumer_id, auth_context['consumer_id'])
def test_oauth_variables_set_for_oauth_token(self):
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
access_token_id = uuid.uuid4().hex
consumer_id = uuid.uuid4().hex
token_data['token']['OS-OAUTH1'] = {
'access_token_id': access_token_id,
'consumer_id': consumer_id
}
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertEqual(access_token_id, auth_context['access_token_id'])
self.assertEqual(consumer_id, auth_context['consumer_id'])
def test_token_is_domain_scoped(self):
# Check contents of auth_context when token is domain-scoped.
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
del token_data['token']['project']
domain_id = uuid.uuid4().hex
domain_name = uuid.uuid4().hex
token_data['token']['domain'] = {'id': domain_id, 'name': domain_name}
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertNotIn('project_id', auth_context)
self.assertEqual(domain_id, auth_context['domain_id'])
self.assertEqual(domain_name, auth_context['domain_name'])
def test_unscoped_remote_authn_existing_user_in_tenant(self):
"""Verify unscoped request for existing user, already in a tenant."""
user = {
"name": fakes.user_dn,
"enabled": True,
"domain_id": default_fixtures.DEFAULT_DOMAIN_ID,
}
tenant_id = default_fixtures.TENANTS[-1]["id"]
# Create the user
user = self.identity_api.create_user(user)
# Add the user to tenant different than the mapped one
self.assignment_api.add_user_to_project(tenant_id, user["id"])
req = prepare_request(get_auth_body(),
fakes.user_proxies["dteam"],
fakes.user_cert)
aux = core.VomsAuthNMiddleware(None)
aux._no_verify = True
aux._process_request(req)
params = req.environ[middleware.PARAMS_ENV]
remote_token = self.controller.authenticate(req,
params["auth"])
tenant_controller = controllers.TenantAssignment()
token_id = remote_token["access"]["token"]["id"]
token_ref = token_model.KeystoneToken(token_id=token_id,
token_data=remote_token)
auth_context = authorization.token_to_auth_context(token_ref)
fake_context = {
"environment": {authorization.AUTH_CONTEXT_ENV: auth_context},
"token_id": token_id,
"query_string": {"limit": None},
}
req.context_dict = fake_context
tenants = tenant_controller.get_projects_for_token(req)
self.assertItemsEqual(
(self.tenant_id, tenant_id), # User tenants
[i["id"].lower() for i in tenants["tenants"]]
)
def test_token_is_for_federated_user(self):
# When the token is for a federated user then group_ids is in
# auth_context.
token_data = copy.deepcopy(test_token_provider.SAMPLE_V3_TOKEN)
group_ids = [uuid.uuid4().hex for x in range(1, 5)]
federation_data = {'identity_provider': {'id': uuid.uuid4().hex},
'protocol': {'id': 'saml2'},
'groups': [{'id': gid} for gid in group_ids]}
token_data['token']['user'][federation_constants.FEDERATION] = (
federation_data)
token = token_model.KeystoneToken(token_id=uuid.uuid4().hex,
token_data=token_data)
auth_context = authorization.token_to_auth_context(token)
self.assertItemsEqual(group_ids, auth_context['group_ids'])
def fill_context(self, request):
# The request context stores itself in thread-local memory for logging.
request_context = context.RequestContext(
request_id=request.environ.get('openstack.request_id'),
authenticated=False,
overwrite=True)
request.environ[context.REQUEST_CONTEXT_ENV] = request_context
if authorization.AUTH_CONTEXT_ENV in request.environ:
msg = _LW('Auth context already exists in the request '
'environment; it will be used for authorization '
'instead of creating a new one.')
LOG.warning(msg)
return
# NOTE(gyee): token takes precedence over SSL client certificates.
# This will preserve backward compatibility with the existing
# behavior. Tokenless authorization with X.509 SSL client
# certificate is effectively disabled if no trusted issuers are
# provided.
if request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', False):
request_context.is_admin = True
auth_context = {}
elif request.token_auth.has_user_token:
request_context.auth_token = request.user_token
ref = token_model.KeystoneToken(token_id=request.user_token,
token_data=request.token_info)
auth_context = authorization.token_to_auth_context(ref)
elif self._validate_trusted_issuer(request):
auth_context = self._build_tokenless_auth_context(request)
else:
LOG.debug('There is either no auth token in the request or '
'the certificate issuer is not trusted. No auth '
'context will be set.')
return
# set authenticated to flag to keystone that a token has been validated
request_context.authenticated = True
# The attributes of request_context are put into the logs. This is a
# common pattern for all the OpenStack services. In all the other
# projects these are IDs, so set the attributes to IDs here rather than
# the name.
request_context.user_id = auth_context.get('user_id')
request_context.project_id = auth_context.get('project_id')
request_context.domain_id = auth_context.get('domain_id')
request_context.domain_name = auth_context.get('domain_name')
request_context.user_domain_id = auth_context.get('user_domain_id')
request_context.roles = auth_context.get('roles')
is_admin_project = auth_context.get('is_admin_project', True)
request_context.is_admin_project = is_admin_project
project_domain_id = auth_context.get('project_domain_id')
request_context.project_domain_id = project_domain_id
is_delegated_auth = auth_context.get('is_delegated_auth', False)
request_context.is_delegated_auth = is_delegated_auth
request_context.trust_id = auth_context.get('trust_id')
request_context.trustor_id = auth_context.get('trustor_id')
request_context.trustee_id = auth_context.get('trustee_id')
access_token_id = auth_context.get('access_token_id')
request_context.oauth_consumer_id = auth_context.get('consumer_id')
request_context.oauth_acess_token_id = access_token_id
LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
def fill_context(self, request):
# The request context stores itself in thread-local memory for logging.
request_context = oslo_context.RequestContext(
request_id=request.environ.get('openstack.request_id'))
if authorization.AUTH_CONTEXT_ENV in request.environ:
msg = _LW('Auth context already exists in the request '
'environment; it will be used for authorization '
'instead of creating a new one.')
LOG.warning(msg)
return
# NOTE(gyee): token takes precedence over SSL client certificates.
# This will preserve backward compatibility with the existing
# behavior. Tokenless authorization with X.509 SSL client
# certificate is effectively disabled if no trusted issuers are
# provided.
if request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', False):
request_context.is_admin = True
auth_context = {}
elif CONF.admin_token and request.user_token == CONF.admin_token:
versionutils.report_deprecated_feature(
LOG,
_LW('build_auth_context middleware checking for the admin '
'token is deprecated as of the Mitaka release and will be '
'removed in the O release. If your deployment requires '
'use of the admin token, update keystone-paste.ini so '
'that admin_token_auth is before build_auth_context in '
'the paste pipelines, otherwise remove the '
'admin_token_auth middleware from the paste pipelines.'))
request_context.is_admin = True
auth_context = {}
elif request.token_auth.has_user_token:
request_context.auth_token = request.user_token
ref = token_model.KeystoneToken(token_id=request.user_token,
token_data=request.token_info)
auth_context = authorization.token_to_auth_context(ref)
elif self._validate_trusted_issuer(request):
auth_context = self._build_tokenless_auth_context(request)
else:
LOG.debug('There is either no auth token in the request or '
'the certificate issuer is not trusted. No auth '
'context will be set.')
return
# The attributes of request_context are put into the logs. This is a
# common pattern for all the OpenStack services. In all the other
# projects these are IDs, so set the attributes to IDs here rather than
# the name.
request_context.user = auth_context.get('user_id')
request_context.tenant = auth_context.get('project_id')
request_context.domain = auth_context.get('domain_id')
request_context.user_domain = auth_context.get('user_domain_id')
request_context.project_domain = auth_context.get('project_domain_id')
request_context.update_store()
LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
def fill_context(self, request):
# The request context stores itself in thread-local memory for logging.
request_context = oslo_context.RequestContext(
request_id=request.environ.get('openstack.request_id'))
if authorization.AUTH_CONTEXT_ENV in request.environ:
msg = _LW('Auth context already exists in the request '
'environment; it will be used for authorization '
'instead of creating a new one.')
LOG.warning(msg)
return
# NOTE(gyee): token takes precedence over SSL client certificates.
# This will preserve backward compatibility with the existing
# behavior. Tokenless authorization with X.509 SSL client
# certificate is effectively disabled if no trusted issuers are
# provided.
if request.environ.get(core.CONTEXT_ENV, {}).get('is_admin', False):
request_context.is_admin = True
auth_context = {}
elif CONF.admin_token and request.user_token == CONF.admin_token:
versionutils.report_deprecated_feature(
LOG,
_LW('build_auth_context middleware checking for the admin '
'token is deprecated as of the Mitaka release and will be '
'removed in the O release. If your deployment requires '
'use of the admin token, update keystone-paste.ini so '
'that admin_token_auth is before build_auth_context in '
'the paste pipelines, otherwise remove the '
'admin_token_auth middleware from the paste pipelines.'))
request_context.is_admin = True
auth_context = {}
elif request.token_auth.has_user_token:
request_context.auth_token = request.user_token
ref = token_model.KeystoneToken(token_id=request.user_token,
token_data=request.token_info)
auth_context = authorization.token_to_auth_context(ref)
elif self._validate_trusted_issuer(request):
auth_context = self._build_tokenless_auth_context(request)
else:
LOG.debug('There is either no auth token in the request or '
'the certificate issuer is not trusted. No auth '
'context will be set.')
return
# The attributes of request_context are put into the logs. This is a
# common pattern for all the OpenStack services. In all the other
# projects these are IDs, so set the attributes to IDs here rather than
# the name.
request_context.user = auth_context.get('user_id')
request_context.tenant = auth_context.get('project_id')
request_context.domain = auth_context.get('domain_id')
request_context.user_domain = auth_context.get('user_domain_id')
request_context.project_domain = auth_context.get('project_domain_id')
request_context.update_store()
LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
def fill_context(self, request):
# The request context stores itself in thread-local memory for logging.
request_context = context.RequestContext(
request_id=request.environ.get('openstack.request_id'),
authenticated=False,
overwrite=True)
request.environ[context.REQUEST_CONTEXT_ENV] = request_context
if authorization.AUTH_CONTEXT_ENV in request.environ:
msg = ('Auth context already exists in the request '
'environment; it will be used for authorization '
'instead of creating a new one.')
LOG.warning(msg)
return
# NOTE(gyee): token takes precedence over SSL client certificates.
# This will preserve backward compatibility with the existing
# behavior. Tokenless authorization with X.509 SSL client
# certificate is effectively disabled if no trusted issuers are
# provided.
if request.environ.get(wsgi.CONTEXT_ENV, {}).get('is_admin', False):
request_context.is_admin = True
auth_context = {}
elif request.token_auth.has_user_token:
request_context.auth_token = request.user_token
ref = token_model.KeystoneToken(token_id=request.user_token,
token_data=request.token_info)
auth_context = authorization.token_to_auth_context(ref)
elif self._validate_trusted_issuer(request):
auth_context = self._build_tokenless_auth_context(request)
else:
LOG.debug('There is either no auth token in the request or '
'the certificate issuer is not trusted. No auth '
'context will be set.')
return
# set authenticated to flag to keystone that a token has been validated
request_context.authenticated = True
# The attributes of request_context are put into the logs. This is a
# common pattern for all the OpenStack services. In all the other
# projects these are IDs, so set the attributes to IDs here rather than
# the name.
request_context.user_id = auth_context.get('user_id')
request_context.project_id = auth_context.get('project_id')
request_context.domain_id = auth_context.get('domain_id')
request_context.domain_name = auth_context.get('domain_name')
request_context.user_domain_id = auth_context.get('user_domain_id')
request_context.roles = auth_context.get('roles')
is_admin_project = auth_context.get('is_admin_project', True)
request_context.is_admin_project = is_admin_project
project_domain_id = auth_context.get('project_domain_id')
request_context.project_domain_id = project_domain_id
is_delegated_auth = auth_context.get('is_delegated_auth', False)
request_context.is_delegated_auth = is_delegated_auth
request_context.trust_id = auth_context.get('trust_id')
request_context.trustor_id = auth_context.get('trustor_id')
request_context.trustee_id = auth_context.get('trustee_id')
access_token_id = auth_context.get('access_token_id')
request_context.oauth_consumer_id = auth_context.get('consumer_id')
request_context.oauth_acess_token_id = access_token_id
LOG.debug('RBAC: auth_context: %s', auth_context)
request.environ[authorization.AUTH_CONTEXT_ENV] = auth_context
