Merge "Add is_admin_project to context"

2016-07-11 15:16:53 +00:00 · 2016-07-11 15:16:53 +00:00 · 9feb9db8d6
parent 740b81784b d3af1d06b4
commit 9feb9db8d6
2 changed files with 54 additions and 4 deletions
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@ -73,11 +73,16 @@ class RequestContext(object):
                 read_only=False, show_deleted=False, request_id=None,
                 resource_uuid=None, overwrite=True, roles=None,
                 user_name=None, project_name=None, domain_name=None,
-                 user_domain_name=None, project_domain_name=None):
+                 user_domain_name=None, project_domain_name=None,
+                 is_admin_project=True):
        """Initialize the RequestContext

        :param overwrite: Set to False to ensure that the greenthread local
                          copy of the index is not overwritten.
+        :param is_admin_project: Whether the specified project is specified in
+                                 the token as the admin project. Defaults to
+                                 True for backwards compatibility.
+        :type is_admin_project: bool
        """
        self.auth_token = auth_token
        self.user = user
@ -93,6 +98,7 @@ class RequestContext(object):
        self.project_domain = project_domain
        self.project_domain_name = project_domain_name
        self.is_admin = is_admin
+        self.is_admin_project = is_admin_project
        self.read_only = read_only
        self.show_deleted = show_deleted
        self.resource_uuid = resource_uuid
@ -123,7 +129,8 @@ class RequestContext(object):
                'user_domain_id': self.user_domain,
                'project_id': self.tenant,
                'project_domain_id': self.project_domain,
-                'roles': self.roles}
+                'roles': self.roles,
+                'is_admin_project': self.is_admin_project}

    def to_dict(self):
        """Return a dictionary of context attributes."""
@ -146,7 +153,8 @@ class RequestContext(object):
                'request_id': self.request_id,
                'resource_uuid': self.resource_uuid,
                'roles': self.roles,
-                'user_identity': user_idt}
+                'user_identity': user_idt,
+                'is_admin_project': self.is_admin_project}

    def get_logging_values(self):
        """Return a dictionary of logging specific context attributes."""
@ -196,6 +204,13 @@ class RequestContext(object):
            roles = [r.strip() for r in roles.split(',')] if roles else []
            kwargs['roles'] = roles

+        if 'is_admin_project' not in kwargs:
+            # NOTE(jamielennox): we default is_admin_project to true because if
+            # nothing is provided we have to assume it is the admin project to
+            # make old policy continue to work.
+            is_admin_proj_str = environ.get('HTTP_X_IS_ADMIN_PROJECT', 'true')
+            kwargs['is_admin_project'] = is_admin_proj_str.lower() == 'true'
+
        return cls(**kwargs)


--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@ -244,6 +244,22 @@ class ContextTest(test_base.BaseTestCase):
        ctx = context.RequestContext.from_environ(environ=environ)
        self.assertEqual(['abc', 'def', 'ghi'], ctx.roles)

+    def test_environ_admin_project(self):
+        environ = {}
+        ctx = context.RequestContext.from_environ(environ=environ)
+        self.assertIs(True, ctx.is_admin_project)
+        self.assertIs(True, ctx.to_policy_values()['is_admin_project'])
+
+        environ = {'HTTP_X_IS_ADMIN_PROJECT': 'True'}
+        ctx = context.RequestContext.from_environ(environ=environ)
+        self.assertIs(True, ctx.is_admin_project)
+        self.assertIs(True, ctx.to_policy_values()['is_admin_project'])
+
+        environ = {'HTTP_X_IS_ADMIN_PROJECT': 'False'}
+        ctx = context.RequestContext.from_environ(environ=environ)
+        self.assertIs(False, ctx.is_admin_project)
+        self.assertIs(False, ctx.to_policy_values()['is_admin_project'])
+
    def test_from_function_and_args(self):
        ctx = context.RequestContext(user="user1")
        arg = []
@ -393,6 +409,7 @@ class ContextTest(test_base.BaseTestCase):
        project_domain = uuid.uuid4().hex
        roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex]

+        # default is_admin_project is True
        ctx = context.RequestContext(user=user,
                                     user_domain=user_domain,
                                     tenant=tenant,
@ -403,4 +420,22 @@ class ContextTest(test_base.BaseTestCase):
                          'user_domain_id': user_domain,
                          'project_id': tenant,
                          'project_domain_id': project_domain,
-                          'roles': roles}, ctx.to_policy_values())
+                          'roles': roles,
+                          'is_admin_project': True},
+                         ctx.to_policy_values())
+
+        # is_admin_project False gets passed through
+        ctx = context.RequestContext(user=user,
+                                     user_domain=user_domain,
+                                     tenant=tenant,
+                                     project_domain=project_domain,
+                                     roles=roles,
+                                     is_admin_project=False)
+
+        self.assertEqual({'user_id': user,
+                          'user_domain_id': user_domain,
+                          'project_id': tenant,
+                          'project_domain_id': project_domain,
+                          'roles': roles,
+                          'is_admin_project': False},
+                         ctx.to_policy_values())