From f383bd2973c58c5272504603e4f9dddd55c5bb68 Mon Sep 17 00:00:00 2001 From: Jamie Lennox Date: Mon, 25 Jan 2016 15:33:12 +1100 Subject: [PATCH] Add roles to context Roles are an important part of the user context. They typically don't need to be serialized for RPC but they are needed for policy. Include roles onto the context object and make sure it is loaded from the auth_token middleware environment. Related-Bug: #1537653 Change-Id: Ia575ba803a0fb70f39146bd75d381ed19414bd23 --- oslo_context/context.py | 7 ++++++- oslo_context/tests/test_context.py | 14 +++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/oslo_context/context.py b/oslo_context/context.py index bd1a6c4..adad06d 100644 --- a/oslo_context/context.py +++ b/oslo_context/context.py @@ -53,7 +53,7 @@ class RequestContext(object): def __init__(self, auth_token=None, user=None, tenant=None, domain=None, user_domain=None, project_domain=None, is_admin=False, read_only=False, show_deleted=False, request_id=None, - resource_uuid=None, overwrite=True): + resource_uuid=None, overwrite=True, roles=None): """Initialize the RequestContext :param overwrite: Set to False to ensure that the greenthread local @@ -69,6 +69,7 @@ class RequestContext(object): self.read_only = read_only self.show_deleted = show_deleted self.resource_uuid = resource_uuid + self.roles = roles or [] if not request_id: request_id = generate_request_id() self.request_id = request_id @@ -99,6 +100,7 @@ class RequestContext(object): 'auth_token': self.auth_token, 'request_id': self.request_id, 'resource_uuid': self.resource_uuid, + 'roles': self.roles, 'user_identity': user_idt} def get_logging_values(self): @@ -143,6 +145,9 @@ class RequestContext(object): kwargs.setdefault('project_domain', environ.get('HTTP_X_PROJECT_DOMAIN_ID')) + roles = environ.get('HTTP_X_ROLES') + kwargs.setdefault('roles', roles.split(',') if roles else []) + return cls(**kwargs) diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py index 4555da3..eff31c9 100644 --- a/oslo_context/tests/test_context.py +++ b/oslo_context/tests/test_context.py @@ -135,12 +135,14 @@ class ContextTest(test_base.BaseTestCase): project_id = uuid.uuid4().hex user_domain_id = uuid.uuid4().hex project_domain_id = uuid.uuid4().hex + roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex] environ = {'HTTP_X_AUTH_TOKEN': auth_token, 'HTTP_X_USER_ID': user_id, 'HTTP_X_PROJECT_ID': project_id, 'HTTP_X_USER_DOMAIN_ID': user_domain_id, - 'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id} + 'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id, + 'HTTP_X_ROLES': ','.join(roles)} ctx = context.RequestContext.from_environ(environ) @@ -149,6 +151,14 @@ class ContextTest(test_base.BaseTestCase): self.assertEqual(project_id, ctx.tenant) self.assertEqual(user_domain_id, ctx.user_domain) self.assertEqual(project_domain_id, ctx.project_domain) + self.assertEqual(roles, ctx.roles) + + def test_from_environ_no_roles(self): + ctx = context.RequestContext.from_environ(environ={}) + self.assertEqual([], ctx.roles) + + ctx = context.RequestContext.from_environ(environ={'HTTP_X_ROLES': ''}) + self.assertEqual([], ctx.roles) def test_from_function_and_args(self): ctx = context.RequestContext(user="user1") @@ -214,6 +224,7 @@ class ContextTest(test_base.BaseTestCase): self.assertIn('request_id', d) self.assertIn('resource_uuid', d) self.assertIn('user_identity', d) + self.assertIn('roles', d) self.assertEqual(auth_token, d['auth_token']) self.assertEqual(tenant, d['tenant']) @@ -228,6 +239,7 @@ class ContextTest(test_base.BaseTestCase): user_identity = "%s %s %s %s %s" % (user, tenant, domain, user_domain, project_domain) self.assertEqual(user_identity, d['user_identity']) + self.assertEqual([], d['roles']) def test_get_logging_values(self): auth_token = "token1"