Use AccessInfo in UserAuthPlugin instead of custom

The UserAuthPlugin in auth_token_middleware provided a sanitized view of
an AccessInfo object. This was required in keystoneclient time when it
would do things like default to the 'default' domain on v2 tokens which
was wrong and should not be exposed to other services.

This was one of the things that was cleaned up in the keystoneauth
transition and so there's really no further need to hide this from
services. It also meant every time we wanted to expose something
additional to a service we had to hack in a proxy property.

Remove the old _TokenData proxy and expose the keystoneauth AccessInfo
object to services.

Change-Id: I95a7a7a7ad59daf6cb623923de6c8a8533c4734a
This commit is contained in:
Jamie Lennox 2016-07-07 16:41:51 +10:00
parent 29709a4aaf
commit d0716d25e4
3 changed files with 17 additions and 181 deletions

View File

@ -590,14 +590,13 @@ class AuthProtocol(BaseAuthProtocol):
content_type='application/json')
if request.user_token_valid:
user_auth_ref = request.token_auth._user_auth_ref
request.set_user_headers(user_auth_ref)
request.set_user_headers(request.token_auth.user)
if self._include_service_catalog:
request.set_service_catalog_headers(user_auth_ref)
request.set_service_catalog_headers(request.token_auth.user)
if request.service_token and request.service_token_valid:
request.set_service_headers(request.token_auth._serv_auth_ref)
request.set_service_headers(request.token_auth.service)
if self.log.isEnabledFor(logging.DEBUG):
self.log.debug('Received request from %s',

View File

@ -13,140 +13,11 @@
from keystoneauth1.identity import base as base_identity
class _TokenData(object):
"""An abstraction to show auth_token consumers some of the token contents.
This is a simplified and cleaned up keystoneclient.access.AccessInfo object
with which services relying on auth_token middleware can find details of
the current token.
"""
def __init__(self, auth_ref):
self._stored_auth_ref = auth_ref
@property
def _is_v2(self):
return self._stored_auth_ref.version == 'v2.0'
@property
def auth_token(self):
"""The token data used to authenticate requests.
:returns: token data.
:rtype: str
"""
return self._stored_auth_ref.auth_token
@property
def user_id(self):
"""The user id associated with the authentication request.
:rtype: str
"""
return self._stored_auth_ref.user_id
@property
def user_domain_id(self):
"""The domain ID of the user associated with the authentication.
Returns the domain id of the user associated with the authentication
request.
:returns: str
"""
# NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
# because it can't know that value. We want to return None instead.
if self._is_v2:
return None
return self._stored_auth_ref.user_domain_id
@property
def project_id(self):
"""The project ID associated with the authentication.
:rtype: str
"""
return self._stored_auth_ref.project_id
@property
def project_domain_id(self):
"""The ID of the project associated with the authentication.
The domain id of the project associated with the authentication
request.
:rtype: str
"""
# NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
# because it can't know that value. We want to return None instead.
if self._is_v2:
return None
return self._stored_auth_ref.project_domain_id
@property
def domain_id(self):
"""The domain ID the authentication is scoped to.
:rtype: str
"""
return self._stored_auth_ref.domain_id
@property
def trust_id(self):
"""Return the trust id associated with the authentication request..
:rtype: str
"""
return self._stored_auth_ref.trust_id
@property
def trustor_user_id(self):
"""The trustor id associated with the authentication request.
:rtype: str
"""
return self._stored_auth_ref.trustor_user_id
@property
def trustee_user_id(self):
"""The trustee id associated with the authentication request.
:rtype: str
"""
return self._stored_auth_ref.trustee_user_id
@property
def role_ids(self):
"""Role ids of the user associated with the authentication request.
:rtype: set(str)
"""
return frozenset(self._stored_auth_ref.role_ids or [])
@property
def role_names(self):
"""Role names of the user associated with the authentication request.
:rtype: set(str)
"""
return frozenset(self._stored_auth_ref.role_names or [])
@property
def is_admin_project(self):
"""Return true if the current project scope is the admin project.
:rtype: bool
"""
return self._stored_auth_ref.is_admin_project
@property
def _log_format(self):
roles = ','.join(self.role_names)
return 'user_id %s, project_id %s, roles %s' % (self.user_id,
self.project_id,
roles)
def _log_format(auth_ref):
roles = ','.join(auth_ref.role_names)
return 'user_id %s, project_id %s, roles %s' % (auth_ref.user_id,
auth_ref.project_id,
roles)
class UserAuthPlugin(base_identity.BaseIdentityPlugin):
@ -163,67 +34,33 @@ class UserAuthPlugin(base_identity.BaseIdentityPlugin):
def __init__(self, user_auth_ref, serv_auth_ref):
super(UserAuthPlugin, self).__init__(reauthenticate=False)
# NOTE(jamielennox): _user_auth_ref and _serv_auth_ref are private
# because this object ends up in the environ that is passed to the
# service, however they are used within auth_token middleware.
self._user_auth_ref = user_auth_ref
self._serv_auth_ref = serv_auth_ref
self._user_data = None
self._serv_data = None
self.user = user_auth_ref
self.service = serv_auth_ref
@property
def has_user_token(self):
"""Did this authentication request contained a user auth token."""
return self._user_auth_ref is not None
@property
def user(self):
"""Authentication information about the user token.
Will return None if a user token was not passed with this request.
"""
if not self.has_user_token:
return None
if not self._user_data:
self._user_data = _TokenData(self._user_auth_ref)
return self._user_data
return self.user is not None
@property
def has_service_token(self):
"""Did this authentication request contained a service token."""
return self._serv_auth_ref is not None
@property
def service(self):
"""Authentication information about the service token.
Will return None if a user token was not passed with this request.
"""
if not self.has_service_token:
return None
if not self._serv_data:
self._serv_data = _TokenData(self._serv_auth_ref)
return self._serv_data
return self.service is not None
def get_auth_ref(self, session, **kwargs):
# NOTE(jamielennox): We will always use the auth_ref that was
# calculated by the middleware. reauthenticate=False in __init__ should
# ensure that this function is only called on the first access.
return self._user_auth_ref
return self.user
@property
def _log_format(self):
msg = []
if self.has_user_token:
msg.append('user: %s' % self.user._log_format)
msg.append('user: %s' % _log_format(self.user))
if self.has_service_token:
msg.append('service: %s' % self.service._log_format)
msg.append('service: %s' % _log_format(self.service))
return ' '.join(msg)

View File

@ -109,7 +109,7 @@ class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
self.requests_mock.post(url, json=self.service_token)
def get_role_names(self, token):
return set(x['name'] for x in token['access']['user'].get('roles', []))
return [x['name'] for x in token['access']['user'].get('roles', [])]
def get_token(self):
token = fixture.V2Token()
@ -174,7 +174,7 @@ class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
json=self.service_token)
def get_role_names(self, token):
return set(x['name'] for x in token['token'].get('roles', []))
return [x['name'] for x in token['token'].get('roles', [])]
def get_token(self, project=True):
token_id = uuid.uuid4().hex