Use AccessInfo in UserAuthPlugin instead of custom
The UserAuthPlugin in auth_token_middleware provided a sanitized view of an AccessInfo object. This was required in the keystoneclient era, when it would do things like default to the 'default' domain on v2 tokens, which was wrong and should not have been exposed to other services. This was one of the things that was cleaned up in the keystoneauth transition, so there's really no further need to hide this from services. It also meant that every time we wanted to expose something additional to a service we had to hack in a proxy property. Remove the old _TokenData proxy and expose the keystoneauth AccessInfo object to services. Change-Id: I95a7a7a7ad59daf6cb623923de6c8a8533c4734a
This commit is contained in:
parent
29709a4aaf
commit
d0716d25e4
|
@ -590,14 +590,13 @@ class AuthProtocol(BaseAuthProtocol):
|
|||
content_type='application/json')
|
||||
|
||||
if request.user_token_valid:
|
||||
user_auth_ref = request.token_auth._user_auth_ref
|
||||
request.set_user_headers(user_auth_ref)
|
||||
request.set_user_headers(request.token_auth.user)
|
||||
|
||||
if self._include_service_catalog:
|
||||
request.set_service_catalog_headers(user_auth_ref)
|
||||
request.set_service_catalog_headers(request.token_auth.user)
|
||||
|
||||
if request.service_token and request.service_token_valid:
|
||||
request.set_service_headers(request.token_auth._serv_auth_ref)
|
||||
request.set_service_headers(request.token_auth.service)
|
||||
|
||||
if self.log.isEnabledFor(logging.DEBUG):
|
||||
self.log.debug('Received request from %s',
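Review bot: `request.set_user_headers(request.token_auth.user)` now hands the raw keystoneauth AccessInfo to the header builder, whereas the removed `_TokenData` proxy normalised `user_domain_id`/`project_domain_id` to None on v2 tokens and wrapped `role_ids`/`role_names` in `frozenset(... or [])` so they were never None. If keystoneauth's AccessInfo still reports a synthetic domain id for v2 tokens, or can return None for roles, the user headers a downstream service receives change with this commit without the header-building code being touched here; a test pinning the user headers produced for a v2 token would make that explicit. The same concern applies to the `set_service_catalog_headers` and `set_service_headers` calls in this hunk. The enclosing method of AuthProtocol starts and ends outside the hunk.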
|
||||
|
|
|
@ -13,140 +13,11 @@
|
|||
from keystoneauth1.identity import base as base_identity
|
||||
|
||||
|
||||
class _TokenData(object):
|
||||
"""An abstraction to show auth_token consumers some of the token contents.
|
||||
|
||||
This is a simplified and cleaned up keystoneclient.access.AccessInfo object
|
||||
with which services relying on auth_token middleware can find details of
|
||||
the current token.
|
||||
"""
|
||||
|
||||
def __init__(self, auth_ref):
|
||||
self._stored_auth_ref = auth_ref
|
||||
|
||||
@property
|
||||
def _is_v2(self):
|
||||
return self._stored_auth_ref.version == 'v2.0'
|
||||
|
||||
@property
|
||||
def auth_token(self):
|
||||
"""The token data used to authenticate requests.
|
||||
|
||||
:returns: token data.
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.auth_token
|
||||
|
||||
@property
|
||||
def user_id(self):
|
||||
"""The user id associated with the authentication request.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.user_id
|
||||
|
||||
@property
|
||||
def user_domain_id(self):
|
||||
"""The domain ID of the user associated with the authentication.
|
||||
|
||||
Returns the domain id of the user associated with the authentication
|
||||
request.
|
||||
|
||||
:returns: str
|
||||
"""
|
||||
# NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
|
||||
# because it can't know that value. We want to return None instead.
|
||||
if self._is_v2:
|
||||
return None
|
||||
|
||||
return self._stored_auth_ref.user_domain_id
|
||||
|
||||
@property
|
||||
def project_id(self):
|
||||
"""The project ID associated with the authentication.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.project_id
|
||||
|
||||
@property
|
||||
def project_domain_id(self):
|
||||
"""The ID of the project associated with the authentication.
|
||||
|
||||
The domain id of the project associated with the authentication
|
||||
request.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
# NOTE(jamielennox): v2 AccessInfo returns 'default' for domain_id
|
||||
# because it can't know that value. We want to return None instead.
|
||||
if self._is_v2:
|
||||
return None
|
||||
|
||||
return self._stored_auth_ref.project_domain_id
|
||||
|
||||
@property
|
||||
def domain_id(self):
|
||||
"""The domain ID the authentication is scoped to.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.domain_id
|
||||
|
||||
@property
|
||||
def trust_id(self):
|
||||
"""Return the trust id associated with the authentication request..
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.trust_id
|
||||
|
||||
@property
|
||||
def trustor_user_id(self):
|
||||
"""The trustor id associated with the authentication request.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.trustor_user_id
|
||||
|
||||
@property
|
||||
def trustee_user_id(self):
|
||||
"""The trustee id associated with the authentication request.
|
||||
|
||||
:rtype: str
|
||||
"""
|
||||
return self._stored_auth_ref.trustee_user_id
|
||||
|
||||
@property
|
||||
def role_ids(self):
|
||||
"""Role ids of the user associated with the authentication request.
|
||||
|
||||
:rtype: set(str)
|
||||
"""
|
||||
return frozenset(self._stored_auth_ref.role_ids or [])
|
||||
|
||||
@property
|
||||
def role_names(self):
|
||||
"""Role names of the user associated with the authentication request.
|
||||
|
||||
:rtype: set(str)
|
||||
"""
|
||||
return frozenset(self._stored_auth_ref.role_names or [])
|
||||
|
||||
@property
|
||||
def is_admin_project(self):
|
||||
"""Return true if the current project scope is the admin project.
|
||||
|
||||
:rtype: bool
|
||||
"""
|
||||
return self._stored_auth_ref.is_admin_project
|
||||
|
||||
@property
|
||||
def _log_format(self):
|
||||
roles = ','.join(self.role_names)
|
||||
return 'user_id %s, project_id %s, roles %s' % (self.user_id,
|
||||
self.project_id,
|
||||
roles)
|
||||
def _log_format(auth_ref):
|
||||
roles = ','.join(auth_ref.role_names)
|
||||
return 'user_id %s, project_id %s, roles %s' % (auth_ref.user_id,
|
||||
auth_ref.project_id,
|
||||
roles)
|
||||
|
||||
|
||||
class UserAuthPlugin(base_identity.BaseIdentityPlugin):
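Review bot: `','.join(auth_ref.role_names)` in the new module-level `_log_format` drops the `or []` guard the removed `_TokenData.role_names` property had, so if an AccessInfo ever reports `role_names` as None the debug log line raises TypeError instead of logging; `roles = ','.join(auth_ref.role_names or [])` keeps the old tolerance at no cost. The function also has no docstring where the property it replaces at least lived on a documented class; a one-liner such as `"""Return a 'user_id ..., project_id ..., roles ...' summary of an AccessInfo for debug logging."""` would suffice. It is called from `UserAuthPlugin._log_format` in the following hunk.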
|
||||
|
@ -163,67 +34,33 @@ class UserAuthPlugin(base_identity.BaseIdentityPlugin):
|
|||
def __init__(self, user_auth_ref, serv_auth_ref):
|
||||
super(UserAuthPlugin, self).__init__(reauthenticate=False)
|
||||
|
||||
# NOTE(jamielennox): _user_auth_ref and _serv_auth_ref are private
|
||||
# because this object ends up in the environ that is passed to the
|
||||
# service, however they are used within auth_token middleware.
|
||||
self._user_auth_ref = user_auth_ref
|
||||
self._serv_auth_ref = serv_auth_ref
|
||||
|
||||
self._user_data = None
|
||||
self._serv_data = None
|
||||
self.user = user_auth_ref
|
||||
self.service = serv_auth_ref
|
||||
|
||||
@property
|
||||
def has_user_token(self):
|
||||
"""Did this authentication request contained a user auth token."""
|
||||
return self._user_auth_ref is not None
|
||||
|
||||
@property
|
||||
def user(self):
|
||||
"""Authentication information about the user token.
|
||||
|
||||
Will return None if a user token was not passed with this request.
|
||||
"""
|
||||
if not self.has_user_token:
|
||||
return None
|
||||
|
||||
if not self._user_data:
|
||||
self._user_data = _TokenData(self._user_auth_ref)
|
||||
|
||||
return self._user_data
|
||||
return self.user is not None
|
||||
|
||||
@property
|
||||
def has_service_token(self):
|
||||
"""Did this authentication request contained a service token."""
|
||||
return self._serv_auth_ref is not None
|
||||
|
||||
@property
|
||||
def service(self):
|
||||
"""Authentication information about the service token.
|
||||
|
||||
Will return None if a user token was not passed with this request.
|
||||
"""
|
||||
if not self.has_service_token:
|
||||
return None
|
||||
|
||||
if not self._serv_data:
|
||||
self._serv_data = _TokenData(self._serv_auth_ref)
|
||||
|
||||
return self._serv_data
|
||||
return self.service is not None
|
||||
|
||||
def get_auth_ref(self, session, **kwargs):
|
||||
# NOTE(jamielennox): We will always use the auth_ref that was
|
||||
# calculated by the middleware. reauthenticate=False in __init__ should
|
||||
# ensure that this function is only called on the first access.
|
||||
return self._user_auth_ref
|
||||
return self.user
|
||||
|
||||
@property
|
||||
def _log_format(self):
|
||||
msg = []
|
||||
|
||||
if self.has_user_token:
|
||||
msg.append('user: %s' % self.user._log_format)
|
||||
msg.append('user: %s' % _log_format(self.user))
|
||||
|
||||
if self.has_service_token:
|
||||
msg.append('service: %s' % self.service._log_format)
|
||||
msg.append('service: %s' % _log_format(self.service))
|
||||
|
||||
return ' '.join(msg)
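Review bot: `self.user = user_auth_ref` and `self.service = serv_auth_ref` replace two documented read-only properties with bare attributes, so the contract the old docstrings stated ("Will return None if a user token was not passed with this request") is no longer written down anywhere, and the attributes become writable by anything that holds the WSGI environ. Since the commit message makes these the surface services consume, document them in `__init__`, e.g. `# AccessInfo for the user token, or None when the request carried none.` and `# AccessInfo for the service token, or None when the request carried none.`, or keep them as read-only properties backed by private attributes. Exposing the full AccessInfo also exposes `auth_token` to the service; the removed proxy exposed `auth_token` too, so this is not new, but it deserves a sentence in the class docstring now that the whole object is public. The retained `has_user_token`/`has_service_token` docstrings still read "Did this authentication request contained", which could be corrected while touching these lines.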
|
||||
|
|
|
@ -109,7 +109,7 @@ class V2UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
|
|||
self.requests_mock.post(url, json=self.service_token)
|
||||
|
||||
def get_role_names(self, token):
|
||||
return set(x['name'] for x in token['access']['user'].get('roles', []))
|
||||
return [x['name'] for x in token['access']['user'].get('roles', [])]
|
||||
|
||||
def get_token(self):
|
||||
token = fixture.V2Token()
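Review bot: Switching `get_role_names` from a set to a list makes whatever assertion consumes it (outside this hunk) order-sensitive, so the test now depends on keystoneauth returning role names in the same order as the token fixture lists them. If the assertion compares directly against `AccessInfo.role_names` that is presumably intended, but comparing `sorted(...)` of both sides would keep the test robust to ordering. The same change is made in `V3UserPluginTests.get_role_names` in the next hunk.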
|
||||
|
@ -174,7 +174,7 @@ class V3UserPluginTests(BaseUserPluginTests, base.BaseAuthTokenTestCase):
|
|||
json=self.service_token)
|
||||
|
||||
def get_role_names(self, token):
|
||||
return set(x['name'] for x in token['token'].get('roles', []))
|
||||
return [x['name'] for x in token['token'].get('roles', [])]
|
||||
|
||||
def get_token(self, project=True):
|
||||
token_id = uuid.uuid4().hex
|
||||
|
|