Add roles to context

Roles are an important part of the user context. They typically don't need to be serialized for RPC but they are needed for policy. Include roles onto the context object and make sure it is loaded from the auth_token middleware environment. Related-Bug: #1537653 Change-Id: Ia575ba803a0fb70f39146bd75d381ed19414bd23
author: Jamie Lennox <jamielennox@gmail.com> 2016-01-25 15:33:12 +1100
committer: Ronald Bradford <ronald.bradford@gmail.com> 2016-02-19 21:17:36 +0000
commit: f383bd2973c58c5272504603e4f9dddd55c5bb68 (patch)
tree: a6e00b003d3ca6e7f22714a1e99ff0ad39d49c4e /oslo_context
parent: ce60425d580a0e54b197367116a9926fa0712e89 (diff)
download: oslo-context-f383bd2973c58c5272504603e4f9dddd55c5bb68.tar.gz
2 files changed, 19 insertions, 2 deletions
diff --git a/oslo_context/context.py b/oslo_context/context.py
index bd1a6c4..adad06d 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -53,7 +53,7 @@ class RequestContext(object):
     def __init__(self, auth_token=None, user=None, tenant=None, domain=None,
                  user_domain=None, project_domain=None, is_admin=False,
                  read_only=False, show_deleted=False, request_id=None,
-                 resource_uuid=None, overwrite=True):
+                 resource_uuid=None, overwrite=True, roles=None):
         """Initialize the RequestContext
 
         :param overwrite: Set to False to ensure that the greenthread local
@@ -69,6 +69,7 @@ class RequestContext(object):
         self.read_only = read_only
         self.show_deleted = show_deleted
         self.resource_uuid = resource_uuid
+        self.roles = roles or []
         if not request_id:
             request_id = generate_request_id()
         self.request_id = request_id
@@ -99,6 +100,7 @@ class RequestContext(object):
                 'auth_token': self.auth_token,
                 'request_id': self.request_id,
                 'resource_uuid': self.resource_uuid,
+                'roles': self.roles,
                 'user_identity': user_idt}
 
     def get_logging_values(self):
@@ -143,6 +145,9 @@ class RequestContext(object):
         kwargs.setdefault('project_domain',
                           environ.get('HTTP_X_PROJECT_DOMAIN_ID'))
 
+        roles = environ.get('HTTP_X_ROLES')
+        kwargs.setdefault('roles', roles.split(',') if roles else [])
+
         return cls(**kwargs)
 
 
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index 4555da3..eff31c9 100644
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -135,12 +135,14 @@ class ContextTest(test_base.BaseTestCase):
         project_id = uuid.uuid4().hex
         user_domain_id = uuid.uuid4().hex
         project_domain_id = uuid.uuid4().hex
+        roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex]
 
         environ = {'HTTP_X_AUTH_TOKEN': auth_token,
                    'HTTP_X_USER_ID': user_id,
                    'HTTP_X_PROJECT_ID': project_id,
                    'HTTP_X_USER_DOMAIN_ID': user_domain_id,
-                   'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id}
+                   'HTTP_X_PROJECT_DOMAIN_ID': project_domain_id,
+                   'HTTP_X_ROLES': ','.join(roles)}
 
         ctx = context.RequestContext.from_environ(environ)
 
@@ -149,6 +151,14 @@ class ContextTest(test_base.BaseTestCase):
         self.assertEqual(project_id, ctx.tenant)
         self.assertEqual(user_domain_id, ctx.user_domain)
         self.assertEqual(project_domain_id, ctx.project_domain)
+        self.assertEqual(roles, ctx.roles)
+
+    def test_from_environ_no_roles(self):
+        ctx = context.RequestContext.from_environ(environ={})
+        self.assertEqual([], ctx.roles)
+
+        ctx = context.RequestContext.from_environ(environ={'HTTP_X_ROLES': ''})
+        self.assertEqual([], ctx.roles)
 
     def test_from_function_and_args(self):
         ctx = context.RequestContext(user="user1")
@@ -214,6 +224,7 @@ class ContextTest(test_base.BaseTestCase):
         self.assertIn('request_id', d)
         self.assertIn('resource_uuid', d)
         self.assertIn('user_identity', d)
+        self.assertIn('roles', d)
 
         self.assertEqual(auth_token, d['auth_token'])
         self.assertEqual(tenant, d['tenant'])
@@ -228,6 +239,7 @@ class ContextTest(test_base.BaseTestCase):
         user_identity = "%s %s %s %s %s" % (user, tenant, domain,
                                             user_domain, project_domain)
         self.assertEqual(user_identity, d['user_identity'])
+        self.assertEqual([], d['roles'])
 
     def test_get_logging_values(self):
         auth_token = "token1"
author	Jamie Lennox <jamielennox@gmail.com>	2016-01-25 15:33:12 +1100
committer	Ronald Bradford <ronald.bradford@gmail.com>	2016-02-19 21:17:36 +0000
commit	f383bd2973c58c5272504603e4f9dddd55c5bb68 (patch)
tree	a6e00b003d3ca6e7f22714a1e99ff0ad39d49c4e /oslo_context
parent	ce60425d580a0e54b197367116a9926fa0712e89 (diff)
download	oslo-context-f383bd2973c58c5272504603e4f9dddd55c5bb68.tar.gz