diff options
Diffstat (limited to 'oslo_context')
-rw-r--r-- | oslo_context/context.py | 21 | ||||
-rw-r--r-- | oslo_context/tests/test_context.py | 37 |
2 files changed, 54 insertions, 4 deletions
diff --git a/oslo_context/context.py b/oslo_context/context.py index dfe5666..d0d79c0 100644 --- a/oslo_context/context.py +++ b/oslo_context/context.py @@ -74,11 +74,16 @@ class RequestContext(object): read_only=False, show_deleted=False, request_id=None, resource_uuid=None, overwrite=True, roles=None, user_name=None, project_name=None, domain_name=None, - user_domain_name=None, project_domain_name=None): + user_domain_name=None, project_domain_name=None, + is_admin_project=True): """Initialize the RequestContext :param overwrite: Set to False to ensure that the greenthread local copy of the index is not overwritten. + :param is_admin_project: Whether the specified project is specified in + the token as the admin project. Defaults to + True for backwards compatibility. + :type is_admin_project: bool """ self.auth_token = auth_token self.user = user @@ -94,6 +99,7 @@ class RequestContext(object): self.project_domain = project_domain self.project_domain_name = project_domain_name self.is_admin = is_admin + self.is_admin_project = is_admin_project self.read_only = read_only self.show_deleted = show_deleted self.resource_uuid = resource_uuid @@ -124,7 +130,8 @@ class RequestContext(object): 'user_domain_id': self.user_domain, 'project_id': self.tenant, 'project_domain_id': self.project_domain, - 'roles': self.roles} + 'roles': self.roles, + 'is_admin_project': self.is_admin_project} def to_dict(self): """Return a dictionary of context attributes.""" @@ -147,7 +154,8 @@ class RequestContext(object): 'request_id': self.request_id, 'resource_uuid': self.resource_uuid, 'roles': self.roles, - 'user_identity': user_idt} + 'user_identity': user_idt, + 'is_admin_project': self.is_admin_project} def get_logging_values(self): """Return a dictionary of logging specific context attributes.""" @@ -197,6 +205,13 @@ class RequestContext(object): roles = [r.strip() for r in roles.split(',')] if roles else [] kwargs['roles'] = roles + if 'is_admin_project' not in kwargs: + # NOTE(jamielennox): we default is_admin_project to true because if + # nothing is provided we have to assume it is the admin project to + # make old policy continue to work. + is_admin_proj_str = environ.get('HTTP_X_IS_ADMIN_PROJECT', 'true') + kwargs['is_admin_project'] = is_admin_proj_str.lower() == 'true' + return cls(**kwargs) diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py index 3af7d61..54046cb 100644 --- a/oslo_context/tests/test_context.py +++ b/oslo_context/tests/test_context.py @@ -254,6 +254,22 @@ class ContextTest(test_base.BaseTestCase): ctx = context.RequestContext.from_environ(environ=environ) self.assertEqual(['abc', 'def', 'ghi'], ctx.roles) + def test_environ_admin_project(self): + environ = {} + ctx = context.RequestContext.from_environ(environ=environ) + self.assertIs(True, ctx.is_admin_project) + self.assertIs(True, ctx.to_policy_values()['is_admin_project']) + + environ = {'HTTP_X_IS_ADMIN_PROJECT': 'True'} + ctx = context.RequestContext.from_environ(environ=environ) + self.assertIs(True, ctx.is_admin_project) + self.assertIs(True, ctx.to_policy_values()['is_admin_project']) + + environ = {'HTTP_X_IS_ADMIN_PROJECT': 'False'} + ctx = context.RequestContext.from_environ(environ=environ) + self.assertIs(False, ctx.is_admin_project) + self.assertIs(False, ctx.to_policy_values()['is_admin_project']) + def test_from_function_and_args(self): ctx = context.RequestContext(user="user1") arg = [] @@ -403,6 +419,7 @@ class ContextTest(test_base.BaseTestCase): project_domain = uuid.uuid4().hex roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex] + # default is_admin_project is True ctx = context.RequestContext(user=user, user_domain=user_domain, tenant=tenant, @@ -413,4 +430,22 @@ class ContextTest(test_base.BaseTestCase): 'user_domain_id': user_domain, 'project_id': tenant, 'project_domain_id': project_domain, - 'roles': roles}, ctx.to_policy_values()) + 'roles': roles, + 'is_admin_project': True}, + ctx.to_policy_values()) + + # is_admin_project False gets passed through + ctx = context.RequestContext(user=user, + user_domain=user_domain, + tenant=tenant, + project_domain=project_domain, + roles=roles, + is_admin_project=False) + + self.assertEqual({'user_id': user, + 'user_domain_id': user_domain, + 'project_id': tenant, + 'project_domain_id': project_domain, + 'roles': roles, + 'is_admin_project': False}, + ctx.to_policy_values()) |