From 187d5740632073750ccd4a5f8f1b4abed51f24b0 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Mon, 25 Jan 2016 18:56:26 +1100
Subject: Standardize an oslo.policy credentials dictionary

Currently all the services pass there own dictionary to the oslo.policy enforcement engine. This means that there is no standard policy language between services. Create a dictionary with the standard credential items that may be required in policy enforcement. This method will need to be overriden from individual services for backwards compatibility for some time.
Change-Id: I7bc31764e79eb61f602c7b8601149ac75bee9f9f
Closes-Bug: #1537653
---
 oslo_context/context.py | 18 ++++++++++++++++++
 oslo_context/tests/test_context.py | 19 +++++++++++++++++++
 2 files changed, 37 insertions(+)
(limited to 'oslo_context')

diff --git a/oslo_context/context.py b/oslo_context/context.py
index 9564abd..24aa64e 100644
--- a/oslo_context/context.py
+++ b/oslo_context/context.py
@@ -80,6 +80,24 @@ class RequestContext(object):
 """Store the context in the current thread."""
 _request_store.context = self

+ def to_policy_values(self):
+ """A dictionary of context attributes to enforce policy with.
+
+ oslo.policy enforcement requires a dictionary of attributes
+ representing the current logged in user on which it applies policy
+ enforcement. This dictionary defines a standard list of attributes that
+ should be available for enforcement across services.
+
+ It is expected that services will often have to override this method
+ with either deprecated values or additional attributes used by that
+ service specific policy.
+ """
+ return {'user_id': self.user,
+ 'user_domain_id': self.user_domain,
+ 'project_id': self.tenant,
+ 'project_domain_id': self.project_domain,
+ 'roles': self.roles}
+
 def to_dict(self):
 """Return a dictionary of context attributes."""
 user_idt = (
diff --git a/oslo_context/tests/test_context.py b/oslo_context/tests/test_context.py
index 6b18820..e4f49c9 100644
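Review bot: `'roles': self.roles` in to_policy_values() hands the context's own list to the policy engine, so any consumer that edits the returned credentials in place also changes the roles held by the context, which is an authorization input. Returning a copy, `'roles': list(self.roles)}`, keeps the two apart; RequestContext's constructor is outside this hunk, so if roles can be None there the copy needs a guard. The docstring could also say that attributes never set on the context are passed through as-is (presumably None), so policy authors and overriding services know that a key being present does not mean its value is populated, for example `Attributes that were not set on the context are returned unchanged and are not filled in.`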
--- a/oslo_context/tests/test_context.py
+++ b/oslo_context/tests/test_context.py
@@ -318,3 +318,22 @@ class ContextTest(test_base.BaseTestCase):
 id1 = context.generate_request_id()
 id2 = context.generate_request_id()
 self.assertNotEqual(id1, id2)
+
+ def test_policy_dict(self):
+ user = uuid.uuid4().hex
+ user_domain = uuid.uuid4().hex
+ tenant = uuid.uuid4().hex
+ project_domain = uuid.uuid4().hex
+ roles = [uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex]
+
+ ctx = context.RequestContext(user=user,
+ user_domain=user_domain,
+ tenant=tenant,
+ project_domain=project_domain,
+ roles=roles)
+
+ self.assertEqual({'user_id': user,
+ 'user_domain_id': user_domain,
+ 'project_id': tenant,
+ 'project_domain_id': project_domain,
+ 'roles': roles}, ctx.to_policy_values())
-- cgit v1.2.1
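Review bot: test_policy_dict only exercises a context with every attribute supplied, so nothing pins what to_policy_values() returns for a context built with no credentials, which is the case where a wrong default matters most for enforcement. A second test that constructs `context.RequestContext()` and asserts the five keys are present with their unset values would cover it; the expected values depend on the constructor defaults, which are not visible in this hunk. A one-line docstring on the test, e.g. `"""to_policy_values() maps context attributes onto the standard policy keys."""`, would also record the tenant to project_id and user to user_id renames that the assertion checks.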