From fe0c8e955be0331aef9cc6847c9bddc43ce66d92 Mon Sep 17 00:00:00 2001
From: Dolph Mathews <dolph.mathews@gmail.com>
Date: Wed, 15 Jun 2016 16:26:35 +0000
Subject: Do not prompt for scope options with default scoped tokens

This changes the scope validation to occur after a token has already
been created.

Previous flow:

1. Validate authentication options.
2. Validate authorization options if the command requires a scope.
3. Create a token (using authentication + authorization options)
4. Run command.

This means that scope was being checked, even if a default scope was
applied in step 3 by Keystone.

New flow:

1. Validate authentication options.
2. Create token (using authentication + authorization options)
3  Validate authorization options if the command requires a scope and
   the token is not scoped.
4. Run command.

Change-Id: Idae368a11249f425b14b891fc68b4176e2b3e981
Closes-Bug: 1592062
---
 openstackclient/common/clientmanager.py | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

(limited to 'openstackclient/common')

diff --git a/openstackclient/common/clientmanager.py b/openstackclient/common/clientmanager.py
index 04f624d0..5dbfb417 100644
--- a/openstackclient/common/clientmanager.py
+++ b/openstackclient/common/clientmanager.py
@@ -140,10 +140,8 @@ class ClientManager(object):
         # prior to dereferrencing auth_ref.
         self._auth_setup_completed = False
 
-    def setup_auth(self, required_scope=True):
-        """Set up authentication
-
-        :param required_scope: indicate whether a scoped token is required
+    def setup_auth(self):
+        """Set up authentication.
 
         This is deferred until authentication is actually attempted because
         it gets in the way of things that do not require auth.
@@ -157,9 +155,8 @@ class ClientManager(object):
         self.auth_plugin_name = auth.select_auth_plugin(self._cli_options)
 
         # Basic option checking to avoid unhelpful error messages
-        auth.check_valid_auth_options(self._cli_options,
-                                      self.auth_plugin_name,
-                                      required_scope=required_scope)
+        auth.check_valid_authentication_options(self._cli_options,
+                                                self.auth_plugin_name)
 
         # Horrible hack alert...must handle prompt for null password if
         # password auth is requested.
@@ -229,6 +226,20 @@ class ClientManager(object):
 
         self._auth_setup_completed = True
 
+    def validate_scope(self):
+        if self._auth_ref.project_id is not None:
+            # We already have a project scope.
+            return
+        if self._auth_ref.domain_id is not None:
+            # We already have a domain scope.
+            return
+
+        # We do not have a scoped token (and the user's default project scope
+        # was not implied), so the client needs to be explicitly configured
+        # with a scope.
+        auth.check_valid_authorization_options(self._cli_options,
+                                               self.auth_plugin_name)
+
     @property
     def auth_ref(self):
         """Dereference will trigger an auth if it hasn't already"""
-- 
cgit v1.2.1