0bdd434add
Log messages are no longer being translated. This removes all use of the _LE, _LI, _LW and _LC translation markers to simplify logging and to avoid confusion with new contributions. See: http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html It will be a giant patch if all these _LE, _LI, _LW and _LC being deleted within one patch, so this patch only delete _LW, _LC and _LE has been handled in previous patch; deletion of _LI will be in the following patches related with this one. Change-Id: Ia696ee76f22e488b9a219305f4f220eca2161cee
104 lines
3.7 KiB
Python
# Copyright (c) 2013 Mirantis Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_log import log as logging
from oslo_middleware import base
from oslo_utils import strutils
import webob
import webob.exc as ex
from sahara.i18n import _
# Module-level logger, named after this module.
LOG = logging.getLogger(__name__)
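class AuthValidator(base.Middleware):
    """Reject requests whose URL tenant differs from the token tenant.

    The token tenant is read from the ``HTTP_X_TENANT_ID`` WSGI environ key,
    i.e. the ``X-Tenant-Id`` request header. This class compares that value
    with the URL; it does not authenticate it.

    NOTE(review): presumably a token-auth middleware earlier in the WSGI
    pipeline sets this header and discards any client-supplied copy --
    confirm the pipeline order, otherwise the comparison below is made
    against caller-controlled data.
    """

    @webob.dec.wsgify
    def __call__(self, req):
        """Ensure that the tenants in the URL and in the token are equal.

        Handle an incoming request by checking tenant info from the headers
        and the URL ({tenant_id} URL attribute). The root path ``/`` is
        passed through without a tenant comparison.

        Pass the request downstream on success.
        Reject the request if tenant_id from the headers is not equal to
        tenant_id from the URL.

        :param req: the incoming request
        :returns: the wrapped application, which then handles the request
        :raises HTTPServiceUnavailable: no tenant id is present in the
            environ
        :raises HTTPNotFound: the path cannot be split into version,
            tenant id and remainder
        :raises HTTPUnauthorized: the URL tenant differs from the token
            tenant
        """
        token_tenant = req.environ.get("HTTP_X_TENANT_ID")
        if not token_tenant:
            # Fail closed: without a tenant id there is nothing to compare.
            LOG.warning("Can't get tenant_id from env")
            raise ex.HTTPServiceUnavailable()

        path = req.environ['PATH_INFO']
        if path != '/':
            try:
                # Unused parts get underscore-prefixed names rather than a
                # bare ``_``, which is the translation function in this
                # module.
                _version, url_tenant, _rest = strutils.split_path(
                    path, 3, 3, True)
            except ValueError:
                # PATH_INFO is caller-controlled. Logging its repr() keeps
                # embedded CR/LF or other control characters from starting
                # forged log lines; the lazy argument also follows the
                # logging convention of not pre-formatting messages.
                LOG.warning("Incorrect path: %r", path)
                raise ex.HTTPNotFound(_("Incorrect path"))

            if token_tenant != url_tenant:
                LOG.debug("Unauthorized: token tenant != requested tenant")
                # NOTE(review): a tenant mismatch is an authorization
                # failure, for which 403 is the usual status; 401 is kept
                # because clients may depend on it -- confirm.
                raise ex.HTTPUnauthorized(
                    _('Token tenant != requested tenant'))
        return self.application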
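class AuthValidatorV2(base.Middleware):
    """Reject requests whose requested tenant differs from the token tenant.

    The token tenant is read from the ``HTTP_X_TENANT_ID`` WSGI environ key,
    i.e. the ``X-Tenant-Id`` request header. The requested tenant comes from
    the URL for v1/v1.1 paths and from the ``OpenStack-Project-ID`` request
    header for paths starting with ``/v2``.

    NOTE(review): presumably a token-auth middleware earlier in the WSGI
    pipeline sets ``X-Tenant-Id`` and discards any client-supplied copy --
    confirm the pipeline order, otherwise both sides of the comparison are
    caller-controlled on the v2 path.
    """

    @webob.dec.wsgify
    def __call__(self, req):
        """Ensure that the requested and token tenants match.

        Handle incoming requests by checking tenant info from the
        headers and URL ({tenant_id} URL attribute), if using v1 or v1.1
        APIs. If using the v2 API, this function will check the token
        tenant and the requested tenant in the headers. The root path
        ``/`` is passed through without any check.

        Pass the request downstream on success.
        Reject the request if tenant_id from the headers is not equal to
        the tenant_id from the URL or v2 project header.

        :param req: the incoming request
        :returns: the wrapped application, which then handles the request
        :raises HTTPServiceUnavailable: no tenant id is present in the
            environ
        :raises HTTPNotFound: the path cannot be split into the segments
            expected for its API version
        :raises HTTPUnauthorized: the requested tenant differs from the
            token tenant
        """
        path = req.environ['PATH_INFO']
        if path != '/':
            token_tenant = req.environ.get("HTTP_X_TENANT_ID")
            if not token_tenant:
                # Fail closed: without a tenant id there is nothing to
                # compare.
                LOG.warning("Can't get tenant_id from env")
                raise ex.HTTPServiceUnavailable()

            try:
                # NOTE(review): this is a prefix match, so any first
                # segment beginning with "v2" takes the header-based branch;
                # confirm the router rejects versions other than v2.
                if path.startswith('/v2'):
                    # Called for validation only: the path must hold a
                    # version and a remainder. Underscore-prefixed names are
                    # used rather than a bare ``_``, which is the
                    # translation function in this module.
                    _version, _rest = strutils.split_path(path, 2, 2, True)
                    # A missing header yields None, which never equals the
                    # non-empty token tenant, so the request is rejected
                    # below.
                    requested_tenant = req.headers.get('OpenStack-Project-ID')
                else:
                    _version, requested_tenant, _rest = strutils.split_path(
                        path, 3, 3, True)
            except ValueError:
                # PATH_INFO is caller-controlled. Logging its repr() keeps
                # embedded CR/LF or other control characters from starting
                # forged log lines; the lazy argument also follows the
                # logging convention of not pre-formatting messages.
                LOG.warning("Incorrect path: %r", path)
                raise ex.HTTPNotFound(_("Incorrect path"))

            if token_tenant != requested_tenant:
                LOG.debug("Unauthorized: token tenant != requested tenant")
                # NOTE(review): a tenant mismatch is an authorization
                # failure, for which 403 is the usual status; 401 is kept
                # because clients may depend on it -- confirm.
                raise ex.HTTPUnauthorized(
                    _('Token tenant != requested tenant'))
        return self.application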