openstack/deb-sahara
Code Issues Proposed changes
42ac162344
deb-sahara/sahara/api/middleware/auth_valid.py
lcsong 0bdd434add Remove log translations 
Log messages are no longer being translated. This removes all use of
the _LE, _LI, _LW and _LC translation markers to simplify logging and to
avoid confusion with new contributions.

See:
http://lists.openstack.org/pipermail/openstack-i18n/2016-November/002574.html
http://lists.openstack.org/pipermail/openstack-dev/2017-March/113365.html

It will be a giant patch if all these _LE, _LI, _LW and _LC being deleted
within one patch, so this patch only delete _LW,  _LC and _LE has been
handled in previous patch; deletion of _LI will be in the following patches
related with this one.

Change-Id: Ia696ee76f22e488b9a219305f4f220eca2161cee
2017-04-10 16:02:05 +08:00

104 lines
3.7 KiB
Python
Raw Blame History

# Copyright (c) 2013 Mirantis Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from oslo_log import log as logging
from oslo_middleware import base
from oslo_utils import strutils
import webob
import webob.exc as ex
from sahara.i18n import _
LOG = logging.getLogger(__name__)
class AuthValidator(base.Middleware):
"""Handles token auth results and tenants."""
@webob.dec.wsgify
def __call__(self, req):
"""Ensures that tenants in url and token are equal.
Handle incoming request by checking tenant info prom the headers and
url ({tenant_id} url attribute).
Pass request downstream on success.
Reject request if tenant_id from headers not equals to tenant_id from
url.
"""
token_tenant = req.environ.get("HTTP_X_TENANT_ID")
if not token_tenant:
LOG.warning("Can't get tenant_id from env")
raise ex.HTTPServiceUnavailable()
path = req.environ['PATH_INFO']
if path != '/':
try:
version, url_tenant, rest = strutils.split_path(path, 3, 3,
True)
except ValueError:
LOG.warning("Incorrect path: {path}".format(path=path))
raise ex.HTTPNotFound(_("Incorrect path"))
if token_tenant != url_tenant:
LOG.debug("Unauthorized: token tenant != requested tenant")
raise ex.HTTPUnauthorized(
_('Token tenant != requested tenant'))
return self.application
class AuthValidatorV2(base.Middleware):
"""Handles token auth results and tenants."""
@webob.dec.wsgify
def __call__(self, req):
"""Ensures that the requested and token tenants match
Handle incoming requests by checking tenant info from the
headers and url ({tenant_id} url attribute), if using v1 or v1.1
APIs. If using the v2 API, this function will check the token
tenant and the requested tenant in the headers.
Pass request downstream on success.
Reject request if tenant_id from headers is not equal to the
tenant_id from url or v2 project header.
"""
path = req.environ['PATH_INFO']
if path != '/':
token_tenant = req.environ.get("HTTP_X_TENANT_ID")
if not token_tenant:
LOG.warning("Can't get tenant_id from env")
raise ex.HTTPServiceUnavailable()
try:
if path.startswith('/v2'):
version, rest = strutils.split_path(path, 2, 2, True)
requested_tenant = req.headers.get('OpenStack-Project-ID')
else:
version, requested_tenant, rest = strutils.split_path(
path, 3, 3, True)
except ValueError:
LOG.warning("Incorrect path: {path}".format(path=path))
raise ex.HTTPNotFound(_("Incorrect path"))
if token_tenant != requested_tenant:
LOG.debug("Unauthorized: token tenant != requested tenant")
raise ex.HTTPUnauthorized(
_('Token tenant != requested tenant'))
return self.application
View Git Blame Copy Permalink