Enforce usage of project scoped token
In order for functionality to remain intact (i.e. to disallow people from creating / performing actions in designate that end up with a "None" tenant_id as the owner in the db), we need to enforce the use of a project-scoped token for now. Closes-Bug: #1460187 Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f
parent
f5cf7dad7a
commit
ae235cba3c
|
@ -126,6 +126,10 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
||||||
# If the key is valid, Keystone does not include this header at all
|
# If the key is valid, Keystone does not include this header at all
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
tenant_id = headers.get('X-Tenant-ID')
|
||||||
|
if tenant_id is None:
|
||||||
|
return flask.Response(status=401)
|
||||||
|
|
||||||
if headers.get('X-Service-Catalog'):
|
if headers.get('X-Service-Catalog'):
|
||||||
catalog = json.loads(headers.get('X-Service-Catalog'))
|
catalog = json.loads(headers.get('X-Service-Catalog'))
|
||||||
else:
|
else:
|
||||||
|
@ -137,7 +141,7 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
||||||
request,
|
request,
|
||||||
auth_token=headers.get('X-Auth-Token'),
|
auth_token=headers.get('X-Auth-Token'),
|
||||||
user=headers.get('X-User-ID'),
|
user=headers.get('X-User-ID'),
|
||||||
tenant=headers.get('X-Tenant-ID'),
|
tenant=tenant_id,
|
||||||
roles=roles,
|
roles=roles,
|
||||||
service_catalog=catalog)
|
service_catalog=catalog)
|
||||||
|
|
||||||
|
|
|
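Review bot: The guard at `if tenant_id is None:` rejects only an absent `X-Tenant-ID`; a header that is present but empty slips past it, and the context built in the second hunk then receives `tenant=''`, which is still a record with no real owner, the case this commit sets out to close. `if not tenant_id:` returns the same 401 for both shapes at no cost. Whether keystonemiddleware ever emits an empty value for an unscoped token is not visible in this hunk, so treat that as hardening rather than a known failure. A one-line comment on the new check would also help the next reader, e.g. `# Unscoped tokens carry no project; reject them rather than create records owned by tenant None`. The enclosing method starts before the first hunk and ends after the second.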
@ -79,6 +79,23 @@ class KeystoneContextMiddlewareTest(ApiTestCase):
|
||||||
|
|
||||||
self.assertEqual(response.status_code, 401)
|
self.assertEqual(response.status_code, 401)
|
||||||
|
|
||||||
|
def test_process_unscoped_token(self):
|
||||||
|
app = middleware.KeystoneContextMiddleware({})
|
||||||
|
|
||||||
|
request = FakeRequest()
|
||||||
|
|
||||||
|
request.headers = {
|
||||||
|
'X-Auth-Token': 'AuthToken',
|
||||||
|
'X-User-ID': 'UserID',
|
||||||
|
'X-Tenant-ID': None,
|
||||||
|
'X-Roles': 'admin,Member',
|
||||||
|
}
|
||||||
|
|
||||||
|
# Process the request
|
||||||
|
response = app(request)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, 401)
|
||||||
|
|
||||||
|
|
||||||
class NoAuthContextMiddlewareTest(ApiTestCase):
|
class NoAuthContextMiddlewareTest(ApiTestCase):
|
||||||
def test_process_request(self):
|
def test_process_request(self):
|
||||||
|
|
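Review bot: `test_process_unscoped_token` sets `'X-Tenant-ID': None` in the headers dict, but a WSGI header is either absent or a string, so the test exercises `dict.get` returning a stored None rather than the missing-header case the middleware will actually see. Omitting the key, `request.headers = {'X-Auth-Token': 'AuthToken', 'X-User-ID': 'UserID', 'X-Roles': 'admin,Member'}`, covers the real shape, and a second case with `'X-Tenant-ID': ''` would document whether an empty project id is meant to be accepted. The test also checks only the status code; if `FakeRequest` exposes where the middleware stores the context, asserting it was never set would pin the point of the change. The enclosing test class starts before the hunk.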