Prevent spoofing instance_id from neutron to nova

Previously, one could update a port's device_id in neutron to be
that of another tenant's instance_id and then be able to retrieve
that instance's metadata. This patch prevents this from occurring by
checking that X-Tenant-ID received from the metadata request matches
the tenant_id in the nova database.

DocImpact - This patch is dependent on another patch in neutron
            which adds X-Tenant-ID to the request. Therefore to
            minimize downtime one should upgrade Neutron first (then
            restart neutron-metadata-agent) and lastly update nova.

Change-Id: I93bf662797c3986324ca2099b403833c2e990fb4
Closes-Bug: #1235450

nova/api/metadata/handler.py

@@ -148,6 +148,7 @@ class MetadataRequestHandler(wsgi.Application):
 
     def _handle_instance_id_request(self, req):
         instance_id = req.headers.get('X-Instance-ID')
+        tenant_id = req.headers.get('X-Tenant-ID')
         signature = req.headers.get('X-Instance-ID-Signature')
         remote_address = req.headers.get('X-Forwarded-For')
 
@@ -155,8 +156,12 @@ class MetadataRequestHandler(wsgi.Application):
 
         if instance_id is None:
             msg = _('X-Instance-ID header is missing from request.')
+        elif tenant_id is None:
+            msg = _('X-Tenant-ID header is missing from request.')
         elif not isinstance(instance_id, six.string_types):
             msg = _('Multiple X-Instance-ID headers found within request.')
+        elif not isinstance(tenant_id, six.string_types):
+            msg = _('Multiple X-Tenant-ID headers found within request.')
         else:
             msg = None
 
@@ -196,4 +201,12 @@ class MetadataRequestHandler(wsgi.Application):
             LOG.error(_('Failed to get metadata for instance id: %s'),
                       instance_id)
 
+        if meta_data.instance['project_id'] != tenant_id:
+            LOG.warning(_("Tenant_id %(tenant_id)s does not match tenant_id "
+                          "of instance %(instance_id)s."),
+                        {'tenant_id': tenant_id,
+                         'instance_id': instance_id})
+            # causes a 404 to be raised
+            meta_data = None
+
         return meta_data

nova/tests/test_metadata.py

@@ -643,6 +643,7 @@ class MetadataHandlerTestCase(test.TestCase):
             relpath="/2009-04-04/user-data",
             address="192.192.192.2",
             headers={'X-Instance-ID': 'a-b-c-d',
+                     'X-Tenant-ID': 'test',
                      'X-Instance-ID-Signature': signed})
         self.assertEqual(response.status_int, 200)
 
@@ -655,6 +656,7 @@ class MetadataHandlerTestCase(test.TestCase):
             fake_get_metadata_by_instance_id=fake_get_metadata,
             headers={'X-Forwarded-For': '192.192.192.2',
                      'X-Instance-ID': 'a-b-c-d',
+                     'X-Tenant-ID': 'test',
                      'X-Instance-ID-Signature': signed})
 
         self.assertEqual(response.status_int, 200)
@@ -669,10 +671,36 @@ class MetadataHandlerTestCase(test.TestCase):
             fake_get_metadata_by_instance_id=fake_get_metadata,
             headers={'X-Forwarded-For': '192.192.192.2',
                      'X-Instance-ID': 'a-b-c-d',
+                     'X-Tenant-ID': 'test',
                      'X-Instance-ID-Signature': ''})
 
         self.assertEqual(response.status_int, 403)
 
+        # missing X-Tenant-ID from request
+        response = fake_request(
+            self.stubs, self.mdinst,
+            relpath="/2009-04-04/user-data",
+            address="192.192.192.2",
+            fake_get_metadata_by_instance_id=fake_get_metadata,
+            headers={'X-Forwarded-For': '192.192.192.2',
+                     'X-Instance-ID': 'a-b-c-d',
+                     'X-Instance-ID-Signature': signed})
+
+        self.assertEqual(response.status_int, 400)
+
+        # mismatched X-Tenant-ID
+        response = fake_request(
+            self.stubs, self.mdinst,
+            relpath="/2009-04-04/user-data",
+            address="192.192.192.2",
+            fake_get_metadata_by_instance_id=fake_get_metadata,
+            headers={'X-Forwarded-For': '192.192.192.2',
+                     'X-Instance-ID': 'a-b-c-d',
+                     'X-Tenant-ID': 'FAKE',
+                     'X-Instance-ID-Signature': signed})
+
+        self.assertEqual(response.status_int, 404)
+
         # without X-Forwarded-For
         response = fake_request(
             self.stubs, self.mdinst,
@@ -680,6 +708,7 @@ class MetadataHandlerTestCase(test.TestCase):
             address="192.192.192.2",
             fake_get_metadata_by_instance_id=fake_get_metadata,
             headers={'X-Instance-ID': 'a-b-c-d',
+                     'X-Tenant-ID': 'test',
                      'X-Instance-ID-Signature': signed})
 
         self.assertEqual(response.status_int, 500)
@@ -697,6 +726,7 @@ class MetadataHandlerTestCase(test.TestCase):
             fake_get_metadata_by_instance_id=fake_get_metadata,
             headers={'X-Forwarded-For': '192.192.192.2',
                      'X-Instance-ID': 'z-z-z-z',
+                     'X-Tenant-ID': 'test',
                      'X-Instance-ID-Signature': signed})
         self.assertEqual(response.status_int, 500)