Support for header "X-Auth-Project-Id" in osapi.

nova/api/openstack/auth.py

@@ -49,19 +49,22 @@ class AuthMiddleware(wsgi.Middleware):
         if not self.has_authentication(req):
             return self.authenticate(req)
         user = self.get_user_by_authentication(req)
-        accounts = self.auth.get_projects(user=user)
         if not user:
             token = req.headers["X-Auth-Token"]
             msg = _("%(user)s could not be found with token '%(token)s'")
             LOG.warn(msg % locals())
             return faults.Fault(webob.exc.HTTPUnauthorized())
 
-        if accounts:
-            #we are punting on this til auth is settled,
-            #and possibly til api v1.1 (mdragon)
-            account = accounts[0]
-        else:
-            return faults.Fault(webob.exc.HTTPUnauthorized())
+        try:
+            account = req.headers["X-Auth-Project-Id"]
+        except KeyError:
+            # FIXME(usrleon): It needed only for compatibility
+            # while osapi clients don't use this header
+            accounts = self.auth.get_projects(user=user)
+            if accounts:
+                account = accounts[0]
+            else:
+                return faults.Fault(webob.exc.HTTPUnauthorized())
 
         if not self.auth.is_admin(user) and \
            not self.auth.is_project_member(user, account):

nova/auth/novarc.template

@@ -14,4 +14,5 @@ alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_P
 alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}"
 export NOVA_API_KEY="%(access)s"
 export NOVA_USERNAME="%(user)s"
+export NOVA_PROJECT_ID="%(project)s"
 export NOVA_URL="%(os)s"

nova/tests/api/openstack/fakes.py

@@ -353,6 +353,11 @@ class FakeAuthManager(object):
         return user.admin
 
     def is_project_member(self, user, project):
+        if not isinstance(project, Project):
+            try:
+                project = self.get_project(project)
+            except exc.NotFound:
+                raise webob.exc.HTTPUnauthorized()
         return ((user.id in project.member_ids) or
                 (user.id == project.project_manager_id))
 

nova/tests/api/openstack/test_auth.py

@@ -114,6 +114,28 @@ class Test(test.TestCase):
         self.assertEqual(result.status, '401 Unauthorized')
         self.assertEqual(self.destroy_called, True)
 
+    def test_authorize_project(self):
+        f = fakes.FakeAuthManager()
+        user = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None)
+        f.add_user(user)
+        f.create_project('user1_project', user)
+        f.create_project('user2_project', user)
+
+        req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'})
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '204 No Content')
+
+        token = result.headers['X-Auth-Token']
+        self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter)
+        req = webob.Request.blank('/v1.0/fake')
+        req.headers['X-Auth-Token'] = token
+        req.headers['X-Auth-Project-Id'] = 'user2_project'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '200 OK')
+        self.assertEqual(result.headers['X-Test-Success'], 'True')
+
     def test_bad_user_bad_key(self):
         req = webob.Request.blank('/v1.0/')
         req.headers['X-Auth-User'] = 'unknown_user'
@@ -143,6 +165,49 @@ class Test(test.TestCase):
         result = req.get_response(fakes.wsgi_app())
         self.assertEqual(result.status, '401 Unauthorized')
 
+    def test_bad_project(self):
+        f = fakes.FakeAuthManager()
+        user1 = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None)
+        user2 = nova.auth.manager.User('id2', 'user2', 'user2_key', None, None)
+        f.add_user(user1)
+        f.add_user(user2)
+        f.create_project('user1_project', user1)
+        f.create_project('user2_project', user2)
+
+        req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'})
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '204 No Content')
+
+        token = result.headers['X-Auth-Token']
+        self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter)
+        req = webob.Request.blank('/v1.0/fake')
+        req.headers['X-Auth-Token'] = token
+        req.headers['X-Auth-Project-Id'] = 'user2_project'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '401 Unauthorized')
+
+    def test_not_existing_project(self):
+        f = fakes.FakeAuthManager()
+        user1 = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None)
+        f.add_user(user1)
+        f.create_project('user1_project', user1)
+
+        req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'})
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '204 No Content')
+
+        token = result.headers['X-Auth-Token']
+        self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter)
+        req = webob.Request.blank('/v1.0/fake')
+        req.headers['X-Auth-Token'] = token
+        req.headers['X-Auth-Project-Id'] = 'unknown_project'
+        result = req.get_response(fakes.wsgi_app())
+        self.assertEqual(result.status, '401 Unauthorized')
+
 
 class TestFunctional(test.TestCase):
     def test_token_expiry(self):