diff --git a/nova/api/openstack/auth.py b/nova/api/openstack/auth.py index b49bf449b73d..7c3e683d671a 100644 --- a/nova/api/openstack/auth.py +++ b/nova/api/openstack/auth.py @@ -49,19 +49,22 @@ class AuthMiddleware(wsgi.Middleware): if not self.has_authentication(req): return self.authenticate(req) user = self.get_user_by_authentication(req) - accounts = self.auth.get_projects(user=user) if not user: token = req.headers["X-Auth-Token"] msg = _("%(user)s could not be found with token '%(token)s'") LOG.warn(msg % locals()) return faults.Fault(webob.exc.HTTPUnauthorized()) - if accounts: - #we are punting on this til auth is settled, - #and possibly til api v1.1 (mdragon) - account = accounts[0] - else: - return faults.Fault(webob.exc.HTTPUnauthorized()) + try: + account = req.headers["X-Auth-Project-Id"] + except KeyError: + # FIXME(usrleon): It needed only for compatibility + # while osapi clients don't use this header + accounts = self.auth.get_projects(user=user) + if accounts: + account = accounts[0] + else: + return faults.Fault(webob.exc.HTTPUnauthorized()) if not self.auth.is_admin(user) and \ not self.auth.is_project_member(user, account): diff --git a/nova/auth/novarc.template b/nova/auth/novarc.template index eba3a853716d..d05c099d7ca8 100644 --- a/nova/auth/novarc.template +++ b/nova/auth/novarc.template @@ -14,4 +14,5 @@ alias ec2-bundle-image="ec2-bundle-image --cert ${EC2_CERT} --privatekey ${EC2_P alias ec2-upload-bundle="ec2-upload-bundle -a ${EC2_ACCESS_KEY} -s ${EC2_SECRET_KEY} --url ${S3_URL} --ec2cert ${NOVA_CERT}" export NOVA_API_KEY="%(access)s" export NOVA_USERNAME="%(user)s" +export NOVA_PROJECT_ID="%(project)s" export NOVA_URL="%(os)s" diff --git a/nova/tests/api/openstack/fakes.py b/nova/tests/api/openstack/fakes.py index 7d632aaeba81..a10fb7433eda 100644 --- a/nova/tests/api/openstack/fakes.py +++ b/nova/tests/api/openstack/fakes.py @@ -353,6 +353,11 @@ class FakeAuthManager(object): return user.admin def is_project_member(self, user, project): + if not isinstance(project, Project): + try: + project = self.get_project(project) + except exc.NotFound: + raise webob.exc.HTTPUnauthorized() return ((user.id in project.member_ids) or (user.id == project.project_manager_id)) diff --git a/nova/tests/api/openstack/test_auth.py b/nova/tests/api/openstack/test_auth.py index 8f189c744152..af3478c7d61e 100644 --- a/nova/tests/api/openstack/test_auth.py +++ b/nova/tests/api/openstack/test_auth.py @@ -114,6 +114,28 @@ class Test(test.TestCase): self.assertEqual(result.status, '401 Unauthorized') self.assertEqual(self.destroy_called, True) + def test_authorize_project(self): + f = fakes.FakeAuthManager() + user = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None) + f.add_user(user) + f.create_project('user1_project', user) + f.create_project('user2_project', user) + + req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'}) + req.headers['X-Auth-User'] = 'user1' + req.headers['X-Auth-Key'] = 'user1_key' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '204 No Content') + + token = result.headers['X-Auth-Token'] + self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter) + req = webob.Request.blank('/v1.0/fake') + req.headers['X-Auth-Token'] = token + req.headers['X-Auth-Project-Id'] = 'user2_project' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '200 OK') + self.assertEqual(result.headers['X-Test-Success'], 'True') + def test_bad_user_bad_key(self): req = webob.Request.blank('/v1.0/') req.headers['X-Auth-User'] = 'unknown_user' @@ -143,6 +165,49 @@ class Test(test.TestCase): result = req.get_response(fakes.wsgi_app()) self.assertEqual(result.status, '401 Unauthorized') + def test_bad_project(self): + f = fakes.FakeAuthManager() + user1 = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None) + user2 = nova.auth.manager.User('id2', 'user2', 'user2_key', None, None) + f.add_user(user1) + f.add_user(user2) + f.create_project('user1_project', user1) + f.create_project('user2_project', user2) + + req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'}) + req.headers['X-Auth-User'] = 'user1' + req.headers['X-Auth-Key'] = 'user1_key' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '204 No Content') + + token = result.headers['X-Auth-Token'] + self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter) + req = webob.Request.blank('/v1.0/fake') + req.headers['X-Auth-Token'] = token + req.headers['X-Auth-Project-Id'] = 'user2_project' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '401 Unauthorized') + + def test_not_existing_project(self): + f = fakes.FakeAuthManager() + user1 = nova.auth.manager.User('id1', 'user1', 'user1_key', None, None) + f.add_user(user1) + f.create_project('user1_project', user1) + + req = webob.Request.blank('/v1.0/', {'HTTP_HOST': 'foo'}) + req.headers['X-Auth-User'] = 'user1' + req.headers['X-Auth-Key'] = 'user1_key' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '204 No Content') + + token = result.headers['X-Auth-Token'] + self.stubs.Set(nova.api.openstack, 'APIRouterV10', fakes.FakeRouter) + req = webob.Request.blank('/v1.0/fake') + req.headers['X-Auth-Token'] = token + req.headers['X-Auth-Project-Id'] = 'unknown_project' + result = req.get_response(fakes.wsgi_app()) + self.assertEqual(result.status, '401 Unauthorized') + class TestFunctional(test.TestCase): def test_token_expiry(self):