X_USER is deprecated in favor of X_USER_ID

Addressed bug 926372 Eventually, we should stop supporting X_USER because it is *supposed* to be the user's login name rather than their id. But this change preserves the old behavior for stability. For more info checkout keystone/middleware/auth_token.py in the keystone project. Change-Id: Ie837e73f9a592a903af71a426e202f8b6a9ac581
2012-02-03 17:31:35 -05:00
parent cd0df1e8b0
commit f0a1148589
2 changed files with 64 additions and 4 deletions
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -56,10 +56,10 @@ class NovaKeystoneContext(wsgi.Middleware):

    @webob.dec.wsgify(RequestClass=wsgi.Request)
    def __call__(self, req):
-        try:
-            user_id = req.headers['X_USER']
-        except KeyError:
-            logging.debug("X_USER not found in request")
+        user_id = req.headers.get('X_USER')
+        user_id = req.headers.get('X_USER_ID', user_id)
+        if user_id is None:
+            logging.debug("Neither X_USER_ID nor X_USER found in request")
            return webob.exc.HTTPUnauthorized()
        # get the roles
        roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
--- a/nova/tests/api/test_auth.py
+++ b/nova/tests/api/test_auth.py
@@ -0,0 +1,60 @@
+# Copyright (c) 2012 OpenStack, LLC
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import webob
+
+import nova.api.auth
+from nova import test
+
+
+class TestNovaKeystoneContextMiddleware(test.TestCase):
+
+    def setUp(self):
+
+        @webob.dec.wsgify()
+        def fake_app(req):
+            self.context = req.environ['nova.context']
+            return webob.Response()
+
+        self.context = None
+        self.middleware = nova.api.auth.NovaKeystoneContext(fake_app)
+        self.request = webob.Request.blank('/')
+        self.request.headers['X_TENANT_ID'] = 'testtenantid'
+        self.request.headers['X_AUTH_TOKEN'] = 'testauthtoken'
+
+    def tearDown(self):
+        pass
+
+    def test_no_user_or_user_id(self):
+        response = self.request.get_response(self.middleware)
+        self.assertEqual(response.status, '401 Unauthorized')
+
+    def test_user_only(self):
+        self.request.headers['X_USER_ID'] = 'testuserid'
+        response = self.request.get_response(self.middleware)
+        self.assertEqual(response.status, '200 OK')
+        self.assertEqual(self.context.user_id, 'testuserid')
+
+    def test_user_id_only(self):
+        self.request.headers['X_USER'] = 'testuser'
+        response = self.request.get_response(self.middleware)
+        self.assertEqual(response.status, '200 OK')
+        self.assertEqual(self.context.user_id, 'testuser')
+
+    def test_user_id_trumps_user(self):
+        self.request.headers['X_USER_ID'] = 'testuserid'
+        self.request.headers['X_USER'] = 'testuser'
+        response = self.request.get_response(self.middleware)
+        self.assertEqual(response.status, '200 OK')
+        self.assertEqual(self.context.user_id, 'testuserid')