Enforce usage of project scoped token
To keep functionality intact (i.e. to stop people from creating resources or
performing actions in Designate that end up with a "None" tenant_id as the
owner in the DB), we need to enforce the use of a project-scoped token for now.
Closes-Bug: #1460187
Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f
(cherry picked from commit ae235cba3c
)
parent
d7e5484d20
commit
5cac3a602f
|
@ -126,6 +126,10 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
|||
# If the key is valid, Keystone does not include this header at all
|
||||
pass
|
||||
|
||||
tenant_id = headers.get('X-Tenant-ID')
|
||||
if tenant_id is None:
|
||||
return flask.Response(status=401)
|
||||
|
||||
if headers.get('X-Service-Catalog'):
|
||||
catalog = json.loads(headers.get('X-Service-Catalog'))
|
||||
else:
|
||||
|
@ -137,7 +141,7 @@ class KeystoneContextMiddleware(ContextMiddleware):
|
|||
request,
|
||||
auth_token=headers.get('X-Auth-Token'),
|
||||
user=headers.get('X-User-ID'),
|
||||
tenant=headers.get('X-Tenant-ID'),
|
||||
tenant=tenant_id,
|
||||
roles=roles,
|
||||
service_catalog=catalog)
|
||||
|
||||
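Review bot: The added guard `if tenant_id is None:` in the first hunk rejects only a missing header, so an `X-Tenant-ID` that arrives as an empty string would still reach the call in the second hunk as `tenant=tenant_id` and could again produce records with no usable owner; `if not tenant_id:` covers both cases. Whether the upstream auth middleware can ever emit an empty value is not visible here, so treat this as defence in depth. The bare `flask.Response(status=401)` gives a caller holding a valid but unscoped token no hint that a project-scoped token is required, and a comment above the check such as `# Unscoped tokens carry no project; refuse rather than store tenant_id=None` would record why the request is refused. The enclosing method starts and ends outside both hunks.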
|
|
|
@ -79,6 +79,23 @@ class KeystoneContextMiddlewareTest(ApiTestCase):
|
|||
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
def test_process_unscoped_token(self):
|
||||
app = middleware.KeystoneContextMiddleware({})
|
||||
|
||||
request = FakeRequest()
|
||||
|
||||
request.headers = {
|
||||
'X-Auth-Token': 'AuthToken',
|
||||
'X-User-ID': 'UserID',
|
||||
'X-Tenant-ID': None,
|
||||
'X-Roles': 'admin,Member',
|
||||
}
|
||||
|
||||
# Process the request
|
||||
response = app(request)
|
||||
|
||||
self.assertEqual(response.status_code, 401)
|
||||
|
||||
|
||||
class NoAuthContextMiddlewareTest(ApiTestCase):
|
||||
def test_process_request(self):
|
||||
|
|