Deny API requests where context doesn't match path

We shouldn't overwrite the context tenant_id (which comes from the scope of the auth_token) with that from the path, instead raise a HTTPForbidden exception if the path-provided tenant_id doesn't match the context. Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81 Closes-Bug: #1256983
2013-12-02 23:59:19 +00:00 · 2013-12-02 23:59:19 +00:00 · 22f4fdafc0
parent 3fc572eb9c
commit 22f4fdafc0
3 changed files with 43 additions and 12 deletions
--- a/heat/api/openstack/v1/util.py
+++ b/heat/api/openstack/v1/util.py
@ -21,12 +21,13 @@ from heat.common import identifier

 def tenant_local(handler):
    '''
-    Decorator for a handler method that sets the correct tenant_id in the
+    Decorator for a handler method that checks the path matches the
    request context.
    '''
    @wraps(handler)
    def handle_stack_method(controller, req, tenant_id, **kwargs):
-        req.context.tenant_id = tenant_id
+        if req.context.tenant_id != tenant_id:
+            raise exc.HTTPForbidden()
        return handler(controller, req, **kwargs)

    return handle_stack_method
--- a/heat/tests/test_api_openstack_v1.py
+++ b/heat/tests/test_api_openstack_v1.py
@ -884,14 +884,6 @@ class StackControllerTest(ControllerTest, HeatTestCase):

        req = self._get('/stacks/%(stack_name)s/%(stack_id)s' % identity)

-        error = heat_exc.InvalidTenant(target='a', actual='b')
-        self.m.StubOutWithMock(rpc, 'call')
-        rpc.call(req.context, self.topic,
-                 {'namespace': None,
-                  'method': 'show_stack',
-                  'args': {'stack_identity': dict(identity)},
-                  'version': self.api_version},
-                 None).AndRaise(to_remote_error(error))
        self.m.ReplayAll()

        resp = request_with_middleware(fault.FaultWrapper,
@ -900,8 +892,8 @@ class StackControllerTest(ControllerTest, HeatTestCase):
                                       stack_name=identity.stack_name,
                                       stack_id=identity.stack_id)

-        self.assertEqual(resp.json['code'], 403)
-        self.assertEqual(resp.json['error']['type'], 'InvalidTenant')
+        self.assertEqual(resp.status_int, 403)
+        self.assertIn('403 Forbidden', str(resp))
        self.m.VerifyAll()

    def test_get_template(self):
--- a/heat/tests/test_api_openstack_v1_util.py
+++ b/heat/tests/test_api_openstack_v1_util.py
@ -0,0 +1,38 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from webob import exc
+
+from heat.api.openstack.v1 import util
+from heat.common import context
+from heat.common.wsgi import Request
+from heat.tests.common import HeatTestCase
+
+
+class TestTenantLocal(HeatTestCase):
+    def setUp(self):
+        super(TestTenantLocal, self).setUp()
+        self.req = Request({})
+        self.req.context = context.RequestContext(tenant_id='foo')
+
+    def test_tenant_local(self):
+        @util.tenant_local
+        def an_action(controller, req):
+            return 'woot'
+
+        self.assertEqual('woot',
+                         an_action(None, self.req, tenant_id='foo'))
+
+        self.assertRaises(exc.HTTPForbidden,
+                          an_action, None, self.req, tenant_id='bar')