From ae235cba3c5bda5d1da6816135400107660a2794 Mon Sep 17 00:00:00 2001
From: Endre Karlson
Date: Tue, 2 Jun 2015 14:56:41 +0200
Subject: [PATCH] Enforce usage of project scoped token

In order for functionality to remain intact (ie disallow people to create / do actions in designate that ends up with a "None" tenant_id as the owner in the db) we need to enforce the use of a project scoped token for now.

Closes-Bug: #1460187
Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f
---
 designate/api/middleware.py | 6 +++++-
 designate/tests/test_api/test_middleware.py | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/designate/api/middleware.py b/designate/api/middleware.py
index 99dbd6568..cae599b7c 100644
--- a/designate/api/middleware.py
+++ b/designate/api/middleware.py
@@ -126,6 +126,10 @@ class KeystoneContextMiddleware(ContextMiddleware):
 # If the key is valid, Keystone does not include this header at all
 pass
+ tenant_id = headers.get('X-Tenant-ID')
+ if tenant_id is None:
+ return flask.Response(status=401)
+
 if headers.get('X-Service-Catalog'):
 catalog = json.loads(headers.get('X-Service-Catalog'))
 else:
@@ -137,7 +141,7 @@ class KeystoneContextMiddleware(ContextMiddleware):
 request,
 auth_token=headers.get('X-Auth-Token'),
 user=headers.get('X-User-ID'),
- tenant=headers.get('X-Tenant-ID'),
+ tenant=tenant_id,
 roles=roles,
 service_catalog=catalog)
diff --git a/designate/tests/test_api/test_middleware.py b/designate/tests/test_api/test_middleware.py
index d04429a02..81e09acde 100644
--- a/designate/tests/test_api/test_middleware.py
+++ b/designate/tests/test_api/test_middleware.py
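Review bot: The added guard `if tenant_id is None:` only rejects a request whose X-Tenant-ID header is absent; a header that is present but empty makes `headers.get` return `''`, which passes the check and still builds a context whose tenant is an empty string rather than a real project id, so `if not tenant_id:` is the safer condition. The rejection is also a bare `flask.Response(status=401)` with no body, which leaves a client unable to distinguish an unscoped token from an invalid one, and nothing in the code records why the tenant is mandatory; a comment such as `# Reject tokens that are not project scoped: without a tenant id, records would be created with no owner` would keep the rationale from the commit message next to the check. Whether the upstream Keystone auth middleware can ever forward an empty X-Tenant-ID value is not visible here and is worth confirming before relying on the `is None` form. The new test in test_middleware.py exercises only the None case, not the empty value. The enclosing method of KeystoneContextMiddleware starts and ends outside this hunk.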
@@ -79,6 +79,23 @@ class KeystoneContextMiddlewareTest(ApiTestCase):
 self.assertEqual(response.status_code, 401)
+ def test_process_unscoped_token(self):
+ app = middleware.KeystoneContextMiddleware({})
+
+ request = FakeRequest()
+
+ request.headers = {
+ 'X-Auth-Token': 'AuthToken',
+ 'X-User-ID': 'UserID',
+ 'X-Tenant-ID': None,
+ 'X-Roles': 'admin,Member',
+ }
+
+ # Process the request
+ response = app(request)
+
+ self.assertEqual(response.status_code, 401)
+
 class NoAuthContextMiddlewareTest(ApiTestCase):
 def test_process_request(self):
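Review bot: The new test_process_unscoped_token models an unscoped token by putting `'X-Tenant-ID': None` into the FakeRequest headers dict, but a real header mapping cannot hold None: an unscoped token arrives with the header missing altogether, and `headers.get` returns None only because the key is absent, not because it is set to None. Omitting the key from the dict (for example `request.headers = {'X-Auth-Token': 'AuthToken', 'X-User-ID': 'UserID', 'X-Roles': 'admin,Member'}`) would exercise the path the middleware actually sees, and a one-line comment stating that the missing header stands for a token without project scope would make the intent of the fixture clear. Whether FakeRequest normalises header values like a WSGI request is not visible in this hunk, so the current form may pass for reasons unrelated to the guard under test.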