From 6f805f28b623ce11448281bc3cae66cbd9af02be Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Fri, 12 Aug 2011 12:12:36 +0100
Subject: [PATCH] First, trivial, implementation of authN+authZ

---
 etc/quantum.conf | 11 +++---
 .../{auth_token.py => authentication.py} | 2 +-
 quantum/common/authorization.py | 35 +++++++++++++------
 3 files changed, 32 insertions(+), 16 deletions(-)
 rename quantum/common/{auth_token.py => authentication.py} (99%)

diff --git a/etc/quantum.conf b/etc/quantum.conf
index 193ce8b39..1fd76257e 100644
--- a/etc/quantum.conf
+++ b/etc/quantum.conf
@@ -16,8 +16,11 @@ use = egg:Paste#urlmap
 /: quantumversions
 /v0.1: quantumapi
-[filter:tokenauth]
-paste.filter_factory = quantum.common.auth_token:filter_factory
+[pipeline:quantumapi]
+pipeline = authN authZ quantumapiapp
+
+[filter:authN]
+paste.filter_factory = quantum.common.authentication:filter_factory
 auth_host = 127.0.0.1
 auth_port = 5001
 auth_protocol = http
@@ -26,8 +29,8 @@ auth_protocol = http
 admin_user = admin
 admin_password = secrete
-[pipeline:quantumapi]
-pipeline = tokenauth quantumapiapp
+[filter:authZ]
+paste.filter_factory = quantum.common.authorization:filter_factory
 [app:quantumversions]
 paste.app_factory = quantum.api.versions:Versions.factory
diff --git a/quantum/common/auth_token.py b/quantum/common/authentication.py
similarity index 99%
rename from quantum/common/auth_token.py
rename to quantum/common/authentication.py
index c52dcec21..cb86fd787 100755
--- a/quantum/common/auth_token.py
+++ b/quantum/common/authentication.py
@@ -66,7 +66,7 @@ from webob.exc import Request, Response
 from quantum.common.bufferedhttp import http_connect_raw as http_connect
 PROTOCOL_NAME = "Token Authentication"
-LOG = logging.getLogger('quantum.common.auth_token')
+LOG = logging.getLogger('quantum.common.authentication')
 class AuthProtocol(object):
     """Auth Middleware that handles authenticating client calls"""
diff --git a/quantum/common/authorization.py b/quantum/common/authorization.py
index 30a90c428..f212d5bd0 100644
--- a/quantum/common/authorization.py
+++ b/quantum/common/authorization.py
@@ -28,48 +28,61 @@ import logging
 from webob.exc import HTTPUnauthorized, HTTPForbidden
-from webob.exc import Request, Response
 LOG = logging.getLogger('quantum.common.authorization')
 class QuantumAuthorization(object):
     """ Authorizes an operation before it reaches the API WSGI app"""
+    def __init__(self, app, conf):
+        """ Common initialization code """
+        LOG.info("Starting the Authorization component")
+        self.conf = conf
+        self.app = app
+
+
     def __call__(self, req, start_response):
         """ Handle incoming request. Authorize. And send downstream. """
         LOG.debug("entering QuantumAuthorization.__call__")
         self.start_response = start_response
+        LOG.debug("Self is:%s" %self)
+        LOG.debug("Req is:%s:" %req)
         self.req = req
         # Retrieves TENANT ID from headers as the request
         # should already have been authenticated with Keystone
         self.headers = req.copy()
-        if not "X_TENANT" in self.headers:
+        LOG.debug("Looking for X_TENANT header")
+        LOG.debug("Headers:%s" %self.headers)
+        if not "HTTP_X_TENANT" in self.headers:
             # This is bad, very bad
-            self._reject()
-
-        auth_tenant_id = self.headers['X_TENANT']
-        path = self.req.path
+            return self._reject()
+        LOG.debug("X_TENANT header found:%s", self.headers['HTTP_X_TENANT'])
+        LOG.debug("Looking for tenant_id in request URI")
+        auth_tenant_id = self.headers['HTTP_X_TENANT']
+        path = self.req['PATH_INFO']
         parts=path.split('/')
+        LOG.debug("Request parts:%s", parts)
         #TODO (salvatore-orlando): need bound checking here
         idx = parts.index('tenants') + 1
         req_tenant_id = parts[idx]
-
+        LOG.debug("Tenant ID from request:%s", req_tenant_id)
         if auth_tenant_id != req_tenant_id:
             # This is bad, very bad
-            self._forbid()
+            return self._forbid()
-        # Okay, authorize it!
+        # Okay, authorize it - pass downstream
+        return self.app(self.req, self.start_response)
     def _reject(self):
         """Apparently the request has not been authenticated """
-        return HTTPUnauthorized()(self.env,
+        return HTTPUnauthorized()(self.req,
                                  self.start_response)
     def _forbid(self):
         """Cannot authorize. Operating on non-owned resources"""
-        return HTTPForbidden()(self.env,
+        return HTTPForbidden()(self.req,
                               self.start_response)
-- 
2.45.2
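Review bot: `LOG.debug("Headers:%s" %self.headers)` and `LOG.debug("Req is:%s:" %req)` write the entire WSGI environ to the log (it is the environ: it is passed straight to `HTTPUnauthorized()(self.req, ...)`), and after the authN filter that environ presumably still carries the caller's auth token header, so a debug-level log captures credentials; log only the one key you need, e.g. `LOG.debug("X_TENANT header present: %s", "HTTP_X_TENANT" in req)`. The per-request `req`, `start_response` and `headers` are also stored on `self`, and since `__init__(self, app, conf)` indicates one filter instance wraps the app, two overlapping requests can replace each other's `self.req` before `return self.app(self.req, self.start_response)` or `_reject`/`_forbid` read it — keeping them as locals and passing them to the helpers, as in the excerpt below, removes the shared state. `parts.index('tenants')` still raises ValueError and `parts[idx]` IndexError when the path carries no tenant segment, so a malformed URI yields a 500 instead of a 403, leaving the TODO on the context line open. The check trusts `HTTP_X_TENANT` from the environ, which is only safe if the authN filter in front of it overwrites any client-supplied X-Tenant header rather than merely adding its own — worth confirming in authentication.py. The two new `%`-formatted debug calls are also inconsistent with the lazy-argument form `LOG.debug("...%s", x)` used by the other new lines.
```python
    # … unchanged: __init__ …

    def __call__(self, req, start_response):
        """ Handle incoming request. Authorize. And send downstream. """
        LOG.debug("entering QuantumAuthorization.__call__")
        # req is the WSGI environ; keep per-request data in locals because
        # this filter instance is shared by every request.
        if "HTTP_X_TENANT" not in req:
            # This is bad, very bad
            return self._reject(req, start_response)
        auth_tenant_id = req['HTTP_X_TENANT']
        parts = req['PATH_INFO'].split('/')
        try:
            req_tenant_id = parts[parts.index('tenants') + 1]
        except (ValueError, IndexError):
            # No tenant segment in the URI: nothing to authorize against
            return self._forbid(req, start_response)
        LOG.debug("Tenant ID from request:%s", req_tenant_id)
        if auth_tenant_id != req_tenant_id:
            # This is bad, very bad
            return self._forbid(req, start_response)
        # Okay, authorize it - pass downstream
        return self.app(req, start_response)

    def _reject(self, req, start_response):
        """Apparently the request has not been authenticated """
        return HTTPUnauthorized()(req, start_response)

    def _forbid(self, req, start_response):
        """Cannot authorize. Operating on non-owned resources"""
        return HTTPForbidden()(req, start_response)
```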