From f9c285fd617403ab89c857e3d8bab0d06d19d3ba Mon Sep 17 00:00:00 2001 From: Isaku Yamahata Date: Mon, 4 Aug 2014 23:44:18 +0900 Subject: [PATCH] add auth token to context As discussed at http://lists.openstack.org/pipermail/openstack-dev/2014-July/040644.html SerivceVM project (and other routervm plugins) need auth token in context. The first user will be l3 routervm plugin. Closes-Bug: #1343854 Closes-Bug: #1352698 Change-Id: Id5a4c98059894eef33faf19d5ab063780b362f4a --- neutron/auth.py | 6 +++++- neutron/common/rpc.py | 7 ++++++- neutron/context.py | 6 ++++-- neutron/tests/unit/test_auth.py | 14 ++++++++++++++ neutron/tests/unit/test_neutron_context.py | 15 +++++++++++++++ 5 files changed, 44 insertions(+), 4 deletions(-) diff --git a/neutron/auth.py b/neutron/auth.py index 2e131b974..a91ab6d31 100644 --- a/neutron/auth.py +++ b/neutron/auth.py @@ -48,10 +48,14 @@ class NeutronKeystoneContext(wsgi.Middleware): # Use request_id if already set req_id = req.environ.get(request_id.ENV_REQUEST_ID) + # Get the auth token + auth_token = req.headers.get('X_AUTH_TOKEN', + req.headers.get('X_STORAGE_TOKEN')) + # Create a context with the authentication data ctx = context.Context(user_id, tenant_id, roles=roles, user_name=user_name, tenant_name=tenant_name, - request_id=req_id) + request_id=req_id, auth_token=auth_token) # Inject the context... req.environ['neutron.context'] = ctx diff --git a/neutron/common/rpc.py b/neutron/common/rpc.py index d3e7ec77c..255551bc2 100644 --- a/neutron/common/rpc.py +++ b/neutron/common/rpc.py 
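Review bot: The fallback to `X_STORAGE_TOKEN` in the new `auth_token` lookup in neutron/auth.py is not explained, and the header value is stored on the context exactly as received. Nothing in this hunk validates the token, so the code presumably relies on the keystone auth_token middleware earlier in the pipeline having already accepted it. That dependency deserves a comment, because downstream plugins will reuse `ctx.auth_token` as a bearer credential. I would replace `# Get the auth token` with something like `# Token is expected to have been validated by the auth_token middleware ahead of us; X_STORAGE_TOKEN is the alternate header name (confirm)`. The enclosing method begins outside the hunk.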
@@ -106,7 +106,12 @@ def get_notifier(service=None, host=None, publisher_id=None): class RPCDispatcher(rpc_dispatcher.RPCDispatcher): def __call__(self, incoming): - LOG.debug('Incoming RPC: ctxt:%s message:%s', incoming.ctxt, + # NOTE(yamahata): '***' is chosen for consistency with + # openstack.common.strutils.mask_password + sanitize_key_list = ('auth_token', ) + sanitized_ctxt = dict((k, '***' if k in sanitize_key_list else v) + for (k, v) in incoming.ctxt.items()) + LOG.debug('Incoming RPC: ctxt:%s message:%s', sanitized_ctxt, incoming.message) return super(RPCDispatcher, self).__call__(incoming) diff --git a/neutron/context.py b/neutron/context.py index fd4da9235..f248e7025 100644 --- a/neutron/context.py +++ b/neutron/context.py @@ -39,7 +39,7 @@ class ContextBase(common_context.RequestContext): def __init__(self, user_id, tenant_id, is_admin=None, read_deleted="no", roles=None, timestamp=None, load_admin_roles=True, request_id=None, tenant_name=None, user_name=None, - overwrite=True, **kwargs): + overwrite=True, auth_token=None, **kwargs): """Object initialization. :param read_deleted: 'no' indicates deleted records are hidden, 'yes' @@ -52,7 +52,8 @@ class ContextBase(common_context.RequestContext): :param kwargs: Extra arguments that might be present, but we ignore because they possibly came in from older rpc messages. """ - super(ContextBase, self).__init__(user=user_id, tenant=tenant_id, + super(ContextBase, self).__init__(auth_token=auth_token, + user=user_id, tenant=tenant_id, is_admin=is_admin, request_id=request_id) self.user_name = user_name @@ -130,6 +131,7 @@ class ContextBase(common_context.RequestContext): 'tenant_name': self.tenant_name, 'project_name': self.tenant_name, 'user_name': self.user_name, + 'auth_token': self.auth_token, } @classmethod diff --git a/neutron/tests/unit/test_auth.py b/neutron/tests/unit/test_auth.py index 2e7dc5fa6..77f9d580c 100644 --- a/neutron/tests/unit/test_auth.py +++ b/neutron/tests/unit/test_auth.py 
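Review bot: The masking added to `RPCDispatcher.__call__` in neutron/common/rpc.py protects only this one debug line and only a top-level `auth_token` key. `incoming.message` is still logged verbatim, and any other site that logs the context dict would print the token in clear. The diffstat lists no test for this path, so a regression that drops the mask would go unnoticed; a unit test asserting that the logged ctxt holds `'***'` for `auth_token` would pin it. As a smaller point, `sanitize_key_list` and the copied dict are rebuilt on every incoming RPC, even when debug logging is disabled; hoisting the tuple to a module constant such as `_SANITIZE_CTXT_KEYS = ('auth_token',)` avoids part of that.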
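Review bot: Adding `'auth_token': self.auth_token` to `to_dict()` in neutron/context.py puts a live bearer token into every serialized context, which is wider exposure than the single consumer named in the commit message needs. The rpc.py change in this same commit masks that key in `incoming.ctxt`, which suggests this dict is what travels over the message bus; if so, every RPC peer, and anything that logs or stores the dict, now receives the token. The new `auth_token` parameter is also missing from the `__init__` docstring shown in the second hunk. I would add `:param auth_token: Keystone token of the caller; sensitive, never log it.` and a matching comment on the `to_dict()` entry. Both `__init__` and `to_dict()` extend beyond the hunks shown.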
@@ -95,3 +95,17 @@ class NeutronKeystoneContextTestCase(base.BaseTestCase): self.request.environ[request_id.ENV_REQUEST_ID] = req_id self.request.get_response(self.middleware) self.assertEqual(req_id, self.context.request_id) + + def test_with_auth_token(self): + self.request.headers['X_PROJECT_ID'] = 'testtenantid' + self.request.headers['X_USER_ID'] = 'testuserid' + response = self.request.get_response(self.middleware) + self.assertEqual(response.status, '200 OK') + self.assertEqual(self.context.auth_token, 'testauthtoken') + + def test_without_auth_token(self): + self.request.headers['X_PROJECT_ID'] = 'testtenantid' + self.request.headers['X_USER_ID'] = 'testuserid' + del self.request.headers['X_AUTH_TOKEN'] + self.request.get_response(self.middleware) + self.assertIsNone(self.context.auth_token) diff --git a/neutron/tests/unit/test_neutron_context.py b/neutron/tests/unit/test_neutron_context.py index ebf30b72c..c04f5d7ee 100644 --- a/neutron/tests/unit/test_neutron_context.py +++ b/neutron/tests/unit/test_neutron_context.py @@ -39,6 +39,7 @@ class TestNeutronContext(base.BaseTestCase): self.assertEqual('tenant_id', ctx.tenant) self.assertIsNone(ctx.user_name) self.assertIsNone(ctx.tenant_name) + self.assertIsNone(ctx.auth_token) def test_neutron_context_create_logs_unknown_kwarg(self): with mock.patch.object(context.LOG, 'debug') as mock_log: @@ -59,6 +60,11 @@ class TestNeutronContext(base.BaseTestCase): ctx = context.Context('user_id', 'tenant_id', request_id='req_id_xxx') self.assertEqual('req_id_xxx', ctx.request_id) + def test_neutron_context_create_with_auth_token(self): + ctx = context.Context('user_id', 'tenant_id', + auth_token='auth_token_xxx') + self.assertEqual('auth_token_xxx', ctx.auth_token) + def test_neutron_context_to_dict(self): ctx = context.Context('user_id', 'tenant_id') ctx_dict = ctx.to_dict() 
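Review bot: The `X_STORAGE_TOKEN` fallback added in neutron/auth.py has no test in neutron/tests/unit/test_auth.py; the two new tests cover only `X_AUTH_TOKEN` being present or removed. `test_with_auth_token` also depends on a header value (`'testauthtoken'`) that is set outside this hunk, presumably in `setUp`, so the test reads as if nothing supplies the token. A third case along the lines below would pin the fallback; it assumes, as `test_without_auth_token` does, that the fixture pre-sets `X_AUTH_TOKEN`.

```python
    def test_with_storage_token_fallback(self):
        self.request.headers['X_PROJECT_ID'] = 'testtenantid'
        self.request.headers['X_USER_ID'] = 'testuserid'
        # Remove the primary header so the lookup falls through to the
        # alternate one.
        del self.request.headers['X_AUTH_TOKEN']
        # 'teststoragetoken' is a constructed sample value.
        self.request.headers['X_STORAGE_TOKEN'] = 'teststoragetoken'
        self.request.get_response(self.middleware)
        self.assertEqual('teststoragetoken', self.context.auth_token)
```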
@@ -70,6 +76,7 @@ class TestNeutronContext(base.BaseTestCase): self.assertIsNone(ctx_dict['user_name']) self.assertIsNone(ctx_dict['tenant_name']) self.assertIsNone(ctx_dict['project_name']) + self.assertIsNone(ctx_dict['auth_token']) def test_neutron_context_to_dict_with_name(self): ctx = context.Context('user_id', 'tenant_id', @@ -79,12 +86,19 @@ class TestNeutronContext(base.BaseTestCase): self.assertEqual('tenant_name', ctx_dict['tenant_name']) self.assertEqual('tenant_name', ctx_dict['project_name']) + def test_neutron_context_to_dict_with_auth_token(self): + ctx = context.Context('user_id', 'tenant_id', + auth_token='auth_token_xxx') + ctx_dict = ctx.to_dict() + self.assertEqual('auth_token_xxx', ctx_dict['auth_token']) + def test_neutron_context_admin_to_dict(self): self.db_api_session.return_value = 'fakesession' ctx = context.get_admin_context() ctx_dict = ctx.to_dict() self.assertIsNone(ctx_dict['user_id']) self.assertIsNone(ctx_dict['tenant_id']) + self.assertIsNone(ctx_dict['auth_token']) self.assertIsNotNone(ctx.session) self.assertNotIn('session', ctx_dict) @@ -93,6 +107,7 @@ class TestNeutronContext(base.BaseTestCase): ctx_dict = ctx.to_dict() self.assertIsNone(ctx_dict['user_id']) self.assertIsNone(ctx_dict['tenant_id']) + self.assertIsNone(ctx_dict['auth_token']) self.assertFalse(hasattr(ctx, 'session')) def test_neutron_context_with_load_roles_true(self): -- 2.45.2