Pass serviceCatalog in auth_token middleware

* This will allow for chained requests (novaclient -> nova -> cinder) * Fixes bug 1010237 Change-Id: Iab126cb1f2fb01ca7da24fa9fe97ec81ee96e455
openstack · Jun 19, 2012 · cc91786 · cc91786
1 parent 720b764
commit cc91786
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 3 deletions.
diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py
@@ -76,6 +76,9 @@
 HTTP_X_ROLES
     Comma delimited list of case-sensitive Roles
 
+HTTP_X_SERVICE_CATALOG
+    json encoded keystone service catalog (optional).
+
 HTTP_X_TENANT
     *Deprecated* in favor of HTTP_X_TENANT_ID and HTTP_X_TENANT_NAME
     Keystone-assigned unique identifier, deprecated
@@ -394,6 +397,7 @@ def _build_user_headers(self, token_info):
          * X_USER_ID: id of user
          * X_USER_NAME: name of user
          * X_ROLES: list of roles
+         * X_SERVICE_CATALOG: service catalog
 
         Additional (deprecated) headers include:
          * X_USER: name of user
@@ -435,7 +439,7 @@ def default_tenant():
         user_id = user['id']
         user_name = user['name']
 
-        return {
+        rval = {
             'X-Identity-Status': 'Confirmed',
             'X-Tenant-Id': tenant_id,
             'X-Tenant-Name': tenant_name,
@@ -448,6 +452,14 @@ def default_tenant():
             'X-Role': roles,
         }
 
+        try:
+            catalog = token_info['access']['serviceCatalog']
+            rval['X-Service-Catalog'] = json.dumps(catalog)
+        except KeyError:
+            pass
+
+        return rval
+
     def _header_to_env_var(self, key):
         """Convert header to wsgi env variable.
 

diff --git a/keystone/service.py b/keystone/service.py
@@ -414,10 +414,10 @@ def validate_token(self, context, token_id):
         for role_id in metadata_ref.get('roles', []):
             roles_ref.append(self.identity_api.get_role(context, role_id))
 
-        # Get a service catalog if belongs_to is not none
+        # Get a service catalog if possible
         # This is needed for on-behalf-of requests
         catalog_ref = None
-        if belongs_to is not None:
+        if token_ref.get('tenant'):
             catalog_ref = self.catalog_api.get_catalog(
                 context=context,
                 user_id=token_ref['user']['id'],

diff --git a/tests/test_auth_token_middleware.py b/tests/test_auth_token_middleware.py
@@ -43,6 +43,7 @@
                     {'name': 'role2'},
                 ],
             },
+            'serviceCatalog': {}
         },
     },
     'default-tenant-token': {
@@ -244,6 +245,7 @@ def test_valid_request(self):
         req.headers['X-Auth-Token'] = 'valid-token'
         body = self.middleware(req.environ, self.start_fake_response)
         self.assertEqual(self.response_status, 200)
+        self.assertTrue(req.headers.get('X-Service-Catalog'))
         self.assertEqual(body, ['SUCCESS'])
 
     def test_default_tenant_token(self):

diff --git a/tests/test_content_types.py b/tests/test_content_types.py
@@ -375,6 +375,13 @@ def test_validate_token_belongs_to(self):
         self.assertValidAuthenticationResponse(r,
                                                require_service_catalog=True)
 
+    def test_validate_token_no_belongs_to_still_returns_catalog(self):
+        token = self.get_scoped_token()
+        path = ('/v2.0/tokens/%s' % token)
+        r = self.admin_request(path=path, token=token)
+        self.assertValidAuthenticationResponse(r,
+                                               require_service_catalog=True)
+
     def test_validate_token_head(self):
         """The same call as above, except using HEAD.