Enforce usage of project scoped token

In order for functionality to remain intact (ie disallow people to create / do
actions in designate that ends up with a "None" tenant_id as the owner in the
db) we need to enforce the use of a project scoped token for now.

Closes-Bug: #1460187

Change-Id: I8a64fe4938b3b9b0ade9fe210e4da0d19ad1c23f

designate/api/middleware.py

@@ -126,6 +126,10 @@ def process_request(self, request):
             # If the key is valid, Keystone does not include this header at all
             pass
 
+        tenant_id = headers.get('X-Tenant-ID')
+        if tenant_id is None:
+            return flask.Response(status=401)
+
         if headers.get('X-Service-Catalog'):
             catalog = json.loads(headers.get('X-Service-Catalog'))
         else:
@@ -137,7 +141,7 @@ def process_request(self, request):
             request,
             auth_token=headers.get('X-Auth-Token'),
             user=headers.get('X-User-ID'),
-            tenant=headers.get('X-Tenant-ID'),
+            tenant=tenant_id,
             roles=roles,
             service_catalog=catalog)
 

designate/tests/test_api/test_middleware.py

@@ -79,6 +79,23 @@ def test_process_request_invalid_keystone_token(self):
 
         self.assertEqual(response.status_code, 401)
 
+    def test_process_unscoped_token(self):
+        app = middleware.KeystoneContextMiddleware({})
+
+        request = FakeRequest()
+
+        request.headers = {
+            'X-Auth-Token': 'AuthToken',
+            'X-User-ID': 'UserID',
+            'X-Tenant-ID': None,
+            'X-Roles': 'admin,Member',
+        }
+
+        # Process the request
+        response = app(request)
+
+        self.assertEqual(response.status_code, 401)
+
 
 class NoAuthContextMiddlewareTest(ApiTestCase):
     def test_process_request(self):