authorMark Washenberger <mark.washenberger@rackspace.com>2012-02-03 17:31:35 -0500
committerMark Washenberger <mark.washenberger@rackspace.com>2012-02-03 17:31:35 -0500
commitf0a11485894f56aba337f65af5f92bede12ef17f (patch)
treebd8e2601c82fa10b6cc1a5f8785fe19fde7291ab
parentcd0df1e8b09d1ccf17e6fabed3aaafc7356b9486 (diff)
X_USER is deprecated in favor of X_USER_ID
Addressed bug 926372. Eventually, we should stop supporting X_USER because it is *supposed* to be the user's login name rather than their id. But this change preserves the old behavior for stability. For more info, check out keystone/middleware/auth_token.py in the keystone project. Change-Id: Ie837e73f9a592a903af71a426e202f8b6a9ac581
-rw-r--r--nova/api/auth.py8
-rw-r--r--nova/tests/api/test_auth.py60
2 files changed, 64 insertions, 4 deletions
diff --git a/nova/api/auth.py b/nova/api/auth.py
index cb601bdb3..316a8f72f 100644
--- a/nova/api/auth.py
+++ b/nova/api/auth.py
@@ -56,10 +56,10 @@ class NovaKeystoneContext(wsgi.Middleware):
@webob.dec.wsgify(RequestClass=wsgi.Request)
def __call__(self, req):
- try:
- user_id = req.headers['X_USER']
- except KeyError:
- logging.debug("X_USER not found in request")
+ user_id = req.headers.get('X_USER')
+ user_id = req.headers.get('X_USER_ID', user_id)
+ if user_id is None:
+ logging.debug("Neither X_USER_ID nor X_USER found in request")
return webob.exc.HTTPUnauthorized()
# get the roles
roles = [r.strip() for r in req.headers.get('X_ROLE', '').split(',')]
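Review bot: The `if user_id is None:` guard only rejects absent headers, so an `X_USER_ID` that is present but empty overrides a non-empty `X_USER` and the request goes on with `user_id == ''`; `if not user_id:` would return the 401 in that case too. The fallback to the deprecated `X_USER` is also silent, so a debug log line when only `X_USER` is supplied would let operators find deployments that still depend on it. Both headers are read straight from the request, which presumably relies on keystone's auth_token middleware sitting in front and overwriting any client-supplied values; a comment stating that assumption, such as `# identity headers are trusted only because auth_token sets them upstream`, would make the trust boundary explicit. `__call__` continues past the end of the hunk.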
diff --git a/nova/tests/api/test_auth.py b/nova/tests/api/test_auth.py
new file mode 100644
index 000000000..0625957f7
--- /dev/null
+++ b/nova/tests/api/test_auth.py
@@ -0,0 +1,60 @@
+# Copyright (c) 2012 OpenStack, LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import webob
+
+import nova.api.auth
+from nova import test
+
+
+class TestNovaKeystoneContextMiddleware(test.TestCase):
+
+ def setUp(self):
+
+ @webob.dec.wsgify()
+ def fake_app(req):
+ self.context = req.environ['nova.context']
+ return webob.Response()
+
+ self.context = None
+ self.middleware = nova.api.auth.NovaKeystoneContext(fake_app)
+ self.request = webob.Request.blank('/')
+ self.request.headers['X_TENANT_ID'] = 'testtenantid'
+ self.request.headers['X_AUTH_TOKEN'] = 'testauthtoken'
+
+ def tearDown(self):
+ pass
+
+ def test_no_user_or_user_id(self):
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(response.status, '401 Unauthorized')
+
+ def test_user_only(self):
+ self.request.headers['X_USER_ID'] = 'testuserid'
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(response.status, '200 OK')
+ self.assertEqual(self.context.user_id, 'testuserid')
+
+ def test_user_id_only(self):
+ self.request.headers['X_USER'] = 'testuser'
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(response.status, '200 OK')
+ self.assertEqual(self.context.user_id, 'testuser')
+
+ def test_user_id_trumps_user(self):
+ self.request.headers['X_USER_ID'] = 'testuserid'
+ self.request.headers['X_USER'] = 'testuser'
+ response = self.request.get_response(self.middleware)
+ self.assertEqual(response.status, '200 OK')
+ self.assertEqual(self.context.user_id, 'testuserid')
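Review bot: The names of two tests are swapped relative to what they exercise: `test_user_only` sets `X_USER_ID` and `test_user_id_only` sets `X_USER`, so a failure report would point at the wrong header; swapping the two names fixes it. `setUp` never calls the base class and `tearDown` is overridden with `pass`, which likely skips whatever setup and cleanup `test.TestCase` performs (not visible here); adding `super(TestNovaKeystoneContextMiddleware, self).setUp()` as the first line of `setUp` and deleting the empty `tearDown` would restore them. Since this middleware decides whether a request is authenticated, a case for a present-but-empty `X_USER_ID` header would also be worth adding to pin the expected 401 or 200.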