From b97da136a5c8c937757ad82249061140b1bf22e5 Mon Sep 17 00:00:00 2001
From: Steven Hardy <shardy@redhat.com>
Date: Mon, 2 Dec 2013 23:59:19 +0000
Subject: [PATCH] Deny API requests where context doesn't match path

We shouldn't overwrite the context path (which comes from the scope
of the auth_token) with that from the path, instead raise a
HTTPForbidden exception if the path-provided tenant_id doesn't match
the context.

Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81
Closes-Bug: #1256983
---
 heat/api/openstack/v1/util.py            |  5 +++--
 heat/tests/test_api_openstack_v1_util.py | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/heat/api/openstack/v1/util.py b/heat/api/openstack/v1/util.py
index 2235857..3d403ce 100644
--- a/heat/api/openstack/v1/util.py
+++ b/heat/api/openstack/v1/util.py
@@ -21,12 +21,13 @@ from heat.common import identifier
 
 def tenant_local(handler):
     '''
-    Decorator for a handler method that sets the correct tenant_id in the
+    Decorator for a handler method that checks the path matches the
     request context.
     '''
     @wraps(handler)
     def handle_stack_method(controller, req, tenant_id, **kwargs):
-        req.context.tenant_id = tenant_id
+        if req.context.tenant_id != tenant_id:
+            raise exc.HTTPForbidden()
         return handler(controller, req, **kwargs)
 
     return handle_stack_method
diff --git a/heat/tests/test_api_openstack_v1_util.py b/heat/tests/test_api_openstack_v1_util.py
index e1d859c..00f1038 100644
--- a/heat/tests/test_api_openstack_v1_util.py
+++ b/heat/tests/test_api_openstack_v1_util.py
@@ -12,7 +12,10 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+from webob import exc
+
 from heat.api.openstack.v1 import util
+from heat.common import context
 from heat.common.wsgi import Request
 from heat.tests.common import HeatTestCase
 
@@ -77,3 +80,23 @@ class TestGetAllowedParams(HeatTestCase):
         self.whitelist = {'foo': 'blah'}
         result = util.get_allowed_params(self.params, self.whitelist)
         self.assertNotIn('foo', result)
+
+
+class TestTenantLocal(HeatTestCase):
+    def setUp(self):
+        super(TestTenantLocal, self).setUp()
+        self.req = Request({})
+        self.req.context = context.RequestContext(tenant_id='foo')
+
+
+    def test_tenant_local(self):
+
+        @util.tenant_local
+        def an_action(controller, req):
+            return 'woot'
+
+        self.assertEqual('woot',
+                         an_action(None, self.req, tenant_id='foo'))
+
+        self.assertRaises(exc.HTTPForbidden,
+                          an_action, None, self.req, tenant_id='bar')
-- 
1.8.3.1