Coverage for nova/api/openstack/identity.py: 100%

27 statements  

« prev     ^ index     » next       coverage.py v7.6.12, created at 2025-04-17 15:08 +0000

1# Copyright 2017 IBM 

2# 

3# Licensed under the Apache License, Version 2.0 (the "License"); you may 

4# not use this file except in compliance with the License. You may obtain 

5# a copy of the License at 

6# 

7# http://www.apache.org/licenses/LICENSE-2.0 

8# 

9# Unless required by applicable law or agreed to in writing, software 

10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 

11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 

12# License for the specific language governing permissions and limitations 

13# under the License. 

14 

15from keystoneauth1 import exceptions as kse 

16from oslo_log import log as logging 

17import webob 

18 

19from nova.i18n import _ 

20from nova import utils 

21 

22 

23LOG = logging.getLogger(__name__) 

24 

25 

26def verify_project_id(context, project_id): 

27 """verify that a project_id exists. 

28 

29 This attempts to verify that a project id exists. If it does not, 

30 an HTTPBadRequest is emitted. Also HTTPBadRequest is emitted 

31 if Keystone identity service version 3.0 is not found. 

32 

33 """ 

34 adap = utils.get_ksa_adapter( 

35 'identity', ksa_auth=context.get_auth_plugin(), 

36 min_version=(3, 0), max_version=(3, 'latest')) 

37 

38 try: 

39 resp = adap.get('/projects/%s' % project_id) 

40 except kse.EndpointNotFound: 

41 LOG.error( 

42 "Keystone identity service version 3.0 was not found. This " 

43 "might be caused by Nova misconfiguration or Keystone " 

44 "problems.") 

45 msg = _("Nova was unable to find Keystone service endpoint.") 

46 # TODO(astupnik). It may be reasonable to switch to HTTP 503 

47 # (HTTP Service Unavailable) instead of HTTP Bad Request here. 

48 # If proper Keystone service is inaccessible, then technially 

49 # this is a server side error and not an error in Nova. 

50 raise webob.exc.HTTPBadRequest(explanation=msg) 

51 except kse.ClientException: 

52 # something is wrong, like there isn't a keystone v3 endpoint, 

53 # or nova isn't configured for the interface to talk to it; 

54 # we'll take the pass and default to everything being ok. 

55 LOG.info("Unable to contact keystone to verify project_id") 

56 return True 

57 

58 if resp: 

59 # All is good with this 20x status 

60 return True 

61 elif resp.status_code == 404: 

62 # we got access, and we know this project is not there 

63 msg = _("Project ID %s is not a valid project.") % project_id 

64 raise webob.exc.HTTPBadRequest(explanation=msg) 

65 elif resp.status_code == 403: 

66 # we don't have enough permission to verify this, so default 

67 # to "it's ok". 

68 LOG.info( 

69 "Insufficient permissions for user %(user)s to verify " 

70 "existence of project_id %(pid)s", 

71 {"user": context.user_id, "pid": project_id}) 

72 return True 

73 else: 

74 LOG.warning( 

75 "Unexpected response from keystone trying to " 

76 "verify project_id %(pid)s - resp: %(code)s %(content)s", 

77 {"pid": project_id, 

78 "code": resp.status_code, 

79 "content": resp.content}) 

80 # realize we did something wrong, but move on with a warning 

81 return True