::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
: Copyright (c) 2017 Mirantis Inc., Enea AB and others.
:
: All rights reserved. This program and the accompanying materials
: are made available under the terms of the Apache License, Version 2.0
: which accompanies this distribution, and is available at
: http://www.apache.org/licenses/LICENSE-2.0
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Date: Wed, 3 Jan 2018 00:50:50 +0100
Subject: [PATCH] controller: Use keystoneclient to check project ID

Port fix from [1] for using the internal network when connecting
to keystone during project ID validation in nova, instead of
going through public endpoint (and using SSL).

[1] https://bugs.launchpad.net/nova/+bug/1716344

Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
---
 nova/controller.sls                                |  10 ++
 ...keystoneclient-to-check-project-ID-exists.patch | 116 +++++++++++++++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch

diff --git a/nova/controller.sls b/nova/controller.sls
index a55d037..59af945 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -71,6 +71,16 @@ contrail_nova_packages:

 {%- endif %}

+nova-api-openstack-identity-patch:
+  file.patch:
+  - name: /usr/lib/python2.7/dist-packages
+  - source: salt://nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
+  - hash: False
+  - options: '-p1'
+  - unless: 'test -f /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch && cd /usr/lib/python2.7/dist-packages && patch -p1 -R --dry-run /var/cache/salt/minion/files/base/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch'
+  - require:
+    - pkg: nova_controller_packages
+
 /etc/nova/nova.conf:
   file.managed:
   - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
diff --git a/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
new file mode 100644
index 0000000..58d027e
--- /dev/null
+++ b/nova/files/0001-Use-keystoneclient-to-check-project-ID-exists.patch
@@ -0,0 +1,116 @@
+From: Christoph Fiehe <fiehe@gmx.de>
+Date: Wed, 3 Jan 2018 00:11:20 +0100
+Subject: [PATCH] Use keystoneclient to check project ID exists
+
+Based on Christoph's implementation proposed in [1].
+
+[1] https://bugs.launchpad.net/nova/+bug/1716344
+
+Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
+---
+ nova/api/openstack/identity.py | 81 ++++++++++++++++--------------------------
+ 1 file changed, 30 insertions(+), 51 deletions(-)
+
+diff --git a/nova/api/openstack/identity.py b/nova/api/openstack/identity.py
+index 833d3b5..3269cec 100644
+--- a/nova/api/openstack/identity.py
++++ b/nova/api/openstack/identity.py
+@@ -12,16 +12,15 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
+-from keystoneauth1 import exceptions as kse
+-from keystoneauth1 import loading as ks_loading
++from keystoneauth1 import session
++from keystoneclient import exceptions as kse
++from keystoneclient.v3 import client
+ from oslo_log import log as logging
+ import webob
+
+-import nova.conf
+ from nova.i18n import _
+
+
+-CONF = nova.conf.CONF
+ LOG = logging.getLogger(__name__)
+
+
+@@ -32,51 +31,31 @@ def verify_project_id(context, project_id):
+     an HTTPBadRequest is emitted.
+
+     """
+-    sess = ks_loading.load_session_from_conf_options(
+-        CONF, 'keystone', auth=context.get_auth_plugin())
+-
+-    failure = webob.exc.HTTPBadRequest(
+-            explanation=_("Project ID %s is not a valid project.") %
+-            project_id)
++    auth = context.get_auth_plugin()
++    sess = session.Session(auth=auth)
++    keystone = client.Client(session=sess)
+     try:
+-        resp = sess.get('/projects/%s' % project_id,
+-                        endpoint_filter={
+-                            'service_type': 'identity',
+-                            'version': (3, 0)
+-                        },
+-                        raise_exc=False)
+-    except kse.EndpointNotFound:
+-        LOG.error(
+-            "Keystone identity service version 3.0 was not found. This might "
+-            "be because your endpoint points to the v2.0 versioned endpoint "
+-            "which is not supported. Please fix this.")
+-        raise failure
+-    except kse.ClientException:
+-        # something is wrong, like there isn't a keystone v3 endpoint,
+-        # we'll take the pass and default to everything being ok.
+-        LOG.exception("Unable to contact keystone to verify project_id")
+-        return True
+-
+-    if resp:
+-        # All is good with this 20x status
+-        return True
+-    elif resp.status_code == 404:
+-        # we got access, and we know this project is not there
+-        raise failure
+-    elif resp.status_code == 403:
+-        # we don't have enough permission to verify this, so default
+-        # to "it's ok".
+-        LOG.info(
+-            "Insufficient permissions for user %(user)s to verify "
+-            "existence of project_id %(pid)s",
+-            {"user": context.user_id, "pid": project_id})
+-        return True
+-    else:
+-        LOG.warning(
+-            "Unexpected response from keystone trying to "
+-            "verify project_id %(pid)s - resp: %(code)s %(content)s",
+-            {"pid": project_id,
+-             "code": resp.status_code,
+-             "content": resp.content})
+-        # realize we did something wrong, but move on with a warning
+-        return True
++        project = keystone.projects.get(project_id)
++    except kse.ClientException as e:
++        if e.http_status == 404:
++            # we got access, and we know this project is not there
++            raise webob.exc.HTTPBadRequest(
++                explanation=_("Project ID %s is not a valid project.") %
++                project_id)
++        elif e.http_status == 403:
++            # we don't have enough permission to verify this, so default
++            # to "it's ok".
++            LOG.info(
++                "Insufficient permissions for user %(user)s to verify "
++                "existence of project_id %(pid)s",
++                {"user": context.user_id, "pid": project_id})
++            return True
++        else:
++            LOG.warning(
++                "Unexpected response from keystone trying to "
++                "verify project_id %(pid)s - resp: %(code)s %(content)s",
++                {"pid": project_id,
++                 "code": resp.status_code,
++                 "content": resp.content})
++            # realize we did something wrong, but move on with a warning
++            return True