From efb1fb99d87f754a008877f2e2d391221cb43721 Mon Sep 17 00:00:00 2001
From: Matthew Edmonds
Date: Wed, 12 Jul 2017 09:45:59 -0400
Subject: [PATCH] strip whitespace from token

This change strips whitespace from incoming tokens to prevent errors that are difficult for a caller to root cause.

Change-Id: I4b3fd18314c3ca94beb3b0c8c17280451d6c8755
Closes-Bug: #1689468
---
 keystonemiddleware/auth_token/__init__.py | 3 +++
 .../tests/unit/auth_token/test_base_middleware.py | 12 ++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/keystonemiddleware/auth_token/__init__.py b/keystonemiddleware/auth_token/__init__.py
index cc60cf72..6cb1f93c 100644
--- a/keystonemiddleware/auth_token/__init__.py
+++ b/keystonemiddleware/auth_token/__init__.py
@@ -430,6 +430,9 @@ class BaseAuthProtocol(object):
 def _do_fetch_token(self, token, **kwargs):
 """Helper method to fetch a token and convert it into an AccessInfo."""
+ # NOTE(edmondsw): strip the token to remove any whitespace that may
+ # have been passed along in the header per bug 1689468
+ token = token.strip()
 if self.kwargs_to_fetch_token:
 data = self.fetch_token(token, **kwargs)
 else:
diff --git a/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py b/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py
index 5595b0ac..32e43382 100644
--- a/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py
+++ b/keystonemiddleware/tests/unit/auth_token/test_base_middleware.py
@@ -89,7 +89,7 @@ class BaseAuthProtocolTests(testtools.TestCase):
 @webob.dec.wsgify
 def _do_cb(req):
- self.assertEqual(token_id, req.headers['X-Auth-Token'])
+ self.assertEqual(token_id, req.headers['X-Auth-Token'].strip())
 self.assertEqual('Confirmed', req.headers['X-Identity-Status'])
 self.assertNotIn('X-Service-Token', req.headers)
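Review bot: The stripped value is used only for the lookup inside `_do_fetch_token`; the token the request carries on to the application appears to be left exactly as received, which is why the test in this same patch has to compare `req.headers['X-Auth-Token'].strip()` instead of the exact token. So the credential that was validated and (presumably) cached is not the string the application and anything downstream keyed on the raw header will see, and `str.strip()` removes any leading or trailing Unicode whitespace, not just a stray CR or space. Consider normalizing once where the header is read (outside this hunk) so validation and the forwarded header agree, and say so in the comment: `# NOTE: the stripped value is what is validated; the raw header is not rewritten`. If `token` can ever be None here the new line raises AttributeError — the caller is not visible, so confirm it is always a string. The rest of `_do_fetch_token` continues below the hunk.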
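Review bot: Loosening the assertion to `req.headers['X-Auth-Token'].strip()` makes `_do_cb` pass whether the middleware forwards the raw header or a normalized one, so the test no longer pins which value the application receives. Keep the exact comparison for the plain-token call and put the whitespace variants in their own test that asserts the exact forwarded value the middleware is meant to deliver, e.g. `self.assertEqual(token_id + ' ', req.headers['X-Auth-Token'])` if the raw header is intentionally passed through. That way a later change that starts rewriting the header is noticed rather than absorbed. `_do_cb` and the enclosing test method continue outside the hunk.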
@@ -110,6 +110,10 @@ class BaseAuthProtocolTests(testtools.TestCase):
 m = FetchingMiddleware(_do_cb, token_dict)
 self.call(m, headers={'X-Auth-Token': token_id})
+ # also try with whitespace in the token
+ self.call(m, headers={'X-Auth-Token': token_id + ' '})
+ self.call(m, headers={'X-Auth-Token': token_id + '\r'})
+
 def test_invalid_user_token(self):
 token_id = uuid.uuid4().hex
@@ -149,7 +153,7 @@ class BaseAuthProtocolTests(testtools.TestCase):
 @webob.dec.wsgify
 def _do_cb(req):
- self.assertEqual(token_id, req.headers['X-Service-Token'])
+ self.assertEqual(token_id, req.headers['X-Service-Token'].strip())
 self.assertEqual('Confirmed', req.headers['X-Service-Identity-Status'])
@@ -171,6 +175,10 @@ class BaseAuthProtocolTests(testtools.TestCase):
 m = FetchingMiddleware(_do_cb, token_dict)
 self.call(m, headers={'X-Service-Token': token_id})
+ # also try with whitespace in the token
+ self.call(m, headers={'X-Service-Token': token_id + ' '})
+ self.call(m, headers={'X-Service-Token': token_id + '\r'})
+
 def test_invalid_service_token(self):
 token_id = uuid.uuid4().hex
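Review bot: The two new calls cover only a trailing space and a trailing CR, while `str.strip()` also accepts leading whitespace and tabs, which are just as likely to come from a client or proxy. Add `self.call(m, headers={'X-Auth-Token': ' ' + token_id})` and `self.call(m, headers={'X-Auth-Token': token_id + '\t'})`, and mirror them in the `X-Service-Token` hunk below. A negative case with interior whitespace (`token_id[:8] + ' ' + token_id[8:]`) would also document that stripping cannot turn an invalid token into a valid one, assuming `FetchingMiddleware` rejects tokens absent from `token_dict`. The enclosing test method starts above the hunk.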