Skip middleware request processing for admin token

In be558717 the request handling was refactored and more of the token handling was left to keystonemiddleware. However, when using the deprecated admin_token, the token needs to be handled differently. Specifically, there may be no 'token' or 'access' key in the body of the request, which keystoneauth expects to have keystonemiddleware pass to it[1][2]. Luckily the admin_token doesn't need a lot of special processing, so we can just skip that step and move on to fill_context. [1] http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n399 [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/access/access.py#n41 Closes-bug: #1603038 Change-Id: Iac4a5769072925fe2f36768c8f31816e6866f2f6
2016-07-19 15:41:24 -07:00 · 2016-07-19 15:41:24 -07:00 · e420b16c22
parent 18a1f1a554
commit e420b16c22
2 changed files with 14 additions and 6 deletions
--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
@ -45,9 +45,6 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
                                                    enforce_token_bind=bind)

    def fetch_token(self, token):
-        if CONF.admin_token and token == CONF.admin_token:
-            return {}
-
        try:
            return self.token_provider_api.validate_token(token)
        except exception.TokenNotFound:
@ -138,10 +135,12 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):

    @wsgi.middleware_exceptions
    def process_request(self, request):
-        resp = super(AuthContextMiddleware, self).process_request(request)
+        context_env = request.environ.get(core.CONTEXT_ENV, {})
+        if not context_env.get('is_admin', False):
+            resp = super(AuthContextMiddleware, self).process_request(request)

-        if resp:
-            return resp
+            if resp:
+                return resp

        # NOTE(jamielennox): function is split so testing can check errors from
        # fill_context. There is no actual reason for fill_context to raise
--- a/keystone/tests/unit/test_middleware.py
+++ b/keystone/tests/unit/test_middleware.py
@ -16,6 +16,7 @@ import copy
 import hashlib
 import uuid

+import fixtures
 from six.moves import http_client
 import webtest

@ -762,3 +763,11 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
        self.assertRaisesRegexp(exception.TokenlessAuthConfigError,
                                expected_msg,
                                auth._build_idp_id)
+
+    def test_admin_token_context(self):
+        self.config_fixture.config(admin_token='ADMIN')
+        log_fix = self.useFixture(fixtures.FakeLogger())
+        headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
+        environ = {middleware.core.CONTEXT_ENV: {'is_admin': True}}
+        self._do_middleware_request(headers=headers, extra_environ=environ)
+        self.assertNotIn('Invalid user token', log_fix.output)