strip whitespace from token

This change strips whitespace from incoming tokens, to prevent errors
that are otherwise difficult for a caller to root-cause.

Change-Id: I4b3fd18314c3ca94beb3b0c8c17280451d6c8755
Closes-Bug: #1689468
Matthew Edmonds 2017-07-12 09:45:59 -04:00
parent fe241a0ad9
commit efb1fb99d8
2 changed files with 13 additions and 2 deletions


@ -430,6 +430,9 @@ class BaseAuthProtocol(object):
def _do_fetch_token(self, token, **kwargs):
"""Helper method to fetch a token and convert it into an AccessInfo."""
# NOTE(edmondsw): strip the token to remove any whitespace that may
# have been passed along in the header per bug 1689468
token = token.strip()
if self.kwargs_to_fetch_token:
data = self.fetch_token(token, **kwargs)
else:
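Review bot: The stripped value is only used for the fetch, so anything that later reads the raw header — the downstream application, or any cache or log keyed on the original string — still sees the whitespace-bearing token; the relaxed test assertion `req.headers['X-Auth-Token'].strip()` in the test file points the same way. If forwarding the request untouched is intended, the docstring should say so, e.g. `Leading/trailing whitespace is stripped before the lookup; the request's own header value is left as received.` Also, `token.strip()` raises AttributeError if any caller passes None here; whether that can happen depends on callers outside this hunk. The enclosing method continues past the hunk.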


@ -89,7 +89,7 @@ class BaseAuthProtocolTests(testtools.TestCase):
@webob.dec.wsgify
def _do_cb(req):
self.assertEqual(token_id, req.headers['X-Auth-Token'])
self.assertEqual(token_id, req.headers['X-Auth-Token'].strip())
self.assertEqual('Confirmed', req.headers['X-Identity-Status'])
self.assertNotIn('X-Service-Token', req.headers)
@ -110,6 +110,10 @@ class BaseAuthProtocolTests(testtools.TestCase):
m = FetchingMiddleware(_do_cb, token_dict)
self.call(m, headers={'X-Auth-Token': token_id})
# also try with whitespace in the token
self.call(m, headers={'X-Auth-Token': token_id + ' '})
self.call(m, headers={'X-Auth-Token': token_id + '\r'})
def test_invalid_user_token(self):
token_id = uuid.uuid4().hex
@ -149,7 +153,7 @@ class BaseAuthProtocolTests(testtools.TestCase):
@webob.dec.wsgify
def _do_cb(req):
self.assertEqual(token_id, req.headers['X-Service-Token'])
self.assertEqual(token_id, req.headers['X-Service-Token'].strip())
self.assertEqual('Confirmed',
req.headers['X-Service-Identity-Status'])
@ -171,6 +175,10 @@ class BaseAuthProtocolTests(testtools.TestCase):
m = FetchingMiddleware(_do_cb, token_dict)
self.call(m, headers={'X-Service-Token': token_id})
# also try with whitespace in the token
self.call(m, headers={'X-Service-Token': token_id + ' '})
self.call(m, headers={'X-Service-Token': token_id + '\r'})
def test_invalid_service_token(self):
token_id = uuid.uuid4().hex
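Review bot: The regression coverage added with `token_id + ' '` and `token_id + '\r'` exercises only trailing padding, while the fix relies on `str.strip()`, which also removes leading whitespace, `'\n'` and `'\t'`; a loop such as `for pad in (' ', '\r', '\n', '\t'):` / `self.call(m, headers={'X-Auth-Token': token_id + pad})` would pin the full behaviour, provided the test harness passes header values through verbatim. The same applies to the X-Service-Token hunk at -171,6 +175,10. Relaxing `_do_cb` to compare against `.strip()` of the forwarded header also means these tests no longer check what the downstream app actually receives; if forwarding the raw header is intended, a one-line comment in `_do_cb` stating that would make it explicit. Both test methods continue outside their hunks.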