Explicitly convert X-Target-Insecure to a boolean

We will now only accept the string values "False" or "True". Previously any given value was interpreted as a string and thus True. Closes-Bug: #1666565 Change-Id: Ibd105c881dbe16cd4516bfb775c8f5f43c961b45 (cherry picked from commit b16a4ce465)
2018-08-17 10:48:30 +01:00 · 2018-08-17 10:48:30 +01:00 · 4a7065c6a3
parent 45c9d4ece0
commit 4a7065c6a3
3 changed files with 65 additions and 1 deletions
--- a/mistral/context.py
+++ b/mistral/context.py
@ -131,10 +131,20 @@ def _extract_mistral_auth_params(headers):
    service_catalog = None

    if headers.get("X-Target-Auth-Uri"):
+        insecure_header = headers.get('X-Target-Insecure', 'False')
+        if insecure_header == 'False':
+            insecure = False
+        elif insecure_header == 'True':
+            insecure = True
+        else:
+            raise (exc.MistralException(
+                'X-Target-Insecure must be either "True", "False" or not '
+                'provided. The default is "False".'))
+
        params = {
            # TODO(akovi): Target cert not handled yet
            'auth_cacert': None,
-            'insecure': headers.get('X-Target-Insecure', False),
+            'insecure': insecure,
            'auth_token': headers.get('X-Target-Auth-Token'),
            'auth_uri': headers.get('X-Target-Auth-Uri'),
            'tenant': headers.get('X-Target-Project-Id'),
--- a/mistral/tests/unit/test_context.py
+++ b/mistral/tests/unit/test_context.py
@ -0,0 +1,46 @@
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+from mistral import context
+from mistral import exceptions
+from mistral.tests.unit.engine import base
+
+
+class ContextTestCase(base.EngineTestCase):
+
+    def test_target_insecure(self):
+        # Defaults to False if X-Target-Auth-Uri isn't passed.
+        headers = context._extract_mistral_auth_params({
+            'X-Target-Insecure': 'True',
+        })
+        self.assertFalse(headers['insecure'])
+
+        headers = {
+            "X-Target-Auth-Uri": "uri",
+            'X-Target-Auth-Token': 'Token',
+        }
+
+        params = context._extract_mistral_auth_params(headers)
+        self.assertFalse(params['insecure'])
+
+        headers['X-Target-Insecure'] = 'True'
+        params = context._extract_mistral_auth_params(headers)
+        self.assertTrue(params['insecure'])
+
+        headers['X-Target-Insecure'] = 'False'
+        params = context._extract_mistral_auth_params(headers)
+        self.assertFalse(params['insecure'])
+
+        headers['X-Target-Insecure'] = 'S3cure'
+        self.assertRaises(
+            exceptions.MistralException,
+            context._extract_mistral_auth_params, headers)
--- a/releasenotes/notes/x-target-insecure-values-4b2bdbfd42526abc.yaml
+++ b/releasenotes/notes/x-target-insecure-values-4b2bdbfd42526abc.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    The header X-Target-Insecure previously accepted any string and used it
+    for comparisons. This meant unless it was empty (or not provided) it would
+    always evaluate as True. This change makes the validation stricter, only
+    accepting "True" and "False" and converting these to boolean values. Any
+    other value will return an error.