From f5bd968a9793ecab90ffb22c8a22eaf32eb7a035 Mon Sep 17 00:00:00 2001
From: Jamie Lennox
Date: Fri, 29 Sep 2017 14:57:01 +1000
Subject: [PATCH] Move auth header definitions into authorization

common/authorization.py seems to be the canonical local for all our information relating to auth parameters. The header definitions should really be there as well.

Change-Id: I20d5cc94a55dd8936b5fe376ebbabd69909bb4dd
---
 keystone/common/authorization.py | 8 ++++++++
 keystone/middleware/auth.py | 3 +--
 keystone/middleware/core.py | 20 ++++++++------------
 keystone/tests/unit/test_middleware.py | 6 +++---
 keystone/tests/unit/test_v3.py | 4 ++--
 5 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/keystone/common/authorization.py b/keystone/common/authorization.py
index 2915ce8a6d..bf744b635f 100644
--- a/keystone/common/authorization.py
+++ b/keystone/common/authorization.py
@@ -26,6 +26,14 @@ from keystone.i18n import _
 from keystone.models import token_model
+# Header used to transmit the auth token
+AUTH_TOKEN_HEADER = 'X-Auth-Token'
+
+
+# Header used to transmit the subject token
+SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
+
+
 CONF = conf.CONF
 AUTH_CONTEXT_ENV = 'KEYSTONE_AUTH_CONTEXT'
 """Environment variable used to convey the Keystone auth context.
diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py
index f242319685..1223ffec2c 100644
--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
@@ -23,7 +23,6 @@ from keystone import exception
 from keystone.federation import constants as federation_constants
 from keystone.federation import utils
 from keystone.i18n import _
-from keystone.middleware import core
 from keystone.models import token_model
 from keystone.token.providers import common
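Review bot: The two constants added in `keystone/common/authorization.py` are documented with `#` comments, while `AUTH_CONTEXT_ENV` directly below them is documented with a string literal after the assignment; using one style for all three would keep the module consistent. Both headers carry bearer tokens, so the comment is also a good place to say that their values must not be written to logs, for example `# Header carrying the caller's token; the value is a credential and must not be logged.` The rest of the module lies outside the hunk.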
@@ -141,7 +140,7 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
 # NOTE(notmorgan): This code is merged over from the admin token
 # middleware and now emits the security warning when the
 # conf.admin_token value is set.
- token = request.headers.get(core.AUTH_TOKEN_HEADER)
+ token = request.headers.get(authorization.AUTH_TOKEN_HEADER)
 if CONF.admin_token and (token == CONF.admin_token):
 context_env['is_admin'] = True
 LOG.warning(
diff --git a/keystone/middleware/core.py b/keystone/middleware/core.py
index 804cbeb54d..bacb618daf 100644
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@@ -16,28 +16,24 @@ from oslo_log import log
 from oslo_log import versionutils
 from oslo_serialization import jsonutils
+from keystone.common import authorization
 from keystone.common import wsgi
 from keystone import exception
 LOG = log.getLogger(__name__)
-# Header used to transmit the auth token
-AUTH_TOKEN_HEADER = 'X-Auth-Token'
-
-
-# Header used to transmit the subject token
-SUBJECT_TOKEN_HEADER = 'X-Subject-Token'
-
 class TokenAuthMiddleware(wsgi.Middleware):
 def process_request(self, request):
- token = request.headers.get(AUTH_TOKEN_HEADER)
- context = request.environ.get(wsgi.CONTEXT_ENV, {})
+ context = request.environ.setdefault(wsgi.CONTEXT_ENV, {})
+
+ token = request.headers.get(authorization.AUTH_TOKEN_HEADER)
 context['token_id'] = token
- if SUBJECT_TOKEN_HEADER in request.headers:
- context['subject_token_id'] = request.headers[SUBJECT_TOKEN_HEADER]
- request.environ[wsgi.CONTEXT_ENV] = context
+
+ subject_token = request.headers.get(authorization.SUBJECT_TOKEN_HEADER)
+ if subject_token:
+ context['subject_token_id'] = subject_token
 class AdminTokenAuthMiddleware(wsgi.Middleware):
diff --git a/keystone/tests/unit/test_middleware.py b/keystone/tests/unit/test_middleware.py
index 4f5022398f..fcdf6790e2 100644
--- a/keystone/tests/unit/test_middleware.py
+++ b/keystone/tests/unit/test_middleware.py
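Review bot: The context line `if CONF.admin_token and (token == CONF.admin_token):` directly below the changed lookup compares a shared secret with `==`, which is not a constant-time comparison, and `token` is `None` when the header is absent. A guarded constant-time check would cover both, e.g. `if CONF.admin_token and token and hmac.compare_digest(token, CONF.admin_token):`; oslo.utils' `secretutils.constant_time_compare` is an alternative if that library is already available to this module, which the hunk does not show. `hmac.compare_digest` needs bytes or ASCII-only text, so a non-ASCII header value would have to be encoded or rejected first. The enclosing method starts and ends outside the hunk, so how `context_env` is used afterwards could not be checked.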
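Review bot: The rewritten `process_request` changes behaviour beyond the move the commit message describes: `if subject_token:` skips an `X-Subject-Token` header that is present but empty, where the removed `if SUBJECT_TOKEN_HEADER in request.headers:` stored the empty value in `context['subject_token_id']`. If downstream code relies on presence rather than truthiness, `if subject_token is not None:` keeps the old contract; otherwise the change deserves a line in the commit message and a test, since the test hunks in this patch only exercise `X-Auth-Token`. Removing `AUTH_TOKEN_HEADER` and `SUBJECT_TOKEN_HEADER` from `keystone/middleware/core.py` without an alias also breaks any out-of-tree importer of those names, which may be acceptable but is worth stating.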
@@ -106,7 +106,7 @@ class TokenAuthMiddlewareTest(MiddlewareRequestTestBase):
 MIDDLEWARE_CLASS = middleware.TokenAuthMiddleware
 def test_request(self):
- headers = {middleware.AUTH_TOKEN_HEADER: 'MAGIC'}
+ headers = {authorization.AUTH_TOKEN_HEADER: 'MAGIC'}
 req = self._do_middleware_request(headers=headers)
 context = req.environ[wsgi.CONTEXT_ENV]
 self.assertEqual('MAGIC', context['token_id'])
@@ -721,7 +721,7 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
 def test_admin_token_context(self):
 self.config_fixture.config(admin_token='ADMIN')
 log_fix = self.useFixture(fixtures.FakeLogger())
- headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
+ headers = {authorization.AUTH_TOKEN_HEADER: 'ADMIN'}
 req = self._do_middleware_request(headers=headers)
 self.assertTrue(req.environ[wsgi.CONTEXT_ENV]['is_admin'])
 self.assertNotIn('Invalid user token', log_fix.output)
@@ -730,6 +730,6 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
 self.config_fixture.config(
 admin_token='ADMIN')
 log_fix = self.useFixture(fixtures.FakeLogger())
- headers = {middleware.AUTH_TOKEN_HEADER: 'NOT-ADMIN'}
+ headers = {authorization.AUTH_TOKEN_HEADER: 'NOT-ADMIN'}
 self._do_middleware_request(headers=headers)
 self.assertIn('Invalid user token', log_fix.output)
diff --git a/keystone/tests/unit/test_v3.py b/keystone/tests/unit/test_v3.py
index 005d397ab1..64a074eef6 100644
--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@@ -1242,7 +1242,7 @@ class AuthContextMiddlewareAdminTokenTestCase(RestfulTestCase):
 app = webtest.TestApp(middleware.AuthContextMiddleware(application),
 extra_environ=extra_environ)
- resp = app.get('/', headers={middleware.AUTH_TOKEN_HEADER: token})
+ resp = app.get('/', headers={authorization.AUTH_TOKEN_HEADER: token})
 self.assertEqual('body', resp.text) # just to make sure it worked
 return resp.request
@@ -1273,7 +1273,7 @@ class AuthContextMiddlewareTestCase(RestfulTestCase):
 app = webtest.TestApp(middleware.AuthContextMiddleware(application),
 extra_environ=extra_environ)
- resp = app.get('/', headers={middleware.AUTH_TOKEN_HEADER: token})
+ resp = app.get('/', headers={authorization.AUTH_TOKEN_HEADER: token})
 self.assertEqual(b'body', resp.body) # just to make sure it worked
 return resp.request