diff --git a/mistral/context.py b/mistral/context.py index 9235811f3..12e63d40e 100644 --- a/mistral/context.py +++ b/mistral/context.py @@ -131,10 +131,20 @@ def _extract_mistral_auth_params(headers): service_catalog = None if headers.get("X-Target-Auth-Uri"): + insecure_header = headers.get('X-Target-Insecure', 'False') + if insecure_header == 'False': + insecure = False + elif insecure_header == 'True': + insecure = True + else: + raise (exc.MistralException( + 'X-Target-Insecure must be either "True", "False" or not ' + 'provided. The default is "False".')) + params = { # TODO(akovi): Target cert not handled yet 'auth_cacert': None, - 'insecure': headers.get('X-Target-Insecure', False), + 'insecure': insecure, 'auth_token': headers.get('X-Target-Auth-Token'), 'auth_uri': headers.get('X-Target-Auth-Uri'), 'tenant': headers.get('X-Target-Project-Id'), diff --git a/mistral/tests/unit/test_context.py b/mistral/tests/unit/test_context.py new file mode 100644 index 000000000..d300050f4 --- /dev/null +++ b/mistral/tests/unit/test_context.py @@ -0,0 +1,46 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from mistral import context +from mistral import exceptions +from mistral.tests.unit.engine import base + + +class ContextTestCase(base.EngineTestCase): + + def test_target_insecure(self): + # Defaults to False if X-Target-Auth-Uri isn't passed. + headers = context._extract_mistral_auth_params({ + 'X-Target-Insecure': 'True', + }) + self.assertFalse(headers['insecure']) + + headers = { + "X-Target-Auth-Uri": "uri", + 'X-Target-Auth-Token': 'Token', + } + + params = context._extract_mistral_auth_params(headers) + self.assertFalse(params['insecure']) + + headers['X-Target-Insecure'] = 'True' + params = context._extract_mistral_auth_params(headers) + self.assertTrue(params['insecure']) + + headers['X-Target-Insecure'] = 'False' + params = context._extract_mistral_auth_params(headers) + self.assertFalse(params['insecure']) + + headers['X-Target-Insecure'] = 'S3cure' + self.assertRaises( + exceptions.MistralException, + context._extract_mistral_auth_params, headers) diff --git a/releasenotes/notes/x-target-insecure-values-4b2bdbfd42526abc.yaml b/releasenotes/notes/x-target-insecure-values-4b2bdbfd42526abc.yaml new file mode 100644 index 000000000..7e7d72db2 --- /dev/null +++ b/releasenotes/notes/x-target-insecure-values-4b2bdbfd42526abc.yaml @@ -0,0 +1,8 @@ +--- +fixes: + - | + The header X-Target-Insecure previously accepted any string and used it + for comparisons. This meant unless it was empty (or not provided) it would + always evaluate as True. This change makes the validation stricter, only + accepting "True" and "False" and converting these to boolean values. Any + other value will return an error.