authorDonagh McCabe <donagh.mccabe@hp.com>2015-02-25 13:54:55 +0000
committerJohn Dickinson <me@not.mn>2015-04-14 13:15:15 -0700
commit8a1453e61e95956fd8a87546e068a60a275ae665 (patch)
tree169c65d146e2cd080a714072c0fef1537872f92e
parentd3213fb1fe00ae649ba198577b7e8b37180d3753 (diff)
Support HTTP_X_SERVICE_IDENTITY_STATUS in keystoneauth
Keystone's auth_token now supports delayed denial when a service token is invalid. This change handles the consequences for determining 401 vs 403 responses. Related-Bug: #1422389 Change-Id: I90ba062e357cccea061c7101463b82b7c5e69293
-rw-r--r--swift/common/middleware/keystoneauth.py4
-rw-r--r--test/unit/common/middleware/test_keystoneauth.py25
2 files changed, 28 insertions, 1 deletions
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py
index 09d559664..221251d44 100644
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@@ -242,7 +242,9 @@ class KeystoneAuth(object):
# using _integral_keystone_identity to replace current
# _keystone_identity. The purpose of keeping it in this release it for
# back compatibility.
- if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
+ if (environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed'
+ or environ.get(
+ 'HTTP_X_SERVICE_IDENTITY_STATUS') not in (None, 'Confirmed')):
return
roles = []
if 'HTTP_X_ROLES' in environ:
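Review bot: The added `not in (None, 'Confirmed')` test accepts a request whose HTTP_X_SERVICE_IDENTITY_STATUS is absent, and nothing in the hunk records why that case is allowed through. If the intent is that a missing value means no service token was presented (or an auth_token release that does not set the header), say so above the condition, e.g. `# None: no service token status was set; only an explicit non-'Confirmed' value denies.` The context comment also names `_integral_keystone_identity` as the planned replacement for this function; it is outside the hunk, so confirm it carries the same service-status condition, otherwise the denial is lost when the switch happens. The enclosing function starts and ends outside the hunk.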
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
index b1e7bbda1..76b520518 100644
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@@ -158,6 +158,31 @@ class SwiftAuth(unittest.TestCase):
resp = req.get_response(self.test_auth)
self.assertEqual(resp.status_int, 401)
+ def test_denied_responses(self):
+
+ def get_resp_status(headers):
+ req = self._make_request(headers=headers)
+ resp = req.get_response(self.test_auth)
+ return resp.status_int
+
+ self.assertEqual(get_resp_status({'X_IDENTITY_STATUS': 'Confirmed'}),
+ 403)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Confirmed',
+ 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 403)
+ self.assertEqual(get_resp_status({}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid',
+ 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Confirmed',
+ 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid',
+ 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+
def test_blank_reseller_prefix(self):
conf = {'reseller_prefix': ''}
test_auth = keystoneauth.filter_factory(conf)(FakeApp())
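Review bot: `test_denied_responses` never sends X_SERVICE_IDENTITY_STATUS on its own, so the case where only the service status is present is not pinned. Going by the condition in keystoneauth.py, a request with no confirmed user identity should still be rejected as unauthenticated, so a case such as `self.assertEqual(get_resp_status({'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401)` (and the same with `'Invalid'`) would guard against a later change letting a service status stand in for the user's. A one-line docstring stating that 403 means identity confirmed but not authorised, and 401 means identity not established, would also make the expected values readable without opening the middleware.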