author | Donagh McCabe <donagh.mccabe@hp.com> | 2015-02-25 13:54:55 +0000 |
---|---|---|
committer | John Dickinson <me@not.mn> | 2015-04-14 13:15:15 -0700 |
commit | 8a1453e61e95956fd8a87546e068a60a275ae665 (patch) | |
tree | 169c65d146e2cd080a714072c0fef1537872f92e | |
parent | d3213fb1fe00ae649ba198577b7e8b37180d3753 (diff) | |
Support HTTP_X_SERVICE_IDENTITY_STATUS in keystoneauth
Keystone's auth_token now supports delay denial when
a service token is invalid. This change handles
the consequences for determining 401 vs 403 responses.
Related-Bug: #1422389
Change-Id: I90ba062e357cccea061c7101463b82b7c5e69293
-rw-r--r-- | swift/common/middleware/keystoneauth.py | 4 | ||||
-rw-r--r-- | test/unit/common/middleware/test_keystoneauth.py | 25 |
2 files changed, 28 insertions, 1 deletions
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py
index 09d559664..221251d44 100644
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@@ -242,7 +242,9 @@ class KeystoneAuth(object):
 # using _integral_keystone_identity to replace current
 # _keystone_identity. The purpose of keeping it in this release it for
 # back compatibility.
- if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
+ if (environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed'
+ or environ.get(
+ 'HTTP_X_SERVICE_IDENTITY_STATUS') not in (None, 'Confirmed')):
 return
 roles = []
 if 'HTTP_X_ROLES' in environ:
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
index b1e7bbda1..76b520518 100644
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
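Review bot: The added condition accepts a missing `HTTP_X_SERVICE_IDENTITY_STATUS`, which is only safe if the auth_token filter in front of this middleware always strips or overwrites a client-supplied `X-Service-Identity-Status` header, and nothing in the hunk records that assumption. A comment above the `if` would make it explicit, for example `# None means no service token was sent; this header must only ever be set by auth_token, never by the client`. The context comment names `_integral_keystone_identity` as the planned replacement for this method; it is outside the hunk, so if it repeats the `HTTP_X_IDENTITY_STATUS` check it presumably needs the same service-status condition. The enclosing method starts and ends outside the hunk.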
@@ -158,6 +158,31 @@ class SwiftAuth(unittest.TestCase):
 resp = req.get_response(self.test_auth)
 self.assertEqual(resp.status_int, 401)

+ def test_denied_responses(self):
+
+ def get_resp_status(headers):
+ req = self._make_request(headers=headers)
+ resp = req.get_response(self.test_auth)
+ return resp.status_int
+
+ self.assertEqual(get_resp_status({'X_IDENTITY_STATUS': 'Confirmed'}),
+ 403)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Confirmed',
+ 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 403)
+ self.assertEqual(get_resp_status({}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid',
+ 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Confirmed',
+ 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+ self.assertEqual(get_resp_status(
+ {'X_IDENTITY_STATUS': 'Invalid',
+ 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+
 def test_blank_reseller_prefix(self):
 conf = {'reseller_prefix': ''}
 test_auth = keystoneauth.filter_factory(conf)(FakeApp()) |
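Review bot: `test_denied_responses` has no case where only the service status header is present, so a request with a missing `X_IDENTITY_STATUS` and a confirmed service status is covered only indirectly by the `{}` case. Adding `self.assertEqual(get_resp_status({'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401)` would pin that a confirmed service token alone never counts as an authenticated user. A case with a service status value other than the two tested ones would likewise confirm that anything except `'Confirmed'` is rejected. The method also has no docstring; a one-line summary of the expected split, as the assertions suggest (401 when either status is unconfirmed, 403 when confirmed but not authorized), would help.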