diff options
| author | Jenkins <jenkins@review.openstack.org> | 2015-04-14 22:44:01 +0000 |
|---|---|---|
| committer | Gerrit Code Review <review@openstack.org> | 2015-04-14 22:44:01 +0000 |
| commit | bc2c9ba2a561d391760bd0e2af02c7c4370d3af7 (patch) | |
| tree | 34ebf0de1595867f34678a940f976edeb0a16557 | |
| parent | 87f84f6aae82a42ca2f46a50412075b69b612c37 (diff) | |
| parent | 8a1453e61e95956fd8a87546e068a60a275ae665 (diff) | |
| download | swift-bc2c9ba2a561d391760bd0e2af02c7c4370d3af7.tar.gz | |
Merge "Support HTTP_X_SERVICE_IDENTITY_STATUS in keystoneauth"
| -rw-r--r-- | swift/common/middleware/keystoneauth.py | 4 | ||||
| -rw-r--r-- | test/unit/common/middleware/test_keystoneauth.py | 25 |
2 files changed, 28 insertions, 1 deletions
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py index 505024e69..9887cdd06 100644 --- a/swift/common/middleware/keystoneauth.py +++ b/swift/common/middleware/keystoneauth.py @@ -242,7 +242,9 @@ class KeystoneAuth(object): # using _integral_keystone_identity to replace current # _keystone_identity. The purpose of keeping it in this release it for # back compatibility. - if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed': + if (environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed' + or environ.get( + 'HTTP_X_SERVICE_IDENTITY_STATUS') not in (None, 'Confirmed')): return roles = [] if 'HTTP_X_ROLES' in environ: diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py index b1e7bbda1..76b520518 100644 --- a/test/unit/common/middleware/test_keystoneauth.py +++ b/test/unit/common/middleware/test_keystoneauth.py @@ -158,6 +158,31 @@ class SwiftAuth(unittest.TestCase): resp = req.get_response(self.test_auth) self.assertEqual(resp.status_int, 401) + def test_denied_responses(self): + + def get_resp_status(headers): + req = self._make_request(headers=headers) + resp = req.get_response(self.test_auth) + return resp.status_int + + self.assertEqual(get_resp_status({'X_IDENTITY_STATUS': 'Confirmed'}), + 403) + self.assertEqual(get_resp_status( + {'X_IDENTITY_STATUS': 'Confirmed', + 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 403) + self.assertEqual(get_resp_status({}), 401) + self.assertEqual(get_resp_status( + {'X_IDENTITY_STATUS': 'Invalid'}), 401) + self.assertEqual(get_resp_status( + {'X_IDENTITY_STATUS': 'Invalid', + 'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401) + self.assertEqual(get_resp_status( + {'X_IDENTITY_STATUS': 'Confirmed', + 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401) + self.assertEqual(get_resp_status( + {'X_IDENTITY_STATUS': 'Invalid', + 'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401) + def test_blank_reseller_prefix(self): conf = {'reseller_prefix': ''} test_auth = keystoneauth.filter_factory(conf)(FakeApp()) |