make roles case-insensitive

Fix bug #1010519 Change-Id: I5b4a50e2d546ba8b4b018178af09707bc4d31fce
2012-06-08 18:15:47 +03:00 · 2012-06-08 18:15:47 +03:00 · 081823ad86
commit 081823ad86
parent 7aa688a897
2 changed files with 28 additions and 3 deletions
--- a/glance/common/context.py
+++ b/glance/common/context.py
@ -100,7 +100,7 @@ class ContextMiddleware(wsgi.Middleware):
        #NOTE(bcwaldon): X-Roles is a csv string, but we need to parse
        # it into a list to be useful
        roles_header = req.headers.get('X-Roles', '')
-        roles = [r.strip() for r in roles_header.split(',')]
+        roles = [r.strip().lower() for r in roles_header.split(',')]

        #NOTE(bcwaldon): This header is deprecated in favor of X-Auth-Token
        deprecated_token = req.headers.get('X-Storage-Token')
@ -109,7 +109,7 @@ class ContextMiddleware(wsgi.Middleware):
            'user': req.headers.get('X-User-Id'),
            'tenant': req.headers.get('X-Tenant-Id'),
            'roles': roles,
-            'is_admin': CONF.admin_role in roles,
+            'is_admin': CONF.admin_role.strip().lower() in roles,
            'auth_tok': req.headers.get('X-Auth-Token', deprecated_token),
            'owner_is_tenant': CONF.owner_is_tenant,
        }
--- a/glance/tests/unit/test_context_middleware.py
+++ b/glance/tests/unit/test_context_middleware.py
@ -34,7 +34,7 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)

-        # without the 'admin' role, is_admin shoud be False
+        # without the 'admin' role, is_admin should be False
        req = self._build_request()
        self._build_middleware().process_request(req)
        self.assertFalse(req.context.is_admin)
@ -45,6 +45,31 @@ class TestContextMiddleware(base.IsolatedUnitTest):
        self._build_middleware().process_request(req)
        self.assertTrue(req.context.is_admin)

+    def test_roles_case_insensitive(self):
+        # accept role from request
+        req = self._build_request(roles=['Admin', 'role2'])
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+        # accept role from config
+        req = self._build_request(roles=['role1'])
+        self.config(admin_role='rOLe1')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+    def test_roles_stripping(self):
+        # stripping extra spaces in request
+        req = self._build_request(roles=['\trole1'])
+        self.config(admin_role='role1')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
+        # stripping extra spaces in config
+        req = self._build_request(roles=['\trole1\n'])
+        self.config(admin_role=' role1\t')
+        self._build_middleware().process_request(req)
+        self.assertTrue(req.context.is_admin)
+
    def test_anonymous_access_enabled(self):
        req = self._build_request(identity_status='Nope')
        self.config(allow_anonymous_access=True)