Disable Admin tokens set to None

Partial-Bug: 1545761 Change-Id: Ie292f447f2fe1357824b322817b1585c82d0c552
2016-02-16 14:53:54 -05:00 · 2016-02-16 14:53:54 -05:00 · 37e9d6bbf1
commit 37e9d6bbf1
parent a14d761387
6 changed files with 34 additions and 5 deletions
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@ -46,10 +46,13 @@ _DEPRECATE_EP_MSG = ('The option to enable the OS-ENDPOINT-POLICY extension '

 FILE_OPTIONS = {
    None: [
-        cfg.StrOpt('admin_token', secret=True, default='ADMIN',
+        cfg.StrOpt('admin_token', secret=True, default=None,
                   help='A "shared secret" that can be used to bootstrap '
                        'Keystone. This "token" does not represent a user, '
-                        'and carries no explicit authorization. To disable '
+                        'and carries no explicit authorization. If set '
+                        'to `None`, the value is ignored and the '
+                        '`admin_token` log in mechanism is effectively '
+                        'disabled. To completely disable `admin_token` '
                        'in production (highly recommended), remove '
                        'AdminTokenAuthMiddleware from your paste '
                        'application pipelines (for example, in '
--- a/keystone/middleware/core.py
+++ b/keystone/middleware/core.py
@ -69,7 +69,7 @@ class AdminTokenAuthMiddleware(wsgi.Middleware):
    def process_request(self, request):
        token = request.headers.get(AUTH_TOKEN_HEADER)
        context = request.environ.get(CONTEXT_ENV, {})
-        context['is_admin'] = (token == CONF.admin_token)
+        context['is_admin'] = CONF.admin_token and (token == CONF.admin_token)
        request.environ[CONTEXT_ENV] = context


--- a/keystone/tests/unit/test_middleware.py
+++ b/keystone/tests/unit/test_middleware.py
@ -114,8 +114,13 @@ class AdminTokenAuthMiddlewareTest(MiddlewareRequestTestBase):

    MIDDLEWARE_CLASS = middleware.AdminTokenAuthMiddleware

+    def config_overrides(self):
+        super(AdminTokenAuthMiddlewareTest, self).config_overrides()
+        self.config_fixture.config(
+            admin_token='ADMIN')
+
    def test_request_admin(self):
-        headers = {middleware.AUTH_TOKEN_HEADER: CONF.admin_token}
+        headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
        req = self._do_middleware_request(headers=headers)
        self.assertTrue(req.environ[middleware.CONTEXT_ENV]['is_admin'])

--- a/keystone/tests/unit/test_v3.py
+++ b/keystone/tests/unit/test_v3.py
@ -1330,6 +1330,11 @@ class VersionTestCase(RestfulTestCase):
 class AuthContextMiddlewareAdminTokenTestCase(RestfulTestCase):
    EXTENSION_TO_ADD = 'admin_token_auth'

+    def config_overrides(self):
+        super(AuthContextMiddlewareAdminTokenTestCase, self).config_overrides()
+        self.config_fixture.config(
+            admin_token='ADMIN')
+
    # NOTE(morganfainberg): This is knowingly copied from below for simplicity
    # during the deprecation cycle.
    def _middleware_request(self, token, extra_environ=None):
@ -1364,7 +1369,7 @@ class AuthContextMiddlewareAdminTokenTestCase(RestfulTestCase):
        # For backwards compatibility AuthContextMiddleware will check that the
        # admin token (as configured in the CONF file) is present and not
        # attempt to build the auth context. This is deprecated.
-        req = self._middleware_request(CONF.admin_token)
+        req = self._middleware_request('ADMIN')
        auth_context = req.environ.get(authorization.AUTH_CONTEXT_ENV)
        self.assertDictEqual({}, auth_context)
        self.assertEqual(1, mock_report_deprecated.call_count)
--- a/keystone/tests/unit/test_v3_identity.py
+++ b/keystone/tests/unit/test_v3_identity.py
@ -36,6 +36,11 @@ CONF = cfg.CONF
 class IdentityTestCaseStaticAdminToken(test_v3.RestfulTestCase):
    EXTENSION_TO_ADD = 'admin_token_auth'

+    def config_overrides(self):
+        super(IdentityTestCaseStaticAdminToken, self).config_overrides()
+        self.config_fixture.config(
+            admin_token='ADMIN')
+
    def test_list_users_with_static_admin_token_and_multiple_backends(self):
        # domain-specific operations with the bootstrap ADMIN token is
        # disallowed when domain-specific drivers are enabled
--- a/releasenotes/notes/admin_token-c634ec12fc714255.yaml
+++ b/releasenotes/notes/admin_token-c634ec12fc714255.yaml
@ -0,0 +1,11 @@
+---
+security:
+  - The admin_token method of authentication was never intended to be
+    used for any purpose other than bootstrapping an install. However
+    many deployments had to leave the admin_token method enabled due
+    to restrictions on editing the paste file used to configure the
+    web pipelines.  To minimize the risk from this mechanism, the
+    `admin_token` configuration value now defaults to a python `None`
+    value.  In addition, if the value is set to `None`, either explicitly or
+    implicitly, the `admin_token` will not be enabled, and an attempt to
+    use it will lead to a failed authentication.