Merge "Skip middleware request processing for admin token"

keystone/middleware/auth.py

@@ -45,9 +45,6 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
                                                     enforce_token_bind=bind)
 
     def fetch_token(self, token):
-        if CONF.admin_token and token == CONF.admin_token:
-            return {}
-
         try:
             return self.token_provider_api.validate_token(token)
         except exception.TokenNotFound:
@@ -138,10 +135,12 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol):
 
     @wsgi.middleware_exceptions
     def process_request(self, request):
-        resp = super(AuthContextMiddleware, self).process_request(request)
+        context_env = request.environ.get(core.CONTEXT_ENV, {})
+        if not context_env.get('is_admin', False):
+            resp = super(AuthContextMiddleware, self).process_request(request)
 
-        if resp:
-            return resp
+            if resp:
+                return resp
 
         # NOTE(jamielennox): function is split so testing can check errors from
         # fill_context. There is no actual reason for fill_context to raise

keystone/tests/unit/test_middleware.py

@@ -16,6 +16,7 @@ import copy
 import hashlib
 import uuid
 
+import fixtures
 from six.moves import http_client
 import webtest
 
@@ -762,3 +763,11 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests,
         self.assertRaisesRegexp(exception.TokenlessAuthConfigError,
                                 expected_msg,
                                 auth._build_idp_id)
+
+    def test_admin_token_context(self):
+        self.config_fixture.config(admin_token='ADMIN')
+        log_fix = self.useFixture(fixtures.FakeLogger())
+        headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
+        environ = {middleware.core.CONTEXT_ENV: {'is_admin': True}}
+        self._do_middleware_request(headers=headers, extra_environ=environ)
+        self.assertNotIn('Invalid user token', log_fix.output)