diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py index 1efc04085e..9c03c4a839 100644 --- a/keystone/middleware/auth.py +++ b/keystone/middleware/auth.py @@ -45,9 +45,6 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol): enforce_token_bind=bind) def fetch_token(self, token): - if CONF.admin_token and token == CONF.admin_token: - return {} - try: return self.token_provider_api.validate_token(token) except exception.TokenNotFound: @@ -138,10 +135,12 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol): @wsgi.middleware_exceptions def process_request(self, request): - resp = super(AuthContextMiddleware, self).process_request(request) + context_env = request.environ.get(core.CONTEXT_ENV, {}) + if not context_env.get('is_admin', False): + resp = super(AuthContextMiddleware, self).process_request(request) - if resp: - return resp + if resp: + return resp # NOTE(jamielennox): function is split so testing can check errors from # fill_context. There is no actual reason for fill_context to raise diff --git a/keystone/tests/unit/test_middleware.py b/keystone/tests/unit/test_middleware.py index aede051f1d..e0176edfca 100644 --- a/keystone/tests/unit/test_middleware.py +++ b/keystone/tests/unit/test_middleware.py @@ -16,6 +16,7 @@ import copy import hashlib import uuid +import fixtures from six.moves import http_client import webtest @@ -762,3 +763,11 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests, self.assertRaisesRegexp(exception.TokenlessAuthConfigError, expected_msg, auth._build_idp_id) + + def test_admin_token_context(self): + self.config_fixture.config(admin_token='ADMIN') + log_fix = self.useFixture(fixtures.FakeLogger()) + headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'} + environ = {middleware.core.CONTEXT_ENV: {'is_admin': True}} + self._do_middleware_request(headers=headers, extra_environ=environ) + self.assertNotIn('Invalid user token', log_fix.output)
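Review bot: The new `is_admin` branch in process_request skips token validation whenever the `core.CONTEXT_ENV` entry of `request.environ` carries a truthy `is_admin`, and nothing in the hunk records which component is trusted to set that key. Presumably an earlier middleware sets it after matching `CONF.admin_token`; I would say so in a comment above the check, e.g. `# is_admin is set upstream by the admin-token check; only then is token validation skipped`, and tighten the condition to `if context_env.get('is_admin') is not True:` so a stray truthy value cannot bypass validation. Indentation is flattened on this page: the re-added `if resp:` / `return resp` need to sit inside the new branch, since `resp` is unbound on the admin path. process_request continues past the end of the hunk.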
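Review bot: test_admin_token_context only asserts that 'Invalid user token' is absent from the log, so it would also pass if the middleware stopped logging that message or never reached token validation for some other reason. It also leaves the negative case unpinned: the same `ADMIN` header without `is_admin` in the environ should still go through validation now that fetch_token no longer short-circuits on `CONF.admin_token`. I would add a companion test that sends the header with `extra_environ={middleware.core.CONTEXT_ENV: {'is_admin': False}}` and asserts the token is not accepted; the exact assertion depends on what _do_middleware_request returns, which is not visible here.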