From e420b16c22288c0a8cb9b1337e56f04ca1ef8737 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Tue, 19 Jul 2016 15:41:24 -0700 Subject: [PATCH] Skip middleware request processing for admin token In be558717 the request handling was refactored and more of the token handling was left to keystonemiddleware. However, when using the deprecated admin_token, the token needs to be handled differently. Specifically, there may be no 'token' or 'access' key in the body of the request, which keystoneauth expects to have keystonemiddleware pass to it[1][2]. Luckily the admin_token doesn't need a lot of special processing, so we can just skip that step and move on to fill_context. [1] http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token/__init__.py#n399 [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/access/access.py#n41 Closes-bug: #1603038 Change-Id: Iac4a5769072925fe2f36768c8f31816e6866f2f6 --- keystone/middleware/auth.py | 11 +++++------ keystone/tests/unit/test_middleware.py | 9 +++++++++ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py index 1efc04085e..9c03c4a839 100644 --- a/keystone/middleware/auth.py +++ b/keystone/middleware/auth.py @@ -45,9 +45,6 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol): enforce_token_bind=bind) def fetch_token(self, token): - if CONF.admin_token and token == CONF.admin_token: - return {} - try: return self.token_provider_api.validate_token(token) except exception.TokenNotFound: 
@@ -138,10 +135,12 @@ class AuthContextMiddleware(auth_token.BaseAuthProtocol): @wsgi.middleware_exceptions def process_request(self, request): - resp = super(AuthContextMiddleware, self).process_request(request) + context_env = request.environ.get(core.CONTEXT_ENV, {}) + if not context_env.get('is_admin', False): + resp = super(AuthContextMiddleware, self).process_request(request) - if resp: - return resp + if resp: + return resp # NOTE(jamielennox): function is split so testing can check errors from # fill_context. There is no actual reason for fill_context to raise diff --git a/keystone/tests/unit/test_middleware.py b/keystone/tests/unit/test_middleware.py index aede051f1d..e0176edfca 100644 --- a/keystone/tests/unit/test_middleware.py +++ b/keystone/tests/unit/test_middleware.py @@ -16,6 +16,7 @@ import copy import hashlib import uuid +import fixtures from six.moves import http_client import webtest @@ -762,3 +763,11 @@ class AuthContextMiddlewareTest(test_backend_sql.SqlTests, self.assertRaisesRegexp(exception.TokenlessAuthConfigError, expected_msg, auth._build_idp_id) + + def test_admin_token_context(self): + self.config_fixture.config(admin_token='ADMIN') + log_fix = self.useFixture(fixtures.FakeLogger()) + headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'} + environ = {middleware.core.CONTEXT_ENV: {'is_admin': True}} + self._do_middleware_request(headers=headers, extra_environ=environ) + self.assertNotIn('Invalid user token', log_fix.output)
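Review bot: In the `process_request` hunk of keystone/middleware/auth.py, the new `if not context_env.get('is_admin', False):` branch skips the parent class's token processing on the strength of a flag read from `request.environ`, and after the removal in `fetch_token` nothing in this class compares the presented token with `CONF.admin_token`. The authentication decision therefore rests on whatever populated `core.CONTEXT_ENV` earlier in the pipeline, which this diff does not show (presumably the admin-token middleware in `keystone.middleware.core`). I would record that dependency above the branch, e.g. `# is_admin is only trustworthy when set by the admin-token middleware that runs before this one; it replaces token validation here`, so that a pipeline reordering is recognised as a security-relevant change. The rest of `process_request`, including the `fill_context` call, lies outside the hunk.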
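Review bot: `test_admin_token_context` in keystone/tests/unit/test_middleware.py proves the bypass only by the absence of the string 'Invalid user token' in the log, so it would still pass if that message were reworded or if the request failed for an unrelated reason. It also injects `{'is_admin': True}` directly, which leaves the complementary case untested: a request that carries the same header but no `is_admin` flag should still go through normal token validation. A companion test along the lines below would pin that down; the expected log line is inferred from the existing assertion and should be confirmed against the middleware's actual output. Asserting on the result of `_do_middleware_request` would be stronger still, but its return value is not visible in this diff.

```python
    def test_admin_token_without_admin_context(self):
        # Same header, but no is_admin flag in the environ: the token must
        # not be accepted without going through regular validation.
        self.config_fixture.config(admin_token='ADMIN')
        log_fix = self.useFixture(fixtures.FakeLogger())
        headers = {middleware.AUTH_TOKEN_HEADER: 'ADMIN'}
        self._do_middleware_request(headers=headers)
        self.assertIn('Invalid user token', log_fix.output)
```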