From ee2e3272ac01d79133ffb735aac1ed125a88955d Mon Sep 17 00:00:00 2001
From: Brant Knudson <bknudson@us.ibm.com>
Date: Wed, 17 Feb 2016 10:03:38 -0600
Subject: [PATCH] Move admin_token_auth before build_auth_context in sample
 paste.ini

It's deprecated to have admin_token_auth after build_auth_context,
so move admin_token_auth before build_auth_context.

Also, for safety in the code handling the deprecated configuration,
only do the admin_token check if admin_token is not the default.

Closes-Bug: 1549371
Change-Id: I2607e718ecd50eb605a1e4bbfb3862e3968b6484
---
 etc/keystone-paste.ini      |  6 +++---
 keystone/middleware/auth.py | 14 ++++++++------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/etc/keystone-paste.ini b/etc/keystone-paste.ini
index be5285342e..bb7d20cc40 100644
--- a/etc/keystone-paste.ini
+++ b/etc/keystone-paste.ini
@@ -54,17 +54,17 @@ use = egg:keystone#admin_service
 [pipeline:public_api]
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service
 
 [pipeline:admin_api]
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service
 
 [pipeline:api_v3]
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3
+pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
 
 [app:public_version_service]
 use = egg:keystone#public_version_service
diff --git a/keystone/middleware/auth.py b/keystone/middleware/auth.py
index 909675243f..19083f5a31 100644
--- a/keystone/middleware/auth.py
+++ b/keystone/middleware/auth.py
@@ -75,14 +75,16 @@ class AuthContextMiddleware(wsgi.Middleware):
         return None, None, False
 
     def _build_token_auth_context(self, request, token_id):
-        if token_id == CONF.admin_token:
+        if CONF.admin_token and token_id == CONF.admin_token:
             versionutils.report_deprecated_feature(
                 LOG,
-                _LW('Auth context checking for the admin token is deprecated '
-                    'as of the Mitaka release and will be removed in the O '
-                    'release. Update keystone-paste.ini so that '
-                    'admin_token_auth is before build_auth_context in the '
-                    'paste pipelines.'))
+                _LW('build_auth_context middleware checking for the admin '
+                    'token is deprecated as of the Mitaka release and will be '
+                    'removed in the O release. If your deployment requires '
+                    'use of the admin token, update keystone-paste.ini so '
+                    'that admin_token_auth is before build_auth_context in '
+                    'the paste pipelines, otherwise remove the '
+                    'admin_token_auth middleware from the paste pipelines.'))
             return {}, True
 
         context = {'token_id': token_id}