Make placement base API return version without auth

Allow both GET '/placement' and '/placement/' to return version info without doing authentication. In many deployment placement is found on a prefix of '/placement' different servers will or will not append the '/'. To be most resilient, accept either as "root". A unit test is added which confirms that no auth is required for root but auth is still required elsewhere. Co-Authored-By: Chris Dent <cdent@anticdent.org> Related-Bug: #1838633 Change-Id: Iaa93ec943f4f4fbb6c1af3a809859813872e62d7
2019-08-05 12:58:02 +05:30 · 2019-08-05 12:58:02 +05:30 · 5466ec1833
commit 5466ec1833
parent b12cba973d
2 changed files with 77 additions and 2 deletions
--- a/placement/auth.py
+++ b/placement/auth.py
@ -66,7 +66,7 @@ class PlacementKeystoneContext(Middleware):
        ctx = context.RequestContext.from_environ(
            req.environ, request_id=req_id)
-        if ctx.user_id is None and req.environ['PATH_INFO'] != '/':
+        if ctx.user_id is None and req.environ['PATH_INFO'] not in ['/', '']:
            LOG.debug("Neither X_USER_ID nor X_USER found in request")
            return webob.exc.HTTPUnauthorized()
@ -86,7 +86,7 @@ class PlacementAuthProtocol(auth_token.AuthProtocol):
        super(PlacementAuthProtocol, self).__init__(app, conf)
    def __call__(self, environ, start_response):
-        if environ['PATH_INFO'] == '/':
+        if environ['PATH_INFO'] in ['/', '']:
            return self._placement_app(environ, start_response)
        return super(PlacementAuthProtocol, self).__call__(
--- a/placement/tests/unit/test_auth.py
+++ b/placement/tests/unit/test_auth.py
@ -0,0 +1,75 @@
 #    Licensed under the Apache License, Version 2.0 (the "License"); you may
 #    not use this file except in compliance with the License. You may obtain
 #    a copy of the License at
 #
 #         http://www.apache.org/licenses/LICENSE-2.0
 #
 #    Unless required by applicable law or agreed to in writing, software
 #    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
 """Unit tests for the auth middleware used by the Placement service.
 Most of the functionality of the auth middleware is tested in functional
 and integration tests but sometimes it is more convenient or accurate to
 use unit tests.
 """
 from keystonemiddleware import auth_token
 from oslo_config import cfg
 from oslo_config import fixture as config_fixture
 from oslo_policy import opts as policy_opts
 import testtools
 import webob
 from placement import conf
 from placement import deploy
 class RootNoAuth(testtools.TestCase):
    """Confirm that no auth is required for accessing root."""
    def setUp(self):
        """Establish config defaults for middlewares."""
        super(RootNoAuth, self).setUp()
        config = cfg.ConfigOpts()
        conf_fixture = self.useFixture(config_fixture.Config(config))
        conf.register_opts(conf_fixture.conf)
        auth_token_opts = auth_token.AUTH_TOKEN_OPTS[0][1]
        conf_fixture.register_opts(auth_token_opts, group='keystone_authtoken')
        www_authenticate_uri = 'http://example.com/identity'
        conf_fixture.config(
            www_authenticate_uri=www_authenticate_uri,
            group='keystone_authtoken')
        # ensure that the auth_token middleware is chosen
        conf_fixture.config(auth_strategy='keystone', group='api')
        # register and default policy opts (referenced by deploy)
        policy_opts.set_defaults(conf_fixture.conf)
        self.conf = conf_fixture.conf
        self.app = deploy.deploy(self.conf)
    def _test_root_req(self, req):
        # set no environ on req, thus no auth
        req.environ['REMOTE_ADDR'] = '127.0.0.1'
        response = req.get_response(self.app)
        data = response.json_body
        self.assertEqual('CURRENT', data['versions'][0]['status'])
    def test_slash_no_auth(self):
        """Accessing / requires no auth."""
        req = webob.Request.blank('/', method='GET')
        self._test_root_req(req)
    def test_no_slash_no_auth(self):
        """Accessing '' requires no auth."""
        req = webob.Request.blank('', method='GET')
        self._test_root_req(req)
    def test_auth_elsewhere(self):
        """Make sure auth is happening."""
        req = webob.Request.blank('/resource_providers', method='GET')
        req.environ['REMOTE_ADDR'] = '127.0.0.1'
        response = req.get_response(self.app)
        self.assertEqual('401 Unauthorized', response.status)