Support HTTP_X_SERVICE_IDENTITY_STATUS in keystoneauth

Keystone's auth_token now supports delay denial when a service token is invalid. This change handles the consequences for determining 401 vs 403 responses. Related-Bug: #1422389 Change-Id: I90ba062e357cccea061c7101463b82b7c5e69293
2015-02-25 13:54:55 +00:00 · 2015-02-25 13:54:55 +00:00 · 8a1453e61e
commit 8a1453e61e
parent d3213fb1fe
2 changed files with 28 additions and 1 deletions
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@ -242,7 +242,9 @@ class KeystoneAuth(object):
        # using _integral_keystone_identity to replace current
        # _keystone_identity. The purpose of keeping it in this release it for
        # back compatibility.
-        if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
+        if (environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed'
+            or environ.get(
+                'HTTP_X_SERVICE_IDENTITY_STATUS') not in (None, 'Confirmed')):
            return
        roles = []
        if 'HTTP_X_ROLES' in environ:
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@ -158,6 +158,31 @@ class SwiftAuth(unittest.TestCase):
        resp = req.get_response(self.test_auth)
        self.assertEqual(resp.status_int, 401)

+    def test_denied_responses(self):
+
+        def get_resp_status(headers):
+            req = self._make_request(headers=headers)
+            resp = req.get_response(self.test_auth)
+            return resp.status_int
+
+        self.assertEqual(get_resp_status({'X_IDENTITY_STATUS': 'Confirmed'}),
+                         403)
+        self.assertEqual(get_resp_status(
+                         {'X_IDENTITY_STATUS': 'Confirmed',
+                          'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 403)
+        self.assertEqual(get_resp_status({}), 401)
+        self.assertEqual(get_resp_status(
+                         {'X_IDENTITY_STATUS': 'Invalid'}), 401)
+        self.assertEqual(get_resp_status(
+                         {'X_IDENTITY_STATUS': 'Invalid',
+                          'X_SERVICE_IDENTITY_STATUS': 'Confirmed'}), 401)
+        self.assertEqual(get_resp_status(
+                         {'X_IDENTITY_STATUS': 'Confirmed',
+                          'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+        self.assertEqual(get_resp_status(
+                         {'X_IDENTITY_STATUS': 'Invalid',
+                          'X_SERVICE_IDENTITY_STATUS': 'Invalid'}), 401)
+
    def test_blank_reseller_prefix(self):
        conf = {'reseller_prefix': ''}
        test_auth = keystoneauth.filter_factory(conf)(FakeApp())