Do not add auth token in context for noauth API mode

Client can send auth token even if API works in "noauth" mode. This behavior misinforms conductor service. Now if context received via RPC do not contains auth token API works w/o authentication. Change-Id: I67f0d3dcbfa80916ae3e77d03f6cc91244ca2179
2015-05-25 14:52:54 +03:00 · 2015-05-25 14:52:54 +03:00 · 046ba03d57
commit 046ba03d57
parent 906998b424
2 changed files with 23 additions and 1 deletions
--- a/ironic/api/hooks.py
+++ b/ironic/api/hooks.py
@ -65,12 +65,16 @@ class ContextHook(hooks.PecanHook):
    def before(self, state):
        headers = state.request.headers

+        # Do not pass any token with context for noauth mode
+        auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else
+                      headers.get('X-Auth-Token'))
+
        creds = {
            'user': headers.get('X-User') or headers.get('X-User-Id'),
            'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
            'domain_id': headers.get('X-User-Domain-Id'),
            'domain_name': headers.get('X-User-Domain-Name'),
-            'auth_token': headers.get('X-Auth-Token'),
+            'auth_token': auth_token,
            'roles': headers.get('X-Roles', '').split(','),
        }

--- a/ironic/tests/api/test_hooks.py
+++ b/ironic/tests/api/test_hooks.py
@ -228,6 +228,24 @@ class TestContextHook(base.FunctionalTest):
            is_admin=True,
            roles=headers['X-Roles'].split(','))

+    @mock.patch.object(context, 'RequestContext')
+    def test_context_hook_noauth_token_removed(self, mock_ctx):
+        cfg.CONF.set_override('auth_strategy', 'noauth')
+        headers = fake_headers(admin=False)
+        reqstate = FakeRequestState(headers=headers)
+        context_hook = hooks.ContextHook(None)
+        context_hook.before(reqstate)
+        mock_ctx.assert_called_with(
+            auth_token=None,
+            user=headers['X-User'],
+            tenant=headers['X-Tenant'],
+            domain_id=headers['X-User-Domain-Id'],
+            domain_name=headers['X-User-Domain-Name'],
+            is_public_api=False,
+            show_password=False,
+            is_admin=False,
+            roles=headers['X-Roles'].split(','))
+

 class TestContextHookCompatJuno(TestContextHook):
    def setUp(self):