From 046ba03d57a7300f7f8d24c7a12e32db6df8a508 Mon Sep 17 00:00:00 2001
From: Yuriy Zveryanskyy
Date: Mon, 25 May 2015 14:52:54 +0300
Subject: [PATCH] Do not add auth token in context for noauth API mode
Client can send auth token even if API works in "noauth" mode. This behavior misinforms conductor service. Now if context received via RPC do not contains auth token API works w/o authentication.
Change-Id: I67f0d3dcbfa80916ae3e77d03f6cc91244ca2179
---
 ironic/api/hooks.py | 6 +++++-
 ironic/tests/api/test_hooks.py | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/ironic/api/hooks.py b/ironic/api/hooks.py
index ddf81a9860..0132e14fb7 100644
--- a/ironic/api/hooks.py
+++ b/ironic/api/hooks.py
@@ -65,12 +65,16 @@ class ContextHook(hooks.PecanHook):
     def before(self, state):
         headers = state.request.headers
 
+        # Do not pass any token with context for noauth mode
+        auth_token = (None if cfg.CONF.auth_strategy == 'noauth' else
+                      headers.get('X-Auth-Token'))
+
         creds = {
             'user': headers.get('X-User') or headers.get('X-User-Id'),
             'tenant': headers.get('X-Tenant') or headers.get('X-Tenant-Id'),
             'domain_id': headers.get('X-User-Domain-Id'),
             'domain_name': headers.get('X-User-Domain-Name'),
-            'auth_token': headers.get('X-Auth-Token'),
+            'auth_token': auth_token,
             'roles': headers.get('X-Roles', '').split(','),
         }
 
diff --git a/ironic/tests/api/test_hooks.py b/ironic/tests/api/test_hooks.py
index ea0b089c0d..ba915eec2d 100644
--- a/ironic/tests/api/test_hooks.py
+++ b/ironic/tests/api/test_hooks.py
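Review bot: A client-supplied `X-Auth-Token` is now discarded silently in noauth mode, so an operator whose client is configured for token auth against a noauth API gets no trace of the mismatch; a debug-level log line when `headers.get('X-Auth-Token')` is set while `cfg.CONF.auth_strategy == 'noauth'` would make that misconfiguration visible without exposing the token value (this assumes hooks.py has a module logger, which the hunk does not show). The inline comment could also record the reason from the commit message rather than only the rule: `# Drop any client-supplied token in noauth mode: a token in the context misinforms the conductor into treating the request as authenticated`. The body of `before` continues past the end of the hunk.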
@@ -228,6 +228,24 @@ class TestContextHook(base.FunctionalTest):
             is_admin=True,
             roles=headers['X-Roles'].split(','))
 
+    @mock.patch.object(context, 'RequestContext')
+    def test_context_hook_noauth_token_removed(self, mock_ctx):
+        cfg.CONF.set_override('auth_strategy', 'noauth')
+        headers = fake_headers(admin=False)
+        reqstate = FakeRequestState(headers=headers)
+        context_hook = hooks.ContextHook(None)
+        context_hook.before(reqstate)
+        mock_ctx.assert_called_with(
+            auth_token=None,
+            user=headers['X-User'],
+            tenant=headers['X-Tenant'],
+            domain_id=headers['X-User-Domain-Id'],
+            domain_name=headers['X-User-Domain-Name'],
+            is_public_api=False,
+            show_password=False,
+            is_admin=False,
+            roles=headers['X-Roles'].split(','))
+
 
 class TestContextHookCompatJuno(TestContextHook):
     def setUp(self):
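Review bot: `cfg.CONF.set_override('auth_strategy', 'noauth')` in the new test is never undone, so unless `base.FunctionalTest` resets the config between tests (not visible here) the override leaks into later tests in this class and into `TestContextHookCompatJuno`, which inherits from it. Registering the reset right after the override, `self.addCleanup(cfg.CONF.clear_override, 'auth_strategy')`, keeps the test self-contained. The test also only proves the token is dropped when a token header is present if `fake_headers(admin=False)` actually sets `X-Auth-Token`; a one-line docstring stating that precondition, such as `"""A token sent by the client is not placed in the context in noauth mode."""`, would make the intent clear to the next reader. The enclosing class `TestContextHook` starts outside the hunk.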