def test_validate_client_impersonation(self, m):
test_redis = get_auth_redis_client()
m.post('http://mockurl/tokens', text='\
{"access": {"token": {"id": "the-token", \
"expires": "2025-09-04T14:09:20.236Z"}}}')
token_data = AdminToken(url='http://mockurl', tenant='tenant-id',
passwd='passwd', token='thetoken')
self.assertIsNone(token_data.token_data)
m.get('http://mockurl/tenants/tenant-id/users', text='\
{"users": [{"id": "the-user-id"}]}')
m.get('http://mockurl/users/the-user-id/RAX-AUTH/admins', text='\
{"users": [{"username": "******"}]}')
m.post('http://mockurl/RAX-AUTH/impersonation-tokens', text='\
{"access": {"token": {"id": "the-token",\
"expires": "2025-09-04T14:09:20.236Z"}}}')
retval, token, cache_key = validate_client_impersonation(test_redis,
url='http://mockurl', tenant='tenant-id', admintoken=token_data)
self.assertTrue(retval)
self.assertIsNotNone(cache_key)
self.assertEqual(token["expires"], "2025-09-04T14:09:20.236Z")
self.assertEqual(token["tenant"], "tenant-id")
self.assertEqual(token["token"], "the-token")
m.post('http://mockurl/RAX-AUTH/impersonation-tokens', status_code=404)
retval, token, cache_key = validate_client_impersonation(test_redis,
url='http://mockurl', tenant='tenant-id', admintoken=token_data)
self.assertFalse(retval)
self.assertIsNone(token)
self.assertIsNone(cache_key)
def middleware(env, start_response):
# Inject transaction-id into the response headers.
def transactionhook(status, headers, exc_info=None):
transaction = context.RequestContext()
setattr(local.store, 'context', transaction)
stealth.context.transaction = transaction
headers.append(('Transaction-ID', str(
stealth.context.transaction.request_id)))
return start_response(status, headers, exc_info)
try:
project_id = env['HTTP_X_PROJECT_ID']
token = ''
cache_key = ''
valid = False
if 'HTTP_X_AUTH_TOKEN' in env:
cache_key = env['HTTP_X_AUTH_TOKEN']
# Validate the input cache_key.
valid, token = token_validation.validate_client_token(redis_client,
auth_url, project_id, cache_key)
if valid:
env['X-AUTH-TOKEN'] = token
env.pop('HTTP_X_AUTH_TOKEN', cache_key)
return app(env, transactionhook)
# Validate the client with the impersonation token
valid, usertoken, cache_key = \
token_validation.validate_client_impersonation(
redis_client, auth_url, project_id, Admintoken)
if valid and usertoken and usertoken['token']:
# Inject cahce_key as the auth token into the response headers.
def custom_start_response(status, headers, exc_info=None):
headers.append(('HTTP_X_AUTH_TOKEN', str(cache_key)))
return transactionhook(status, headers, exc_info)
token = usertoken['token']
env['X-AUTH-TOKEN'] = token
LOG.debug(('Middleware: Auth Token validated.'))
return app(env, custom_start_response)
else:
# Validation failed for some reason, just error out as a 401
LOG.error(('Middleware: Auth Token validation failed.'))
return _http_unauthorized(start_response)
except (KeyError, LookupError):
# Header failure, error out with 412
LOG.error(('Middleware: Missing required headers.'))
return _http_precondition_failed(start_response)
def auth(self, req, resp):
try:
auth_token = None
valid = False
cache_key = None
project_id = req.headers['X-PROJECT-ID']
if 'X-AUTH-TOKEN' in req.headers:
cache_key = req.headers['X-AUTH-TOKEN']
valid, auth_token = token_validation.validate_client_token(
self.redis_client,
self.auth_url, project_id, cache_key)
if not valid:
valid, usertoken, cache_key =\
token_validation.validate_client_impersonation(
self.redis_client, self.auth_url, project_id,
self.Admintoken)
if not valid:
# Validation failed for some reason,
# just error out as a 401
LOG.error('Auth Token validation failed.')
return False, 'Auth Token validation failed.'
# WHY NOT? else if usertoken and usertoken['token']:
auth_token = usertoken['token']
#
# auth_token here is the real auth token from Keystone,
# It can be replaced in the user requests and forward
# to the service providers.
#
# req.headers['X-AUTH-TOKEN'] = auth_token
#
# validate the client and fill out the request it's valid
LOG.debug('Auth Token validated.')
# Return only generated hmac values back to the users.
return True, cache_key
except (KeyError, LookupError):
# Header failure, error out with 412
LOG.error('Missing required headers.')
return False, 'Missing required headers.'
def auth(env, start_response):
try:
project_id = env['HTTP_X_PROJECT_ID']
token = ''
cache_key = ''
valid = False
if 'HTTP_X_AUTH_TOKEN' in env:
cache_key = env['HTTP_X_AUTH_TOKEN']
valid, token = token_validation.validate_client_token(redis_client,
auth_url, project_id, cache_key)
if valid:
LOG.debug(('App: Auth Token validated.'))
start_response('204 No Content',
[])
return []
# validate the client and fill out the env
valid, usertoken, cache_key = \
token_validation.validate_client_impersonation(
redis_client, auth_url, project_id, Admintoken)
if valid and usertoken and usertoken['token']:
token = usertoken['token']
# env['X-AUTH-TOKEN'] = token
LOG.debug(('App: Auth Token validated.'))
start_response('204 No Content',
[('X-AUTH-TOKEN', cache_key)])
return []
# Validation failed. Error out as a 401
LOG.error(('App: Auth Token validation failed.'))
return _http_unauthorized(start_response)
except (KeyError, LookupError):
# Header failure, error out with 412
LOG.error(('App: Missing required headers.'))
return _http_precondition_failed(start_response)
