From 5b4eee16b8de2ba55db34321f9aafe99e3d811e3 Mon Sep 17 00:00:00 2001
From: Samantha Blanco <spblanco.1@gmail.com>
Date: Fri, 3 Nov 2017 15:04:39 -0400
Subject: [PATCH] Add noauth

Adds noauth option for testing.

Change-Id: Idd0ee60ffdc824c9693e998595577b5eca3a24b6
---
 charts/promenade/values.yaml         |  2 +-
 etc/promenade/noauth-api-paste.ini   | 27 ++++++++++++++
 examples/basic/armada-resources.yaml |  2 +-
 promenade/control/middleware.py      | 53 ++++++++++++++++++++++++++++
 tools/dev/server.sh                  |  2 +-
 5 files changed, 83 insertions(+), 3 deletions(-)
 create mode 100644 etc/promenade/noauth-api-paste.ini

diff --git a/charts/promenade/values.yaml b/charts/promenade/values.yaml
index e58383d0..00d1842b 100644
--- a/charts/promenade/values.yaml
+++ b/charts/promenade/values.yaml
@@ -20,7 +20,7 @@ conf:
       paste.filter_factory: keystonemiddleware.auth_token:filter_factory
     filter:noauth:
       forged_roles: admin
-      paste.filter_factory: promenade.control.middleware:no_auth_filter_factory
+      paste.filter_factory: promenade.control.middleware:noauth_filter_factory
     app:promenade-api:
       paste.app_factory: promenade.promenade:paste_start_promenade
 
diff --git a/etc/promenade/noauth-api-paste.ini b/etc/promenade/noauth-api-paste.ini
new file mode 100644
index 00000000..d8ef0b84
--- /dev/null
+++ b/etc/promenade/noauth-api-paste.ini
@@ -0,0 +1,27 @@
+# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#PasteDeploy Configuration File
+#Used to configure uWSGI middleware pipeline
+
+[filter:noauth]
+forged_roles = admin
+paste.filter_factory = promenade.control.middleware:no_auth_filter_factory
+
+[app:promenade-api]
+disable = keystone
+paste.app_factory = promenade.promenade:paste_start_promenade
+
+[pipeline:main]
+pipeline = noauth promenade-api
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index c966c504..91d08e5a 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -1070,7 +1070,7 @@ data:
     conf:
       paste:
         pipeline:main:
-          pipeline: promenade-api
+          pipeline: noauth promenade-api
     images:
       tags:
         api: quay.io/attcomdev/promenade:latest
diff --git a/promenade/control/middleware.py b/promenade/control/middleware.py
index 9c0ecd10..34b51e0c 100644
--- a/promenade/control/middleware.py
+++ b/promenade/control/middleware.py
@@ -124,4 +124,57 @@ class LoggingMiddleware(object):
         resp.append_header('X-Promenade-Req', ctx.request_id)
         self.logger.info(
             '%s %s - %s', req.method, req.uri, resp.status, extra=extra)
+
         self.logger.debug('Response body:\n%s', resp.body, extra=extra)
+
+
+class NoAuthFilter(object):
+    """PasteDeploy filter for NoAuth to be used in testing."""
+
+    def __init__(self, app, forged_roles):
+        self.app = app
+        self.forged_roles = forged_roles
+
+    def __call__(self, environ, start_response):
+        """Forge headers to make unauthenticated requests look authenticated.
+
+        If the request has a X-AUTH-TOKEN header, assume it is a valid request
+        and noop. Otherwise forge Keystone middleware headers so the request
+        looks valid with the configured forged roles.
+        """
+        if 'HTTP_X_AUTH_TOKEN' in environ:
+            return self.app(environ, start_response)
+
+        environ['HTTP_X_IDENTITY_STATUS'] = 'Confirmed'
+
+        for envvar in [
+                'USER_NAME', 'USER_ID', 'USER_DOMAIN_ID', 'PROJECT_ID',
+                'PROJECT_DOMAIN_NAME'
+        ]:
+            varname = "HTTP_X_%s" % envvar
+            environ[varname] = 'noauth'
+
+        if self.forged_roles:
+            if 'admin' in self.forged_roles:
+                environ['HTTP_X_IS_ADMIN_PROJECT'] = 'True'
+            else:
+                environ['HTTP_X_IS_ADMIN_PROJECT'] = 'False'
+            environ['HTTP_X_ROLES'] = ','.join(self.forged_roles)
+        else:
+            environ['HTTP_X_IS_ADMIN_PROJECT'] = 'True'
+            environ['HTTP_X_ROLES'] = 'admin'
+
+        return self.app(environ, start_response)
+
+
+def noauth_filter_factory(global_conf, forged_roles):
+    """Create a NoAuth paste deploy filter
+
+    :param forged_roles: A space seperated list for roles to forge on requests
+    """
+    forged_roles = forged_roles.split()
+
+    def filter(app):
+        return NoAuthFilter(app, forged_roles)
+
+    return filter
diff --git a/tools/dev/server.sh b/tools/dev/server.sh
index c11a5f3b..b8f00f59 100755
--- a/tools/dev/server.sh
+++ b/tools/dev/server.sh
@@ -13,6 +13,6 @@ export PROMENADE_DEBUG=${PROMENADE_DEBUG:-1}
 exec docker run \
     --rm -it \
     --publish 9000:9000 \
-    --volume "${SOURCE_DIR}/etc/promenade":/etc/promenade \
+    --volume "${SOURCE_DIR}/etc/promenade/noauth-api-paste.ini":/etc/promenade/api-paste.ini:ro \
     quay.io/attcomdev/promenade:latest \
         server