authorZuul <zuul@review.opendev.org>2022-10-26 02:21:25 +0000
committerGerrit Code Review <review@openstack.org>2022-10-26 02:21:25 +0000
commit99959a3fa34b88abc6e17d6ddd117aa012d19320 (patch)
treeb851d1c248b0aa067c26bf2442a78bed3b1ff07b
parent75573b7aec3c47a17a41fbd5263a02da55a0c751 (diff)
parent55ec721fa8f0ca8cdc33b80b04121fbc807b91d6 (diff)
Merge "Simplify tenant_authorizatons check"
-rw-r--r--tests/unit/test_web.py15
-rwxr-xr-xzuul/web/__init__.py30
2 files changed, 9 insertions, 36 deletions
diff --git a/tests/unit/test_web.py b/tests/unit/test_web.py
index de704a1b1..b468109f9 100644
--- a/tests/unit/test_web.py
+++ b/tests/unit/test_web.py
@@ -2946,20 +2946,9 @@ class TestTenantScopedWebApiWithAuthRules(BaseTestWeb):
data['zuul']['scope'],
"%s got %s" % (authz['sub'], data))
- req = self.get_url('/api/tenant/tenant-two/authorizations',
+ req = self.get_url('/api/tenant/unknown/authorizations',
headers={'Authorization': 'Bearer %s' % token})
- self.assertEqual(200, req.status_code, req.text)
- data = req.json()
- self.assertTrue('zuul' in data,
- "%s got %s" % (authz['sub'], data))
- self.assertTrue('admin' in data['zuul'],
- "%s got %s" % (authz['sub'], data))
- self.assertEqual('tenant-two' in test_user['zuul.admin'],
- data['zuul']['admin'],
- "%s got %s" % (authz['sub'], data))
- self.assertEqual(['tenant-two', ],
- data['zuul']['scope'],
- "%s got %s" % (authz['sub'], data))
+ self.assertEqual(404, req.status_code, req.text)
def test_authorizations_no_header(self):
"""Test that missing Authorization header results in HTTP 401"""
diff --git a/zuul/web/__init__.py b/zuul/web/__init__.py
index b64faf202..210c68ad9 100755
--- a/zuul/web/__init__.py
+++ b/zuul/web/__init__.py
@@ -890,7 +890,7 @@ class ZuulWebAPI(object):
@cherrypy.expose
@cherrypy.tools.json_out(content_type='application/json; charset=utf-8')
@cherrypy.tools.handle_options(allowed_methods=['GET', ])
- def tenant_authorizations(self, tenant):
+ def tenant_authorizations(self, tenant_name):
basic_error = self._basic_auth_header_check()
if basic_error is not None:
return basic_error
@@ -898,29 +898,12 @@ class ZuulWebAPI(object):
claims, token_error = self._auth_token_check()
if token_error is not None:
return token_error
- try:
- admin_tenants = self._authorizations()
- except exceptions.AuthTokenException as e:
- for header, contents in e.getAdditionalHeaders().items():
- cherrypy.response.headers[header] = contents
- cherrypy.response.status = e.HTTPError
- return {'description': e.error_description,
- 'error': e.error,
- 'realm': e.realm}
+ tenant = self._getTenantOrRaise(tenant_name)
+ admin = self._is_authorized(tenant, claims)
resp = cherrypy.response
resp.headers['Access-Control-Allow-Origin'] = '*'
- return {'zuul': {'admin': tenant in admin_tenants,
- 'scope': [tenant, ]}, }
-
- def _authorizations(self):
- rawToken = cherrypy.request.headers['Authorization'][len('Bearer '):]
- claims = self.zuulweb.authenticators.authenticate(rawToken)
-
- if 'zuul' in claims and 'admin' in claims.get('zuul', {}):
- return claims['zuul']['admin']
-
- return [n for n, t in self.zuulweb.abide.tenants.items()
- if self._is_authorized(t, claims)]
+ return {'zuul': {'admin': admin,
+ 'scope': [tenant_name, ]}, }
def _tenants(self):
result = []
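Review bot: The `admin` flag now rests entirely on `self._is_authorized(tenant, claims)`, whose body is not in this diff, whereas the removed `_authorizations` helper returned the token's `zuul.admin` claim before falling back to tenant rules; it is worth confirming that `_is_authorized` still honours that claim so the endpoint's answer does not change for such tokens. The tenant lookup sits after `_auth_token_check()`, so an unknown tenant name is only distinguishable once a valid token has been presented; that ordering looks deliberate and deserves a comment above the lookup, e.g. `# Resolve the tenant only after the token is validated: unauthenticated callers get the auth error, not a 404.` `Access-Control-Allow-Origin` is still set after `_getTenantOrRaise(tenant_name)`, so the not-found response presumably goes out without it; moving `resp.headers['Access-Control-Allow-Origin'] = '*'` above the lookup would keep browser clients' error handling consistent. The test hunk in tests/unit/test_web.py now covers only the 404 path for the second request; if the fixture has a second tenant, a case where the token's claim does not cover it would pin `admin` being false. The signature and the first checks of `tenant_authorizations` are in the previous hunk.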
@@ -1897,7 +1880,8 @@ class ZuulWeb(object):
if self.authenticators.authenticators:
# route order is important, put project actions before the more
# generic tenant/{tenant}/project/{project} route
- route_map.connect('api', '/api/tenant/{tenant}/authorizations',
+ route_map.connect('api',
+ '/api/tenant/{tenant_name}/authorizations',
controller=api,
action='tenant_authorizations')
route_map.connect('api', '/api/tenant/{tenant_name}/promote',