Override the token server setting with crum also. (ansible#2183)

* Override the token server setting with crum also. * Add integration test for token server munging. No-Issue Signed-off-by: James Tanner <[email protected]>
chr-stian · Jun 20, 2024 · 09edfc7 · 09edfc7
1 parent c71bb79
commit 09edfc7
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 1 deletion.
diff --git a/galaxy_ng/app/dynaconf_hooks.py b/galaxy_ng/app/dynaconf_hooks.py
@@ -698,7 +698,7 @@ def alter_hostname_settings(
         """
 
         # we only want to modify these settings base on request headers
-        ALLOWED_KEYS = ['CONTENT_ORIGIN', 'ANSIBLE_API_HOSTNAME']
+        ALLOWED_KEYS = ['CONTENT_ORIGIN', 'ANSIBLE_API_HOSTNAME', 'TOKEN_SERVER']
 
         # If app is starting up or key is not on allowed list bypass and just return the value
         if not apps.ready or key.upper() not in ALLOWED_KEYS:
@@ -711,6 +711,8 @@ def alter_hostname_settings(
             proto = headers.get("X-Forwarded-Proto", "http")
             host = headers.get("Host", "localhost:5001")
             baseurl = proto + "://" + host
+            if key.upper() == 'TOKEN_SERVER':
+                baseurl += '/token/'
             return baseurl
 
         return value.value

diff --git a/galaxy_ng/tests/integration/dab/test_url_resolution.py b/galaxy_ng/tests/integration/dab/test_url_resolution.py
@@ -1,5 +1,6 @@
 import os
 import pytest
+import requests
 
 
 @pytest.mark.deployment_standalone
@@ -41,3 +42,34 @@ def test_dab_collection_download_url_hostnames(settings, galaxy_client, publishe
         assert dl_resp.status_code == 200
         assert dl_resp.headers.get('Content-Type') == 'application/gzip'
         assert dl_resp.url.startswith("http://localhost:5001")
+
+
+@pytest.mark.deployment_standalone
+@pytest.mark.skipif(
+    not os.getenv("ENABLE_DAB_TESTS"),
+    reason="Skipping test because ENABLE_DAB_TESTS is not set"
+)
+def test_dab_token_server_hostnames(settings, galaxy_client):
+    """
+    The www-authenticate header from /v2/ should preserve the original hostname
+    """
+
+    v2_hosts = [
+        'jwtproxy:8080',
+        'localhost:5001',
+    ]
+
+    for v2_host in v2_hosts:
+        rr = requests.get('http://' + v2_host + '/v2/')
+        headers = {}
+        for k, v in dict(rr.headers).items():
+            headers[k.lower()] = v
+
+        # Bearer realm="http://jwtproxy:8080/token/",service="jwtproxy:8080"
+        auth = headers['www-authenticate']
+        auth_parts = auth.split(',')
+        bearer_realm = auth_parts[0].split('"')[1]
+        service = auth_parts[1].split('"')[1]
+
+        assert bearer_realm == 'http://' + v2_host + '/token/'
+        assert service == v2_host