Fix HTTP server library handling of credentials

Currently the http library only checks credentials when authentication
is required. This means that any credentials are accepted on the root
resource, for example, which makes problems hard to diagnose - the
user/pw works for all queries, until one tries to do a modification at
which point fails.

This patch changes the PreHandleRequest() function to not ignore
credentials when passed, even if we don't require authentication. This
makes the behavior of RAPI more predictable.

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Guido Trotter <ultrotter@google.com>

diff --git a/lib/http/auth.py b/lib/http/auth.py
index b9a66a5..8a8d720 100644 (file)
--- a/lib/http/auth.py
+++ b/lib/http/auth.py
@@ -101,10 +101,14 @@ class HttpServerRequestAuthentication(object):
     """
     realm = self.GetAuthRealm(req)
 
-    # Authentication required?
-    if realm is None:
+    # Authentication not required, and no credentials given?
+    if realm is None and http.HTTP_AUTHORIZATION not in req.request_headers:
       return
 
+    if realm is None: # in case we don't require auth but someone
+                      # passed the crendentials anyway
+      realm = "Unspecified"
+
     # Check "Authorization" header
     if self._CheckAuthorization(req):
       # User successfully authenticated