Diffstat (limited to 'custodia')
-rw-r--r--custodia/httpd/authenticators.py17
-rw-r--r--custodia/httpd/server.py18
2 files changed, 23 insertions, 12 deletions
diff --git a/custodia/httpd/authenticators.py b/custodia/httpd/authenticators.py
index 1b76287..cf8402f 100644
--- a/custodia/httpd/authenticators.py
+++ b/custodia/httpd/authenticators.py
@@ -28,7 +28,9 @@ class SimpleCredsAuth(HTTPAuthenticator):
uid = int(request['creds']['gid'])
gid = int(request['creds']['uid'])
if self._gid == gid or self._uid == uid:
- request['valid_auth'] = True
+ return True
+ else:
+ return False
class SimpleHeaderAuth(HTTPAuthenticator):
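Review bot: The two context lines at the top of this hunk read the peer credentials crosswise: `uid` is taken from `request['creds']['gid']` and `gid` from `request['creds']['uid']`, so the comparison that now decides the return value checks the configured uid against the peer's gid and the configured gid against the peer's uid. The commit leaves this in place; the lines should read `uid = int(request['creds']['uid'])` and `gid = int(request['creds']['gid'])`. A comment would also help, saying that the `or` makes a match on either id sufficient and that `False` is a hard denial under the new loop in server.py. The method's signature is outside the hunk.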
@@ -44,22 +46,22 @@ class SimpleHeaderAuth(HTTPAuthenticator):
def handle(self, request):
if self.name not in request['headers']:
- return
+ return False
value = request['headers'][self.name]
if self.value is None:
# Any value is accepted
pass
elif isinstance(self.value, str):
if value != self.value:
- return
+ return False
elif isinstance(self.value, list):
if value not in self.value:
- return
+ return False
else:
- return
+ return False
- request['valid_auth'] = True
request['remote_user'] = value
+ return True
class SimpleNULLAuth(HTTPAuthenticator):
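Review bot: A request that simply lacks the header now gets `return False`, and the new loop in server.py turns any `False` into an immediate 403, so configuring this authenticator next to another one makes the header mandatory for every request. If authenticators are meant to be alternatives, the absent-header case should abstain with `return None`, as SimpleNULLAuth does for unmatched paths, and `False` should be kept for a header that is present but carries the wrong value. `request['remote_user']` is copied straight from a request header, so it is only trustworthy if a trusted front end sets that header; a comment stating this assumption would help.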
@@ -74,8 +76,9 @@ class SimpleNULLAuth(HTTPAuthenticator):
path = request.get('path', '')
while path != '':
if path in self.paths:
- request['valid_auth'] = True
+ return True
if path == '/':
path = ''
else:
path, _ = os.path.split(path)
+ return None
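Review bot: The prefix walk compares the raw `request['path']` string against `self.paths`, and nothing in this hunk normalizes it first; whether that happens earlier is not visible here. Since a match now returns `True` and can satisfy authentication on its own, the path should be normalized before the loop, for example `path = os.path.normpath(request.get('path', ''))`, or the docstring should state that callers pass an already-normalized path. A short comment that `None` means "no opinion" rather than denial would make the three-valued contract clear. The method's start is outside the hunk.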
diff --git a/custodia/httpd/server.py b/custodia/httpd/server.py
index 0e58f0d..a5e59a9 100644
--- a/custodia/httpd/server.py
+++ b/custodia/httpd/server.py
@@ -55,9 +55,12 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
correct consumer based on the server configuration, that is provided
at initialization time.
- When authentication is performed the request dictionary will have
- a 'valid_auth' boolean member set to True if authentication was
- successful. Additional attributes may be set by authentication plugins.
+ When authentication is performed all the authenticators are executed.
+ If any returns False, authentication fails and a 403 error is raised.
+ If none of them positively succeeds and they all return None then also
+ authentication fails and a 403 error is raised. Authentication plugins
+ can add attributes to the request object for use of authorization or
+ other plugins.
Once authentication is successful the pipeline will parse the path
component and find the consumer plugin that handles the provided path
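Review bot: The new docstring says all the authenticators are executed, but the loop added further down in this file raises `HTTPError(403)` on the first `False`, so authenticators after a denial never run. Suggested wording: `Authenticators are run in turn; the first one that returns False stops processing with a 403 error.` The text should also state the return contract explicitly (True accepts, False denies, None is no opinion), since plugin authors will rely on it.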
@@ -92,9 +95,14 @@ class ForkingLocalHTTPServer(ForkingMixIn, UnixStreamServer):
authers = self.config.get('authenticators')
if authers is None:
raise HTTPError(403)
+ valid_once = False
for auth in authers:
- authers[auth].handle(request)
- if 'valid_auth' not in request or request['valid_auth'] is not True:
+ valid = authers[auth].handle(request)
+ if valid is False:
+ raise HTTPError(403)
+ elif valid is True:
+ valid_once = True
+ if valid_once is not True:
raise HTTPError(403)
# Select consumer
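Review bot: The `is False` / `is True` identity checks treat every other return value as an abstention, so an authenticator that returns `0` or another falsy non-bool cannot deny a request that a different authenticator accepted. A fail-closed form would be `if valid is True: valid_once = True` followed by `elif valid is not None: raise HTTPError(403)`. Logging the `auth` key of the authenticator that denied before raising would make failed attempts auditable. The enclosing method starts and ends outside the hunk.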