1
=== removed file 'bin/swauth-add-account'
2
--- bin/swauth-add-account	2011-04-18 16:08:48 +0000
3
+++ bin/swauth-add-account	1970-01-01 00:00:00 +0000
4
@@ -1,68 +0,0 @@
5
1
#!/usr/bin/env python
6
2
# Copyright (c) 2010 OpenStack, LLC.
7
3
#
8
4
# Licensed under the Apache License, Version 2.0 (the "License");
9
5
# you may not use this file except in compliance with the License.
10
6
# You may obtain a copy of the License at
11
7
#
12
8
#    http://www.apache.org/licenses/LICENSE-2.0
13
9
#
14
10
# Unless required by applicable law or agreed to in writing, software
15
11
# distributed under the License is distributed on an "AS IS" BASIS,
16
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
17
13
# implied.
18
14
# See the License for the specific language governing permissions and
19
15
# limitations under the License.
20
16
21
17
import gettext
22
18
from optparse import OptionParser
23
19
from os.path import basename
24
20
from sys import argv, exit
25
21
26
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
27
23
from swift.common.utils import urlparse
28
24
29
25
30
26
if __name__ == '__main__':
31
27
    gettext.install('swift', unicode=1)
32
28
    parser = OptionParser(usage='Usage: %prog [options] <account>')
33
29
    parser.add_option('-s', '--suffix', dest='suffix',
34
30
        default='', help='The suffix to use with the reseller prefix as the '
35
31
        'storage account name (default: <randomly-generated-uuid4>) Note: If '
36
32
        'the account already exists, this will have no effect on existing '
37
33
        'service URLs. Those will need to be updated with '
38
34
        'swauth-set-account-service')
39
35
    parser.add_option('-A', '--admin-url', dest='admin_url',
40
36
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
41
37
        'subsystem (default: http://127.0.0.1:8080/auth/)')
42
38
    parser.add_option('-U', '--admin-user', dest='admin_user',
43
39
        default='.super_admin', help='The user with admin rights to add users '
44
40
        '(default: .super_admin).')
45
41
    parser.add_option('-K', '--admin-key', dest='admin_key',
46
42
        help='The key for the user with admin rights to add users.')
47
43
    args = argv[1:]
48
44
    if not args:
49
45
        args.append('-h')
50
46
    (options, args) = parser.parse_args(args)
51
47
    if len(args) != 1:
52
48
        parser.parse_args(['-h'])
53
49
    account = args[0]
54
50
    parsed = urlparse(options.admin_url)
55
51
    if parsed.scheme not in ('http', 'https'):
56
52
        raise Exception('Cannot handle protocol scheme %s for url %s' %
57
53
                        (parsed.scheme, repr(options.admin_url)))
58
54
    parsed_path = parsed.path
59
55
    if not parsed_path:
60
56
        parsed_path = '/'
61
57
    elif parsed_path[-1] != '/':
62
58
        parsed_path += '/'
63
59
    path = '%sv2/%s' % (parsed_path, account)
64
60
    headers = {'X-Auth-Admin-User': options.admin_user,
65
61
               'X-Auth-Admin-Key': options.admin_key}
66
62
    if options.suffix:
67
63
        headers['X-Account-Suffix'] = options.suffix
68
64
    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
69
65
                        ssl=(parsed.scheme == 'https'))
70
66
    resp = conn.getresponse()
71
67
    if resp.status // 100 != 2:
72
68
        exit('Account creation failed: %s %s' % (resp.status, resp.reason))
73
69
0
74
=== removed file 'bin/swauth-add-user'
75
--- bin/swauth-add-user	2011-04-18 16:08:48 +0000
76
+++ bin/swauth-add-user	1970-01-01 00:00:00 +0000
77
@@ -1,93 +0,0 @@
78
1
#!/usr/bin/env python
79
2
# Copyright (c) 2010 OpenStack, LLC.
80
3
#
81
4
# Licensed under the Apache License, Version 2.0 (the "License");
82
5
# you may not use this file except in compliance with the License.
83
6
# You may obtain a copy of the License at
84
7
#
85
8
#    http://www.apache.org/licenses/LICENSE-2.0
86
9
#
87
10
# Unless required by applicable law or agreed to in writing, software
88
11
# distributed under the License is distributed on an "AS IS" BASIS,
89
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
90
13
# implied.
91
14
# See the License for the specific language governing permissions and
92
15
# limitations under the License.
93
16
94
17
import gettext
95
18
from optparse import OptionParser
96
19
from os.path import basename
97
20
from sys import argv, exit
98
21
99
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
100
23
from swift.common.utils import urlparse
101
24
102
25
103
26
if __name__ == '__main__':
104
27
    gettext.install('swift', unicode=1)
105
28
    parser = OptionParser(
106
29
        usage='Usage: %prog [options] <account> <user> <password>')
107
30
    parser.add_option('-a', '--admin', dest='admin', action='store_true',
108
31
        default=False, help='Give the user administrator access; otherwise '
109
32
        'the user will only have access to containers specifically allowed '
110
33
        'with ACLs.')
111
34
    parser.add_option('-r', '--reseller-admin', dest='reseller_admin',
112
35
        action='store_true', default=False, help='Give the user full reseller '
113
36
        'administrator access, giving them full access to all accounts within '
114
37
        'the reseller, including the ability to create new accounts. Creating '
115
38
        'a new reseller admin requires super_admin rights.')
116
39
    parser.add_option('-s', '--suffix', dest='suffix',
117
40
        default='', help='The suffix to use with the reseller prefix as the '
118
41
        'storage account name (default: <randomly-generated-uuid4>) Note: If '
119
42
        'the account already exists, this will have no effect on existing '
120
43
        'service URLs. Those will need to be updated with '
121
44
        'swauth-set-account-service')
122
45
    parser.add_option('-A', '--admin-url', dest='admin_url',
123
46
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
124
47
        'subsystem (default: http://127.0.0.1:8080/auth/')
125
48
    parser.add_option('-U', '--admin-user', dest='admin_user',
126
49
        default='.super_admin', help='The user with admin rights to add users '
127
50
        '(default: .super_admin).')
128
51
    parser.add_option('-K', '--admin-key', dest='admin_key',
129
52
        help='The key for the user with admin rights to add users.')
130
53
    args = argv[1:]
131
54
    if not args:
132
55
        args.append('-h')
133
56
    (options, args) = parser.parse_args(args)
134
57
    if len(args) != 3:
135
58
        parser.parse_args(['-h'])
136
59
    account, user, password = args
137
60
    parsed = urlparse(options.admin_url)
138
61
    if parsed.scheme not in ('http', 'https'):
139
62
        raise Exception('Cannot handle protocol scheme %s for url %s' %
140
63
                        (parsed.scheme, repr(options.admin_url)))
141
64
    parsed_path = parsed.path
142
65
    if not parsed_path:
143
66
        parsed_path = '/'
144
67
    elif parsed_path[-1] != '/':
145
68
        parsed_path += '/'
146
69
    # Ensure the account exists
147
70
    path = '%sv2/%s' % (parsed_path, account)
148
71
    headers = {'X-Auth-Admin-User': options.admin_user,
149
72
               'X-Auth-Admin-Key': options.admin_key}
150
73
    if options.suffix:
151
74
        headers['X-Account-Suffix'] = options.suffix
152
75
    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
153
76
                        ssl=(parsed.scheme == 'https'))
154
77
    resp = conn.getresponse()
155
78
    if resp.status // 100 != 2:
156
79
        print 'Account creation failed: %s %s' % (resp.status, resp.reason)
157
80
    # Add the user
158
81
    path = '%sv2/%s/%s' % (parsed_path, account, user)
159
82
    headers = {'X-Auth-Admin-User': options.admin_user,
160
83
               'X-Auth-Admin-Key': options.admin_key,
161
84
               'X-Auth-User-Key': password}
162
85
    if options.admin:
163
86
        headers['X-Auth-User-Admin'] = 'true'
164
87
    if options.reseller_admin:
165
88
        headers['X-Auth-User-Reseller-Admin'] = 'true'
166
89
    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
167
90
                        ssl=(parsed.scheme == 'https'))
168
91
    resp = conn.getresponse()
169
92
    if resp.status // 100 != 2:
170
93
        exit('User creation failed: %s %s' % (resp.status, resp.reason))
171
94
0
172
=== removed file 'bin/swauth-cleanup-tokens'
173
--- bin/swauth-cleanup-tokens	2011-04-18 16:08:48 +0000
174
+++ bin/swauth-cleanup-tokens	1970-01-01 00:00:00 +0000
175
@@ -1,118 +0,0 @@
176
1
#!/usr/bin/env python
177
2
# Copyright (c) 2010 OpenStack, LLC.
178
3
#
179
4
# Licensed under the Apache License, Version 2.0 (the "License");
180
5
# you may not use this file except in compliance with the License.
181
6
# You may obtain a copy of the License at
182
7
#
183
8
#    http://www.apache.org/licenses/LICENSE-2.0
184
9
#
185
10
# Unless required by applicable law or agreed to in writing, software
186
11
# distributed under the License is distributed on an "AS IS" BASIS,
187
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
188
13
# implied.
189
14
# See the License for the specific language governing permissions and
190
15
# limitations under the License.
191
16
192
17
try:
193
18
    import simplejson as json
194
19
except ImportError:
195
20
    import json
196
21
import gettext
197
22
import re
198
23
from datetime import datetime, timedelta
199
24
from optparse import OptionParser
200
25
from sys import argv, exit
201
26
from time import sleep, time
202
27
203
28
from swift.common.client import Connection, ClientException
204
29
205
30
206
31
if __name__ == '__main__':
207
32
    gettext.install('swift', unicode=1)
208
33
    parser = OptionParser(usage='Usage: %prog [options]')
209
34
    parser.add_option('-t', '--token-life', dest='token_life',
210
35
        default='86400', help='The expected life of tokens; token objects '
211
36
        'modified more than this number of seconds ago will be checked for '
212
37
        'expiration (default: 86400).')
213
38
    parser.add_option('-s', '--sleep', dest='sleep',
214
39
        default='0.1', help='The number of seconds to sleep between token '
215
40
        'checks (default: 0.1)')
216
41
    parser.add_option('-v', '--verbose', dest='verbose', action='store_true',
217
42
        default=False, help='Outputs everything done instead of just the '
218
43
        'deletions.')
219
44
    parser.add_option('-A', '--admin-url', dest='admin_url',
220
45
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
221
46
        'subsystem (default: http://127.0.0.1:8080/auth/)')
222
47
    parser.add_option('-K', '--admin-key', dest='admin_key',
223
48
        help='The key for .super_admin.')
224
49
    args = argv[1:]
225
50
    if not args:
226
51
        args.append('-h')
227
52
    (options, args) = parser.parse_args(args)
228
53
    if len(args) != 0:
229
54
        parser.parse_args(['-h'])
230
55
    options.admin_url = options.admin_url.rstrip('/')
231
56
    if not options.admin_url.endswith('/v1.0'):
232
57
        options.admin_url += '/v1.0'
233
58
    options.admin_user = '.super_admin:.super_admin'
234
59
    options.token_life = timedelta(0, float(options.token_life))
235
60
    options.sleep = float(options.sleep)
236
61
    conn = Connection(options.admin_url, options.admin_user, options.admin_key)
237
62
    for x in xrange(16):
238
63
        container = '.token_%x' % x
239
64
        marker = None
240
65
        while True:
241
66
            if options.verbose:
242
67
                print 'GET %s?marker=%s' % (container, marker)
243
68
            try:
244
69
                objs = conn.get_container(container, marker=marker)[1]
245
70
            except ClientException, e:
246
71
                if e.http_status == 404:
247
72
                    exit('Container %s not found. swauth-prep needs to be '
248
73
                        'rerun' % (container))
249
74
                else:
250
75
                    exit('Object listing on container %s failed with status '
251
76
                        'code %d' % (container, e.http_status))
252
77
            if objs:
253
78
                marker = objs[-1]['name']
254
79
            else:
255
80
                if options.verbose:
256
81
                    print 'No more objects in %s' % container
257
82
                break
258
83
            for obj in objs:
259
84
                last_modified = datetime(*map(int, re.split('[^\d]',
260
85
                                              obj['last_modified'])[:-1]))
261
86
                ago = datetime.utcnow() - last_modified
262
87
                if ago > options.token_life:
263
88
                    if options.verbose:
264
89
                        print '%s/%s last modified %ss ago; investigating' % \
265
90
                              (container, obj['name'],
266
91
                               ago.days * 86400 + ago.seconds)
267
92
                        print 'GET %s/%s' % (container, obj['name'])
268
93
                    detail = conn.get_object(container, obj['name'])[1]
269
94
                    detail = json.loads(detail)
270
95
                    if detail['expires'] < time():
271
96
                        if options.verbose:
272
97
                            print '%s/%s expired %ds ago; deleting' % \
273
98
                                  (container, obj['name'],
274
99
                                   time() - detail['expires'])
275
100
                        print 'DELETE %s/%s' % (container, obj['name'])
276
101
                        try:
277
102
                            conn.delete_object(container, obj['name'])
278
103
                        except ClientException, e:
279
104
                            if e.http_status != 404:
280
105
                                print 'DELETE of %s/%s failed with status ' \
281
106
                                    'code %d' % (container, obj['name'],
282
107
                                    e.http_status)
283
108
                    elif options.verbose:
284
109
                        print "%s/%s won't expire for %ds; skipping" % \
285
110
                              (container, obj['name'],
286
111
                               detail['expires'] - time())
287
112
                elif options.verbose:
288
113
                    print '%s/%s last modified %ss ago; skipping' % \
289
114
                          (container, obj['name'],
290
115
                           ago.days * 86400 + ago.seconds)
291
116
                sleep(options.sleep)
292
117
    if options.verbose:
293
118
        print 'Done.'
294
119
0
295
=== removed file 'bin/swauth-delete-account'
296
--- bin/swauth-delete-account	2011-04-18 16:08:48 +0000
297
+++ bin/swauth-delete-account	1970-01-01 00:00:00 +0000
298
@@ -1,60 +0,0 @@
299
1
#!/usr/bin/env python
300
2
# Copyright (c) 2010 OpenStack, LLC.
301
3
#
302
4
# Licensed under the Apache License, Version 2.0 (the "License");
303
5
# you may not use this file except in compliance with the License.
304
6
# You may obtain a copy of the License at
305
7
#
306
8
#    http://www.apache.org/licenses/LICENSE-2.0
307
9
#
308
10
# Unless required by applicable law or agreed to in writing, software
309
11
# distributed under the License is distributed on an "AS IS" BASIS,
310
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
311
13
# implied.
312
14
# See the License for the specific language governing permissions and
313
15
# limitations under the License.
314
16
315
17
import gettext
316
18
from optparse import OptionParser
317
19
from os.path import basename
318
20
from sys import argv, exit
319
21
320
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
321
23
from swift.common.utils import urlparse
322
24
323
25
324
26
if __name__ == '__main__':
325
27
    gettext.install('swift', unicode=1)
326
28
    parser = OptionParser(usage='Usage: %prog [options] <account>')
327
29
    parser.add_option('-A', '--admin-url', dest='admin_url',
328
30
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
329
31
        'subsystem (default: http://127.0.0.1:8080/auth/')
330
32
    parser.add_option('-U', '--admin-user', dest='admin_user',
331
33
        default='.super_admin', help='The user with admin rights to add users '
332
34
        '(default: .super_admin).')
333
35
    parser.add_option('-K', '--admin-key', dest='admin_key',
334
36
        help='The key for the user with admin rights to add users.')
335
37
    args = argv[1:]
336
38
    if not args:
337
39
        args.append('-h')
338
40
    (options, args) = parser.parse_args(args)
339
41
    if len(args) != 1:
340
42
        parser.parse_args(['-h'])
341
43
    account = args[0]
342
44
    parsed = urlparse(options.admin_url)
343
45
    if parsed.scheme not in ('http', 'https'):
344
46
        raise Exception('Cannot handle protocol scheme %s for url %s' %
345
47
                        (parsed.scheme, repr(options.admin_url)))
346
48
    parsed_path = parsed.path
347
49
    if not parsed_path:
348
50
        parsed_path = '/'
349
51
    elif parsed_path[-1] != '/':
350
52
        parsed_path += '/'
351
53
    path = '%sv2/%s' % (parsed_path, account)
352
54
    headers = {'X-Auth-Admin-User': options.admin_user,
353
55
               'X-Auth-Admin-Key': options.admin_key}
354
56
    conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers,
355
57
                        ssl=(parsed.scheme == 'https'))
356
58
    resp = conn.getresponse()
357
59
    if resp.status // 100 != 2:
358
60
        exit('Account deletion failed: %s %s' % (resp.status, resp.reason))
359
61
0
360
=== removed file 'bin/swauth-delete-user'
361
--- bin/swauth-delete-user	2011-04-18 16:08:48 +0000
362
+++ bin/swauth-delete-user	1970-01-01 00:00:00 +0000
363
@@ -1,60 +0,0 @@
364
1
#!/usr/bin/env python
365
2
# Copyright (c) 2010 OpenStack, LLC.
366
3
#
367
4
# Licensed under the Apache License, Version 2.0 (the "License");
368
5
# you may not use this file except in compliance with the License.
369
6
# You may obtain a copy of the License at
370
7
#
371
8
#    http://www.apache.org/licenses/LICENSE-2.0
372
9
#
373
10
# Unless required by applicable law or agreed to in writing, software
374
11
# distributed under the License is distributed on an "AS IS" BASIS,
375
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
376
13
# implied.
377
14
# See the License for the specific language governing permissions and
378
15
# limitations under the License.
379
16
380
17
import gettext
381
18
from optparse import OptionParser
382
19
from os.path import basename
383
20
from sys import argv, exit
384
21
385
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
386
23
from swift.common.utils import urlparse
387
24
388
25
389
26
if __name__ == '__main__':
390
27
    gettext.install('swift', unicode=1)
391
28
    parser = OptionParser(usage='Usage: %prog [options] <account> <user>')
392
29
    parser.add_option('-A', '--admin-url', dest='admin_url',
393
30
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
394
31
        'subsystem (default: http://127.0.0.1:8080/auth/')
395
32
    parser.add_option('-U', '--admin-user', dest='admin_user',
396
33
        default='.super_admin', help='The user with admin rights to add users '
397
34
        '(default: .super_admin).')
398
35
    parser.add_option('-K', '--admin-key', dest='admin_key',
399
36
        help='The key for the user with admin rights to add users.')
400
37
    args = argv[1:]
401
38
    if not args:
402
39
        args.append('-h')
403
40
    (options, args) = parser.parse_args(args)
404
41
    if len(args) != 2:
405
42
        parser.parse_args(['-h'])
406
43
    account, user = args
407
44
    parsed = urlparse(options.admin_url)
408
45
    if parsed.scheme not in ('http', 'https'):
409
46
        raise Exception('Cannot handle protocol scheme %s for url %s' %
410
47
                        (parsed.scheme, repr(options.admin_url)))
411
48
    parsed_path = parsed.path
412
49
    if not parsed_path:
413
50
        parsed_path = '/'
414
51
    elif parsed_path[-1] != '/':
415
52
        parsed_path += '/'
416
53
    path = '%sv2/%s/%s' % (parsed_path, account, user)
417
54
    headers = {'X-Auth-Admin-User': options.admin_user,
418
55
               'X-Auth-Admin-Key': options.admin_key}
419
56
    conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers,
420
57
                        ssl=(parsed.scheme == 'https'))
421
58
    resp = conn.getresponse()
422
59
    if resp.status // 100 != 2:
423
60
        exit('User deletion failed: %s %s' % (resp.status, resp.reason))
424
61
0
425
=== removed file 'bin/swauth-list'
426
--- bin/swauth-list	2011-04-18 16:08:48 +0000
427
+++ bin/swauth-list	1970-01-01 00:00:00 +0000
428
@@ -1,86 +0,0 @@
429
1
#!/usr/bin/env python
430
2
# Copyright (c) 2010 OpenStack, LLC.
431
3
#
432
4
# Licensed under the Apache License, Version 2.0 (the "License");
433
5
# you may not use this file except in compliance with the License.
434
6
# You may obtain a copy of the License at
435
7
#
436
8
#    http://www.apache.org/licenses/LICENSE-2.0
437
9
#
438
10
# Unless required by applicable law or agreed to in writing, software
439
11
# distributed under the License is distributed on an "AS IS" BASIS,
440
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
441
13
# implied.
442
14
# See the License for the specific language governing permissions and
443
15
# limitations under the License.
444
16
445
17
try:
446
18
    import simplejson as json
447
19
except ImportError:
448
20
    import json
449
21
import gettext
450
22
from optparse import OptionParser
451
23
from os.path import basename
452
24
from sys import argv, exit
453
25
454
26
from swift.common.bufferedhttp import http_connect_raw as http_connect
455
27
from swift.common.utils import urlparse
456
28
457
29
458
30
if __name__ == '__main__':
459
31
    gettext.install('swift', unicode=1)
460
32
    parser = OptionParser(usage='''
461
33
Usage: %prog [options] [account] [user]
462
34
463
35
If [account] and [user] are omitted, a list of accounts will be output.
464
36
465
37
If [account] is included but not [user], an account's information will be
466
38
output, including a list of users within the account.
467
39
468
40
If [account] and [user] are included, the user's information will be output,
469
41
including a list of groups the user belongs to.
470
42
471
43
If the [user] is '.groups', the active groups for the account will be listed.
472
44
'''.strip())
473
45
    parser.add_option('-p', '--plain-text', dest='plain_text',
474
46
        action='store_true', default=False, help='Changes the output from '
475
47
        'JSON to plain text. This will cause an account to list only the '
476
48
        'users and a user to list only the groups.')
477
49
    parser.add_option('-A', '--admin-url', dest='admin_url',
478
50
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
479
51
        'subsystem (default: http://127.0.0.1:8080/auth/')
480
52
    parser.add_option('-U', '--admin-user', dest='admin_user',
481
53
        default='.super_admin', help='The user with admin rights to add users '
482
54
        '(default: .super_admin).')
483
55
    parser.add_option('-K', '--admin-key', dest='admin_key',
484
56
        help='The key for the user with admin rights to add users.')
485
57
    args = argv[1:]
486
58
    if not args:
487
59
        args.append('-h')
488
60
    (options, args) = parser.parse_args(args)
489
61
    if len(args) > 2:
490
62
        parser.parse_args(['-h'])
491
63
    parsed = urlparse(options.admin_url)
492
64
    if parsed.scheme not in ('http', 'https'):
493
65
        raise Exception('Cannot handle protocol scheme %s for url %s' %
494
66
                        (parsed.scheme, repr(options.admin_url)))
495
67
    parsed_path = parsed.path
496
68
    if not parsed_path:
497
69
        parsed_path = '/'
498
70
    elif parsed_path[-1] != '/':
499
71
        parsed_path += '/'
500
72
    path = '%sv2/%s' % (parsed_path, '/'.join(args))
501
73
    headers = {'X-Auth-Admin-User': options.admin_user,
502
74
               'X-Auth-Admin-Key': options.admin_key}
503
75
    conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers,
504
76
                        ssl=(parsed.scheme == 'https'))
505
77
    resp = conn.getresponse()
506
78
    body = resp.read()
507
79
    if resp.status // 100 != 2:
508
80
        exit('List failed: %s %s' % (resp.status, resp.reason))
509
81
    if options.plain_text:
510
82
        info = json.loads(body)
511
83
        for group in info[['accounts', 'users', 'groups'][len(args)]]:
512
84
            print group['name']
513
85
    else:
514
86
        print body
515
87
0
516
=== removed file 'bin/swauth-prep'
517
--- bin/swauth-prep	2011-04-18 16:08:48 +0000
518
+++ bin/swauth-prep	1970-01-01 00:00:00 +0000
519
@@ -1,59 +0,0 @@
520
1
#!/usr/bin/env python
521
2
# Copyright (c) 2010 OpenStack, LLC.
522
3
#
523
4
# Licensed under the Apache License, Version 2.0 (the "License");
524
5
# you may not use this file except in compliance with the License.
525
6
# You may obtain a copy of the License at
526
7
#
527
8
#    http://www.apache.org/licenses/LICENSE-2.0
528
9
#
529
10
# Unless required by applicable law or agreed to in writing, software
530
11
# distributed under the License is distributed on an "AS IS" BASIS,
531
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
532
13
# implied.
533
14
# See the License for the specific language governing permissions and
534
15
# limitations under the License.
535
16
536
17
import gettext
537
18
from optparse import OptionParser
538
19
from os.path import basename
539
20
from sys import argv, exit
540
21
541
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
542
23
from swift.common.utils import urlparse
543
24
544
25
545
26
if __name__ == '__main__':
546
27
    gettext.install('swift', unicode=1)
547
28
    parser = OptionParser(usage='Usage: %prog [options]')
548
29
    parser.add_option('-A', '--admin-url', dest='admin_url',
549
30
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
550
31
        'subsystem (default: http://127.0.0.1:8080/auth/')
551
32
    parser.add_option('-U', '--admin-user', dest='admin_user',
552
33
        default='.super_admin', help='The user with admin rights to add users '
553
34
        '(default: .super_admin).')
554
35
    parser.add_option('-K', '--admin-key', dest='admin_key',
555
36
        help='The key for the user with admin rights to add users.')
556
37
    args = argv[1:]
557
38
    if not args:
558
39
        args.append('-h')
559
40
    (options, args) = parser.parse_args(args)
560
41
    if args:
561
42
        parser.parse_args(['-h'])
562
43
    parsed = urlparse(options.admin_url)
563
44
    if parsed.scheme not in ('http', 'https'):
564
45
        raise Exception('Cannot handle protocol scheme %s for url %s' %
565
46
                        (parsed.scheme, repr(options.admin_url)))
566
47
    parsed_path = parsed.path
567
48
    if not parsed_path:
568
49
        parsed_path = '/'
569
50
    elif parsed_path[-1] != '/':
570
51
        parsed_path += '/'
571
52
    path = '%sv2/.prep' % parsed_path
572
53
    headers = {'X-Auth-Admin-User': options.admin_user,
573
54
               'X-Auth-Admin-Key': options.admin_key}
574
55
    conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers,
575
56
                        ssl=(parsed.scheme == 'https'))
576
57
    resp = conn.getresponse()
577
58
    if resp.status // 100 != 2:
578
59
        exit('Auth subsystem prep failed: %s %s' % (resp.status, resp.reason))
579
60
0
580
=== removed file 'bin/swauth-set-account-service'
581
--- bin/swauth-set-account-service	2011-04-18 16:08:48 +0000
582
+++ bin/swauth-set-account-service	1970-01-01 00:00:00 +0000
583
@@ -1,73 +0,0 @@
584
1
#!/usr/bin/env python
585
2
# Copyright (c) 2010 OpenStack, LLC.
586
3
#
587
4
# Licensed under the Apache License, Version 2.0 (the "License");
588
5
# you may not use this file except in compliance with the License.
589
6
# You may obtain a copy of the License at
590
7
#
591
8
#    http://www.apache.org/licenses/LICENSE-2.0
592
9
#
593
10
# Unless required by applicable law or agreed to in writing, software
594
11
# distributed under the License is distributed on an "AS IS" BASIS,
595
12
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
596
13
# implied.
597
14
# See the License for the specific language governing permissions and
598
15
# limitations under the License.
599
16
600
17
try:
601
18
    import simplejson as json
602
19
except ImportError:
603
20
    import json
604
21
import gettext
605
22
from optparse import OptionParser
606
23
from os.path import basename
607
24
from sys import argv, exit
608
25
609
26
from swift.common.bufferedhttp import http_connect_raw as http_connect
610
27
from swift.common.utils import urlparse
611
28
612
29
613
30
if __name__ == '__main__':
614
31
    gettext.install('swift', unicode=1)
615
32
    parser = OptionParser(usage='''
616
33
Usage: %prog [options] <account> <service> <name> <value>
617
34
618
35
Sets a service URL for an account. Can only be set by a reseller admin.
619
36
620
37
Example: %prog -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162
621
38
'''.strip())
622
39
    parser.add_option('-A', '--admin-url', dest='admin_url',
623
40
        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
624
41
        'subsystem (default: http://127.0.0.1:8080/auth/)')
625
42
    parser.add_option('-U', '--admin-user', dest='admin_user',
626
43
        default='.super_admin', help='The user with admin rights to add users '
627
44
        '(default: .super_admin).')
628
45
    parser.add_option('-K', '--admin-key', dest='admin_key',
629
46
        help='The key for the user with admin rights to add users.')
630
47
    args = argv[1:]
631
48
    if not args:
632
49
        args.append('-h')
633
50
    (options, args) = parser.parse_args(args)
634
51
    if len(args) != 4:
635
52
        parser.parse_args(['-h'])
636
53
    account, service, name, url = args
637
54
    parsed = urlparse(options.admin_url)
638
55
    if parsed.scheme not in ('http', 'https'):
639
56
        raise Exception('Cannot handle protocol scheme %s for url %s' %
640
57
                        (parsed.scheme, repr(options.admin_url)))
641
58
    parsed_path = parsed.path
642
59
    if not parsed_path:
643
60
        parsed_path = '/'
644
61
    elif parsed_path[-1] != '/':
645
62
        parsed_path += '/'
646
63
    path = '%sv2/%s/.services' % (parsed_path, account)
647
64
    body = json.dumps({service: {name: url}})
648
65
    headers = {'Content-Length': str(len(body)),
649
66
               'X-Auth-Admin-User': options.admin_user,
650
67
               'X-Auth-Admin-Key': options.admin_key}
651
68
    conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers,
652
69
                        ssl=(parsed.scheme == 'https'))
653
70
    conn.send(body)
654
71
    resp = conn.getresponse()
655
72
    if resp.status // 100 != 2:
656
73
        exit('Service set failed: %s %s' % (resp.status, resp.reason))
657
74
0
658
=== modified file 'doc/source/admin_guide.rst'
659
--- doc/source/admin_guide.rst	2011-03-31 22:32:41 +0000
660
+++ doc/source/admin_guide.rst	2011-06-09 21:09:39 +0000
661
@@ -222,22 +222,6 @@
662
222
    Sample represents 1.00% of the object partition space
222
    Sample represents 1.00% of the object partition space
663
223
223
664
224
224
665
225
------------------------------------
666
226
Additional Cleanup Script for Swauth
667
227
------------------------------------
668
228
669
229
With Swauth, you'll want to install a cronjob to clean up any
670
230
orphaned expired tokens. These orphaned tokens can occur when a "stampede"
671
231
occurs where a single user authenticates several times concurrently. Generally,
672
232
these orphaned tokens don't pose much of an issue, but it's good to clean them
673
233
up once a "token life" period (default: 1 day or 86400 seconds).
674
234
675
235
This should be as simple as adding `swauth-cleanup-tokens -A
676
236
https://<PROXY_HOSTNAME>:8080/auth/ -K swauthkey > /dev/null` to a crontab
677
237
entry on one of the proxies that is running Swauth; but run
678
238
`swauth-cleanup-tokens` with no arguments for detailed help on the options
679
239
available.
680
240
681
241
------------------------
225
------------------------
682
242
Debugging Tips and Tools
226
Debugging Tips and Tools
683
243
------------------------
227
------------------------
684
244
228
685
=== modified file 'doc/source/deployment_guide.rst'
686
--- doc/source/deployment_guide.rst	2011-01-25 00:28:22 +0000
687
+++ doc/source/deployment_guide.rst	2011-06-09 21:09:39 +0000
688
@@ -549,35 +549,17 @@
689
549
                                               are even callable
549
                                               are even callable
690
550
============================  ===============  =============================
550
============================  ===============  =============================
691
551
551
711
552
[auth]
552
[tempauth]
693
553
694
554
============  ===================================  ========================
695
555
Option        Default                              Description
696
556
------------  -----------------------------------  ------------------------
697
557
use                                                Entry point for paste.deploy 
698
558
                                                   to use for auth.  To
699
559
                                                   use the swift dev auth,
700
560
                                                   set to:
701
561
                                                   `egg:swift#auth`
702
562
ip            127.0.0.1                            IP address of auth
703
563
                                                   server
704
564
port          11000                                Port of auth server
705
565
ssl           False                                If True, use SSL to
706
566
                                                   connect to auth
707
567
node_timeout  10                                   Request timeout
708
568
============  ===================================  ========================
709
569
710
570
[swauth]
712
571
553
713
572
=====================  =============================== =======================
554
=====================  =============================== =======================
714
573
Option                 Default                         Description
555
Option                 Default                         Description
715
574
---------------------  ------------------------------- -----------------------
556
---------------------  ------------------------------- -----------------------
716
575
use                                                    Entry point for
557
use                                                    Entry point for
717
576
                                                       paste.deploy to use for
558
                                                       paste.deploy to use for
719
577
                                                       auth. To use the swauth
559
                                                       auth. To use tempauth
720
578
                                                       set to:
560
                                                       set to:
723
579
                                                       `egg:swift#swauth`
561
                                                       `egg:swift#tempauth`
724
580
set log_name           auth-server                     Label used when logging
562
set log_name           tempauth                        Label used when logging
725
581
set log_facility       LOG_LOCAL0                      Syslog log facility
563
set log_facility       LOG_LOCAL0                      Syslog log facility
726
582
set log_level          INFO                            Log level
564
set log_level          INFO                            Log level
727
583
set log_headers        True                            If True, log headers in
565
set log_headers        True                            If True, log headers in
728
@@ -593,16 +575,39 @@
729
593
                                                       reserves anything
575
                                                       reserves anything
730
594
                                                       beginning with the
576
                                                       beginning with the
731
595
                                                       letter `v`.
577
                                                       letter `v`.
732
596
default_swift_cluster  local#http://127.0.0.1:8080/v1  The default Swift
733
597
                                                       cluster to place newly
734
598
                                                       created accounts on.
735
599
token_life             86400                           The number of seconds a
578
token_life             86400                           The number of seconds a
736
600
                                                       token is valid.
579
                                                       token is valid.
737
601
node_timeout           10                              Request timeout
738
602
super_admin_key        None                            The key for the
739
603
                                                       .super_admin account.
740
604
=====================  =============================== =======================
580
=====================  =============================== =======================
741
605
581
742
582
Additionally, you need to list all the accounts/users you want here. The format
743
583
is::
744
584
745
585
    user_<account>_<user> = <key> [group] [group] [...] [storage_url]
746
586
747
587
There are special groups of::
748
588
749
589
    .reseller_admin = can do anything to any account for this auth
750
590
    .admin = can do anything within the account
751
591
752
592
If neither of these groups are specified, the user can only access containers
753
593
that have been explicitly allowed for them by a .admin or .reseller_admin.
754
594
755
595
The trailing optional storage_url allows you to specify an alternate url to
756
596
hand back to the user upon authentication. If not specified, this defaults to::
757
597
758
598
    http[s]://<ip>:<port>/v1/<reseller_prefix>_<account>
759
599
760
600
Where http or https depends on whether cert_file is specified in the [DEFAULT]
761
601
section, <ip> and <port> are based on the [DEFAULT] section's bind_ip and
762
602
bind_port (falling back to 127.0.0.1 and 8080), <reseller_prefix> is from this
763
603
section, and <account> is from the user_<account>_<user> name.
764
604
765
605
Here are example entries, required for running the tests::
766
606
767
607
    user_admin_admin = admin .admin .reseller_admin
768
608
    user_test_tester = testing .admin
769
609
    user_test2_tester2 = testing2 .admin
770
610
    user_test_tester3 = testing3
771
606
611
772
607
------------------------
612
------------------------
773
608
Memcached Considerations
613
Memcached Considerations
774
609
614
775
=== modified file 'doc/source/development_auth.rst'
776
--- doc/source/development_auth.rst	2011-03-14 02:56:37 +0000
777
+++ doc/source/development_auth.rst	2011-06-09 21:09:39 +0000
778
@@ -6,7 +6,7 @@
779
6
Creating Your Own Auth Server and Middleware
6
Creating Your Own Auth Server and Middleware
780
7
--------------------------------------------
7
--------------------------------------------
781
8
8
783
9
The included swift/common/middleware/swauth.py is a good example of how to
9
The included swift/common/middleware/tempauth.py is a good example of how to
784
10
create an auth subsystem with proxy server auth middleware. The main points are
10
create an auth subsystem with proxy server auth middleware. The main points are
785
11
that the auth middleware can reject requests up front, before they ever get to
11
that the auth middleware can reject requests up front, before they ever get to
786
12
the Swift Proxy application, and afterwards when the proxy issues callbacks to
12
the Swift Proxy application, and afterwards when the proxy issues callbacks to
787
@@ -27,7 +27,7 @@
788
27
environ['REMOTE_USER'] set to the authenticated user string but often more
27
environ['REMOTE_USER'] set to the authenticated user string but often more
789
28
information is needed than just that.
28
information is needed than just that.
790
29
29
792
30
The included Swauth will set the REMOTE_USER to a comma separated list of
30
The included TempAuth will set the REMOTE_USER to a comma separated list of
793
31
groups the user belongs to. The first group will be the "user's group", a group
31
groups the user belongs to. The first group will be the "user's group", a group
794
32
that only the user belongs to. The second group will be the "account's group",
32
that only the user belongs to. The second group will be the "account's group",
795
33
a group that includes all users for that auth account (different than the
33
a group that includes all users for that auth account (different than the
796
@@ -37,7 +37,7 @@
797
37
37
798
38
It is highly recommended that authentication server implementers prefix their
38
It is highly recommended that authentication server implementers prefix their
799
39
tokens and Swift storage accounts they create with a configurable reseller
39
tokens and Swift storage accounts they create with a configurable reseller
801
40
prefix (`AUTH_` by default with the included Swauth). This prefix will avoid
40
prefix (`AUTH_` by default with the included TempAuth). This prefix will avoid
802
41
conflicts with other authentication servers that might be using the same
41
conflicts with other authentication servers that might be using the same
803
42
Swift cluster. Otherwise, the Swift cluster will have to try all the resellers
42
Swift cluster. Otherwise, the Swift cluster will have to try all the resellers
804
43
until one validates a token or all fail.
43
until one validates a token or all fail.
805
@@ -46,14 +46,14 @@
806
46
'.' as that is reserved for internal Swift use (such as the .r for referrer
46
'.' as that is reserved for internal Swift use (such as the .r for referrer
807
47
designations as you'll see later).
47
designations as you'll see later).
808
48
48
810
49
Example Authentication with Swauth:
49
Example Authentication with TempAuth:
811
50
50
813
51
    * Token AUTH_tkabcd is given to the Swauth middleware in a request's
51
    * Token AUTH_tkabcd is given to the TempAuth middleware in a request's
814
52
      X-Auth-Token header.
52
      X-Auth-Token header.
816
53
    * The Swauth middleware validates the token AUTH_tkabcd and discovers
53
    * The TempAuth middleware validates the token AUTH_tkabcd and discovers
817
54
      it matches the "tester" user within the "test" account for the storage
54
      it matches the "tester" user within the "test" account for the storage
818
55
      account "AUTH_storage_xyz".
55
      account "AUTH_storage_xyz".
820
56
    * The Swauth server sets the REMOTE_USER to
56
    * The TempAuth middleware sets the REMOTE_USER to
821
57
      "test:tester,test,AUTH_storage_xyz"
57
      "test:tester,test,AUTH_storage_xyz"
822
58
    * Now this user will have full access (via authorization procedures later)
58
    * Now this user will have full access (via authorization procedures later)
823
59
      to the AUTH_storage_xyz Swift storage account and access to containers in
59
      to the AUTH_storage_xyz Swift storage account and access to containers in
824
60
60
825
=== modified file 'doc/source/development_saio.rst'
826
--- doc/source/development_saio.rst	2011-05-18 15:26:52 +0000
827
+++ doc/source/development_saio.rst	2011-06-09 21:09:39 +0000
828
@@ -265,16 +265,18 @@
829
265
        log_facility = LOG_LOCAL1
265
        log_facility = LOG_LOCAL1
830
266
266
831
267
        [pipeline:main]
267
        [pipeline:main]
833
268
        pipeline = healthcheck cache swauth proxy-server
268
        pipeline = healthcheck cache tempauth proxy-server
834
269
        
269
        
835
270
        [app:proxy-server]
270
        [app:proxy-server]
836
271
        use = egg:swift#proxy
271
        use = egg:swift#proxy
837
272
        allow_account_management = true
272
        allow_account_management = true
838
273
273
843
274
        [filter:swauth]
274
        [filter:tempauth]
844
275
        use = egg:swift#swauth
275
        use = egg:swift#tempauth
845
276
        # Highly recommended to change this.
276
        user_admin_admin = admin .admin .reseller_admin
846
277
        super_admin_key = swauthkey
277
        user_test_tester = testing .admin
847
278
        user_test2_tester2 = testing2 .admin
848
279
        user_test_tester3 = testing3
849
278
280
850
279
        [filter:healthcheck]
281
        [filter:healthcheck]
851
280
        use = egg:swift#healthcheck
282
        use = egg:swift#healthcheck
852
@@ -558,8 +560,10 @@
853
558
------------------------------------
560
------------------------------------
854
559
561
855
560
  #. Create `~/bin/resetswift.` 
562
  #. Create `~/bin/resetswift.` 
858
561
  If you are using a loopback device substitute `/dev/sdb1` with `/srv/swift-disk`.
563
859
562
  If you did not set up rsyslog for individual logging, remove the `find /var/log/swift...` line::
564
     If you are using a loopback device substitute `/dev/sdb1` with `/srv/swift-disk`.
860
565
861
566
     If you did not set up rsyslog for individual logging, remove the `find /var/log/swift...` line::
862
563
  
567
  
863
564
        #!/bin/bash
568
        #!/bin/bash
864
565
569
865
@@ -608,18 +612,6 @@
866
608
612
867
609
        swift-init main start
613
        swift-init main start
868
610
614
869
611
  #. Create `~/bin/recreateaccounts`::
870
612
  
871
613
        #!/bin/bash
872
614
873
615
        # Replace swauthkey with whatever your super_admin key is (recorded in
874
616
        # /etc/swift/proxy-server.conf).
875
617
        swauth-prep -K swauthkey
876
618
        swauth-add-user -K swauthkey -a test tester testing
877
619
        swauth-add-user -K swauthkey -a test2 tester2 testing2
878
620
        swauth-add-user -K swauthkey test tester3 testing3
879
621
        swauth-add-user -K swauthkey -a -r reseller reseller reseller
880
622
881
623
  #. Create `~/bin/startrest`::
615
  #. Create `~/bin/startrest`::
882
624
616
883
625
        #!/bin/bash
617
        #!/bin/bash
884
626
618
885
=== modified file 'doc/source/howto_installmultinode.rst'
886
--- doc/source/howto_installmultinode.rst	2011-05-17 03:59:57 +0000
887
+++ doc/source/howto_installmultinode.rst	2011-06-09 21:09:39 +0000
888
@@ -13,7 +13,7 @@
889
13
Basic architecture and terms
13
Basic architecture and terms
890
14
----------------------------
14
----------------------------
891
15
- *node* - a host machine running one or more Swift services
15
- *node* - a host machine running one or more Swift services
893
16
- *Proxy node* - node that runs Proxy services; also runs Swauth
16
- *Proxy node* - node that runs Proxy services; also runs TempAuth
894
17
- *Storage node* - node that runs Account, Container, and Object services
17
- *Storage node* - node that runs Account, Container, and Object services
895
18
- *ring* - a set of mappings of Swift data to physical devices
18
- *ring* - a set of mappings of Swift data to physical devices
896
19
19
897
@@ -23,7 +23,7 @@
898
23
23
899
24
  - Runs the swift-proxy-server processes which proxy requests to the
24
  - Runs the swift-proxy-server processes which proxy requests to the
900
25
    appropriate Storage nodes. The proxy server will also contain
25
    appropriate Storage nodes. The proxy server will also contain
902
26
    the Swauth service as WSGI middleware.
26
    the TempAuth service as WSGI middleware.
903
27
27
904
28
- five Storage nodes
28
- five Storage nodes
905
29
29
906
@@ -130,17 +130,15 @@
907
130
        user = swift
130
        user = swift
908
131
        
131
        
909
132
        [pipeline:main]
132
        [pipeline:main]
911
133
        pipeline = healthcheck cache swauth proxy-server
133
        pipeline = healthcheck cache tempauth proxy-server
912
134
        
134
        
913
135
        [app:proxy-server]
135
        [app:proxy-server]
914
136
        use = egg:swift#proxy
136
        use = egg:swift#proxy
915
137
        allow_account_management = true
137
        allow_account_management = true
916
138
        
138
        
922
139
        [filter:swauth]
139
        [filter:tempauth]
923
140
        use = egg:swift#swauth
140
        use = egg:swift#tempauth
924
141
        default_swift_cluster = local#https://$PROXY_LOCAL_NET_IP:8080/v1
141
        user_system_root = testpass .admin https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
920
142
        # Highly recommended to change this key to something else!
921
143
        super_admin_key = swauthkey
925
144
        
142
        
926
145
        [filter:healthcheck]
143
        [filter:healthcheck]
927
146
        use = egg:swift#healthcheck
144
        use = egg:swift#healthcheck
928
@@ -366,16 +364,6 @@
929
366
364
930
367
You run these commands from the Proxy node.
365
You run these commands from the Proxy node.
931
368
366
932
369
#. Create a user with administrative privileges (account = system,
933
370
   username = root, password = testpass).  Make sure to replace 
934
371
   ``swauthkey`` with whatever super_admin key you assigned in
935
372
   the proxy-server.conf file
936
373
   above.  *Note: None of the values of 
937
374
   account, username, or password are special - they can be anything.*::
938
375
939
376
        swauth-prep -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey
940
377
        swauth-add-user -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey -a system root testpass
941
378
942
379
#. Get an X-Storage-Url and X-Auth-Token::
367
#. Get an X-Storage-Url and X-Auth-Token::
943
380
368
944
381
        curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testpass' https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
369
        curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testpass' https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
945
@@ -430,45 +418,16 @@
946
430
        use = egg:swift#memcache
418
        use = egg:swift#memcache
947
431
        memcache_servers = $PROXY_LOCAL_NET_IP:11211
419
        memcache_servers = $PROXY_LOCAL_NET_IP:11211
948
432
420
968
433
#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf::
421
#. Change the storage url for any users to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf::
969
434
422
970
435
        [filter:swauth]
423
        [filter:tempauth]
971
436
        use = egg:swift#swauth
424
        use = egg:swift#tempauth
972
437
        default_swift_cluster = local#http://<LOAD_BALANCER_HOSTNAME>/v1
425
        user_system_root = testpass .admin http[s]://<LOAD_BALANCER_HOSTNAME>:<PORT>/v1/AUTH_system
954
438
        # Highly recommended to change this key to something else!
955
439
        super_admin_key = swauthkey
956
440
957
441
#. The above will make new accounts with the new default_swift_cluster URL, however it won't change any existing accounts. You can change a service URL for existing accounts with::
958
442
959
443
    First retreve what the URL was::
960
444
961
445
         swauth-list -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey <account>
962
446
963
447
     And then update it with::
964
448
965
449
         swauth-set-account-service -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey <account> storage local <new_url_for_the_account>
966
450
967
451
    Make the <new_url_for_the_account> look just like it's original URL but with the host:port update you want.
973
452
426
974
453
#. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well. 
427
#. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well. 
975
454
428
976
455
#. After you sync all the nodes, make sure the admin has the keys in /etc/swift and the ownership for the ring file is correct. 
429
#. After you sync all the nodes, make sure the admin has the keys in /etc/swift and the ownership for the ring file is correct. 
977
456
430
978
457
Additional Cleanup Script for Swauth
979
458
------------------------------------
980
459
981
460
With Swauth, you'll want to install a cronjob to clean up any
982
461
orphaned expired tokens. These orphaned tokens can occur when a "stampede"
983
462
occurs where a single user authenticates several times concurrently. Generally,
984
463
these orphaned tokens don't pose much of an issue, but it's good to clean them
985
464
up once a "token life" period (default: 1 day or 86400 seconds).
986
465
987
466
This should be as simple as adding `swauth-cleanup-tokens -A
988
467
https://<PROXY_HOSTNAME>:8080/auth/ -K swauthkey > /dev/null` to a crontab
989
468
entry on one of the proxies that is running Swauth; but run
990
469
`swauth-cleanup-tokens` with no arguments for detailed help on the options
991
470
available.
992
471
993
472
Troubleshooting Notes
431
Troubleshooting Notes
994
473
---------------------
432
---------------------
995
474
If you see problems, look in var/log/syslog (or messages on some distros). 
433
If you see problems, look in var/log/syslog (or messages on some distros). 
996
475
434
997
=== modified file 'doc/source/misc.rst'
998
--- doc/source/misc.rst	2011-03-24 03:37:07 +0000
999
+++ doc/source/misc.rst	2011-06-09 21:09:39 +0000
1000
@@ -33,12 +33,12 @@
1001
33
    :members:
33
    :members:
1002
34
    :show-inheritance:
34
    :show-inheritance:
1003
35
35
1010
36
.. _common_swauth:
36
.. _common_tempauth:
1011
37
37
1012
38
Swauth
38
TempAuth
1013
39
======
39
========
1014
40
40
1015
41
.. automodule:: swift.common.middleware.swauth
41
.. automodule:: swift.common.middleware.tempauth
1016
42
    :members:
42
    :members:
1017
43
    :show-inheritance:
43
    :show-inheritance:
1018
44
44
1019
45
45
1020
=== modified file 'doc/source/overview_auth.rst'
1021
--- doc/source/overview_auth.rst	2011-03-14 02:56:37 +0000
1022
+++ doc/source/overview_auth.rst	2011-06-09 21:09:39 +0000
1023
@@ -2,9 +2,9 @@
1024
2
The Auth System
2
The Auth System
1025
3
===============
3
===============
1026
4
4
1030
5
------
5
--------
1031
6
Swauth
6
TempAuth
1032
7
------
7
--------
1033
8
8
1034
9
The auth system for Swift is loosely based on the auth system from the existing
9
The auth system for Swift is loosely based on the auth system from the existing
1035
10
Rackspace architecture -- actually from a few existing auth systems -- and is
10
Rackspace architecture -- actually from a few existing auth systems -- and is
1036
@@ -27,7 +27,7 @@
1037
27
Swift will make calls to the auth system, giving the auth token to be
27
Swift will make calls to the auth system, giving the auth token to be
1038
28
validated. For a valid token, the auth system responds with an overall
28
validated. For a valid token, the auth system responds with an overall
1039
29
expiration in seconds from now. Swift will cache the token up to the expiration
29
expiration in seconds from now. Swift will cache the token up to the expiration
1041
30
time. The included Swauth also has the concept of admin and non-admin users
30
time. The included TempAuth also has the concept of admin and non-admin users
1042
31
within an account. Admin users can do anything within the account. Non-admin
31
within an account. Admin users can do anything within the account. Non-admin
1043
32
users can only perform operations per container based on the container's
32
users can only perform operations per container based on the container's
1044
33
X-Container-Read and X-Container-Write ACLs. For more information on ACLs, see
33
X-Container-Read and X-Container-Write ACLs. For more information on ACLs, see
1045
@@ -40,152 +40,9 @@
1046
40
Extending Auth
40
Extending Auth
1047
41
--------------
41
--------------
1048
42
42
1051
43
Swauth is written as wsgi middleware, so implementing your own auth is as easy
43
TempAuth is written as wsgi middleware, so implementing your own auth is as
1052
44
as writing new wsgi middleware, and plugging it in to the proxy server.
44
easy as writing new wsgi middleware, and plugging it in to the proxy server.
1053
45
The KeyStone project and the Swauth project are examples of additional auth
1054
46
services.
1055
45
47
1056
46
Also, see :doc:`development_auth`.
48
Also, see :doc:`development_auth`.
1057
47
1058
48
1059
49
--------------
1060
50
Swauth Details
1061
51
--------------
1062
52
1063
53
The Swauth system is included at swift/common/middleware/swauth.py; a scalable
1064
54
authentication and authorization system that uses Swift itself as its backing
1065
55
store. This section will describe how it stores its data.
1066
56
1067
57
At the topmost level, the auth system has its own Swift account it stores its
1068
58
own account information within. This Swift account is known as
1069
59
self.auth_account in the code and its name is in the format
1070
60
self.reseller_prefix + ".auth". In this text, we'll refer to this account as
1071
61
<auth_account>.
1072
62
1073
63
The containers whose names do not begin with a period represent the accounts
1074
64
within the auth service. For example, the <auth_account>/test container would
1075
65
represent the "test" account.
1076
66
1077
67
The objects within each container represent the users for that auth service
1078
68
account. For example, the <auth_account>/test/bob object would represent the
1079
69
user "bob" within the auth service account of "test". Each of these user
1080
70
objects contain a JSON dictionary of the format::
1081
71
1082
72
    {"auth": "<auth_type>:<auth_value>", "groups": <groups_array>}
1083
73
1084
74
The `<auth_type>` can only be `plaintext` at this time, and the `<auth_value>`
1085
75
is the plain text password itself.
1086
76
1087
77
The `<groups_array>` contains at least two groups. The first is a unique group
1088
78
identifying that user and it's name is of the format `<user>:<account>`. The
1089
79
second group is the `<account>` itself. Additional groups of `.admin` for
1090
80
account administrators and `.reseller_admin` for reseller administrators may
1091
81
exist. Here's an example user JSON dictionary::
1092
82
1093
83
    {"auth": "plaintext:testing",
1094
84
     "groups": ["name": "test:tester", "name": "test", "name": ".admin"]}
1095
85
1096
86
To map an auth service account to a Swift storage account, the Service Account
1097
87
Id string is stored in the `X-Container-Meta-Account-Id` header for the
1098
88
<auth_account>/<account> container. To map back the other way, an
1099
89
<auth_account>/.account_id/<account_id> object is created with the contents of
1100
90
the corresponding auth service's account name.
1101
91
1102
92
Also, to support a future where the auth service will support multiple Swift
1103
93
clusters or even multiple services for the same auth service account, an
1104
94
<auth_account>/<account>/.services object is created with its contents having a
1105
95
JSON dictionary of the format::
1106
96
1107
97
    {"storage": {"default": "local", "local": <url>}}
1108
98
1109
99
The "default" is always "local" right now, and "local" is always the single
1110
100
Swift cluster URL; but in the future there can be more than one cluster with
1111
101
various names instead of just "local", and the "default" key's value will
1112
102
contain the primary cluster to use for that account. Also, there may be more
1113
103
services in addition to the current "storage" service right now.
1114
104
1115
105
Here's an example .services dictionary at the moment::
1116
106
1117
107
    {"storage":
1118
108
        {"default": "local",
1119
109
         "local": "http://127.0.0.1:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}}
1120
110
1121
111
But, here's an example of what the dictionary may look like in the future::
1122
112
1123
113
    {"storage":
1124
114
        {"default": "dfw",
1125
115
         "dfw": "http://dfw.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
1126
116
         "ord": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
1127
117
         "sat": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"},
1128
118
     "servers":
1129
119
        {"default": "dfw",
1130
120
         "dfw": "http://dfw.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
1131
121
         "ord": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
1132
122
         "sat": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}}
1133
123
1134
124
Lastly, the tokens themselves are stored as objects in the
1135
125
`<auth_account>/.token_[0-f]` containers. The names of the objects are the
1136
126
token strings themselves, such as `AUTH_tked86bbd01864458aa2bd746879438d5a`.
1137
127
The exact `.token_[0-f]` container chosen is based on the final digit of the
1138
128
token name, such as `.token_a` for the token
1139
129
`AUTH_tked86bbd01864458aa2bd746879438d5a`. The contents of the token objects
1140
130
are JSON dictionaries of the format::
1141
131
1142
132
    {"account": <account>,
1143
133
     "user": <user>,
1144
134
     "account_id": <account_id>,
1145
135
     "groups": <groups_array>,
1146
136
     "expires": <time.time() value>}
1147
137
1148
138
The `<account>` is the auth service account's name for that token. The `<user>`
1149
139
is the user within the account for that token. The `<account_id>` is the
1150
140
same as the `X-Container-Meta-Account-Id` for the auth service's account,
1151
141
as described above. The `<groups_array>` is the user's groups, as described
1152
142
above with the user object. The "expires" value indicates when the token is no
1153
143
longer valid, as compared to Python's time.time() value.
1154
144
1155
145
Here's an example token object's JSON dictionary::
1156
146
1157
147
    {"account": "test",
1158
148
     "user": "tester",
1159
149
     "account_id": "AUTH_8980f74b1cda41e483cbe0a925f448a9",
1160
150
     "groups": ["name": "test:tester", "name": "test", "name": ".admin"],
1161
151
     "expires": 1291273147.1624689}
1162
152
1163
153
To easily map a user to an already issued token, the token name is stored in
1164
154
the user object's `X-Object-Meta-Auth-Token` header.
1165
155
1166
156
Here is an example full listing of an <auth_account>::
1167
157
1168
158
    .account_id
1169
159
        AUTH_2282f516-559f-4966-b239-b5c88829e927
1170
160
        AUTH_f6f57a3c-33b5-4e85-95a5-a801e67505c8
1171
161
        AUTH_fea96a36-c177-4ca4-8c7e-b8c715d9d37b
1172
162
    .token_0
1173
163
    .token_1
1174
164
    .token_2
1175
165
    .token_3
1176
166
    .token_4
1177
167
    .token_5
1178
168
    .token_6
1179
169
        AUTH_tk9d2941b13d524b268367116ef956dee6
1180
170
    .token_7
1181
171
    .token_8
1182
172
        AUTH_tk93627c6324c64f78be746f1e6a4e3f98
1183
173
    .token_9
1184
174
    .token_a
1185
175
    .token_b
1186
176
    .token_c
1187
177
    .token_d
1188
178
    .token_e
1189
179
        AUTH_tk0d37d286af2c43ffad06e99112b3ec4e
1190
180
    .token_f
1191
181
        AUTH_tk766bbde93771489982d8dc76979d11cf
1192
182
    reseller
1193
183
        .services
1194
184
        reseller
1195
185
    test
1196
186
        .services
1197
187
        tester
1198
188
        tester3
1199
189
    test2
1200
190
        .services
1201
191
        tester2
1202
192
49
1203
=== modified file 'etc/proxy-server.conf-sample'
1204
--- etc/proxy-server.conf-sample	2011-03-25 08:33:46 +0000
1205
+++ etc/proxy-server.conf-sample	2011-06-09 21:09:39 +0000
1206
@@ -13,7 +13,7 @@
1207
13
# log_level = INFO
13
# log_level = INFO
1208
14
14
1209
15
[pipeline:main]
15
[pipeline:main]
1211
16
pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server
16
pipeline = catch_errors healthcheck cache ratelimit tempauth proxy-server
1212
17
17
1213
18
[app:proxy-server]
18
[app:proxy-server]
1214
19
use = egg:swift#proxy
19
use = egg:swift#proxy
1215
@@ -41,10 +41,10 @@
1216
41
# 'false' no one, even authorized, can.
41
# 'false' no one, even authorized, can.
1217
42
# allow_account_management = false
42
# allow_account_management = false
1218
43
43
1221
44
[filter:swauth]
44
[filter:tempauth]
1222
45
use = egg:swift#swauth
45
use = egg:swift#tempauth
1223
46
# You can override the default log routing for this filter here:
46
# You can override the default log routing for this filter here:
1225
47
# set log_name = auth-server
47
# set log_name = tempauth
1226
48
# set log_facility = LOG_LOCAL0
48
# set log_facility = LOG_LOCAL0
1227
49
# set log_level = INFO
49
# set log_level = INFO
1228
50
# set log_headers = False
50
# set log_headers = False
1229
@@ -54,21 +54,28 @@
1230
54
# multiple auth systems are in use for one Swift cluster.
54
# multiple auth systems are in use for one Swift cluster.
1231
55
# reseller_prefix = AUTH
55
# reseller_prefix = AUTH
1232
56
# The auth prefix will cause requests beginning with this prefix to be routed
56
# The auth prefix will cause requests beginning with this prefix to be routed
1234
57
# to the auth subsystem, for granting tokens, creating accounts, users, etc.
57
# to the auth subsystem, for granting tokens, etc.
1235
58
# auth_prefix = /auth/
58
# auth_prefix = /auth/
1236
59
# Cluster strings are of the format name#url where name is a short name for the
1237
60
# Swift cluster and url is the url to the proxy server(s) for the cluster.
1238
61
# default_swift_cluster = local#http://127.0.0.1:8080/v1
1239
62
# You may also use the format name#url#url where the first url is the one
1240
63
# given to users to access their account (public url) and the second is the one
1241
64
# used by swauth itself to create and delete accounts (private url). This is
1242
65
# useful when a load balancer url should be used by users, but swauth itself is
1243
66
# behind the load balancer. Example:
1244
67
# default_swift_cluster = local#https://public.com:8080/v1#http://private.com:8080/v1
1245
68
# token_life = 86400
59
# token_life = 86400
1249
69
# node_timeout = 10
60
# Lastly, you need to list all the accounts/users you want here. The format is:
1250
70
# Highly recommended to change this.
61
#   user_<account>_<user> = <key> [group] [group] [...] [storage_url]
1251
71
super_admin_key = swauthkey
62
# There are special groups of:
1252
63
#   .reseller_admin = can do anything to any account for this auth
1253
64
#   .admin = can do anything within the account
1254
65
# If neither of these groups are specified, the user can only access containers
1255
66
# that have been explicitly allowed for them by a .admin or .reseller_admin.
1256
67
# The trailing optional storage_url allows you to specify an alternate url to
1257
68
# hand back to the user upon authentication. If not specified, this defaults to
1258
69
# http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https
1259
70
# depends on whether cert_file is specified in the [DEFAULT] section, <ip> and
1260
71
# <port> are based on the [DEFAULT] section's bind_ip and bind_port (falling
1261
72
# back to 127.0.0.1 and 8080), <reseller_prefix> is from this section, and
1262
73
# <account> is from the user_<account>_<user> name.
1263
74
# Here are example entries, required for running the tests:
1264
75
user_admin_admin = admin .admin .reseller_admin
1265
76
user_test_tester = testing .admin
1266
77
user_test2_tester2 = testing2 .admin
1267
78
user_test_tester3 = testing3
1268
72
79
1269
73
[filter:healthcheck]
80
[filter:healthcheck]
1270
74
use = egg:swift#healthcheck
81
use = egg:swift#healthcheck
1271
75
82
1272
=== modified file 'setup.py'
1273
--- setup.py	2011-05-26 09:25:39 +0000
1274
+++ setup.py	2011-06-09 21:09:39 +0000
1275
@@ -96,10 +96,6 @@
1276
96
        'bin/swift-log-stats-collector',
96
        'bin/swift-log-stats-collector',
1277
97
        'bin/swift-account-stats-logger',
97
        'bin/swift-account-stats-logger',
1278
98
        'bin/swift-container-stats-logger',
98
        'bin/swift-container-stats-logger',
1279
99
        'bin/swauth-add-account', 'bin/swauth-add-user',
1280
100
        'bin/swauth-cleanup-tokens', 'bin/swauth-delete-account',
1281
101
        'bin/swauth-delete-user', 'bin/swauth-list', 'bin/swauth-prep',
1282
102
        'bin/swauth-set-account-service',
1283
103
        ],
99
        ],
1284
104
    entry_points={
100
    entry_points={
1285
105
        'paste.app_factory': [
101
        'paste.app_factory': [
1286
@@ -109,7 +105,6 @@
1287
109
            'account=swift.account.server:app_factory',
105
            'account=swift.account.server:app_factory',
1288
110
            ],
106
            ],
1289
111
        'paste.filter_factory': [
107
        'paste.filter_factory': [
1290
112
            'swauth=swift.common.middleware.swauth:filter_factory',
1291
113
            'healthcheck=swift.common.middleware.healthcheck:filter_factory',
108
            'healthcheck=swift.common.middleware.healthcheck:filter_factory',
1292
114
            'memcache=swift.common.middleware.memcache:filter_factory',
109
            'memcache=swift.common.middleware.memcache:filter_factory',
1293
115
            'ratelimit=swift.common.middleware.ratelimit:filter_factory',
110
            'ratelimit=swift.common.middleware.ratelimit:filter_factory',
1294
@@ -118,6 +113,7 @@
1295
118
            'domain_remap=swift.common.middleware.domain_remap:filter_factory',
113
            'domain_remap=swift.common.middleware.domain_remap:filter_factory',
1296
119
            'swift3=swift.common.middleware.swift3:filter_factory',
114
            'swift3=swift.common.middleware.swift3:filter_factory',
1297
120
            'staticweb=swift.common.middleware.staticweb:filter_factory',
115
            'staticweb=swift.common.middleware.staticweb:filter_factory',
1298
116
            'tempauth=swift.common.middleware.tempauth:filter_factory',
1299
121
            ],
117
            ],
1300
122
        },
118
        },
1301
123
    )
119
    )
1302
124
120
1303
=== modified file 'swift/common/middleware/staticweb.py'
1304
--- swift/common/middleware/staticweb.py	2011-03-25 19:21:35 +0000
1305
+++ swift/common/middleware/staticweb.py	2011-06-09 21:09:39 +0000
1306
@@ -28,7 +28,7 @@
1307
28
    ...
28
    ...
1308
29
29
1309
30
    [pipeline:main]
30
    [pipeline:main]
1311
31
    pipeline = healthcheck cache swauth staticweb proxy-server
31
    pipeline = healthcheck cache tempauth staticweb proxy-server
1312
32
32
1313
33
    ...
33
    ...
1314
34
34
1315
35
35
1316
=== removed file 'swift/common/middleware/swauth.py'
1317
--- swift/common/middleware/swauth.py	2011-05-09 20:21:34 +0000
1318
+++ swift/common/middleware/swauth.py	1970-01-01 00:00:00 +0000
1319
@@ -1,1374 +0,0 @@
1320
1
# Copyright (c) 2010 OpenStack, LLC.
1321
2
#
1322
3
# Licensed under the Apache License, Version 2.0 (the "License");
1323
4
# you may not use this file except in compliance with the License.
1324
5
# You may obtain a copy of the License at
1325
6
#
1326
7
#    http://www.apache.org/licenses/LICENSE-2.0
1327
8
#
1328
9
# Unless required by applicable law or agreed to in writing, software
1329
10
# distributed under the License is distributed on an "AS IS" BASIS,
1330
11
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
1331
12
# implied.
1332
13
# See the License for the specific language governing permissions and
1333
14
# limitations under the License.
1334
15
1335
16
try:
1336
17
    import simplejson as json
1337
18
except ImportError:
1338
19
    import json
1339
20
from httplib import HTTPConnection, HTTPSConnection
1340
21
from time import gmtime, strftime, time
1341
22
from traceback import format_exc
1342
23
from urllib import quote, unquote
1343
24
from uuid import uuid4
1344
25
from hashlib import md5, sha1
1345
26
import hmac
1346
27
import base64
1347
28
1348
29
from eventlet.timeout import Timeout
1349
30
from eventlet import TimeoutError
1350
31
from webob import Response, Request
1351
32
from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPConflict, \
1352
33
    HTTPCreated, HTTPForbidden, HTTPNoContent, HTTPNotFound, \
1353
34
    HTTPServiceUnavailable, HTTPUnauthorized
1354
35
1355
36
from swift.common.bufferedhttp import http_connect_raw as http_connect
1356
37
from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
1357
38
from swift.common.utils import cache_from_env, get_logger, split_path, urlparse
1358
39
1359
40
1360
41
class Swauth(object):
1361
42
    """
1362
43
    Scalable authentication and authorization system that uses Swift as its
1363
44
    backing store.
1364
45
1365
46
    :param app: The next WSGI app in the pipeline
1366
47
    :param conf: The dict of configuration values
1367
48
    """
1368
49
1369
50
    def __init__(self, app, conf):
1370
51
        self.app = app
1371
52
        self.conf = conf
1372
53
        self.logger = get_logger(conf, log_route='swauth')
1373
54
        self.log_headers = conf.get('log_headers') == 'True'
1374
55
        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
1375
56
        if self.reseller_prefix and self.reseller_prefix[-1] != '_':
1376
57
            self.reseller_prefix += '_'
1377
58
        self.auth_prefix = conf.get('auth_prefix', '/auth/')
1378
59
        if not self.auth_prefix:
1379
60
            self.auth_prefix = '/auth/'
1380
61
        if self.auth_prefix[0] != '/':
1381
62
            self.auth_prefix = '/' + self.auth_prefix
1382
63
        if self.auth_prefix[-1] != '/':
1383
64
            self.auth_prefix += '/'
1384
65
        self.auth_account = '%s.auth' % self.reseller_prefix
1385
66
        self.default_swift_cluster = conf.get('default_swift_cluster',
1386
67
            'local#http://127.0.0.1:8080/v1')
1387
68
        # This setting is a little messy because of the options it has to
1388
69
        # provide. The basic format is cluster_name#url, such as the default
1389
70
        # value of local#http://127.0.0.1:8080/v1.
1390
71
        # If the URL given to the user needs to differ from the url used by
1391
72
        # Swauth to create/delete accounts, there's a more complex format:
1392
73
        # cluster_name#url#url, such as
1393
74
        # local#https://public.com:8080/v1#http://private.com:8080/v1.
1394
75
        cluster_parts = self.default_swift_cluster.split('#', 2)
1395
76
        self.dsc_name = cluster_parts[0]
1396
77
        if len(cluster_parts) == 3:
1397
78
            self.dsc_url = cluster_parts[1].rstrip('/')
1398
79
            self.dsc_url2 = cluster_parts[2].rstrip('/')
1399
80
        elif len(cluster_parts) == 2:
1400
81
            self.dsc_url = self.dsc_url2 = cluster_parts[1].rstrip('/')
1401
82
        else:
1402
83
            raise Exception('Invalid cluster format')
1403
84
        self.dsc_parsed = urlparse(self.dsc_url)
1404
85
        if self.dsc_parsed.scheme not in ('http', 'https'):
1405
86
            raise Exception('Cannot handle protocol scheme %s for url %s' %
1406
87
                            (self.dsc_parsed.scheme, repr(self.dsc_url)))
1407
88
        self.dsc_parsed2 = urlparse(self.dsc_url2)
1408
89
        if self.dsc_parsed2.scheme not in ('http', 'https'):
1409
90
            raise Exception('Cannot handle protocol scheme %s for url %s' %
1410
91
                            (self.dsc_parsed2.scheme, repr(self.dsc_url2)))
1411
92
        self.super_admin_key = conf.get('super_admin_key')
1412
93
        if not self.super_admin_key:
1413
94
            msg = _('No super_admin_key set in conf file! Exiting.')
1414
95
            try:
1415
96
                self.logger.critical(msg)
1416
97
            except Exception:
1417
98
                pass
1418
99
            raise ValueError(msg)
1419
100
        self.token_life = int(conf.get('token_life', 86400))
1420
101
        self.timeout = int(conf.get('node_timeout', 10))
1421
102
        self.itoken = None
1422
103
        self.itoken_expires = None
1423
104
1424
105
    def __call__(self, env, start_response):
1425
106
        """
1426
107
        Accepts a standard WSGI application call, authenticating the request
1427
108
        and installing callback hooks for authorization and ACL header
1428
109
        validation. For an authenticated request, REMOTE_USER will be set to a
1429
110
        comma separated list of the user's groups.
1430
111
1431
112
        With a non-empty reseller prefix, acts as the definitive auth service
1432
113
        for just tokens and accounts that begin with that prefix, but will deny
1433
114
        requests outside this prefix if no other auth middleware overrides it.
1434
115
1435
116
        With an empty reseller prefix, acts as the definitive auth service only
1436
117
        for tokens that validate to a non-empty set of groups. For all other
1437
118
        requests, acts as the fallback auth service when no other auth
1438
119
        middleware overrides it.
1439
120
1440
121
        Alternatively, if the request matches the self.auth_prefix, the request
1441
122
        will be routed through the internal auth request handler (self.handle).
1442
123
        This is to handle creating users, accounts, granting tokens, etc.
1443
124
        """
1444
125
        if 'HTTP_X_CF_TRANS_ID' not in env:
1445
126
            env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())
1446
127
        if env.get('PATH_INFO', '').startswith(self.auth_prefix):
1447
128
            return self.handle(env, start_response)
1448
129
        s3 = env.get('HTTP_AUTHORIZATION')
1449
130
        token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
1450
131
        if s3 or (token and token.startswith(self.reseller_prefix)):
1451
132
            # Note: Empty reseller_prefix will match all tokens.
1452
133
            groups = self.get_groups(env, token)
1453
134
            if groups:
1454
135
                env['REMOTE_USER'] = groups
1455
136
                user = groups and groups.split(',', 1)[0] or ''
1456
137
                # We know the proxy logs the token, so we augment it just a bit
1457
138
                # to also log the authenticated user.
1458
139
                env['HTTP_X_AUTH_TOKEN'] = \
1459
140
                    '%s,%s' % (user, 's3' if s3 else token)
1460
141
                env['swift.authorize'] = self.authorize
1461
142
                env['swift.clean_acl'] = clean_acl
1462
143
            else:
1463
144
                # Unauthorized token
1464
145
                if self.reseller_prefix:
1465
146
                    # Because I know I'm the definitive auth for this token, I
1466
147
                    # can deny it outright.
1467
148
                    return HTTPUnauthorized()(env, start_response)
1468
149
                # Because I'm not certain if I'm the definitive auth for empty
1469
150
                # reseller_prefixed tokens, I won't overwrite swift.authorize.
1470
151
                elif 'swift.authorize' not in env:
1471
152
                    env['swift.authorize'] = self.denied_response
1472
153
        else:
1473
154
            if self.reseller_prefix:
1474
155
                # With a non-empty reseller_prefix, I would like to be called
1475
156
                # back for anonymous access to accounts I know I'm the
1476
157
                # definitive auth for.
1477
158
                try:
1478
159
                    version, rest = split_path(env.get('PATH_INFO', ''),
1479
160
                                               1, 2, True)
1480
161
                except ValueError:
1481
162
                    return HTTPNotFound()(env, start_response)
1482
163
                if rest and rest.startswith(self.reseller_prefix):
1483
164
                    # Handle anonymous access to accounts I'm the definitive
1484
165
                    # auth for.
1485
166
                    env['swift.authorize'] = self.authorize
1486
167
                    env['swift.clean_acl'] = clean_acl
1487
168
                # Not my token, not my account, I can't authorize this request,
1488
169
                # deny all is a good idea if not already set...
1489
170
                elif 'swift.authorize' not in env:
1490
171
                    env['swift.authorize'] = self.denied_response
1491
172
            # Because I'm not certain if I'm the definitive auth for empty
1492
173
            # reseller_prefixed accounts, I won't overwrite swift.authorize.
1493
174
            elif 'swift.authorize' not in env:
1494
175
                env['swift.authorize'] = self.authorize
1495
176
                env['swift.clean_acl'] = clean_acl
1496
177
        return self.app(env, start_response)
1497
178
1498
179
    def get_groups(self, env, token):
1499
180
        """
1500
181
        Get groups for the given token.
1501
182
1502
183
        :param env: The current WSGI environment dictionary.
1503
184
        :param token: Token to validate and return a group string for.
1504
185
1505
186
        :returns: None if the token is invalid or a string containing a comma
1506
187
                  separated list of groups the authenticated user is a member
1507
188
                  of. The first group in the list is also considered a unique
1508
189
                  identifier for that user.
1509
190
        """
1510
191
        groups = None
1511
192
        memcache_client = cache_from_env(env)
1512
193
        if memcache_client:
1513
194
            memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
1514
195
            cached_auth_data = memcache_client.get(memcache_key)
1515
196
            if cached_auth_data:
1516
197
                expires, groups = cached_auth_data
1517
198
                if expires < time():
1518
199
                    groups = None
1519
200
1520
201
        if env.get('HTTP_AUTHORIZATION'):
1521
202
            account = env['HTTP_AUTHORIZATION'].split(' ')[1]
1522
203
            account, user, sign = account.split(':')
1523
204
            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
1524
205
            resp = self.make_request(env, 'GET', path).get_response(self.app)
1525
206
            if resp.status_int // 100 != 2:
1526
207
                return None
1527
208
1528
209
            if 'x-object-meta-account-id' in resp.headers:
1529
210
                account_id = resp.headers['x-object-meta-account-id']
1530
211
            else:
1531
212
                path = quote('/v1/%s/%s' % (self.auth_account, account))
1532
213
                resp2 = self.make_request(env, 'HEAD',
1533
214
                                          path).get_response(self.app)
1534
215
                if resp2.status_int // 100 != 2:
1535
216
                    return None
1536
217
                account_id = resp2.headers['x-container-meta-account-id']
1537
218
1538
219
            path = env['PATH_INFO']
1539
220
            env['PATH_INFO'] = path.replace("%s:%s" % (account, user),
1540
221
                                            account_id, 1)
1541
222
            detail = json.loads(resp.body)
1542
223
1543
224
            password = detail['auth'].split(':')[-1]
1544
225
            msg = base64.urlsafe_b64decode(unquote(token))
1545
226
            s = base64.encodestring(hmac.new(detail['auth'].split(':')[-1],
1546
227
                                             msg, sha1).digest()).strip()
1547
228
            if s != sign:
1548
229
                return None
1549
230
            groups = [g['name'] for g in detail['groups']]
1550
231
            if '.admin' in groups:
1551
232
                groups.remove('.admin')
1552
233
                groups.append(account_id)
1553
234
            groups = ','.join(groups)
1554
235
            return groups
1555
236
1556
237
        if not groups:
1557
238
            path = quote('/v1/%s/.token_%s/%s' %
1558
239
                         (self.auth_account, token[-1], token))
1559
240
            resp = self.make_request(env, 'GET', path).get_response(self.app)
1560
241
            if resp.status_int // 100 != 2:
1561
242
                return None
1562
243
            detail = json.loads(resp.body)
1563
244
            if detail['expires'] < time():
1564
245
                self.make_request(env, 'DELETE', path).get_response(self.app)
1565
246
                return None
1566
247
            groups = [g['name'] for g in detail['groups']]
1567
248
            if '.admin' in groups:
1568
249
                groups.remove('.admin')
1569
250
                groups.append(detail['account_id'])
1570
251
            groups = ','.join(groups)
1571
252
            if memcache_client:
1572
253
                memcache_client.set(memcache_key, (detail['expires'], groups),
1573
254
                                    timeout=float(detail['expires'] - time()))
1574
255
        return groups
1575
256
1576
257
    def authorize(self, req):
1577
258
        """
1578
259
        Returns None if the request is authorized to continue or a standard
1579
260
        WSGI response callable if not.
1580
261
        """
1581
262
        try:
1582
263
            version, account, container, obj = split_path(req.path, 1, 4, True)
1583
264
        except ValueError:
1584
265
            return HTTPNotFound(request=req)
1585
266
        if not account or not account.startswith(self.reseller_prefix):
1586
267
            return self.denied_response(req)
1587
268
        user_groups = (req.remote_user or '').split(',')
1588
269
        if '.reseller_admin' in user_groups and \
1589
270
                account != self.reseller_prefix and \
1590
271
                account[len(self.reseller_prefix)] != '.':
1591
272
            return None
1592
273
        if account in user_groups and \
1593
274
                (req.method not in ('DELETE', 'PUT') or container):
1594
275
            # If the user is admin for the account and is not trying to do an
1595
276
            # account DELETE or PUT...
1596
277
            return None
1597
278
        referrers, groups = parse_acl(getattr(req, 'acl', None))
1598
279
        if referrer_allowed(req.referer, referrers):
1599
280
            if obj or '.rlistings' in groups:
1600
281
                return None
1601
282
            return self.denied_response(req)
1602
283
        if not req.remote_user:
1603
284
            return self.denied_response(req)
1604
285
        for user_group in user_groups:
1605
286
            if user_group in groups:
1606
287
                return None
1607
288
        return self.denied_response(req)
1608
289
1609
290
    def denied_response(self, req):
1610
291
        """
1611
292
        Returns a standard WSGI response callable with the status of 403 or 401
1612
293
        depending on whether the REMOTE_USER is set or not.
1613
294
        """
1614
295
        if req.remote_user:
1615
296
            return HTTPForbidden(request=req)
1616
297
        else:
1617
298
            return HTTPUnauthorized(request=req)
1618
299
1619
300
    def handle(self, env, start_response):
1620
301
        """
1621
302
        WSGI entry point for auth requests (ones that match the
1622
303
        self.auth_prefix).
1623
304
        Wraps env in webob.Request object and passes it down.
1624
305
1625
306
        :param env: WSGI environment dictionary
1626
307
        :param start_response: WSGI callable
1627
308
        """
1628
309
        try:
1629
310
            req = Request(env)
1630
311
            if self.auth_prefix:
1631
312
                req.path_info_pop()
1632
313
            req.bytes_transferred = '-'
1633
314
            req.client_disconnect = False
1634
315
            if 'x-storage-token' in req.headers and \
1635
316
                    'x-auth-token' not in req.headers:
1636
317
                req.headers['x-auth-token'] = req.headers['x-storage-token']
1637
318
            if 'eventlet.posthooks' in env:
1638
319
                env['eventlet.posthooks'].append(
1639
320
                    (self.posthooklogger, (req,), {}))
1640
321
                return self.handle_request(req)(env, start_response)
1641
322
            else:
1642
323
                # Lack of posthook support means that we have to log on the
1643
324
                # start of the response, rather than after all the data has
1644
325
                # been sent. This prevents logging client disconnects
1645
326
                # differently than full transmissions.
1646
327
                response = self.handle_request(req)(env, start_response)
1647
328
                self.posthooklogger(env, req)
1648
329
                return response
1649
330
        except (Exception, TimeoutError):
1650
331
            print "EXCEPTION IN handle: %s: %s" % (format_exc(), env)
1651
332
            start_response('500 Server Error',
1652
333
                           [('Content-Type', 'text/plain')])
1653
334
            return ['Internal server error.\n']
1654
335
1655
336
    def handle_request(self, req):
1656
337
        """
1657
338
        Entry point for auth requests (ones that match the self.auth_prefix).
1658
339
        Should return a WSGI-style callable (such as webob.Response).
1659
340
1660
341
        :param req: webob.Request object
1661
342
        """
1662
343
        req.start_time = time()
1663
344
        handler = None
1664
345
        try:
1665
346
            version, account, user, _junk = split_path(req.path_info,
1666
347
                minsegs=1, maxsegs=4, rest_with_last=True)
1667
348
        except ValueError:
1668
349
            return HTTPNotFound(request=req)
1669
350
        if version in ('v1', 'v1.0', 'auth'):
1670
351
            if req.method == 'GET':
1671
352
                handler = self.handle_get_token
1672
353
        elif version == 'v2':
1673
354
            req.path_info_pop()
1674
355
            if req.method == 'GET':
1675
356
                if not account and not user:
1676
357
                    handler = self.handle_get_reseller
1677
358
                elif account:
1678
359
                    if not user:
1679
360
                        handler = self.handle_get_account
1680
361
                    elif account == '.token':
1681
362
                        req.path_info_pop()
1682
363
                        handler = self.handle_validate_token
1683
364
                    else:
1684
365
                        handler = self.handle_get_user
1685
366
            elif req.method == 'PUT':
1686
367
                if not user:
1687
368
                    handler = self.handle_put_account
1688
369
                else:
1689
370
                    handler = self.handle_put_user
1690
371
            elif req.method == 'DELETE':
1691
372
                if not user:
1692
373
                    handler = self.handle_delete_account
1693
374
                else:
1694
375
                    handler = self.handle_delete_user
1695
376
            elif req.method == 'POST':
1696
377
                if account == '.prep':
1697
378
                    handler = self.handle_prep
1698
379
                elif user == '.services':
1699
380
                    handler = self.handle_set_services
1700
381
        if not handler:
1701
382
            req.response = HTTPBadRequest(request=req)
1702
383
        else:
1703
384
            req.response = handler(req)
1704
385
        return req.response
1705
386
1706
387
    def handle_prep(self, req):
1707
388
        """
1708
389
        Handles the POST v2/.prep call for preparing the backing store Swift
1709
390
        cluster for use with the auth subsystem. Can only be called by
1710
391
        .super_admin.
1711
392
1712
393
        :param req: The webob.Request to process.
1713
394
        :returns: webob.Response, 204 on success
1714
395
        """
1715
396
        if not self.is_super_admin(req):
1716
397
            return HTTPForbidden(request=req)
1717
398
        path = quote('/v1/%s' % self.auth_account)
1718
399
        resp = self.make_request(req.environ, 'PUT',
1719
400
                                 path).get_response(self.app)
1720
401
        if resp.status_int // 100 != 2:
1721
402
            raise Exception('Could not create the main auth account: %s %s' %
1722
403
                            (path, resp.status))
1723
404
        path = quote('/v1/%s/.account_id' % self.auth_account)
1724
405
        resp = self.make_request(req.environ, 'PUT',
1725
406
                                 path).get_response(self.app)
1726
407
        if resp.status_int // 100 != 2:
1727
408
            raise Exception('Could not create container: %s %s' %
1728
409
                            (path, resp.status))
1729
410
        for container in xrange(16):
1730
411
            path = quote('/v1/%s/.token_%x' % (self.auth_account, container))
1731
412
            resp = self.make_request(req.environ, 'PUT',
1732
413
                                     path).get_response(self.app)
1733
414
            if resp.status_int // 100 != 2:
1734
415
                raise Exception('Could not create container: %s %s' %
1735
416
                                (path, resp.status))
1736
417
        return HTTPNoContent(request=req)
1737
418
1738
419
    def handle_get_reseller(self, req):
1739
420
        """
1740
421
        Handles the GET v2 call for getting general reseller information
1741
422
        (currently just a list of accounts). Can only be called by a
1742
423
        .reseller_admin.
1743
424
1744
425
        On success, a JSON dictionary will be returned with a single `accounts`
1745
426
        key whose value is list of dicts. Each dict represents an account and
1746
427
        currently only contains the single key `name`. For example::
1747
428
1748
429
            {"accounts": [{"name": "reseller"}, {"name": "test"},
1749
430
                          {"name": "test2"}]}
1750
431
1751
432
        :param req: The webob.Request to process.
1752
433
        :returns: webob.Response, 2xx on success with a JSON dictionary as
1753
434
                  explained above.
1754
435
        """
1755
436
        if not self.is_reseller_admin(req):
1756
437
            return HTTPForbidden(request=req)
1757
438
        listing = []
1758
439
        marker = ''
1759
440
        while True:
1760
441
            path = '/v1/%s?format=json&marker=%s' % (quote(self.auth_account),
1761
442
                                                     quote(marker))
1762
443
            resp = self.make_request(req.environ, 'GET',
1763
444
                                     path).get_response(self.app)
1764
445
            if resp.status_int // 100 != 2:
1765
446
                raise Exception('Could not list main auth account: %s %s' %
1766
447
                                (path, resp.status))
1767
448
            sublisting = json.loads(resp.body)
1768
449
            if not sublisting:
1769
450
                break
1770
451
            for container in sublisting:
1771
452
                if container['name'][0] != '.':
1772
453
                    listing.append({'name': container['name']})
1773
454
            marker = sublisting[-1]['name']
1774
455
        return Response(body=json.dumps({'accounts': listing}))
1775
456
1776
457
    def handle_get_account(self, req):
1777
458
        """
1778
459
        Handles the GET v2/<account> call for getting account information.
1779
460
        Can only be called by an account .admin.
1780
461
1781
462
        On success, a JSON dictionary will be returned containing the keys
1782
463
        `account_id`, `services`, and `users`. The `account_id` is the value
1783
464
        used when creating service accounts. The `services` value is a dict as
1784
465
        described in the :func:`handle_get_token` call. The `users` value is a
1785
466
        list of dicts, each dict representing a user and currently only
1786
467
        containing the single key `name`. For example::
1787
468
1788
469
             {"account_id": "AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162",
1789
470
              "services": {"storage": {"default": "local",
1790
471
                           "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}},
1791
472
              "users": [{"name": "tester"}, {"name": "tester3"}]}
1792
473
1793
474
        :param req: The webob.Request to process.
1794
475
        :returns: webob.Response, 2xx on success with a JSON dictionary as
1795
476
                  explained above.
1796
477
        """
1797
478
        account = req.path_info_pop()
1798
479
        if req.path_info or not account or account[0] == '.':
1799
480
            return HTTPBadRequest(request=req)
1800
481
        if not self.is_account_admin(req, account):
1801
482
            return HTTPForbidden(request=req)
1802
483
        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
1803
484
        resp = self.make_request(req.environ, 'GET',
1804
485
                                 path).get_response(self.app)
1805
486
        if resp.status_int == 404:
1806
487
            return HTTPNotFound(request=req)
1807
488
        if resp.status_int // 100 != 2:
1808
489
            raise Exception('Could not obtain the .services object: %s %s' %
1809
490
                            (path, resp.status))
1810
491
        services = json.loads(resp.body)
1811
492
        listing = []
1812
493
        marker = ''
1813
494
        while True:
1814
495
            path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
1815
496
                (self.auth_account, account)), quote(marker))
1816
497
            resp = self.make_request(req.environ, 'GET',
1817
498
                                     path).get_response(self.app)
1818
499
            if resp.status_int == 404:
1819
500
                return HTTPNotFound(request=req)
1820
501
            if resp.status_int // 100 != 2:
1821
502
                raise Exception('Could not list in main auth account: %s %s' %
1822
503
                                (path, resp.status))
1823
504
            account_id = resp.headers['X-Container-Meta-Account-Id']
1824
505
            sublisting = json.loads(resp.body)
1825
506
            if not sublisting:
1826
507
                break
1827
508
            for obj in sublisting:
1828
509
                if obj['name'][0] != '.':
1829
510
                    listing.append({'name': obj['name']})
1830
511
            marker = sublisting[-1]['name']
1831
512
        return Response(body=json.dumps({'account_id': account_id,
1832
513
                                    'services': services, 'users': listing}))
1833
514
1834
515
    def handle_set_services(self, req):
1835
516
        """
1836
517
        Handles the POST v2/<account>/.services call for setting services
1837
518
        information. Can only be called by a reseller .admin.
1838
519
1839
520
        In the :func:`handle_get_account` (GET v2/<account>) call, a section of
1840
521
        the returned JSON dict is `services`. This section looks something like
1841
522
        this::
1842
523
1843
524
              "services": {"storage": {"default": "local",
1844
525
                            "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}}
1845
526
1846
527
        Making use of this section is described in :func:`handle_get_token`.
1847
528
1848
529
        This function allows setting values within this section for the
1849
530
        <account>, allowing the addition of new service end points or updating
1850
531
        existing ones.
1851
532
1852
533
        The body of the POST request should contain a JSON dict with the
1853
534
        following format::
1854
535
1855
536
            {"service_name": {"end_point_name": "end_point_value"}}
1856
537
1857
538
        There can be multiple services and multiple end points in the same
1858
539
        call.
1859
540
1860
541
        Any new services or end points will be added to the existing set of
1861
542
        services and end points. Any existing services with the same service
1862
543
        name will be merged with the new end points. Any existing end points
1863
544
        with the same end point name will have their values updated.
1864
545
1865
546
        The updated services dictionary will be returned on success.
1866
547
1867
548
        :param req: The webob.Request to process.
1868
549
        :returns: webob.Response, 2xx on success with the udpated services JSON
1869
550
                  dict as described above
1870
551
        """
1871
552
        if not self.is_reseller_admin(req):
1872
553
            return HTTPForbidden(request=req)
1873
554
        account = req.path_info_pop()
1874
555
        if req.path_info != '/.services' or not account or account[0] == '.':
1875
556
            return HTTPBadRequest(request=req)
1876
557
        try:
1877
558
            new_services = json.loads(req.body)
1878
559
        except ValueError, err:
1879
560
            return HTTPBadRequest(body=str(err))
1880
561
        # Get the current services information
1881
562
        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
1882
563
        resp = self.make_request(req.environ, 'GET',
1883
564
                                 path).get_response(self.app)
1884
565
        if resp.status_int == 404:
1885
566
            return HTTPNotFound(request=req)
1886
567
        if resp.status_int // 100 != 2:
1887
568
            raise Exception('Could not obtain services info: %s %s' %
1888
569
                            (path, resp.status))
1889
570
        services = json.loads(resp.body)
1890
571
        for new_service, value in new_services.iteritems():
1891
572
            if new_service in services:
1892
573
                services[new_service].update(value)
1893
574
            else:
1894
575
                services[new_service] = value
1895
576
        # Save the new services information
1896
577
        services = json.dumps(services)
1897
578
        resp = self.make_request(req.environ, 'PUT', path,
1898
579
                                 services).get_response(self.app)
1899
580
        if resp.status_int // 100 != 2:
1900
581
            raise Exception('Could not save .services object: %s %s' %
1901
582
                            (path, resp.status))
1902
583
        return Response(request=req, body=services)
1903
584
1904
585
    def handle_put_account(self, req):
1905
586
        """
1906
587
        Handles the PUT v2/<account> call for adding an account to the auth
1907
588
        system. Can only be called by a .reseller_admin.
1908
589
1909
590
        By default, a newly created UUID4 will be used with the reseller prefix
1910
591
        as the account id used when creating corresponding service accounts.
1911
592
        However, you can provide an X-Account-Suffix header to replace the
1912
593
        UUID4 part.
1913
594
1914
595
        :param req: The webob.Request to process.
1915
596
        :returns: webob.Response, 2xx on success.
1916
597
        """
1917
598
        if not self.is_reseller_admin(req):
1918
599
            return HTTPForbidden(request=req)
1919
600
        account = req.path_info_pop()
1920
601
        if req.path_info or not account or account[0] == '.':
1921
602
            return HTTPBadRequest(request=req)
1922
603
        # Ensure the container in the main auth account exists (this
1923
604
        # container represents the new account)
1924
605
        path = quote('/v1/%s/%s' % (self.auth_account, account))
1925
606
        resp = self.make_request(req.environ, 'HEAD',
1926
607
                                 path).get_response(self.app)
1927
608
        if resp.status_int == 404:
1928
609
            resp = self.make_request(req.environ, 'PUT',
1929
610
                                     path).get_response(self.app)
1930
611
            if resp.status_int // 100 != 2:
1931
612
                raise Exception('Could not create account within main auth '
1932
613
                    'account: %s %s' % (path, resp.status))
1933
614
        elif resp.status_int // 100 == 2:
1934
615
            if 'x-container-meta-account-id' in resp.headers:
1935
616
                # Account was already created
1936
617
                return HTTPAccepted(request=req)
1937
618
        else:
1938
619
            raise Exception('Could not verify account within main auth '
1939
620
                'account: %s %s' % (path, resp.status))
1940
621
        account_suffix = req.headers.get('x-account-suffix')
1941
622
        if not account_suffix:
1942
623
            account_suffix = str(uuid4())
1943
624
        # Create the new account in the Swift cluster
1944
625
        path = quote('%s/%s%s' % (self.dsc_parsed2.path,
1945
626
                                  self.reseller_prefix, account_suffix))
1946
627
        try:
1947
628
            conn = self.get_conn()
1948
629
            conn.request('PUT', path,
1949
630
                        headers={'X-Auth-Token': self.get_itoken(req.environ)})
1950
631
            resp = conn.getresponse()
1951
632
            resp.read()
1952
633
            if resp.status // 100 != 2:
1953
634
                raise Exception('Could not create account on the Swift '
1954
635
                    'cluster: %s %s %s' % (path, resp.status, resp.reason))
1955
636
        except (Exception, TimeoutError):
1956
637
            self.logger.error(_('ERROR: Exception while trying to communicate '
1957
638
                'with %(scheme)s://%(host)s:%(port)s/%(path)s'),
1958
639
                {'scheme': self.dsc_parsed2.scheme,
1959
640
                 'host': self.dsc_parsed2.hostname,
1960
641
                 'port': self.dsc_parsed2.port, 'path': path})
1961
642
            raise
1962
643
        # Record the mapping from account id back to account name
1963
644
        path = quote('/v1/%s/.account_id/%s%s' %
1964
645
                     (self.auth_account, self.reseller_prefix, account_suffix))
1965
646
        resp = self.make_request(req.environ, 'PUT', path,
1966
647
                                 account).get_response(self.app)
1967
648
        if resp.status_int // 100 != 2:
1968
649
            raise Exception('Could not create account id mapping: %s %s' %
1969
650
                            (path, resp.status))
1970
651
        # Record the cluster url(s) for the account
1971
652
        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
1972
653
        services = {'storage': {}}
1973
654
        services['storage'][self.dsc_name] = '%s/%s%s' % (self.dsc_url,
1974
655
            self.reseller_prefix, account_suffix)
1975
656
        services['storage']['default'] = self.dsc_name
1976
657
        resp = self.make_request(req.environ, 'PUT', path,
1977
658
                                 json.dumps(services)).get_response(self.app)
1978
659
        if resp.status_int // 100 != 2:
1979
660
            raise Exception('Could not create .services object: %s %s' %
1980
661
                            (path, resp.status))
1981
662
        # Record the mapping from account name to the account id
1982
663
        path = quote('/v1/%s/%s' % (self.auth_account, account))
1983
664
        resp = self.make_request(req.environ, 'POST', path,
1984
665
            headers={'X-Container-Meta-Account-Id': '%s%s' %
1985
666
            (self.reseller_prefix, account_suffix)}).get_response(self.app)
1986
667
        if resp.status_int // 100 != 2:
1987
668
            raise Exception('Could not record the account id on the account: '
1988
669
                            '%s %s' % (path, resp.status))
1989
670
        return HTTPCreated(request=req)
1990
671
1991
672
    def handle_delete_account(self, req):
1992
673
        """
1993
674
        Handles the DELETE v2/<account> call for removing an account from the
1994
675
        auth system. Can only be called by a .reseller_admin.
1995
676
1996
677
        :param req: The webob.Request to process.
1997
678
        :returns: webob.Response, 2xx on success.
1998
679
        """
1999
680
        if not self.is_reseller_admin(req):
2000
681
            return HTTPForbidden(request=req)
2001
682
        account = req.path_info_pop()
2002
683
        if req.path_info or not account or account[0] == '.':
2003
684
            return HTTPBadRequest(request=req)
2004
685
        # Make sure the account has no users and get the account_id
2005
686
        marker = ''
2006
687
        while True:
2007
688
            path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
2008
689
                (self.auth_account, account)), quote(marker))
2009
690
            resp = self.make_request(req.environ, 'GET',
2010
691
                                     path).get_response(self.app)
2011
692
            if resp.status_int == 404:
2012
693
                return HTTPNotFound(request=req)
2013
694
            if resp.status_int // 100 != 2:
2014
695
                raise Exception('Could not list in main auth account: %s %s' %
2015
696
                                (path, resp.status))
2016
697
            account_id = resp.headers['x-container-meta-account-id']
2017
698
            sublisting = json.loads(resp.body)
2018
699
            if not sublisting:
2019
700
                break
2020
701
            for obj in sublisting:
2021
702
                if obj['name'][0] != '.':
2022
703
                    return HTTPConflict(request=req)
2023
704
            marker = sublisting[-1]['name']
2024
705
        # Obtain the listing of services the account is on.
2025
706
        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
2026
707
        resp = self.make_request(req.environ, 'GET',
2027
708
                                 path).get_response(self.app)
2028
709
        if resp.status_int // 100 != 2 and resp.status_int != 404:
2029
710
            raise Exception('Could not obtain .services object: %s %s' %
2030
711
                            (path, resp.status))
2031
712
        if resp.status_int // 100 == 2:
2032
713
            services = json.loads(resp.body)
2033
714
            # Delete the account on each cluster it is on.
2034
715
            deleted_any = False
2035
716
            for name, url in services['storage'].iteritems():
2036
717
                if name != 'default':
2037
718
                    parsed = urlparse(url)
2038
719
                    conn = self.get_conn(parsed)
2039
720
                    conn.request('DELETE', parsed.path,
2040
721
                        headers={'X-Auth-Token': self.get_itoken(req.environ)})
2041
722
                    resp = conn.getresponse()
2042
723
                    resp.read()
2043
724
                    if resp.status == 409:
2044
725
                        if deleted_any:
2045
726
                            raise Exception('Managed to delete one or more '
2046
727
                                'service end points, but failed with: '
2047
728
                                '%s %s %s' % (url, resp.status, resp.reason))
2048
729
                        else:
2049
730
                            return HTTPConflict(request=req)
2050
731
                    if resp.status // 100 != 2 and resp.status != 404:
2051
732
                        raise Exception('Could not delete account on the '
2052
733
                            'Swift cluster: %s %s %s' %
2053
734
                            (url, resp.status, resp.reason))
2054
735
                    deleted_any = True
2055
736
            # Delete the .services object itself.
2056
737
            path = quote('/v1/%s/%s/.services' %
2057
738
                         (self.auth_account, account))
2058
739
            resp = self.make_request(req.environ, 'DELETE',
2059
740
                                     path).get_response(self.app)
2060
741
            if resp.status_int // 100 != 2 and resp.status_int != 404:
2061
742
                raise Exception('Could not delete .services object: %s %s' %
2062
743
                                (path, resp.status))
2063
744
        # Delete the account id mapping for the account.
2064
745
        path = quote('/v1/%s/.account_id/%s' %
2065
746
                     (self.auth_account, account_id))
2066
747
        resp = self.make_request(req.environ, 'DELETE',
2067
748
                                 path).get_response(self.app)
2068
749
        if resp.status_int // 100 != 2 and resp.status_int != 404:
2069
750
            raise Exception('Could not delete account id mapping: %s %s' %
2070
751
                            (path, resp.status))
2071
752
        # Delete the account marker itself.
2072
753
        path = quote('/v1/%s/%s' % (self.auth_account, account))
2073
754
        resp = self.make_request(req.environ, 'DELETE',
2074
755
                                 path).get_response(self.app)
2075
756
        if resp.status_int // 100 != 2 and resp.status_int != 404:
2076
757
            raise Exception('Could not delete account marked: %s %s' %
2077
758
                            (path, resp.status))
2078
759
        return HTTPNoContent(request=req)
2079
760
2080
761
    def handle_get_user(self, req):
2081
762
        """
2082
763
        Handles the GET v2/<account>/<user> call for getting user information.
2083
764
        Can only be called by an account .admin.
2084
765
2085
766
        On success, a JSON dict will be returned as described::
2086
767
2087
768
            {"groups": [  # List of groups the user is a member of
2088
769
                {"name": "<act>:<usr>"},
2089
770
                    # The first group is a unique user identifier
2090
771
                {"name": "<account>"},
2091
772
                    # The second group is the auth account name
2092
773
                {"name": "<additional-group>"}
2093
774
                    # There may be additional groups, .admin being a special
2094
775
                    # group indicating an account admin and .reseller_admin
2095
776
                    # indicating a reseller admin.
2096
777
             ],
2097
778
             "auth": "plaintext:<key>"
2098
779
             # The auth-type and key for the user; currently only plaintext is
2099
780
             # implemented.
2100
781
            }
2101
782
2102
783
        For example::
2103
784
2104
785
            {"groups": [{"name": "test:tester"}, {"name": "test"},
2105
786
                        {"name": ".admin"}],
2106
787
             "auth": "plaintext:testing"}
2107
788
2108
789
        If the <user> in the request is the special user `.groups`, the JSON
2109
790
        dict will contain a single key of `groups` whose value is a list of
2110
791
        dicts representing the active groups within the account. Each dict
2111
792
        currently has the single key `name`. For example::
2112
793
2113
794
            {"groups": [{"name": ".admin"}, {"name": "test"},
2114
795
                        {"name": "test:tester"}, {"name": "test:tester3"}]}
2115
796
2116
797
        :param req: The webob.Request to process.
2117
798
        :returns: webob.Response, 2xx on success with a JSON dictionary as
2118
799
                  explained above.
2119
800
        """
2120
801
        account = req.path_info_pop()
2121
802
        user = req.path_info_pop()
2122
803
        if req.path_info or not account or account[0] == '.' or not user or \
2123
804
                (user[0] == '.' and user != '.groups'):
2124
805
            return HTTPBadRequest(request=req)
2125
806
        if not self.is_account_admin(req, account):
2126
807
            return HTTPForbidden(request=req)
2127
808
        if user == '.groups':
2128
809
            # TODO: This could be very slow for accounts with a really large
2129
810
            # number of users. Speed could be improved by concurrently
2130
811
            # requesting user group information. Then again, I don't *know*
2131
812
            # it's slow for `normal` use cases, so testing should be done.
2132
813
            groups = set()
2133
814
            marker = ''
2134
815
            while True:
2135
816
                path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
2136
817
                    (self.auth_account, account)), quote(marker))
2137
818
                resp = self.make_request(req.environ, 'GET',
2138
819
                                         path).get_response(self.app)
2139
820
                if resp.status_int == 404:
2140
821
                    return HTTPNotFound(request=req)
2141
822
                if resp.status_int // 100 != 2:
2142
823
                    raise Exception('Could not list in main auth account: '
2143
824
                                    '%s %s' % (path, resp.status))
2144
825
                sublisting = json.loads(resp.body)
2145
826
                if not sublisting:
2146
827
                    break
2147
828
                for obj in sublisting:
2148
829
                    if obj['name'][0] != '.':
2149
830
                        path = quote('/v1/%s/%s/%s' % (self.auth_account,
2150
831
                                                       account, obj['name']))
2151
832
                        resp = self.make_request(req.environ, 'GET',
2152
833
                                                 path).get_response(self.app)
2153
834
                        if resp.status_int // 100 != 2:
2154
835
                            raise Exception('Could not retrieve user object: '
2155
836
                                            '%s %s' % (path, resp.status))
2156
837
                        groups.update(g['name']
2157
838
                            for g in json.loads(resp.body)['groups'])
2158
839
                marker = sublisting[-1]['name']
2159
840
            body = json.dumps({'groups':
2160
841
                                [{'name': g} for g in sorted(groups)]})
2161
842
        else:
2162
843
            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2163
844
            resp = self.make_request(req.environ, 'GET',
2164
845
                                     path).get_response(self.app)
2165
846
            if resp.status_int == 404:
2166
847
                return HTTPNotFound(request=req)
2167
848
            if resp.status_int // 100 != 2:
2168
849
                raise Exception('Could not retrieve user object: %s %s' %
2169
850
                                (path, resp.status))
2170
851
            body = resp.body
2171
852
            display_groups = [g['name'] for g in json.loads(body)['groups']]
2172
853
            if ('.admin' in display_groups and
2173
854
                not self.is_reseller_admin(req)) or \
2174
855
               ('.reseller_admin' in display_groups and
2175
856
                not self.is_super_admin(req)):
2176
857
                return HTTPForbidden(request=req)
2177
858
        return Response(body=body)
2178
859
2179
860
    def handle_put_user(self, req):
2180
861
        """
2181
862
        Handles the PUT v2/<account>/<user> call for adding a user to an
2182
863
        account.
2183
864
2184
865
        X-Auth-User-Key represents the user's key, X-Auth-User-Admin may be set
2185
866
        to `true` to create an account .admin, and X-Auth-User-Reseller-Admin
2186
867
        may be set to `true` to create a .reseller_admin.
2187
868
2188
869
        Can only be called by an account .admin unless the user is to be a
2189
870
        .reseller_admin, in which case the request must be by .super_admin.
2190
871
2191
872
        :param req: The webob.Request to process.
2192
873
        :returns: webob.Response, 2xx on success.
2193
874
        """
2194
875
        # Validate path info
2195
876
        account = req.path_info_pop()
2196
877
        user = req.path_info_pop()
2197
878
        key = req.headers.get('x-auth-user-key')
2198
879
        admin = req.headers.get('x-auth-user-admin') == 'true'
2199
880
        reseller_admin = \
2200
881
            req.headers.get('x-auth-user-reseller-admin') == 'true'
2201
882
        if reseller_admin:
2202
883
            admin = True
2203
884
        if req.path_info or not account or account[0] == '.' or not user or \
2204
885
                user[0] == '.' or not key:
2205
886
            return HTTPBadRequest(request=req)
2206
887
        if reseller_admin:
2207
888
            if not self.is_super_admin(req):
2208
889
                return HTTPForbidden(request=req)
2209
890
        elif not self.is_account_admin(req, account):
2210
891
            return HTTPForbidden(request=req)
2211
892
2212
893
        path = quote('/v1/%s/%s' % (self.auth_account, account))
2213
894
        resp = self.make_request(req.environ, 'HEAD',
2214
895
                                 path).get_response(self.app)
2215
896
        if resp.status_int // 100 != 2:
2216
897
            raise Exception('Could not retrieve account id value: %s %s' %
2217
898
                            (path, resp.status))
2218
899
        headers = {'X-Object-Meta-Account-Id':
2219
900
                        resp.headers['x-container-meta-account-id']}
2220
901
        # Create the object in the main auth account (this object represents
2221
902
        # the user)
2222
903
        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2223
904
        groups = ['%s:%s' % (account, user), account]
2224
905
        if admin:
2225
906
            groups.append('.admin')
2226
907
        if reseller_admin:
2227
908
            groups.append('.reseller_admin')
2228
909
        resp = self.make_request(req.environ, 'PUT', path,
2229
910
            json.dumps({'auth': 'plaintext:%s' % key,
2230
911
                        'groups': [{'name': g} for g in groups]}),
2231
912
            headers=headers).get_response(self.app)
2232
913
        if resp.status_int == 404:
2233
914
            return HTTPNotFound(request=req)
2234
915
        if resp.status_int // 100 != 2:
2235
916
            raise Exception('Could not create user object: %s %s' %
2236
917
                            (path, resp.status))
2237
918
        return HTTPCreated(request=req)
2238
919
2239
920
    def handle_delete_user(self, req):
2240
921
        """
2241
922
        Handles the DELETE v2/<account>/<user> call for deleting a user from an
2242
923
        account.
2243
924
2244
925
        Can only be called by an account .admin.
2245
926
2246
927
        :param req: The webob.Request to process.
2247
928
        :returns: webob.Response, 2xx on success.
2248
929
        """
2249
930
        # Validate path info
2250
931
        account = req.path_info_pop()
2251
932
        user = req.path_info_pop()
2252
933
        if req.path_info or not account or account[0] == '.' or not user or \
2253
934
                user[0] == '.':
2254
935
            return HTTPBadRequest(request=req)
2255
936
        if not self.is_account_admin(req, account):
2256
937
            return HTTPForbidden(request=req)
2257
938
        # Delete the user's existing token, if any.
2258
939
        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2259
940
        resp = self.make_request(req.environ, 'HEAD',
2260
941
                                 path).get_response(self.app)
2261
942
        if resp.status_int == 404:
2262
943
            return HTTPNotFound(request=req)
2263
944
        elif resp.status_int // 100 != 2:
2264
945
            raise Exception('Could not obtain user details: %s %s' %
2265
946
                            (path, resp.status))
2266
947
        candidate_token = resp.headers.get('x-object-meta-auth-token')
2267
948
        if candidate_token:
2268
949
            path = quote('/v1/%s/.token_%s/%s' %
2269
950
                (self.auth_account, candidate_token[-1], candidate_token))
2270
951
            resp = self.make_request(req.environ, 'DELETE',
2271
952
                                     path).get_response(self.app)
2272
953
            if resp.status_int // 100 != 2 and resp.status_int != 404:
2273
954
                raise Exception('Could not delete possibly existing token: '
2274
955
                                '%s %s' % (path, resp.status))
2275
956
        # Delete the user entry itself.
2276
957
        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2277
958
        resp = self.make_request(req.environ, 'DELETE',
2278
959
                                 path).get_response(self.app)
2279
960
        if resp.status_int // 100 != 2 and resp.status_int != 404:
2280
961
            raise Exception('Could not delete the user object: %s %s' %
2281
962
                            (path, resp.status))
2282
963
        return HTTPNoContent(request=req)
2283
964
2284
965
    def handle_get_token(self, req):
2285
966
        """
2286
967
        Handles the various `request for token and service end point(s)` calls.
2287
968
        There are various formats to support the various auth servers in the
2288
969
        past. Examples::
2289
970
2290
971
            GET <auth-prefix>/v1/<act>/auth
2291
972
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <usr>
2292
973
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
2293
974
            GET <auth-prefix>/auth
2294
975
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
2295
976
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
2296
977
            GET <auth-prefix>/v1.0
2297
978
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
2298
979
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
2299
980
2300
981
        On successful authentication, the response will have X-Auth-Token and
2301
982
        X-Storage-Token set to the token to use with Swift and X-Storage-URL
2302
983
        set to the URL to the default Swift cluster to use.
2303
984
2304
985
        The response body will be set to the account's services JSON object as
2305
986
        described here::
2306
987
2307
988
            {"storage": {     # Represents the Swift storage service end points
2308
989
                "default": "cluster1", # Indicates which cluster is the default
2309
990
                "cluster1": "<URL to use with Swift>",
2310
991
                    # A Swift cluster that can be used with this account,
2311
992
                    # "cluster1" is the name of the cluster which is usually a
2312
993
                    # location indicator (like "dfw" for a datacenter region).
2313
994
                "cluster2": "<URL to use with Swift>"
2314
995
                    # Another Swift cluster that can be used with this account,
2315
996
                    # there will always be at least one Swift cluster to use or
2316
997
                    # this whole "storage" dict won't be included at all.
2317
998
             },
2318
999
             "servers": {       # Represents the Nova server service end points
2319
1000
                # Expected to be similar to the "storage" dict, but not
2320
1001
                # implemented yet.
2321
1002
             },
2322
1003
             # Possibly other service dicts, not implemented yet.
2323
1004
            }
2324
1005
2325
1006
        :param req: The webob.Request to process.
2326
1007
        :returns: webob.Response, 2xx on success with data set as explained
2327
1008
                  above.
2328
1009
        """
2329
1010
        # Validate the request info
2330
1011
        try:
2331
1012
            pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3,
2332
1013
                                  rest_with_last=True)
2333
1014
        except ValueError:
2334
1015
            return HTTPNotFound(request=req)
2335
1016
        if pathsegs[0] == 'v1' and pathsegs[2] == 'auth':
2336
1017
            account = pathsegs[1]
2337
1018
            user = req.headers.get('x-storage-user')
2338
1019
            if not user:
2339
1020
                user = req.headers.get('x-auth-user')
2340
1021
                if not user or ':' not in user:
2341
1022
                    return HTTPUnauthorized(request=req)
2342
1023
                account2, user = user.split(':', 1)
2343
1024
                if account != account2:
2344
1025
                    return HTTPUnauthorized(request=req)
2345
1026
            key = req.headers.get('x-storage-pass')
2346
1027
            if not key:
2347
1028
                key = req.headers.get('x-auth-key')
2348
1029
        elif pathsegs[0] in ('auth', 'v1.0'):
2349
1030
            user = req.headers.get('x-auth-user')
2350
1031
            if not user:
2351
1032
                user = req.headers.get('x-storage-user')
2352
1033
            if not user or ':' not in user:
2353
1034
                return HTTPUnauthorized(request=req)
2354
1035
            account, user = user.split(':', 1)
2355
1036
            key = req.headers.get('x-auth-key')
2356
1037
            if not key:
2357
1038
                key = req.headers.get('x-storage-pass')
2358
1039
        else:
2359
1040
            return HTTPBadRequest(request=req)
2360
1041
        if not all((account, user, key)):
2361
1042
            return HTTPUnauthorized(request=req)
2362
1043
        if user == '.super_admin' and key == self.super_admin_key:
2363
1044
            token = self.get_itoken(req.environ)
2364
1045
            url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix)
2365
1046
            return Response(request=req,
2366
1047
              body=json.dumps({'storage': {'default': 'local', 'local': url}}),
2367
1048
              headers={'x-auth-token': token, 'x-storage-token': token,
2368
1049
                       'x-storage-url': url})
2369
1050
        # Authenticate user
2370
1051
        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2371
1052
        resp = self.make_request(req.environ, 'GET',
2372
1053
                                 path).get_response(self.app)
2373
1054
        if resp.status_int == 404:
2374
1055
            return HTTPUnauthorized(request=req)
2375
1056
        if resp.status_int // 100 != 2:
2376
1057
            raise Exception('Could not obtain user details: %s %s' %
2377
1058
                            (path, resp.status))
2378
1059
        user_detail = json.loads(resp.body)
2379
1060
        if not self.credentials_match(user_detail, key):
2380
1061
            return HTTPUnauthorized(request=req)
2381
1062
        # See if a token already exists and hasn't expired
2382
1063
        token = None
2383
1064
        candidate_token = resp.headers.get('x-object-meta-auth-token')
2384
1065
        if candidate_token:
2385
1066
            path = quote('/v1/%s/.token_%s/%s' %
2386
1067
                (self.auth_account, candidate_token[-1], candidate_token))
2387
1068
            resp = self.make_request(req.environ, 'GET',
2388
1069
                                     path).get_response(self.app)
2389
1070
            if resp.status_int // 100 == 2:
2390
1071
                token_detail = json.loads(resp.body)
2391
1072
                if token_detail['expires'] > time():
2392
1073
                    token = candidate_token
2393
1074
                else:
2394
1075
                    self.make_request(req.environ, 'DELETE',
2395
1076
                                      path).get_response(self.app)
2396
1077
            elif resp.status_int != 404:
2397
1078
                raise Exception('Could not detect whether a token already '
2398
1079
                                'exists: %s %s' % (path, resp.status))
2399
1080
        # Create a new token if one didn't exist
2400
1081
        if not token:
2401
1082
            # Retrieve account id, we'll save this in the token
2402
1083
            path = quote('/v1/%s/%s' % (self.auth_account, account))
2403
1084
            resp = self.make_request(req.environ, 'HEAD',
2404
1085
                                     path).get_response(self.app)
2405
1086
            if resp.status_int // 100 != 2:
2406
1087
                raise Exception('Could not retrieve account id value: '
2407
1088
                                '%s %s' % (path, resp.status))
2408
1089
            account_id = \
2409
1090
                resp.headers['x-container-meta-account-id']
2410
1091
            # Generate new token
2411
1092
            token = '%stk%s' % (self.reseller_prefix, uuid4().hex)
2412
1093
            # Save token info
2413
1094
            path = quote('/v1/%s/.token_%s/%s' %
2414
1095
                         (self.auth_account, token[-1], token))
2415
1096
            resp = self.make_request(req.environ, 'PUT', path,
2416
1097
                json.dumps({'account': account, 'user': user,
2417
1098
                'account_id': account_id,
2418
1099
                'groups': user_detail['groups'],
2419
1100
                'expires': time() + self.token_life})).get_response(self.app)
2420
1101
            if resp.status_int // 100 != 2:
2421
1102
                raise Exception('Could not create new token: %s %s' %
2422
1103
                                (path, resp.status))
2423
1104
            # Record the token with the user info for future use.
2424
1105
            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
2425
1106
            resp = self.make_request(req.environ, 'POST', path,
2426
1107
                headers={'X-Object-Meta-Auth-Token': token}
2427
1108
                ).get_response(self.app)
2428
1109
            if resp.status_int // 100 != 2:
2429
1110
                raise Exception('Could not save new token: %s %s' %
2430
1111
                                (path, resp.status))
2431
1112
        # Get the services information
2432
1113
        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
2433
1114
        resp = self.make_request(req.environ, 'GET',
2434
1115
                                 path).get_response(self.app)
2435
1116
        if resp.status_int // 100 != 2:
2436
1117
            raise Exception('Could not obtain services info: %s %s' %
2437
1118
                            (path, resp.status))
2438
1119
        detail = json.loads(resp.body)
2439
1120
        url = detail['storage'][detail['storage']['default']]
2440
1121
        return Response(request=req, body=resp.body,
2441
1122
            headers={'x-auth-token': token, 'x-storage-token': token,
2442
1123
                     'x-storage-url': url})
2443
1124
2444
1125
    def handle_validate_token(self, req):
2445
1126
        """
2446
1127
        Handles the GET v2/.token/<token> call for validating a token, usually
2447
1128
        called by a service like Swift.
2448
1129
2449
1130
        On a successful validation, X-Auth-TTL will be set for how much longer
2450
1131
        this token is valid and X-Auth-Groups will contain a comma separated
2451
1132
        list of groups the user belongs to.
2452
1133
2453
1134
        The first group listed will be a unique identifier for the user the
2454
1135
        token represents.
2455
1136
2456
1137
        .reseller_admin is a special group that indicates the user should be
2457
1138
        allowed to do anything on any account.
2458
1139
2459
1140
        :param req: The webob.Request to process.
2460
1141
        :returns: webob.Response, 2xx on success with data set as explained
2461
1142
                  above.
2462
1143
        """
2463
1144
        token = req.path_info_pop()
2464
1145
        if req.path_info or not token.startswith(self.reseller_prefix):
2465
1146
            return HTTPBadRequest(request=req)
2466
1147
        expires = groups = None
2467
1148
        memcache_client = cache_from_env(req.environ)
2468
1149
        if memcache_client:
2469
1150
            memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
2470
1151
            cached_auth_data = memcache_client.get(memcache_key)
2471
1152
            if cached_auth_data:
2472
1153
                expires, groups = cached_auth_data
2473
1154
                if expires < time():
2474
1155
                    groups = None
2475
1156
        if not groups:
2476
1157
            path = quote('/v1/%s/.token_%s/%s' %
2477
1158
                         (self.auth_account, token[-1], token))
2478
1159
            resp = self.make_request(req.environ, 'GET',
2479
1160
                                     path).get_response(self.app)
2480
1161
            if resp.status_int // 100 != 2:
2481
1162
                return HTTPNotFound(request=req)
2482
1163
            detail = json.loads(resp.body)
2483
1164
            expires = detail['expires']
2484
1165
            if expires < time():
2485
1166
                self.make_request(req.environ, 'DELETE',
2486
1167
                                  path).get_response(self.app)
2487
1168
                return HTTPNotFound(request=req)
2488
1169
            groups = [g['name'] for g in detail['groups']]
2489
1170
            if '.admin' in groups:
2490
1171
                groups.remove('.admin')
2491
1172
                groups.append(detail['account_id'])
2492
1173
            groups = ','.join(groups)
2493
1174
        return HTTPNoContent(headers={'X-Auth-TTL': expires - time(),
2494
1175
                                      'X-Auth-Groups': groups})
2495
1176
2496
1177
    def make_request(self, env, method, path, body=None, headers=None):
2497
1178
        """
2498
1179
        Makes a new webob.Request based on the current env but with the
2499
1180
        parameters specified.
2500
1181
2501
1182
        :param env: Current WSGI environment dictionary
2502
1183
        :param method: HTTP method of new request
2503
1184
        :param path: HTTP path of new request
2504
1185
        :param body: HTTP body of new request; None by default
2505
1186
        :param headers: Extra HTTP headers of new request; None by default
2506
1187
2507
1188
        :returns: webob.Request object
2508
1189
        """
2509
1190
        newenv = {'REQUEST_METHOD': method, 'HTTP_USER_AGENT': 'Swauth'}
2510
1191
        for name in ('swift.cache', 'HTTP_X_CF_TRANS_ID'):
2511
1192
            if name in env:
2512
1193
                newenv[name] = env[name]
2513
1194
        if not headers:
2514
1195
            headers = {}
2515
1196
        if body:
2516
1197
            return Request.blank(path, environ=newenv, body=body,
2517
1198
                                 headers=headers)
2518
1199
        else:
2519
1200
            return Request.blank(path, environ=newenv, headers=headers)
2520
1201
2521
1202
    def get_conn(self, urlparsed=None):
2522
1203
        """
2523
1204
        Returns an HTTPConnection based on the urlparse result given or the
2524
1205
        default Swift cluster (internal url) urlparse result.
2525
1206
2526
1207
        :param urlparsed: The result from urlparse.urlparse or None to use the
2527
1208
                          default Swift cluster's value
2528
1209
        """
2529
1210
        if not urlparsed:
2530
1211
            urlparsed = self.dsc_parsed2
2531
1212
        if urlparsed.scheme == 'http':
2532
1213
            return HTTPConnection(urlparsed.netloc)
2533
1214
        else:
2534
1215
            return HTTPSConnection(urlparsed.netloc)
2535
1216
2536
1217
    def get_itoken(self, env):
2537
1218
        """
2538
1219
        Returns the current internal token to use for the auth system's own
2539
1220
        actions with other services. Each process will create its own
2540
1221
        itoken and the token will be deleted and recreated based on the
2541
1222
        token_life configuration value. The itoken information is stored in
2542
1223
        memcache because the auth process that is asked by Swift to validate
2543
1224
        the token may not be the same as the auth process that created the
2544
1225
        token.
2545
1226
        """
2546
1227
        if not self.itoken or self.itoken_expires < time():
2547
1228
            self.itoken = '%sitk%s' % (self.reseller_prefix, uuid4().hex)
2548
1229
            memcache_key = '%s/auth/%s' % (self.reseller_prefix, self.itoken)
2549
1230
            self.itoken_expires = time() + self.token_life - 60
2550
1231
            memcache_client = cache_from_env(env)
2551
1232
            if not memcache_client:
2552
1233
                raise Exception(
2553
1234
                    'No memcache set up; required for Swauth middleware')
2554
1235
            memcache_client.set(memcache_key, (self.itoken_expires,
2555
1236
                '.auth,.reseller_admin,%s.auth' % self.reseller_prefix),
2556
1237
                timeout=self.token_life)
2557
1238
        return self.itoken
2558
1239
2559
1240
    def get_admin_detail(self, req):
2560
1241
        """
2561
1242
        Returns the dict for the user specified as the admin in the request
2562
1243
        with the addition of an `account` key set to the admin user's account.
2563
1244
2564
1245
        :param req: The webob request to retrieve X-Auth-Admin-User and
2565
1246
                    X-Auth-Admin-Key from.
2566
1247
        :returns: The dict for the admin user with the addition of the
2567
1248
                  `account` key.
2568
1249
        """
2569
1250
        if ':' not in req.headers.get('x-auth-admin-user', ''):
2570
1251
            return None
2571
1252
        admin_account, admin_user = \
2572
1253
            req.headers.get('x-auth-admin-user').split(':', 1)
2573
1254
        path = quote('/v1/%s/%s/%s' % (self.auth_account, admin_account,
2574
1255
                                       admin_user))
2575
1256
        resp = self.make_request(req.environ, 'GET',
2576
1257
                                 path).get_response(self.app)
2577
1258
        if resp.status_int == 404:
2578
1259
            return None
2579
1260
        if resp.status_int // 100 != 2:
2580
1261
            raise Exception('Could not get admin user object: %s %s' %
2581
1262
                            (path, resp.status))
2582
1263
        admin_detail = json.loads(resp.body)
2583
1264
        admin_detail['account'] = admin_account
2584
1265
        return admin_detail
2585
1266
2586
1267
    def credentials_match(self, user_detail, key):
2587
1268
        """
2588
1269
        Returns True if the key is valid for the user_detail. Currently, this
2589
1270
        only supports plaintext key matching.
2590
1271
2591
1272
        :param user_detail: The dict for the user.
2592
1273
        :param key: The key to validate for the user.
2593
1274
        :returns: True if the key is valid for the user, False if not.
2594
1275
        """
2595
1276
        return user_detail and user_detail.get('auth') == 'plaintext:%s' % key
2596
1277
2597
1278
    def is_super_admin(self, req):
2598
1279
        """
2599
1280
        Returns True if the admin specified in the request represents the
2600
1281
        .super_admin.
2601
1282
2602
1283
        :param req: The webob.Request to check.
2603
1284
        :param returns: True if .super_admin.
2604
1285
        """
2605
1286
        return req.headers.get('x-auth-admin-user') == '.super_admin' and \
2606
1287
               req.headers.get('x-auth-admin-key') == self.super_admin_key
2607
1288
2608
1289
    def is_reseller_admin(self, req, admin_detail=None):
2609
1290
        """
2610
1291
        Returns True if the admin specified in the request represents a
2611
1292
        .reseller_admin.
2612
1293
2613
1294
        :param req: The webob.Request to check.
2614
1295
        :param admin_detail: The previously retrieved dict from
2615
1296
                             :func:`get_admin_detail` or None for this function
2616
1297
                             to retrieve the admin_detail itself.
2617
1298
        :param returns: True if .reseller_admin.
2618
1299
        """
2619
1300
        if self.is_super_admin(req):
2620
1301
            return True
2621
1302
        if not admin_detail:
2622
1303
            admin_detail = self.get_admin_detail(req)
2623
1304
        if not self.credentials_match(admin_detail,
2624
1305
                                      req.headers.get('x-auth-admin-key')):
2625
1306
            return False
2626
1307
        return '.reseller_admin' in (g['name'] for g in admin_detail['groups'])
2627
1308
2628
1309
    def is_account_admin(self, req, account):
2629
1310
        """
2630
1311
        Returns True if the admin specified in the request represents a .admin
2631
1312
        for the account specified.
2632
1313
2633
1314
        :param req: The webob.Request to check.
2634
1315
        :param account: The account to check for .admin against.
2635
1316
        :param returns: True if .admin.
2636
1317
        """
2637
1318
        if self.is_super_admin(req):
2638
1319
            return True
2639
1320
        admin_detail = self.get_admin_detail(req)
2640
1321
        if admin_detail:
2641
1322
            if self.is_reseller_admin(req, admin_detail=admin_detail):
2642
1323
                return True
2643
1324
            if not self.credentials_match(admin_detail,
2644
1325
                                          req.headers.get('x-auth-admin-key')):
2645
1326
                return False
2646
1327
            return admin_detail and admin_detail['account'] == account and \
2647
1328
                   '.admin' in (g['name'] for g in admin_detail['groups'])
2648
1329
        return False
2649
1330
2650
1331
    def posthooklogger(self, env, req):
2651
1332
        if not req.path.startswith(self.auth_prefix):
2652
1333
            return
2653
1334
        response = getattr(req, 'response', None)
2654
1335
        if not response:
2655
1336
            return
2656
1337
        trans_time = '%.4f' % (time() - req.start_time)
2657
1338
        the_request = quote(unquote(req.path))
2658
1339
        if req.query_string:
2659
1340
            the_request = the_request + '?' + req.query_string
2660
1341
        # remote user for zeus
2661
1342
        client = req.headers.get('x-cluster-client-ip')
2662
1343
        if not client and 'x-forwarded-for' in req.headers:
2663
1344
            # remote user for other lbs
2664
1345
            client = req.headers['x-forwarded-for'].split(',')[0].strip()
2665
1346
        logged_headers = None
2666
1347
        if self.log_headers:
2667
1348
            logged_headers = '\n'.join('%s: %s' % (k, v)
2668
1349
                                       for k, v in req.headers.items())
2669
1350
        status_int = response.status_int
2670
1351
        if getattr(req, 'client_disconnect', False) or \
2671
1352
                getattr(response, 'client_disconnect', False):
2672
1353
            status_int = 499
2673
1354
        self.logger.info(' '.join(quote(str(x)) for x in (client or '-',
2674
1355
            req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()),
2675
1356
            req.method, the_request, req.environ['SERVER_PROTOCOL'],
2676
1357
            status_int, req.referer or '-', req.user_agent or '-',
2677
1358
            req.headers.get('x-auth-token',
2678
1359
                req.headers.get('x-auth-admin-user', '-')),
2679
1360
            getattr(req, 'bytes_transferred', 0) or '-',
2680
1361
            getattr(response, 'bytes_transferred', 0) or '-',
2681
1362
            req.headers.get('etag', '-'),
2682
1363
            req.headers.get('x-trans-id', '-'), logged_headers or '-',
2683
1364
            trans_time)))
2684
1365
2685
1366
2686
1367
def filter_factory(global_conf, **local_conf):
2687
1368
    """Returns a WSGI filter app for use with paste.deploy."""
2688
1369
    conf = global_conf.copy()
2689
1370
    conf.update(local_conf)
2690
1371
2691
1372
    def auth_filter(app):
2692
1373
        return Swauth(app, conf)
2693
1374
    return auth_filter
2694
1375
0
2695
=== added file 'swift/common/middleware/tempauth.py'
2696
--- swift/common/middleware/tempauth.py	1970-01-01 00:00:00 +0000
2697
+++ swift/common/middleware/tempauth.py	2011-06-09 21:09:39 +0000
2698
@@ -0,0 +1,482 @@
2699
1
# Copyright (c) 2011 OpenStack, LLC.
2700
2
#
2701
3
# Licensed under the Apache License, Version 2.0 (the "License");
2702
4
# you may not use this file except in compliance with the License.
2703
5
# You may obtain a copy of the License at
2704
6
#
2705
7
#    http://www.apache.org/licenses/LICENSE-2.0
2706
8
#
2707
9
# Unless required by applicable law or agreed to in writing, software
2708
10
# distributed under the License is distributed on an "AS IS" BASIS,
2709
11
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
2710
12
# implied.
2711
13
# See the License for the specific language governing permissions and
2712
14
# limitations under the License.
2713
15
2714
16
from time import gmtime, strftime, time
2715
17
from traceback import format_exc
2716
18
from urllib import quote, unquote
2717
19
from uuid import uuid4
2718
20
from hashlib import sha1
2719
21
import hmac
2720
22
import base64
2721
23
2722
24
from eventlet import TimeoutError
2723
25
from webob import Response, Request
2724
26
from webob.exc import HTTPBadRequest, HTTPForbidden, HTTPNotFound, \
2725
27
    HTTPUnauthorized
2726
28
2727
29
from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
2728
30
from swift.common.utils import cache_from_env, get_logger, split_path
2729
31
2730
32
2731
33
class TempAuth(object):
2732
34
    """
2733
35
    Test authentication and authorization system.
2734
36
2735
37
    Add to your pipeline in proxy-server.conf, such as::
2736
38
2737
39
        [pipeline:main]
2738
40
        pipeline = catch_errors cache tempauth proxy-server
2739
41
2740
42
    And add a tempauth filter section, such as::
2741
43
2742
44
        [filter:tempauth]
2743
45
        use = egg:swift#tempauth
2744
46
        user_admin_admin = admin .admin .reseller_admin
2745
47
        user_test_tester = testing .admin
2746
48
        user_test2_tester2 = testing2 .admin
2747
49
        user_test_tester3 = testing3
2748
50
2749
51
    See the proxy-server.conf-sample for more information.
2750
52
2751
53
    :param app: The next WSGI app in the pipeline
2752
54
    :param conf: The dict of configuration values
2753
55
    """
2754
56
2755
57
    def __init__(self, app, conf):
2756
58
        self.app = app
2757
59
        self.conf = conf
2758
60
        self.logger = get_logger(conf, log_route='tempauth')
2759
61
        self.log_headers = conf.get('log_headers') == 'True'
2760
62
        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
2761
63
        if self.reseller_prefix and self.reseller_prefix[-1] != '_':
2762
64
            self.reseller_prefix += '_'
2763
65
        self.auth_prefix = conf.get('auth_prefix', '/auth/')
2764
66
        if not self.auth_prefix:
2765
67
            self.auth_prefix = '/auth/'
2766
68
        if self.auth_prefix[0] != '/':
2767
69
            self.auth_prefix = '/' + self.auth_prefix
2768
70
        if self.auth_prefix[-1] != '/':
2769
71
            self.auth_prefix += '/'
2770
72
        self.token_life = int(conf.get('token_life', 86400))
2771
73
        self.users = {}
2772
74
        for conf_key in conf:
2773
75
            if conf_key.startswith('user_'):
2774
76
                values = conf[conf_key].split()
2775
77
                if not values:
2776
78
                    raise ValueError('%s has no key set' % conf_key)
2777
79
                key = values.pop(0)
2778
80
                if values and '://' in values[-1]:
2779
81
                    url = values.pop()
2780
82
                else:
2781
83
                    url = 'https://' if 'cert_file' in conf else 'http://'
2782
84
                    ip = conf.get('bind_ip', '127.0.0.1')
2783
85
                    if ip == '0.0.0.0':
2784
86
                        ip = '127.0.0.1'
2785
87
                    url += ip
2786
88
                    url += ':' + conf.get('bind_port', 80) + '/v1/' + \
2787
89
                           self.reseller_prefix + conf_key.split('_')[1]
2788
90
                groups = values
2789
91
                self.users[conf_key.split('_', 1)[1].replace('_', ':')] = {
2790
92
                    'key': key, 'url': url, 'groups': values}
2791
93
        self.created_accounts = False
2792
94
2793
95
    def __call__(self, env, start_response):
2794
96
        """
2795
97
        Accepts a standard WSGI application call, authenticating the request
2796
98
        and installing callback hooks for authorization and ACL header
2797
99
        validation. For an authenticated request, REMOTE_USER will be set to a
2798
100
        comma separated list of the user's groups.
2799
101
2800
102
        With a non-empty reseller prefix, acts as the definitive auth service
2801
103
        for just tokens and accounts that begin with that prefix, but will deny
2802
104
        requests outside this prefix if no other auth middleware overrides it.
2803
105
2804
106
        With an empty reseller prefix, acts as the definitive auth service only
2805
107
        for tokens that validate to a non-empty set of groups. For all other
2806
108
        requests, acts as the fallback auth service when no other auth
2807
109
        middleware overrides it.
2808
110
2809
111
        Alternatively, if the request matches the self.auth_prefix, the request
2810
112
        will be routed through the internal auth request handler (self.handle).
2811
113
        This is to handle granting tokens, etc.
2812
114
        """
2813
115
        # Ensure the accounts we handle have been created
2814
116
        if not self.created_accounts and self.users:
2815
117
            newenv = {'REQUEST_METHOD': 'HEAD', 'HTTP_USER_AGENT': 'TempAuth'}
2816
118
            for name in ('swift.cache', 'HTTP_X_TRANS_ID'):
2817
119
                if name in env:
2818
120
                    newenv[name] = env[name]
2819
121
            for key, value in self.users.iteritems():
2820
122
                account_id = value['url'].rsplit('/', 1)[-1]
2821
123
                newenv['REQUEST_METHOD'] = 'HEAD'
2822
124
                resp = Request.blank('/v1/' + account_id,
2823
125
                                     environ=newenv).get_response(self.app)
2824
126
                if resp.status_int // 100 != 2:
2825
127
                    newenv['REQUEST_METHOD'] = 'PUT'
2826
128
                    resp = Request.blank('/v1/' + account_id,
2827
129
                                         environ=newenv).get_response(self.app)
2828
130
                    if resp.status_int // 100 != 2:
2829
131
                        raise Exception('Could not create account %s for user '
2830
132
                            '%s' % (account_id, key))
2831
133
            self.created_accounts = True
2832
134
2833
135
        if env.get('PATH_INFO', '').startswith(self.auth_prefix):
2834
136
            return self.handle(env, start_response)
2835
137
        s3 = env.get('HTTP_AUTHORIZATION')
2836
138
        token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
2837
139
        if s3 or (token and token.startswith(self.reseller_prefix)):
2838
140
            # Note: Empty reseller_prefix will match all tokens.
2839
141
            groups = self.get_groups(env, token)
2840
142
            if groups:
2841
143
                env['REMOTE_USER'] = groups
2842
144
                user = groups and groups.split(',', 1)[0] or ''
2843
145
                # We know the proxy logs the token, so we augment it just a bit
2844
146
                # to also log the authenticated user.
2845
147
                env['HTTP_X_AUTH_TOKEN'] = \
2846
148
                    '%s,%s' % (user, 's3' if s3 else token)
2847
149
                env['swift.authorize'] = self.authorize
2848
150
                env['swift.clean_acl'] = clean_acl
2849
151
            else:
2850
152
                # Unauthorized token
2851
153
                if self.reseller_prefix:
2852
154
                    # Because I know I'm the definitive auth for this token, I
2853
155
                    # can deny it outright.
2854
156
                    return HTTPUnauthorized()(env, start_response)
2855
157
                # Because I'm not certain if I'm the definitive auth for empty
2856
158
                # reseller_prefixed tokens, I won't overwrite swift.authorize.
2857
159
                elif 'swift.authorize' not in env:
2858
160
                    env['swift.authorize'] = self.denied_response
2859
161
        else:
2860
162
            if self.reseller_prefix:
2861
163
                # With a non-empty reseller_prefix, I would like to be called
2862
164
                # back for anonymous access to accounts I know I'm the
2863
165
                # definitive auth for.
2864
166
                try:
2865
167
                    version, rest = split_path(env.get('PATH_INFO', ''),
2866
168
                                               1, 2, True)
2867
169
                except ValueError:
2868
170
                    return HTTPNotFound()(env, start_response)
2869
171
                if rest and rest.startswith(self.reseller_prefix):
2870
172
                    # Handle anonymous access to accounts I'm the definitive
2871
173
                    # auth for.
2872
174
                    env['swift.authorize'] = self.authorize
2873
175
                    env['swift.clean_acl'] = clean_acl
2874
176
                # Not my token, not my account, I can't authorize this request,
2875
177
                # deny all is a good idea if not already set...
2876
178
                elif 'swift.authorize' not in env:
2877
179
                    env['swift.authorize'] = self.denied_response
2878
180
            # Because I'm not certain if I'm the definitive auth for empty
2879
181
            # reseller_prefixed accounts, I won't overwrite swift.authorize.
2880
182
            elif 'swift.authorize' not in env:
2881
183
                env['swift.authorize'] = self.authorize
2882
184
                env['swift.clean_acl'] = clean_acl
2883
185
        return self.app(env, start_response)
2884
186
2885
187
    def get_groups(self, env, token):
2886
188
        """
2887
189
        Get groups for the given token.
2888
190
2889
191
        :param env: The current WSGI environment dictionary.
2890
192
        :param token: Token to validate and return a group string for.
2891
193
2892
194
        :returns: None if the token is invalid or a string containing a comma
2893
195
                  separated list of groups the authenticated user is a member
2894
196
                  of. The first group in the list is also considered a unique
2895
197
                  identifier for that user.
2896
198
        """
2897
199
        groups = None
2898
200
        memcache_client = cache_from_env(env)
2899
201
        if not memcache_client:
2900
202
            raise Exception('Memcache required')
2901
203
        memcache_token_key = '%s/token/%s' % (self.reseller_prefix, token)
2902
204
        cached_auth_data = memcache_client.get(memcache_token_key)
2903
205
        if cached_auth_data:
2904
206
            expires, groups = cached_auth_data
2905
207
            if expires < time():
2906
208
                groups = None
2907
209
2908
210
        if env.get('HTTP_AUTHORIZATION'):
2909
211
            account_user, sign = \
2910
212
                env['HTTP_AUTHORIZATION'].split(' ')[1].rsplit(':', 1)
2911
213
            if account_user not in self.users:
2912
214
                return None
2913
215
            account, user = account_user.split(':', 1)
2914
216
            account_id = self.users[account_user]['url'].rsplit('/', 1)[-1]
2915
217
            path = env['PATH_INFO']
2916
218
            env['PATH_INFO'] = path.replace(account_user, account_id, 1)
2917
219
            msg = base64.urlsafe_b64decode(unquote(token))
2918
220
            key = self.users[account_user]['key']
2919
221
            s = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
2920
222
            if s != sign:
2921
223
                return None
2922
224
            groups = [account, account_user]
2923
225
            groups.extend(self.users[account_user]['groups'])
2924
226
            if '.admin' in groups:
2925
227
                groups.remove('.admin')
2926
228
                groups.append(account_id)
2927
229
            groups = ','.join(groups)
2928
230
2929
231
        return groups
2930
232
2931
233
    def authorize(self, req):
2932
234
        """
2933
235
        Returns None if the request is authorized to continue or a standard
2934
236
        WSGI response callable if not.
2935
237
        """
2936
238
        try:
2937
239
            version, account, container, obj = split_path(req.path, 1, 4, True)
2938
240
        except ValueError:
2939
241
            return HTTPNotFound(request=req)
2940
242
        if not account or not account.startswith(self.reseller_prefix):
2941
243
            return self.denied_response(req)
2942
244
        user_groups = (req.remote_user or '').split(',')
2943
245
        if '.reseller_admin' in user_groups and \
2944
246
                account != self.reseller_prefix and \
2945
247
                account[len(self.reseller_prefix)] != '.':
2946
248
            return None
2947
249
        if account in user_groups and \
2948
250
                (req.method not in ('DELETE', 'PUT') or container):
2949
251
            # If the user is admin for the account and is not trying to do an
2950
252
            # account DELETE or PUT...
2951
253
            return None
2952
254
        referrers, groups = parse_acl(getattr(req, 'acl', None))
2953
255
        if referrer_allowed(req.referer, referrers):
2954
256
            if obj or '.rlistings' in groups:
2955
257
                return None
2956
258
            return self.denied_response(req)
2957
259
        if not req.remote_user:
2958
260
            return self.denied_response(req)
2959
261
        for user_group in user_groups:
2960
262
            if user_group in groups:
2961
263
                return None
2962
264
        return self.denied_response(req)
2963
265
2964
266
    def denied_response(self, req):
2965
267
        """
2966
268
        Returns a standard WSGI response callable with the status of 403 or 401
2967
269
        depending on whether the REMOTE_USER is set or not.
2968
270
        """
2969
271
        if req.remote_user:
2970
272
            return HTTPForbidden(request=req)
2971
273
        else:
2972
274
            return HTTPUnauthorized(request=req)
2973
275
2974
276
    def handle(self, env, start_response):
2975
277
        """
2976
278
        WSGI entry point for auth requests (ones that match the
2977
279
        self.auth_prefix).
2978
280
        Wraps env in webob.Request object and passes it down.
2979
281
2980
282
        :param env: WSGI environment dictionary
2981
283
        :param start_response: WSGI callable
2982
284
        """
2983
285
        try:
2984
286
            req = Request(env)
2985
287
            if self.auth_prefix:
2986
288
                req.path_info_pop()
2987
289
            req.bytes_transferred = '-'
2988
290
            req.client_disconnect = False
2989
291
            if 'x-storage-token' in req.headers and \
2990
292
                    'x-auth-token' not in req.headers:
2991
293
                req.headers['x-auth-token'] = req.headers['x-storage-token']
2992
294
            if 'eventlet.posthooks' in env:
2993
295
                env['eventlet.posthooks'].append(
2994
296
                    (self.posthooklogger, (req,), {}))
2995
297
                return self.handle_request(req)(env, start_response)
2996
298
            else:
2997
299
                # Lack of posthook support means that we have to log on the
2998
300
                # start of the response, rather than after all the data has
2999
301
                # been sent. This prevents logging client disconnects
3000
302
                # differently than full transmissions.
3001
303
                response = self.handle_request(req)(env, start_response)
3002
304
                self.posthooklogger(env, req)
3003
305
                return response
3004
306
        except (Exception, TimeoutError):
3005
307
            print "EXCEPTION IN handle: %s: %s" % (format_exc(), env)
3006
308
            start_response('500 Server Error',
3007
309
                           [('Content-Type', 'text/plain')])
3008
310
            return ['Internal server error.\n']
3009
311
3010
312
    def handle_request(self, req):
3011
313
        """
3012
314
        Entry point for auth requests (ones that match the self.auth_prefix).
3013
315
        Should return a WSGI-style callable (such as webob.Response).
3014
316
3015
317
        :param req: webob.Request object
3016
318
        """
3017
319
        req.start_time = time()
3018
320
        handler = None
3019
321
        try:
3020
322
            version, account, user, _junk = split_path(req.path_info,
3021
323
                minsegs=1, maxsegs=4, rest_with_last=True)
3022
324
        except ValueError:
3023
325
            return HTTPNotFound(request=req)
3024
326
        if version in ('v1', 'v1.0', 'auth'):
3025
327
            if req.method == 'GET':
3026
328
                handler = self.handle_get_token
3027
329
        if not handler:
3028
330
            req.response = HTTPBadRequest(request=req)
3029
331
        else:
3030
332
            req.response = handler(req)
3031
333
        return req.response
3032
334
3033
335
    def handle_get_token(self, req):
3034
336
        """
3035
337
        Handles the various `request for token and service end point(s)` calls.
3036
338
        There are various formats to support the various auth servers in the
3037
339
        past. Examples::
3038
340
3039
341
            GET <auth-prefix>/v1/<act>/auth
3040
342
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <usr>
3041
343
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
3042
344
            GET <auth-prefix>/auth
3043
345
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
3044
346
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
3045
347
            GET <auth-prefix>/v1.0
3046
348
                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
3047
349
                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
3048
350
3049
351
        On successful authentication, the response will have X-Auth-Token and
3050
352
        X-Storage-Token set to the token to use with Swift and X-Storage-URL
3051
353
        set to the URL to the default Swift cluster to use.
3052
354
3053
355
        :param req: The webob.Request to process.
3054
356
        :returns: webob.Response, 2xx on success with data set as explained
3055
357
                  above.
3056
358
        """
3057
359
        # Validate the request info
3058
360
        try:
3059
361
            pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3,
3060
362
                                  rest_with_last=True)
3061
363
        except ValueError:
3062
364
            return HTTPNotFound(request=req)
3063
365
        if pathsegs[0] == 'v1' and pathsegs[2] == 'auth':
3064
366
            account = pathsegs[1]
3065
367
            user = req.headers.get('x-storage-user')
3066
368
            if not user:
3067
369
                user = req.headers.get('x-auth-user')
3068
370
                if not user or ':' not in user:
3069
371
                    return HTTPUnauthorized(request=req)
3070
372
                account2, user = user.split(':', 1)
3071
373
                if account != account2:
3072
374
                    return HTTPUnauthorized(request=req)
3073
375
            key = req.headers.get('x-storage-pass')
3074
376
            if not key:
3075
377
                key = req.headers.get('x-auth-key')
3076
378
        elif pathsegs[0] in ('auth', 'v1.0'):
3077
379
            user = req.headers.get('x-auth-user')
3078
380
            if not user:
3079
381
                user = req.headers.get('x-storage-user')
3080
382
            if not user or ':' not in user:
3081
383
                return HTTPUnauthorized(request=req)
3082
384
            account, user = user.split(':', 1)
3083
385
            key = req.headers.get('x-auth-key')
3084
386
            if not key:
3085
387
                key = req.headers.get('x-storage-pass')
3086
388
        else:
3087
389
            return HTTPBadRequest(request=req)
3088
390
        if not all((account, user, key)):
3089
391
            return HTTPUnauthorized(request=req)
3090
392
        # Authenticate user
3091
393
        account_user = account + ':' + user
3092
394
        if account_user not in self.users:
3093
395
            return HTTPUnauthorized(request=req)
3094
396
        if self.users[account_user]['key'] != key:
3095
397
            return HTTPUnauthorized(request=req)
3096
398
        # Get memcache client
3097
399
        memcache_client = cache_from_env(req.environ)
3098
400
        if not memcache_client:
3099
401
            raise Exception('Memcache required')
3100
402
        # See if a token already exists and hasn't expired
3101
403
        token = None
3102
404
        memcache_user_key = '%s/user/%s' % (self.reseller_prefix, account_user)
3103
405
        candidate_token = memcache_client.get(memcache_user_key)
3104
406
        if candidate_token:
3105
407
            memcache_token_key = \
3106
408
                '%s/token/%s' % (self.reseller_prefix, candidate_token)
3107
409
            cached_auth_data = memcache_client.get(memcache_token_key)
3108
410
            if cached_auth_data:
3109
411
                expires, groups = cached_auth_data
3110
412
                if expires > time():
3111
413
                    token = candidate_token
3112
414
        # Create a new token if one didn't exist
3113
415
        if not token:
3114
416
            # Generate new token
3115
417
            token = '%stk%s' % (self.reseller_prefix, uuid4().hex)
3116
418
            expires = time() + self.token_life
3117
419
            groups = [account, account_user]
3118
420
            groups.extend(self.users[account_user]['groups'])
3119
421
            if '.admin' in groups:
3120
422
                groups.remove('.admin')
3121
423
                account_id = self.users[account_user]['url'].rsplit('/', 1)[-1]
3122
424
                groups.append(account_id)
3123
425
            groups = ','.join(groups)
3124
426
            # Save token
3125
427
            memcache_token_key = '%s/token/%s' % (self.reseller_prefix, token)
3126
428
            memcache_client.set(memcache_token_key, (expires, groups),
3127
429
                                timeout=float(expires - time()))
3128
430
            # Record the token with the user info for future use.
3129
431
            memcache_user_key = \
3130
432
                '%s/user/%s' % (self.reseller_prefix, account_user)
3131
433
            memcache_client.set(memcache_user_key, token,
3132
434
                                timeout=float(expires - time()))
3133
435
        return Response(request=req,
3134
436
            headers={'x-auth-token': token, 'x-storage-token': token,
3135
437
                     'x-storage-url': self.users[account_user]['url']})
3136
438
3137
439
    def posthooklogger(self, env, req):
3138
440
        if not req.path.startswith(self.auth_prefix):
3139
441
            return
3140
442
        response = getattr(req, 'response', None)
3141
443
        if not response:
3142
444
            return
3143
445
        trans_time = '%.4f' % (time() - req.start_time)
3144
446
        the_request = quote(unquote(req.path))
3145
447
        if req.query_string:
3146
448
            the_request = the_request + '?' + req.query_string
3147
449
        # remote user for zeus
3148
450
        client = req.headers.get('x-cluster-client-ip')
3149
451
        if not client and 'x-forwarded-for' in req.headers:
3150
452
            # remote user for other lbs
3151
453
            client = req.headers['x-forwarded-for'].split(',')[0].strip()
3152
454
        logged_headers = None
3153
455
        if self.log_headers:
3154
456
            logged_headers = '\n'.join('%s: %s' % (k, v)
3155
457
                                       for k, v in req.headers.items())
3156
458
        status_int = response.status_int
3157
459
        if getattr(req, 'client_disconnect', False) or \
3158
460
                getattr(response, 'client_disconnect', False):
3159
461
            status_int = 499
3160
462
        self.logger.info(' '.join(quote(str(x)) for x in (client or '-',
3161
463
            req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()),
3162
464
            req.method, the_request, req.environ['SERVER_PROTOCOL'],
3163
465
            status_int, req.referer or '-', req.user_agent or '-',
3164
466
            req.headers.get('x-auth-token',
3165
467
                req.headers.get('x-auth-admin-user', '-')),
3166
468
            getattr(req, 'bytes_transferred', 0) or '-',
3167
469
            getattr(response, 'bytes_transferred', 0) or '-',
3168
470
            req.headers.get('etag', '-'),
3169
471
            req.headers.get('x-trans-id', '-'), logged_headers or '-',
3170
472
            trans_time)))
3171
473
3172
474
3173
475
def filter_factory(global_conf, **local_conf):
3174
476
    """Returns a WSGI filter app for use with paste.deploy."""
3175
477
    conf = global_conf.copy()
3176
478
    conf.update(local_conf)
3177
479
3178
480
    def auth_filter(app):
3179
481
        return TempAuth(app, conf)
3180
482
    return auth_filter
3181
0
483
3182
=== modified file 'test/probe/common.py'
3183
--- test/probe/common.py	2011-03-14 02:56:37 +0000
3184
+++ test/probe/common.py	2011-06-09 21:09:39 +0000
3185
@@ -13,29 +13,16 @@
3186
13
# See the License for the specific language governing permissions and
13
# See the License for the specific language governing permissions and
3187
14
# limitations under the License.
14
# limitations under the License.
3188
15
15
3190
16
from os import environ, kill
16
from os import kill
3191
17
from signal import SIGTERM
17
from signal import SIGTERM
3192
18
from subprocess import call, Popen
18
from subprocess import call, Popen
3193
19
from time import sleep
19
from time import sleep
3194
20
from ConfigParser import ConfigParser
3195
21
20
3196
22
from swift.common.bufferedhttp import http_connect_raw as http_connect
21
from swift.common.bufferedhttp import http_connect_raw as http_connect
3197
23
from swift.common.client import get_auth
22
from swift.common.client import get_auth
3198
24
from swift.common.ring import Ring
23
from swift.common.ring import Ring
3199
25
24
3200
26
25
3201
27
SUPER_ADMIN_KEY = None
3202
28
3203
29
c = ConfigParser()
3204
30
PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE',
3205
31
                                     '/etc/swift/proxy-server.conf')
3206
32
if c.read(PROXY_SERVER_CONF_FILE):
3207
33
    conf = dict(c.items('filter:swauth'))
3208
34
    SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey')
3209
35
else:
3210
36
    exit('Unable to read config file: %s' % PROXY_SERVER_CONF_FILE)
3211
37
3212
38
3213
39
def kill_pids(pids):
26
def kill_pids(pids):
3214
40
    for pid in pids.values():
27
    for pid in pids.values():
3215
41
        try:
28
        try:
3216
@@ -48,8 +35,6 @@
3217
48
    call(['resetswift'])
35
    call(['resetswift'])
3218
49
    pids = {}
36
    pids = {}
3219
50
    try:
37
    try:
3220
51
        pids['proxy'] = Popen(['swift-proxy-server',
3221
52
                               '/etc/swift/proxy-server.conf']).pid
3222
53
        port2server = {}
38
        port2server = {}
3223
54
        for s, p in (('account', 6002), ('container', 6001), ('object', 6000)):
39
        for s, p in (('account', 6002), ('container', 6001), ('object', 6000)):
3224
55
            for n in xrange(1, 5):
40
            for n in xrange(1, 5):
3225
@@ -57,14 +42,27 @@
3226
57
                    Popen(['swift-%s-server' % s,
42
                    Popen(['swift-%s-server' % s,
3227
58
                           '/etc/swift/%s-server/%d.conf' % (s, n)]).pid
43
                           '/etc/swift/%s-server/%d.conf' % (s, n)]).pid
3228
59
                port2server[p + (n * 10)] = '%s%d' % (s, n)
44
                port2server[p + (n * 10)] = '%s%d' % (s, n)
3229
45
        pids['proxy'] = Popen(['swift-proxy-server',
3230
46
                               '/etc/swift/proxy-server.conf']).pid
3231
60
        account_ring = Ring('/etc/swift/account.ring.gz')
47
        account_ring = Ring('/etc/swift/account.ring.gz')
3232
61
        container_ring = Ring('/etc/swift/container.ring.gz')
48
        container_ring = Ring('/etc/swift/container.ring.gz')
3233
62
        object_ring = Ring('/etc/swift/object.ring.gz')
49
        object_ring = Ring('/etc/swift/object.ring.gz')
3239
63
        sleep(5)
50
        attempt = 0
3240
64
        call(['recreateaccounts'])
51
        while True:
3241
65
        url, token = get_auth('http://127.0.0.1:8080/auth/v1.0',
52
            attempt += 1
3242
66
                              'test:tester', 'testing')
53
            try:
3243
67
        account = url.split('/')[-1]
54
                url, token = get_auth('http://127.0.0.1:8080/auth/v1.0',
3244
55
                                      'test:tester', 'testing')
3245
56
                account = url.split('/')[-1]
3246
57
                break
3247
58
            except Exception, err:
3248
59
                if attempt > 9:
3249
60
                    print err
3250
61
                    print 'Giving up after %s retries.' % attempt
3251
62
                    raise err
3252
63
                print err
3253
64
                print 'Retrying in 1 second...'
3254
65
                sleep(1)
3255
68
    except BaseException, err:
66
    except BaseException, err:
3256
69
        kill_pids(pids)
67
        kill_pids(pids)
3257
70
        raise err
68
        raise err
3258
71
69
3259
=== renamed file 'test/unit/common/middleware/test_swauth.py' => 'test/unit/common/middleware/test_tempauth.py'
3260
--- test/unit/common/middleware/test_swauth.py	2011-04-01 21:17:47 +0000
3261
+++ test/unit/common/middleware/test_tempauth.py	2011-06-09 21:09:39 +0000
3262
@@ -1,4 +1,4 @@
3264
1
# Copyright (c) 2010 OpenStack, LLC.
1
# Copyright (c) 2011 OpenStack, LLC.
3265
2
#
2
#
3266
3
# Licensed under the Apache License, Version 2.0 (the "License");
3
# Licensed under the Apache License, Version 2.0 (the "License");
3267
4
# you may not use this file except in compliance with the License.
4
# you may not use this file except in compliance with the License.
3268
@@ -23,7 +23,7 @@
3269
23
23
3270
24
from webob import Request, Response
24
from webob import Request, Response
3271
25
25
3273
26
from swift.common.middleware import swauth as auth
26
from swift.common.middleware import tempauth as auth
3274
27
27
3275
28
28
3276
29
class FakeMemcache(object):
29
class FakeMemcache(object):
3277
@@ -102,85 +102,49 @@
3278
102
class TestAuth(unittest.TestCase):
102
class TestAuth(unittest.TestCase):
3279
103
103
3280
104
    def setUp(self):
104
    def setUp(self):
3283
105
        self.test_auth = \
105
        self.test_auth = auth.filter_factory({})(FakeApp())
3282
106
            auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp())
3284
107
106
3295
108
    def test_super_admin_key_required(self):
107
    def _make_request(self, path, **kwargs):
3296
109
        app = FakeApp()
108
        req = Request.blank(path, **kwargs)
3297
110
        exc = None
109
        req.environ['swift.cache'] = FakeMemcache()
3298
111
        try:
110
        return req
3289
112
            auth.filter_factory({})(app)
3290
113
        except ValueError, err:
3291
114
            exc = err
3292
115
        self.assertEquals(str(exc),
3293
116
                          'No super_admin_key set in conf file! Exiting.')
3294
117
        auth.filter_factory({'super_admin_key': 'supertest'})(app)
3299
118
111
3300
119
    def test_reseller_prefix_init(self):
112
    def test_reseller_prefix_init(self):
3301
120
        app = FakeApp()
113
        app = FakeApp()
3303
121
        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
114
        ath = auth.filter_factory({})(app)
3304
122
        self.assertEquals(ath.reseller_prefix, 'AUTH_')
115
        self.assertEquals(ath.reseller_prefix, 'AUTH_')
3307
123
        ath = auth.filter_factory({'super_admin_key': 'supertest',
116
        ath = auth.filter_factory({'reseller_prefix': 'TEST'})(app)
3306
124
                                   'reseller_prefix': 'TEST'})(app)
3308
125
        self.assertEquals(ath.reseller_prefix, 'TEST_')
117
        self.assertEquals(ath.reseller_prefix, 'TEST_')
3311
126
        ath = auth.filter_factory({'super_admin_key': 'supertest',
118
        ath = auth.filter_factory({'reseller_prefix': 'TEST_'})(app)
3310
127
                                   'reseller_prefix': 'TEST_'})(app)
3312
128
        self.assertEquals(ath.reseller_prefix, 'TEST_')
119
        self.assertEquals(ath.reseller_prefix, 'TEST_')
3313
129
120
3314
130
    def test_auth_prefix_init(self):
121
    def test_auth_prefix_init(self):
3315
131
        app = FakeApp()
122
        app = FakeApp()
3355
132
        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
123
        ath = auth.filter_factory({})(app)
3356
133
        self.assertEquals(ath.auth_prefix, '/auth/')
124
        self.assertEquals(ath.auth_prefix, '/auth/')
3357
134
        ath = auth.filter_factory({'super_admin_key': 'supertest',
125
        ath = auth.filter_factory({'auth_prefix': ''})(app)
3358
135
                                   'auth_prefix': ''})(app)
126
        self.assertEquals(ath.auth_prefix, '/auth/')
3359
136
        self.assertEquals(ath.auth_prefix, '/auth/')
127
        ath = auth.filter_factory({'auth_prefix': '/test/'})(app)
3360
137
        ath = auth.filter_factory({'super_admin_key': 'supertest',
128
        self.assertEquals(ath.auth_prefix, '/test/')
3361
138
                                   'auth_prefix': '/test/'})(app)
129
        ath = auth.filter_factory({'auth_prefix': '/test'})(app)
3362
139
        self.assertEquals(ath.auth_prefix, '/test/')
130
        self.assertEquals(ath.auth_prefix, '/test/')
3363
140
        ath = auth.filter_factory({'super_admin_key': 'supertest',
131
        ath = auth.filter_factory({'auth_prefix': 'test/'})(app)
3364
141
                                   'auth_prefix': '/test'})(app)
132
        self.assertEquals(ath.auth_prefix, '/test/')
3365
142
        self.assertEquals(ath.auth_prefix, '/test/')
133
        ath = auth.filter_factory({'auth_prefix': 'test'})(app)
3366
143
        ath = auth.filter_factory({'super_admin_key': 'supertest',
134
        self.assertEquals(ath.auth_prefix, '/test/')
3328
144
                                   'auth_prefix': 'test/'})(app)
3329
145
        self.assertEquals(ath.auth_prefix, '/test/')
3330
146
        ath = auth.filter_factory({'super_admin_key': 'supertest',
3331
147
                                   'auth_prefix': 'test'})(app)
3332
148
        self.assertEquals(ath.auth_prefix, '/test/')
3333
149
3334
150
    def test_default_swift_cluster_init(self):
3335
151
        app = FakeApp()
3336
152
        self.assertRaises(Exception, auth.filter_factory({
3337
153
            'super_admin_key': 'supertest',
3338
154
            'default_swift_cluster': 'local#badscheme://host/path'}), app)
3339
155
        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
3340
156
        self.assertEquals(ath.default_swift_cluster,
3341
157
                          'local#http://127.0.0.1:8080/v1')
3342
158
        ath = auth.filter_factory({'super_admin_key': 'supertest',
3343
159
            'default_swift_cluster': 'local#http://host/path'})(app)
3344
160
        self.assertEquals(ath.default_swift_cluster,
3345
161
                          'local#http://host/path')
3346
162
        ath = auth.filter_factory({'super_admin_key': 'supertest',
3347
163
            'default_swift_cluster': 'local#https://host/path/'})(app)
3348
164
        self.assertEquals(ath.dsc_url, 'https://host/path')
3349
165
        self.assertEquals(ath.dsc_url2, 'https://host/path')
3350
166
        ath = auth.filter_factory({'super_admin_key': 'supertest',
3351
167
            'default_swift_cluster':
3352
168
                'local#https://host/path/#http://host2/path2/'})(app)
3353
169
        self.assertEquals(ath.dsc_url, 'https://host/path')
3354
170
        self.assertEquals(ath.dsc_url2, 'http://host2/path2')
3367
171
135
3368
172
    def test_top_level_ignore(self):
136
    def test_top_level_ignore(self):
3370
173
        resp = Request.blank('/').get_response(self.test_auth)
137
        resp = self._make_request('/').get_response(self.test_auth)
3371
174
        self.assertEquals(resp.status_int, 404)
138
        self.assertEquals(resp.status_int, 404)
3372
175
139
3373
176
    def test_anon(self):
140
    def test_anon(self):
3375
177
        resp = Request.blank('/v1/AUTH_account').get_response(self.test_auth)
141
        resp = self._make_request('/v1/AUTH_account').get_response(self.test_auth)
3376
178
        self.assertEquals(resp.status_int, 401)
142
        self.assertEquals(resp.status_int, 401)
3377
179
        self.assertEquals(resp.environ['swift.authorize'],
143
        self.assertEquals(resp.environ['swift.authorize'],
3378
180
                          self.test_auth.authorize)
144
                          self.test_auth.authorize)
3379
181
145
3380
182
    def test_auth_deny_non_reseller_prefix(self):
146
    def test_auth_deny_non_reseller_prefix(self):
3382
183
        resp = Request.blank('/v1/BLAH_account',
147
        resp = self._make_request('/v1/BLAH_account',
3383
184
            headers={'X-Auth-Token': 'BLAH_t'}).get_response(self.test_auth)
148
            headers={'X-Auth-Token': 'BLAH_t'}).get_response(self.test_auth)
3384
185
        self.assertEquals(resp.status_int, 401)
149
        self.assertEquals(resp.status_int, 401)
3385
186
        self.assertEquals(resp.environ['swift.authorize'],
150
        self.assertEquals(resp.environ['swift.authorize'],
3386
@@ -188,7 +152,7 @@
3387
188
152
3388
189
    def test_auth_deny_non_reseller_prefix_no_override(self):
153
    def test_auth_deny_non_reseller_prefix_no_override(self):
3389
190
        fake_authorize = lambda x: Response(status='500 Fake')
154
        fake_authorize = lambda x: Response(status='500 Fake')
3391
191
        resp = Request.blank('/v1/BLAH_account',
155
        resp = self._make_request('/v1/BLAH_account',
3392
192
            headers={'X-Auth-Token': 'BLAH_t'},
156
            headers={'X-Auth-Token': 'BLAH_t'},
3393
193
            environ={'swift.authorize': fake_authorize}
157
            environ={'swift.authorize': fake_authorize}
3394
194
            ).get_response(self.test_auth)
158
            ).get_response(self.test_auth)
3395
@@ -200,192 +164,74 @@
3396
200
        # outright but set up a denial swift.authorize and pass the request on
164
        # outright but set up a denial swift.authorize and pass the request on
3397
201
        # down the chain.
165
        # down the chain.
3398
202
        local_app = FakeApp()
166
        local_app = FakeApp()
3402
203
        local_auth = auth.filter_factory({'super_admin_key': 'supertest',
167
        local_auth = auth.filter_factory({'reseller_prefix': ''})(local_app)
3403
204
                                          'reseller_prefix': ''})(local_app)
168
        resp = self._make_request('/v1/account',
3401
205
        resp = Request.blank('/v1/account',
3404
206
            headers={'X-Auth-Token': 't'}).get_response(local_auth)
169
            headers={'X-Auth-Token': 't'}).get_response(local_auth)
3405
207
        self.assertEquals(resp.status_int, 401)
170
        self.assertEquals(resp.status_int, 401)
3408
208
        # one for checking auth, two for request passed along
171
        self.assertEquals(local_app.calls, 1)
3407
209
        self.assertEquals(local_app.calls, 2)
3409
210
        self.assertEquals(resp.environ['swift.authorize'],
172
        self.assertEquals(resp.environ['swift.authorize'],
3410
211
                          local_auth.denied_response)
173
                          local_auth.denied_response)
3411
212
174
3412
213
    def test_auth_no_reseller_prefix_allow(self):
3413
214
        # Ensures that when we have no reseller prefix, we can still allow
3414
215
        # access if our auth server accepts requests
3415
216
        local_app = FakeApp(iter([
3416
217
            ('200 Ok', {},
3417
218
             json.dumps({'account': 'act', 'user': 'act:usr',
3418
219
                         'account_id': 'AUTH_cfa',
3419
220
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3420
221
                                    {'name': '.admin'}],
3421
222
                         'expires': time() + 60})),
3422
223
            ('204 No Content', {}, '')]))
3423
224
        local_auth = auth.filter_factory({'super_admin_key': 'supertest',
3424
225
                                          'reseller_prefix': ''})(local_app)
3425
226
        resp = Request.blank('/v1/act',
3426
227
            headers={'X-Auth-Token': 't'}).get_response(local_auth)
3427
228
        self.assertEquals(resp.status_int, 204)
3428
229
        self.assertEquals(local_app.calls, 2)
3429
230
        self.assertEquals(resp.environ['swift.authorize'],
3430
231
                          local_auth.authorize)
3431
232
3432
233
    def test_auth_no_reseller_prefix_no_token(self):
175
    def test_auth_no_reseller_prefix_no_token(self):
3433
234
        # Check that normally we set up a call back to our authorize.
176
        # Check that normally we set up a call back to our authorize.
3434
235
        local_auth = \
177
        local_auth = \
3438
236
            auth.filter_factory({'super_admin_key': 'supertest',
178
            auth.filter_factory({'reseller_prefix': ''})(FakeApp(iter([])))
3439
237
                                 'reseller_prefix': ''})(FakeApp(iter([])))
179
        resp = self._make_request('/v1/account').get_response(local_auth)
3437
238
        resp = Request.blank('/v1/account').get_response(local_auth)
3440
239
        self.assertEquals(resp.status_int, 401)
180
        self.assertEquals(resp.status_int, 401)
3441
240
        self.assertEquals(resp.environ['swift.authorize'],
181
        self.assertEquals(resp.environ['swift.authorize'],
3442
241
                          local_auth.authorize)
182
                          local_auth.authorize)
3443
242
        # Now make sure we don't override an existing swift.authorize when we
183
        # Now make sure we don't override an existing swift.authorize when we
3444
243
        # have no reseller prefix.
184
        # have no reseller prefix.
3445
244
        local_auth = \
185
        local_auth = \
3448
245
            auth.filter_factory({'super_admin_key': 'supertest',
186
            auth.filter_factory({'reseller_prefix': ''})(FakeApp())
3447
246
                                 'reseller_prefix': ''})(FakeApp())
3449
247
        local_authorize = lambda req: Response('test')
187
        local_authorize = lambda req: Response('test')
3451
248
        resp = Request.blank('/v1/account', environ={'swift.authorize':
188
        resp = self._make_request('/v1/account', environ={'swift.authorize':
3452
249
            local_authorize}).get_response(local_auth)
189
            local_authorize}).get_response(local_auth)
3453
250
        self.assertEquals(resp.status_int, 200)
190
        self.assertEquals(resp.status_int, 200)
3454
251
        self.assertEquals(resp.environ['swift.authorize'], local_authorize)
191
        self.assertEquals(resp.environ['swift.authorize'], local_authorize)
3455
252
192
3456
253
    def test_auth_fail(self):
193
    def test_auth_fail(self):
3554
254
        resp = Request.blank('/v1/AUTH_cfa',
194
        resp = self._make_request('/v1/AUTH_cfa',
3555
255
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
195
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
3556
256
        self.assertEquals(resp.status_int, 401)
196
        self.assertEquals(resp.status_int, 401)
3460
257
3461
258
    def test_auth_success(self):
3462
259
        self.test_auth.app = FakeApp(iter([
3463
260
            ('200 Ok', {},
3464
261
             json.dumps({'account': 'act', 'user': 'act:usr',
3465
262
                         'account_id': 'AUTH_cfa',
3466
263
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3467
264
                                    {'name': '.admin'}],
3468
265
                         'expires': time() + 60})),
3469
266
            ('204 No Content', {}, '')]))
3470
267
        resp = Request.blank('/v1/AUTH_cfa',
3471
268
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
3472
269
        self.assertEquals(resp.status_int, 204)
3473
270
        self.assertEquals(self.test_auth.app.calls, 2)
3474
271
3475
272
    def test_auth_memcache(self):
3476
273
        # First run our test without memcache, showing we need to return the
3477
274
        # token contents twice.
3478
275
        self.test_auth.app = FakeApp(iter([
3479
276
            ('200 Ok', {},
3480
277
             json.dumps({'account': 'act', 'user': 'act:usr',
3481
278
                         'account_id': 'AUTH_cfa',
3482
279
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3483
280
                                    {'name': '.admin'}],
3484
281
                         'expires': time() + 60})),
3485
282
            ('204 No Content', {}, ''),
3486
283
            ('200 Ok', {},
3487
284
             json.dumps({'account': 'act', 'user': 'act:usr',
3488
285
                         'account_id': 'AUTH_cfa',
3489
286
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3490
287
                                    {'name': '.admin'}],
3491
288
                         'expires': time() + 60})),
3492
289
            ('204 No Content', {}, '')]))
3493
290
        resp = Request.blank('/v1/AUTH_cfa',
3494
291
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
3495
292
        self.assertEquals(resp.status_int, 204)
3496
293
        resp = Request.blank('/v1/AUTH_cfa',
3497
294
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
3498
295
        self.assertEquals(resp.status_int, 204)
3499
296
        self.assertEquals(self.test_auth.app.calls, 4)
3500
297
        # Now run our test with memcache, showing we no longer need to return
3501
298
        # the token contents twice.
3502
299
        self.test_auth.app = FakeApp(iter([
3503
300
            ('200 Ok', {},
3504
301
             json.dumps({'account': 'act', 'user': 'act:usr',
3505
302
                         'account_id': 'AUTH_cfa',
3506
303
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3507
304
                                    {'name': '.admin'}],
3508
305
                         'expires': time() + 60})),
3509
306
            ('204 No Content', {}, ''),
3510
307
            # Don't need a second token object returned if memcache is used
3511
308
            ('204 No Content', {}, '')]))
3512
309
        fake_memcache = FakeMemcache()
3513
310
        resp = Request.blank('/v1/AUTH_cfa',
3514
311
            headers={'X-Auth-Token': 'AUTH_t'},
3515
312
            environ={'swift.cache': fake_memcache}
3516
313
            ).get_response(self.test_auth)
3517
314
        self.assertEquals(resp.status_int, 204)
3518
315
        resp = Request.blank('/v1/AUTH_cfa',
3519
316
            headers={'X-Auth-Token': 'AUTH_t'},
3520
317
            environ={'swift.cache': fake_memcache}
3521
318
            ).get_response(self.test_auth)
3522
319
        self.assertEquals(resp.status_int, 204)
3523
320
        self.assertEquals(self.test_auth.app.calls, 3)
3524
321
3525
322
    def test_auth_just_expired(self):
3526
323
        self.test_auth.app = FakeApp(iter([
3527
324
            # Request for token (which will have expired)
3528
325
            ('200 Ok', {},
3529
326
             json.dumps({'account': 'act', 'user': 'act:usr',
3530
327
                         'account_id': 'AUTH_cfa',
3531
328
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3532
329
                                    {'name': '.admin'}],
3533
330
                         'expires': time() - 1})),
3534
331
            # Request to delete token
3535
332
            ('204 No Content', {}, '')]))
3536
333
        resp = Request.blank('/v1/AUTH_cfa',
3537
334
            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)
3538
335
        self.assertEquals(resp.status_int, 401)
3539
336
        self.assertEquals(self.test_auth.app.calls, 2)
3540
337
3541
338
    def test_middleware_storage_token(self):
3542
339
        self.test_auth.app = FakeApp(iter([
3543
340
            ('200 Ok', {},
3544
341
             json.dumps({'account': 'act', 'user': 'act:usr',
3545
342
                         'account_id': 'AUTH_cfa',
3546
343
                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
3547
344
                                    {'name': '.admin'}],
3548
345
                         'expires': time() + 60})),
3549
346
            ('204 No Content', {}, '')]))
3550
347
        resp = Request.blank('/v1/AUTH_cfa',
3551
348
            headers={'X-Storage-Token': 'AUTH_t'}).get_response(self.test_auth)
3552
349
        self.assertEquals(resp.status_int, 204)
3553
350
        self.assertEquals(self.test_auth.app.calls, 2)
3557
351
197
3558
352
    def test_authorize_bad_path(self):
198
    def test_authorize_bad_path(self):
3560
353
        req = Request.blank('/badpath')
199
        req = self._make_request('/badpath')
3561
354
        resp = self.test_auth.authorize(req)
200
        resp = self.test_auth.authorize(req)
3562
355
        self.assertEquals(resp.status_int, 401)
201
        self.assertEquals(resp.status_int, 401)
3564
356
        req = Request.blank('/badpath')
202
        req = self._make_request('/badpath')
3565
357
        req.remote_user = 'act:usr,act,AUTH_cfa'
203
        req.remote_user = 'act:usr,act,AUTH_cfa'
3566
358
        resp = self.test_auth.authorize(req)
204
        resp = self.test_auth.authorize(req)
3567
359
        self.assertEquals(resp.status_int, 403)
205
        self.assertEquals(resp.status_int, 403)
3568
360
206
3569
361
    def test_authorize_account_access(self):
207
    def test_authorize_account_access(self):
3571
362
        req = Request.blank('/v1/AUTH_cfa')
208
        req = self._make_request('/v1/AUTH_cfa')
3572
363
        req.remote_user = 'act:usr,act,AUTH_cfa'
209
        req.remote_user = 'act:usr,act,AUTH_cfa'
3573
364
        self.assertEquals(self.test_auth.authorize(req), None)
210
        self.assertEquals(self.test_auth.authorize(req), None)
3575
365
        req = Request.blank('/v1/AUTH_cfa')
211
        req = self._make_request('/v1/AUTH_cfa')
3576
366
        req.remote_user = 'act:usr,act'
212
        req.remote_user = 'act:usr,act'
3577
367
        resp = self.test_auth.authorize(req)
213
        resp = self.test_auth.authorize(req)
3578
368
        self.assertEquals(resp.status_int, 403)
214
        self.assertEquals(resp.status_int, 403)
3579
369
215
3580
370
    def test_authorize_acl_group_access(self):
216
    def test_authorize_acl_group_access(self):
3582
371
        req = Request.blank('/v1/AUTH_cfa')
217
        req = self._make_request('/v1/AUTH_cfa')
3583
372
        req.remote_user = 'act:usr,act'
218
        req.remote_user = 'act:usr,act'
3584
373
        resp = self.test_auth.authorize(req)
219
        resp = self.test_auth.authorize(req)
3585
374
        self.assertEquals(resp.status_int, 403)
220
        self.assertEquals(resp.status_int, 403)
3587
375
        req = Request.blank('/v1/AUTH_cfa')
221
        req = self._make_request('/v1/AUTH_cfa')
3588
376
        req.remote_user = 'act:usr,act'
222
        req.remote_user = 'act:usr,act'
3589
377
        req.acl = 'act'
223
        req.acl = 'act'
3590
378
        self.assertEquals(self.test_auth.authorize(req), None)
224
        self.assertEquals(self.test_auth.authorize(req), None)
3592
379
        req = Request.blank('/v1/AUTH_cfa')
225
        req = self._make_request('/v1/AUTH_cfa')
3593
380
        req.remote_user = 'act:usr,act'
226
        req.remote_user = 'act:usr,act'
3594
381
        req.acl = 'act:usr'
227
        req.acl = 'act:usr'
3595
382
        self.assertEquals(self.test_auth.authorize(req), None)
228
        self.assertEquals(self.test_auth.authorize(req), None)
3597
383
        req = Request.blank('/v1/AUTH_cfa')
229
        req = self._make_request('/v1/AUTH_cfa')
3598
384
        req.remote_user = 'act:usr,act'
230
        req.remote_user = 'act:usr,act'
3599
385
        req.acl = 'act2'
231
        req.acl = 'act2'
3600
386
        resp = self.test_auth.authorize(req)
232
        resp = self.test_auth.authorize(req)
3601
387
        self.assertEquals(resp.status_int, 403)
233
        self.assertEquals(resp.status_int, 403)
3603
388
        req = Request.blank('/v1/AUTH_cfa')
234
        req = self._make_request('/v1/AUTH_cfa')
3604
389
        req.remote_user = 'act:usr,act'
235
        req.remote_user = 'act:usr,act'
3605
390
        req.acl = 'act:usr2'
236
        req.acl = 'act:usr2'
3606
391
        resp = self.test_auth.authorize(req)
237
        resp = self.test_auth.authorize(req)
3607
@@ -393,105 +239,105 @@
3608
393
239
3609
394
    def test_deny_cross_reseller(self):
240
    def test_deny_cross_reseller(self):
3610
395
        # Tests that cross-reseller is denied, even if ACLs/group names match
241
        # Tests that cross-reseller is denied, even if ACLs/group names match
3612
396
        req = Request.blank('/v1/OTHER_cfa')
242
        req = self._make_request('/v1/OTHER_cfa')
3613
397
        req.remote_user = 'act:usr,act,AUTH_cfa'
243
        req.remote_user = 'act:usr,act,AUTH_cfa'
3614
398
        req.acl = 'act'
244
        req.acl = 'act'
3615
399
        resp = self.test_auth.authorize(req)
245
        resp = self.test_auth.authorize(req)
3616
400
        self.assertEquals(resp.status_int, 403)
246
        self.assertEquals(resp.status_int, 403)
3617
401
247
3618
402
    def test_authorize_acl_referrer_access(self):
248
    def test_authorize_acl_referrer_access(self):
3620
403
        req = Request.blank('/v1/AUTH_cfa/c')
249
        req = self._make_request('/v1/AUTH_cfa/c')
3621
404
        req.remote_user = 'act:usr,act'
250
        req.remote_user = 'act:usr,act'
3622
405
        resp = self.test_auth.authorize(req)
251
        resp = self.test_auth.authorize(req)
3623
406
        self.assertEquals(resp.status_int, 403)
252
        self.assertEquals(resp.status_int, 403)
3625
407
        req = Request.blank('/v1/AUTH_cfa/c')
253
        req = self._make_request('/v1/AUTH_cfa/c')
3626
408
        req.remote_user = 'act:usr,act'
254
        req.remote_user = 'act:usr,act'
3627
409
        req.acl = '.r:*,.rlistings'
255
        req.acl = '.r:*,.rlistings'
3628
410
        self.assertEquals(self.test_auth.authorize(req), None)
256
        self.assertEquals(self.test_auth.authorize(req), None)
3630
411
        req = Request.blank('/v1/AUTH_cfa/c')
257
        req = self._make_request('/v1/AUTH_cfa/c')
3631
412
        req.remote_user = 'act:usr,act'
258
        req.remote_user = 'act:usr,act'
3632
413
        req.acl = '.r:*'  # No listings allowed
259
        req.acl = '.r:*'  # No listings allowed
3633
414
        resp = self.test_auth.authorize(req)
260
        resp = self.test_auth.authorize(req)
3634
415
        self.assertEquals(resp.status_int, 403)
261
        self.assertEquals(resp.status_int, 403)
3636
416
        req = Request.blank('/v1/AUTH_cfa/c')
262
        req = self._make_request('/v1/AUTH_cfa/c')
3637
417
        req.remote_user = 'act:usr,act'
263
        req.remote_user = 'act:usr,act'
3638
418
        req.acl = '.r:.example.com,.rlistings'
264
        req.acl = '.r:.example.com,.rlistings'
3639
419
        resp = self.test_auth.authorize(req)
265
        resp = self.test_auth.authorize(req)
3640
420
        self.assertEquals(resp.status_int, 403)
266
        self.assertEquals(resp.status_int, 403)
3642
421
        req = Request.blank('/v1/AUTH_cfa/c')
267
        req = self._make_request('/v1/AUTH_cfa/c')
3643
422
        req.remote_user = 'act:usr,act'
268
        req.remote_user = 'act:usr,act'
3644
423
        req.referer = 'http://www.example.com/index.html'
269
        req.referer = 'http://www.example.com/index.html'
3645
424
        req.acl = '.r:.example.com,.rlistings'
270
        req.acl = '.r:.example.com,.rlistings'
3646
425
        self.assertEquals(self.test_auth.authorize(req), None)
271
        self.assertEquals(self.test_auth.authorize(req), None)
3648
426
        req = Request.blank('/v1/AUTH_cfa/c')
272
        req = self._make_request('/v1/AUTH_cfa/c')
3649
427
        resp = self.test_auth.authorize(req)
273
        resp = self.test_auth.authorize(req)
3650
428
        self.assertEquals(resp.status_int, 401)
274
        self.assertEquals(resp.status_int, 401)
3652
429
        req = Request.blank('/v1/AUTH_cfa/c')
275
        req = self._make_request('/v1/AUTH_cfa/c')
3653
430
        req.acl = '.r:*,.rlistings'
276
        req.acl = '.r:*,.rlistings'
3654
431
        self.assertEquals(self.test_auth.authorize(req), None)
277
        self.assertEquals(self.test_auth.authorize(req), None)
3656
432
        req = Request.blank('/v1/AUTH_cfa/c')
278
        req = self._make_request('/v1/AUTH_cfa/c')
3657
433
        req.acl = '.r:*'  # No listings allowed
279
        req.acl = '.r:*'  # No listings allowed
3658
434
        resp = self.test_auth.authorize(req)
280
        resp = self.test_auth.authorize(req)
3659
435
        self.assertEquals(resp.status_int, 401)
281
        self.assertEquals(resp.status_int, 401)
3661
436
        req = Request.blank('/v1/AUTH_cfa/c')
282
        req = self._make_request('/v1/AUTH_cfa/c')
3662
437
        req.acl = '.r:.example.com,.rlistings'
283
        req.acl = '.r:.example.com,.rlistings'
3663
438
        resp = self.test_auth.authorize(req)
284
        resp = self.test_auth.authorize(req)
3664
439
        self.assertEquals(resp.status_int, 401)
285
        self.assertEquals(resp.status_int, 401)
3666
440
        req = Request.blank('/v1/AUTH_cfa/c')
286
        req = self._make_request('/v1/AUTH_cfa/c')
3667
441
        req.referer = 'http://www.example.com/index.html'
287
        req.referer = 'http://www.example.com/index.html'
3668
442
        req.acl = '.r:.example.com,.rlistings'
288
        req.acl = '.r:.example.com,.rlistings'
3669
443
        self.assertEquals(self.test_auth.authorize(req), None)
289
        self.assertEquals(self.test_auth.authorize(req), None)
3670
444
290
3671
445
    def test_account_put_permissions(self):
291
    def test_account_put_permissions(self):
3673
446
        req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
292
        req = self._make_request('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
3674
447
        req.remote_user = 'act:usr,act'
293
        req.remote_user = 'act:usr,act'
3675
448
        resp = self.test_auth.authorize(req)
294
        resp = self.test_auth.authorize(req)
3676
449
        self.assertEquals(resp.status_int, 403)
295
        self.assertEquals(resp.status_int, 403)
3677
450
296
3679
451
        req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
297
        req = self._make_request('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
3680
452
        req.remote_user = 'act:usr,act,AUTH_other'
298
        req.remote_user = 'act:usr,act,AUTH_other'
3681
453
        resp = self.test_auth.authorize(req)
299
        resp = self.test_auth.authorize(req)
3682
454
        self.assertEquals(resp.status_int, 403)
300
        self.assertEquals(resp.status_int, 403)
3683
455
301
3684
456
        # Even PUTs to your own account as account admin should fail
302
        # Even PUTs to your own account as account admin should fail
3686
457
        req = Request.blank('/v1/AUTH_old', environ={'REQUEST_METHOD': 'PUT'})
303
        req = self._make_request('/v1/AUTH_old', environ={'REQUEST_METHOD': 'PUT'})
3687
458
        req.remote_user = 'act:usr,act,AUTH_old'
304
        req.remote_user = 'act:usr,act,AUTH_old'
3688
459
        resp = self.test_auth.authorize(req)
305
        resp = self.test_auth.authorize(req)
3689
460
        self.assertEquals(resp.status_int, 403)
306
        self.assertEquals(resp.status_int, 403)
3690
461
307
3692
462
        req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
308
        req = self._make_request('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
3693
463
        req.remote_user = 'act:usr,act,.reseller_admin'
309
        req.remote_user = 'act:usr,act,.reseller_admin'
3694
464
        resp = self.test_auth.authorize(req)
310
        resp = self.test_auth.authorize(req)
3695
465
        self.assertEquals(resp, None)
311
        self.assertEquals(resp, None)
3696
466
312
3697
467
        # .super_admin is not something the middleware should ever see or care
313
        # .super_admin is not something the middleware should ever see or care
3698
468
        # about
314
        # about
3700
469
        req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
315
        req = self._make_request('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
3701
470
        req.remote_user = 'act:usr,act,.super_admin'
316
        req.remote_user = 'act:usr,act,.super_admin'
3702
471
        resp = self.test_auth.authorize(req)
317
        resp = self.test_auth.authorize(req)
3703
472
        self.assertEquals(resp.status_int, 403)
318
        self.assertEquals(resp.status_int, 403)
3704
473
319
3705
474
    def test_account_delete_permissions(self):
320
    def test_account_delete_permissions(self):
3707
475
        req = Request.blank('/v1/AUTH_new',
321
        req = self._make_request('/v1/AUTH_new',
3708
476
                            environ={'REQUEST_METHOD': 'DELETE'})
322
                            environ={'REQUEST_METHOD': 'DELETE'})
3709
477
        req.remote_user = 'act:usr,act'
323
        req.remote_user = 'act:usr,act'
3710
478
        resp = self.test_auth.authorize(req)
324
        resp = self.test_auth.authorize(req)
3711
479
        self.assertEquals(resp.status_int, 403)
325
        self.assertEquals(resp.status_int, 403)
3712
480
326
3714
481
        req = Request.blank('/v1/AUTH_new',
327
        req = self._make_request('/v1/AUTH_new',
3715
482
                            environ={'REQUEST_METHOD': 'DELETE'})
328
                            environ={'REQUEST_METHOD': 'DELETE'})
3716
483
        req.remote_user = 'act:usr,act,AUTH_other'
329
        req.remote_user = 'act:usr,act,AUTH_other'
3717
484
        resp = self.test_auth.authorize(req)
330
        resp = self.test_auth.authorize(req)
3718
485
        self.assertEquals(resp.status_int, 403)
331
        self.assertEquals(resp.status_int, 403)
3719
486
332
3720
487
        # Even DELETEs to your own account as account admin should fail
333
        # Even DELETEs to your own account as account admin should fail
3722
488
        req = Request.blank('/v1/AUTH_old',
334
        req = self._make_request('/v1/AUTH_old',
3723
489
                            environ={'REQUEST_METHOD': 'DELETE'})
335
                            environ={'REQUEST_METHOD': 'DELETE'})
3724
490
        req.remote_user = 'act:usr,act,AUTH_old'
336
        req.remote_user = 'act:usr,act,AUTH_old'
3725
491
        resp = self.test_auth.authorize(req)
337
        resp = self.test_auth.authorize(req)
3726
492
        self.assertEquals(resp.status_int, 403)
338
        self.assertEquals(resp.status_int, 403)
3727
493
339
3729
494
        req = Request.blank('/v1/AUTH_new',
340
        req = self._make_request('/v1/AUTH_new',
3730
495
                            environ={'REQUEST_METHOD': 'DELETE'})
341
                            environ={'REQUEST_METHOD': 'DELETE'})
3731
496
        req.remote_user = 'act:usr,act,.reseller_admin'
342
        req.remote_user = 'act:usr,act,.reseller_admin'
3732
497
        resp = self.test_auth.authorize(req)
343
        resp = self.test_auth.authorize(req)
3733
@@ -499,7 +345,7 @@
3734
499
345
3735
500
        # .super_admin is not something the middleware should ever see or care
346
        # .super_admin is not something the middleware should ever see or care
3736
501
        # about
347
        # about
3738
502
        req = Request.blank('/v1/AUTH_new',
348
        req = self._make_request('/v1/AUTH_new',
3739
503
                            environ={'REQUEST_METHOD': 'DELETE'})
349
                            environ={'REQUEST_METHOD': 'DELETE'})
3740
504
        req.remote_user = 'act:usr,act,.super_admin'
350
        req.remote_user = 'act:usr,act,.super_admin'
3741
505
        resp = self.test_auth.authorize(req)
351
        resp = self.test_auth.authorize(req)
3742
@@ -507,2715 +353,36 @@
3743
507
        self.assertEquals(resp.status_int, 403)
353
        self.assertEquals(resp.status_int, 403)
3744
508
354
3745
509
    def test_get_token_fail(self):
355
    def test_get_token_fail(self):
3747
510
        resp = Request.blank('/auth/v1.0').get_response(self.test_auth)
356
        resp = self._make_request('/auth/v1.0').get_response(self.test_auth)
3748
511
        self.assertEquals(resp.status_int, 401)
357
        self.assertEquals(resp.status_int, 401)
3750
512
        resp = Request.blank('/auth/v1.0',
358
        resp = self._make_request('/auth/v1.0',
3751
513
            headers={'X-Auth-User': 'act:usr',
359
            headers={'X-Auth-User': 'act:usr',
3752
514
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
360
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3753
515
        self.assertEquals(resp.status_int, 401)
361
        self.assertEquals(resp.status_int, 401)
3754
516
362
3755
517
    def test_get_token_fail_invalid_key(self):
3756
518
        self.test_auth.app = FakeApp(iter([
3757
519
            # GET of user object
3758
520
            ('200 Ok', {},
3759
521
             json.dumps({"auth": "plaintext:key",
3760
522
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3761
523
                                    {'name': ".admin"}]}))]))
3762
524
        resp = Request.blank('/auth/v1.0',
3763
525
            headers={'X-Auth-User': 'act:usr',
3764
526
                     'X-Auth-Key': 'invalid'}).get_response(self.test_auth)
3765
527
        self.assertEquals(resp.status_int, 401)
3766
528
        self.assertEquals(self.test_auth.app.calls, 1)
3767
529
3768
530
    def test_get_token_fail_invalid_x_auth_user_format(self):
363
    def test_get_token_fail_invalid_x_auth_user_format(self):
3770
531
        resp = Request.blank('/auth/v1/act/auth',
364
        resp = self._make_request('/auth/v1/act/auth',
3771
532
            headers={'X-Auth-User': 'usr',
365
            headers={'X-Auth-User': 'usr',
3772
533
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
366
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3773
534
        self.assertEquals(resp.status_int, 401)
367
        self.assertEquals(resp.status_int, 401)
3774
535
368
3775
536
    def test_get_token_fail_non_matching_account_in_request(self):
369
    def test_get_token_fail_non_matching_account_in_request(self):
3777
537
        resp = Request.blank('/auth/v1/act/auth',
370
        resp = self._make_request('/auth/v1/act/auth',
3778
538
            headers={'X-Auth-User': 'act2:usr',
371
            headers={'X-Auth-User': 'act2:usr',
3779
539
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
372
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3780
540
        self.assertEquals(resp.status_int, 401)
373
        self.assertEquals(resp.status_int, 401)
3781
541
374
3782
542
    def test_get_token_fail_bad_path(self):
375
    def test_get_token_fail_bad_path(self):
3784
543
        resp = Request.blank('/auth/v1/act/auth/invalid',
376
        resp = self._make_request('/auth/v1/act/auth/invalid',
3785
544
            headers={'X-Auth-User': 'act:usr',
377
            headers={'X-Auth-User': 'act:usr',
3786
545
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
378
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3787
546
        self.assertEquals(resp.status_int, 400)
379
        self.assertEquals(resp.status_int, 400)
3788
547
380
3789
548
    def test_get_token_fail_missing_key(self):
381
    def test_get_token_fail_missing_key(self):
3791
549
        resp = Request.blank('/auth/v1/act/auth',
382
        resp = self._make_request('/auth/v1/act/auth',
3792
550
            headers={'X-Auth-User': 'act:usr'}).get_response(self.test_auth)
383
            headers={'X-Auth-User': 'act:usr'}).get_response(self.test_auth)
3793
551
        self.assertEquals(resp.status_int, 401)
384
        self.assertEquals(resp.status_int, 401)
3794
552
385
3795
553
    def test_get_token_fail_get_user_details(self):
3796
554
        self.test_auth.app = FakeApp(iter([
3797
555
            ('503 Service Unavailable', {}, '')]))
3798
556
        resp = Request.blank('/auth/v1.0',
3799
557
            headers={'X-Auth-User': 'act:usr',
3800
558
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3801
559
        self.assertEquals(resp.status_int, 500)
3802
560
        self.assertEquals(self.test_auth.app.calls, 1)
3803
561
3804
562
    def test_get_token_fail_get_account(self):
3805
563
        self.test_auth.app = FakeApp(iter([
3806
564
            # GET of user object
3807
565
            ('200 Ok', {},
3808
566
             json.dumps({"auth": "plaintext:key",
3809
567
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3810
568
                                    {'name': ".admin"}]})),
3811
569
            # GET of account
3812
570
            ('503 Service Unavailable', {}, '')]))
3813
571
        resp = Request.blank('/auth/v1.0',
3814
572
            headers={'X-Auth-User': 'act:usr',
3815
573
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3816
574
        self.assertEquals(resp.status_int, 500)
3817
575
        self.assertEquals(self.test_auth.app.calls, 2)
3818
576
3819
577
    def test_get_token_fail_put_new_token(self):
3820
578
        self.test_auth.app = FakeApp(iter([
3821
579
            # GET of user object
3822
580
            ('200 Ok', {},
3823
581
             json.dumps({"auth": "plaintext:key",
3824
582
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3825
583
                                    {'name': ".admin"}]})),
3826
584
            # GET of account
3827
585
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3828
586
            # PUT of new token
3829
587
            ('503 Service Unavailable', {}, '')]))
3830
588
        resp = Request.blank('/auth/v1.0',
3831
589
            headers={'X-Auth-User': 'act:usr',
3832
590
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3833
591
        self.assertEquals(resp.status_int, 500)
3834
592
        self.assertEquals(self.test_auth.app.calls, 3)
3835
593
3836
594
    def test_get_token_fail_post_to_user(self):
3837
595
        self.test_auth.app = FakeApp(iter([
3838
596
            # GET of user object
3839
597
            ('200 Ok', {},
3840
598
             json.dumps({"auth": "plaintext:key",
3841
599
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3842
600
                                    {'name': ".admin"}]})),
3843
601
            # GET of account
3844
602
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3845
603
            # PUT of new token
3846
604
            ('201 Created', {}, ''),
3847
605
            # POST of token to user object
3848
606
            ('503 Service Unavailable', {}, '')]))
3849
607
        resp = Request.blank('/auth/v1.0',
3850
608
            headers={'X-Auth-User': 'act:usr',
3851
609
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3852
610
        self.assertEquals(resp.status_int, 500)
3853
611
        self.assertEquals(self.test_auth.app.calls, 4)
3854
612
3855
613
    def test_get_token_fail_get_services(self):
3856
614
        self.test_auth.app = FakeApp(iter([
3857
615
            # GET of user object
3858
616
            ('200 Ok', {},
3859
617
             json.dumps({"auth": "plaintext:key",
3860
618
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3861
619
                                    {'name': ".admin"}]})),
3862
620
            # GET of account
3863
621
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3864
622
            # PUT of new token
3865
623
            ('201 Created', {}, ''),
3866
624
            # POST of token to user object
3867
625
            ('204 No Content', {}, ''),
3868
626
            # GET of services object
3869
627
            ('503 Service Unavailable', {}, '')]))
3870
628
        resp = Request.blank('/auth/v1.0',
3871
629
            headers={'X-Auth-User': 'act:usr',
3872
630
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3873
631
        self.assertEquals(resp.status_int, 500)
3874
632
        self.assertEquals(self.test_auth.app.calls, 5)
3875
633
3876
634
    def test_get_token_fail_get_existing_token(self):
3877
635
        self.test_auth.app = FakeApp(iter([
3878
636
            # GET of user object
3879
637
            ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'},
3880
638
             json.dumps({"auth": "plaintext:key",
3881
639
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3882
640
                                    {'name': ".admin"}]})),
3883
641
            # GET of token
3884
642
            ('503 Service Unavailable', {}, '')]))
3885
643
        resp = Request.blank('/auth/v1.0',
3886
644
            headers={'X-Auth-User': 'act:usr',
3887
645
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3888
646
        self.assertEquals(resp.status_int, 500)
3889
647
        self.assertEquals(self.test_auth.app.calls, 2)
3890
648
3891
649
    def test_get_token_success_v1_0(self):
3892
650
        self.test_auth.app = FakeApp(iter([
3893
651
            # GET of user object
3894
652
            ('200 Ok', {},
3895
653
             json.dumps({"auth": "plaintext:key",
3896
654
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3897
655
                                    {'name': ".admin"}]})),
3898
656
            # GET of account
3899
657
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3900
658
            # PUT of new token
3901
659
            ('201 Created', {}, ''),
3902
660
            # POST of token to user object
3903
661
            ('204 No Content', {}, ''),
3904
662
            # GET of services object
3905
663
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
3906
664
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
3907
665
        resp = Request.blank('/auth/v1.0',
3908
666
            headers={'X-Auth-User': 'act:usr',
3909
667
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
3910
668
        self.assertEquals(resp.status_int, 200)
3911
669
        self.assert_(resp.headers.get('x-auth-token',
3912
670
            '').startswith('AUTH_tk'), resp.headers.get('x-auth-token'))
3913
671
        self.assertEquals(resp.headers.get('x-auth-token'),
3914
672
                          resp.headers.get('x-storage-token'))
3915
673
        self.assertEquals(resp.headers.get('x-storage-url'),
3916
674
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
3917
675
        self.assertEquals(json.loads(resp.body),
3918
676
            {"storage": {"default": "local",
3919
677
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
3920
678
        self.assertEquals(self.test_auth.app.calls, 5)
3921
679
3922
680
    def test_get_token_success_v1_act_auth(self):
3923
681
        self.test_auth.app = FakeApp(iter([
3924
682
            # GET of user object
3925
683
            ('200 Ok', {},
3926
684
             json.dumps({"auth": "plaintext:key",
3927
685
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3928
686
                                    {'name': ".admin"}]})),
3929
687
            # GET of account
3930
688
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3931
689
            # PUT of new token
3932
690
            ('201 Created', {}, ''),
3933
691
            # POST of token to user object
3934
692
            ('204 No Content', {}, ''),
3935
693
            # GET of services object
3936
694
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
3937
695
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
3938
696
        resp = Request.blank('/auth/v1/act/auth',
3939
697
            headers={'X-Storage-User': 'usr',
3940
698
                     'X-Storage-Pass': 'key'}).get_response(self.test_auth)
3941
699
        self.assertEquals(resp.status_int, 200)
3942
700
        self.assert_(resp.headers.get('x-auth-token',
3943
701
            '').startswith('AUTH_tk'), resp.headers.get('x-auth-token'))
3944
702
        self.assertEquals(resp.headers.get('x-auth-token'),
3945
703
                          resp.headers.get('x-storage-token'))
3946
704
        self.assertEquals(resp.headers.get('x-storage-url'),
3947
705
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
3948
706
        self.assertEquals(json.loads(resp.body),
3949
707
            {"storage": {"default": "local",
3950
708
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
3951
709
        self.assertEquals(self.test_auth.app.calls, 5)
3952
710
3953
711
    def test_get_token_success_storage_instead_of_auth(self):
3954
712
        self.test_auth.app = FakeApp(iter([
3955
713
            # GET of user object
3956
714
            ('200 Ok', {},
3957
715
             json.dumps({"auth": "plaintext:key",
3958
716
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3959
717
                                    {'name': ".admin"}]})),
3960
718
            # GET of account
3961
719
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3962
720
            # PUT of new token
3963
721
            ('201 Created', {}, ''),
3964
722
            # POST of token to user object
3965
723
            ('204 No Content', {}, ''),
3966
724
            # GET of services object
3967
725
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
3968
726
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
3969
727
        resp = Request.blank('/auth/v1.0',
3970
728
            headers={'X-Storage-User': 'act:usr',
3971
729
                     'X-Storage-Pass': 'key'}).get_response(self.test_auth)
3972
730
        self.assertEquals(resp.status_int, 200)
3973
731
        self.assert_(resp.headers.get('x-auth-token',
3974
732
            '').startswith('AUTH_tk'), resp.headers.get('x-auth-token'))
3975
733
        self.assertEquals(resp.headers.get('x-auth-token'),
3976
734
                          resp.headers.get('x-storage-token'))
3977
735
        self.assertEquals(resp.headers.get('x-storage-url'),
3978
736
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
3979
737
        self.assertEquals(json.loads(resp.body),
3980
738
            {"storage": {"default": "local",
3981
739
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
3982
740
        self.assertEquals(self.test_auth.app.calls, 5)
3983
741
3984
742
    def test_get_token_success_v1_act_auth_auth_instead_of_storage(self):
3985
743
        self.test_auth.app = FakeApp(iter([
3986
744
            # GET of user object
3987
745
            ('200 Ok', {},
3988
746
             json.dumps({"auth": "plaintext:key",
3989
747
                         "groups": [{'name': "act:usr"}, {'name': "act"},
3990
748
                                    {'name': ".admin"}]})),
3991
749
            # GET of account
3992
750
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
3993
751
            # PUT of new token
3994
752
            ('201 Created', {}, ''),
3995
753
            # POST of token to user object
3996
754
            ('204 No Content', {}, ''),
3997
755
            # GET of services object
3998
756
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
3999
757
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
4000
758
        resp = Request.blank('/auth/v1/act/auth',
4001
759
            headers={'X-Auth-User': 'act:usr',
4002
760
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
4003
761
        self.assertEquals(resp.status_int, 200)
4004
762
        self.assert_(resp.headers.get('x-auth-token',
4005
763
            '').startswith('AUTH_tk'), resp.headers.get('x-auth-token'))
4006
764
        self.assertEquals(resp.headers.get('x-auth-token'),
4007
765
                          resp.headers.get('x-storage-token'))
4008
766
        self.assertEquals(resp.headers.get('x-storage-url'),
4009
767
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
4010
768
        self.assertEquals(json.loads(resp.body),
4011
769
            {"storage": {"default": "local",
4012
770
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
4013
771
        self.assertEquals(self.test_auth.app.calls, 5)
4014
772
4015
773
    def test_get_token_success_existing_token(self):
4016
774
        self.test_auth.app = FakeApp(iter([
4017
775
            # GET of user object
4018
776
            ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'},
4019
777
             json.dumps({"auth": "plaintext:key",
4020
778
                         "groups": [{'name': "act:usr"}, {'name': "act"},
4021
779
                                    {'name': ".admin"}]})),
4022
780
            # GET of token
4023
781
            ('200 Ok', {}, json.dumps({"account": "act", "user": "usr",
4024
782
             "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"},
4025
783
             {'name': "key"}, {'name': ".admin"}],
4026
784
             "expires": 9999999999.9999999})),
4027
785
            # GET of services object
4028
786
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4029
787
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
4030
788
        resp = Request.blank('/auth/v1.0',
4031
789
            headers={'X-Auth-User': 'act:usr',
4032
790
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
4033
791
        self.assertEquals(resp.status_int, 200)
4034
792
        self.assertEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest')
4035
793
        self.assertEquals(resp.headers.get('x-auth-token'),
4036
794
                          resp.headers.get('x-storage-token'))
4037
795
        self.assertEquals(resp.headers.get('x-storage-url'),
4038
796
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
4039
797
        self.assertEquals(json.loads(resp.body),
4040
798
            {"storage": {"default": "local",
4041
799
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
4042
800
        self.assertEquals(self.test_auth.app.calls, 3)
4043
801
4044
802
    def test_get_token_success_existing_token_expired(self):
4045
803
        self.test_auth.app = FakeApp(iter([
4046
804
            # GET of user object
4047
805
            ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'},
4048
806
             json.dumps({"auth": "plaintext:key",
4049
807
                         "groups": [{'name': "act:usr"}, {'name': "act"},
4050
808
                                    {'name': ".admin"}]})),
4051
809
            # GET of token
4052
810
            ('200 Ok', {}, json.dumps({"account": "act", "user": "usr",
4053
811
             "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"},
4054
812
             {'name': "key"}, {'name': ".admin"}],
4055
813
             "expires": 0.0})),
4056
814
            # DELETE of expired token
4057
815
            ('204 No Content', {}, ''),
4058
816
            # GET of account
4059
817
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
4060
818
            # PUT of new token
4061
819
            ('201 Created', {}, ''),
4062
820
            # POST of token to user object
4063
821
            ('204 No Content', {}, ''),
4064
822
            # GET of services object
4065
823
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4066
824
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
4067
825
        resp = Request.blank('/auth/v1.0',
4068
826
            headers={'X-Auth-User': 'act:usr',
4069
827
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
4070
828
        self.assertEquals(resp.status_int, 200)
4071
829
        self.assertNotEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest')
4072
830
        self.assertEquals(resp.headers.get('x-auth-token'),
4073
831
                          resp.headers.get('x-storage-token'))
4074
832
        self.assertEquals(resp.headers.get('x-storage-url'),
4075
833
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
4076
834
        self.assertEquals(json.loads(resp.body),
4077
835
            {"storage": {"default": "local",
4078
836
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
4079
837
        self.assertEquals(self.test_auth.app.calls, 7)
4080
838
4081
839
    def test_get_token_success_existing_token_expired_fail_deleting_old(self):
4082
840
        self.test_auth.app = FakeApp(iter([
4083
841
            # GET of user object
4084
842
            ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'},
4085
843
             json.dumps({"auth": "plaintext:key",
4086
844
                         "groups": [{'name': "act:usr"}, {'name': "act"},
4087
845
                                    {'name': ".admin"}]})),
4088
846
            # GET of token
4089
847
            ('200 Ok', {}, json.dumps({"account": "act", "user": "usr",
4090
848
             "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"},
4091
849
             {'name': "key"}, {'name': ".admin"}],
4092
850
             "expires": 0.0})),
4093
851
            # DELETE of expired token
4094
852
            ('503 Service Unavailable', {}, ''),
4095
853
            # GET of account
4096
854
            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
4097
855
            # PUT of new token
4098
856
            ('201 Created', {}, ''),
4099
857
            # POST of token to user object
4100
858
            ('204 No Content', {}, ''),
4101
859
            # GET of services object
4102
860
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4103
861
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))]))
4104
862
        resp = Request.blank('/auth/v1.0',
4105
863
            headers={'X-Auth-User': 'act:usr',
4106
864
                     'X-Auth-Key': 'key'}).get_response(self.test_auth)
4107
865
        self.assertEquals(resp.status_int, 200)
4108
866
        self.assertNotEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest')
4109
867
        self.assertEquals(resp.headers.get('x-auth-token'),
4110
868
                          resp.headers.get('x-storage-token'))
4111
869
        self.assertEquals(resp.headers.get('x-storage-url'),
4112
870
                          'http://127.0.0.1:8080/v1/AUTH_cfa')
4113
871
        self.assertEquals(json.loads(resp.body),
4114
872
            {"storage": {"default": "local",
4115
873
             "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})
4116
874
        self.assertEquals(self.test_auth.app.calls, 7)
4117
875
4118
876
    def test_prep_success(self):
4119
877
        list_to_iter = [
4120
878
            # PUT of .auth account
4121
879
            ('201 Created', {}, ''),
4122
880
            # PUT of .account_id container
4123
881
            ('201 Created', {}, '')]
4124
882
        # PUT of .token* containers
4125
883
        for x in xrange(16):
4126
884
            list_to_iter.append(('201 Created', {}, ''))
4127
885
        self.test_auth.app = FakeApp(iter(list_to_iter))
4128
886
        resp = Request.blank('/auth/v2/.prep',
4129
887
            environ={'REQUEST_METHOD': 'POST'},
4130
888
            headers={'X-Auth-Admin-User': '.super_admin',
4131
889
                     'X-Auth-Admin-Key': 'supertest'}
4132
890
            ).get_response(self.test_auth)
4133
891
        self.assertEquals(resp.status_int, 204)
4134
892
        self.assertEquals(self.test_auth.app.calls, 18)
4135
893
4136
894
    def test_prep_bad_method(self):
4137
895
        resp = Request.blank('/auth/v2/.prep',
4138
896
            headers={'X-Auth-Admin-User': '.super_admin',
4139
897
                     'X-Auth-Admin-Key': 'supertest'}
4140
898
            ).get_response(self.test_auth)
4141
899
        self.assertEquals(resp.status_int, 400)
4142
900
        resp = Request.blank('/auth/v2/.prep',
4143
901
            environ={'REQUEST_METHOD': 'HEAD'},
4144
902
            headers={'X-Auth-Admin-User': '.super_admin',
4145
903
                     'X-Auth-Admin-Key': 'supertest'}
4146
904
            ).get_response(self.test_auth)
4147
905
        self.assertEquals(resp.status_int, 400)
4148
906
        resp = Request.blank('/auth/v2/.prep',
4149
907
            environ={'REQUEST_METHOD': 'PUT'},
4150
908
            headers={'X-Auth-Admin-User': '.super_admin',
4151
909
                     'X-Auth-Admin-Key': 'supertest'}
4152
910
            ).get_response(self.test_auth)
4153
911
        self.assertEquals(resp.status_int, 400)
4154
912
4155
913
    def test_prep_bad_creds(self):
4156
914
        resp = Request.blank('/auth/v2/.prep',
4157
915
            environ={'REQUEST_METHOD': 'POST'},
4158
916
            headers={'X-Auth-Admin-User': 'super_admin',
4159
917
                     'X-Auth-Admin-Key': 'supertest'}
4160
918
            ).get_response(self.test_auth)
4161
919
        self.assertEquals(resp.status_int, 403)
4162
920
        resp = Request.blank('/auth/v2/.prep',
4163
921
            environ={'REQUEST_METHOD': 'POST'},
4164
922
            headers={'X-Auth-Admin-User': '.super_admin',
4165
923
                     'X-Auth-Admin-Key': 'upertest'}
4166
924
            ).get_response(self.test_auth)
4167
925
        self.assertEquals(resp.status_int, 403)
4168
926
        resp = Request.blank('/auth/v2/.prep',
4169
927
            environ={'REQUEST_METHOD': 'POST'},
4170
928
            headers={'X-Auth-Admin-User': '.super_admin'}
4171
929
            ).get_response(self.test_auth)
4172
930
        self.assertEquals(resp.status_int, 403)
4173
931
        resp = Request.blank('/auth/v2/.prep',
4174
932
            environ={'REQUEST_METHOD': 'POST'},
4175
933
            headers={'X-Auth-Admin-Key': 'supertest'}
4176
934
            ).get_response(self.test_auth)
4177
935
        self.assertEquals(resp.status_int, 403)
4178
936
        resp = Request.blank('/auth/v2/.prep',
4179
937
            environ={'REQUEST_METHOD': 'POST'}).get_response(self.test_auth)
4180
938
        self.assertEquals(resp.status_int, 403)
4181
939
4182
940
    def test_prep_fail_account_create(self):
4183
941
        self.test_auth.app = FakeApp(iter([
4184
942
            # PUT of .auth account
4185
943
            ('503 Service Unavailable', {}, '')]))
4186
944
        resp = Request.blank('/auth/v2/.prep',
4187
945
            environ={'REQUEST_METHOD': 'POST'},
4188
946
            headers={'X-Auth-Admin-User': '.super_admin',
4189
947
                     'X-Auth-Admin-Key': 'supertest'}
4190
948
            ).get_response(self.test_auth)
4191
949
        self.assertEquals(resp.status_int, 500)
4192
950
        self.assertEquals(self.test_auth.app.calls, 1)
4193
951
4194
952
    def test_prep_fail_token_container_create(self):
4195
953
        self.test_auth.app = FakeApp(iter([
4196
954
            # PUT of .auth account
4197
955
            ('201 Created', {}, ''),
4198
956
            # PUT of .token container
4199
957
            ('503 Service Unavailable', {}, '')]))
4200
958
        resp = Request.blank('/auth/v2/.prep',
4201
959
            environ={'REQUEST_METHOD': 'POST'},
4202
960
            headers={'X-Auth-Admin-User': '.super_admin',
4203
961
                     'X-Auth-Admin-Key': 'supertest'}
4204
962
            ).get_response(self.test_auth)
4205
963
        self.assertEquals(resp.status_int, 500)
4206
964
        self.assertEquals(self.test_auth.app.calls, 2)
4207
965
4208
966
    def test_prep_fail_account_id_container_create(self):
4209
967
        self.test_auth.app = FakeApp(iter([
4210
968
            # PUT of .auth account
4211
969
            ('201 Created', {}, ''),
4212
970
            # PUT of .token container
4213
971
            ('201 Created', {}, ''),
4214
972
            # PUT of .account_id container
4215
973
            ('503 Service Unavailable', {}, '')]))
4216
974
        resp = Request.blank('/auth/v2/.prep',
4217
975
            environ={'REQUEST_METHOD': 'POST'},
4218
976
            headers={'X-Auth-Admin-User': '.super_admin',
4219
977
                     'X-Auth-Admin-Key': 'supertest'}
4220
978
            ).get_response(self.test_auth)
4221
979
        self.assertEquals(resp.status_int, 500)
4222
980
        self.assertEquals(self.test_auth.app.calls, 3)
4223
981
4224
982
    def test_get_reseller_success(self):
4225
983
        self.test_auth.app = FakeApp(iter([
4226
984
            # GET of .auth account (list containers)
4227
985
            ('200 Ok', {}, json.dumps([
4228
986
                {"name": ".token", "count": 0, "bytes": 0},
4229
987
                {"name": ".account_id", "count": 0, "bytes": 0},
4230
988
                {"name": "act", "count": 0, "bytes": 0}])),
4231
989
            # GET of .auth account (list containers continuation)
4232
990
            ('200 Ok', {}, '[]')]))
4233
991
        resp = Request.blank('/auth/v2',
4234
992
            headers={'X-Auth-Admin-User': '.super_admin',
4235
993
                     'X-Auth-Admin-Key': 'supertest'}
4236
994
            ).get_response(self.test_auth)
4237
995
        self.assertEquals(resp.status_int, 200)
4238
996
        self.assertEquals(json.loads(resp.body),
4239
997
                          {"accounts": [{"name": "act"}]})
4240
998
        self.assertEquals(self.test_auth.app.calls, 2)
4241
999
4242
1000
        self.test_auth.app = FakeApp(iter([
4243
1001
            # GET of user object
4244
1002
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
4245
1003
             {"name": "test"}, {"name": ".admin"},
4246
1004
             {"name": ".reseller_admin"}], "auth": "plaintext:key"})),
4247
1005
            # GET of .auth account (list containers)
4248
1006
            ('200 Ok', {}, json.dumps([
4249
1007
                {"name": ".token", "count": 0, "bytes": 0},
4250
1008
                {"name": ".account_id", "count": 0, "bytes": 0},
4251
1009
                {"name": "act", "count": 0, "bytes": 0}])),
4252
1010
            # GET of .auth account (list containers continuation)
4253
1011
            ('200 Ok', {}, '[]')]))
4254
1012
        resp = Request.blank('/auth/v2',
4255
1013
            headers={'X-Auth-Admin-User': 'act:adm',
4256
1014
                     'X-Auth-Admin-Key': 'key'}
4257
1015
            ).get_response(self.test_auth)
4258
1016
        self.assertEquals(resp.status_int, 200)
4259
1017
        self.assertEquals(json.loads(resp.body),
4260
1018
                          {"accounts": [{"name": "act"}]})
4261
1019
        self.assertEquals(self.test_auth.app.calls, 3)
4262
1020
4263
1021
    def test_get_reseller_fail_bad_creds(self):
4264
1022
        self.test_auth.app = FakeApp(iter([
4265
1023
            # GET of user object
4266
1024
            ('404 Not Found', {}, '')]))
4267
1025
        resp = Request.blank('/auth/v2',
4268
1026
            headers={'X-Auth-Admin-User': 'super:admin',
4269
1027
                     'X-Auth-Admin-Key': 'supertest'}
4270
1028
            ).get_response(self.test_auth)
4271
1029
        self.assertEquals(resp.status_int, 403)
4272
1030
        self.assertEquals(self.test_auth.app.calls, 1)
4273
1031
4274
1032
        self.test_auth.app = FakeApp(iter([
4275
1033
            # GET of user object (account admin, but not reseller admin)
4276
1034
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
4277
1035
             {"name": "test"}, {"name": ".admin"}],
4278
1036
             "auth": "plaintext:key"}))]))
4279
1037
        resp = Request.blank('/auth/v2',
4280
1038
            headers={'X-Auth-Admin-User': 'act:adm',
4281
1039
                     'X-Auth-Admin-Key': 'key'}
4282
1040
            ).get_response(self.test_auth)
4283
1041
        self.assertEquals(resp.status_int, 403)
4284
1042
        self.assertEquals(self.test_auth.app.calls, 1)
4285
1043
4286
1044
        self.test_auth.app = FakeApp(iter([
4287
1045
            # GET of user object (regular user)
4288
1046
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
4289
1047
             {"name": "test"}], "auth": "plaintext:key"}))]))
4290
1048
        resp = Request.blank('/auth/v2',
4291
1049
            headers={'X-Auth-Admin-User': 'act:usr',
4292
1050
                     'X-Auth-Admin-Key': 'key'}
4293
1051
            ).get_response(self.test_auth)
4294
1052
        self.assertEquals(resp.status_int, 403)
4295
1053
        self.assertEquals(self.test_auth.app.calls, 1)
4296
1054
4297
1055
    def test_get_reseller_fail_listing(self):
4298
1056
        self.test_auth.app = FakeApp(iter([
4299
1057
            # GET of .auth account (list containers)
4300
1058
            ('503 Service Unavailable', {}, '')]))
4301
1059
        resp = Request.blank('/auth/v2',
4302
1060
            headers={'X-Auth-Admin-User': '.super_admin',
4303
1061
                     'X-Auth-Admin-Key': 'supertest'}
4304
1062
            ).get_response(self.test_auth)
4305
1063
        self.assertEquals(resp.status_int, 500)
4306
1064
        self.assertEquals(self.test_auth.app.calls, 1)
4307
1065
4308
1066
        self.test_auth.app = FakeApp(iter([
4309
1067
            # GET of .auth account (list containers)
4310
1068
            ('200 Ok', {}, json.dumps([
4311
1069
                {"name": ".token", "count": 0, "bytes": 0},
4312
1070
                {"name": ".account_id", "count": 0, "bytes": 0},
4313
1071
                {"name": "act", "count": 0, "bytes": 0}])),
4314
1072
            # GET of .auth account (list containers continuation)
4315
1073
            ('503 Service Unavailable', {}, '')]))
4316
1074
        resp = Request.blank('/auth/v2',
4317
1075
            headers={'X-Auth-Admin-User': '.super_admin',
4318
1076
                     'X-Auth-Admin-Key': 'supertest'}
4319
1077
            ).get_response(self.test_auth)
4320
1078
        self.assertEquals(resp.status_int, 500)
4321
1079
        self.assertEquals(self.test_auth.app.calls, 2)
4322
1080
4323
1081
    def test_get_account_success(self):
4324
1082
        self.test_auth.app = FakeApp(iter([
4325
1083
            # GET of .services object
4326
1084
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4327
1085
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4328
1086
            # GET of account container (list objects)
4329
1087
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4330
1088
             json.dumps([
4331
1089
                {"name": ".services", "hash": "etag", "bytes": 112,
4332
1090
                 "content_type": "application/octet-stream",
4333
1091
                 "last_modified": "2010-12-03T17:16:27.618110"},
4334
1092
                {"name": "tester", "hash": "etag", "bytes": 104,
4335
1093
                 "content_type": "application/octet-stream",
4336
1094
                 "last_modified": "2010-12-03T17:16:27.736680"},
4337
1095
                {"name": "tester3", "hash": "etag", "bytes": 86,
4338
1096
                 "content_type": "application/octet-stream",
4339
1097
                 "last_modified": "2010-12-03T17:16:28.135530"}])),
4340
1098
            # GET of account container (list objects continuation)
4341
1099
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')]))
4342
1100
        resp = Request.blank('/auth/v2/act',
4343
1101
            headers={'X-Auth-Admin-User': '.super_admin',
4344
1102
                     'X-Auth-Admin-Key': 'supertest'}
4345
1103
            ).get_response(self.test_auth)
4346
1104
        self.assertEquals(resp.status_int, 200)
4347
1105
        self.assertEquals(json.loads(resp.body),
4348
1106
            {'account_id': 'AUTH_cfa',
4349
1107
             'services': {'storage':
4350
1108
                            {'default': 'local',
4351
1109
                             'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'}},
4352
1110
             'users': [{'name': 'tester'}, {'name': 'tester3'}]})
4353
1111
        self.assertEquals(self.test_auth.app.calls, 3)
4354
1112
4355
1113
        self.test_auth.app = FakeApp(iter([
4356
1114
            # GET of user object
4357
1115
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
4358
1116
             {"name": "test"}, {"name": ".admin"}],
4359
1117
             "auth": "plaintext:key"})),
4360
1118
            # GET of .services object
4361
1119
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4362
1120
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4363
1121
            # GET of account container (list objects)
4364
1122
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4365
1123
             json.dumps([
4366
1124
                {"name": ".services", "hash": "etag", "bytes": 112,
4367
1125
                 "content_type": "application/octet-stream",
4368
1126
                 "last_modified": "2010-12-03T17:16:27.618110"},
4369
1127
                {"name": "tester", "hash": "etag", "bytes": 104,
4370
1128
                 "content_type": "application/octet-stream",
4371
1129
                 "last_modified": "2010-12-03T17:16:27.736680"},
4372
1130
                {"name": "tester3", "hash": "etag", "bytes": 86,
4373
1131
                 "content_type": "application/octet-stream",
4374
1132
                 "last_modified": "2010-12-03T17:16:28.135530"}])),
4375
1133
            # GET of account container (list objects continuation)
4376
1134
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')]))
4377
1135
        resp = Request.blank('/auth/v2/act',
4378
1136
            headers={'X-Auth-Admin-User': 'act:adm',
4379
1137
                     'X-Auth-Admin-Key': 'key'}
4380
1138
            ).get_response(self.test_auth)
4381
1139
        self.assertEquals(resp.status_int, 200)
4382
1140
        self.assertEquals(json.loads(resp.body),
4383
1141
            {'account_id': 'AUTH_cfa',
4384
1142
             'services': {'storage':
4385
1143
                            {'default': 'local',
4386
1144
                             'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'}},
4387
1145
             'users': [{'name': 'tester'}, {'name': 'tester3'}]})
4388
1146
        self.assertEquals(self.test_auth.app.calls, 4)
4389
1147
4390
1148
    def test_get_account_fail_bad_account_name(self):
4391
1149
        resp = Request.blank('/auth/v2/.token',
4392
1150
            headers={'X-Auth-Admin-User': '.super_admin',
4393
1151
                     'X-Auth-Admin-Key': 'supertest'}
4394
1152
            ).get_response(self.test_auth)
4395
1153
        self.assertEquals(resp.status_int, 400)
4396
1154
        resp = Request.blank('/auth/v2/.anything',
4397
1155
            headers={'X-Auth-Admin-User': '.super_admin',
4398
1156
                     'X-Auth-Admin-Key': 'supertest'}
4399
1157
            ).get_response(self.test_auth)
4400
1158
        self.assertEquals(resp.status_int, 400)
4401
1159
4402
1160
    def test_get_account_fail_creds(self):
4403
1161
        self.test_auth.app = FakeApp(iter([
4404
1162
            # GET of user object
4405
1163
            ('404 Not Found', {}, '')]))
4406
1164
        resp = Request.blank('/auth/v2/act',
4407
1165
            headers={'X-Auth-Admin-User': 'super:admin',
4408
1166
                     'X-Auth-Admin-Key': 'supertest'}
4409
1167
            ).get_response(self.test_auth)
4410
1168
        self.assertEquals(resp.status_int, 403)
4411
1169
        self.assertEquals(self.test_auth.app.calls, 1)
4412
1170
4413
1171
        self.test_auth.app = FakeApp(iter([
4414
1172
            # GET of user object (account admin, but wrong account)
4415
1173
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"},
4416
1174
             {"name": "test"}, {"name": ".admin"}],
4417
1175
             "auth": "plaintext:key"}))]))
4418
1176
        resp = Request.blank('/auth/v2/act',
4419
1177
            headers={'X-Auth-Admin-User': 'act2:adm',
4420
1178
                     'X-Auth-Admin-Key': 'key'}
4421
1179
            ).get_response(self.test_auth)
4422
1180
        self.assertEquals(resp.status_int, 403)
4423
1181
        self.assertEquals(self.test_auth.app.calls, 1)
4424
1182
4425
1183
        self.test_auth.app = FakeApp(iter([
4426
1184
            # GET of user object (regular user)
4427
1185
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
4428
1186
             {"name": "test"}], "auth": "plaintext:key"}))]))
4429
1187
        resp = Request.blank('/auth/v2/act',
4430
1188
            headers={'X-Auth-Admin-User': 'act:usr',
4431
1189
                     'X-Auth-Admin-Key': 'key'}
4432
1190
            ).get_response(self.test_auth)
4433
1191
        self.assertEquals(resp.status_int, 403)
4434
1192
        self.assertEquals(self.test_auth.app.calls, 1)
4435
1193
4436
1194
    def test_get_account_fail_get_services(self):
4437
1195
        self.test_auth.app = FakeApp(iter([
4438
1196
            # GET of .services object
4439
1197
            ('503 Service Unavailable', {}, '')]))
4440
1198
        resp = Request.blank('/auth/v2/act',
4441
1199
            headers={'X-Auth-Admin-User': '.super_admin',
4442
1200
                     'X-Auth-Admin-Key': 'supertest'}
4443
1201
            ).get_response(self.test_auth)
4444
1202
        self.assertEquals(resp.status_int, 500)
4445
1203
        self.assertEquals(self.test_auth.app.calls, 1)
4446
1204
4447
1205
        self.test_auth.app = FakeApp(iter([
4448
1206
            # GET of .services object
4449
1207
            ('404 Not Found', {}, '')]))
4450
1208
        resp = Request.blank('/auth/v2/act',
4451
1209
            headers={'X-Auth-Admin-User': '.super_admin',
4452
1210
                     'X-Auth-Admin-Key': 'supertest'}
4453
1211
            ).get_response(self.test_auth)
4454
1212
        self.assertEquals(resp.status_int, 404)
4455
1213
        self.assertEquals(self.test_auth.app.calls, 1)
4456
1214
4457
1215
    def test_get_account_fail_listing(self):
4458
1216
        self.test_auth.app = FakeApp(iter([
4459
1217
            # GET of .services object
4460
1218
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4461
1219
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4462
1220
            # GET of account container (list objects)
4463
1221
            ('503 Service Unavailable', {}, '')]))
4464
1222
        resp = Request.blank('/auth/v2/act',
4465
1223
            headers={'X-Auth-Admin-User': '.super_admin',
4466
1224
                     'X-Auth-Admin-Key': 'supertest'}
4467
1225
            ).get_response(self.test_auth)
4468
1226
        self.assertEquals(resp.status_int, 500)
4469
1227
        self.assertEquals(self.test_auth.app.calls, 2)
4470
1228
4471
1229
        self.test_auth.app = FakeApp(iter([
4472
1230
            # GET of .services object
4473
1231
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4474
1232
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4475
1233
            # GET of account container (list objects)
4476
1234
            ('404 Not Found', {}, '')]))
4477
1235
        resp = Request.blank('/auth/v2/act',
4478
1236
            headers={'X-Auth-Admin-User': '.super_admin',
4479
1237
                     'X-Auth-Admin-Key': 'supertest'}
4480
1238
            ).get_response(self.test_auth)
4481
1239
        self.assertEquals(resp.status_int, 404)
4482
1240
        self.assertEquals(self.test_auth.app.calls, 2)
4483
1241
4484
1242
        self.test_auth.app = FakeApp(iter([
4485
1243
            # GET of .services object
4486
1244
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4487
1245
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4488
1246
            # GET of account container (list objects)
4489
1247
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4490
1248
             json.dumps([
4491
1249
                {"name": ".services", "hash": "etag", "bytes": 112,
4492
1250
                 "content_type": "application/octet-stream",
4493
1251
                 "last_modified": "2010-12-03T17:16:27.618110"},
4494
1252
                {"name": "tester", "hash": "etag", "bytes": 104,
4495
1253
                 "content_type": "application/octet-stream",
4496
1254
                 "last_modified": "2010-12-03T17:16:27.736680"},
4497
1255
                {"name": "tester3", "hash": "etag", "bytes": 86,
4498
1256
                 "content_type": "application/octet-stream",
4499
1257
                 "last_modified": "2010-12-03T17:16:28.135530"}])),
4500
1258
            # GET of account container (list objects continuation)
4501
1259
            ('503 Service Unavailable', {}, '')]))
4502
1260
        resp = Request.blank('/auth/v2/act',
4503
1261
            headers={'X-Auth-Admin-User': '.super_admin',
4504
1262
                     'X-Auth-Admin-Key': 'supertest'}
4505
1263
            ).get_response(self.test_auth)
4506
1264
        self.assertEquals(resp.status_int, 500)
4507
1265
        self.assertEquals(self.test_auth.app.calls, 3)
4508
1266
4509
1267
    def test_set_services_new_service(self):
4510
1268
        self.test_auth.app = FakeApp(iter([
4511
1269
            # GET of .services object
4512
1270
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4513
1271
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4514
1272
            # PUT of new .services object
4515
1273
            ('204 No Content', {}, '')]))
4516
1274
        resp = Request.blank('/auth/v2/act/.services',
4517
1275
            environ={'REQUEST_METHOD': 'POST'},
4518
1276
            headers={'X-Auth-Admin-User': '.super_admin',
4519
1277
                     'X-Auth-Admin-Key': 'supertest'},
4520
1278
            body=json.dumps({'new_service': {'new_endpoint': 'new_value'}})
4521
1279
            ).get_response(self.test_auth)
4522
1280
        self.assertEquals(resp.status_int, 200)
4523
1281
        self.assertEquals(json.loads(resp.body),
4524
1282
            {'storage': {'default': 'local',
4525
1283
                         'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'},
4526
1284
             'new_service': {'new_endpoint': 'new_value'}})
4527
1285
        self.assertEquals(self.test_auth.app.calls, 2)
4528
1286
4529
1287
    def test_set_services_new_endpoint(self):
4530
1288
        self.test_auth.app = FakeApp(iter([
4531
1289
            # GET of .services object
4532
1290
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4533
1291
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4534
1292
            # PUT of new .services object
4535
1293
            ('204 No Content', {}, '')]))
4536
1294
        resp = Request.blank('/auth/v2/act/.services',
4537
1295
            environ={'REQUEST_METHOD': 'POST'},
4538
1296
            headers={'X-Auth-Admin-User': '.super_admin',
4539
1297
                     'X-Auth-Admin-Key': 'supertest'},
4540
1298
            body=json.dumps({'storage': {'new_endpoint': 'new_value'}})
4541
1299
            ).get_response(self.test_auth)
4542
1300
        self.assertEquals(resp.status_int, 200)
4543
1301
        self.assertEquals(json.loads(resp.body),
4544
1302
            {'storage': {'default': 'local',
4545
1303
                         'local': 'http://127.0.0.1:8080/v1/AUTH_cfa',
4546
1304
                         'new_endpoint': 'new_value'}})
4547
1305
        self.assertEquals(self.test_auth.app.calls, 2)
4548
1306
4549
1307
    def test_set_services_update_endpoint(self):
4550
1308
        self.test_auth.app = FakeApp(iter([
4551
1309
            # GET of .services object
4552
1310
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4553
1311
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4554
1312
            # PUT of new .services object
4555
1313
            ('204 No Content', {}, '')]))
4556
1314
        resp = Request.blank('/auth/v2/act/.services',
4557
1315
            environ={'REQUEST_METHOD': 'POST'},
4558
1316
            headers={'X-Auth-Admin-User': '.super_admin',
4559
1317
                     'X-Auth-Admin-Key': 'supertest'},
4560
1318
            body=json.dumps({'storage': {'local': 'new_value'}})
4561
1319
            ).get_response(self.test_auth)
4562
1320
        self.assertEquals(resp.status_int, 200)
4563
1321
        self.assertEquals(json.loads(resp.body),
4564
1322
            {'storage': {'default': 'local',
4565
1323
                         'local': 'new_value'}})
4566
1324
        self.assertEquals(self.test_auth.app.calls, 2)
4567
1325
4568
1326
    def test_set_services_fail_bad_creds(self):
4569
1327
        self.test_auth.app = FakeApp(iter([
4570
1328
            # GET of user object
4571
1329
            ('404 Not Found', {}, '')]))
4572
1330
        resp = Request.blank('/auth/v2/act/.services',
4573
1331
            environ={'REQUEST_METHOD': 'POST'},
4574
1332
            headers={'X-Auth-Admin-User': 'super:admin',
4575
1333
                     'X-Auth-Admin-Key': 'supertest'},
4576
1334
            body=json.dumps({'storage': {'local': 'new_value'}})
4577
1335
            ).get_response(self.test_auth)
4578
1336
        self.assertEquals(resp.status_int, 403)
4579
1337
        self.assertEquals(self.test_auth.app.calls, 1)
4580
1338
4581
1339
        self.test_auth.app = FakeApp(iter([
4582
1340
            # GET of user object (account admin, but not reseller admin)
4583
1341
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
4584
1342
             {"name": "test"}, {"name": ".admin"}],
4585
1343
             "auth": "plaintext:key"}))]))
4586
1344
        resp = Request.blank('/auth/v2/act/.services',
4587
1345
            environ={'REQUEST_METHOD': 'POST'},
4588
1346
            headers={'X-Auth-Admin-User': 'act:adm',
4589
1347
                     'X-Auth-Admin-Key': 'key'},
4590
1348
            body=json.dumps({'storage': {'local': 'new_value'}})
4591
1349
            ).get_response(self.test_auth)
4592
1350
        self.assertEquals(resp.status_int, 403)
4593
1351
        self.assertEquals(self.test_auth.app.calls, 1)
4594
1352
4595
1353
        self.test_auth.app = FakeApp(iter([
4596
1354
            # GET of user object (regular user)
4597
1355
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
4598
1356
             {"name": "test"}], "auth": "plaintext:key"}))]))
4599
1357
        resp = Request.blank('/auth/v2/act/.services',
4600
1358
            environ={'REQUEST_METHOD': 'POST'},
4601
1359
            headers={'X-Auth-Admin-User': 'act:usr',
4602
1360
                     'X-Auth-Admin-Key': 'key'},
4603
1361
            body=json.dumps({'storage': {'local': 'new_value'}})
4604
1362
            ).get_response(self.test_auth)
4605
1363
        self.assertEquals(resp.status_int, 403)
4606
1364
        self.assertEquals(self.test_auth.app.calls, 1)
4607
1365
4608
1366
    def test_set_services_fail_bad_account_name(self):
4609
1367
        resp = Request.blank('/auth/v2/.act/.services',
4610
1368
            environ={'REQUEST_METHOD': 'POST'},
4611
1369
            headers={'X-Auth-Admin-User': '.super_admin',
4612
1370
                     'X-Auth-Admin-Key': 'supertest'},
4613
1371
            body=json.dumps({'storage': {'local': 'new_value'}})
4614
1372
            ).get_response(self.test_auth)
4615
1373
        self.assertEquals(resp.status_int, 400)
4616
1374
4617
1375
    def test_set_services_fail_bad_json(self):
4618
1376
        resp = Request.blank('/auth/v2/act/.services',
4619
1377
            environ={'REQUEST_METHOD': 'POST'},
4620
1378
            headers={'X-Auth-Admin-User': '.super_admin',
4621
1379
                     'X-Auth-Admin-Key': 'supertest'},
4622
1380
            body='garbage'
4623
1381
            ).get_response(self.test_auth)
4624
1382
        self.assertEquals(resp.status_int, 400)
4625
1383
        resp = Request.blank('/auth/v2/act/.services',
4626
1384
            environ={'REQUEST_METHOD': 'POST'},
4627
1385
            headers={'X-Auth-Admin-User': '.super_admin',
4628
1386
                     'X-Auth-Admin-Key': 'supertest'},
4629
1387
            body=''
4630
1388
            ).get_response(self.test_auth)
4631
1389
        self.assertEquals(resp.status_int, 400)
4632
1390
4633
1391
    def test_set_services_fail_get_services(self):
4634
1392
        self.test_auth.app = FakeApp(iter([
4635
1393
            # GET of .services object
4636
1394
            ('503 Unavailable', {}, '')]))
4637
1395
        resp = Request.blank('/auth/v2/act/.services',
4638
1396
            environ={'REQUEST_METHOD': 'POST'},
4639
1397
            headers={'X-Auth-Admin-User': '.super_admin',
4640
1398
                     'X-Auth-Admin-Key': 'supertest'},
4641
1399
            body=json.dumps({'new_service': {'new_endpoint': 'new_value'}})
4642
1400
            ).get_response(self.test_auth)
4643
1401
        self.assertEquals(resp.status_int, 500)
4644
1402
        self.assertEquals(self.test_auth.app.calls, 1)
4645
1403
4646
1404
        self.test_auth.app = FakeApp(iter([
4647
1405
            # GET of .services object
4648
1406
            ('404 Not Found', {}, '')]))
4649
1407
        resp = Request.blank('/auth/v2/act/.services',
4650
1408
            environ={'REQUEST_METHOD': 'POST'},
4651
1409
            headers={'X-Auth-Admin-User': '.super_admin',
4652
1410
                     'X-Auth-Admin-Key': 'supertest'},
4653
1411
            body=json.dumps({'new_service': {'new_endpoint': 'new_value'}})
4654
1412
            ).get_response(self.test_auth)
4655
1413
        self.assertEquals(resp.status_int, 404)
4656
1414
        self.assertEquals(self.test_auth.app.calls, 1)
4657
1415
4658
1416
    def test_set_services_fail_put_services(self):
4659
1417
        self.test_auth.app = FakeApp(iter([
4660
1418
            # GET of .services object
4661
1419
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4662
1420
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4663
1421
            # PUT of new .services object
4664
1422
            ('503 Unavailable', {}, '')]))
4665
1423
        resp = Request.blank('/auth/v2/act/.services',
4666
1424
            environ={'REQUEST_METHOD': 'POST'},
4667
1425
            headers={'X-Auth-Admin-User': '.super_admin',
4668
1426
                     'X-Auth-Admin-Key': 'supertest'},
4669
1427
            body=json.dumps({'new_service': {'new_endpoint': 'new_value'}})
4670
1428
            ).get_response(self.test_auth)
4671
1429
        self.assertEquals(resp.status_int, 500)
4672
1430
        self.assertEquals(self.test_auth.app.calls, 2)
4673
1431
4674
1432
    def test_put_account_success(self):
4675
1433
        conn = FakeConn(iter([
4676
1434
            # PUT of storage account itself
4677
1435
            ('201 Created', {}, '')]))
4678
1436
        self.test_auth.get_conn = lambda: conn
4679
1437
        self.test_auth.app = FakeApp(iter([
4680
1438
            # Initial HEAD of account container to check for pre-existence
4681
1439
            ('404 Not Found', {}, ''),
4682
1440
            # PUT of account container
4683
1441
            ('204 No Content', {}, ''),
4684
1442
            # PUT of .account_id mapping object
4685
1443
            ('204 No Content', {}, ''),
4686
1444
            # PUT of .services object
4687
1445
            ('204 No Content', {}, ''),
4688
1446
            # POST to account container updating X-Container-Meta-Account-Id
4689
1447
            ('204 No Content', {}, '')]))
4690
1448
        resp = Request.blank('/auth/v2/act',
4691
1449
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4692
1450
            headers={'X-Auth-Admin-User': '.super_admin',
4693
1451
                     'X-Auth-Admin-Key': 'supertest'}
4694
1452
            ).get_response(self.test_auth)
4695
1453
        self.assertEquals(resp.status_int, 201)
4696
1454
        self.assertEquals(self.test_auth.app.calls, 5)
4697
1455
        self.assertEquals(conn.calls, 1)
4698
1456
4699
1457
    def test_put_account_success_preexist_but_not_completed(self):
4700
1458
        conn = FakeConn(iter([
4701
1459
            # PUT of storage account itself
4702
1460
            ('201 Created', {}, '')]))
4703
1461
        self.test_auth.get_conn = lambda: conn
4704
1462
        self.test_auth.app = FakeApp(iter([
4705
1463
            # Initial HEAD of account container to check for pre-existence
4706
1464
            # We're going to show it as existing this time, but with no
4707
1465
            # X-Container-Meta-Account-Id, indicating a failed previous attempt
4708
1466
            ('200 Ok', {}, ''),
4709
1467
            # PUT of .account_id mapping object
4710
1468
            ('204 No Content', {}, ''),
4711
1469
            # PUT of .services object
4712
1470
            ('204 No Content', {}, ''),
4713
1471
            # POST to account container updating X-Container-Meta-Account-Id
4714
1472
            ('204 No Content', {}, '')]))
4715
1473
        resp = Request.blank('/auth/v2/act',
4716
1474
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4717
1475
            headers={'X-Auth-Admin-User': '.super_admin',
4718
1476
                     'X-Auth-Admin-Key': 'supertest'}
4719
1477
            ).get_response(self.test_auth)
4720
1478
        self.assertEquals(resp.status_int, 201)
4721
1479
        self.assertEquals(self.test_auth.app.calls, 4)
4722
1480
        self.assertEquals(conn.calls, 1)
4723
1481
4724
1482
    def test_put_account_success_preexist_and_completed(self):
4725
1483
        self.test_auth.app = FakeApp(iter([
4726
1484
            # Initial HEAD of account container to check for pre-existence
4727
1485
            # We're going to show it as existing this time, and with an
4728
1486
            # X-Container-Meta-Account-Id, indicating it already exists
4729
1487
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '')]))
4730
1488
        resp = Request.blank('/auth/v2/act',
4731
1489
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4732
1490
            headers={'X-Auth-Admin-User': '.super_admin',
4733
1491
                     'X-Auth-Admin-Key': 'supertest'}
4734
1492
            ).get_response(self.test_auth)
4735
1493
        self.assertEquals(resp.status_int, 202)
4736
1494
        self.assertEquals(self.test_auth.app.calls, 1)
4737
1495
4738
1496
    def test_put_account_success_with_given_suffix(self):
4739
1497
        conn = FakeConn(iter([
4740
1498
            # PUT of storage account itself
4741
1499
            ('201 Created', {}, '')]))
4742
1500
        self.test_auth.get_conn = lambda: conn
4743
1501
        self.test_auth.app = FakeApp(iter([
4744
1502
            # Initial HEAD of account container to check for pre-existence
4745
1503
            ('404 Not Found', {}, ''),
4746
1504
            # PUT of account container
4747
1505
            ('204 No Content', {}, ''),
4748
1506
            # PUT of .account_id mapping object
4749
1507
            ('204 No Content', {}, ''),
4750
1508
            # PUT of .services object
4751
1509
            ('204 No Content', {}, ''),
4752
1510
            # POST to account container updating X-Container-Meta-Account-Id
4753
1511
            ('204 No Content', {}, '')]))
4754
1512
        resp = Request.blank('/auth/v2/act',
4755
1513
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4756
1514
            headers={'X-Auth-Admin-User': '.super_admin',
4757
1515
                     'X-Auth-Admin-Key': 'supertest',
4758
1516
                     'X-Account-Suffix': 'test-suffix'}
4759
1517
            ).get_response(self.test_auth)
4760
1518
        self.assertEquals(resp.status_int, 201)
4761
1519
        self.assertEquals(conn.request_path, '/v1/AUTH_test-suffix')
4762
1520
        self.assertEquals(self.test_auth.app.calls, 5)
4763
1521
        self.assertEquals(conn.calls, 1)
4764
1522
4765
1523
    def test_put_account_fail_bad_creds(self):
4766
1524
        self.test_auth.app = FakeApp(iter([
4767
1525
            # GET of user object
4768
1526
            ('404 Not Found', {}, '')]))
4769
1527
        resp = Request.blank('/auth/v2/act',
4770
1528
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4771
1529
            headers={'X-Auth-Admin-User': 'super:admin',
4772
1530
                     'X-Auth-Admin-Key': 'supertest'},
4773
1531
            ).get_response(self.test_auth)
4774
1532
        self.assertEquals(resp.status_int, 403)
4775
1533
        self.assertEquals(self.test_auth.app.calls, 1)
4776
1534
4777
1535
        self.test_auth.app = FakeApp(iter([
4778
1536
            # GET of user object (account admin, but not reseller admin)
4779
1537
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
4780
1538
             {"name": "test"}, {"name": ".admin"}],
4781
1539
             "auth": "plaintext:key"}))]))
4782
1540
        resp = Request.blank('/auth/v2/act',
4783
1541
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4784
1542
            headers={'X-Auth-Admin-User': 'act:adm',
4785
1543
                     'X-Auth-Admin-Key': 'key'},
4786
1544
            ).get_response(self.test_auth)
4787
1545
        self.assertEquals(resp.status_int, 403)
4788
1546
        self.assertEquals(self.test_auth.app.calls, 1)
4789
1547
4790
1548
        self.test_auth.app = FakeApp(iter([
4791
1549
            # GET of user object (regular user)
4792
1550
            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
4793
1551
             {"name": "test"}], "auth": "plaintext:key"}))]))
4794
1552
        resp = Request.blank('/auth/v2/act',
4795
1553
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4796
1554
            headers={'X-Auth-Admin-User': 'act:usr',
4797
1555
                     'X-Auth-Admin-Key': 'key'},
4798
1556
            ).get_response(self.test_auth)
4799
1557
        self.assertEquals(resp.status_int, 403)
4800
1558
        self.assertEquals(self.test_auth.app.calls, 1)
4801
1559
4802
1560
    def test_put_account_fail_invalid_account_name(self):
4803
1561
        resp = Request.blank('/auth/v2/.act',
4804
1562
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4805
1563
            headers={'X-Auth-Admin-User': '.super_admin',
4806
1564
                     'X-Auth-Admin-Key': 'supertest'},
4807
1565
            ).get_response(self.test_auth)
4808
1566
        self.assertEquals(resp.status_int, 400)
4809
1567
4810
1568
    def test_put_account_fail_on_initial_account_head(self):
4811
1569
        self.test_auth.app = FakeApp(iter([
4812
1570
            # Initial HEAD of account container to check for pre-existence
4813
1571
            ('503 Service Unavailable', {}, '')]))
4814
1572
        resp = Request.blank('/auth/v2/act',
4815
1573
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4816
1574
            headers={'X-Auth-Admin-User': '.super_admin',
4817
1575
                     'X-Auth-Admin-Key': 'supertest'}
4818
1576
            ).get_response(self.test_auth)
4819
1577
        self.assertEquals(resp.status_int, 500)
4820
1578
        self.assertEquals(self.test_auth.app.calls, 1)
4821
1579
4822
1580
    def test_put_account_fail_on_account_marker_put(self):
4823
1581
        self.test_auth.app = FakeApp(iter([
4824
1582
            # Initial HEAD of account container to check for pre-existence
4825
1583
            ('404 Not Found', {}, ''),
4826
1584
            # PUT of account container
4827
1585
            ('503 Service Unavailable', {}, '')]))
4828
1586
        resp = Request.blank('/auth/v2/act',
4829
1587
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4830
1588
            headers={'X-Auth-Admin-User': '.super_admin',
4831
1589
                     'X-Auth-Admin-Key': 'supertest'}
4832
1590
            ).get_response(self.test_auth)
4833
1591
        self.assertEquals(resp.status_int, 500)
4834
1592
        self.assertEquals(self.test_auth.app.calls, 2)
4835
1593
4836
1594
    def test_put_account_fail_on_storage_account_put(self):
4837
1595
        conn = FakeConn(iter([
4838
1596
            # PUT of storage account itself
4839
1597
            ('503 Service Unavailable', {}, '')]))
4840
1598
        self.test_auth.get_conn = lambda: conn
4841
1599
        self.test_auth.app = FakeApp(iter([
4842
1600
            # Initial HEAD of account container to check for pre-existence
4843
1601
            ('404 Not Found', {}, ''),
4844
1602
            # PUT of account container
4845
1603
            ('204 No Content', {}, '')]))
4846
1604
        resp = Request.blank('/auth/v2/act',
4847
1605
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4848
1606
            headers={'X-Auth-Admin-User': '.super_admin',
4849
1607
                     'X-Auth-Admin-Key': 'supertest'}
4850
1608
            ).get_response(self.test_auth)
4851
1609
        self.assertEquals(resp.status_int, 500)
4852
1610
        self.assertEquals(conn.calls, 1)
4853
1611
        self.assertEquals(self.test_auth.app.calls, 2)
4854
1612
4855
1613
    def test_put_account_fail_on_account_id_mapping(self):
4856
1614
        conn = FakeConn(iter([
4857
1615
            # PUT of storage account itself
4858
1616
            ('201 Created', {}, '')]))
4859
1617
        self.test_auth.get_conn = lambda: conn
4860
1618
        self.test_auth.app = FakeApp(iter([
4861
1619
            # Initial HEAD of account container to check for pre-existence
4862
1620
            ('404 Not Found', {}, ''),
4863
1621
            # PUT of account container
4864
1622
            ('204 No Content', {}, ''),
4865
1623
            # PUT of .account_id mapping object
4866
1624
            ('503 Service Unavailable', {}, '')]))
4867
1625
        resp = Request.blank('/auth/v2/act',
4868
1626
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4869
1627
            headers={'X-Auth-Admin-User': '.super_admin',
4870
1628
                     'X-Auth-Admin-Key': 'supertest'}
4871
1629
            ).get_response(self.test_auth)
4872
1630
        self.assertEquals(resp.status_int, 500)
4873
1631
        self.assertEquals(conn.calls, 1)
4874
1632
        self.assertEquals(self.test_auth.app.calls, 3)
4875
1633
4876
1634
    def test_put_account_fail_on_services_object(self):
4877
1635
        conn = FakeConn(iter([
4878
1636
            # PUT of storage account itself
4879
1637
            ('201 Created', {}, '')]))
4880
1638
        self.test_auth.get_conn = lambda: conn
4881
1639
        self.test_auth.app = FakeApp(iter([
4882
1640
            # Initial HEAD of account container to check for pre-existence
4883
1641
            ('404 Not Found', {}, ''),
4884
1642
            # PUT of account container
4885
1643
            ('204 No Content', {}, ''),
4886
1644
            # PUT of .account_id mapping object
4887
1645
            ('204 No Content', {}, ''),
4888
1646
            # PUT of .services object
4889
1647
            ('503 Service Unavailable', {}, '')]))
4890
1648
        resp = Request.blank('/auth/v2/act',
4891
1649
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4892
1650
            headers={'X-Auth-Admin-User': '.super_admin',
4893
1651
                     'X-Auth-Admin-Key': 'supertest'}
4894
1652
            ).get_response(self.test_auth)
4895
1653
        self.assertEquals(resp.status_int, 500)
4896
1654
        self.assertEquals(conn.calls, 1)
4897
1655
        self.assertEquals(self.test_auth.app.calls, 4)
4898
1656
4899
1657
    def test_put_account_fail_on_post_mapping(self):
4900
1658
        conn = FakeConn(iter([
4901
1659
            # PUT of storage account itself
4902
1660
            ('201 Created', {}, '')]))
4903
1661
        self.test_auth.get_conn = lambda: conn
4904
1662
        self.test_auth.app = FakeApp(iter([
4905
1663
            # Initial HEAD of account container to check for pre-existence
4906
1664
            ('404 Not Found', {}, ''),
4907
1665
            # PUT of account container
4908
1666
            ('204 No Content', {}, ''),
4909
1667
            # PUT of .account_id mapping object
4910
1668
            ('204 No Content', {}, ''),
4911
1669
            # PUT of .services object
4912
1670
            ('204 No Content', {}, ''),
4913
1671
            # POST to account container updating X-Container-Meta-Account-Id
4914
1672
            ('503 Service Unavailable', {}, '')]))
4915
1673
        resp = Request.blank('/auth/v2/act',
4916
1674
            environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()},
4917
1675
            headers={'X-Auth-Admin-User': '.super_admin',
4918
1676
                     'X-Auth-Admin-Key': 'supertest'}
4919
1677
            ).get_response(self.test_auth)
4920
1678
        self.assertEquals(resp.status_int, 500)
4921
1679
        self.assertEquals(conn.calls, 1)
4922
1680
        self.assertEquals(self.test_auth.app.calls, 5)
4923
1681
4924
1682
    def test_delete_account_success(self):
4925
1683
        conn = FakeConn(iter([
4926
1684
            # DELETE of storage account itself
4927
1685
            ('204 No Content', {}, '')]))
4928
1686
        self.test_auth.get_conn = lambda x: conn
4929
1687
        self.test_auth.app = FakeApp(iter([
4930
1688
            # Account's container listing, checking for users
4931
1689
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4932
1690
             json.dumps([
4933
1691
                {"name": ".services", "hash": "etag", "bytes": 112,
4934
1692
                 "content_type": "application/octet-stream",
4935
1693
                 "last_modified": "2010-12-03T17:16:27.618110"}])),
4936
1694
            # Account's container listing, checking for users (continuation)
4937
1695
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'),
4938
1696
            # GET the .services object
4939
1697
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4940
1698
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4941
1699
            # DELETE the .services object
4942
1700
            ('204 No Content', {}, ''),
4943
1701
            # DELETE the .account_id mapping object
4944
1702
            ('204 No Content', {}, ''),
4945
1703
            # DELETE the account container
4946
1704
            ('204 No Content', {}, '')]))
4947
1705
        resp = Request.blank('/auth/v2/act',
4948
1706
            environ={'REQUEST_METHOD': 'DELETE',
4949
1707
                     'swift.cache': FakeMemcache()},
4950
1708
            headers={'X-Auth-Admin-User': '.super_admin',
4951
1709
                     'X-Auth-Admin-Key': 'supertest'}
4952
1710
            ).get_response(self.test_auth)
4953
1711
        self.assertEquals(resp.status_int, 204)
4954
1712
        self.assertEquals(self.test_auth.app.calls, 6)
4955
1713
        self.assertEquals(conn.calls, 1)
4956
1714
4957
1715
    def test_delete_account_success_missing_services(self):
4958
1716
        self.test_auth.app = FakeApp(iter([
4959
1717
            # Account's container listing, checking for users
4960
1718
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4961
1719
             json.dumps([
4962
1720
                {"name": ".services", "hash": "etag", "bytes": 112,
4963
1721
                 "content_type": "application/octet-stream",
4964
1722
                 "last_modified": "2010-12-03T17:16:27.618110"}])),
4965
1723
            # Account's container listing, checking for users (continuation)
4966
1724
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'),
4967
1725
            # GET the .services object
4968
1726
            ('404 Not Found', {}, ''),
4969
1727
            # DELETE the .account_id mapping object
4970
1728
            ('204 No Content', {}, ''),
4971
1729
            # DELETE the account container
4972
1730
            ('204 No Content', {}, '')]))
4973
1731
        resp = Request.blank('/auth/v2/act',
4974
1732
            environ={'REQUEST_METHOD': 'DELETE',
4975
1733
                     'swift.cache': FakeMemcache()},
4976
1734
            headers={'X-Auth-Admin-User': '.super_admin',
4977
1735
                     'X-Auth-Admin-Key': 'supertest'}
4978
1736
            ).get_response(self.test_auth)
4979
1737
        self.assertEquals(resp.status_int, 204)
4980
1738
        self.assertEquals(self.test_auth.app.calls, 5)
4981
1739
4982
1740
    def test_delete_account_success_missing_storage_account(self):
4983
1741
        conn = FakeConn(iter([
4984
1742
            # DELETE of storage account itself
4985
1743
            ('404 Not Found', {}, '')]))
4986
1744
        self.test_auth.get_conn = lambda x: conn
4987
1745
        self.test_auth.app = FakeApp(iter([
4988
1746
            # Account's container listing, checking for users
4989
1747
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'},
4990
1748
             json.dumps([
4991
1749
                {"name": ".services", "hash": "etag", "bytes": 112,
4992
1750
                 "content_type": "application/octet-stream",
4993
1751
                 "last_modified": "2010-12-03T17:16:27.618110"}])),
4994
1752
            # Account's container listing, checking for users (continuation)
4995
1753
            ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'),
4996
1754
            # GET the .services object
4997
1755
            ('200 Ok', {}, json.dumps({"storage": {"default": "local",
4998
1756
                "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})),
4999
1757
            # DELETE the .services object
5000
1758
            ('204 No Content', {}, ''),
Status:	Merged
Approved by:	David Goetz on 2011-06-09
Approved revision:	307
Merged at revision:	306
Proposed branch:	lp:~gholt/swift/deswauth
Merge into:	lp:~hudson-openstack/swift/trunk
Diff against target:	6463 lines (+675/-5219) 22 files modified bin/swauth-add-account (+0/-68) bin/swauth-add-user (+0/-93) bin/swauth-cleanup-tokens (+0/-118) bin/swauth-delete-account (+0/-60) bin/swauth-delete-user (+0/-60) bin/swauth-list (+0/-86) bin/swauth-prep (+0/-59) bin/swauth-set-account-service (+0/-73) doc/source/admin_guide.rst (+0/-16) doc/source/deployment_guide.rst (+33/-28) doc/source/development_auth.rst (+7/-7) doc/source/development_saio.rst (+11/-19) doc/source/howto_installmultinode.rst (+11/-52) doc/source/misc.rst (+6/-6) doc/source/overview_auth.rst (+8/-151) etc/proxy-server.conf-sample (+24/-17) setup.py (+1/-5) swift/common/middleware/staticweb.py (+1/-1) swift/common/middleware/swauth.py (+0/-1374) swift/common/middleware/tempauth.py (+482/-0) test/probe/common.py (+19/-21) test/unit/common/middleware/test_tempauth.py (+72/-2905)
To merge this branch:	bzr merge lp:~gholt/swift/deswauth
Related bugs:	Link a bug report
Reviewer	Date Requested	Status
David Goetz (community)		Approve on 2011-06-09
John Dickinson	2011-05-26	Approve on 2011-06-06
Review via email: mp+62392@code.launchpad.net