Allowing /not/ setting super_admin_key...

Allowing /not/ setting super_admin_key to disable Swauth administration
features. Fixes #6
gholt 2011-06-05 03:10:02 +00:00
parent 894f58a1bc
commit 62e74cb585
3 changed files with 26 additions and 15 deletions


@ -38,7 +38,8 @@ use = egg:swauth#swauth
# default_swift_cluster = local#https://public.com:8080/v1#http://private.com:8080/v1
# token_life = 86400
# node_timeout = 10
# Highly recommended to change this.
# Highly recommended to change this. If you comment this out, the Swauth
# administration features will be disabled for this proxy.
super_admin_key = swauthkey
[filter:ratelimit]
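Review bot: The sample still ships an active `super_admin_key = swauthkey` line, so a proxy started from this file unchanged exposes the whole Swauth administration API behind a key that is published in the repository. Now that an unset key disables those features, the safer default is to ship the line commented out, `# super_admin_key = swauthkey`, so an operator must opt in with a value of their own. The new comment could also mention that an empty value disables the features too, since the middleware hunk below appears to treat any falsy value the same as an absent one (`if not self.super_admin_key`) — worth confirming against the final code.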


@ -110,12 +110,12 @@ class Swauth(object):
(self.dsc_parsed2.scheme, repr(self.dsc_url2)))
self.super_admin_key = conf.get('super_admin_key')
if not self.super_admin_key:
msg = _('No super_admin_key set in conf file! Exiting.')
msg = _('No super_admin_key set in conf file; Swauth '
'administration features will be disabled.')
try:
self.logger.critical(msg)
self.logger.warn(msg)
except Exception:
pass
raise ValueError(msg)
self.token_life = int(conf.get('token_life', 86400))
self.timeout = int(conf.get('node_timeout', 10))
self.itoken = None
@ -382,6 +382,8 @@ class Swauth(object):
if req.method == 'GET':
handler = self.handle_get_token
elif version == 'v2':
if not self.super_admin_key:
return HTTPNotFound(request=req)
req.path_info_pop()
if req.method == 'GET':
if not account and not user:
@ -1076,7 +1078,8 @@ class Swauth(object):
return HTTPBadRequest(request=req)
if not all((account, user, key)):
return HTTPUnauthorized(request=req)
if user == '.super_admin' and key == self.super_admin_key:
if user == '.super_admin' and self.super_admin_key and \
key == self.super_admin_key:
token = self.get_itoken(req.environ)
url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix)
return Response(request=req,
@ -1321,6 +1324,7 @@ class Swauth(object):
:param returns: True if .super_admin.
"""
return req.headers.get('x-auth-admin-user') == '.super_admin' and \
self.super_admin_key and \
req.headers.get('x-auth-admin-key') == self.super_admin_key
def is_reseller_admin(self, req, admin_detail=None):
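Review bot: The new `is_super_admin` body still compares the secret header with a plain `==` (`req.headers.get('x-auth-admin-key') == self.super_admin_key`), and the token-request path does the same with `key == self.super_admin_key`; both are attacker-timed comparisons of a long-lived admin credential, so a length-independent compare is preferable, e.g. `hmac.compare_digest(req.headers.get('x-auth-admin-key', ''), self.super_admin_key)` where that helper is available (Python 2.7.7+/3.3+; otherwise an XOR-accumulating loop over the two strings). The added `self.super_admin_key and` guard should stay regardless: with no key configured `self.super_admin_key` is `None`, and a request missing `X-Auth-Admin-Key` also yields `None` from `headers.get`, so without the guard the two would compare equal. The enclosing methods (`__init__`, the v2 dispatcher, the token handler) all start and end outside the hunks shown, so the surrounding control flow is inferred.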


@ -111,16 +111,8 @@ class TestAuth(unittest.TestCase):
self.test_auth = \
auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp())
def test_super_admin_key_required(self):
app = FakeApp()
exc = None
try:
auth.filter_factory({})(app)
except ValueError, err:
exc = err
self.assertEquals(str(exc),
'No super_admin_key set in conf file! Exiting.')
auth.filter_factory({'super_admin_key': 'supertest'})(app)
def test_super_admin_key_not_required(self):
auth.filter_factory({})(FakeApp())
def test_reseller_prefix_init(self):
app = FakeApp()
@ -2243,6 +2235,20 @@ class TestAuth(unittest.TestCase):
"auth": "plaintext:key"}))
self.assertEquals(self.test_auth.app.calls, 1)
def test_get_user_fail_no_super_admin_key(self):
local_auth = auth.filter_factory({})(FakeApp(iter([
# GET of user object (but we should never get here)
('200 Ok', {}, json.dumps(
{"groups": [{"name": "act:usr"}, {"name": "act"},
{"name": ".admin"}],
"auth": "plaintext:key"}))])))
resp = Request.blank('/auth/v2/act/usr',
headers={'X-Auth-Admin-User': '.super_admin',
'X-Auth-Admin-Key': 'supertest'}
).get_response(local_auth)
self.assertEquals(resp.status_int, 404)
self.assertEquals(local_auth.app.calls, 0)
def test_get_user_groups_success(self):
self.test_auth.app = FakeApp(iter([
# GET of account container (list objects)