Allowing /not/ setting super_admin_key...
Allowing /not/ setting super_admin_key to disable Swauth administration features. Fixes #6
This commit is contained in:
parent
894f58a1bc
commit
62e74cb585
|
@ -38,7 +38,8 @@ use = egg:swauth#swauth
|
|||
# default_swift_cluster = local#https://public.com:8080/v1#http://private.com:8080/v1
|
||||
# token_life = 86400
|
||||
# node_timeout = 10
|
||||
# Highly recommended to change this.
|
||||
# Highly recommended to change this. If you comment this out, the Swauth
|
||||
# administration features will be disabled for this proxy.
|
||||
super_admin_key = swauthkey
|
||||
|
||||
[filter:ratelimit]
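Review bot: The new comment `# If you comment this out, the Swauth administration features will be disabled for this proxy.` describes only one of the two ways the feature gets disabled: the middleware hunk tests the value with `if not self.super_admin_key:`, so an uncommented but empty `super_admin_key =` line disables administration just as silently. Suggest wording it `# If you comment this out or leave it empty, the Swauth administration features will be disabled for this proxy.` so an operator who blanks the value rather than deleting the line is not surprised.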
|
||||
|
|
|
@ -110,12 +110,12 @@ class Swauth(object):
|
|||
(self.dsc_parsed2.scheme, repr(self.dsc_url2)))
|
||||
self.super_admin_key = conf.get('super_admin_key')
|
||||
if not self.super_admin_key:
|
||||
msg = _('No super_admin_key set in conf file! Exiting.')
|
||||
msg = _('No super_admin_key set in conf file; Swauth '
|
||||
'administration features will be disabled.')
|
||||
try:
|
||||
self.logger.critical(msg)
|
||||
self.logger.warn(msg)
|
||||
except Exception:
|
||||
pass
|
||||
raise ValueError(msg)
|
||||
self.token_life = int(conf.get('token_life', 86400))
|
||||
self.timeout = int(conf.get('node_timeout', 10))
|
||||
self.itoken = None
|
||||
|
@ -382,6 +382,8 @@ class Swauth(object):
|
|||
if req.method == 'GET':
|
||||
handler = self.handle_get_token
|
||||
elif version == 'v2':
|
||||
if not self.super_admin_key:
|
||||
return HTTPNotFound(request=req)
|
||||
req.path_info_pop()
|
||||
if req.method == 'GET':
|
||||
if not account and not user:
|
||||
|
@ -1076,7 +1078,8 @@ class Swauth(object):
|
|||
return HTTPBadRequest(request=req)
|
||||
if not all((account, user, key)):
|
||||
return HTTPUnauthorized(request=req)
|
||||
if user == '.super_admin' and key == self.super_admin_key:
|
||||
if user == '.super_admin' and self.super_admin_key and \
|
||||
key == self.super_admin_key:
|
||||
token = self.get_itoken(req.environ)
|
||||
url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix)
|
||||
return Response(request=req,
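Review bot: The rewritten condition `if user == '.super_admin' and self.super_admin_key and key == self.super_admin_key:` still compares the shared secret with plain `==`, which in a typical interpreter stops at the first differing byte; the same pattern is in the is_super_admin hunk (`req.headers.get('x-auth-admin-key') == self.super_admin_key`). Where the interpreter provides it, `hmac.compare_digest(key, self.super_admin_key)` gives a comparison whose time does not depend on where the strings diverge (both operands must be the same string/bytes type, so coerce or guard first). The added `self.super_admin_key and` clause is correct as defense in depth: it keeps an unset key from ever matching, even though the preceding `if not all((account, user, key))` already rejects an empty `key`, and the same guard now appears in three places (here, is_super_admin and the v2 dispatch), which argues for a single helper such as `_admin_enabled()`. The body of handle_get_token continues past this hunk.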
|
||||
|
@ -1321,6 +1324,7 @@ class Swauth(object):
|
|||
:param returns: True if .super_admin.
|
||||
"""
|
||||
return req.headers.get('x-auth-admin-user') == '.super_admin' and \
|
||||
self.super_admin_key and \
|
||||
req.headers.get('x-auth-admin-key') == self.super_admin_key
|
||||
|
||||
def is_reseller_admin(self, req, admin_detail=None):
|
||||
|
|
|
@ -111,16 +111,8 @@ class TestAuth(unittest.TestCase):
|
|||
self.test_auth = \
|
||||
auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp())
|
||||
|
||||
def test_super_admin_key_required(self):
|
||||
app = FakeApp()
|
||||
exc = None
|
||||
try:
|
||||
auth.filter_factory({})(app)
|
||||
except ValueError, err:
|
||||
exc = err
|
||||
self.assertEquals(str(exc),
|
||||
'No super_admin_key set in conf file! Exiting.')
|
||||
auth.filter_factory({'super_admin_key': 'supertest'})(app)
|
||||
def test_super_admin_key_not_required(self):
|
||||
auth.filter_factory({})(FakeApp())
|
||||
|
||||
def test_reseller_prefix_init(self):
|
||||
app = FakeApp()
|
||||
|
@ -2243,6 +2235,20 @@ class TestAuth(unittest.TestCase):
|
|||
"auth": "plaintext:key"}))
|
||||
self.assertEquals(self.test_auth.app.calls, 1)
|
||||
|
||||
def test_get_user_fail_no_super_admin_key(self):
|
||||
local_auth = auth.filter_factory({})(FakeApp(iter([
|
||||
# GET of user object (but we should never get here)
|
||||
('200 Ok', {}, json.dumps(
|
||||
{"groups": [{"name": "act:usr"}, {"name": "act"},
|
||||
{"name": ".admin"}],
|
||||
"auth": "plaintext:key"}))])))
|
||||
resp = Request.blank('/auth/v2/act/usr',
|
||||
headers={'X-Auth-Admin-User': '.super_admin',
|
||||
'X-Auth-Admin-Key': 'supertest'}
|
||||
).get_response(local_auth)
|
||||
self.assertEquals(resp.status_int, 404)
|
||||
self.assertEquals(local_auth.app.calls, 0)
|
||||
|
||||
def test_get_user_groups_success(self):
|
||||
self.test_auth.app = FakeApp(iter([
|
||||
# GET of account container (list objects)
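Review bot: test_super_admin_key_not_required only checks that `auth.filter_factory({})(FakeApp())` does not raise; nothing in this section exercises the other guards the commit adds, the `self.super_admin_key and` clause in handle_get_token and in is_super_admin. A companion test that builds `local_auth = auth.filter_factory({})(FakeApp(...))` the way test_get_user_fail_no_super_admin_key does, then issues a token request as `.super_admin` with an empty key and asserts that no token is returned and `local_auth.app.calls` stays 0, would pin that an unset key can never authenticate. test_get_user_fail_no_super_admin_key itself is a good shape: asserting `self.assertEquals(local_auth.app.calls, 0)` alongside the 404 confirms the request is refused before any backend call is made.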
|
||||
|
|