From 134e864fa132b4d29e8fed6c54526cf1777307b2 Mon Sep 17 00:00:00 2001
From: Samuel Merritt
Date: Fri, 11 Jul 2014 11:27:11 -0700
Subject: [PATCH] Add POST and DELETE to tempurl default methods

The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs.

Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
---
 etc/proxy-server.conf-sample | 2 +-
 swift/common/middleware/tempurl.py | 5 +++--
 test/unit/common/middleware/test_tempurl.py | 19 ++++++++++---------
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 0e10892a73..12f4eac57e 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -415,7 +415,7 @@ use = egg:swift#staticweb
 [filter:tempurl]
 use = egg:swift#tempurl
 # The methods allowed with Temp URLs.
-# methods = GET HEAD PUT
+# methods = GET HEAD PUT POST DELETE
 #
 # The headers to remove from incoming requests. Simply a whitespace delimited
 # list of header names and names can optionally end with '*' to indicate a
diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
index 517bb332d7..1f10b31ed4 100644
--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@@ -212,7 +212,8 @@ class TempURL(object):
 :param conf: The configuration dict for the middleware.
 """
- def __init__(self, app, conf, methods=('GET', 'HEAD', 'PUT')):
+ def __init__(self, app, conf,
+ methods=('GET', 'HEAD', 'PUT', 'POST', 'DELETE')):
 #: The next WSGI application/filter in the paste.deploy pipeline.
 self.app = app
 #: The filter configuration dict.
@@ -513,7 +514,7 @@ def filter_factory(global_conf, **local_conf):
 conf = global_conf.copy()
 conf.update(local_conf)
- methods = conf.get('methods', 'GET HEAD PUT').split()
+ methods = conf.get('methods', 'GET HEAD PUT POST DELETE').split()
 register_swift_info('tempurl', methods=methods)
 return lambda app: TempURL(app, conf, methods=methods)
diff --git a/test/unit/common/middleware/test_tempurl.py b/test/unit/common/middleware/test_tempurl.py
index bb73993731..e9d166b5ff 100644
--- a/test/unit/common/middleware/test_tempurl.py
+++ b/test/unit/common/middleware/test_tempurl.py
@@ -487,7 +487,8 @@ class TestTempURL(unittest.TestCase):
 self.assertEquals(resp.status_int, 401)
 self.assertTrue('Www-Authenticate' in resp.headers)
- def test_post_not_allowed(self):
+ def test_post_when_forbidden_by_config(self):
+ self.tempurl.methods.remove('POST')
 method = 'POST'
 expires = int(time() + 86400)
 path = '/v1/a/c/o'
@@ -504,7 +505,8 @@ class TestTempURL(unittest.TestCase):
 self.assertTrue('Temp URL invalid' in resp.body)
 self.assertTrue('Www-Authenticate' in resp.headers)
- def test_delete_not_allowed(self):
+ def test_delete_when_forbidden_by_config(self):
+ self.tempurl.methods.remove('DELETE')
 method = 'DELETE'
 expires = int(time() + 86400)
 path = '/v1/a/c/o'
@@ -521,8 +523,7 @@ class TestTempURL(unittest.TestCase):
 self.assertTrue('Temp URL invalid' in resp.body)
 self.assertTrue('Www-Authenticate' in resp.headers)
- def test_delete_allowed_with_conf(self):
- self.tempurl.methods.append('DELETE')
+ def test_delete_allowed(self):
 method = 'DELETE'
 expires = int(time() + 86400)
 path = '/v1/a/c/o'
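Review bot: Widening the default tuple in `__init__` changes what every cluster that never set `methods` accepts after an upgrade, and nothing in the class documentation shown here tells an operator or the next reader so. Each URL stays bound to the method in its signature, as the commit message says, but whoever can create temporary URLs can now sign DELETE and POST ones where the old default refused them, so a deployment that relied on the implicit GET/HEAD/PUT set as a restriction has to pin it explicitly. I would add to the class docstring something like `:param methods: HTTP methods a temp URL may be signed for; the default includes POST and DELETE, so set a narrower list to limit URL creators to read/upload.` POST requests also carry metadata headers, so the incoming-header removal list described in the sample config presumably deserves a second look now that POST is on by default; that code is outside this hunk. The class and `__init__` bodies both continue outside the hunk.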
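Review bot: The default method set is now spelled out twice in this file, as the tuple in `__init__` and as the string `'GET HEAD PUT POST DELETE'` here in `filter_factory`, and a third time in the sample config, so the next change to it can easily miss one copy. A module-level `DEFAULT_METHODS = ('GET', 'HEAD', 'PUT', 'POST', 'DELETE')` used by both, with `conf.get('methods', ' '.join(DEFAULT_METHODS)).split()` in the factory, keeps what the middleware enforces and what `register_swift_info` advertises in step. `filter_factory` begins above the hunk.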
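Review bot: `self.tempurl.methods.remove('POST')` in `test_post_when_forbidden_by_config` reaches into the middleware and mutates its list instead of exercising the configuration path the test name refers to; `test_delete_when_forbidden_by_config` in the next hunk does the same. It also only works while `methods` is a list: the `__init__` default is a tuple, so if `setUp` (outside this hunk) builds `TempURL` without passing `methods` and the attribute is stored unchanged, the call raises `AttributeError` before anything is checked. Building the instance through `tempurl.filter_factory({'methods': 'GET HEAD PUT'})`, the way `TestSwiftInfo` drives the factory, would test what an operator actually configures.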
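Review bot: After the rename to `test_delete_allowed`, DELETE has an end-to-end test under the new default, but no visible hunk adds the matching test for POST; the only POST coverage in this diff is the `_get_account` assertion further down. Unless a POST success test already exists outside the diff, I would add a `test_post_allowed` mirroring this one, so that both newly enabled methods are checked through the full signature and response path. The test body continues past the end of the hunk.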
@@ -708,9 +709,9 @@ class TestTempURL(unittest.TestCase):
 self.assertEquals(self.tempurl._get_account({
 'REQUEST_METHOD': 'PUT', 'PATH_INFO': '/v1/a/c/o'}), 'a')
 self.assertEquals(self.tempurl._get_account({
- 'REQUEST_METHOD': 'POST', 'PATH_INFO': '/v1/a/c/o'}), None)
+ 'REQUEST_METHOD': 'POST', 'PATH_INFO': '/v1/a/c/o'}), 'a')
 self.assertEquals(self.tempurl._get_account({
- 'REQUEST_METHOD': 'DELETE', 'PATH_INFO': '/v1/a/c/o'}), None)
+ 'REQUEST_METHOD': 'DELETE', 'PATH_INFO': '/v1/a/c/o'}), 'a')
 self.assertEquals(self.tempurl._get_account({
 'REQUEST_METHOD': 'UNKNOWN', 'PATH_INFO': '/v1/a/c/o'}), None)
 self.assertEquals(self.tempurl._get_account({
@@ -953,14 +954,14 @@ class TestSwiftInfo(unittest.TestCase):
 swift_info = utils.get_swift_info()
 self.assertTrue('tempurl' in swift_info)
 self.assertEqual(set(swift_info['tempurl']['methods']),
- set(('GET', 'HEAD', 'PUT')))
+ set(('GET', 'HEAD', 'PUT', 'POST', 'DELETE')))
 def test_non_default_methods(self):
- tempurl.filter_factory({'methods': 'GET HEAD PUT POST DELETE'})
+ tempurl.filter_factory({'methods': 'GET HEAD PUT DELETE BREW'})
 swift_info = utils.get_swift_info()
 self.assertTrue('tempurl' in swift_info)
 self.assertEqual(set(swift_info['tempurl']['methods']),
- set(('GET', 'HEAD', 'PUT', 'POST', 'DELETE')))
+ set(('GET', 'HEAD', 'PUT', 'DELETE', 'BREW')))
 if __name__ == '__main__':