Add test that a tempurl POST cannot set a DLO manifest header

Follow up to [1] to add tests for tempurl POSTs not being allowed to set a DLO manifest header. [1] I11e68830009d3f6bff44ae4011a41b67139146f6 Change-Id: I7c0ad5a936f71e56c599b8495a586913d3334422 Related-Bug: 1453948
2015-08-26 16:30:23 +01:00 · 2015-08-26 16:30:23 +01:00 · 58a10a5fff
commit 58a10a5fff
parent d4409c0a04
3 changed files with 52 additions and 13 deletions
--- a/test/functional/swift_test_client.py
+++ b/test/functional/swift_test_client.py
@ -1018,3 +1018,26 @@ class File(Base):
            raise ResponseError(self.conn.response)
        self.md5 = self.compute_md5sum(six.StringIO(data))
        return resp
+
+    def post(self, hdrs=None, parms=None, cfg=None, return_resp=False):
+        if hdrs is None:
+            hdrs = {}
+        if parms is None:
+            parms = {}
+        if cfg is None:
+            cfg = {}
+
+        headers = self.make_headers(cfg=cfg)
+        headers.update(hdrs)
+
+        self.conn.make_request('POST', self.path, hdrs=headers,
+                               parms=parms, cfg=cfg)
+
+        if self.conn.response.status not in (201, 202):
+            raise ResponseError(self.conn.response, 'POST',
+                                self.conn.make_path(self.path))
+
+        if return_resp:
+            return self.conn.response
+
+        return True
--- a/test/functional/tests.py
+++ b/test/functional/tests.py
@ -3197,6 +3197,22 @@ class TestTempurl(Base):
        else:
            self.fail('request did not error')

+        # try again using a tempurl POST to an already created object
+        new_obj.write('', {}, parms=put_parms, cfg={'no_auth_token': True})
+        expires = int(time.time()) + 86400
+        sig = self.tempurl_sig(
+            'POST', expires, self.env.conn.make_path(new_obj.path),
+            self.env.tempurl_key)
+        post_parms = {'temp_url_sig': sig,
+                      'temp_url_expires': str(expires)}
+        try:
+            new_obj.post({'x-object-manifest': '%s/foo' % other_container},
+                         parms=post_parms, cfg={'no_auth_token': True})
+        except ResponseError as e:
+            self.assertEqual(e.status, 400)
+        else:
+            self.fail('request did not error')
+
    def test_HEAD(self):
        expires = int(time.time()) + 86400
        sig = self.tempurl_sig(
--- a/test/unit/common/middleware/test_tempurl.py
+++ b/test/unit/common/middleware/test_tempurl.py
@ -737,17 +737,17 @@ class TestTempURL(unittest.TestCase):

    def test_disallowed_header_object_manifest(self):
        self.tempurl = tempurl.filter_factory({})(self.auth)
-        method = 'PUT'
        expires = int(time() + 86400)
        path = '/v1/a/c/o'
        key = 'abc'
+        for method in ('PUT', 'POST'):
            hmac_body = '%s\n%s\n%s' % (method, expires, path)
            sig = hmac.new(key, hmac_body, sha1).hexdigest()
            req = self._make_request(
-            path, method='PUT', keys=[key],
+                path, method=method, keys=[key],
                headers={'x-object-manifest': 'private/secret'},
-            environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
-                sig, expires)})
+                environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s'
+                                         % (sig, expires)})
            resp = req.get_response(self.tempurl)
            self.assertEquals(resp.status_int, 400)
            self.assertTrue('header' in resp.body)