From 157c3c91eef6ec06f09a1ae0a11d9644faafb6ec Mon Sep 17 00:00:00 2001
From: Christian Schwede
Date: Fri, 8 Mar 2013 19:33:27 +0100
Subject: [PATCH] Add tests and doc entry for request.environ[reseller_request]
The recent account_quotas (https://review.openstack.org/23434) patch added a new setting request.environ[reseller_request]. This patch adds tests for tempauth and keystoneauth as well as an updated overview_auth.rst.
Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
---
 AUTHORS | 1 +
 doc/source/overview_auth.rst | 10 ++++++++++
 test/unit/common/middleware/test_keystoneauth.py | 7 +++++++
 test/unit/common/middleware/test_tempauth.py | 10 ++++++++++
 4 files changed, 28 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 4068c819c1..bd85666e36 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
 Li Riqiang (lrqrun@gmail.com)
 Victor Rodionov (victor.rodionov@nexenta.com)
 Brent Roskos (broskos@internap.com)
+Christian Schwede (info@cschwede.de)
 Michael Shuler (mshuler@rackspace.com)
 Andrew Clay Shafer (acs@parvuscaptus.com)
 Scott Simpson (sasimpson@gmail.com)
diff --git a/doc/source/overview_auth.rst b/doc/source/overview_auth.rst
index a042593642..77f0153119 100644
--- a/doc/source/overview_auth.rst
+++ b/doc/source/overview_auth.rst
@@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to True, the proxy will return additional header information in some requests, such as the X-Container-Sync-Key for a container GET or HEAD.
+Users with the special group ``.reseller_admin`` can operate on any account.
+For an example usage please see :mod:`swift.common.middleware.tempauth`.
+If a request is coming from a reseller the auth system sets the request environ
+reseller_request to True. This can be used by other middlewares.
+
 TempAuth will now allow OPTIONS requests to go through without a token. The user starts a session by sending a ReST request to the auth system to
@@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to other users on containers, see the documentation on ACL here :mod:`swift.common.middleware.acl`.
+Users with the Keystone role defined in ``reseller_admin_role``
+(``ResellerAdmin`` by default) can operate on any account. The auth system
+sets the request environ reseller_request to True if a request is coming
+from an user with this role. This can be used by other middlewares.
+
 --------------
 Extending Auth
 --------------
diff --git a/test/unit/common/middleware/test_keystoneauth.py b/test/unit/common/middleware/test_keystoneauth.py
index a8c49eb944..2e0c5a150a 100644
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
 resp = req.get_response(self._get_successful_middleware())
 self.assertEqual(resp.status_int, 200)
+ def test_detect_reseller_request(self):
+ role = self.test_auth.reseller_admin_role
+ headers = self._get_identity_headers(role=role)
+ req = self._make_request('/v1/AUTH_acct/c', headers)
+ resp = req.get_response(self._get_successful_middleware())
+ self.assertTrue(req.environ.get('reseller_request'))
+
 def test_confirmed_identity_is_not_authorized(self):
 headers = self._get_identity_headers()
 req = self._make_request('/v1/AUTH_acct/c', headers)
diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py
index 07b9dd5873..329a5fa42b 100644
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
@@ -16,6 +16,7 @@ import unittest
 from contextlib import contextmanager
 from base64 import b64encode
+from time import time
 from swift.common.middleware import tempauth as auth
 from swift.common.swob import Request, Response
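Review bot: In test_keystoneauth.py, `test_detect_reseller_request` asserts only that the flag is set for the reseller role; nothing checks that it stays unset for an ordinary identity, and the tempauth test of the same name in test_tempauth.py has the same gap. Since `reseller_request` is a privilege signal that other middleware is meant to act on (the description ties it to account_quotas), a regression that sets it on every authenticated request would pass both tests. A companion negative test along the lines below would cover that, assuming `_get_identity_headers()` defaults to a non-reseller role (the helper is defined outside the hunk). `resp` is assigned but never read in both tests; either assert on `resp.status_int` or drop the name.

```python
    def test_non_reseller_request_is_not_flagged(self):
        headers = self._get_identity_headers()
        req = self._make_request('/v1/AUTH_acct/c', headers)
        req.get_response(self._get_successful_middleware())
        self.assertFalse(req.environ.get('reseller_request', False))
```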
@@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
 req.acl = '.r:.example.com,.rlistings'
 self.assertEquals(self.test_auth.authorize(req), None)
+ def test_detect_reseller_request(self):
+ req = self._make_request('/v1/AUTH_admin',
+ headers={'X-Auth-Token': 'AUTH_t'})
+ cache_key = 'AUTH_/token/AUTH_t'
+ cache_entry = (time()+3600, '.reseller_admin')
+ req.environ['swift.cache'].set(cache_key, cache_entry)
+ resp = req.get_response(self.test_auth)
+ self.assertTrue(req.environ.get('reseller_request', False))
+
 def test_account_put_permissions(self):
 req = self._make_request('/v1/AUTH_new',
 environ={'REQUEST_METHOD': 'PUT'})
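Review bot: The hand-built cache entry in `test_detect_reseller_request` (`cache_key = 'AUTH_/token/AUTH_t'`, `cache_entry = (time()+3600, '.reseller_admin')`) depends on tempauth's token-cache layout without saying so. A one-line comment such as `# cached token entry: (expiry timestamp, groups string)` would tell the next reader what the tuple means; that reading is inferred from the test alone, so confirm it against tempauth before adding it. An entry whose expiry is already in the past would also be a cheap extra case here, asserting that `reseller_request` is not set once the token is no longer valid.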