Merge "Add tests and doc entry for request.environ[reseller_request]"

AUTHORS

@@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
 Li Riqiang (lrqrun@gmail.com)
 Victor Rodionov (victor.rodionov@nexenta.com)
 Brent Roskos (broskos@internap.com)
+Christian Schwede (info@cschwede.de)
 Michael Shuler (mshuler@rackspace.com)
 Andrew Clay Shafer (acs@parvuscaptus.com)
 Scott Simpson (sasimpson@gmail.com)

doc/source/overview_auth.rst

@@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
 True, the proxy will return additional header information in some requests,
 such as the X-Container-Sync-Key for a container GET or HEAD.
 
+Users with the special group ``.reseller_admin`` can operate on any account.
+For an example usage please see :mod:`swift.common.middleware.tempauth`.
+If a request is coming from a reseller the auth system sets the request environ
+reseller_request to True. This can be used by other middlewares.
+
 TempAuth will now allow OPTIONS requests to go through without a token.
 
 The user starts a session by sending a ReST request to the auth system to
@@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
 other users on containers, see the documentation on ACL here
 :mod:`swift.common.middleware.acl`.
 
+Users with the Keystone role defined in ``reseller_admin_role``
+(``ResellerAdmin`` by default) can operate on any account. The auth system
+sets the request environ reseller_request to True if a request is coming
+from an user with this role. This can be used by other middlewares.
+
 --------------
 Extending Auth
 --------------

test/unit/common/middleware/test_keystoneauth.py

@@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
         resp = req.get_response(self._get_successful_middleware())
         self.assertEqual(resp.status_int, 200)
 
+    def test_detect_reseller_request(self):
+        role = self.test_auth.reseller_admin_role
+        headers = self._get_identity_headers(role=role)
+        req = self._make_request('/v1/AUTH_acct/c', headers)
+        resp = req.get_response(self._get_successful_middleware())
+        self.assertTrue(req.environ.get('reseller_request'))
+
     def test_confirmed_identity_is_not_authorized(self):
         headers = self._get_identity_headers()
         req = self._make_request('/v1/AUTH_acct/c', headers)

test/unit/common/middleware/test_tempauth.py

@@ -16,6 +16,7 @@
 import unittest
 from contextlib import contextmanager
 from base64 import b64encode
+from time import time
 
 from swift.common.middleware import tempauth as auth
 from swift.common.swob import Request, Response
@@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
         req.acl = '.r:.example.com,.rlistings'
         self.assertEquals(self.test_auth.authorize(req), None)
 
+    def test_detect_reseller_request(self):
+        req = self._make_request('/v1/AUTH_admin',
+                                 headers={'X-Auth-Token': 'AUTH_t'})
+        cache_key = 'AUTH_/token/AUTH_t'
+        cache_entry = (time()+3600, '.reseller_admin')
+        req.environ['swift.cache'].set(cache_key, cache_entry)
+        resp = req.get_response(self.test_auth)
+        self.assertTrue(req.environ.get('reseller_request', False))
+
     def test_account_put_permissions(self):
         req = self._make_request('/v1/AUTH_new',
                                  environ={'REQUEST_METHOD': 'PUT'})