From bd22dbe712b04af2014724565eb3c6ead3d9a77a Mon Sep 17 00:00:00 2001 From: gholt Date: Mon, 14 Mar 2011 02:56:37 +0000 Subject: [PATCH] Removing DevAuth --- bin/swift-auth-add-user | 73 -- bin/swift-auth-recreate-accounts | 53 - bin/swift-auth-server | 22 - bin/swift-auth-to-swauth | 44 - bin/swift-auth-update-reseller-prefixes | 48 - doc/source/admin_guide.rst | 16 +- doc/source/auth.rst | 15 - doc/source/development_auth.rst | 38 +- doc/source/development_saio.rst | 49 +- doc/source/howto_cyberduck.rst | 160 --- doc/source/howto_installmultinode.rst | 128 +-- doc/source/images/howto_cyberduck_config.png | Bin 40503 -> 0 bytes doc/source/index.rst | 9 - doc/source/overview_auth.rst | 98 +- etc/auth-server.conf-sample | 30 - etc/proxy-server.conf-sample | 38 +- etc/stats.conf-sample | 5 +- setup.py | 5 - swift/auth/__init__.py | 0 swift/auth/server.py | 693 ------------- swift/common/middleware/auth.py | 213 ---- test/functional/sample.conf | 8 +- test/probe/common.py | 42 +- test/unit/auth/__init__.py | 0 test/unit/auth/test_server.py | 977 ------------------- test/unit/common/middleware/test_auth.py | 471 --------- 26 files changed, 128 insertions(+), 3107 deletions(-) delete mode 100755 bin/swift-auth-add-user delete mode 100755 bin/swift-auth-recreate-accounts delete mode 100755 bin/swift-auth-server delete mode 100755 bin/swift-auth-to-swauth delete mode 100755 bin/swift-auth-update-reseller-prefixes delete mode 100644 doc/source/auth.rst delete mode 100644 doc/source/howto_cyberduck.rst delete mode 100644 doc/source/images/howto_cyberduck_config.png delete mode 100644 etc/auth-server.conf-sample delete mode 100644 swift/auth/__init__.py delete mode 100644 swift/auth/server.py delete mode 100644 swift/common/middleware/auth.py delete mode 100644 test/unit/auth/__init__.py delete mode 100644 test/unit/auth/test_server.py delete mode 100644 test/unit/common/middleware/test_auth.py 
diff --git a/bin/swift-auth-add-user b/bin/swift-auth-add-user deleted file mode 100755 index 6b997d8ccd..0000000000 --- a/bin/swift-auth-add-user +++ /dev/null 
@@ -1,73 +0,0 @@ -#!/usr/bin/python -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from ConfigParser import ConfigParser -from optparse import OptionParser -from os.path import basename -from sys import argv, exit - -from swift.common.bufferedhttp import http_connect_raw as http_connect - - -if __name__ == '__main__': - default_conf = '/etc/swift/auth-server.conf' - parser = OptionParser( - usage='Usage: %prog [options] ') - parser.add_option('-c', '--conf', dest='conf', default=default_conf, - help='Configuration file to determine how to connect to the local ' - 'auth server (default: %s).' % default_conf) - parser.add_option('-a', '--admin', dest='admin', action='store_true', - default=False, help='Give the user administrator access; otherwise ' - 'the user will only have access to containers specifically allowed ' - 'with ACLs.') - parser.add_option('-r', '--reseller-admin', dest='reseller_admin', - action='store_true', default=False, help='Give the user full reseller ' - 'administrator access, giving them full access to all accounts within ' - 'the reseller, including the ability to create new accounts. 
Creating ' - 'a new reseller admin requires super_admin rights.') - parser.add_option('-U', '--admin-user', dest='admin_user', - default='.super_admin', help='The user with admin rights to add users ' - '(default: .super_admin).') - parser.add_option('-K', '--admin-key', dest='admin_key', - help='The key for the user with admin rights to add users.') - args = argv[1:] - if not args: - args.append('-h') - (options, args) = parser.parse_args(args) - if len(args) != 3: - parser.parse_args(['-h']) - account, user, password = args - c = ConfigParser() - if not c.read(options.conf): - exit('Unable to read conf file: %s' % options.conf) - conf = dict(c.items('app:auth-server')) - host = conf.get('bind_ip', '127.0.0.1') - port = int(conf.get('bind_port', 11000)) - ssl = conf.get('cert_file') is not None - path = '/account/%s/%s' % (account, user) - headers = {'X-Auth-Admin-User': options.admin_user, - 'X-Auth-Admin-Key': options.admin_key, - 'X-Auth-User-Key': password} - if options.admin: - headers['X-Auth-User-Admin'] = 'true' - if options.reseller_admin: - headers['X-Auth-User-Reseller-Admin'] = 'true' - conn = http_connect(host, port, 'PUT', path, headers, ssl=ssl) - resp = conn.getresponse() - if resp.status == 204: - print resp.getheader('x-storage-url') - else: - print 'Update failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swift-auth-recreate-accounts b/bin/swift-auth-recreate-accounts deleted file mode 100755 index 430940f44e..0000000000 --- a/bin/swift-auth-recreate-accounts +++ /dev/null 
@@ -1,53 +0,0 @@ -#!/usr/bin/python -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from ConfigParser import ConfigParser -from optparse import OptionParser -from sys import argv, exit - -from swift.common.bufferedhttp import http_connect_raw as http_connect - -if __name__ == '__main__': - default_conf = '/etc/swift/auth-server.conf' - parser = OptionParser(usage='Usage: %prog [options]') - parser.add_option('-c', '--conf', dest='conf', default=default_conf, - help='Configuration file to determine how to connect to the local ' - 'auth server (default: %s).' 
% default_conf) - parser.add_option('-U', '--admin-user', dest='admin_user', - default='.super_admin', help='The user with admin rights to recreate ' - 'accounts (default: .super_admin).') - parser.add_option('-K', '--admin-key', dest='admin_key', - help='The key for the user with admin rights to recreate accounts.') - args = argv[1:] - if not args: - args.append('-h') - (options, args) = parser.parse_args(args) - c = ConfigParser() - if not c.read(options.conf): - exit('Unable to read conf file: %s' % options.conf) - conf = dict(c.items('app:auth-server')) - host = conf.get('bind_ip', '127.0.0.1') - port = int(conf.get('bind_port', 11000)) - ssl = conf.get('cert_file') is not None - path = '/recreate_accounts' - conn = http_connect(host, port, 'POST', path, ssl=ssl, - headers={'X-Auth-Admin-User': options.admin_user, - 'X-Auth-Admin-Key': options.admin_key}) - resp = conn.getresponse() - if resp.status == 200: - print resp.read() - else: - print 'Recreating accounts failed. (%d)' % resp.status diff --git a/bin/swift-auth-server b/bin/swift-auth-server deleted file mode 100755 index 10c0fba073..0000000000 --- a/bin/swift-auth-server +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/usr/bin/python -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from swift.common.utils import parse_options -from swift.common.wsgi import run_wsgi - -if __name__ == '__main__': - conf_file, options = parse_options() - run_wsgi(conf_file, 'auth-server', default_port=11000, **options) diff --git a/bin/swift-auth-to-swauth b/bin/swift-auth-to-swauth deleted file mode 100755 index e1010c315a..0000000000 --- a/bin/swift-auth-to-swauth +++ /dev/null 
@@ -1,44 +0,0 @@ -#!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import gettext -from subprocess import call -from sys import argv, exit - -import sqlite3 - - -if __name__ == '__main__': - gettext.install('swift', unicode=1) - if len(argv) != 2: - exit('Syntax: %s ' % argv[0]) - _junk, auth_db = argv - conn = sqlite3.connect(auth_db) - try: - listing = conn.execute('SELECT account, cfaccount, user, password, ' - 'admin, reseller_admin FROM account') - except sqlite3.OperationalError, err: - listing = conn.execute('SELECT account, cfaccount, user, password, ' - '"f", "f" FROM account') - for account, cfaccount, user, password, admin, reseller_admin in listing: - cmd = ['swauth-add-user', '-K', '', '-s', - cfaccount.split('_', 1)[1]] - if admin == 't': - cmd.append('-a') - if reseller_admin == 't': - cmd.append('-r') - cmd.extend([account, user, password]) - print ' '.join(cmd) diff --git a/bin/swift-auth-update-reseller-prefixes b/bin/swift-auth-update-reseller-prefixes deleted file mode 100755 index 52b6345e99..0000000000 --- a/bin/swift-auth-update-reseller-prefixes +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/usr/bin/python -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from os.path import basename -from sys import argv, exit - -from swift.common.db import get_db_connection - - -if __name__ == '__main__': - app = basename(argv[0]) - if len(argv) != 3: - exit(''' -Syntax : %s -Example: %s /etc/swift/auth.db AUTH'''.strip() % (app, app)) - db = argv[1] - new_prefix = argv[2].rstrip('_') - print 'Updating %s' % db - conn = get_db_connection(db) - rows = conn.execute('SELECT url, cfaccount FROM account').fetchall() - for row in rows: - old_prefix = '' - uuid = row[1] - if '_' in row[1]: - old_prefix, uuid = row[1].split('_', 1) - new_cfaccount = '%s_%s' % (new_prefix, uuid) - new_url = row[0].replace(row[1], new_cfaccount) - print '%s ->\n%s' % (row[0], new_url) - print '%s ->\n%s' % (row[1], new_cfaccount) - print - conn.execute('''UPDATE account SET url = ?, cfaccount = ? - WHERE url = ? AND cfaccount = ?''', - (new_url, new_cfaccount, row[0], row[1])) - conn.commit() - print 'Updated %s rows.' % len(rows) diff --git a/doc/source/admin_guide.rst b/doc/source/admin_guide.rst index 05580a143e..bb3eef6fa6 100644 --- a/doc/source/admin_guide.rst +++ b/doc/source/admin_guide.rst 
@@ -159,15 +159,12 @@ of the cluster, we need to run the swift-stats-report tool to check the health of each of these containers and objects. These tools need direct access to the entire cluster and to the ring files -(installing them on an auth server or a proxy server will probably do). Both +(installing them on a proxy server will probably do). Both swift-stats-populate and swift-stats-report use the same configuration file, /etc/swift/stats.conf. Example conf file:: [stats] - # For DevAuth: - auth_url = http://saio:11000/v1.0 - # For Swauth: - # auth_url = http://saio:11000/auth/v1.0 + auth_url = http://saio:11000/auth/v1.0 auth_user = test:tester auth_key = testing @@ -236,15 +233,16 @@ then be graphed to see how cluster performance is trending. Additional Cleanup Script for Swauth ------------------------------------ -If you decide to use Swauth, you'll want to install a cronjob to clean up any +With Swauth, you'll want to install a cronjob to clean up any orphaned expired tokens. These orphaned tokens can occur when a "stampede" occurs where a single user authenticates several times concurrently. Generally, these orphaned tokens don't pose much of an issue, but it's good to clean them up once a "token life" period (default: 1 day or 86400 seconds). -This should be as simple as adding `swauth-cleanup-tokens -K swauthkey > -/dev/null` to a crontab entry on one of the proxies that is running Swauth; but -run `swauth-cleanup-tokens` with no arguments for detailed help on the options +This should be as simple as adding `swauth-cleanup-tokens -A +https://:8080/auth/ -K swauthkey > /dev/null` to a crontab +entry on one of the proxies that is running Swauth; but run +`swauth-cleanup-tokens` with no arguments for detailed help on the options available. ------------------------ diff --git a/doc/source/auth.rst b/doc/source/auth.rst deleted file mode 100644 index feb3be8a99..0000000000 --- a/doc/source/auth.rst +++ /dev/null 
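Review bot: In the stats.conf example, `auth_url = http://saio:11000/auth/v1.0` still points at port 11000, which is the DevAuth auth-server port this patch removes; Swauth runs inside the proxy, and the SAIO instructions changed elsewhere in this same patch use `http://127.0.0.1:8080/auth/v1.0`. Unless the SAIO proxy is deliberately bound to 11000, the sample should read `auth_url = http://saio:8080/auth/v1.0`, otherwise swift-stats-populate and swift-stats-report will fail to authenticate against a fresh SAIO. The line was uncommented from the previous Swauth alternative rather than rewritten, so the mismatch looks inherited rather than introduced here, but it is now the only value shown.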
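Review bot: The recommended crontab line passes the Swauth super_admin key as `-K swauthkey` on the command line, so while the job runs the key is readable by any local user via `ps` or `/proc/<pid>/cmdline`, and on most distributions cron also records the full command in syslog. The guide should say so and steer operators toward limiting exposure, for example by adding after the crontab sentence: `Install this entry in the swift user's own crontab rather than a world-readable file under /etc/cron.d, and note that the key given with -K is visible in the process list and in cron's syslog output while the job runs.` The endpoint `https://:8080/auth/` also appears to have lost its hostname placeholder in this rendering; worth confirming the published page shows one.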
@@ -1,15 +0,0 @@ -.. _auth: - -************************* -Developer's Authorization -************************* - -.. _auth_server: - -Auth Server -=========== - -.. automodule:: swift.auth.server - :members: - :undoc-members: - :show-inheritance: diff --git a/doc/source/development_auth.rst b/doc/source/development_auth.rst index 0f28750bd3..e0f3fcc7ba 100644 --- a/doc/source/development_auth.rst +++ b/doc/source/development_auth.rst @@ -6,13 +6,11 @@ Auth Server and Middleware Creating Your Own Auth Server and Middleware -------------------------------------------- -The included swift/auth/server.py and swift/common/middleware/auth.py are good -minimal examples of how to create an external auth server and proxy server auth -middleware. Also, see swift/common/middleware/swauth.py for -a more complete implementation. The main points are that the auth middleware -can reject requests up front, before they ever get to the Swift Proxy -application, and afterwards when the proxy issues callbacks to verify -authorization. +The included swift/common/middleware/swauth.py is a good example of how to +create an auth subsystem with proxy server auth middleware. The main points are +that the auth middleware can reject requests up front, before they ever get to +the Swift Proxy application, and afterwards when the proxy issues callbacks to +verify authorization. It's generally good to separate the authentication and authorization procedures. Authentication verifies that a request actually comes from who it 
@@ -29,7 +27,7 @@ specific information, it just passes it along. Convention has environ['REMOTE_USER'] set to the authenticated user string but often more information is needed than just that. -The included DevAuth will set the REMOTE_USER to a comma separated list of +The included Swauth will set the REMOTE_USER to a comma separated list of groups the user belongs to. The first group will be the "user's group", a group that only the user belongs to. The second group will be the "account's group", a group that includes all users for that auth account (different than the @@ -39,7 +37,7 @@ will be omitted. It is highly recommended that authentication server implementers prefix their tokens and Swift storage accounts they create with a configurable reseller -prefix (`AUTH_` by default with the included DevAuth). This prefix will avoid +prefix (`AUTH_` by default with the included Swauth). This prefix will avoid conflicts with other authentication servers that might be using the same Swift cluster. Otherwise, the Swift cluster will have to try all the resellers until one validates a token or all fail. 
@@ -48,22 +46,20 @@ A restriction with group names is that no group name should begin with a period '.' as that is reserved for internal Swift use (such as the .r for referrer designations as you'll see later). -Example Authentication with DevAuth: +Example Authentication with Swauth: - * Token AUTH_tkabcd is given to the DevAuth middleware in a request's + * Token AUTH_tkabcd is given to the Swauth middleware in a request's X-Auth-Token header. - * The DevAuth middleware makes a validate token AUTH_tkabcd call to the - external DevAuth server. - * The external DevAuth server validates the token AUTH_tkabcd and discovers + * The Swauth middleware validates the token AUTH_tkabcd and discovers it matches the "tester" user within the "test" account for the storage account "AUTH_storage_xyz". - * The external DevAuth server responds with "X-Auth-Groups: - test:tester,test,AUTH_storage_xyz" + * The Swauth server sets the REMOTE_USER to + "test:tester,test,AUTH_storage_xyz" * Now this user will have full access (via authorization procedures later) to the AUTH_storage_xyz Swift storage account and access to containers in other storage accounts, provided the storage account begins with the same `AUTH_` reseller prefix and the container has an ACL specifying at least - one of those three groups returned. + one of those three groups. Authorization is performed through callbacks by the Swift Proxy server to the WSGI environment's swift.authorize value, if one is set. The swift.authorize 
@@ -283,11 +279,9 @@ sometimes that's less important than meeting certain ACL requirements. Integrating With repoze.what ---------------------------- -Here's an example of integration with repoze.what, though honestly it just does -what the default swift/common/middleware/auth.py does in a slightly different -way. I'm no repoze.what expert by any stretch; this is just included here to -hopefully give folks a start on their own code if they want to use -repoze.what:: +Here's an example of integration with repoze.what, though honestly I'm no +repoze.what expert by any stretch; this is just included here to hopefully give +folks a start on their own code if they want to use repoze.what:: from time import time diff --git a/doc/source/development_saio.rst b/doc/source/development_saio.rst index f7963b1b24..2959261aa1 100644 --- a/doc/source/development_saio.rst +++ b/doc/source/development_saio.rst @@ -215,22 +215,6 @@ Configuring each node Sample configuration files are provided with all defaults in line-by-line comments. - #. If you're going to use the DevAuth (the default swift-auth-server), create - `/etc/swift/auth-server.conf` (you can skip this if you're going to use - Swauth):: - - [DEFAULT] - user = - - [pipeline:main] - pipeline = auth-server - - [app:auth-server] - use = egg:swift#auth - default_cluster_url = http://127.0.0.1:8080/v1 - # Highly recommended to change this. - super_admin_key = devauth - #. Create `/etc/swift/proxy-server.conf`:: [DEFAULT] 
@@ -238,20 +222,12 @@ Sample configuration files are provided with all defaults in line-by-line commen user = [pipeline:main] - # For DevAuth: - pipeline = healthcheck cache auth proxy-server - # For Swauth: - # pipeline = healthcheck cache swauth proxy-server + pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true - # Only needed for DevAuth - [filter:auth] - use = egg:swift#auth - - # Only needed for Swauth [filter:swauth] use = egg:swift#swauth # Highly recommended to change this. @@ -573,14 +549,12 @@ Setting up scripts for running Swift #!/bin/bash swift-init main start - # The auth-server line is only needed for DevAuth: - swift-init auth-server start - #. For Swauth (not needed for DevAuth), create `~/bin/recreateaccounts`:: + #. Create `~/bin/recreateaccounts`:: #!/bin/bash - # Replace devauth with whatever your super_admin key is (recorded in + # Replace swauthkey with whatever your super_admin key is (recorded in # /etc/swift/proxy-server.conf). swauth-prep -K swauthkey swauth-add-user -K swauthkey -a test tester testing 
@@ -592,24 +566,17 @@ Setting up scripts for running Swift #!/bin/bash - # Replace devauth with whatever your super_admin key is (recorded in - # /etc/swift/auth-server.conf). This swift-auth-recreate-accounts line - # is only needed for DevAuth: - swift-auth-recreate-accounts -K devauth swift-init rest start #. `chmod +x ~/bin/*` #. `remakerings` #. `cd ~/swift/trunk; ./.unittests` #. `startmain` (The ``Unable to increase file descriptor limit. Running as non-root?`` warnings are expected and ok.) - #. For Swauth: `recreateaccounts` - #. For DevAuth: `swift-auth-add-user -K devauth -a test tester testing` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:11000/v1.0`` # For Swauth, make the last URL `http://127.0.0.1:8080/auth/v1.0` + #. `recreateaccounts` + #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:8080/auth/v1.0`` #. Check that you can GET account: ``curl -v -H 'X-Auth-Token: ' `` - #. Check that `st` works: `st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat` # For Swauth, make the URL `http://127.0.0.1:8080/auth/v1.0` - #. For DevAuth: `swift-auth-add-user -K devauth -a test2 tester2 testing2` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. For DevAuth: `swift-auth-add-user -K devauth test tester3 testing3` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. `cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` # For Swauth, add auth_prefix = /auth/ and change auth_port = 8080. + #. Check that `st` works: `st -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat` + #. 
`cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` #. `cd ~/swift/trunk; ./.functests` (Note: functional tests will first delete everything in the configured accounts.) #. `cd ~/swift/trunk; ./.probetests` (Note: probe tests will reset your @@ -634,7 +601,7 @@ If all doesn't go as planned, and tests fail, or you can't auth, or something do #. Everything is logged in /var/log/syslog, so that is a good first place to look for errors (most likely python tracebacks). #. Make sure all of the server processes are running. For the base - functionality, the Proxy, Account, Container, Object and Auth servers + functionality, the Proxy, Account, Container, and Object servers should be running #. If one of the servers are not running, and no errors are logged to syslog, it may be useful to try to start the server manually, for example: diff --git a/doc/source/howto_cyberduck.rst b/doc/source/howto_cyberduck.rst deleted file mode 100644 index 7fdf9ea630..0000000000 --- a/doc/source/howto_cyberduck.rst +++ /dev/null 
@@ -1,160 +0,0 @@ -=============================== -Talking to Swift with Cyberduck -=============================== - -.. note:: - Put together by Caleb Tennis, thanks Caleb! - - -#. Install Swift, or have credentials for an existing Swift installation. If - you plan to install Swift on your own server, follow the general guidelines - in the section following this one. (This documentation assumes the use of - the DevAuth auth server; if you're using Swauth, you should change all auth - URLs /v1.0 to /auth/v1.0) - -#. Verify you can connect using the standard Swift Tool `st` from your - "public" URL (yes I know this resolves privately inside EC2):: - - ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ st -A https://ec2-184-72-156-130.compute-1.amazonaws.com:11000/v1.0 -U a3:b3 -K c3 stat - Account: 06228ccf-6d0a-4395-889e-e971e8de8781 - Containers: 0 - Objects: 0 - Bytes: 0 - - .. note:: - - The Swift Tool `st` can be copied from Swift sources to most any - machine with Python installed. You can grab it from - http://bazaar.launchpad.net/%7Ehudson-openstack/swift/trunk/annotate/head%3A/bin/st - if you don't have the Swift code handy. - -#. Download and extract the Cyberduck sources (3.5.1 as of this writing). They - should be available at http://trac.cyberduck.ch/ - -#. Edit the Cyberduck source. Look for lib/cloudfiles.properties, and edit - this file. Change auth_url to your public auth URL (note the https):: - - auth_url=https://ec2-184-72-156-130.compute-1.amazonaws.com:11000/v1.0 - -#. Edit source/ch/cyberduck/core/Protocol.java. Look for the line saying - "storage.clouddrive.com". Just above that, change:: - - public boolean isHostnameConfigurable() { - return true; - } - -#. In the root directory, run "make" to rebuild Cyberduck. When done, type: - `open build/Release/Cyberduck.app/` to start the program. - -#. Go to "Open Connection", select Rackspace Cloud Files, and connect. - - .. image:: images/howto_cyberduck_config.png - -#. 
If you get SSL errors, make sure your auth and proxy server are both setup - for SSL. If you get certificate errors (specifically, 'unable to find valid - certification path to requested target'), you are using a self signed - certificate, you need to perform a few more steps: - - .. note:: - - For some folks, just telling the OS to trust the cert works fine, for - others use the following steps. - -#. As outlined here: http://blogs.sun.com/andreas/entry/no_more_unable_to_find, - download http://blogs.sun.com/andreas/resource/InstallCert.java, run "javac - InstallCert.java" to compile it, then run "java InstallCert - https://your-auth-server-url:8080". This script will pull down that - certificate and put it into a Java cert store, in your local directory. The - file is jssecacerts. - -#. You need to move that file to $JAVA_HOME/jre/lib/security, so your java run - time picks it up. - -#. Restart Cyberduck, and it should now allow you to use that certificate - without an error. - - ---------------------------------------- -Installing Swift For Use With Cyberduck ---------------------------------------- - -#. Both the proxy and auth servers will ultimately need to be running with - SSL. You will need a key and certificate to do this, self signed is ok (but - a little more work getting Cyberduck to accept it). Put these in - /etc/swift/cert.crt and /etc/swift/cert.key. - - .. note:: - - Creating a self-signed cert can usually be done with:: - - cd /etc/swift - openssl req -new -x509 -nodes -out cert.crt -keyout cert.key - -#. Example proxy-server config:: - - [DEFAULT] - cert_file = /etc/swift/cert.crt - key_file = /etc/swift/cert.key - - [pipeline:main] - pipeline = healthcheck cache auth proxy-server - - [app:proxy-server] - use = egg:swift#proxy - - [filter:auth] - use = egg:swift#auth - ssl = true - - [filter:healthcheck] - use = egg:swift#healthcheck - - [filter:cache] - use = egg:swift#memcache - -#. 
Example auth-server config:: - - [DEFAULT] - cert_file = /etc/swift/cert.crt - key_file = /etc/swift/cert.key - - [pipeline:main] - pipeline = auth-server - - [app:auth-server] - use = egg:swift#auth - super_admin_key = devauth - default_cluster_url = https://ec2-184-72-156-130.compute-1.amazonaws.com:8080/v1 - -#. Use swift-auth-add-user to create a new account and admin user:: - - ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ swift-auth-add-user -K devauth -a a3 b3 c3 - https://ec2-184-72-156-130.compute-1.amazonaws.com:8080/v1/06228ccf-6d0a-4395-889e-e971e8de8781 - - .. note:: - It's important that the URL that is given back to you be accessible - publicly. This URL is tied to this account, and will be served - back to Cyberduck after authorization. If this URL gives back - something like: http://127.0.0.1/v1/... this won't work, because - Cyberduck will attempt to connect to 127.0.0.1. - - This URL is specified in the auth-server config's - default_cluster_url. However, once you have created an - account/user, this URL is fixed and won't change even if you change - that configuration item. You will have to use sqlite to manually - edit the auth.db in order to change it (limitation of using the - development auth server, but perhaps someone will patch in this - ability someday). - -#. Verify you can connect using the standard Swift Tool `st`:: - - ubuntu@domU-12-31-39-03-CD-06:/home/swift/swift/bin$ st -A https://127.0.0.1:11000/v1.0 -U a3:b3 -K c3 stat - Account: 06228ccf-6d0a-4395-889e-e971e8de8781 - Containers: 0 - Objects: 0 - Bytes: 0 - -.. note:: - - Please let me know if you find any changes that need to be made: ctennis on - IRC diff --git a/doc/source/howto_installmultinode.rst b/doc/source/howto_installmultinode.rst index a314474993..ddc1ddd044 100644 --- a/doc/source/howto_installmultinode.rst +++ b/doc/source/howto_installmultinode.rst 
@@ -13,8 +13,7 @@ Prerequisites Basic architecture and terms ---------------------------- - *node* - a host machine running one or more Swift services -- *Proxy node* - node that runs Proxy services; can also run Swauth -- *Auth node* - node that runs the Auth service; only required for DevAuth +- *Proxy node* - node that runs Proxy services; also runs Swauth - *Storage node* - node that runs Account, Container, and Object services - *ring* - a set of mappings of Swift data to physical devices @@ -23,15 +22,9 @@ This document shows a cluster using the following types of nodes: - one Proxy node - Runs the swift-proxy-server processes which proxy requests to the - appropriate Storage nodes. For Swauth, the proxy server will also contain + appropriate Storage nodes. The proxy server will also contain the Swauth service as WSGI middleware. -- one Auth node - - - Runs the swift-auth-server which controls authentication and - authorization for all requests. This can be on the same node as a - Proxy node. This is only required for DevAuth. - - five Storage nodes - Runs the swift-account-server, swift-container-server, and @@ -92,7 +85,6 @@ General OS configuration and partitioning for each node export STORAGE_LOCAL_NET_IP=10.1.2.3 export PROXY_LOCAL_NET_IP=10.1.2.4 - export AUTH_LOCAL_NET_IP=10.1.2.5 .. note:: The random string of text in /etc/swift/swift.conf is 
@@ -136,26 +128,14 @@ Configure the Proxy node bind_port = 8080 workers = 8 user = swift - # For non-local Auth server - ip = $AUTH_LOCAL_NET_IP - [pipeline:main] - # For DevAuth: - pipeline = healthcheck cache auth proxy-server - # For Swauth: - # pipeline = healthcheck cache swauth proxy-server + pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true - # Only needed for DevAuth - [filter:auth] - use = egg:swift#auth - ssl = true - - # Only needed for Swauth [filter:swauth] use = egg:swift#swauth default_swift_cluster = local#https://$PROXY_LOCAL_NET_IP:8080/v1 @@ -228,42 +208,6 @@ Configure the Proxy node swift-init proxy start -Configure the Auth node ------------------------ - -.. note:: Only required for DevAuth; you can skip this section for Swauth. - -#. If this node is not running on the same node as a proxy, create a - self-signed cert as you did for the Proxy node - -#. Install swift-auth service:: - - apt-get install swift-auth - -#. Create /etc/swift/auth-server.conf:: - - cat >/etc/swift/auth-server.conf <:8080/v1 - # Highly recommended to change this key to something else! - super_admin_key = devauth - EOF - -#. Start Auth services:: - - swift-init auth start - chown swift:swift /etc/swift/auth.db - swift-init auth restart # 1.1.0 workaround because swift creates auth.db owned as root - Configure the Storage nodes --------------------------- 
@@ -418,26 +362,21 @@ replicator, updater, or auditor.:: Create Swift admin account and test ----------------------------------- -You run these commands from the Auth node. - -.. note:: For Swauth, replace the https://:11000/v1.0 with - https://:8080/auth/v1.0 +You run these commands from the Proxy node. #. Create a user with administrative privileges (account = system, username = root, password = testpass). Make sure to replace - ``devauth`` (or ``swauthkey``) with whatever super_admin key you assigned in - the auth-server.conf file (or proxy-server.conf file in the case of Swauth) + ``swauthkey`` with whatever super_admin key you assigned in + the proxy-server.conf file above. *Note: None of the values of account, username, or password are special - they can be anything.*:: - # For DevAuth: - swift-auth-add-user -K devauth -a system root testpass - # For Swauth: - swauth-add-user -K swauthkey -a system root testpass + swauth-prep -A https://:8080/auth/ -K swauthkey + swauth-add-user -A https://:8080/auth/ -K swauthkey -a system root testpass #. Get an X-Storage-Url and X-Auth-Token:: - curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testpass' https://:11000/v1.0 + curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testpass' https://:8080/auth/v1.0 #. Check that you can HEAD the account:: 
@@ -445,32 +384,32 @@ You run these commands from the Auth node. #. Check that ``st`` works (at this point, expect zero containers, zero objects, and zero bytes):: - st -A https://:11000/v1.0 -U system:root -K testpass stat + st -A https://:8080/auth/v1.0 -U system:root -K testpass stat #. Use ``st`` to upload a few files named 'bigfile[1-2].tgz' to a container named 'myfiles':: - st -A https://:11000/v1.0 -U system:root -K testpass upload myfiles bigfile1.tgz - st -A https://:11000/v1.0 -U system:root -K testpass upload myfiles bigfile2.tgz + st -A https://:8080/auth/v1.0 -U system:root -K testpass upload myfiles bigfile1.tgz + st -A https://:8080/auth/v1.0 -U system:root -K testpass upload myfiles bigfile2.tgz #. Use ``st`` to download all files from the 'myfiles' container:: - st -A https://:11000/v1.0 -U system:root -K testpass download myfiles + st -A https://:8080/auth/v1.0 -U system:root -K testpass download myfiles #. Use ``st`` to save a backup of your builder files to a container named 'builders'. Very important not to lose your builders!:: - st -A https://:11000/v1.0 -U system:root -K testpass upload builders /etc/swift/*.builder + st -A https://:8080/auth/v1.0 -U system:root -K testpass upload builders /etc/swift/*.builder #. Use ``st`` to list your containers:: - st -A https://:11000/v1.0 -U system:root -K testpass list + st -A https://:8080/auth/v1.0 -U system:root -K testpass list #. Use ``st`` to list the contents of your 'builders' container:: - st -A https://:11000/v1.0 -U system:root -K testpass list builders + st -A https://:8080/auth/v1.0 -U system:root -K testpass list builders #. Use ``st`` to download all files from the 'builders' container:: - st -A https://:11000/v1.0 -U system:root -K testpass download builders + st -A https://:8080/auth/v1.0 -U system:root -K testpass download builders .. _add-proxy-server: 
@@ -489,31 +428,25 @@ See :ref:`config-proxy` for the initial setup, and then follow these additional use = egg:swift#memcache memcache_servers = :11211 -#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/auth-server.conf (for DevAuth) or in /etc/swift/proxy-server.conf (for Swauth):: +#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf:: - # For DevAuth, in /etc/swift/auth-server.conf - [app:auth-server] - use = egg:swift#auth - default_cluster_url = https:///v1 - # Highly recommended to change this key to something else! - super_admin_key = devauth - - # For Swauth, in /etc/swift/proxy-server.conf [filter:swauth] use = egg:swift#swauth default_swift_cluster = local#http:///v1 # Highly recommended to change this key to something else! super_admin_key = swauthkey -#. For DevAuth, after you change the default_cluster_url setting, you have to delete the auth database and recreate the Swift users, or manually update the auth database with the correct URL for each account. +#. The above will make new accounts with the new default_swift_cluster URL, however it won't change any existing accounts. You can change a service URL for existing accounts with:: - For Swauth, you can change a service URL with:: + First retreve what the URL was:: - swauth-set-account-service -K swauthkey storage local + swauth-list -A https://:8080/auth/ -K swauthkey - You can obtain old service URLs with:: - - swauth-list -K swauthkey + And then update it with:: + + swauth-set-account-service -A https://:8080/auth/ -K swauthkey storage local + + Make the look just like it's original URL but with the host:port update you want. #. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well. 
@@ -522,15 +455,16 @@ See :ref:`config-proxy` for the initial setup, and then follow these additional Additional Cleanup Script for Swauth ------------------------------------ -If you decide to use Swauth, you'll want to install a cronjob to clean up any +With Swauth, you'll want to install a cronjob to clean up any orphaned expired tokens. These orphaned tokens can occur when a "stampede" occurs where a single user authenticates several times concurrently. Generally, these orphaned tokens don't pose much of an issue, but it's good to clean them up once a "token life" period (default: 1 day or 86400 seconds). -This should be as simple as adding `swauth-cleanup-tokens -K swauthkey > -/dev/null` to a crontab entry on one of the proxies that is running Swauth; but -run `swauth-cleanup-tokens` with no arguments for detailed help on the options +This should be as simple as adding `swauth-cleanup-tokens -A +https://:8080/auth/ -K swauthkey > /dev/null` to a crontab +entry on one of the proxies that is running Swauth; but run +`swauth-cleanup-tokens` with no arguments for detailed help on the options available. Troubleshooting Notes 
diff --git a/doc/source/images/howto_cyberduck_config.png b/doc/source/images/howto_cyberduck_config.png deleted file mode 100644 index 1612bbe0e6aedc62ae284f4d2f1aa6ceeea66afc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 40503 zcmV*EKx@B=P)4Tx0C)k_S!Yxg%d+m79og(n&N=6tgX9d7GlH z!S@g>;`uLn{Qd=#$)11fB$NIA#=oBh>4^-i9}pEDOitLn`M+#Jf@6^PwR_MZEip9M zV#ha3$T{Op);B}09LTv99=z)_L3AMLHXggRU)YHQ9FRbYsX=sCBq%UL@9<95B zk#`39hDTf3{Y6hs^w+aMFcG1j^@%e0qvui}*>uNeR0zE>GRDRp!2$^GjEc22Krj+f z&}5>&o#S6J%iccvf6-ysH^9*3w+u`d5N)zE76amQzMwF(9UG9bU?pG%f`Jc+0g*@> z3M9c^pa=B-Y9)a$AS0Yugck*Zz%+tGkRD-3pD+aT{3WONZxqAbett;5|E-Y+cp%KxGH4+2nA4FFr|KQs~Kp;@T`sGISM ziH!ZN5505200N*!B9s+y0e&EYyk|L}1k`~xFaV~&64(J}upfyZeja-l+~6sm$6pf;!r8i0nO*U$ts3w?vuVH8Y+ z8DLIW2$qIbU>(>Dwu9YZKR5zTgj3-xxBxDLYv5+M3m$}Dz~k^dyn+HKN)!`{7bS^O zLFu6^Q7$N7R3s`Hm4V7fm7(fT?Wlg#Gt@Y00reA&Mbo2s(2_`;8l&yeUg!vPGWsOC z5PcQhjJ}6{hMqt#p|>z33%cw5P2tw?lz48u z9NrM`f)B+X!ROXxC}=1IDby$|DZD8XD6%QaDcUKXP)t#55NHX)1Py{6 zA&_vGP(Y|7^b+0?zEe_C@=>Z%T2ls4rcf48UZ=cIIYIf8NJkVS>JeRuF~lrlC9#wE zn)sbWA_UN$ zbUkz*=~49j^m_DO^hfE->3iv?7_bb&3?>YL44DkI438O>80i=l7#$en8H*V2Fpe{! zn1q;2n1Y$InHrf!nAVv&nRS?bnA4f-n4dDQvaqvgv-q%Nu++1>U|DD7VKrb4V$ES~ zVSUerW)owxW{YDhVe4gEU}s=gXZK>yU~go9!vS-MaoBJi;JD23kYk0Di_?fRobxj$q2od= zLNmfF!Y0Cr!qvj>L`Wi9A`v2GBF{y!qAH?6q8CJm#9%Q+F@Lclu_xlNxRQ8)_yzG{ z35f~)WVPgk6qD3msUuP?Qj5|8(k{|D(*4p~GKw<6GUYOFW$9#1 zWsk_V%YKs+lk<`*l6x*sk~fq;B;P9kRY6?AN1;UFl_I^Ox#DrfZpB|p%1V(+bxO0! z0?HoB#mX;L7*woOPO98j#i;749#Xxn`cq9wEn2Nn?TfmkdXV}x^_e}wdwlkk@A;^~ zr$N>z)fm_0(e%)~q&cp|t3}o-)B2#zukEc}q5VlmR3}iUMrTo1MmJLTrtYeqn%+UZ zPJNWVk$#5$V*@$^dxJuQQA0jMKf`LnB_l}>u!6^_J^IWUAEm@dlCB>`)&tn2UmwGhgC;?$6Uv8CuygHPJ_;D&H>J? 
zE;ttlmkO7aeFppT_D#7ex~92~xCy((yAAAT+aJ9DjyttG*}cgFpknE;gjq0$ydWS*LTKG!|#mWtiP6jzW+jiUO-{M*FfXI zi-D^_mO+(4+rf^(^&$8WkC3)dy3nA|dtqE*@nOT^;^ArG;}L2Rc@ayIW|0+9P?TF# zYcvD0IeZu+5_2qOB33iDD0VH*A+9N&Ha;}|VS-pfdcvnf!^A5G&BD`l6Q#-0v6 zJ(8o9b2XPXH!=6)8S^vEXL-(MoL$ay&l|{B$iH}wa4zQDc){L+*7E}APoLi`^e=o- zq+3*9%u$?Pyn4a=!qXD%lDdnW7c(!eUkbSNs??~oxlE`m|1$P+?B(flhw}a_Dp#s1 z*eWtBepQB6j$gI8dap{ks_GiYwd`uRI;MKI#8jPO`4Fo~b_bI=CKleXhZy zVWiQlvAap7sqTj0jpCd1H#3@{=7i>@7XOyEetgzg@Vzn~*Bjm@%YQ`Gt+SQ*bKl|4m*FSBq2`dbtQwv)fMh=e)?BI`jSPO5R-ln{$r}y3XG$ zY%IE7TzjFeq~YStOSenA%LXnFmycW-t(dNyz52Q8+qISI<(hA`U+TVJr*4pGv}g*t zar9)W>Z_Kn*VcNp*TbclA!b!m2+_Bh@1?TzhA?=QK3V_@(>$6(pRlt-?Q zRi4m4SsdyeE_@pC%-}iG^Vt`-MzUUdzEXINdHwQD4H8fG?zDe9<;}m(CdiwUKz!{dA{@Lg`p1B9}aSQwl4?o8&axQj%30h)UYW?bpL{Is5 z)9+uGb5~?np8VMVV|LYXwR??i&10=%ZQ*CsI{QZ57XSA4uK($P1h7GNf%hRs$P2m) z3&W)-VN?s^e;&*n_8#sAzLnw;VUEZ{@~7&d;io-Ck7vkW;$*(X>c)=ZsOECyq2lf0 zPZAUr8WqVElNYa+q?QVj9*~uk%a&hJbXMw6;Zr@NHnvAoqfqmQwzW=$?z+B-L4n~1 zV_}mp(`vI>bAF3`mN{1a)*H4Wc6RnD4woJKoTgn+`}kbd-JJJFxu5VTCf9j(c|G&~ z==0Tg+n*|cBTytrAy_BGCe$Y^Iy^n1FtRafFnTzqIW{*gDBd_hBoUuDci>S{!@;8D z)I*^u`wp8PQ9CM;%5{t`4VSig{M(87^vR6(nJ-R0I@Ocao_+0fQBGFw;WII3L-YLd zJoJ;Y-PM>;`9gC zkD?!cOm@aTn9p|>BfbcJ8C}Z$s{M5d@xIeCVYzw5 z^9S{hTdVe~pVrcmd1HJ1^CsmlzpeId`R%yvTf6>;0VQAqvcL+-1}ecgvZp6QwJ-#G z!1qz=s5T_~dxc5H%3|kmt@x7^!30-I8=@u2p30Ltj^+$)6Wvq#6-GuTb!HcqgRI4D z?d;Du<~cXGaXietqI_!n<^t}5p+bqmX(FdZ&x>6WuaKyctdhDaT`qG;Hcu{1K2ae+ z(NRfXSxSXb6{vnvd!T-OPmxBtW`dT#wvCRKu81C^-Y@+rg8{=@qcg^dCT^x$X8e1x zduPoDEozaNiM4jOF|?JoW41@xFF6c5UU7@*gLWm*5p(n$%!oG!{J2#P6WVLR{#_x|M&XAf@GNHNR1;I2h~A+ z&=|A^)4(FIF6;`&!l&VCxDWmSZ==|eJkA~!jXHyBLh`onXhyU$+68?OeHlG~{)S{` zMwlqfMa)CYPpk;m5qlilik-!A;H;2L>ke)iFM;>Pm*Gb#I4Jf}6jO{5_z3}o>x7?_ zdX%}86GR!}G2$DN3@M#7Nu@(|iE4}5gSwAKlIAQepbe*;ptGZUM6XZZ!LWy+jZvMk zgUN{LDYF~%JQByWtW|7!Y@_T4Ie0mGIfJ?AxNdX%AsIw3Z#17E-v|Cafkwenp$y>! 
z5kFB!F@13v2_8vG$sbY^(hp>sWQ*mF%7-Y}E2=B;DHD{JRYp|@)$XeI?|G}Ss0C@W z>WJ#9>Y3}i8$=o&Gb%8yGwC&bZ?<91YN2Sk-|Cq4b(=SKwD!gh#~klDO*?Pz<8jq- z^WUH6-s!RADdgqtUG6jGC+;5`&>O@Q92U|W#ugqOF&HHjof7jhP9{D*;p2hGgZ#-K zQmz~cO;t~0Jie0tBD3#QYj%B3#hKE)%5$~n8;V*l^jz#I9V^eR+;@$o=2?A8qr#1` zmhc7sj&WXQ+UjdDjFLY1I8Q6JD~v@qHf9fr73mkfAyzDYLLyeuOUhbWTSi)zPmV#JLIF}( zRs5nfr#z!FtGcMRya%JfqA9MWt?i@}qIX@16n}CeK?qDcHGc+!& zDSRnX1evEwV_wJ6#hWD@OB_q`Jh*x&`>^nlj#Q^(KaUrst7lA{%*xu6{W<5-8OJ=< z{HcPv!sKH661huMrCa4974BDaul3eK^|}p5n}(XDTXS#0cM>{r-Di81`bQt+K5`%8 zdb;^y`qjO+wWDnleUoD|+4HX#iAijn0Vf9eo4? zCBqd)1I8Jq9AvTJjUb0^Lw=X0IAb>6=4 zYjIYI_{Hv0a@j_CUWHQS(<;AeOwIW^`TD_zfX1~OdCd|n_uAarmv3j@73mo0^6SCf zEAO-H|2a@Hxc3qK_`(qTaLF^V=N%({ukf$i-Uhv=8m$|5oLKl6GC4VI`>Ab~Va{s) z=tAx1zQy4$&zJhX-u!m@d+@Tv^88B4591%-R!^*PtkwUN{&{U(V7+7m-tgUcuqm~9 zd~^60`!Ang^}p7)%(vRMg|>5d{2%2jFSoOL0EnoIlpja8x4#PkfXfBoSI+kKM%niE zuggfXf&2sM4F3JUVn-N@)ZB|xchG-2{s+sRk5}gsWrzR(010qNS#tmY3ljhU3ljkV znw%H_0EUxEL_t(|+U&gxTvS(@FS?J8$w~U0d+y9R_ss9!nL9IQ&YW`$-Azu?)6>C_ zPTL(x!t}&w5|g&k&@rN-X_3Sz7`4Tq*7^j zcQ@D5)6|cNy}iAhN~KaF5C{a~{s3I6R;%H!Mx)`h2m}IwxIbtp z96vez6ksqI^ml`a^bPvEi|0WB(~s%L^ke!TLi!C9aKM=m2m}Ig9~f`}`^gQu!!qa{ zC`UQUQI7J-)zTkej{2WHNE)DWJcwGX!|ZC%Hl?jVq@c>2$`sVpRsm@tujatgP(d!GqUFuiw6X`}^;|x4U4&(N$9nb_4=}c(_Qczucg@ zD%My%fk6(faRL-XFu`eIY@-4g3vSgc^K z?%TJoqN3u;l`A&@H*Yed_14(f`qY&Wy03QJF)&Tnk>sXJJSayw%2ED9$iFBXE|gs< z>A6zcbERB<6+(sLYNdkwJyWlQzZFziCcg>_#obp5q$7EkY+3D>*B$KgdHw*fpZT6Z zh;{O(T?T_8E-tREt!;RC7`XN7)vMP8{Q2mLt}D$D4(oSM5||Dsk6v@aHJ*Ew+az@* zwVnF=j^_uLn|d2dDmrcVAHU5|TT&u1*zPtSl7LFd$aF0ql%xCyl7EyxbXIcZT-TMH zOILF*UCon{aQ@QO^cv;g{F6^=rJPA}FM-09vt3utbdH>Ax21}QKhM+6{`&()qjBo5 z1l%35_V)Jf+O;N>r#T-M(PjfV(u6~4U}yo~vS`iy$8RVj z5tV5?4STM zU*dimQ37XbLx6VSoiJQ*U-?Q)oQ`Mb$+*Hv4k9XPc)pL zpxM$k(lF8DvF^GO6hIA>-6K}*_UHU}SJR(e+kpdq`c=1O&^3N9DR&d9NethVPg(zm zl~?b62iWbM-EQeotM&BMi`+B2)b|rV8`cKuU+1`Q$`u~^>gwHa>)j&VMDd6q0Y1Am zkFXqtWSfS{=a$hu$d~ zJhMv`sU7VD4z-O9!2t``zaM493df)TYM`uhfmSQqF^`)URlt6Jw-}gV-9;71mDxK! 
z6eiR2qE6Nb`ii`7KY2ztv7@wGr|YIM&!6*`D3Z>$(@3NBp$>z2pn! zD4*u?dB;p!E3DfqhjxmFcU2GXuDKjnbD9062gAFmFt&PlN7c}_%Au%o>*uA`b-5=0 zgX$+dLU(;sPNTYhNKS##QU)ke*zVj_zb zPJsfbfim?9LoNpN_I7;z0yp=|vr1)8OeSK!^ABeC7qUg)p!tRw=QeB;!dAvX@ zRrb|{64AEOruyUCKy&W##$HD`kZehE;hF_s=Jxiw%V~ZKw*HFyUt2q=oJGFjU~YXw zN&K1x^roF4FW3gfu|-1lJ9EDV`Iot^M1LF6*>bd?x-y%koXK6|?<^qtYZ7y7sw*oi zOKO@VL@vwy6~}#%+XCq+-1-6}KtlAZ*N}{SUEElA{A-et^d=I|DOzaR)#CEp%##IT zkN9bQdC3>bQ9jM(e}Aw)BzJIC?%?V?%j)x%&^$}%dCS`KogYTT| z|K$Po>^Cm}`D|vV|Ffsc3`=wIp;lqcUo1444yP5Yvk^!3XKOT7FgfS_) zFHC)1J`u6PDNq14Q05(O@mF`oF5n!P`$1A0FYlxA%VpBmgCD?|1!sW(Wd(1N!&n(B zF+Lv2Hb3r#&548`xDWC=d3icv4!`)56;dIcKzpFctvSlaFC`@C_hqglJu-=;wIT(m zWlLV0Qp)bNQ|6K$Nx?Rdg(l@S)HKu-B!TAU?AAVK{E)&@7zO;clb)p zr5TyK`IJx&m5}xqXi5smII~ScyVMKHQ9hI8|8&^2BF7Q}qxbtCgMnDHOfMbLJ^fx0upe;Xz}*9`;tUf*uh(~Vbsar=w6(Pr z$QxLdc_L(Z?_l6Tee4&#p{miIiHH?WfdZ(3vdRrzKz4J(Q!iGfQgbz-OOT(~wt|uE zTwLa zienp#w5xC%pBSd^o^m4hCAU>}qKP{0+ zjvqhX*475*Ds%4Y@I?6bfq*#87n>C;FI{b&h*;qiD1aI$ySp=#ZucWAr0}!p*vHVJ zUyaHIX=nada^o@YUhuwPbNHGPB7werap@ zSA;2E%~w#(dEC71CCrT?#P%wj*q*Odl)%Bf$TNLJS`O+_a5F^-S>9iyv9My*z|oh)4XWwd(835ve~Ui(H0a&||WYZ_1e3bNvx1IHzh#Amj%47O%O zLR??vcWPz%Zu-(3KPGpFw0Ju=UalbKEeIh!C3KM&QqMB-Rlamw`e{6Tp#|hCyttnn zua9z+PjmUp8AG3zj%+T!0wIzQBmd(!Z$JIl|M>J@{{#H}hhM$ExpX+9;z~sMl})81 z8%r*S6U27G8+P{1?|!#c z8UArkFobVZpCs#I_Nc$C87hJR2k;Yw>@28(vg5`yW_ip!?!~Re^jLFrB_YSH7bLBx zK7xbTbM=z?b3yd^)u~nu=$zmB8vIxmo7F0l)D@jNdbSZ_h<%Zpx3vro;@={wThF!{ z41H%46VFw*_GzT)A3>aNRV&H8_K>SzJ9t6d*VlP;<2+!q6Rlc9UlEAsZ9Lj45g+}W zM6oeT?6_A@%qhpcj9T%Z>C>b1vR1iVT3>#lth3Ki4lGmhvOUz|doA(2NTyIoTE%CN zZVmeADCm_#R-f4+r}|kNAyv;L7Bxaj&c%k1WS^IUygZhqJI;;WM&k^li0j|398f$iTHrxQ{A1(l)V>S1UV;RZO07u?Y&iIvl3!>aa$=(k8Jll0wih{W zTbbPBzS_FIM88bwCfAh#C-1CO!l7s%B!Il{MN?U|$t5GZMJgyCw?aEsH~y0n_8m0J zQ9iTe@8wRt+AP4|*X0@DFyxa6`s z9N$W~i!BC?#$+XOi(akP4>(R(=|BXhCXdH50GFu;EDpIL{w40E_&PYFCU2Iy=@VT& z{iw{M*Jun@L2jY;{D8$Rej2gfGFkd9>RwrQcXwZ(#x!w$X*}uyi-+9gDs+)s)o!<) zsNC*C&N5vF{U){?orKh^rm` 
zjtY}I>`CoJ4V2@=x527iUoiYH+a>q*@QNqa{)qvnA?lo*9I#k{Rj*vRGCDdc?8I{O z)g(U%D`kuB7?|cw0XGEPbjJ@Sw~{ZDw%0uL`=T7>D1VglPipK(WcF0K{aCL(z0ZC^ zY0psce^V}vvSW}R@3p5Xh#Dv#yky_oYTuAQ^v8rcU_ao%{=3H=h!vnxsbXScy1KeX zMn-PmzU}dBDj?}!rWhXS=3!$U1z80hCfr30f%s7&R$|ZYx1Sxb=MCD=TkIFCB;-RF zvKI`Izwi^}c@}%F*?w-oe#T%wr6mlzxo~LB=Lx`m_r|JZjdgM*olduH+qS&CJg}>= zo)8Gc48n1Xz3jTZ;)cCy%wB!VUgZ)*w@KiIWA@6MM6GnxUUJ2rZLoipUi-~A-vImd z-xG+%YMK-S0|U*?&1=@IiHnQ7bm`KqTeq;b5D3JKK#|=px^=tWZl5I7xrFMm+vy$3 z%{#vZ#%pS70`@cAJ=jX?oxQYzYGY$#WMt$AAAAsuK)B%j_uq#< ztgI|U{FqQ$T3R9ijy+CMkWrMli;Ig23t6?&3U$<`8>k{^7P-_u1Gze%fJIqU>=KJ>3*e(6R}`^WsM`Hz z?XD;bl-t_c*#6d*d&Ql1xAJ-c;>QCvuVIVv>@8-8V;`4U4_Q*u>vZJX7qv#K)d?S~ z7}>kk{hqIF3#(8@{w?l)HsQkJess0$n7~5C=yh7PN~Kb&pe{*8!f%b5esZaWigl?= zmj~uV22B9kfR^rmr#I*wUm<}|tx}V~_QrF*a_po9C-SoCmW;GwsR`=Qi( zBv!^8&U5u`uxVYN2{e)ThZ86zr&tS9A4o0{Y zdJH|OVbsfd5C45P=~~7CC$%CTOeWY$MbtR^=3Fz8?|&SvkVj+nVg zT7bq;yQ~&nc06&RS5ogli+X-RfZCDyJ2U2t7y~MytnKELmyQJIxlMg9)@s#cchRvaE);f%J@5(PEuO#7d1! zp8Evy(`t224i$)%kgZ0rQzsx+I(6X}-Sq}wOdTIPVQfcidS=feu_7LKIG$VyOKN(@ z^DFNbtI@ea#-@qHV%1YAoA+sjRXRq%F1(5>0n=qEz{FRi-Z3k8FrS{E#Jk#+u9J6x zciG@cf|0GJ3QsZnjr+32pgMC5o;#3LFbnH$Z#R)NHdm})EWfY%Pm`Xj@D`v)tI{eFb^ zYFwmLz%K(}aX)GM zR>XtrjSk5q`dDPszACYn9vHFW%01$K7U{7NuqqK=9$sN7Ah0(guqq$$>sDyGBkp_t zh`_2uxIGC(VnrYjhzCrsoE3pUJT7qb?K_;FNa4P2ip9^D1`;a*@i!;~_Zxpt)bzR@d#-Wv`FL z2JiM^*|;~Rkyw8$tlFa;gch77HXf=m?61;e!0-@*E~!$RSgzSurgjbAmTMC$bxDH4 zcU77bwd#^qbz8SasTMXo1*#gys{{1Q{eJefJ|Rx_jX$$<2TbleN3eZc=r{lUE-ogV z9w-Kc&sG^N^WQ(aY(3%l+RF6|2vb4noO6-x@09bxtbRXDPqPRVJ0IE;JKvRcZ9Vgmk*^PON6O zZ@F_{a}y<6=ceTbrw0M{xxayIWbW8|r(f{$($A|3d$aTl-e0Jk?J4NoynBwV0f5eZDP@?gbObO6;BfU zKPY=Mvf;CnvhT{3=bKdRJvy!74#YYjn56x5|3|v%pWBYqY=0}ZX|Kb30Kd5vu&rYo zKz<`YVOKL9PtE-HlEOAudcDKJ5AQRpw6t`1c=-B52iz2Hjl}wh(I7V;sxc6|AVr)~ zqpP~qj{(EO3>6Z?p5yt&-B(Jwua@^*AwhnHKjQwx-qz`|Ij-YPCj1JPv57LkKW9`^kRU9^PE^PWzSm zn$&yl<*F4n*A}+)t*WXT9UZklbihsF)<~?67}YYe4gkdZ`H99R^~h}m;^AU!Z0!8` z^IZeCq~=@QgSX_C+Yovn4BnOv-nwMI)j2RG)?UxQbmhI+mVf)KHsWmG@mh6bw}C#s 
zvP?j%2D)g<@3m`S`&a9AF59s390?StR;iUr;(<`Bqid}LF6#pZqtiI0fvyYCNFBuL za9F^5bX7C2JxHw621c!1E?4P{kBV5EHCOBi#KQ$}>xBy!YSlOEG&dWxV~x6-G>kRq z$j>_U&1%(+ioWaTFJ1XOSLe63a^1<^qzZLamjO&tPhuqxuZ)Z|d561fO;lJ7ppGPj zov97H#j4>gRt;~m@(Zl|Hr9+}T`g9At81OpfuO??jNlK8#N>@wM@@RY$?7H?vw_Sy z=E;uMaf%aYBC$@6=Irg9fCaH-NUVq-6|ok|Zxr|5DCxaf+Iyp{?sg)GJ}>BhCZuZB3B}%0by?>)i@HRo6Y-_2Ns?!OMC*h0-v5qPV77Djpm>^>Os49r& zMe}1+0%a-+VjNVEAky0>)8O=UeUIBsM$;={W#%F!r18O7}DlciS?ZHMy~88g!A1u^Lj{t1NaH@v(oEX zlF`(bs~d9rf3~hBBwfC*Oj98-ng_jopv6`L3~t;<-i{)n-((svJA43W$^$s=^XvwN zq;AjhIUE6p1-S%#oO=l3IR{V0t>?_4`LNXa9p&AG;C=K zP-_RAF_i&NrguOix27!Q&)V(!XmV(RBWZdN=bKFWfOkzK);q%7wv^+RB@~(6gp!@X z&q9ID^7*hrZXyqw4u^%rrtS=Wa+c4hp9TJWPgxIBEKgXrETPJn$axLr3@VjUGFhxx*lz6n;RtU1Urm~!(Q1m5e&if~9{nynL6 zxxOrUzOUPb5aE1he2$@bv>=)n&yOw}opFq+FAJmjjA^hUZ%&a|Gdo95Nv>ygUC+97 z<1`I$06$Mku4iYP_-`ci?9m>cL`7tk70n8u0eAy~kHt{f^gD2U&34?_XEt z$8o!>m2m!2Rv5=EZP1!Jiy(xPq9}(3Wr?JWRx?7MdMY#xsJ43l+j9aFjaI8D;VsbFoK~z*>B?dk z%=V8X%dzGrn9(HFX}Yq*Ic{y6*{Z2K$Z?CB;7VOh0Eu&5jYOt3T21nX?7WNSDHCf$ zPC-F>2oS5y?#6>z9V)#Fpl6k9>wuc}%~9Cc(vWFlqg5p;C@4sABi1pSUQgM_B!ZZe zJJ|3HZ7_r!+6a%c(fd(>wCVXNcSY`_DpGP`la4V64`NMi8$I4W8kaBo&;Rc~JpF(F zR~G)u|Nl>WiWDiWqx;2IcU0Tn%P{(W+PFHSH>px5k`7GB4Z=?N=E?m$8mggpL>0Dc zI*V6u+>^nn1Jbk5zqaQ#nJk*T80b|iIxQA;Z6XMt3qR7?(`PVseBv|fe{aa>(P#z+ z2M2oU&*V0kJUmPY$DV7fwgz8;m2>F)z9V5i7nH?!qUHogzpyqqmI5MF_Q^DnSf>Po zton;3r0`emuK*i%1sOJ%g@=c)3MBIs6%cFef~UjJ@I@fc0nJ>MwKp%4o;9WhKM8{> z=!a1|w-QWKV+{<@1IV-ejI1mZGBC()6&9gq-vUV)^=prAs?< zm<=3LprFHk`of@uoRl!O1h}6D4rI5u^s}V`UKwV?-ut4xiM8$<5=<^7IJ4 z64+UNLyB!ur13O`faM=+0UARSfRy=q$aOlhu*~od4_7o8taGADG*<4#%kzFO5rT@oue&! 
zb?qLG3zzfPXyW{5zY$%aEKg54s#vQN{H17&18w zqN}mqH6JvwI=2mcEcZh!i(d?eXQxTL6wJ<;Qx|KYl&b0)FF`vhjd|tys1irJ*b_Ks zaeVsLz&WckTH)uR;3ww<#)um0K)<&3qQ=A;hhK$uvfIJP599wt#A+KytgJKnE{qnb znAn!QkaIzZNI$80H;$SW1qmS`L3GKXnU4^L=X5DM+YC+0buEJQU^1eFq%>GZ$um~4 zkM+bloL{E0jg6{6oi)J@nyfIOOhp0h&Ov1gQ*#R3h{Q&%Y;JyZmddIxh#}V~##oc( zGYj`+qeU4^$GB*z$vQeVM(z_vBL_2f9Nl}AT*3szs_zhW=;03fC8ql$4QD6eYlI!&E{c`-Y_Jtx`s* z31td>GfY{0T^j%+);||tU0-rFtn}K)rPuz~Yk&HSr~lIT&9&=GiEw?<)zE?~!FiYe z^?3htTUs3!>;3jLYO(GpRX7CVL(4gCi^hdm4>l5Fo#hjy5r}oiy%8(58$`4@z}V(X zXEWm__+;VL)(qxqgvt59igXsQnv)ajefhk4eAv_^FD<21XfaV@g<;clV$Ht?q9g;e z#iCVe#}TWgyKo2PvPJa<@>6nV1IGmvOZ6lctN&J=`9 z=7&T?M1&E>B0QzYiCHLQG-zQ^meh7fVkHqZ-WPqWSHKxjPVJjOL%VcDt>o#oGIZ13L@>C_pWa|h5Q!@x^Qfh6ErmG*Lq@+3D z=#(-~>zo!vNS4ZJhUf6a?N~2@$pU9VPIx`@{M{9|s zE_D_3EV0R=uG-^dTZ`e~k|&;y$eE-=c_-G<4)V;Yj8w*$smzxQV54j_${}+E8yO<$ za_T5uSSzDb8Ivf6UrzO=`M`9lGshR)a}PjLKF`VOets`v%2#A-2# zS8&|#qVgTF@I_HS1I=xm@Y-d4Q3;8+R9<4494NeLC}lc-;!Rl8LON$AG~y=Kczio{XiwY-&TT zl`#64lCTDw-cGQI+Jzeaxb3Gv2Y>jR$3vnMieC9=^gZK9R;yhoY_izE2%?JsF(R9NtYe|$ zeUCA#RH}E_P*fu1f)#~tL1J!J&~AUQj%d6?4dXc$FX8y%L?;#y!x!4xaK?D zVkCAb?X&`dl7(wW!I~3>XZ}G)$No1s?u}+@Of%wRvCuAR%@H2laPuQ*?}mH1nSlw^ za&y>F>`jJ+!cEvK4fatff7|&HF=4)Jo<628V~Hl_`KT({@w(akhVB;%K*@n(2X7%63_2ufI-M@ibGSq?h~Mjc^6+=W;th>Z>& zK$Agq*^Ze1Fv+Kf9ge)RM<_12AVzY6P?@Ztq*>99qRHy8y55votW0epVoj0TkN4Tr z`|Kx__6!vXZ~#Bk6!w%J`$4Haq2>Fvc|-rUzvrVw{`Br=3u)Xjy z{X0x-eFaclOSd&4xVsZvg1f^IEVu-BcXzi0cXx+C0u1i%?lQQ$dvN$C_rCYN_o{xV znmXsqIZV^Nd-dL{_uAu^LsEBuvZ!!!7FyH@$|Ck*{_Q!dIUgPw;zor5ZqJTrc`W>4 z?E;?9sLNB^pqB57o_XWK${8|~KiS-BgZk>jThArXO${MLU}y|qkCdvUsw4MqMY zM^#hP^K7|3wDULef3YB2i(C$`)u2R1z^79DR)sRmD`5y@&qOcEN7;VMHO_@N@sIpN ziu$h&<3t&t+w+PZ1$oyW&C5kB>Ban&T42U}I7iyWKNS`lyMLF@LAi+&B&`-=$+N~m znjQQSxlr|1XLZASSAlU>?RCv29P2g})E3dlHy$_v#VUIPF^*CE9!&fyhhS7jUPfL$ zfoCUvzkpY48(;<>jrkcn9L&~{#%Z8~6CA_;@5z6z2lnyV8l;$>DkS2SXck0)fv4iK z#dM*ZQ%7cP@mgOgub;I+Rlg*uP#jK~2zOfn_FQ+@x zpdeuz(DIn~XKOhB_L!BD!Z*Q#op*s$5Bn%5J3kwX=kHAn6ls`Es>dn8$3KZ0c{;2T 
zq_3P;NLV&==q-f341c~W@VYBdh7I#;nA4++f&FBQcrW#`)va< z!y677qRZ6QPX=9jjSs$T>V+rsM*kvT*XdcQTh3tLaOf#MRJ}sPJChgOx4IuWw-g8oBoPAciqz3AgQr@31t#yA{u5*`X(V3$-%V+aUnk4g*(0*E+vy3JRuAe?Z=#ZZs! z!_E%mVO>$)+cX{j1m04lcFrrZtN_|V)wyK-lo!>OyI*$T8)cu&3PdL#=*NUNVv9Ix zhNxGTm5?0orcz)5sMoB*vFIMxn<(mt3ADK>6nT2}Dl0HZ&Be)kL4@2G;c|aO8^)AD z$tb1*8YD5=NAGoZ8clZzenRpvlxVuyIy_+`0;Igz(B zMpnb$@iR$r(>QovkW-fWuS_fAK{HM{KIJp>EiIBpx{gY`yIPv3gX8U_Cb<(dLi`wa ztsBix%jsx9nYDKIHSLoR&g=BmG0ZPdq9^JDMKqz9C#TI*yOH%JX=g9v>D0%B$E!wu zW}El6hPbn^PnTC$SNHe+(+B+@T`Vr>1UCoyakPeYs*ebj-(96ndDmaz?cconxJU&L zV0Xns+gE@6yb+x}G(4brv;T55Z*G%$0<^MlrhDhOJSgABppol363w(Q129;lv$lRq z!?0}ZK5SHcSaI! zMAE8IMUT_9@63nJHqHS%%Dgj*5fh}FiPP+|W!WFj^l017ELv&77NbyQPVh@-T7zapY6W@;UZxCIFY?wCIA8^g z)J2o$Rl;gbLn~ALV|vMzPKi15;&gd@dFha6IWswKJLRfgQtvhMGwtC*$G1rfk5Zl) z)rTf+`<3dwC3tm+zuIl@3}W_F(u|F;F~D)L3MmXi(%?ir_4BwLEH{nx9-_3UM6)*9YPpSq6IBKT0?WO zLm!qcVkyiLbU=fpQNe0T^8jxQfoDN}aIMRWJ(R43@Iatt8NMrI zsEBR)Z^zrd1dlU8j57V`iD-huz_K{NesZ+DOrWbei{Kw|3<`?xi&&o&gZKv>KuA+)z9ovlQJsGn>N1!$Ni5s&((yoDw(FR0@3yN5G=l zw-mf8P{@K0xoI8uz@F-SI9x`T6+1U0Rk3L%e^~IoaQRx7||eZ$X*aIb2WO=NK>L&NDgk{2266I~;#IX?KX zH2L+gd6}(LUd>6*WD4u~J{M#jEfw{2{13rnY~H_VL#Cwh0p(o8ejA!7Nfs#K@Rhu` z#Ep0)+PSni)Oz|b0K)VIl#g4^`TC6CmoP2_r!+EOiFNr%XDP~@g_6Di5ooH{SwF~| zxi_kpL!KdsM)I=1@Ghs+DJphGVe=B;x$pti@*V~6-?pfI)~s3r zWrNqHn}i?5pbNPP;Xj8a>_g6y9F~nreKoCZh6|5>%9=YefUyS+>v)|8HB=S8Bh?ju zca2jpm#7%DA$U`zmYpv5b%hNdbWWH0Y?*NQa5TeQFpM>M=Z3Rn8Tz~DfYLddrI(!g zqnIS4w5IGPkz2FUPsM4U8f}&p5PnG`M}P{oGFwdm?`PZl<+QFY42o(Ee{|oP1SW!V zA)V>C<}G)VPttgvj;Ed(lC=?S)Z!_SW{>680p6MQCZ7YAs}w>>l)JH%nGR+-(91M| zf~Kr}{pCy2J98o>UP9MMf+-)wI~Zjtfji|~m3h@)suMsDV_;4JXQAaRx=d45246^*E9LY_|4IR6H-kBBvwBMlY?jEJW){xrC1E<^ z=;Pt-nF4C|>IEVbn$;c|n>b3V&FAF9MREx46@Zp_8Qe9~SniNdKV@ZjWK0>EszT{? 
z^Cd;mt}8zFmPHO1T*iB`skvLYk;@IciJXxuDr!XIJ5$^VWiecW9J4MNz4=}zfaD(d>*7sDo$Q8J|2kS z@|M%=3`_p$8Cjj0y2p#IF%=3ig~!D+=h?YUff+!L!JU-0VC$+VdHq^Lf7^~)7)!5m z#{a{=ljEA7E0sg~ns{>WfeOy}S#1mYGkHF{JFGzk-xVcv62?OOjK3 z_)vjkEuf3wz!CN5lon^&J3rsqQhs!ZociFKKDo5HHdNq7c#F_|@g9-Nz#xp2G@`GS z{N^V{;OtKmM+qBO3?^41nNU$VU2@h$aVxE4-pDMVE_*T*9OpTyT6Qg-Dklm2g-qZV zU#+psT!T6G=?ij&YvXctIpb%Vo@Fl;x7sSbcs@f|F{5l08Q?Cm>7%HVvgI7FKHWiV zuw|2G$t=OzIv}@;tko*g*{rX4CfPX~)AQ@@OXOXQWE9_ZV1N~*=$H)`J8>*W6)KcY zMSO58L#$V{)K@m6Kax>@0^4O35{eX$id_>4)F0e699gV1t213&hDR)Ws2vrm*P5-y z_+s&jQv%=@)`vpLa)^+ez|-g~MO0{SBGHtGU#4%Yh<CDs|>O;L&At#%unU~qoLlvSGJh6I6X1PG)S zE?dz*$%hX2kL>Fo71)0c|K>CN=j1K(i&ShfrPpsxj zWHa0mL%fZP^Gkp;)0l^;rCW3{o@K*P&Lt3mP!KY(&#TeF9VF4Pg!*e*kgJc+Y$o&2 zQu#YGH=wyUQ3G@Td4R(^p;~J4bR{J1G0VONS^M9I`Uv)<%4g>SAF{(;Ww9~)2!D|c z7qB)))IwIn{G>m;8hYDsxEiMz)Cg8VgvboKoh9G-(Qvs3~@qAcyvf7%98M0Hk~mxPZ6%o^;H?k5$hh&BN?6L6S{q z`wfd_SnHbf_;sq!y zEI?#<;lyzjfl^vHM0hf1?+uf(JQ_y&Lp)NV<#-~o{b$W_>O`zDWhPqdD7{2991O9F z^o^)Lbl^UE$_qKoJ9$p|-}ZA`D#*^hT|)?#)1HqZ*K>yodkC%5|N zTVsrwrjk-N$m)!7rPuL8A2La0LxBi2KOF!+x~wgy=|Rtat#siyI+vsDa74|^&bcz)6IDiG>air2)d zQv3uXH9h;z9fq2cKsYFjlXmp7fgc*kbJa~3333O=Ucb(yUgjqM=;M6))Dht!L*4c{ zLif_;0Y4S7d6sS4M@Rp_<%gYGz4@uaB6>SYSTbIZn62H1yPq<;`yKL*FE}l>dEq@H%BddtBOh=e5yy8 zU_$0F#*g7zSiO~t@_Vjj)k=ikK!2n+Vq=Uyfn90$2*icgN@er=1uSNT3yT9)-4tk& z<@XM$jaM%y)%E0xT8rbUPqv9CvevDv*F*8)xp^jmL!QdSvI(E5vdFV_h72w;sX zIFE!dIXQWuLbnyH!Zl;d!xhz+Fv@14WnxMh-J?sEe%;I~=z?PviMq@ehik`sx^Azg zYcT^uTo^3UEos1CnQWSB{9hhvJG5HE(GUwvAAN$$vM$%a`A0k3{Qo1D?qi|}xh2HK zegDsA^0=L9$jC%O{RdO~_;kT3s(b&u(M%lxCExrDK6v!ukMMZ!yqYFq? z`ZW#DIP2YJ9~$xBTbBApUhXw_c@64|!;#OHRt~-)x`CO9@G+`X{YhHr%Aa1}j&+z$=sI^?2j>&Rao)>P-HgAc z)-n?sIsvDQ8w>z(5OC*@{5GI$G(Sf*;pflt8KZrO8@~@e|!!nzsK_auj5Ok^+{@E1)>5fHV!$HERTGANu zKyiZ8m4k~eSeaiM8z-@*`U(Tir9Rvs4kLnNj=7-hSHG4F0NshDl_pg~E08;t1fx5? 
zg%x}EtM;v3pVf5VOZ+^4(Fn2UZD2meuL#P#G90AGWNE7%4uisDY?SsrKQ9MHgqKtVBP!n zSF7rYa_+lmK4Nb<{gT;g8cDN4wK!hax`EFff2=}0sAo9|Rq58|^z+5RE|Wtvc4u49 zUvTOBNTK#p^zXE+P1lT8vvf~9JiLd~+Q~eJ z!GQt04?2Hb0`$4<*P)2P>Op2)!Z4b&19B%byFX>yxRZZkXIFcZLn6SU((-hnL3e?9>^h@(9Oa})Vn4E_&MSCQVlf_u4?s-+&=`HlH>N#VA7{WhS z*!plHeXKVpJNag*`)ZFH(MvRKhPOJQvkycPnL#;5dgdLxvwhDd41%N&`I?#x^FPEk zJT4bxw(*rfRKZY6+`PvF49CCXciPuv<;$rpop^4Fdw~iqT_H%K2f?HSy)uD;LP8`U z%uW-z6Fr?JVR`F>@BW?7W9bUN2eY}!**F(V(b(sV`c30up_8St!GiNPOAdlSJy;zG z05Z(SEJ$d@o2DsJAtXqHBZ-NtL>M0D@Fx416Vcdm2by=nf*9!O(N?VJ2Z#tr}`6) z+QMLR@WXUWn^~=@w~!m_ATUk?NT4K;H9ymr)X(%F?(%!yY68yp`1cf2?R;qxy`TUn z3U2b<=>SLHBJMSh$nB_LY5jcseF(WMxo|g3A!M$gHVGk5MZngkklVk&KJ*7*pAnj7oR3- zRFg3F<`W3j#S=H0Z8~l=tw0Z393hvr<+M1?>Z98ZpI>&sYs%CnXs-NXS0xY51kRZS zLUK;R%c?ZAO#N)`wkN6$*7e%}6^6nO;F!b~a_0!_Q& z2R-+`=sclumEJZ{#kzNyD4iFZiW23aeL)(;Vwwc6h+9tJRm?dv<>C6zwMpM{UD(d{ z=O64=IhajfKl96#t5EnCHt&SZe|Z7}0XQ~OC_k9U{$bSaxHE9J(%AX_=DiPqMcJf* z`$9uQGx$RT|2MCg?h-l?E`%6wj>b~k+iUN95N5w6Q9Zpb{LuVB5vHdw1pgi*SBX%4 zaPu4=c{$Aqd}PKLLx?yhowK(dQI;-|HjK&AXPm?$0zycga-}loGjb6l4nkMH<7beM z%P=N*^Mmqfbl0Bdy5i8@inH)C)a;%g!rGX zlP^cuRPwtXC5)2m$|;-eGl1}_X6?s6MaML7)&ln!1n%Fo8mh&p8iyF~41&(FESKnL z{Dg|9J4@}LuvhsxRx4|*ueogFf8GzvrVen>jONett@8qCQhXR$y&0exc688C;X#}} zJpij6KSIACQ|(zVL)Fd6EvD9)1Y(&Fm2iCsW<3A4PR!r`{ps#RAxGeI;_&Vcga{8b z0$7!F?@q#A4|`E0PGUujL3mDWWMrKoc>eP`E+7Tx9B`-c`-8RH>oCewm^jgtL0`xZ zF!;(M(T~KolnJnTCG>tEs1VZN9LHWN;WxVqMqp9#6hG4 zly?+AQcn#|2ECiBsjvU)Mf)&ZLUH~1%K|P4Lx?fTGx*V3Nwq(o5h46YYh343mi-ZW zJP$?EqRT%`NB{H-_QQ6M*y80JZF#5{HeY_FjMHh*8Mxa{2r(9%@`U3$V9Eyn}UE!XDIr4+F{LI7tB1zdJQm= zoGmHIZnaNMHFF5&{kh0_j6gquVnY4PkoEBhc%VX>6-`Tm_YWcWztI8=#D8N?oU#IIoWJ)j zF#Po%D>VNWdm6N;-mZZIUliEnRAWE{U;jHU|KvXWuXG2nqxp#i20D#InTIV5>~>!I zb^y<3wuWj6{ga!v-SfTzR4&CSid(NtLY z2a4c91=vp+L{&CRHGAEo>g5{MhP@#{K~Rz`l+SNBb{rWfzV26R;^uEh_MOk8H1}`% z{?!-NNO7D)q$Zebh?){c;xE5Sv{JS9R&YojFE8BAG`w2gZ0_sxGaK#KLptT4+gpE3 zmOouMYU7f?5RbOE^adi9m6isS3O%3JCM006*n;DEH){f87Z)rH`0^Ih(UhvHDll?; 
zPw@98dWpT9`tx6Brq*^WE_swoW^b4%hYHW7j9f;yi+MhzVDZVBN3oOHS0^&MGJftz9rO#eHYZ+Fa*do{#fhGv@uqjXK#Jo@?Gxe%sfn3nV>h zj)%T)Oe83Cx|_CsNtKk7d%c}ixbu1ia}opK7+{Sc^FtG_TO#BP(m*}fHGkNNC8KcX zthl|ux7W!8T-4XLM!N83_wr_^PP#5TQKn8x*~BUjp??>3YPewwnmrTMKd|)2k3$ZI z5C_l3hw3UT^F)_%|4124eP$tZ4rvKkY-7>VmEMdCTQ8hb(c_gL?Tt@A7oPhla1~CJ zx#oaxgSrm$Sk2gTBcr2%3CAZV%=#TjHzy~vi0UoJqsOgLF&n~#6(wZdU8U-kdc;I^ z99&#>%XRQI?EP(-vc+}1cayJAE`6G3fnF!W4O?Rkqcmi7wVe%PT=w~ERAaQfxs?s0 zapO^-ElgnV5u>QLH3NxhX-;}7w7BD>%shCc(}My71A&OBXWD97Ddoo%b@+UC8K%bR zu#^5cZ+EScDU44G?(Tkfwo96h?>`A&vm58Om81gePx3S+|5_t9Ka?T##`#BQ&-iiNrl*^b!*?epZ>1 zL*I-H_;~GpaJ}L6N|jIR_w+JqEyN3mlaTjZ@K| zbn(95S&P!Xje6q3Xk6NonTlW&O*8&eYDB@`6|N#1p&1--p0767{{Ah+l==~O#fFRY zH$A4PdUfK}(S&k8CpK<^yWcf?%yXNF`(CJse~-+nOf@HFcF5eagpGkUArefwENFE# zD=tn^MaAXo_kgiae2TBJ_E-$VbHQ2cep)8dR#l(SJ}w}Up5sooUwGfolH0O+_H)<{XZW(^f2;H?Lg0Tm;b&zB0D_#hj7o8R_zI-(TIxAboR7mgLAHpbr3Z(oBgR8$2)+N^Z+9iS9nUVrz=gTP_;sLsYl_mu`)FwJUk za(8$4TZL{@E$!<^g(GCI!fA;2cmR}F+-=16rdy>1?(vbrecr@+^|v&v$w(npnP5TK z@B6?g{^Sl<)?@&tZ)yBOs`{D6V`(0V3g~MP#3bdlbk6sL;wD$ufZYow&4PIWxbBHajPz}^hk5t{(4|43mXJL zth`J3L?+xJxjl*O6DL@8dfP=(`?SGp8FVU2)|NE&dYWmTrvc_}VtIu;S(~5Ys!v{2 z#UJH1<>b~Fvls0wY6!K@J_6l*XBj&W^h4fm&p?=3SNF#)tOk1Gdvca<$xp@~bKmw` z`3L-uW~kD58XFqE17Z96luLzmck*dtgID@f=-YB+UwwAE5$A!x`Rbxff2RDNhXspN z|EozFCKF%z819De8uV}MdrLr?i2m*4a!gI2R$&bvycn4jxDd@=?#IvVcrx~dVd;b8 zD_Udc(+XQnRD0gi6-jzzhzP+2Kp--M+R!p3K6mCgxGJXe29t(^=h8-R+?&}$3Ms6Qr zdDiPriH4FpU$GgZb1UCpD^78Tu8KF?q;?r6d$;V}7zNjxSzLH8_j`;f->B%Nc;6;B zdu31?8J6N-&son#M4N?(?sGR5pFtHp_c3&XKSP7R3}GRbIggVy@1stnzqz;>Ea8h( zMzSMUe)329AZc z+Fs`d+og)R#|W11^cCnPdUM|r*{H(Vh-J!6$*bPs!*~{xiTM%sXHiktE&l$ru&nU6 zs5TfFn4$NbDQzhn4NN+3Sn41>;JLguv{vOFCU8Al7_##0wBW!Bql?@deYc%T|Hr^n zl-mNmOa}~?@7Y-Y{{El+)u26DXM;RuoUpr-nedAtWkzF-O;ANe#oV0A5P^w9!Qb^T z5|>#BSLe?@>)ADXkV2p}Xb<^~cLO5@fTw1$q-X)p{M}$p(E^#7(w~?tE2RF}T@(lM zPnqDZLzNo|?_H+v%WuGiIpCQKtJMEs(9y3|UCGnof#1NcBh@xra>DLvbdpZ3*bTUt zd#w*Hk@(Po+|23x<@o;WtKB^()Ps|MYm1o=A9oY9j0XBJxJ|wvh8aveIZYQ$&1LP0 
z7hbP_u+ies61j|j_sBwjHM1IA8ue8*26rDayGLPuy)6wYq%Eb4a z4A-`**TVlsO;cDs+1rJ$wQ2+$bZYl;h_&jQJ0)9eGb9A2NFzcugrcv1ALTkMrKcWQjV=%l1y6ulob zl#m}blRqgPx&_fg{j`A2HI0@crY63Bq3Sh6=HtT?zvK607m_~A{Ye3Ke1qyUcd~_^ zcgpkg9jEMD_mgl8q7T5_f}A&c5F3Cjkhhei{HQ>54}db=>c|K%Z|+0{66H?Fogcj; zU8}OyrSH2a$KM&VIcWqK=A*4Y1J1I&9hARz9H=T%^0Pm`pRQ?x=?B;Mp&EX7JG1jO zI=3`_{@TEn(Xk1vVI4C&E-BX3W-{Xtva4O_KrtM)1}uQdv=p>JOY%G?Dv>Jlmo+{rkUFthPtZ>X3qTRes zbCsy9%avKi`lW=6ryHv4wE$T;IVs8naM7TrMFcM_?85$jalGy6196w8uOHvi39e6% zb0f3kA82o0c^!&O77+|xSuJ*R{9vJoR|`x0GIaH-LI?Pp`o30@oXsXn@4w zb^F5O{qd4CdUA*o=vZa!S?{4W0r1_8pzoBqYTRu*SdZjq{=C%+3!8Y7jt$?tXM((1 zwBYI#5Ck~X7b2qqe7cOh_B!afp-NF-Z-N@X-o&AoUne7k99}tC5%*d+R2Q?S zKwPT}vEvu9({;F*e8(5!0$yO6A2u+$I1AO8P}iI+1mlgXFCZ2pZV35LUYnbni<3`x zbwM1WT?wBVqAHNmMm^;T5~H@Q*&e}R59ajc*QTE;;zFvi{6OG0@$%L zF)+7M0rp=tC<{HY6LN1n0I4mhskpb4oEHb!-+*gINe%T!zN12_(A6Vs()BvsHH6;~ zv8qm)pbW>8sTOwk$1|scKPcM%61cUkYTa|<)xpwPUPi5S;agjINjSJM7giJ2uYs{Q z8@0gF3pqM)s~{3;Y??gF+PXa0Bx&kzYwZus+^=oP{(7?4`S_Zzug>fI z(~51dMft_6m8MMhQK6{Y?_Po=sq54?HEg(`8H9~ zyP4~Iy!8hj`vG*xu4fW^J$?}DyV_oTs*IUa$j44HR7g}}J9BvyN)Tp`1H1#-ZN#QM z6Yfy_Mu-edwr{6BeEIT*B+`XRvPkXfMK3)Vy=+)2I9>c*npSw9sQ9t9vJls5Le85+ za+^in)2DDdrgYD5aH(&b`CSI_TTE$EPQSD6&ibi79^_a@uiZ0j*fsjUTnz$&K#4+h z6?m)&CL>+v{+b;yH)gv(19wV-buRT?M>}TUhn@#fLoMaUmo~0F zI*E&!F&9G$kMe^INy6Dtvvk7|OK#&`%i}S=iKy3p?-9A@${b$+>suqg%V=wBFyf4Y zizT3hnTBTi(wH_nVY~NH9uP z*qz_ju>StY9pBXXXbgk_E?(!w0ZcRJ&!pJrP_Xi?AskuuJx?%dk^Ru{O#^nkM@*6b>%LQ zzoJ&qIYRJt!rFYnk3l~0ORh-1$3^=+H4V+t$_MxJ)kgu5Te%l3pBmvD%q1J93n!iO zh1M4-%DSqT$Myh~xYNXk0;yHLYl+9dJ7UXuKoiue^z@y<*j{n)_wdMu7=lIJv2EEm z645doJ_olCYesi#HQ~&YR=v5`QV-A2uSs%20CO6(o~>9brPaNmGp8_E`$3YYa)-Ea z5*-GaiG-T0`5lE(Dc=68`2OpDk;iR(RoNmZR^|kT{H#mt=}F4=I%cvCG3WcS2Yn%x zRnIaIvfKw`$nk54cO@l__-H63n@SEH{_JTUfD4$PKUC&cnxFbM#KoyFjyYII+|dKO zd&jI-&<4&Yp5fLaUGUO733>zX`sr(Gre|g%eqebLF6nr=9-Rt-r1QBy*S%It8>PaD z+;ZB~I&ap6&^R*L#2j3l_YoIMZI=+`#XLJZn{oJexmU?7u=x%j^N9`*VGSYpyw67nJ~%}* zzkf>qg-pW#WIKG~8kJe3!u1cDWbwR}vy+n;IXWKDpdf^cG!Hn{cyoQdDYEGV@;oyj 
zh>ec!4kqDK`c~SaZH_#@B7*!!v5;cUf+m;x>#y`@4%=H)cgEX-%~=BqlBPv3nZxp9 z=FkVKDYz*t)V6MH1p1n8i0aIY3`pD8Lm++aw@KX#^*%9Z*4LRdOeFf({OQRcGekO3w?iopI*H} z7>|K7EVK}HLohEkknhJ5zkmP|l{>hyra-)Kf1Ve3i0D+(v?Z%9Sr#U07&O4uQ5=1I z+A1qi<)=X)w>v`Ezl#od_0yr&VbHnmBL*tspBG zSdT%O6;Xkuz$vROJk2)$^$w1$D;0Q}7)CbiH{NKjnonO9?AOu}oyzS#FQPX{1SeiO z2`q?nnfqAfQu0AhF?paE>6NMVC*Am34VUVE2`%8TTFFu75hz{OeRox_kFXFbyx^@l z@Lr8KkHOO2@`K4r#s|DwO6b`x@uRhxKFbh$Q75pSuH7fskiDP=kxJH-t~XkzfIuK9 z)w9!6+3Y#?y3D~*o{SF!E|&!ZC9QA>ndw(DRrsMFBj_p!VPu*(&e${PNh>!dY+@KY)WuvfH_W027GZ~BTD-;Er=9f1=m5S+r!;@g z#`rp&cOhu9%`=|mxHc8Bj7#SZ) z+;GZ%rXYXR1{;5&*6q^a*mr+4C@FAuV7e?0HfVZ!T6Na3M~e*{Fexg4vr`NsOSh9X z42h+v$|q%t5Dg8f@cmOfi<_G(Dw>=31}w^xjxsl>zW(-dTHP%Av-eH2D61RF5PMBo zqd7{+aIJ-X;X}MU#v>6;d6$RweD`JB2bxy!Y(TxpfM(Naae-F>hed|K1pz!>xH7RV zJr>Z6W3v#R3Rb%?iQe?%)B^ppF4rA=f%~Km=Mx#C=oS)P9CIhHbB@RgPv}ABKBSa^! z`&sGfpP88(H9$ILeMj+P`vFr1-o38rAGS@znZK$*r++{+_tFrzT46Uzf$W;*SMZ|0U#4w)W_K690yX4Kl)S4&v1u zKbIr}j0#v&o*;x(g-kYmqo*4;Tn7$>s>6L3xGfFfaaOAIf0(U}n%#4%zL$ow%qpwg zHRnmib7Y2d$aoWpM`ByCsVJKHmeOD0o00}8>3i7^3H4=$xmia-%0=1%RdiZ z!>QhN=+=U7B(-!K2fzQl2%Kki&C+%U($>_}6oLAZW0RLFV(;q%j_pFXW`4>LL`%ey z4kaSrDjxz-IR_)W?iUZw&UCf3o{+x8(GVV%Oldo+b`2OfI9$#u0FcSxu1!9^VtLUc zfPeqCgfN#^b7!yOGnN_{OvMd#kxNWAl+h1BlRk=T{tCI8?ce?1vyHR=Hn}IFr=_%N z|9tf++jyL7z^DCCbqe%JJ3@@Yv~#_sHsEPFCBpqxaViqr1+?X~<<{^gU<0d*JfhP8 z&eKhr$V{+jLH~szL5WWDZKJs&!4ij|zE(en^3vnQ%FX8nL7F+HZxNzOHFsZmnf`6i zud26Ajm*)Xfb1*APZt3x$P=_JNfPEP7C5J?Ev=F`NNnSSeqB4JF`4B^gh|-#NC{5~ z4-vyf0$n@sU@1nw{kMj?*qVP^A5evJz9ca|oqOuWP zJ0_7I2Ir)a&8nF+vDPSF*GbSED-0uMlZ|A8q2ADItolQ7{h+;mzL`9T*VNmrGG~-G5$*Xp+sftl91ocSqUu#`z!{*+J&x*2{Z6|8Tc<{Vw<0{>+5yLX78?GD2{ zeZEz58LweIJU{13mj%ZlIYKr>8l*U3(8blle+^`s6Y)FPhIVDqN`%nC)(r{HuSJ9M zq+E{pA7lQXqkqggugY#2CpR-wnJyWe$ssB#%9d^uCpr*lh-CbL9$cy4xn3(o+OAe+ zs)-Zq+WYJH;h{;QP*YD2{OvG*Xuz|A2`{9%9>s3G?dbj)yhiFU!8(c=u0f1VOvJ>* z^o+|W&hxvU8{qZg`4t&fE_i2BXgZUfyFt-a8axTBXJ=*oy?LMR1!iLWFT1(6n+J%k z1|;JRu!N8(E$&=V5|&)z!o*jzLi{@3-Y!_POO^gfD5;@Y7LK+A@cP(8U_DxTcdzN2 
zVj3C}vTAp46!a6ej~%q8qNlemWTd746bx^fI)m{dvCRCJ@CG zy@x_2J$;+>!|kM+zT)64iI?AhH7NJbc4bm%$`4W4d{~ z+lk?v1^2DB9G0+L!vE|ERp#_+i)lHR$Lqt&HHjy$}o)OL35pun>v4dS~E zoeh_^m~k(^A~XfR5_F+IIseecve3OzEgfICS z-9au&^DExIJsf?_nbaTusKn1QrjvrSaCT3LhzQKPne4uc!H%}rA{nz0WHZeAoWcs| z?KcgNRKeq%oY&MWc(#3fGMHk*wq5&d!Qd5m(=q}w^RYgexTn@FS61+;dCQk4L?S>% z$L<)YimHj3MAR<#ire81>s#48_S5}M*@;PQD)UU6DXoEx0KKZ4I=Z)iDOO$P^!QS& zq|9MdBm|&;u34gm#y*{25d^Wq=WYm@-g}h$&KInfp7Yi&oma<>enmnvR}=YTb|*m8 zo|UbtFiK{+PY3+exZK0hrdBrkgESK{ak#G>RT3#1i(wTkLV{JEA3VzF zk8gE8aW43Ot$lS+l;OL!gh)ttN+T(?GzbDqC`jzmwRAT~i!{}(%sT6 zT_TbadS3m0^PQP9bN)N~$Ik3K&%FEWzE52Dbzk>$t%m94RZut%2HA+Ija~9qLSlJ* zBD{b2#9;}Vc;kmI2CXxCFbpQ;#@yy%#SM>)1O)!Ml6zeMuZnr(+e*n{t}gJ@H)!~h zPN^$e#jeE)Yr%w}($c5d`p8D&x@9Ji*SxWT`JZf*N%<_H_?EiEy_$b)cJh?%=2u!iQTSdc>zcgPUynK&+@ z*=nx*$LQ(gtetxD?IqT%@G&cf{if9kjcm#>=kmcZ1RmZY6}b+g-l(WfpJ%{D!~BW7 z2$P40huiEc`!0G?KWV@P}4c!9q#QtUFL0cnp^`v>lIh$nHAu^ z@8j>omFdWbO8aiI$e0S|PsS2|1!vR7$BR%z*{8Br2GWhpe|$OjRof!5J!s_H#iE>E z_qLc)_}#K*OFDQqE|YQMDFvBud<8rmj@M1KN(Qs9^0U}GIeAW7P*%o0YaXtC;3@{; znh7mEuprmTi+?p`F4pfbjH3$>nwBOKH_@@26;KL0BmC}5!$3@0Yj;?- z<_(={TVr**qq%yA^M$laMw7J$_$B{gw*`Et_#| z`1odyvKN#)zB~7Lls|UZKGRl$W&P}|pI&Co=m`~K^u2y^gqxVr<2y-km=_tk2vmrU zzV1@SB>tj?_)!xUC;+miRO%&rlit=J;dH z7ryQ6ja|FeJS&|^HhuY-CleWYM{AVQl!Yfg0`7uYb9|)X9N`~!^Z@bd#(w}0RwJTR zCOfZ^y+iCfnAn&cWyauKWHZrx$|+FYgfb|PE_0)xNKxHB-RuYUR+3n?y`ubbz>^OE zr#D`$jAmYayus$3`4$YG(->)PFT6!$xMU*S1h3kvW5|e2xyUSDo|<5kww{^PJyOZZ z$Oz7pyAgA@v*YwGa6g*sapix|AWrlulN~#FeVJlVN57DQO zjh}7DhyyfOl>_SI_<2EhNbmc~TABS|bihMx@z}dDy}@~iN%nFlR0_(b z`k4UCEpMow7H;|iBZToa>xA@vb57*`&Qqjmb{8}DPt4@B)wsWCE7`gRC!8DrV*le! 
z4z?o3Di&g%uGIVJS%6u(_Tei_s1I0W7$t9YJk2fwF$(I>XgGxQ7v%GpDC+ zap0QPR`^thcnD(xb_8tp*G}r%iEi19dlOv`akv)-Kj4ojA)$H|9M!fB@U)%$5dwG0 z-6oak&P~b4CZco{6JCbQ1QZxIPhLTv6g#Ai5(o>&-pd(MQc~^{NO*GRWE1np!X7_w zMlBt;Qxi%f0E+~RE`JxSP?79%K!1SIXuTkIeaolgc_?Ma_w^)w(2{TN{h!(1M?KPu zGkO5-`kY~CdK3KlsxM=qA&N1Z3fM#9S_K0$jHGNztwSK#!nMuV(t)UIHjX>oOBCRR7q?}*4_Z~qVw#v;c*FCG&OjR$|B zRuQc+U}@pz!%beRLCM^6x$ zXGLnP;8XW2AgJ82@6daUy6+k38|VVdnd6YZ$RsPp>`Hoq&>LeBuhDO9T8U5}XpB6G zB`JDWmRWa~vMCXou&{ku2vI0c2pa&5{%Ck0Y4!EqxUA?Cl@$*S&6$$VLFjME^-xQf za19R@myW7G$I@$?io=22OgDL32LU5x zpcms;(UlP^CdbZM>&rF*-1@+l2;U5_7bjyge4DbV%7%1r3J3~XJ-n!$rr~)AMABpZG9*mg>?o3o!^a~2bEOD?1w5IpyzGB}- zV|dM2hZ%Y!FSR;-8*|RrXD66teB}9(J)xmc{=|~H&1`qJ_{tR1&Ux(aayAEDx;qP^ zCdu5zMSg!z_^=Ibl;*A)sO2E2bM*E`vR^_j+Ciwj&TH2{u~)(kl=Ytou`~=?ph48K zxc#wxSQnnT1ns%MDB+|L(8|k84P0&O1qJSYB`27#IaS zwNS2+k&&V`sPApdfHHAvs*-sraJZ+XJyr9i(z*Cj!TQUR&CMH` zk|}8)nt1FkHZ{vbu_gMH8elJiQ5ENnbqc8u+Q^%^Jm=N8ku441N8&EBxjrG3T&>;A zcQ?Z71_Au@8K4jT$gUWX!X9dSHcTl(v`8)!at!oX2pS5D86!}7J5kbei(P;k22_VY)G%FjEB^!Ggg!qaWy z=9ZSiw&a7d>3zB!)6p7;Rw1kEcOL#uq+GxbE)OWo%a;+%A-Am~@tJ^1)+?G(_l)cQhZG|*1 zY9&ZSiZ&We9M*T8^Y1r>jWfT@5(!3q+MJhK>-S@W$H#Rg?}N0TQz3X+JXquA_C5VK z)&!W5g+!=?hA)~6t!vLK!;bI^bvoAcvva(f)sDSr4+lv3D~LKUm}&bqN^Wnc zgMddeGCt1H6Ko!(@Da$5;f23I`Pi}^XXlr@dIH`w)3^>t?%W#kkLFRDusE9B*xv`M z8N!|U$67n%dvoQIgxpT77p)(ymBe8+Tc7 z-D-Gd?n_}esCJ+Tc3CzO*OqJ&iiWqd0rtZxr_Cc_$;K<2$!esrfuUjDG9m#A0q3Pg z!H1AZ2@oi}vUZh}A}Az->SeMOoQOCttf>QJ7%K!{6G5@Gu9}sXKDb81j7gP=Hv$}F z;+ZZT%*CjJm*}uRzakBjHv)WYf4pQtw0V5G1R_dq+pH z#-Ze?iV{5vuzMPfB+iGcX~%{>mWYjHkI|m|V4!G(|68zsbbBT7mH@^J>J__f03=AF zH2xbTbTDww+X+&meK^ZiDfnOELP7UOl+6Bwe(uhWbt%NYW?{lsF|j{-?$8)0B{eI% zytn{?Kys0auobFB`zk#N2?;=Jdk9c3%6A{gr=&qMb@=3eawGMVv#&cMV(Jt&EQ8QAWbI_LDH zm$oK?hf;{_W`=J1cSK}2u^jK|wPFbWqyu0k8^?CfVXi`M{qlHe@R?v}eb;C(W+D$? 
z_UrWF@fonUsOMn?jyj0{%GbW3LbAEEtmJwsMfzea3W25RJUU>X=RKYSN8U5Ks>Y+5!d^yQP^ocITtn`liv}CG zo-CY&I@`p>e2xWaCUWzcE#UV8!EtDP+P2ZW=y4VsW~^^OP;q>8uECWo1-HZA#u-p~ z=$mPGT$>$OOHE9s!|K$vxUw=@eKcjhOflz4xe91w#1!aHkV<;eSiknQdjf+src?ZZ_mRO5=>-r%$L7eWUTW7_vww$dMTrzdqTm~7O`>m3GnZbZdw7YuqTnWV<9*%Z5ln57 znDOhRYZiUS>fkCd^Rc{0Q}m81EhCw3ab=5g(wSr~em z5-rIACIBE+i9uanUHMBfbgYfDqb0dwlOSK~VdN)>Lj&{G_*(FO^XY9*7;jUUCQiPi zxft>Lz&k5Y)?ajhmD3f3V`BSr5%#g6~UP>ybaGV`3wHgTu~3bQKam+57!C9dO5&#@Cz z)T=+F2Eq5*D#Mki!Dm3%l{i6vxagHI%kE!IupdCoE`*6=sC7Fl`> zv6mz)o7n`s%YVMO-eW(;*I^C|U}%}?#0;3VOO5wgqjr#%=dhd|(EG|5x@4(U=Rt0! zol6NYxn!Y4f zWXiI2X&>eDPyEEhI($U4Vr6%NtgijoWlB%R1m!&o=4*!_4+fOns<6ov=rb9tcm>7W zf_xuB_!3?z#A1flp9KUdUh$-kC0$2>+#<3cukdqw zHhf-3b&{tvSwMgy5c1@{CbUPlkj>fg1fH{J-{Ibb&|q}-tV~X7F@bHR3E&rFlCLzU z>?#5oUt#RSy{D%YG_SUQ*t@wA6Uc=qz^s%bTVdErG@mFx5?1bby??3D6(!dboug1N ztwwTQFD4`?MNV{U#&OA%fnds0<;bWAFNZax?D%6lc!uRl^=FA5TQth~`J{ar=7h9p zmF;rbp!^1&$-N0*hgjLjM{7*&yo4X{hMyM?ur%CqGy{ z12<}ZF5WnCIW5s(CI?x&D1Hl^v< za_a-zn6G-xBB#pY1&#}cQa|czv7M1}lEqKxy&J*bwTi=}mZU7?08@7jwu9H`k2bikunBVMY47y&ehdQ~fR;D{G{$d$Ey84&xahsZ{gB{Jhk9j?))LuA0D*E}rA8Lb}f z2U2iT9VlB-wC>=Zz+l6_VtO%59Ez!`cfYVu zYxtt(xj+8qRDKeT9-sPH+t_?qIg(|iTVzGhRNYU&<$(!v4)Rk)S^XzGS8)#tUTfl6S;)9Pu#ah>XaCr3NvDr<^ZXygzg;7E3hu z1tjFpk2#b3`2eXQQM6_2LUL}}pDhl(5A9CTtN9|iukf{VYQ12KzQQ2FW{%2l)}`3E zhwLOeX8f(8UW;K~#ss>|dlF-~J-mmg9rH`|Kud)N0i$$!nq7IT;}lWXLr%(2DTyvc&p)Iswp63$&lqFIM|0rvawgJW51M4 z;SJp1D2v3+qX=}iU2}DnE!(ED`13`E4`rKVm$qiaiA5{W3c<6pi#NpBheHwNUr&N7 zW3I6W$}1|`HTYD2N~+b5jz4=A?f5%S;yxtsG5UR4zN8)DY<|M^J}F!xP+n%+kj+0< zDOBMP_n-;XJg|hdco!nM9BTr{l?6spD$4y^uMsB&Zcj0udQL>8&*B2azgwAX; zag!Jyg1s1Ep@uVv=I_9XYX={lm7GbAo#tt1NjvkO>+F&%!p#-K>k6d|pW0;!620Y? 
zSb24)4pq<_hd|#sf`;%rq0_e#@56m(oYL94-fzX}2a4z`VPwpT&jh}MENmM0_WUwc zxkLcPm2BeDyBzGTXToDuz^nss>folUb9?GFdqL1mk;Kmo<^KI}0hM)DP@956rX33H z+3+aN>$Hyqy1^SXIJ?Qg9;^NPJn5^mtT>Wd+pMKoS!wXpbR`=vjM$}gbFMFk8pa#7 zUe0yr@W>2SQOusVF}=2@8nl_stEywU>s;)sylNr3sj^7I)U9*4G~TE!9{*>*Xrf|t zBC^?04kRP3WgmaSqN#+P{8x;_V7?7GsZ90J)UcHpWrTlb)FL<>G`oRIFK3GLJo@Lw z+=P-$7Xl%8Llj*Xzg;e+@iVSgN0GjEFZnb29%qT<2LdhYq4OSN2lWfHu5G_T`8)n& zRS6e(Mj*Ma0IWe6#{~KMCk+3-LP%B*;XaGButB; zD*+kPyUY`d?t`B5$NI-a&jYKHMHcD?4T@iGyk)Bj6MMp?vL9HKCJ%y<}loAv>~HQ-c>qYsW@1#c<-4%NSMDL^yjdxU5X2C7nlh+q&rH&668QqY3_ zO}8g1SyX+i1wJch?dnzW0xbaf=YK>B13P8`0d#-w!s=8qV_%>V^^c04<&+TF0 c@Tl8A<>sNY^W0M@4}h17qPjxG3$u{_0>SC!U;qFB diff --git a/doc/source/index.rst b/doc/source/index.rst index 3c23140e72..3091dfdf49 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -67,14 +67,6 @@ Administrator Documentation admin_guide debian_package_guide -End User Guides -=============== - -.. toctree:: - :maxdepth: 1 - - howto_cyberduck - Source Documentation ==================== @@ -87,7 +79,6 @@ Source Documentation container db object - auth misc diff --git a/doc/source/overview_auth.rst b/doc/source/overview_auth.rst index f9141509c2..027b77dfba 100644 --- a/doc/source/overview_auth.rst +++ b/doc/source/overview_auth.rst 
@@ -2,61 +2,57 @@ The Auth System
 ===============
---------------
-Developer Auth
--------------
-
-The auth system for Swift is loosely based on the auth system from the existing
-Rackspace architecture -- actually from a few existing auth systems -- and is
-therefore a bit disjointed. The distilled points about it are:
-
-* The authentication/authorization part is outside Swift itself
-* The user of Swift passes in an auth token with each request
-* Swift validates each token with the external auth system and caches the
- result
-* The token does not change from request to request, but does expire
-
-The token can be passed into Swift using the X-Auth-Token or the
-X-Storage-Token header. Both have the same format: just a simple string
-representing the token. Some external systems use UUID tokens, some an MD5 hash
-of something unique, some use "something else" but the salient point is that
-the token is a string which can be sent as-is back to the auth system for
-validation.
-
-Swift will make calls to the external auth system, giving the auth token to be
-validated. For a valid token, the auth system responds with an overall
-expiration in seconds from now. Swift will cache the token up to the expiration
-time. The included devauth also has the concept of admin and non-admin users
-within an account. Admin users can do anything within the account. Non-admin
-users can only perform operations per container based on the container's
-X-Container-Read and X-Container-Write ACLs. For more information on ACLs, see
-:mod:`swift.common.middleware.acl`
-
-The user starts a session by sending a ReST request to the external auth system
-to receive the auth token and a URL to the Swift system.
-
---------------
-Extending Auth
--------------
-
-Auth is written as wsgi middleware, so implementing your own auth is as easy
-as writing new wsgi middleware, and plugging it in to the proxy server.
-
-The current middleware is implemented in the DevAuthMiddleware class in
-swift/common/middleware/auth.py, and should be a good starting place for
-implementing your own auth.
-
-Also, see :doc:`development_auth`.
-
-
 ------
 Swauth
 ------
-The Swauth system is an optional DevAuth replacement included at
-swift/common/middleware/swauth.py; a scalable authentication and
-authorization system that uses Swift itself as its backing store. This section
-will describe how it stores its data.
+The auth system for Swift is loosely based on the auth system from the existing
+Rackspace architecture -- actually from a few existing auth systems -- and is
+therefore a bit disjointed. The distilled points about it are:
+
+* The authentication/authorization part can be an external system or a
+ subsystem run within Swift as WSGI middleware
+* The user of Swift passes in an auth token with each request
+* Swift validates each token with the external auth system or auth subsystem
+ and caches the result
+* The token does not change from request to request, but does expire
+
+The token can be passed into Swift using the X-Auth-Token or the
+X-Storage-Token header. Both have the same format: just a simple string
+representing the token. Some auth systems use UUID tokens, some an MD5 hash of
+something unique, some use "something else" but the salient point is that the
+token is a string which can be sent as-is back to the auth system for
+validation.
+
+Swift will make calls to the auth system, giving the auth token to be
+validated. For a valid token, the auth system responds with an overall
+expiration in seconds from now. Swift will cache the token up to the expiration
+time. The included Swauth also has the concept of admin and non-admin users
+within an account. Admin users can do anything within the account. Non-admin
+users can only perform operations per container based on the container's
+X-Container-Read and X-Container-Write ACLs. 
For more information on ACLs, see
+:mod:`swift.common.middleware.acl`
+
+The user starts a session by sending a ReST request to the auth system to
+receive the auth token and a URL to the Swift system.
+
+--------------
+Extending Auth
+--------------
+
+Swauth is written as wsgi middleware, so implementing your own auth is as easy
+as writing new wsgi middleware, and plugging it in to the proxy server.
+
+Also, see :doc:`development_auth`.
+
+
+--------------
+Swauth Details
+--------------
+
+The Swauth system is included at swift/common/middleware/swauth.py; a scalable
+authentication and authorization system that uses Swift itself as its backing
+store. This section will describe how it stores its data.
 At the topmost level, the auth system has its own Swift account it stores its
 own account information within. This Swift account is known as
diff --git a/etc/auth-server.conf-sample b/etc/auth-server.conf-sample
deleted file mode 100644
index 711f48d564..0000000000
--- a/etc/auth-server.conf-sample
+++ /dev/null
@@ -1,30 +0,0 @@
-# Only needed for DevAuth; Swauth is within the proxy-server.conf
-[DEFAULT]
-# bind_ip = 0.0.0.0
-# bind_port = 11000
-# workers = 1
-# user = swift
-# swift_dir = /etc/swift
-# cert_file = Default is no cert; format is path like /etc/swift/auth.crt
-# key_file = Default is no key; format is path like /etc/swift/auth.key
-# You can specify default log routing here if you want:
-# log_name = swift
-# log_facility = LOG_LOCAL0
-# log_level = INFO
-
-[pipeline:main]
-pipeline = auth-server
-
-[app:auth-server]
-use = egg:swift#auth
-# Highly recommended to change this.
-super_admin_key = devauth
-# You can override the default log routing for this app here:
-# set log_name = proxy-server
-# set log_facility = LOG_LOCAL0
-# set log_level = INFO
-# set log_headers = False
-# reseller_prefix = AUTH
-# default_cluster_url = http://127.0.0.1:8080/v1
-# token_life = 86400
-# node_timeout = 10
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 3af7db0f8a..457aa42cf3 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -13,10 +13,7 @@
 # log_level = INFO
 [pipeline:main]
-# For DevAuth:
-pipeline = catch_errors healthcheck cache ratelimit auth proxy-server
-# For Swauth:
-# pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server
+pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server
 [app:proxy-server]
 use = egg:swift#proxy
@@ -44,27 +41,6 @@ use = egg:swift#proxy
 # 'false' no one, even authorized, can.
 # allow_account_management = false
-# Only needed for DevAuth
-[filter:auth]
-use = egg:swift#auth
-# You can override the default log routing for this filter here:
-# set log_name = auth-server
-# set log_facility = LOG_LOCAL0
-# set log_level = INFO
-# set log_headers = False
-# The reseller prefix will verify a token begins with this prefix before even
-# attempting to validate it with the external authentication server. Also, with
-# authorization, only Swift storage accounts with this prefix will be
-# authorized by this middleware. Useful if multiple auth systems are in use for
-# one Swift cluster.
-# reseller_prefix = AUTH
-# ip = 127.0.0.1
-# port = 11000
-# ssl = false
-# prefix = /
-# node_timeout = 10
-
-# Only needed for Swauth
 [filter:swauth]
 use = egg:swift#swauth
 # You can override the default log routing for this filter here:
@@ -97,7 +73,7 @@ super_admin_key = swauthkey
 [filter:healthcheck]
 use = egg:swift#healthcheck
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = healthcheck
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
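Review bot: The new default `pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server` makes the `[filter:swauth]` section live for anyone who copies this sample, and the context shown at `@@ -97,7 +73,7 @@` indicates that section still ships `super_admin_key = swauthkey`. The deleted auth-server.conf-sample carried `# Highly recommended to change this.` directly above its key, but no equivalent comment is visible near the swauth key in this diff (the body of `[filter:swauth]` lies outside the hunk, so it may already have one). If it does not, add `# Highly recommended to change this.` above `super_admin_key = swauthkey` so the sample's published value is not left as the effective default of a now-enabled auth filter.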
@@ -105,7 +81,7 @@ use = egg:swift#healthcheck
 [filter:cache]
 use = egg:swift#memcache
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = cache
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
@@ -116,7 +92,7 @@ use = egg:swift#memcache
 [filter:ratelimit]
 use = egg:swift#ratelimit
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = ratelimit
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
@@ -148,7 +124,7 @@ use = egg:swift#ratelimit
 [filter:domain_remap]
 use = egg:swift#domain_remap
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = domain_remap
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
@@ -159,7 +135,7 @@ use = egg:swift#domain_remap
 [filter:catch_errors]
 use = egg:swift#catch_errors
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = catch_errors
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
@@ -168,7 +144,7 @@ use = egg:swift#catch_errors
 # Note: this middleware requires python-dnspython
 use = egg:swift#cname_lookup
 # You can override the default log routing for this filter here:
-# set log_name = auth-server
+# set log_name = cname_lookup
 # set log_facility = LOG_LOCAL0
 # set log_level = INFO
 # set log_headers = False
diff --git a/etc/stats.conf-sample b/etc/stats.conf-sample
index f89cb77d6d..e9bceadb1f 100644
--- a/etc/stats.conf-sample
+++ b/etc/stats.conf-sample
@@ -1,8 +1,5 @@
 [stats]
-# For DevAuth:
-auth_url = http://saio:11000/auth
-# For Swauth:
-# auth_url = http://saio:8080/auth/v1.0
+auth_url = http://saio:8080/auth/v1.0
 auth_user = test:tester
 auth_key = testing
 # swift_dir = /etc/swift
diff --git a/setup.py b/setup.py
index c80d62ddc8..3df7b7ea90 100644
--- a/setup.py
+++ b/setup.py
@@ -79,9 +79,6 @@ setup(
 'bin/st', 'bin/swift-account-auditor', 'bin/swift-account-audit', 'bin/swift-account-reaper', 'bin/swift-account-replicator', 'bin/swift-account-server',
- 'bin/swift-auth-add-user',
- 'bin/swift-auth-recreate-accounts', 'bin/swift-auth-server',
- 'bin/swift-auth-update-reseller-prefixes',
 'bin/swift-container-auditor', 'bin/swift-container-replicator', 'bin/swift-container-server', 'bin/swift-container-updater',
@@ -108,10 +105,8 @@ setup(
 'object=swift.obj.server:app_factory',
 'container=swift.container.server:app_factory',
 'account=swift.account.server:app_factory',
- 'auth=swift.auth.server:app_factory',
 ],
 'paste.filter_factory': [
- 'auth=swift.common.middleware.auth:filter_factory',
 'swauth=swift.common.middleware.swauth:filter_factory',
 'healthcheck=swift.common.middleware.healthcheck:filter_factory',
 'memcache=swift.common.middleware.memcache:filter_factory',
diff --git a/swift/auth/__init__.py b/swift/auth/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/swift/auth/server.py b/swift/auth/server.py
deleted file mode 100644
index 4f5ae4b21c..0000000000
--- a/swift/auth/server.py
+++ /dev/null
@@ -1,693 +0,0 @@ -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import with_statement -import os -import sys -from contextlib import contextmanager -from time import gmtime, strftime, time -from urllib import unquote, quote -from uuid import uuid4 -from hashlib import md5, sha1 -import hmac -import base64 - -import sqlite3 -from webob import Request, Response -from webob.exc import HTTPBadRequest, HTTPConflict, HTTPForbidden, \ - HTTPNoContent, HTTPUnauthorized, HTTPServiceUnavailable, HTTPNotFound - -from swift.common.bufferedhttp import http_connect_raw as http_connect -from swift.common.db import get_db_connection -from swift.common.utils import get_logger, split_path, urlparse - - -class AuthController(object): - """ - Sample implementation of an authorization server for development work. This - server only implements the basic functionality and isn't written for high - availability or to scale to thousands (or even hundreds) of requests per - second. It is mainly for use by developers working on the rest of the - system. - - The design of the auth system was restricted by a couple of existing - systems. - - This implementation stores an account name, user name, and password (in - plain text!) as well as a corresponding Swift cluster url and account hash. - One existing auth system used account, user, and password whereas another - used just account and an "API key". 
Here, we support both systems with - their various, sometimes colliding headers. - - The most common use case is by the end user: - - * The user makes a ReST call to the auth server requesting a token and url - to use to access the Swift cluster. - * The auth system validates the user info and returns a token and url for - the user to use with the Swift cluster. - * The user makes a ReST call to the Swift cluster using the url given with - the token as the X-Auth-Token header. - * The Swift cluster makes an ReST call to the auth server to validate the - token, caching the result for future requests up to the expiration the - auth server returns. - * The auth server validates the token given and returns the expiration for - the token. - * The Swift cluster completes the user's request. - - Another use case is creating a new user: - - * The developer makes a ReST call to create a new user. - * If the account for the user does not yet exist, the auth server makes - a ReST call to the Swift cluster to create a new account on its end. - * The auth server records the information in its database. - - A last use case is recreating existing accounts; this is really only useful - on a development system when the drives are reformatted quite often but - the auth server's database is retained: - - * A developer makes an ReST call to have the existing accounts recreated. - * For each account in its database, the auth server makes a ReST call to - the Swift cluster to create the specific account on its end. - - :param conf: The [auth-server] dictionary of the auth server configuration - file - - See the etc/auth-server.conf-sample for information on the possible - configuration parameters. - """ - - def __init__(self, conf): - self.logger = get_logger(conf, log_route='auth-server') - self.super_admin_key = conf.get('super_admin_key') - if not self.super_admin_key: - msg = _('No super_admin_key set in conf file! 
Exiting.') - try: - self.logger.critical(msg) - except Exception: - pass - raise ValueError(msg) - self.swift_dir = conf.get('swift_dir', '/etc/swift') - self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip() - if self.reseller_prefix and self.reseller_prefix[-1] != '_': - self.reseller_prefix += '_' - self.default_cluster_url = conf.get('default_cluster_url', - 'http://127.0.0.1:8080/v1').rstrip('/') - self.token_life = int(conf.get('token_life', 86400)) - self.log_headers = conf.get('log_headers') == 'True' - self.db_file = os.path.join(self.swift_dir, 'auth.db') - self.conn = get_db_connection(self.db_file, okay_to_create=True) - try: - self.conn.execute('SELECT admin FROM account LIMIT 1') - except sqlite3.OperationalError, err: - if str(err) == 'no such column: admin': - self.conn.execute("ALTER TABLE account ADD COLUMN admin TEXT") - self.conn.execute("UPDATE account SET admin = 't'") - try: - self.conn.execute('SELECT reseller_admin FROM account LIMIT 1') - except sqlite3.OperationalError, err: - if str(err) == 'no such column: reseller_admin': - self.conn.execute( - "ALTER TABLE account ADD COLUMN reseller_admin TEXT") - self.conn.execute('''CREATE TABLE IF NOT EXISTS account ( - account TEXT, url TEXT, cfaccount TEXT, - user TEXT, password TEXT, admin TEXT, - reseller_admin TEXT)''') - self.conn.execute('''CREATE INDEX IF NOT EXISTS ix_account_account - ON account (account)''') - try: - self.conn.execute('SELECT user FROM token LIMIT 1') - except sqlite3.OperationalError, err: - if str(err) == 'no such column: user': - self.conn.execute('DROP INDEX IF EXISTS ix_token_created') - self.conn.execute('DROP INDEX IF EXISTS ix_token_cfaccount') - self.conn.execute('DROP TABLE IF EXISTS token') - self.conn.execute('''CREATE TABLE IF NOT EXISTS token ( - token TEXT, created FLOAT, - account TEXT, user TEXT, cfaccount TEXT)''') - self.conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_token - ON token (token)''') - self.conn.execute('''CREATE INDEX IF 
NOT EXISTS ix_token_created - ON token (created)''') - self.conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_account - ON token (account)''') - self.conn.commit() - for row in self.conn.execute('SELECT cfaccount FROM account'): - if not row[0].startswith(self.reseller_prefix): - previous_prefix = '' - if '_' in row[0]: - previous_prefix = row[0].split('_', 1)[0] - msg = (_(''' -THERE ARE ACCOUNTS IN YOUR auth.db THAT DO NOT BEGIN WITH YOUR NEW RESELLER -PREFIX OF "%(reseller)s". -YOU HAVE A FEW OPTIONS: - 1. RUN "swift-auth-update-reseller-prefixes %(db_file)s %(reseller)s", - "swift-init auth-server restart", AND - "swift-auth-recreate-accounts -K ..." TO CREATE FRESH ACCOUNTS. - OR - 2. REMOVE %(db_file)s, RUN "swift-init auth-server restart", AND RUN - "swift-auth-add-user ..." TO CREATE BRAND NEW ACCOUNTS THAT WAY. - OR - 3. ADD "reseller_prefix = %(previous)s" (WITHOUT THE QUOTES) TO YOUR - proxy-server.conf IN THE [filter:auth] SECTION AND TO YOUR - auth-server.conf IN THE [app:auth-server] SECTION AND RUN - "swift-init proxy-server restart" AND "swift-init auth-server restart" - TO REVERT BACK TO YOUR PREVIOUS RESELLER PREFIX. - - %(note)s - ''') % {'reseller': self.reseller_prefix.rstrip('_'), - 'db_file': self.db_file, - 'previous': previous_prefix, - 'note': previous_prefix and ' ' or _(''' - SINCE YOUR PREVIOUS RESELLER PREFIX WAS AN EMPTY STRING, IT IS NOT - RECOMMENDED TO PERFORM OPTION 3 AS THAT WOULD MAKE SUPPORTING MULTIPLE - RESELLERS MORE DIFFICULT. - ''').strip()}).strip() - self.logger.critical(_('CRITICAL: ') + ' '.join(msg.split())) - raise Exception('\n' + msg) - - def add_storage_account(self, account_name=''): - """ - Creates an account within the Swift cluster by making a ReST call. - - :param account_name: The desired name for the account; if omitted a - UUID4 will be used. - :returns: False upon failure, otherwise the name of the account - within the Swift cluster. 
- """ - orig_account_name = account_name - if not account_name: - account_name = '%s%s' % (self.reseller_prefix, uuid4().hex) - url = '%s/%s' % (self.default_cluster_url, account_name) - parsed = urlparse(url) - # Create a single use token. - token = '%stk%s' % (self.reseller_prefix, uuid4().hex) - with self.get_conn() as conn: - conn.execute(''' - INSERT INTO token - (token, created, account, user, cfaccount) VALUES - (?, ?, '.super_admin', '.single_use', '.reseller_admin')''', - (token, time())) - conn.commit() - if parsed.port is None: - port = {'http': 80, 'https': 443}.get(parsed.scheme, 80) - else: - port = parsed.port - conn = http_connect(parsed.hostname, port, 'PUT', parsed.path, - {'X-Auth-Token': token}, ssl=(parsed.scheme == 'https')) - resp = conn.getresponse() - resp.read() - if resp.status // 100 != 2: - self.logger.error(_('ERROR attempting to create account %(url)s:' \ - ' %(status)s %(reason)s') % - {'url': url, 'status': resp.status, 'reason': resp.reason}) - return False - return account_name - - @contextmanager - def get_conn(self): - """ - Returns a DB API connection instance to the auth server's SQLite - database. This is a contextmanager call to be use with the 'with' - statement. It takes no parameters. - """ - if not self.conn: - # We go ahead and make another db connection even if this is a - # reentry call; just in case we had an error that caused self.conn - # to become None. Even if we make an extra conn, we'll only keep - # one after the 'with' block. 
- self.conn = get_db_connection(self.db_file) - conn = self.conn - self.conn = None - try: - yield conn - conn.rollback() - self.conn = conn - except Exception, err: - try: - conn.close() - except Exception: - pass - self.conn = get_db_connection(self.db_file) - raise err - - def validate_s3_sign(self, request, token): - account, user, sign = \ - request.headers['Authorization'].split(' ')[-1].split(':') - msg = base64.urlsafe_b64decode(unquote(token)) - rv = False - with self.get_conn() as conn: - row = conn.execute(''' - SELECT password, cfaccount FROM account - WHERE account = ? AND user = ?''', - (account, user)).fetchone() - rv = (84000, account, user, row[1]) - if rv: - s = base64.encodestring(hmac.new(row[0], msg, - sha1).digest()).strip() - self.logger.info("orig %s, calc %s" % (sign, s)) - if sign != s: - rv = False - return rv - - def purge_old_tokens(self): - """ - Removes tokens that have expired from the auth server's database. This - is called by :func:`validate_token` and :func:`GET` to help keep the - database clean. - """ - with self.get_conn() as conn: - conn.execute('DELETE FROM token WHERE created < ?', - (time() - self.token_life,)) - conn.commit() - - def validate_token(self, token): - """ - Tests if the given token is a valid token - - :param token: The token to validate - :returns: (TTL, account, user, cfaccount) if valid, False otherwise. - cfaccount will be None for users without admin access for the - account. cfaccount will be .reseller_admin for users with - full reseller admin rights. - """ - begin = time() - self.purge_old_tokens() - rv = False - with self.get_conn() as conn: - row = conn.execute(''' - SELECT created, account, user, cfaccount FROM token - WHERE token = ?''', - (token,)).fetchone() - if row is not None: - created = row[0] - if time() - created < self.token_life: - rv = (self.token_life - (time() - created), row[1], row[2], - row[3]) - # Remove the token if it was expired or single use. 
- if not rv or rv[2] == '.single_use': - conn.execute(''' - DELETE FROM token WHERE token = ?''', (token,)) - conn.commit() - self.logger.info('validate_token(%s, _, _) = %s [%.02f]' % - (repr(token), repr(rv), time() - begin)) - return rv - - def create_user(self, account, user, password, admin=False, - reseller_admin=False): - """ - Handles the create_user call for developers, used to request a user be - added in the auth server database. If the account does not yet exist, - it will be created on the Swift cluster and the details recorded in the - auth server database. - - The url for the storage account is constructed now and stored - separately to support changing the configuration file's - default_cluster_url for directing new accounts to a different Swift - cluster while still supporting old accounts going to the Swift clusters - they were created on. - - Currently, updating a user's information (password, admin access) must - be done by directly updating the sqlite database. - - :param account: The name for the new account - :param user: The name for the new user - :param password: The password for the new account - :param admin: If true, the user will be granted full access to the - account; otherwise, another user will have to add the - user to the ACLs for containers to grant access. - :param reseller_admin: If true, the user will be granted full access to - all accounts within this reseller, including the - ability to create additional accounts. - - :returns: False if the create fails, 'already exists' if the user - already exists, or storage url if successful - """ - begin = time() - if not all((account, user, password)): - return False - with self.get_conn() as conn: - row = conn.execute( - 'SELECT url FROM account WHERE account = ? 
AND user = ?', - (account, user)).fetchone() - if row: - self.logger.info(_('ALREADY EXISTS create_user(%(account)s, ' - '%(user)s, _, %(admin)s, %(reseller_admin)s) ' - '[%(elapsed).02f]') % - {'account': repr(account), - 'user': repr(user), - 'admin': repr(admin), - 'reseller_admin': repr(reseller_admin), - 'elapsed': time() - begin}) - return 'already exists' - row = conn.execute( - 'SELECT url, cfaccount FROM account WHERE account = ?', - (account,)).fetchone() - if row: - url = row[0] - account_hash = row[1] - else: - account_hash = self.add_storage_account() - if not account_hash: - self.logger.info(_('FAILED create_user(%(account)s, ' - '%(user)s, _, %(admin)s, %(reseller_admin)s) ' - '[%(elapsed).02f]') % - {'account': repr(account), - 'user': repr(user), - 'admin': repr(admin), - 'reseller_admin': repr(reseller_admin), - 'elapsed': time() - begin}) - return False - url = self.default_cluster_url.rstrip('/') + '/' + account_hash - conn.execute('''INSERT INTO account - (account, url, cfaccount, user, password, admin, - reseller_admin) - VALUES (?, ?, ?, ?, ?, ?, ?)''', - (account, url, account_hash, user, password, - admin and 't' or '', reseller_admin and 't' or '')) - conn.commit() - self.logger.info(_('SUCCESS create_user(%(account)s, %(user)s, _, ' - '%(admin)s, %(reseller_admin)s) = %(url)s [%(elapsed).02f]') % - {'account': repr(account), 'user': repr(user), - 'admin': repr(admin), 'reseller_admin': repr(reseller_admin), - 'url': repr(url), 'elapsed': time() - begin}) - return url - - def recreate_accounts(self): - """ - Recreates the accounts from the existing auth database in the Swift - cluster. This is useful on a development system when the drives are - reformatted quite often but the auth server's database is retained. 
- - :returns: A string indicating accounts and failures - """ - begin = time() - with self.get_conn() as conn: - account_hashes = [r[0] for r in conn.execute( - 'SELECT distinct(cfaccount) FROM account').fetchall()] - failures = [] - for i, account_hash in enumerate(account_hashes): - if not self.add_storage_account(account_hash): - failures.append(account_hash) - rv = '%d accounts, failures %s' % (len(account_hashes), repr(failures)) - self.logger.info('recreate_accounts(_, _) = %s [%.02f]' % - (rv, time() - begin)) - return rv - - def is_account_admin(self, request, for_account): - """ - Returns True if the request represents coming from .super_admin, a - .reseller_admin, or an admin for the account specified. - """ - if request.headers.get('X-Auth-Admin-User') == '.super_admin' and \ - request.headers.get('X-Auth-Admin-Key') == self.super_admin_key: - return True - try: - account, user = \ - request.headers.get('X-Auth-Admin-User').split(':', 1) - except (AttributeError, ValueError): - return False - with self.get_conn() as conn: - row = conn.execute(''' - SELECT reseller_admin, admin FROM account - WHERE account = ? AND user = ? AND password = ?''', - (account, user, - request.headers.get('X-Auth-Admin-Key'))).fetchone() - if row: - if row[0] == 't': - return True - if row[1] == 't' and account == for_account: - return True - return False - - def handle_token(self, request): - """ - Handles ReST requests from Swift to validate tokens - - Valid URL paths: - * GET /token/ - - If the HTTP request returns with a 204, then the token is valid, the - TTL of the token will be available in the X-Auth-Ttl header, and a - comma separated list of the "groups" the user belongs to will be in the - X-Auth-Groups header. 
- - :param request: webob.Request object - """ - try: - _junk, token = split_path(request.path, minsegs=2) - except ValueError: - return HTTPBadRequest() - # Retrieves (TTL, account, user, cfaccount) if valid, False otherwise - headers = {} - if 'Authorization' in request.headers: - validation = self.validate_s3_sign(request, token) - if validation: - headers['X-Auth-Account-Suffix'] = validation[3] - else: - validation = self.validate_token(token) - if not validation: - return HTTPNotFound() - groups = ['%s:%s' % (validation[1], validation[2]), validation[1]] - if validation[3]: - # admin access to a cfaccount or ".reseller_admin" to access to all - # accounts, including creating new ones. - groups.append(validation[3]) - headers['X-Auth-TTL'] = validation[0] - headers['X-Auth-Groups'] = ','.join(groups) - return HTTPNoContent(headers=headers) - - def handle_add_user(self, request): - """ - Handles Rest requests from developers to have a user added. If the - account specified doesn't exist, it will also be added. Currently, - updating a user's information (password, admin access) must be done by - directly updating the sqlite database. - - Valid URL paths: - * PUT /account// - create the account - - Valid headers: - * X-Auth-User-Key: - * X-Auth-User-Admin: - * X-Auth-User-Reseller-Admin: - - If the HTTP request returns with a 204, then the user was added, - and the storage url will be available in the X-Storage-Url header. 
- - :param request: webob.Request object - """ - try: - _junk, account_name, user_name = \ - split_path(request.path, minsegs=3) - except ValueError: - return HTTPBadRequest() - create_reseller_admin = \ - request.headers.get('x-auth-user-reseller-admin') == 'true' - if create_reseller_admin and ( - request.headers.get('X-Auth-Admin-User') != '.super_admin' or - request.headers.get('X-Auth-Admin-Key') != self.super_admin_key): - return HTTPUnauthorized(request=request) - create_account_admin = \ - request.headers.get('x-auth-user-admin') == 'true' - if create_account_admin and \ - not self.is_account_admin(request, account_name): - return HTTPForbidden(request=request) - if 'X-Auth-User-Key' not in request.headers: - return HTTPBadRequest(body='X-Auth-User-Key is required') - password = request.headers['x-auth-user-key'] - storage_url = self.create_user(account_name, user_name, password, - create_account_admin, create_reseller_admin) - if storage_url == 'already exists': - return HTTPConflict(body=storage_url) - if not storage_url: - return HTTPServiceUnavailable() - return HTTPNoContent(headers={'x-storage-url': storage_url}) - - def handle_account_recreate(self, request): - """ - Handles ReST requests from developers to have accounts in the Auth - system recreated in Swift. I know this is bad ReST style, but this - isn't production right? :) - - Valid URL paths: - * POST /recreate_accounts - - :param request: webob.Request object - """ - if request.headers.get('X-Auth-Admin-User') != '.super_admin' or \ - request.headers.get('X-Auth-Admin-Key') != self.super_admin_key: - return HTTPUnauthorized(request=request) - result = self.recreate_accounts() - return Response(result, 200, request=request) - - def handle_auth(self, request): - """ - Handles ReST requests from end users for a Swift cluster url and auth - token. This can handle all the various headers and formats that - existing auth systems used, so it's a bit of a chameleon. 
- - Valid URL paths: - * GET /v1//auth - * GET /auth - * GET /v1.0 - - Valid headers: - * X-Auth-User: : - * X-Auth-Key: - * X-Storage-User: [:] - The [:] is only optional here if the - /v1//auth path is used. - * X-Storage-Pass: - - The (currently) preferred method is to use /v1.0 path and the - X-Auth-User and X-Auth-Key headers. - - :param request: A webob.Request instance. - """ - try: - pathsegs = split_path(request.path, minsegs=1, maxsegs=3, - rest_with_last=True) - except ValueError: - return HTTPBadRequest() - if pathsegs[0] == 'v1' and pathsegs[2] == 'auth': - account = pathsegs[1] - user = request.headers.get('x-storage-user') - if not user: - user = request.headers.get('x-auth-user') - if not user or ':' not in user: - return HTTPUnauthorized() - account2, user = user.split(':', 1) - if account != account2: - return HTTPUnauthorized() - password = request.headers.get('x-storage-pass') - if not password: - password = request.headers.get('x-auth-key') - elif pathsegs[0] in ('auth', 'v1.0'): - user = request.headers.get('x-auth-user') - if not user: - user = request.headers.get('x-storage-user') - if not user or ':' not in user: - return HTTPUnauthorized() - account, user = user.split(':', 1) - password = request.headers.get('x-auth-key') - if not password: - password = request.headers.get('x-storage-pass') - else: - return HTTPBadRequest() - if not all((account, user, password)): - return HTTPUnauthorized() - self.purge_old_tokens() - with self.get_conn() as conn: - row = conn.execute(''' - SELECT cfaccount, url, admin, reseller_admin FROM account - WHERE account = ? AND user = ? AND password = ?''', - (account, user, password)).fetchone() - if row is None: - return HTTPUnauthorized() - cfaccount = row[0] - url = row[1] - admin = row[2] == 't' - reseller_admin = row[3] == 't' - row = conn.execute(''' - SELECT token FROM token WHERE account = ? 
AND user = ?''', - (account, user)).fetchone() - if row: - token = row[0] - else: - token = '%stk%s' % (self.reseller_prefix, uuid4().hex) - token_cfaccount = '' - if admin: - token_cfaccount = cfaccount - if reseller_admin: - token_cfaccount = '.reseller_admin' - conn.execute(''' - INSERT INTO token - (token, created, account, user, cfaccount) - VALUES (?, ?, ?, ?, ?)''', - (token, time(), account, user, token_cfaccount)) - conn.commit() - return HTTPNoContent(headers={'x-auth-token': token, - 'x-storage-token': token, - 'x-storage-url': url}) - - def handleREST(self, env, start_response): - """ - Handles routing of ReST requests. This handler also logs all requests. - - :param env: WSGI environment - :param start_response: WSGI start_response function - """ - req = Request(env) - logged_headers = None - if self.log_headers: - logged_headers = '\n'.join('%s: %s' % (k, v) - for k, v in req.headers.items()).replace('"', "#042") - start_time = time() - # Figure out how to handle the request - try: - if req.method == 'GET' and req.path.startswith('/v1') or \ - req.path.startswith('/auth'): - handler = self.handle_auth - elif req.method == 'GET' and req.path.startswith('/token/'): - handler = self.handle_token - elif req.method == 'PUT' and req.path.startswith('/account/'): - handler = self.handle_add_user - elif req.method == 'POST' and \ - req.path == '/recreate_accounts': - handler = self.handle_account_recreate - else: - return HTTPBadRequest(request=env)(env, start_response) - response = handler(req) - except Exception: - self.logger.exception( - _('ERROR Unhandled exception in ReST request')) - return HTTPServiceUnavailable(request=req)(env, start_response) - trans_time = '%.4f' % (time() - start_time) - if not response.content_length and response.app_iter and \ - hasattr(response.app_iter, '__len__'): - response.content_length = sum(map(len, response.app_iter)) - the_request = '%s %s' % (req.method, quote(unquote(req.path))) - if req.query_string: - the_request 
= the_request + '?' + req.query_string - the_request += ' ' + req.environ['SERVER_PROTOCOL'] - client = req.headers.get('x-cluster-client-ip') - if not client and 'x-forwarded-for' in req.headers: - client = req.headers['x-forwarded-for'].split(',')[0].strip() - if not client: - client = req.remote_addr - self.logger.info( - '%s - - [%s] "%s" %s %s "%s" "%s" - - - - - - - - - "-" "%s" ' - '"%s" %s' % ( - client, - strftime('%d/%b/%Y:%H:%M:%S +0000', gmtime()), - the_request, - response.status_int, - response.content_length or '-', - req.referer or '-', - req.user_agent or '-', - req.remote_addr, - logged_headers or '-', - trans_time)) - return response(env, start_response) - - def __call__(self, env, start_response): - """ Used by the eventlet.wsgi.server """ - return self.handleREST(env, start_response) - - -def app_factory(global_conf, **local_conf): - conf = global_conf.copy() - conf.update(local_conf) - return AuthController(conf) diff --git a/swift/common/middleware/auth.py b/swift/common/middleware/auth.py deleted file mode 100644 index a51788f7b7..0000000000 --- a/swift/common/middleware/auth.py +++ /dev/null 
@@ -1,213 +0,0 @@ -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from time import time - -from eventlet.timeout import Timeout -from webob.exc import HTTPForbidden, HTTPUnauthorized, HTTPNotFound - -from swift.common.bufferedhttp import http_connect_raw as http_connect -from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed -from swift.common.utils import cache_from_env, split_path, TRUE_VALUES - - -class DevAuth(object): - """Auth Middleware that uses the dev auth server.""" - - def __init__(self, app, conf): - self.app = app - self.conf = conf - self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip() - if self.reseller_prefix and self.reseller_prefix[-1] != '_': - self.reseller_prefix += '_' - self.auth_host = conf.get('ip', '127.0.0.1') - self.auth_port = int(conf.get('port', 11000)) - self.ssl = conf.get('ssl', 'false').lower() in TRUE_VALUES - self.auth_prefix = conf.get('prefix', '/') - self.timeout = int(conf.get('node_timeout', 10)) - - def __call__(self, env, start_response): - """ - Accepts a standard WSGI application call, authenticating the request - and installing callback hooks for authorization and ACL header - validation. For an authenticated request, REMOTE_USER will be set to a - comma separated list of the user's groups. 
- - With a non-empty reseller prefix, acts as the definitive auth service - for just tokens and accounts that begin with that prefix, but will deny - requests outside this prefix if no other auth middleware overrides it. - - With an empty reseller prefix, acts as the definitive auth service only - for tokens that validate to a non-empty set of groups. For all other - requests, acts as the fallback auth service when no other auth - middleware overrides it. - """ - s3 = env.get('HTTP_AUTHORIZATION') - token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN')) - if s3 or (token and token.startswith(self.reseller_prefix)): - # Note: Empty reseller_prefix will match all tokens. - # Attempt to auth my token with my auth server - groups = self.get_groups(env, token, - memcache_client=cache_from_env(env)) - if groups: - env['REMOTE_USER'] = groups - user = groups and groups.split(',', 1)[0] or '' - # We know the proxy logs the token, so we augment it just a bit - # to also log the authenticated user. - env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token) - env['swift.authorize'] = self.authorize - env['swift.clean_acl'] = clean_acl - else: - # Unauthorized token - if self.reseller_prefix: - # Because I know I'm the definitive auth for this token, I - # can deny it outright. - return HTTPUnauthorized()(env, start_response) - # Because I'm not certain if I'm the definitive auth for empty - # reseller_prefixed tokens, I won't overwrite swift.authorize. - elif 'swift.authorize' not in env: - env['swift.authorize'] = self.denied_response - else: - if self.reseller_prefix: - # With a non-empty reseller_prefix, I would like to be called - # back for anonymous access to accounts I know I'm the - # definitive auth for. 
- try: - version, rest = split_path(env.get('PATH_INFO', ''), - 1, 2, True) - except ValueError: - return HTTPNotFound()(env, start_response) - if rest and rest.startswith(self.reseller_prefix): - # Handle anonymous access to accounts I'm the definitive - # auth for. - env['swift.authorize'] = self.authorize - env['swift.clean_acl'] = clean_acl - # Not my token, not my account, I can't authorize this request, - # deny all is a good idea if not already set... - elif 'swift.authorize' not in env: - env['swift.authorize'] = self.denied_response - # Because I'm not certain if I'm the definitive auth for empty - # reseller_prefixed accounts, I won't overwrite swift.authorize. - elif 'swift.authorize' not in env: - env['swift.authorize'] = self.authorize - env['swift.clean_acl'] = clean_acl - return self.app(env, start_response) - - def get_groups(self, env, token, memcache_client=None): - """ - Get groups for the given token. - - If memcache_client is set, token credentials will be cached - appropriately. - - With a cache miss, or no memcache_client, the configurated external - authentication server will be queried for the group information. - - :param token: Token to validate and return a group string for. - :param memcache_client: Memcached client to use for caching token - credentials; None if no caching is desired. - :returns: None if the token is invalid or a string containing a comma - separated list of groups the authenticated user is a member - of. The first group in the list is also considered a unique - identifier for that user. 
- """ - groups = None - key = '%s/token/%s' % (self.reseller_prefix, token) - cached_auth_data = memcache_client and memcache_client.get(key) - if cached_auth_data: - start, expiration, groups = cached_auth_data - if time() - start > expiration: - groups = None - - headers = {} - if env.get('HTTP_AUTHORIZATION'): - groups = None - headers["Authorization"] = env.get('HTTP_AUTHORIZATION') - - if not groups: - with Timeout(self.timeout): - conn = http_connect(self.auth_host, self.auth_port, 'GET', - '%stoken/%s' % (self.auth_prefix, token), - headers, ssl=self.ssl) - - resp = conn.getresponse() - resp.read() - conn.close() - if resp.status // 100 != 2: - return None - expiration = float(resp.getheader('x-auth-ttl')) - groups = resp.getheader('x-auth-groups') - if memcache_client: - memcache_client.set(key, (time(), expiration, groups), - timeout=expiration) - - if env.get('HTTP_AUTHORIZATION'): - account, user, sign = \ - env['HTTP_AUTHORIZATION'].split(' ')[-1].split(':') - cfaccount = resp.getheader('x-auth-account-suffix') - path = env['PATH_INFO'] - env['PATH_INFO'] = \ - path.replace("%s:%s" % (account, user), cfaccount, 1) - - return groups - - def authorize(self, req): - """ - Returns None if the request is authorized to continue or a standard - WSGI response callable if not. - """ - try: - version, account, container, obj = split_path(req.path, 1, 4, True) - except ValueError: - return HTTPNotFound(request=req) - if not account or not account.startswith(self.reseller_prefix): - return self.denied_response(req) - user_groups = (req.remote_user or '').split(',') - if '.reseller_admin' in user_groups: - return None - if account in user_groups and \ - (req.method not in ('DELETE', 'PUT') or container): - # If the user is admin for the account and is not trying to do an - # account DELETE or PUT... 
- return None - referrers, groups = parse_acl(getattr(req, 'acl', None)) - if referrer_allowed(req.referer, referrers): - return None - if not req.remote_user: - return self.denied_response(req) - for user_group in user_groups: - if user_group in groups: - return None - return self.denied_response(req) - - def denied_response(self, req): - """ - Returns a standard WSGI response callable with the status of 403 or 401 - depending on whether the REMOTE_USER is set or not. - """ - if req.remote_user: - return HTTPForbidden(request=req) - else: - return HTTPUnauthorized(request=req) - - -def filter_factory(global_conf, **local_conf): - """Returns a WSGI filter app for use with paste.deploy.""" - conf = global_conf.copy() - conf.update(local_conf) - - def auth_filter(app): - return DevAuth(app, conf) - return auth_filter diff --git a/test/functional/sample.conf b/test/functional/sample.conf index 602d7a4f29..00009c6db0 100644 --- a/test/functional/sample.conf +++ b/test/functional/sample.conf @@ -1,13 +1,9 @@ [func_test] # sample config auth_host = 127.0.0.1 -# For DevAuth: -auth_port = 11000 -# For Swauth: -# auth_port = 8080 +auth_port = 8080 auth_ssl = no -# For Swauth: -# auth_prefix = /auth/ +auth_prefix = /auth/ # Primary functional test account (needs admin access to the account) account = test diff --git a/test/probe/common.py b/test/probe/common.py index 08e8309a4b..b87699e8c8 100644 --- a/test/probe/common.py +++ b/test/probe/common.py 
@@ -25,24 +25,15 @@ from swift.common.ring import Ring SUPER_ADMIN_KEY = None -AUTH_TYPE = None c = ConfigParser() -AUTH_SERVER_CONF_FILE = environ.get('SWIFT_AUTH_SERVER_CONF_FILE', - '/etc/swift/auth-server.conf') -if c.read(AUTH_SERVER_CONF_FILE): - conf = dict(c.items('app:auth-server')) - SUPER_ADMIN_KEY = conf.get('super_admin_key', 'devauth') - AUTH_TYPE = 'devauth' +PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE', + '/etc/swift/proxy-server.conf') +if c.read(PROXY_SERVER_CONF_FILE): + conf = dict(c.items('filter:swauth')) + SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey') else: - PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE', - '/etc/swift/proxy-server.conf') - if c.read(PROXY_SERVER_CONF_FILE): - conf = dict(c.items('filter:swauth')) - SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey') - AUTH_TYPE = 'swauth' - else: - exit('Unable to read config file: %s' % AUTH_SERVER_CONF_FILE) + exit('Unable to read config file: %s' % PROXY_SERVER_CONF_FILE) def kill_pids(pids): @@ -57,9 +48,6 @@ def reset_environment(): call(['resetswift']) pids = {} try: - if AUTH_TYPE == 'devauth': - pids['auth'] = Popen(['swift-auth-server', - '/etc/swift/auth-server.conf']).pid pids['proxy'] = Popen(['swift-proxy-server', '/etc/swift/proxy-server.conf']).pid port2server = {} 
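Review bot: `conf = dict(c.items('filter:swauth'))` on the new side raises ConfigParser.NoSectionError when the proxy config is readable but has no `[filter:swauth]` section (for example a proxy pipeline configured with a different auth filter), and the `else` branch's exit message only covers the unreadable-file case. Guard the section as well, `if c.read(PROXY_SERVER_CONF_FILE) and c.has_section('filter:swauth'):`, and widen the message to `exit('Unable to read [filter:swauth] from: %s' % PROXY_SERVER_CONF_FILE)`. Separately, the fallback `conf.get('super_admin_key', 'swauthkey')` means a config that omits the key silently makes the probe tests run against a hard-coded default instead of failing; consider exiting when the key is absent so the value under test always comes from the operator's configuration.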
@@ -73,21 +61,9 @@ def reset_environment(): container_ring = Ring('/etc/swift/container.ring.gz') object_ring = Ring('/etc/swift/object.ring.gz') sleep(5) - if AUTH_TYPE == 'devauth': - conn = http_connect('127.0.0.1', '11000', 'POST', - '/recreate_accounts', - headers={'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': SUPER_ADMIN_KEY}) - resp = conn.getresponse() - if resp.status != 200: - raise Exception('Recreating accounts failed. (%d)' % - resp.status) - url, token = get_auth('http://127.0.0.1:11000/auth', 'test:tester', - 'testing') - elif AUTH_TYPE == 'swauth': - call(['recreateaccounts']) - url, token = get_auth('http://127.0.0.1:8080/auth/v1.0', - 'test:tester', 'testing') + call(['recreateaccounts']) + url, token = get_auth('http://127.0.0.1:8080/auth/v1.0', + 'test:tester', 'testing') account = url.split('/')[-1] except BaseException, err: kill_pids(pids) diff --git a/test/unit/auth/__init__.py b/test/unit/auth/__init__.py deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/test/unit/auth/test_server.py b/test/unit/auth/test_server.py deleted file mode 100644 index d58556ab22..0000000000 --- a/test/unit/auth/test_server.py +++ /dev/null 
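Review bot: `call(['recreateaccounts'])` on the new side discards the exit status, so a failed account recreation only surfaces later when `get_auth` fails with a less specific error; the DevAuth path removed here did raise on a non-200 recreate response. Check the return code, `if call(['recreateaccounts']): raise Exception('recreateaccounts failed')`, or use `subprocess.check_call` if it is imported alongside `call` (the import block is outside this hunk). The URL `http://127.0.0.1:8080/auth/v1.0` is now hard-coded while the proxy config path is taken from `SWIFT_PROXY_SERVER_CONF_FILE`; a comment such as `# assumes the proxy listens on the default bind port` would make that assumption explicit, or the port could be read from the same config. `reset_environment` begins outside this hunk.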
@@ -1,977 +0,0 @@ -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import with_statement -import unittest -import os -from shutil import rmtree -from StringIO import StringIO -from uuid import uuid4 -from logging import StreamHandler - -import sqlite3 -from webob import Request - -from swift.auth import server as auth_server -from swift.common.db import DatabaseConnectionError, get_db_connection -from swift.common.utils import get_logger - - -class TestException(Exception): - pass - - -def fake_http_connect(*code_iter, **kwargs): - class FakeConn(object): - def __init__(self, status): - self.status = status - self.reason = 'Fake' - self.host = '1.2.3.4' - self.port = '1234' - def getresponse(self): - if 'slow' in kwargs: - sleep(0.2) - if 'raise_exc' in kwargs: - raise kwargs['raise_exc'] - return self - def getheaders(self): - return {'x-account-bytes-used': '20'} - def read(self, amt=None): - return '' - def getheader(self, name): - return self.getheaders().get(name.lower()) - code_iter = iter(code_iter) - def connect(*args, **kwargs): - connect.last_args = args - connect.last_kwargs = kwargs - return FakeConn(code_iter.next()) - return connect - - -class TestAuthServer(unittest.TestCase): - - def setUp(self): - self.ohttp_connect = auth_server.http_connect - self.testdir = os.path.join(os.path.dirname(__file__), - 'auth_server') - rmtree(self.testdir, ignore_errors=1) - os.mkdir(self.testdir) - 
self.conf = {'swift_dir': self.testdir, 'log_name': 'auth', - 'super_admin_key': 'testkey'} - self.controller = auth_server.AuthController(self.conf) - - def tearDown(self): - auth_server.http_connect = self.ohttp_connect - rmtree(self.testdir, ignore_errors=1) - - def test_get_conn(self): - with self.controller.get_conn() as conn: - pass - exc = False - try: - with self.controller.get_conn() as conn: - raise TestException('test') - except TestException: - exc = True - self.assert_(exc) - # We allow reentrant calls for the auth-server - with self.controller.get_conn() as conn1: - exc = False - try: - with self.controller.get_conn() as conn2: - self.assert_(conn1 is not conn2) - except DatabaseConnectionError: - exc = True - self.assert_(not exc) - self.controller.conn = None - with self.controller.get_conn() as conn: - self.assert_(conn is not None) - - def test_validate_token_non_existant_token(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing',).split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - token = res.headers['x-storage-token'] - self.assertEquals(self.controller.validate_token(token + 'bad'), False) - - def test_validate_token_good(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing',).split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - - def test_validate_token_expired(self): - orig_time = auth_server.time - try: - auth_server.time = lambda: 1 - auth_server.http_connect = 
fake_http_connect(201) - cfaccount = self.controller.create_user('test', 'tester', - 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - auth_server.time = lambda: 1 + self.controller.token_life - self.assertEquals(self.controller.validate_token(token), False) - finally: - auth_server.time = orig_time - - def test_create_user_no_new_account(self): - auth_server.http_connect = fake_http_connect(201) - result = self.controller.create_user('', 'tester', 'testing') - self.assertFalse(result) - - def test_create_user_no_new_user(self): - auth_server.http_connect = fake_http_connect(201) - result = self.controller.create_user('test', '', 'testing') - self.assertFalse(result) - - def test_create_user_no_new_password(self): - auth_server.http_connect = fake_http_connect(201) - result = self.controller.create_user('test', 'tester', '') - self.assertFalse(result) - - def test_create_user_good(self): - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test', 'tester', 'testing') - self.assert_(url) - self.assertEquals('/'.join(url.split('/')[:-1]), - self.controller.default_cluster_url.rstrip('/'), repr(url)) - - def test_recreate_accounts_none(self): - auth_server.http_connect = fake_http_connect(201) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], '0', repr(rv)) - self.assertEquals(rv.split()[-1], '[]', repr(rv)) - - def test_recreate_accounts_one(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], '1', repr(rv)) - 
self.assertEquals(rv.split()[-1], '[]', repr(rv)) - - def test_recreate_accounts_several(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test1', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test2', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test3', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test4', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201, 201, 201, 201) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], '4', repr(rv)) - self.assertEquals(rv.split()[-1], '[]', repr(rv)) - - def test_recreate_accounts_one_fail(self): - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test', 'tester', 'testing') - cfaccount = url.split('/')[-1] - auth_server.http_connect = fake_http_connect(500) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], '1', repr(rv)) - self.assertEquals(rv.split()[-1], '[%s]' % repr(cfaccount), - repr(rv)) - - def test_recreate_accounts_several_fail(self): - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test1', 'tester', 'testing') - cfaccounts = [url.split('/')[-1]] - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test2', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test3', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test4', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(500, 500, 500, 500) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], 
'4', repr(rv)) - failed = rv.split('[', 1)[-1][:-1].split(', ') - self.assertEquals(set(failed), set(repr(a) for a in cfaccounts)) - - def test_recreate_accounts_several_fail_some(self): - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test1', 'tester', 'testing') - cfaccounts = [url.split('/')[-1]] - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test2', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test3', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test4', 'tester', 'testing') - cfaccounts.append(url.split('/')[-1]) - auth_server.http_connect = fake_http_connect(500, 201, 500, 201) - rv = self.controller.recreate_accounts() - self.assertEquals(rv.split()[0], '4', repr(rv)) - failed = rv.split('[', 1)[-1][:-1].split(', ') - self.assertEquals( - len(set(repr(a) for a in cfaccounts) - set(failed)), 2) - - def test_auth_bad_path(self): - res = self.controller.handle_auth( - Request.blank('', environ={'REQUEST_METHOD': 'GET'})) - self.assertEquals(res.status_int, 400) - res = self.controller.handle_auth(Request.blank('/bad', - environ={'REQUEST_METHOD': 'GET'})) - self.assertEquals(res.status_int, 400) - - def test_auth_SOSO_missing_headers(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-Pass': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - 
environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester'})) - self.assertEquals(res.status_int, 401) - - def test_auth_SOSO_bad_account(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/testbad/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1//auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_SOSO_bad_user(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'testerbad', - 'X-Storage-Pass': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': '', - 'X-Storage-Pass': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_SOSO_bad_password(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testingbad'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': ''})) - self.assertEquals(res.status_int, 401) - - def test_auth_SOSO_good(self): - 
auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'tester', - 'X-Storage-Pass': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - - def test_auth_SOSO_good_Mosso_headers(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:tester', - 'X-Auth-Key': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - - def test_auth_SOSO_bad_Mosso_headers(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing',).split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test2:tester', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': ':tester', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/v1/test/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_missing_headers(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = 
self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:tester'})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_bad_header_format(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'badformat', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': '', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_bad_account(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'testbad:tester', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': ':tester', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_bad_user(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:testerbad', - 
'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:', - 'X-Auth-Key': 'testing'})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_bad_password(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:tester', - 'X-Auth-Key': 'testingbad'})) - self.assertEquals(res.status_int, 401) - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:tester', - 'X-Auth-Key': ''})) - self.assertEquals(res.status_int, 401) - - def test_auth_Mosso_good(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'test:tester', - 'X-Auth-Key': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - - def test_auth_Mosso_good_SOSO_header_names(self): - auth_server.http_connect = fake_http_connect(201) - cfaccount = self.controller.create_user( - 'test', 'tester', 'testing').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/auth', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Storage-User': 'test:tester', - 'X-Storage-Pass': 'testing'})) - token = res.headers['x-storage-token'] - ttl, _junk, _junk, _junk = self.controller.validate_token(token) - self.assert_(ttl > 0, repr(ttl)) - - def test_basic_logging(self): - log = StringIO() - log_handler = StreamHandler(log) - logger = get_logger(self.conf, 'auth-server', 
log_route='auth-server') - logger.logger.addHandler(log_handler) - try: - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test', 'tester', 'testing') - self.assertEquals(log.getvalue().rsplit(' ', 1)[0], - "SUCCESS create_user('test', 'tester', _, False, False) " - "= %s" % repr(url)) - log.truncate(0) - def start_response(*args): - pass - self.controller.handleREST({'REQUEST_METHOD': 'GET', - 'SCRIPT_NAME': '', - 'PATH_INFO': '/v1/test/auth', - 'QUERY_STRING': 'test=True', - 'SERVER_NAME': '127.0.0.1', - 'SERVER_PORT': '8080', - 'SERVER_PROTOCOL': 'HTTP/1.0', - 'CONTENT_LENGTH': '0', - 'wsgi.version': (1, 0), - 'wsgi.url_scheme': 'http', - 'wsgi.input': StringIO(), - 'wsgi.errors': StringIO(), - 'wsgi.multithread': False, - 'wsgi.multiprocess': False, - 'wsgi.run_once': False, - 'HTTP_X_FORWARDED_FOR': 'testhost', - 'HTTP_X_STORAGE_USER': 'tester', - 'HTTP_X_STORAGE_PASS': 'testing'}, - start_response) - logsegs = log.getvalue().split(' [', 1) - logsegs[1:] = logsegs[1].split('] ', 1) - logsegs[1] = '[01/Jan/2001:01:02:03 +0000]' - logsegs[2:] = logsegs[2].split(' ') - logsegs[-1] = '0.1234' - self.assertEquals(' '.join(logsegs), 'testhost - - ' - '[01/Jan/2001:01:02:03 +0000] "GET /v1/test/auth?test=True ' - 'HTTP/1.0" 204 - "-" "-" - - - - - - - - - "-" "None" "-" ' - '0.1234') - self.controller.log_headers = True - log.truncate(0) - self.controller.handleREST({'REQUEST_METHOD': 'GET', - 'SCRIPT_NAME': '', - 'PATH_INFO': '/v1/test/auth', - 'SERVER_NAME': '127.0.0.1', - 'SERVER_PORT': '8080', - 'SERVER_PROTOCOL': 'HTTP/1.0', - 'CONTENT_LENGTH': '0', - 'wsgi.version': (1, 0), - 'wsgi.url_scheme': 'http', - 'wsgi.input': StringIO(), - 'wsgi.errors': StringIO(), - 'wsgi.multithread': False, - 'wsgi.multiprocess': False, - 'wsgi.run_once': False, - 'HTTP_X_STORAGE_USER': 'tester', - 'HTTP_X_STORAGE_PASS': 'testing'}, - start_response) - logsegs = log.getvalue().split(' [', 1) - logsegs[1:] = logsegs[1].split('] ', 1) - 
logsegs[1] = '[01/Jan/2001:01:02:03 +0000]' - logsegs[2:] = logsegs[2].split(' ') - logsegs[-1] = '0.1234' - self.assertEquals(' '.join(logsegs), 'None - - [01/Jan/2001:' - '01:02:03 +0000] "GET /v1/test/auth HTTP/1.0" 204 - "-" "-" - ' - '- - - - - - - - "-" "None" "Content-Length: 0\n' - 'X-Storage-User: tester\nX-Storage-Pass: testing" 0.1234') - finally: - logger.logger.handlers.remove(log_handler) - - def test_unhandled_exceptions(self): - def request_causing_exception(*args, **kwargs): - pass - def start_response(*args): - pass - orig_Request = auth_server.Request - log = StringIO() - log_handler = StreamHandler(log) - logger = get_logger(self.conf, 'auth-server', log_route='auth-server') - logger.logger.addHandler(log_handler) - try: - auth_server.Request = request_causing_exception - self.controller.handleREST({'REQUEST_METHOD': 'GET', - 'SCRIPT_NAME': '', - 'PATH_INFO': '/v1/test/auth', - 'SERVER_NAME': '127.0.0.1', - 'SERVER_PORT': '8080', - 'SERVER_PROTOCOL': 'HTTP/1.0', - 'CONTENT_LENGTH': '0', - 'wsgi.version': (1, 0), - 'wsgi.url_scheme': 'http', - 'wsgi.input': StringIO(), - 'wsgi.errors': StringIO(), - 'wsgi.multithread': False, - 'wsgi.multiprocess': False, - 'wsgi.run_once': False, - 'HTTP_X_STORAGE_USER': 'tester', - 'HTTP_X_STORAGE_PASS': 'testing'}, - start_response) - self.assert_(log.getvalue().startswith( - 'ERROR Unhandled exception in ReST request'), - log.getvalue()) - log.truncate(0) - finally: - auth_server.Request = orig_Request - logger.logger.handlers.remove(log_handler) - - def test_upgrading_from_db1(self): - swift_dir = '/tmp/swift_test_auth_%s' % uuid4().hex - os.mkdir(swift_dir) - try: - # Create db1 - db_file = os.path.join(swift_dir, 'auth.db') - conn = get_db_connection(db_file, okay_to_create=True) - conn.execute('''CREATE TABLE IF NOT EXISTS account ( - account TEXT, url TEXT, cfaccount TEXT, - user TEXT, password TEXT)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_account_account - ON account (account)''') - 
conn.execute('''CREATE TABLE IF NOT EXISTS token ( - cfaccount TEXT, token TEXT, created FLOAT)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_cfaccount - ON token (cfaccount)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_created - ON token (created)''') - conn.execute('''INSERT INTO account - (account, url, cfaccount, user, password) - VALUES ('act', 'url', 'cfa', 'usr', 'pas')''') - conn.execute('''INSERT INTO token (cfaccount, token, created) - VALUES ('cfa', 'tok', '1')''') - conn.commit() - conn.close() - # Upgrade to current db - conf = {'swift_dir': swift_dir, 'super_admin_key': 'testkey'} - exc = None - try: - auth_server.AuthController(conf) - except Exception, err: - exc = err - self.assert_(str(err).strip().startswith('THERE ARE ACCOUNTS IN ' - 'YOUR auth.db THAT DO NOT BEGIN WITH YOUR NEW RESELLER'), err) - # Check new items exist and are correct - conn = get_db_connection(db_file) - row = conn.execute('SELECT admin FROM account').fetchone() - self.assertEquals(row[0], 't') - row = conn.execute('SELECT user FROM token').fetchone() - self.assert_(not row) - finally: - rmtree(swift_dir) - - def test_upgrading_from_db2(self): - swift_dir = '/tmp/swift_test_auth_%s' % uuid4().hex - os.mkdir(swift_dir) - try: - # Create db1 - db_file = os.path.join(swift_dir, 'auth.db') - conn = get_db_connection(db_file, okay_to_create=True) - conn.execute('''CREATE TABLE IF NOT EXISTS account ( - account TEXT, url TEXT, cfaccount TEXT, - user TEXT, password TEXT, admin TEXT)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_account_account - ON account (account)''') - conn.execute('''CREATE TABLE IF NOT EXISTS token ( - token TEXT, created FLOAT, - account TEXT, user TEXT, cfaccount TEXT)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_token - ON token (token)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_created - ON token (created)''') - conn.execute('''CREATE INDEX IF NOT EXISTS ix_token_account - ON token (account)''') - 
conn.execute('''INSERT INTO account - (account, url, cfaccount, user, password, admin) - VALUES ('act', 'url', 'cfa', 'us1', 'pas', '')''') - conn.execute('''INSERT INTO account - (account, url, cfaccount, user, password, admin) - VALUES ('act', 'url', 'cfa', 'us2', 'pas', 't')''') - conn.execute('''INSERT INTO token - (token, created, account, user, cfaccount) - VALUES ('tok', '1', 'act', 'us1', 'cfa')''') - conn.commit() - conn.close() - # Upgrade to current db - conf = {'swift_dir': swift_dir, 'super_admin_key': 'testkey'} - exc = None - try: - auth_server.AuthController(conf) - except Exception, err: - exc = err - self.assert_(str(err).strip().startswith('THERE ARE ACCOUNTS IN ' - 'YOUR auth.db THAT DO NOT BEGIN WITH YOUR NEW RESELLER'), err) - # Check new items exist and are correct - conn = get_db_connection(db_file) - row = conn.execute('''SELECT admin, reseller_admin - FROM account WHERE user = 'us1' ''').fetchone() - self.assert_(not row[0], row[0]) - self.assert_(not row[1], row[1]) - row = conn.execute('''SELECT admin, reseller_admin - FROM account WHERE user = 'us2' ''').fetchone() - self.assertEquals(row[0], 't') - self.assert_(not row[1], row[1]) - row = conn.execute('SELECT user FROM token').fetchone() - self.assert_(row) - finally: - rmtree(swift_dir) - - def test_create_user_twice(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('test', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - self.assertEquals( - self.controller.create_user('test', 'tester', 'testing'), - 'already exists') - req = Request.blank('/account/test/tester', - headers={'X-Auth-User-Key': 'testing'}) - resp = self.controller.handle_add_user(req) - self.assertEquals(resp.status_int, 409) - - - def test_create_2users_1account(self): - auth_server.http_connect = fake_http_connect(201) - url = self.controller.create_user('test', 'tester', 'testing') - auth_server.http_connect = fake_http_connect(201) - url2 = 
self.controller.create_user('test', 'tester2', 'testing2') - self.assertEquals(url, url2) - - def test_no_super_admin_key(self): - conf = {'swift_dir': self.testdir, 'log_name': 'auth'} - self.assertRaises(ValueError, auth_server.AuthController, conf) - conf['super_admin_key'] = 'testkey' - controller = auth_server.AuthController(conf) - self.assertEquals(controller.super_admin_key, conf['super_admin_key']) - - def test_add_storage_account(self): - auth_server.http_connect = fake_http_connect(201) - stgact = self.controller.add_storage_account() - self.assert_(stgact.startswith(self.controller.reseller_prefix), - stgact) - # Make sure token given is the expected single use token - token = auth_server.http_connect.last_args[-1]['X-Auth-Token'] - self.assert_(self.controller.validate_token(token)) - self.assert_(not self.controller.validate_token(token)) - auth_server.http_connect = fake_http_connect(201) - stgact = self.controller.add_storage_account('bob') - self.assertEquals(stgact, 'bob') - # Make sure token given is the expected single use token - token = auth_server.http_connect.last_args[-1]['X-Auth-Token'] - self.assert_(self.controller.validate_token(token)) - self.assert_(not self.controller.validate_token(token)) - - def test_regular_user(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('act', 'usr', 'pas').split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1.0', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'act:usr', 'X-Auth-Key': 'pas'})) - _junk, _junk, _junk, stgact = \ - self.controller.validate_token(res.headers['x-auth-token']) - self.assertEquals(stgact, '') - - def test_account_admin(self): - auth_server.http_connect = fake_http_connect(201) - stgact = self.controller.create_user( - 'act', 'usr', 'pas', admin=True).split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1.0', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'act:usr', 'X-Auth-Key': 
'pas'})) - _junk, _junk, _junk, vstgact = \ - self.controller.validate_token(res.headers['x-auth-token']) - self.assertEquals(stgact, vstgact) - - def test_reseller_admin(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user( - 'act', 'usr', 'pas', reseller_admin=True).split('/')[-1] - res = self.controller.handle_auth(Request.blank('/v1.0', - environ={'REQUEST_METHOD': 'GET'}, - headers={'X-Auth-User': 'act:usr', 'X-Auth-Key': 'pas'})) - _junk, _junk, _junk, stgact = \ - self.controller.validate_token(res.headers['x-auth-token']) - self.assertEquals(stgact, '.reseller_admin') - - def test_is_account_admin(self): - req = Request.blank('/', headers={'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 'testkey'}) - self.assert_(self.controller.is_account_admin(req, 'any')) - req = Request.blank('/', headers={'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 'testkey2'}) - self.assert_(not self.controller.is_account_admin(req, 'any')) - req = Request.blank('/', headers={'X-Auth-Admin-User': '.super_admi', - 'X-Auth-Admin-Key': 'testkey'}) - self.assert_(not self.controller.is_account_admin(req, 'any')) - - auth_server.http_connect = fake_http_connect(201, 201) - self.controller.create_user( - 'act1', 'resadmin', 'pas', reseller_admin=True).split('/')[-1] - self.controller.create_user('act1', 'usr', 'pas').split('/')[-1] - self.controller.create_user( - 'act2', 'actadmin', 'pas', admin=True).split('/')[-1] - - req = Request.blank('/', headers={'X-Auth-Admin-User': 'act1:resadmin', - 'X-Auth-Admin-Key': 'pas'}) - self.assert_(self.controller.is_account_admin(req, 'any')) - self.assert_(self.controller.is_account_admin(req, 'act1')) - self.assert_(self.controller.is_account_admin(req, 'act2')) - - req = Request.blank('/', headers={'X-Auth-Admin-User': 'act1:usr', - 'X-Auth-Admin-Key': 'pas'}) - self.assert_(not self.controller.is_account_admin(req, 'any')) - self.assert_(not self.controller.is_account_admin(req, 'act1')) 
- self.assert_(not self.controller.is_account_admin(req, 'act2')) - - req = Request.blank('/', headers={'X-Auth-Admin-User': 'act2:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - self.assert_(not self.controller.is_account_admin(req, 'any')) - self.assert_(not self.controller.is_account_admin(req, 'act1')) - self.assert_(self.controller.is_account_admin(req, 'act2')) - - def test_handle_add_user_create_reseller_admin(self): - auth_server.http_connect = fake_http_connect(201) - self.controller.create_user('act', 'usr', 'pas') - self.controller.create_user('act', 'actadmin', 'pas', admin=True) - self.controller.create_user('act', 'resadmin', 'pas', - reseller_admin=True) - - req = Request.blank('/account/act/resadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Reseller-Admin': 'true'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/resadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Reseller-Admin': 'true', - 'X-Auth-Admin-User': 'act:usr', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/resadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Reseller-Admin': 'true', - 'X-Auth-Admin-User': 'act:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/resadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Reseller-Admin': 'true', - 'X-Auth-Admin-User': 'act:resadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/resadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Reseller-Admin': 'true', - 'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 
'testkey'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - def test_handle_add_user_create_account_admin(self): - auth_server.http_connect = fake_http_connect(201, 201) - self.controller.create_user('act', 'usr', 'pas') - self.controller.create_user('act', 'actadmin', 'pas', admin=True) - self.controller.create_user('act2', 'actadmin', 'pas', admin=True) - self.controller.create_user('act2', 'resadmin', 'pas', - reseller_admin=True) - - req = Request.blank('/account/act/actadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/actadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:usr', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/actadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act2:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/actadmin2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - req = Request.blank('/account/act/actadmin3', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act2:resadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - req = Request.blank('/account/act/actadmin4', - headers={'X-Auth-User-Key': 'pas', - 
'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 'testkey'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - def test_handle_add_user_create_normal_user(self): - auth_server.http_connect = fake_http_connect(201, 201) - self.controller.create_user('act', 'usr', 'pas') - self.controller.create_user('act', 'actadmin', 'pas', admin=True) - self.controller.create_user('act2', 'actadmin', 'pas', admin=True) - self.controller.create_user('act2', 'resadmin', 'pas', - reseller_admin=True) - - req = Request.blank('/account/act/usr2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/usr2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:usr', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/usr2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act2:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/account/act/usr2', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - req = Request.blank('/account/act/usr3', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act2:resadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - req = 
Request.blank('/account/act/usr4', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 'testkey'}) - resp = self.controller.handle_add_user(req) - self.assert_(resp.status_int // 100 == 2, resp.status_int) - - def test_handle_account_recreate_permissions(self): - auth_server.http_connect = fake_http_connect(201, 201) - self.controller.create_user('act', 'usr', 'pas') - self.controller.create_user('act', 'actadmin', 'pas', admin=True) - self.controller.create_user('act', 'resadmin', 'pas', - reseller_admin=True) - - req = Request.blank('/recreate_accounts', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true'}) - resp = self.controller.handle_account_recreate(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/recreate_accounts', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:usr', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_account_recreate(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/recreate_accounts', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:actadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_account_recreate(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/recreate_accounts', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': 'act:resadmin', - 'X-Auth-Admin-Key': 'pas'}) - resp = self.controller.handle_account_recreate(req) - self.assert_(resp.status_int // 100 == 4, resp.status_int) - - req = Request.blank('/recreate_accounts', - headers={'X-Auth-User-Key': 'pas', - 'X-Auth-User-Admin': 'true', - 'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': 'testkey'}) - resp = self.controller.handle_account_recreate(req) - self.assert_(resp.status_int // 100 == 2, 
resp.status_int) - - -if __name__ == '__main__': - unittest.main() diff --git a/test/unit/common/middleware/test_auth.py b/test/unit/common/middleware/test_auth.py deleted file mode 100644 index f6718f68bc..0000000000 --- a/test/unit/common/middleware/test_auth.py +++ /dev/null 
@@ -1,471 +0,0 @@ -# Copyright (c) 2010-2011 OpenStack, LLC. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or -# implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import with_statement -import logging -import os -import sys -import unittest -from contextlib import contextmanager - -import eventlet -from webob import Request - -from swift.common.middleware import auth - -# mocks -logging.getLogger().addHandler(logging.StreamHandler(sys.stdout)) - - -class FakeMemcache(object): - def __init__(self): - self.store = {} - - def get(self, key): - return self.store.get(key) - - def set(self, key, value, timeout=0): - self.store[key] = value - return True - - def incr(self, key, timeout=0): - self.store[key] = self.store.setdefault(key, 0) + 1 - return self.store[key] - - @contextmanager - def soft_lock(self, key, timeout=0, retries=5): - yield True - - def delete(self, key): - try: - del self.store[key] - except Exception: - pass - return True - - -def mock_http_connect(response, headers=None, with_exc=False): - class FakeConn(object): - def __init__(self, status, headers, with_exc): - self.status = status - self.reason = 'Fake' - self.host = '1.2.3.4' - self.port = '1234' - self.with_exc = with_exc - self.headers = headers - if self.headers is None: - self.headers = {} - - def getresponse(self): - if self.with_exc: - raise Exception('test') - return self - - def getheader(self, header): - return self.headers[header] - - def read(self, amt=None): - return '' - - def close(self): - return - - return lambda 
*args, **kwargs: FakeConn(response, headers, with_exc) - - -class Logger(object): - - def __init__(self): - self.error_value = None - self.exception_value = None - - def error(self, msg, *args, **kwargs): - self.error_value = (msg, args, kwargs) - - def exception(self, msg, *args, **kwargs): - _junk, exc, _junk = sys.exc_info() - self.exception_value = (msg, - '%s %s' % (exc.__class__.__name__, str(exc)), args, kwargs) - - -class FakeApp(object): - - def __init__(self): - self.i_was_called = False - - def __call__(self, env, start_response): - self.i_was_called = True - req = Request.blank('', environ=env) - if 'swift.authorize' in env: - resp = env['swift.authorize'](req) - if resp: - return resp(env, start_response) - return ['204 No Content'] - - -def start_response(*args): - pass - - -class TestAuth(unittest.TestCase): - - def setUp(self): - self.test_auth = auth.filter_factory({})(FakeApp()) - - def test_auth_deny_non_reseller_prefix(self): - old_http_connect = auth.http_connect - try: - auth.http_connect = mock_http_connect(204, - {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'}) - reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/BLAH_account', - 'HTTP_X_AUTH_TOKEN': 'BLAH_t', 'swift.cache': FakeMemcache()} - result = ''.join(self.test_auth(reqenv, lambda x, y: None)) - self.assert_(result.startswith('401'), result) - self.assertEquals(reqenv['swift.authorize'], - self.test_auth.denied_response) - finally: - auth.http_connect = old_http_connect - - def test_auth_deny_non_reseller_prefix_no_override(self): - old_http_connect = auth.http_connect - try: - auth.http_connect = mock_http_connect(204, - {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'}) - fake_authorize = lambda x: lambda x, y: ['500 Fake'] - reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/BLAH_account', - 'HTTP_X_AUTH_TOKEN': 'BLAH_t', 'swift.cache': FakeMemcache(), - 'swift.authorize': fake_authorize} - result = ''.join(self.test_auth(reqenv, lambda x, y: 
None))
- self.assert_(result.startswith('500 Fake'), result)
- self.assertEquals(reqenv['swift.authorize'], fake_authorize)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_no_reseller_prefix_deny(self):
- # Ensures that when we have no reseller prefix, we don't deny a request
- # outright but set up a denial swift.authorize and pass the request on
- # down the chain.
- old_http_connect = auth.http_connect
- try:
- local_app = FakeApp()
- local_auth = \
- auth.filter_factory({'reseller_prefix': ''})(local_app)
- auth.http_connect = mock_http_connect(404)
- reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/account',
- 'HTTP_X_AUTH_TOKEN': 't', 'swift.cache': FakeMemcache()}
- result = ''.join(local_auth(reqenv, lambda x, y: None))
- self.assert_(result.startswith('401'), result)
- self.assert_(local_app.i_was_called)
- self.assertEquals(reqenv['swift.authorize'],
- local_auth.denied_response)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_no_reseller_prefix_allow(self):
- # Ensures that when we have no reseller prefix, we can still allow
- # access if our auth server accepts requests
- old_http_connect = auth.http_connect
- try:
- local_app = FakeApp()
- local_auth = \
- auth.filter_factory({'reseller_prefix': ''})(local_app)
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/act',
- 'HTTP_X_AUTH_TOKEN': 't', 'swift.cache': None}
- result = ''.join(local_auth(reqenv, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- self.assert_(local_app.i_was_called)
- self.assertEquals(reqenv['swift.authorize'],
- local_auth.authorize)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_no_reseller_prefix_no_token(self):
- # Check that normally we set up a call back to our authorize.
- local_auth = \
- auth.filter_factory({'reseller_prefix': ''})(FakeApp())
- reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/account',
- 'swift.cache': FakeMemcache()}
- result = ''.join(local_auth(reqenv, lambda x, y: None))
- self.assert_(result.startswith('401'), result)
- self.assertEquals(reqenv['swift.authorize'], local_auth.authorize)
- # Now make sure we don't override an existing swift.authorize when we
- # have no reseller prefix.
- local_authorize = lambda req: None
- reqenv['swift.authorize'] = local_authorize
- result = ''.join(local_auth(reqenv, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- self.assertEquals(reqenv['swift.authorize'], local_authorize)
-
- def test_auth_fail(self):
- old_http_connect = auth.http_connect
- try:
- auth.http_connect = mock_http_connect(404)
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'HTTP_X_AUTH_TOKEN': 'AUTH_t', 'swift.cache': FakeMemcache()},
- lambda x, y: None))
- self.assert_(result.startswith('401'), result)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_success(self):
- old_http_connect = auth.http_connect
- try:
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'PATH_INFO': '/v/AUTH_cfa', 'HTTP_X_AUTH_TOKEN': 'AUTH_t',
- 'swift.cache': FakeMemcache()}, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_memcache(self):
- old_http_connect = auth.http_connect
- try:
- fake_memcache = FakeMemcache()
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'PATH_INFO': '/v/AUTH_cfa', 'HTTP_X_AUTH_TOKEN': 'AUTH_t',
- 'swift.cache': fake_memcache}, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- auth.http_connect = mock_http_connect(404)
- # Should still be in memcache
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'PATH_INFO': '/v/AUTH_cfa', 'HTTP_X_AUTH_TOKEN': 'AUTH_t',
- 'swift.cache': fake_memcache}, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- finally:
- auth.http_connect = old_http_connect
-
- def test_auth_just_expired(self):
- old_http_connect = auth.http_connect
- try:
- fake_memcache = FakeMemcache()
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '0', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'PATH_INFO': '/v/AUTH_cfa', 'HTTP_X_AUTH_TOKEN': 'AUTH_t',
- 'swift.cache': fake_memcache}, lambda x, y: None))
- self.assert_(result.startswith('204'), result)
- auth.http_connect = mock_http_connect(404)
- # Should still be in memcache, but expired
- result = ''.join(self.test_auth({'REQUEST_METHOD': 'GET',
- 'HTTP_X_AUTH_TOKEN': 'AUTH_t', 'swift.cache': fake_memcache},
- lambda x, y: None))
- self.assert_(result.startswith('401'), result)
- finally:
- auth.http_connect = old_http_connect
-
- def test_middleware_success(self):
- old_http_connect = auth.http_connect
- try:
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- req = Request.blank('/v/AUTH_cfa/c/o',
- headers={'x-auth-token': 'AUTH_t'})
- req.environ['swift.cache'] = FakeMemcache()
- result = ''.join(self.test_auth(req.environ, start_response))
- self.assert_(result.startswith('204'), result)
- self.assertEquals(req.remote_user, 'act:usr,act,AUTH_cfa')
- finally:
- auth.http_connect = old_http_connect
-
- def test_middleware_no_header(self):
- old_http_connect = auth.http_connect
- try:
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- req = Request.blank('/v/AUTH_cfa/c/o')
- req.environ['swift.cache'] = FakeMemcache()
- result = ''.join(self.test_auth(req.environ, start_response))
- self.assert_(result.startswith('401'), result)
- self.assert_(not req.remote_user, req.remote_user)
- finally:
- auth.http_connect = old_http_connect
-
- def test_middleware_storage_token(self):
- old_http_connect = auth.http_connect
- try:
- auth.http_connect = mock_http_connect(204,
- {'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
- req = Request.blank('/v/AUTH_cfa/c/o',
- headers={'x-storage-token': 'AUTH_t'})
- req.environ['swift.cache'] = FakeMemcache()
- result = ''.join(self.test_auth(req.environ, start_response))
- self.assert_(result.startswith('204'), result)
- self.assertEquals(req.remote_user, 'act:usr,act,AUTH_cfa')
- finally:
- auth.http_connect = old_http_connect
-
- def test_authorize_bad_path(self):
- req = Request.blank('/badpath')
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 401)
- req = Request.blank('/badpath')
- req.remote_user = 'act:usr,act,AUTH_cfa'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
- req = Request.blank('')
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 404)
- req = Request.blank('')
- req.environ['swift.cache'] = FakeMemcache()
- result = ''.join(self.test_auth(req.environ, lambda x, y: None))
- self.assert_(result.startswith('404'), result)
-
- def test_authorize_account_access(self):
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act,AUTH_cfa'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- def test_authorize_acl_group_access(self):
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = 'act'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = 'act:usr'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = 'act2'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = 'act:usr2'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- def test_deny_cross_reseller(self):
- # Tests that cross-reseller is denied, even if ACLs/group names match
- req = Request.blank('/v1/OTHER_cfa')
- req.remote_user = 'act:usr,act,AUTH_cfa'
- req.acl = 'act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- def test_authorize_acl_referrer_access(self):
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = '.r:*'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.acl = '.r:.example.com'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
- req = Request.blank('/v1/AUTH_cfa')
- req.remote_user = 'act:usr,act'
- req.referer = 'http://www.example.com/index.html'
- req.acl = '.r:.example.com'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 401)
- req = Request.blank('/v1/AUTH_cfa')
- req.acl = '.r:*'
- self.assertEquals(self.test_auth.authorize(req), None)
- req = Request.blank('/v1/AUTH_cfa')
- req.acl = '.r:.example.com'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 401)
- req = Request.blank('/v1/AUTH_cfa')
- req.referer = 'http://www.example.com/index.html'
- req.acl = '.r:.example.com'
- self.assertEquals(self.test_auth.authorize(req), None)
-
- def test_account_put_permissions(self):
- req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
- req.remote_user = 'act:usr,act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
- req.remote_user = 'act:usr,act,AUTH_other'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- # Even PUTs to your own account as account admin should fail
- req = Request.blank('/v1/AUTH_old', environ={'REQUEST_METHOD': 'PUT'})
- req.remote_user = 'act:usr,act,AUTH_old'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
- req.remote_user = 'act:usr,act,.reseller_admin'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp, None)
-
- # .super_admin is not something the middleware should ever see or care
- # about
- req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'})
- req.remote_user = 'act:usr,act,.super_admin'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- def test_account_delete_permissions(self):
- req = Request.blank('/v1/AUTH_new',
- environ={'REQUEST_METHOD': 'DELETE'})
- req.remote_user = 'act:usr,act'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- req = Request.blank('/v1/AUTH_new',
- environ={'REQUEST_METHOD': 'DELETE'})
- req.remote_user = 'act:usr,act,AUTH_other'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- # Even DELETEs to your own account as account admin should fail
- req = Request.blank('/v1/AUTH_old',
- environ={'REQUEST_METHOD': 'DELETE'})
- req.remote_user = 'act:usr,act,AUTH_old'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
- req = Request.blank('/v1/AUTH_new',
- environ={'REQUEST_METHOD': 'DELETE'})
- req.remote_user = 'act:usr,act,.reseller_admin'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp, None)
-
- # .super_admin is not something the middleware should ever see or care
- # about
- req = Request.blank('/v1/AUTH_new',
- environ={'REQUEST_METHOD': 'DELETE'})
- req.remote_user = 'act:usr,act,.super_admin'
- resp = self.test_auth.authorize(req)
- self.assertEquals(resp and resp.status_int, 403)
-
-
-if __name__ == '__main__':
- unittest.main()