After I was sure all cases were covered, I rearranged the code to be more like Greg's; added comments and tests

Clay Gerrard 2010-09-17 11:03:07 -05:00
parent d5770ee214
commit e911634dea
2 changed files with 100 additions and 63 deletions


@ -38,14 +38,83 @@ class DevAuth(object):
conf.get('ssl', 'false').lower() in TRUE_VALUES
self.timeout = int(conf.get('node_timeout', 10))
def get_groups(self, token):
memcache_client = cache_from_env(env)
key = '%s/token/%s' % (self.reseller_prefix, token)
cached_auth_data = memcache_client.get(key)
if cached_auth_data:
start, expiration, groups = cached_auth_data
if time() - start > expiration:
groups = None
def __call__(self, env, start_response):
"""
Accepts a standard WSGI application call, authenticating the request
and installing callback hooks for authorization and ACL header
validation. For an authenticated request, REMOTE_USER will be set to a
comma separated list of the user's groups.
With out a reseller prefix, I act as the default auth service for
all requests, but I won't overwrite swift.authorize unless my auth
explictly grants groups to this token
As a reseller, I must respect that my auth server is not
authorative for all tokens, but I can set swift.authorize to
denied_reponse if it's not already set
"""
token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
if token and token.startswith(self.reseller_prefix):
# N.B. no reseller_prefix will match all tokens!
# attempt to auth my token with my auth server
groups = self.get_groups(token,
memcache_client=cache_from_env(env))
if groups:
env['REMOTE_USER'] = groups
user = groups and groups.split(',', 1)[0] or ''
env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token)
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
else:
# unauthorized token
if self.reseller_prefix:
# because I own this token, I can deny it outright
return HTTPUnauthorized()(env, start_response)
elif 'swift.authorize' not in env:
# default auth won't over-write swift.authorize
env['swift.authorize'] = self.denied_response
else:
if self.reseller_prefix:
# As a reseller, I would like to be calledback for annoynomous
# access to my accounts
version, rest = split_path(env.get('PATH_INFO', ''),
1, 2, True)
if rest and rest.startswith(self.reseller_prefix):
# handle annoynomous access to my reseller's accounts
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
elif 'swift.authorize' not in env:
# not my token, not my account, I can't authorize this
# request, deny all is a good idea if not already set...
env['swift.authorize'] = self.denied_response
elif 'swift.authorize' not in env:
# As a default auth, I'm willing to handle annoynomous requests
# for all accounts, but I won't over-write swift.authorize
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
return self.app(env, start_response)
def get_groups(self, token, memcache_client=None):
"""
Get groups for the given token, may use a memcache_client if set, and
update cache/expire old values; otherwise call auth_host and return
'x-auth-groups'
"""
groups = None
if memcache_client:
key = '%s/token/%s' % (self.reseller_prefix, token)
cached_auth_data = memcache_client.get(key)
if cached_auth_data:
start, expiration, groups = cached_auth_data
if time() - start > expiration:
groups = None
def set_memcache(expiration, groups, key=key):
memcache_client.set(key, (time(), expiration, groups),
timeout=expiration)
else:
set_memcache = lambda *args: None
if not groups:
with Timeout(self.timeout):
conn = http_connect(self.auth_host, self.auth_port, 'GET',
@ -55,63 +124,10 @@ class DevAuth(object):
conn.close()
if resp.status // 100 != 2:
return None
expiration = float(resp.getheader('x-auth-ttl'))
groups = resp.getheader('x-auth-groups')
memcache_client.set(key, (time(), expiration, groups),
timeout=expiration)
return groups
def __call__(self, env, start_response):
"""
Accepts a standard WSGI application call, authenticating the request
and installing callback hooks for authorization and ACL header
validation. For an authenticated request, REMOTE_USER will be set to a
comma separated list of the user's groups.
"""
token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
if not self.reseller_prefix:
# all requests belong to me
if token:
# I should attempt to auth any token
groups = self.get_groups(token)
else:
groups = None # no token is same as an unauthorized token
if groups:
env['REMOTE_USER'] = groups
user = groups and groups.split(',', 1)[0] or ''
env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token)
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
else:
# as a reseller, I must respect that just can my auth can't provide
# groups for a token, others may
if token and token.startswith(self.reseller_prefix)::
# attempt to auth my token with my auth server
groups = self.get_groups(token)
if groups:
# authenticated!
env['REMOTE_USER'] = groups
user = groups and groups.split(',', 1)[0] or ''
env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token)
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
else:
# I can't claim this token, but I might claim the annoynomous request
version, rest = split_path(env.get('PATH_INFO', ''), 1, 2, True)
if rest and rest.startswith(self.reseller_prefix):
# annoynomous access to my reseller's accounts
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
else:
# not my token, not my account
# good idea regardless...
if 'swift.authorize' not in env:
env['swift.authorize'] = self.denied_response
return self.app(env, start_response)
set_memcache(expiration, groups)
return groups
def authorize(self, req):
"""
@ -153,6 +169,7 @@ def filter_factory(global_conf, **local_conf):
"""Returns a WSGI filter app for use with paste.deploy."""
conf = global_conf.copy()
conf.update(local_conf)
def auth_filter(app):
return DevAuth(app, conf)
return auth_filter
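Review bot: The rearranged `get_groups` still trusts the auth server's `x-auth-ttl` header unchecked: `expiration = float(resp.getheader('x-auth-ttl'))` raises TypeError when the header is absent and ValueError when it is not numeric, and the value is then handed straight to `set_memcache(expiration, groups)` as the memcache timeout, so a zero, negative or NaN TTL is cached as-is; the function starts in the first hunk and this tail is in the second, and the commit changes the caching around it without adding a guard. A 2xx reply with a missing or malformed TTL should be treated like a rejected token rather than surface as an unhandled exception, and only a positive TTL should be cached (if the memcache client follows memcached's convention that a timeout of 0 means "never expire", a zero TTL would otherwise pin the entry, even though the `time() - start > expiration` check would still discard it on read). I would also drop the `'%s,%s'` prefix on `REMOTE_USER`'s sibling computation in `__call__` to a plain `groups.split(',', 1)[0]`, since that line is already inside `if groups:`, and fix the typos in the new docstring and comments ("With out", "explictly", "authorative", "denied_reponse", "annoynomous", "calledback").
```python
        # … unchanged: memcache lookup, set_memcache closure, http_connect call …
        if resp.status // 100 != 2:
            return None
        # A 2xx without a usable TTL is treated as a rejected token rather
        # than letting TypeError/ValueError escape from the auth path.
        try:
            expiration = float(resp.getheader('x-auth-ttl'))
        except (TypeError, ValueError):
            return None
        groups = resp.getheader('x-auth-groups')
        if expiration > 0:
            set_memcache(expiration, groups)
        return groups
```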


@ -164,6 +164,26 @@ class TestAuth(unittest.TestCase):
finally:
auth.http_connect = old_http_connect
def test_auth_no_reseller_prefix_allow(self):
# Ensures that when we have no reseller prefix, we can still allow
# access if our auth server accepts requests
old_http_connect = auth.http_connect
try:
local_app = FakeApp()
local_auth = \
auth.filter_factory({'reseller_prefix': ''})(local_app)
auth.http_connect = mock_http_connect(204,
{'x-auth-ttl': '1234', 'x-auth-groups': 'act:usr,act,AUTH_cfa'})
reqenv = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/act',
'HTTP_X_AUTH_TOKEN': 't', 'swift.cache': None}
result = ''.join(local_auth(reqenv, lambda x, y: None))
self.assert_(result.startswith('204'), result)
self.assert_(local_app.i_was_called)
self.assertEquals(reqenv['swift.authorize'],
local_auth.authorize)
finally:
auth.http_connect = old_http_connect
def test_auth_no_reseller_prefix_no_token(self):
# Check that normally we set up a call back to our authorize.
local_auth = \