diff --git a/bin/st b/bin/st index b41aca67ec..cab398910e 100755 --- a/bin/st +++ b/bin/st @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swauth-add-account b/bin/swauth-add-account new file mode 100755 index 0000000000..32aceffc7b --- /dev/null +++ b/bin/swauth-add-account @@ -0,0 +1,67 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-s', '--suffix', dest='suffix', + default='', help='The suffix to use with the reseller prefix as the ' + 'storage account name (default: ) Note: If ' + 'the account already exists, this will have no effect on existing ' + 'service URLs. Those will need to be updated with ' + 'swauth-set-account-service') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/)') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 1: + parser.parse_args(['-h']) + account = args[0] + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + if options.suffix: + headers['X-Account-Suffix'] = options.suffix + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account creation failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-add-user b/bin/swauth-add-user new file mode 100755 index 0000000000..a844ed2a37 --- /dev/null +++ b/bin/swauth-add-user @@ -0,0 +1,92 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser( + usage='Usage: %prog [options] ') + parser.add_option('-a', '--admin', dest='admin', action='store_true', + default=False, help='Give the user administrator access; otherwise ' + 'the user will only have access to containers specifically allowed ' + 'with ACLs.') + parser.add_option('-r', '--reseller-admin', dest='reseller_admin', + action='store_true', default=False, help='Give the user full reseller ' + 'administrator access, giving them full access to all accounts within ' + 'the reseller, including the ability to create new accounts. Creating ' + 'a new reseller admin requires super_admin rights.') + parser.add_option('-s', '--suffix', dest='suffix', + default='', help='The suffix to use with the reseller prefix as the ' + 'storage account name (default: ) Note: If ' + 'the account already exists, this will have no effect on existing ' + 'service URLs. Those will need to be updated with ' + 'swauth-set-account-service') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 3: + parser.parse_args(['-h']) + account, user, password = args + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + # Ensure the account exists + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + if options.suffix: + headers['X-Account-Suffix'] = options.suffix + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account creation failed: %s %s' % (resp.status, resp.reason) + # Add the user + path = '%sv2/%s/%s' % (parsed.path, account, user) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key, + 'X-Auth-User-Key': password} + if options.admin: + headers['X-Auth-User-Admin'] = 'true' + if options.reseller_admin: + headers['X-Auth-User-Reseller-Admin'] = 'true' + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'User creation failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-cleanup-tokens b/bin/swauth-cleanup-tokens new file mode 100755 index 0000000000..5666f801c2 --- /dev/null +++ b/bin/swauth-cleanup-tokens @@ -0,0 +1,104 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +import gettext +import re +from datetime import datetime, timedelta +from optparse import OptionParser +from sys import argv, exit +from time import sleep, time + +from swift.common.client import Connection + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage='Usage: %prog [options]') + parser.add_option('-t', '--token-life', dest='token_life', + default='86400', help='The expected life of tokens; token objects ' + 'modified more than this number of seconds ago will be checked for ' + 'expiration (default: 86400).') + parser.add_option('-s', '--sleep', dest='sleep', + default='0.1', help='The number of seconds to sleep between token ' + 'checks (default: 0.1)') + parser.add_option('-v', '--verbose', dest='verbose', action='store_true', + default=False, help='Outputs everything done instead of just the ' + 'deletions.') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/)') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for .super_admin.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 0: + parser.parse_args(['-h']) + options.admin_url = options.admin_url.rstrip('/') + if not options.admin_url.endswith('/v1.0'): + options.admin_url += '/v1.0' + options.admin_user = '.super_admin:.super_admin' + options.token_life = timedelta(0, float(options.token_life)) + options.sleep = float(options.sleep) + conn = Connection(options.admin_url, options.admin_user, options.admin_key) + for x in xrange(16): + container = '.token_%x' % x + marker = None + while True: + if options.verbose: + print 'GET %s?marker=%s' % (container, marker) + objs = conn.get_container(container, marker=marker)[1] + if objs: + marker = objs[-1]['name'] + else: + if options.verbose: + print 'No more objects in %s' % container + break + for obj in objs: + last_modified = datetime(*map(int, re.split('[^\d]', + obj['last_modified'])[:-1])) + ago = datetime.utcnow() - last_modified + if ago > options.token_life: + if options.verbose: + print '%s/%s last modified %ss ago; investigating' % \ + (container, obj['name'], + ago.days * 86400 + ago.seconds) + print 'GET %s/%s' % (container, obj['name']) + detail = conn.get_object(container, obj['name'])[1] + detail = json.loads(detail) + if detail['expires'] < time(): + if options.verbose: + print '%s/%s expired %ds ago; deleting' % \ + (container, obj['name'], + time() - detail['expires']) + print 'DELETE %s/%s' % (container, obj['name']) + conn.delete_object(container, obj['name']) + elif options.verbose: + print "%s/%s won't expire for %ds; skipping" % \ + (container, obj['name'], + detail['expires'] - time()) + elif options.verbose: + print '%s/%s last modified %ss ago; skipping' % \ + (container, obj['name'], + ago.days * 86400 + ago.seconds) + sleep(options.sleep) + if options.verbose: + print 'Done.' diff --git a/bin/swauth-delete-account b/bin/swauth-delete-account new file mode 100755 index 0000000000..c46e5e3b91 --- /dev/null +++ b/bin/swauth-delete-account @@ -0,0 +1,59 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 1: + parser.parse_args(['-h']) + account = args[0] + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account deletion failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-delete-user b/bin/swauth-delete-user new file mode 100755 index 0000000000..5ee162437c --- /dev/null +++ b/bin/swauth-delete-user @@ -0,0 +1,59 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 2: + parser.parse_args(['-h']) + account, user = args + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s/%s' % (parsed.path, account, user) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'User deletion failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-list b/bin/swauth-list new file mode 100755 index 0000000000..7433e3ddfd --- /dev/null +++ b/bin/swauth-list @@ -0,0 +1,85 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage=''' +Usage: %prog [options] [account] [user] + +If [account] and [user] are omitted, a list of accounts will be output. + +If [account] is included but not [user], an account's information will be +output, including a list of users within the account. + +If [account] and [user] are included, the user's information will be output, +including a list of groups the user belongs to. + +If the [user] is '.groups', the active groups for the account will be listed. +'''.strip()) + parser.add_option('-p', '--plain-text', dest='plain_text', + action='store_true', default=False, help='Changes the output from ' + 'JSON to plain text. This will cause an account to list only the ' + 'users and a user to list only the groups.') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) > 2: + parser.parse_args(['-h']) + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, '/'.join(args)) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'List failed: %s %s' % (resp.status, resp.reason) + body = resp.read() + if options.plain_text: + info = json.loads(body) + for group in info[['accounts', 'users', 'groups'][len(args)]]: + print group['name'] + else: + print body diff --git a/bin/swauth-prep b/bin/swauth-prep new file mode 100755 index 0000000000..5a931ae1d0 --- /dev/null +++ b/bin/swauth-prep @@ -0,0 +1,58 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage='Usage: %prog [options]') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if args: + parser.parse_args(['-h']) + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/.prep' % parsed.path + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Auth subsystem prep failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-set-account-service b/bin/swauth-set-account-service new file mode 100755 index 0000000000..32eb06dc6b --- /dev/null +++ b/bin/swauth-set-account-service @@ -0,0 +1,72 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +import gettext +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + parser = OptionParser(usage=''' +Usage: %prog [options] + +Sets a service URL for an account. Can only be set by a reseller admin. + +Example: %prog -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162 +'''.strip()) + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/)') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 4: + parser.parse_args(['-h']) + account, service, name, url = args + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s/.services' % (parsed.path, account) + body = json.dumps({service: {name: url}}) + headers = {'Content-Length': str(len(body)), + 'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers, + ssl=(parsed.scheme == 'https')) + conn.send(body) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Service set failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swift-account-audit b/bin/swift-account-audit index fe611562d7..81823722bf 100755 --- a/bin/swift-account-audit +++ b/bin/swift-account-audit @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-account-auditor b/bin/swift-account-auditor index 5707dfd515..3dc4c17609 100755 --- a/bin/swift-account-auditor +++ b/bin/swift-account-auditor @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-account-reaper b/bin/swift-account-reaper index 688b19b14d..c5df6f4c2f 100755 --- a/bin/swift-account-reaper +++ b/bin/swift-account-reaper @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-account-replicator b/bin/swift-account-replicator index 8edc7cf406..3978dc0bee 100755 --- a/bin/swift-account-replicator +++ b/bin/swift-account-replicator @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-account-server b/bin/swift-account-server index 8c627afa59..a4088fffb2 100755 --- a/bin/swift-account-server +++ b/bin/swift-account-server @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-account-stats-logger b/bin/swift-account-stats-logger index 7e9d26ba50..7b95b20249 100755 --- a/bin/swift-account-stats-logger +++ b/bin/swift-account-stats-logger @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-auth-add-user b/bin/swift-auth-add-user index d502dc83a8..6b997d8ccd 100755 --- a/bin/swift-auth-add-user +++ b/bin/swift-auth-add-user @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-auth-recreate-accounts b/bin/swift-auth-recreate-accounts index e17bf2da3b..430940f44e 100755 --- a/bin/swift-auth-recreate-accounts +++ b/bin/swift-auth-recreate-accounts @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-auth-server b/bin/swift-auth-server index 80c652f5b4..10c0fba073 100755 --- a/bin/swift-auth-server +++ b/bin/swift-auth-server @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-auth-to-swauth b/bin/swift-auth-to-swauth new file mode 100755 index 0000000000..a84c6cd1a5 --- /dev/null +++ b/bin/swift-auth-to-swauth @@ -0,0 +1,46 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import gettext +from subprocess import call +from sys import argv, exit + +import sqlite3 + + +if __name__ == '__main__': + gettext.install('swift', unicode=1) + if len(argv) != 4 or argv[1] != '-K': + exit('Syntax: %s -K ' % argv[0]) + _, _, super_admin_key, auth_db = argv + call(['swauth-prep', '-K', super_admin_key]) + conn = sqlite3.connect(auth_db) + for account, cfaccount, user, password, admin, reseller_admin in \ + conn.execute('SELECT account, cfaccount, user, password, admin, ' + 'reseller_admin FROM account'): + cmd = ['swauth-add-user', '-K', super_admin_key, '-s', + cfaccount.split('_', 1)[1]] + if admin == 't': + cmd.append('-a') + if reseller_admin == 't': + cmd.append('-r') + cmd.extend([account, user, password]) + print ' '.join(cmd) + call(cmd) + print '----------------------------------------------------------------' + print ' Assuming the above worked perfectly, you should copy and paste ' + print ' those lines into your ~/bin/recreateaccounts script.' + print '----------------------------------------------------------------' diff --git a/bin/swift-auth-update-reseller-prefixes b/bin/swift-auth-update-reseller-prefixes index 41a4bf6a76..52b6345e99 100755 --- a/bin/swift-auth-update-reseller-prefixes +++ b/bin/swift-auth-update-reseller-prefixes @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-bench b/bin/swift-bench index ab332482cd..447d82724d 100755 --- a/bin/swift-bench +++ b/bin/swift-bench @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,7 @@ import uuid from optparse import OptionParser from swift.common.bench import BenchController -from swift.common.utils import readconf, NamedLogger +from swift.common.utils import readconf, LogAdapter, NamedFormatter # The defaults should be sufficient to run swift-bench on a SAIO CONF_DEFAULTS = { @@ -124,10 +124,11 @@ if __name__ == '__main__': 'critical': logging.CRITICAL}.get( options.log_level.lower(), logging.INFO)) loghandler = logging.StreamHandler() - logformat = logging.Formatter('%(asctime)s %(levelname)s %(message)s') - loghandler.setFormatter(logformat) logger.addHandler(loghandler) - logger = NamedLogger(logger, 'swift-bench') + logger = LogAdapter(logger) + logformat = NamedFormatter('swift-bench', logger, + fmt='%(server)s %(asctime)s %(levelname)s %(message)s') + loghandler.setFormatter(logformat) controller = BenchController(logger, options) controller.run() diff --git a/bin/swift-container-auditor b/bin/swift-container-auditor index 62ff797535..9c29d4400b 100755 --- a/bin/swift-container-auditor +++ b/bin/swift-container-auditor @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-container-replicator b/bin/swift-container-replicator index 34e1dae8c7..d8443afacd 100755 --- a/bin/swift-container-replicator +++ b/bin/swift-container-replicator @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-container-server b/bin/swift-container-server index c6d4cf154b..2dbfbba090 100755 --- a/bin/swift-container-server +++ b/bin/swift-container-server @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-container-updater b/bin/swift-container-updater index 28bdaf1eae..d1b1d5ffb5 100755 --- a/bin/swift-container-updater +++ b/bin/swift-container-updater @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-drive-audit b/bin/swift-drive-audit index cde28c1ed7..95143e8b56 100755 --- a/bin/swift-drive-audit +++ b/bin/swift-drive-audit @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-get-nodes b/bin/swift-get-nodes index f24dd48f96..b84119222c 100755 --- a/bin/swift-get-nodes +++ b/bin/swift-get-nodes @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-init b/bin/swift-init index bc2dea983e..1a6b272345 100755 --- a/bin/swift-init +++ b/bin/swift-init @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-log-stats-collector b/bin/swift-log-stats-collector index 950a0f5fe0..374af49a4f 100755 --- a/bin/swift-log-stats-collector +++ b/bin/swift-log-stats-collector @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-log-uploader b/bin/swift-log-uploader index e533cad824..9d0e27836c 100755 --- a/bin/swift-log-uploader +++ b/bin/swift-log-uploader @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-object-auditor b/bin/swift-object-auditor index 033249ecca..c7371bdfeb 100755 --- a/bin/swift-object-auditor +++ b/bin/swift-object-auditor @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-object-info b/bin/swift-object-info index 57f2522071..e7befddf8c 100755 --- a/bin/swift-object-info +++ b/bin/swift-object-info @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-object-replicator b/bin/swift-object-replicator index 53a48e3942..7ae5db81c1 100755 --- a/bin/swift-object-replicator +++ b/bin/swift-object-replicator @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-object-server b/bin/swift-object-server index 5984fe6c69..3f36882c5f 100755 --- a/bin/swift-object-server +++ b/bin/swift-object-server @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-object-updater b/bin/swift-object-updater index 6d68c57c6e..779a3b7306 100755 --- a/bin/swift-object-updater +++ b/bin/swift-object-updater @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-proxy-server b/bin/swift-proxy-server index baccf568e6..6dae54e156 100755 --- a/bin/swift-proxy-server +++ b/bin/swift-proxy-server @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-ring-builder b/bin/swift-ring-builder index 50353df256..c448bea5ca 100755 --- a/bin/swift-ring-builder +++ b/bin/swift-ring-builder @@ -1,5 +1,5 @@ #!/usr/bin/python -uO -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,20 +20,40 @@ from gzip import GzipFile from os import mkdir from os.path import basename, dirname, exists, join as pathjoin from sys import argv, exit +from textwrap import wrap from time import time from swift.common.ring import RingBuilder MAJOR_VERSION = 1 -MINOR_VERSION = 1 +MINOR_VERSION = 2 EXIT_RING_CHANGED = 0 EXIT_RING_UNCHANGED = 1 -EXIT_ERROR = 2 +EXIT_ERROR = 2 def search_devs(builder, search_value): - # dz-:/_ + """ +The can be of the form: + dz-:/_ + Any part is optional, but you must include at least one part. + Examples: + d74 Matches the device id 74 + z1 Matches devices in zone 1 + z1-1.2.3.4 Matches devices in zone 1 with the ip 1.2.3.4 + 1.2.3.4 Matches devices in any zone with the ip 1.2.3.4 + z1:5678 Matches devices in zone 1 using port 5678 + :5678 Matches devices that use port 5678 + /sdb1 Matches devices with the device name sdb1 + _shiny Matches devices with shiny in the meta data + _"snet: 5.6.7.8" Matches devices with snet: 5.6.7.8 in the meta data + Most specific example: + d74z1-1.2.3.4:5678/sdb1_"snet: 5.6.7.8" + Nerd explanation: + All items require their single character prefix except the ip, in which + case the - is optional unless the device id or zone is also included. + """ orig_search_value = search_value match = [] if search_value.startswith('d'): @@ -72,7 +92,8 @@ def search_devs(builder, search_value): match.append(('meta', search_value[1:])) search_value = '' if search_value: - raise ValueError('Invalid : %s' % repr(orig_search_value)) + raise ValueError('Invalid : %s' % + repr(orig_search_value)) devs = [] for dev in builder.devs: if not dev: @@ -89,142 +110,22 @@ def search_devs(builder, search_value): return devs -SEARCH_VALUE_HELP = ''' - The can be of the form: - dz-:/_ - Any part is optional, but you must include at least one part. - Examples: - d74 Matches the device id 74 - z1 Matches devices in zone 1 - z1-1.2.3.4 Matches devices in zone 1 with the ip 1.2.3.4 - 1.2.3.4 Matches devices in any zone with the ip 1.2.3.4 - z1:5678 Matches devices in zone 1 using port 5678 - :5678 Matches devices that use port 5678 - /sdb1 Matches devices with the device name sdb1 - _shiny Matches devices with shiny in the meta data - _"snet: 5.6.7.8" Matches devices with snet: 5.6.7.8 in the meta data - Most specific example: - d74z1-1.2.3.4:5678/sdb1_"snet: 5.6.7.8" - Nerd explanation: - All items require their single character prefix except the ip, in which - case the - is optional unless the device id or zone is also included. -'''.strip() +class Commands: -CREATE_HELP = ''' -swift-ring-builder create + def unknown(): + print 'Unknown command: %s' % argv[2] + exit(EXIT_ERROR) + + def create(): + """ +swift-ring-builder create + Creates with 2^ partitions and . is number of hours to restrict moving a partition more than once. -'''.strip() - -SEARCH_HELP = ''' -swift-ring-builder search - Shows information about matching devices. - - %(SEARCH_VALUE_HELP)s -'''.strip() % globals() - -ADD_HELP = ''' -swift-ring-builder add z-:/_ - Adds a device to the ring with the given information. No partitions will be - assigned to the new device until after running 'rebalance'. This is so you - can make multiple device changes and rebalance them all just once. -'''.strip() - -SET_WEIGHT_HELP = ''' -swift-ring-builder set_weight - Resets the device's weight. No partitions will be reassigned to or from the - device until after running 'rebalance'. This is so you can make multiple - device changes and rebalance them all just once. - - %(SEARCH_VALUE_HELP)s -'''.strip() % globals() - -SET_INFO_HELP = ''' -swift-ring-builder set_info - :/_ - Resets the device's information. This information isn't used to assign - partitions, so you can use 'write_ring' afterward to rewrite the current - ring with the newer device information. Any of the parts are optional - in the final :/_ parameter; just give what you - want to change. For instance set_info d74 _"snet: 5.6.7.8" would just - update the meta data for device id 74. - - %(SEARCH_VALUE_HELP)s -'''.strip() % globals() - -REMOVE_HELP = ''' -swift-ring-builder remove - Removes the device(s) from the ring. This should normally just be used for - a device that has failed. For a device you wish to decommission, it's best - to set its weight to 0, wait for it to drain all its data, then use this - remove command. This will not take effect until after running 'rebalance'. - This is so you can make multiple device changes and rebalance them all just - once. - - %(SEARCH_VALUE_HELP)s -'''.strip() % globals() - -SET_MIN_PART_HOURS_HELP = ''' -swift-ring-builder set_min_part_hours - Changes the to the given . This should be set to - however long a full replication/update cycle takes. We're working on a way - to determine this more easily than scanning logs. -'''.strip() - - -if __name__ == '__main__': - if len(argv) < 2: - print ''' -swift-ring-builder %(MAJOR_VERSION)s.%(MINOR_VERSION)s - -%(CREATE_HELP)s - -swift-ring-builder - Shows information about the ring and the devices within. - -%(SEARCH_HELP)s - -%(ADD_HELP)s - -%(SET_WEIGHT_HELP)s - -%(SET_INFO_HELP)s - -%(REMOVE_HELP)s - -swift-ring-builder rebalance - Attempts to rebalance the ring by reassigning partitions that haven't been - recently reassigned. - -swift-ring-builder validate - Just runs the validation routines on the ring. - -swift-ring-builder write_ring - Just rewrites the distributable ring file. This is done automatically after - a successful rebalance, so really this is only useful after one or more - 'set_info' calls when no rebalance is needed but you want to send out the - new device information. - -%(SET_MIN_PART_HOURS_HELP)s - -Quick list: create search add set_weight set_info remove rebalance write_ring - set_min_part_hours -Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error -'''.strip() % globals() - exit(EXIT_RING_UNCHANGED) - - if exists(argv[1]): - builder = pickle.load(open(argv[1], 'rb')) - for dev in builder.devs: - if dev and 'meta' not in dev: - dev['meta'] = '' - elif len(argv) < 3 or argv[2] != 'create': - print 'Ring Builder file does not exist: %s' % argv[1] - exit(EXIT_ERROR) - elif argv[2] == 'create': + """ if len(argv) < 6: - print CREATE_HELP + print Commands.create.__doc__.strip() exit(EXIT_RING_UNCHANGED) builder = RingBuilder(int(argv[3]), int(argv[4]), int(argv[5])) backup_dir = pathjoin(dirname(argv[1]), 'backups') @@ -238,19 +139,11 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_CHANGED) - backup_dir = pathjoin(dirname(argv[1]), 'backups') - try: - mkdir(backup_dir) - except OSError, err: - if err.errno != EEXIST: - raise - - ring_file = argv[1] - if ring_file.endswith('.builder'): - ring_file = ring_file[:-len('.builder')] - ring_file += '.ring.gz' - - if len(argv) == 2: + def default(): + """ +swift-ring-builder + Shows information about the ring and the devices within. + """ print '%s, build version %d' % (argv[1], builder.version) zones = 0 balance = 0 @@ -284,9 +177,15 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error dev['meta']) exit(EXIT_RING_UNCHANGED) - if argv[2] == 'search': + def search(): + """ +swift-ring-builder search + Shows information about matching devices. + """ if len(argv) < 4: - print SEARCH_HELP + print Commands.search.__doc__.strip() + print + print search_devs.__doc__.strip() exit(EXIT_RING_UNCHANGED) devs = search_devs(builder, argv[3]) if not devs: @@ -311,10 +210,16 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error dev['meta']) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'add': - # add z-:/_ + def add(): + """ +swift-ring-builder add z-:/_ + + Adds a device to the ring with the given information. No partitions will be + assigned to the new device until after running 'rebalance'. This is so you + can make multiple device changes and rebalance them all just once. + """ if len(argv) < 5: - print ADD_HELP + print Commands.add.__doc__.strip() exit(EXIT_RING_UNCHANGED) if not argv[3].startswith('z'): @@ -379,9 +284,17 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'set_weight': + def set_weight(): + """ +swift-ring-builder set_weight + Resets the device's weight. No partitions will be reassigned to or from the + device until after running 'rebalance'. This is so you can make multiple + device changes and rebalance them all just once. + """ if len(argv) != 5: - print SET_WEIGHT_HELP + print Commands.set_weight.__doc__.strip() + print + print search_devs.__doc__.strip() exit(EXIT_RING_UNCHANGED) devs = search_devs(builder, argv[3]) weight = float(argv[4]) @@ -404,9 +317,21 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'set_info': + def set_info(): + """ +swift-ring-builder set_info + :/_ + Resets the device's information. This information isn't used to assign + partitions, so you can use 'write_ring' afterward to rewrite the current + ring with the newer device information. Any of the parts are optional + in the final :/_ parameter; just give what you + want to change. For instance set_info d74 _"snet: 5.6.7.8" would just + update the meta data for device id 74. + """ if len(argv) != 5: - print SET_INFO_HELP + print Commands.set_info.__doc__.strip() + print + print search_devs.__doc__.strip() exit(EXIT_RING_UNCHANGED) devs = search_devs(builder, argv[3]) change_value = argv[4] @@ -471,9 +396,20 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'remove': + def remove(): + """ +swift-ring-builder remove + Removes the device(s) from the ring. This should normally just be used for + a device that has failed. For a device you wish to decommission, it's best + to set its weight to 0, wait for it to drain all its data, then use this + remove command. This will not take effect until after running 'rebalance'. + This is so you can make multiple device changes and rebalance them all just + once. + """ if len(argv) < 4: - print REMOVE_HELP + print Commands.remove.__doc__.strip() + print + print search_devs.__doc__.strip() exit(EXIT_RING_UNCHANGED) devs = search_devs(builder, argv[3]) if not devs: @@ -491,11 +427,17 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error for dev in devs: builder.remove_dev(dev['id']) print 'd%(id)sz%(zone)s-%(ip)s:%(port)s/%(device)s_"%(meta)s" ' \ - 'marked for removal and will be removed next rebalance.' % dev + 'marked for removal and will be removed next rebalance.' \ + % dev pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'rebalance': + def rebalance(): + """ +swift-ring-builder rebalance + Attempts to rebalance the ring by reassigning partitions that haven't been + recently reassigned. + """ devs_changed = builder.devs_changed last_balance = builder.get_balance() parts, balance = builder.rebalance() @@ -528,31 +470,50 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_CHANGED) - elif argv[2] == 'validate': + def validate(): + """ +swift-ring-builder validate + Just runs the validation routines on the ring. + """ builder.validate() exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'write_ring': + def write_ring(): + """ +swift-ring-builder write_ring + Just rewrites the distributable ring file. This is done automatically after + a successful rebalance, so really this is only useful after one or more + 'set_info' calls when no rebalance is needed but you want to send out the + new device information. + """ ring_data = builder.get_ring() if not ring_data._replica2part2dev_id: - if ring_data.devs: - print 'Warning: Writing a ring with no partition assignments but with devices; did you forget to run "rebalance"?' - else: - print 'Warning: Writing an empty ring' + if ring_data.devs: + print 'Warning: Writing a ring with no partition ' \ + 'assignments but with devices; did you forget to run ' \ + '"rebalance"?' + else: + print 'Warning: Writing an empty ring' pickle.dump(ring_data, GzipFile(pathjoin(backup_dir, '%d.' % time() + basename(ring_file)), 'wb'), protocol=2) pickle.dump(ring_data, GzipFile(ring_file, 'wb'), protocol=2) exit(EXIT_RING_CHANGED) - elif argv[2] == 'pretend_min_part_hours_passed': + def pretend_min_part_hours_passed(): builder.pretend_min_part_hours_passed() pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - elif argv[2] == 'set_min_part_hours': + def set_min_part_hours(): + """ +swift-ring-builder set_min_part_hours + Changes the to the given . This should be set to + however long a full replication/update cycle takes. We're working on a way + to determine this more easily than scanning logs. + """ if len(argv) < 4: - print SET_MIN_PART_HOURS_HELP + print Commands.set_min_part_hours.__doc__.strip() exit(EXIT_RING_UNCHANGED) builder.change_min_part_hours(int(argv[3])) print 'The minimum number of hours before a partition can be ' \ @@ -560,5 +521,51 @@ Exit codes: 0 = ring changed, 1 = ring did not change, 2 = error pickle.dump(builder, open(argv[1], 'wb'), protocol=2) exit(EXIT_RING_UNCHANGED) - print 'Unknown command: %s' % argv[2] - exit(EXIT_ERROR) + +if __name__ == '__main__': + if len(argv) < 2: + print "swift-ring-builder %(MAJOR_VERSION)s.%(MINOR_VERSION)s\n" % \ + globals() + print Commands.default.__doc__.strip() + print + cmds = [c for c, f in Commands.__dict__.iteritems() + if f.__doc__ and c[0] != '_' and c != 'default'] + cmds.sort() + for cmd in cmds: + print Commands.__dict__[cmd].__doc__.strip() + print + print search_devs.__doc__.strip() + print + for line in wrap(' '.join(cmds), 79, initial_indent='Quick list: ', + subsequent_indent=' '): + print line + print 'Exit codes: 0 = ring changed, 1 = ring did not change, ' \ + '2 = error' + exit(EXIT_RING_UNCHANGED) + + if exists(argv[1]): + builder = pickle.load(open(argv[1], 'rb')) + for dev in builder.devs: + if dev and 'meta' not in dev: + dev['meta'] = '' + elif len(argv) < 3 or argv[2] != 'create': + print 'Ring Builder file does not exist: %s' % argv[1] + exit(EXIT_ERROR) + + backup_dir = pathjoin(dirname(argv[1]), 'backups') + try: + mkdir(backup_dir) + except OSError, err: + if err.errno != EEXIST: + raise + + ring_file = argv[1] + if ring_file.endswith('.builder'): + ring_file = ring_file[:-len('.builder')] + ring_file += '.ring.gz' + + if len(argv) == 2: + command = "default" + else: + command = argv[2] + Commands.__dict__.get(command, Commands.unknown)() diff --git a/bin/swift-stats-populate b/bin/swift-stats-populate index 8ea210cb65..ba531ddc87 100755 --- a/bin/swift-stats-populate +++ b/bin/swift-stats-populate @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/bin/swift-stats-report b/bin/swift-stats-report index 3f735877cf..f2504280ba 100755 --- a/bin/swift-stats-report +++ b/bin/swift-stats-report @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/doc/source/admin_guide.rst b/doc/source/admin_guide.rst index 31c5f17123..068501a0b2 100644 --- a/doc/source/admin_guide.rst +++ b/doc/source/admin_guide.rst @@ -164,7 +164,10 @@ swift-stats-populate and swift-stats-report use the same configuration file, /etc/swift/stats.conf. Example conf file:: [stats] + # For DevAuth: auth_url = http://saio:11000/v1.0 + # For Swauth: + # auth_url = http://saio:11000/auth/v1.0 auth_user = test:tester auth_key = testing @@ -229,6 +232,21 @@ get performance timings (warning: the initial populate takes a while). These timings are dumped into a CSV file (/etc/swift/stats.csv by default) and can then be graphed to see how cluster performance is trending. +------------------------------------ +Additional Cleanup Script for Swauth +------------------------------------ + +If you decide to use Swauth, you'll want to install a cronjob to clean up any +orphaned expired tokens. These orphaned tokens can occur when a "stampede" +occurs where a single user authenticates several times concurrently. Generally, +these orphaned tokens don't pose much of an issue, but it's good to clean them +up once a "token life" period (default: 1 day or 86400 seconds). + +This should be as simple as adding `swauth-cleanup-tokens -K swauthkey > +/dev/null` to a crontab entry on one of the proxies that is running Swauth; but +run `swauth-cleanup-tokens` with no arguments for detailed help on the options +available. + ------------------------ Debugging Tips and Tools ------------------------ diff --git a/doc/source/conf.py b/doc/source/conf.py index 74dfce9947..88bc171e66 100644 --- a/doc/source/conf.py +++ b/doc/source/conf.py @@ -1,5 +1,5 @@ # -*- coding: utf-8 -*- -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/doc/source/deployment_guide.rst b/doc/source/deployment_guide.rst index 68f8c9b5c8..7af25ad631 100644 --- a/doc/source/deployment_guide.rst +++ b/doc/source/deployment_guide.rst @@ -229,7 +229,12 @@ Option Default Description log_name object-auditor Label used when logging log_facility LOG_LOCAL0 Syslog log facility log_level INFO Logging level -interval 1800 Minimum time for a pass to take +files_per_second 20 Maximum files audited per second. Should + be tuned according to individual system + specs. 0 is unlimited. +bytes_per_second 10000000 Maximum bytes audited per second. Should + be tuned according to individual system + specs. 0 is unlimited. ================== ============== ========================================== ------------------------------ @@ -484,6 +489,43 @@ ssl False If True, use SSL to node_timeout 10 Request timeout ============ =================================== ======================== +[swauth] + +===================== =============================== ======================= +Option Default Description +--------------------- ------------------------------- ----------------------- +use Entry point for + paste.deploy to use for + auth. To use the swauth + set to: + `egg:swift#swauth` +log_name auth-server Label used when logging +log_facility LOG_LOCAL0 Syslog log facility +log_level INFO Log level +log_headers True If True, log headers in + each request +reseller_prefix AUTH The naming scope for the + auth service. Swift + storage accounts and + auth tokens will begin + with this prefix. +auth_prefix /auth/ The HTTP request path + prefix for the auth + service. Swift itself + reserves anything + beginning with the + letter `v`. +default_swift_cluster local:http://127.0.0.1:8080/v1 The default Swift + cluster to place newly + created accounts on. +token_life 86400 The number of seconds a + token is valid. +node_timeout 10 Request timeout +super_admin_key None The key for the + .super_admin account. +===================== =============================== ======================= + + ------------------------ Memcached Considerations ------------------------ diff --git a/doc/source/development_auth.rst b/doc/source/development_auth.rst index 2ac1bdf261..0f28750bd3 100644 --- a/doc/source/development_auth.rst +++ b/doc/source/development_auth.rst @@ -8,7 +8,7 @@ Creating Your Own Auth Server and Middleware The included swift/auth/server.py and swift/common/middleware/auth.py are good minimal examples of how to create an external auth server and proxy server auth -middleware. Also, see the `Swauth `_ project for +middleware. Also, see swift/common/middleware/swauth.py for a more complete implementation. The main points are that the auth middleware can reject requests up front, before they ever get to the Swift Proxy application, and afterwards when the proxy issues callbacks to verify @@ -356,6 +356,7 @@ repoze.what:: self.auth_port = int(conf.get('port', 11000)) self.ssl = \ conf.get('ssl', 'false').lower() in ('true', 'on', '1', 'yes') + self.auth_prefix = conf.get('prefix', '/') self.timeout = int(conf.get('node_timeout', 10)) def authenticate(self, env, identity): @@ -371,7 +372,7 @@ repoze.what:: return user with Timeout(self.timeout): conn = http_connect(self.auth_host, self.auth_port, 'GET', - '/token/%s' % token, ssl=self.ssl) + '%stoken/%s' % (self.auth_prefix, token), ssl=self.ssl) resp = conn.getresponse() resp.read() conn.close() diff --git a/doc/source/development_guidelines.rst b/doc/source/development_guidelines.rst index 60a70bf68e..9abda8c90e 100644 --- a/doc/source/development_guidelines.rst +++ b/doc/source/development_guidelines.rst @@ -38,7 +38,7 @@ License and Copyright Every source file should have the following copyright and license statement at the top:: - # Copyright (c) 2010 OpenStack, LLC. + # Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/doc/source/development_saio.rst b/doc/source/development_saio.rst index 999d338fbf..072db9b327 100644 --- a/doc/source/development_saio.rst +++ b/doc/source/development_saio.rst @@ -216,7 +216,9 @@ Configuring each node Sample configuration files are provided with all defaults in line-by-line comments. - #. Create `/etc/swift/auth-server.conf`:: + #. If your going to use the DevAuth (the default swift-auth-server), create + `/etc/swift/auth-server.conf` (you can skip this if you're going to use + Swauth):: [DEFAULT] user = @@ -237,15 +239,25 @@ Sample configuration files are provided with all defaults in line-by-line commen user = [pipeline:main] + # For DevAuth: pipeline = healthcheck cache auth proxy-server + # For Swauth: + # pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true + # Only needed for DevAuth [filter:auth] use = egg:swift#auth + # Only needed for Swauth + [filter:swauth] + use = egg:swift#swauth + # Highly recommended to change this. + super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck @@ -562,18 +574,32 @@ Setting up scripts for running Swift #!/bin/bash + # The auth-server line is only needed for DevAuth: swift-init auth-server start swift-init proxy-server start swift-init account-server start swift-init container-server start swift-init object-server start + #. For Swauth (not needed for DevAuth), create `~/bin/recreateaccounts`:: + + #!/bin/bash + + # Replace devauth with whatever your super_admin key is (recorded in + # /etc/swift/proxy-server.conf). + swauth-prep -K swauthkey + swauth-add-user -K swauthkey -a test tester testing + swauth-add-user -K swauthkey -a test2 tester2 testing2 + swauth-add-user -K swauthkey test tester3 testing3 + swauth-add-user -K swauthkey -a -r reseller reseller reseller + #. Create `~/bin/startrest`:: #!/bin/bash # Replace devauth with whatever your super_admin key is (recorded in - # /etc/swift/auth-server.conf). + # /etc/swift/auth-server.conf). This swift-auth-recreate-accounts line + # is only needed for DevAuth: swift-auth-recreate-accounts -K devauth swift-init object-updater start swift-init container-updater start @@ -589,13 +615,14 @@ Setting up scripts for running Swift #. `remakerings` #. `cd ~/swift/trunk; ./.unittests` #. `startmain` (The ``Unable to increase file descriptor limit. Running as non-root?`` warnings are expected and ok.) - #. `swift-auth-add-user -K devauth -a test tester testing` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:11000/v1.0`` + #. For Swauth: `recreateaccounts` + #. For DevAuth: `swift-auth-add-user -K devauth -a test tester testing` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:11000/v1.0`` # For Swauth, make the last URL `http://127.0.0.1:8080/auth/v1.0` #. Check that you can GET account: ``curl -v -H 'X-Auth-Token: ' `` - #. Check that `st` works: `st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat` - #. `swift-auth-add-user -K devauth -a test2 tester2 testing2` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. `swift-auth-add-user -K devauth test tester3 testing3` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. `cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` + #. Check that `st` works: `st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat` # For Swauth, make the URL `http://127.0.0.1:8080/auth/v1.0` + #. For DevAuth: `swift-auth-add-user -K devauth -a test2 tester2 testing2` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. For DevAuth: `swift-auth-add-user -K devauth test tester3 testing3` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. `cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` # For Swauth, add auth_prefix = /auth/ and change auth_port = 8080. #. `cd ~/swift/trunk; ./.functests` (Note: functional tests will first delete everything in the configured accounts.) #. `cd ~/swift/trunk; ./.probetests` (Note: probe tests will reset your diff --git a/doc/source/howto_cyberduck.rst b/doc/source/howto_cyberduck.rst index 6af2f0e630..e9de135ff3 100644 --- a/doc/source/howto_cyberduck.rst +++ b/doc/source/howto_cyberduck.rst @@ -8,7 +8,9 @@ Talking to Swift with Cyberduck #. Install Swift, or have credentials for an existing Swift installation. If you plan to install Swift on your own server, follow the general guidelines - in the section following this one. + in the section following this one. (This documentation assumes the use of + the DevAuth auth server; if you're using Swauth, you should change all auth + URLs /v1.0 to /auth/v1.0) #. Verify you can connect using the standard Swift Tool `st` from your "public" URL (yes I know this resolves privately inside EC2):: diff --git a/doc/source/howto_installmultinode.rst b/doc/source/howto_installmultinode.rst index 82a3a88099..2a84357bb9 100644 --- a/doc/source/howto_installmultinode.rst +++ b/doc/source/howto_installmultinode.rst @@ -13,8 +13,8 @@ Prerequisites Basic architecture and terms ---------------------------- - *node* - a host machine running one or more Swift services -- *Proxy node* - node that runs Proxy services -- *Auth node* - node that runs the Auth service +- *Proxy node* - node that runs Proxy services; can also run Swauth +- *Auth node* - node that runs the Auth service; only required for DevAuth - *Storage node* - node that runs Account, Container, and Object services - *ring* - a set of mappings of Swift data to physical devices @@ -23,13 +23,14 @@ This document shows a cluster using the following types of nodes: - one Proxy node - Runs the swift-proxy-server processes which proxy requests to the - appropriate Storage nodes. + appropriate Storage nodes. For Swauth, the proxy server will also contain + the Swauth service as WSGI middleware. - one Auth node - Runs the swift-auth-server which controls authentication and authorization for all requests. This can be on the same node as a - Proxy node. + Proxy node. This is only required for DevAuth. - five Storage nodes @@ -120,16 +121,27 @@ Configure the Proxy node user = swift [pipeline:main] + # For DevAuth: pipeline = healthcheck cache auth proxy-server + # For Swauth: + # pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true + # Only needed for DevAuth [filter:auth] use = egg:swift#auth ssl = true + # Only needed for Swauth + [filter:swauth] + use = egg:swift#swauth + default_swift_cluster = https://:8080/v1 + # Highly recommended to change this key to something else! + super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck @@ -194,6 +206,8 @@ Configure the Proxy node Configure the Auth node ----------------------- +.. note:: Only required for DevAuth; you can skip this section for Swauth. + #. If this node is not running on the same node as a proxy, create a self-signed cert as you did for the Proxy node @@ -358,13 +372,20 @@ Create Swift admin account and test You run these commands from the Auth node. +.. note:: For Swauth, replace the https://:11000/v1.0 with + https://:8080/auth/v1.0 + #. Create a user with administrative privileges (account = system, username = root, password = testpass). Make sure to replace - ``devauth`` with whatever super_admin key you assigned in the - auth-server.conf file above. *Note: None of the values of + ``devauth`` (or ``swauthkey``) with whatever super_admin key you assigned in + the auth-server.conf file (or proxy-server.conf file in the case of Swauth) + above. *Note: None of the values of account, username, or password are special - they can be anything.*:: + # For DevAuth: swift-auth-add-user -K devauth -a system root testpass + # For Swauth: + swauth-add-user -K swauthkey -a system root testpass #. Get an X-Storage-Url and X-Auth-Token:: @@ -404,20 +425,50 @@ See :ref:`config-proxy` for the initial setup, and then follow these additional use = egg:swift#memcache memcache_servers = :11211 -#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/auth-server.conf:: +#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/auth-server.conf (for DevAuth) or in /etc/swift/proxy-server.conf (for Swauth):: + # For DevAuth, in /etc/swift/auth-server.conf [app:auth-server] use = egg:swift#auth default_cluster_url = https:///v1 # Highly recommended to change this key to something else! super_admin_key = devauth -#. After you change the default_cluster_url setting, you have to delete the auth database and recreate the Swift users, or manually update the auth database with the correct URL for each account. + # For Swauth, in /etc/swift/proxy-server.conf + [filter:swauth] + use = egg:swift#swauth + default_swift_cluster = local:http:///v1 + # Highly recommended to change this key to something else! + super_admin_key = swauthkey + +#. For DevAuth, after you change the default_cluster_url setting, you have to delete the auth database and recreate the Swift users, or manually update the auth database with the correct URL for each account. + + For Swauth, you can change a service URL with:: + + swauth-set-account-service -K swauthkey storage local + + You can obtain old service URLs with:: + + swauth-list -K swauthkey #. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well. #. After you sync all the nodes, make sure the admin has the keys in /etc/swift and the ownership for the ring file is correct. +Additional Cleanup Script for Swauth +------------------------------------ + +If you decide to use Swauth, you'll want to install a cronjob to clean up any +orphaned expired tokens. These orphaned tokens can occur when a "stampede" +occurs where a single user authenticates several times concurrently. Generally, +these orphaned tokens don't pose much of an issue, but it's good to clean them +up once a "token life" period (default: 1 day or 86400 seconds). + +This should be as simple as adding `swauth-cleanup-tokens -K swauthkey > +/dev/null` to a crontab entry on one of the proxies that is running Swauth; but +run `swauth-cleanup-tokens` with no arguments for detailed help on the options +available. + Troubleshooting Notes --------------------- If you see problems, look in var/log/syslog (or messages on some distros). diff --git a/doc/source/index.rst b/doc/source/index.rst index de07c132ea..3c23140e72 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -1,5 +1,5 @@ .. - Copyright 2010 OpenStack LLC + Copyright 2010-2011 OpenStack LLC All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may diff --git a/doc/source/misc.rst b/doc/source/misc.rst index a0311cbf5e..eaea545a0f 100644 --- a/doc/source/misc.rst +++ b/doc/source/misc.rst @@ -42,6 +42,15 @@ Auth :members: :show-inheritance: +.. _common_swauth: + +Swauth +====== + +.. automodule:: swift.common.middleware.swauth + :members: + :show-inheritance: + .. _acls: ACLs diff --git a/doc/source/overview_auth.rst b/doc/source/overview_auth.rst index 364a6928dc..f9141509c2 100644 --- a/doc/source/overview_auth.rst +++ b/doc/source/overview_auth.rst @@ -48,9 +48,148 @@ implementing your own auth. Also, see :doc:`development_auth`. ------------------- -History and Future ------------------- -What's established in Swift for authentication/authorization has history from -before Swift, so that won't be recorded here. +------ +Swauth +------ + +The Swauth system is an optional DevAuth replacement included at +swift/common/middleware/swauth.py; a scalable authentication and +authorization system that uses Swift itself as its backing store. This section +will describe how it stores its data. + +At the topmost level, the auth system has its own Swift account it stores its +own account information within. This Swift account is known as +self.auth_account in the code and its name is in the format +self.reseller_prefix + ".auth". In this text, we'll refer to this account as +. + +The containers whose names do not begin with a period represent the accounts +within the auth service. For example, the /test container would +represent the "test" account. + +The objects within each container represent the users for that auth service +account. For example, the /test/bob object would represent the +user "bob" within the auth service account of "test". Each of these user +objects contain a JSON dictionary of the format:: + + {"auth": ":", "groups": } + +The `` can only be `plaintext` at this time, and the `` +is the plain text password itself. + +The `` contains at least two groups. The first is a unique group +identifying that user and it's name is of the format `:`. The +second group is the `` itself. Additional groups of `.admin` for +account administrators and `.reseller_admin` for reseller administrators may +exist. Here's an example user JSON dictionary:: + + {"auth": "plaintext:testing", + "groups": ["name": "test:tester", "name": "test", "name": ".admin"]} + +To map an auth service account to a Swift storage account, the Service Account +Id string is stored in the `X-Container-Meta-Account-Id` header for the +/ container. To map back the other way, an +/.account_id/ object is created with the contents of +the corresponding auth service's account name. + +Also, to support a future where the auth service will support multiple Swift +clusters or even multiple services for the same auth service account, an +//.services object is created with its contents having a +JSON dictionary of the format:: + + {"storage": {"default": "local", "local": }} + +The "default" is always "local" right now, and "local" is always the single +Swift cluster URL; but in the future there can be more than one cluster with +various names instead of just "local", and the "default" key's value will +contain the primary cluster to use for that account. Also, there may be more +services in addition to the current "storage" service right now. + +Here's an example .services dictionary at the moment:: + + {"storage": + {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}} + +But, here's an example of what the dictionary may look like in the future:: + + {"storage": + {"default": "dfw", + "dfw": "http://dfw.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "ord": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "sat": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}, + "servers": + {"default": "dfw", + "dfw": "http://dfw.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "ord": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "sat": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}} + +Lastly, the tokens themselves are stored as objects in the +`/.token_[0-f]` containers. The names of the objects are the +token strings themselves, such as `AUTH_tked86bbd01864458aa2bd746879438d5a`. +The exact `.token_[0-f]` container chosen is based on the final digit of the +token name, such as `.token_a` for the token +`AUTH_tked86bbd01864458aa2bd746879438d5a`. The contents of the token objects +are JSON dictionaries of the format:: + + {"account": , + "user": , + "account_id": , + "groups": , + "expires": } + +The `` is the auth service account's name for that token. The `` +is the user within the account for that token. The `` is the +same as the `X-Container-Meta-Account-Id` for the auth service's account, +as described above. The `` is the user's groups, as described +above with the user object. The "expires" value indicates when the token is no +longer valid, as compared to Python's time.time() value. + +Here's an example token object's JSON dictionary:: + + {"account": "test", + "user": "tester", + "account_id": "AUTH_8980f74b1cda41e483cbe0a925f448a9", + "groups": ["name": "test:tester", "name": "test", "name": ".admin"], + "expires": 1291273147.1624689} + +To easily map a user to an already issued token, the token name is stored in +the user object's `X-Object-Meta-Auth-Token` header. + +Here is an example full listing of an :: + + .account_id + AUTH_2282f516-559f-4966-b239-b5c88829e927 + AUTH_f6f57a3c-33b5-4e85-95a5-a801e67505c8 + AUTH_fea96a36-c177-4ca4-8c7e-b8c715d9d37b + .token_0 + .token_1 + .token_2 + .token_3 + .token_4 + .token_5 + .token_6 + AUTH_tk9d2941b13d524b268367116ef956dee6 + .token_7 + .token_8 + AUTH_tk93627c6324c64f78be746f1e6a4e3f98 + .token_9 + .token_a + .token_b + .token_c + .token_d + .token_e + AUTH_tk0d37d286af2c43ffad06e99112b3ec4e + .token_f + AUTH_tk766bbde93771489982d8dc76979d11cf + reseller + .services + reseller + test + .services + tester + tester3 + test2 + .services + tester2 diff --git a/etc/auth-server.conf-sample b/etc/auth-server.conf-sample index 1309726985..27b6cf3e14 100644 --- a/etc/auth-server.conf-sample +++ b/etc/auth-server.conf-sample @@ -1,3 +1,4 @@ +# Only needed for DevAuth; Swauth is within the proxy-server.conf [DEFAULT] # bind_ip = 0.0.0.0 # bind_port = 11000 diff --git a/etc/object-server.conf-sample b/etc/object-server.conf-sample index d4523566bf..cc80c18c07 100644 --- a/etc/object-server.conf-sample +++ b/etc/object-server.conf-sample @@ -55,5 +55,5 @@ use = egg:swift#object [object-auditor] # log_name = object-auditor -# Will audit, at most, 1 object per device per interval -# interval = 1800 +# files_per_second = 20 +# bytes_per_second = 10000000 diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 220f003ba0..fda7d0d034 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -9,7 +9,10 @@ # key_file = /etc/swift/proxy.key [pipeline:main] +# For DevAuth: pipeline = catch_errors healthcheck cache ratelimit auth proxy-server +# For Swauth: +# pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server [app:proxy-server] use = egg:swift#proxy @@ -33,6 +36,7 @@ use = egg:swift#proxy # 'false' no one, even authorized, can. # allow_account_management = false +# Only needed for DevAuth [filter:auth] use = egg:swift#auth # The reseller prefix will verify a token begins with this prefix before even @@ -44,8 +48,38 @@ use = egg:swift#auth # ip = 127.0.0.1 # port = 11000 # ssl = false +# prefix = / # node_timeout = 10 +# Only needed for Swauth +[filter:swauth] +use = egg:swift#swauth +# log_name = auth-server +# log_facility = LOG_LOCAL0 +# log_level = INFO +# log_headers = False +# The reseller prefix will verify a token begins with this prefix before even +# attempting to validate it. Also, with authorization, only Swift storage +# accounts with this prefix will be authorized by this middleware. Useful if +# multiple auth systems are in use for one Swift cluster. +# reseller_prefix = AUTH +# The auth prefix will cause requests beginning with this prefix to be routed +# to the auth subsystem, for granting tokens, creating accounts, users, etc. +# auth_prefix = /auth/ +# Cluster strings are of the format name:url where name is a short name for the +# Swift cluster and url is the url to the proxy server(s) for the cluster. +# default_swift_cluster = local:http://127.0.0.1:8080/v1 +# You may also use the format name::url::url where the first url is the one +# given to users to access their account (public url) and the second is the one +# used by swauth itself to create and delete accounts (private url). This is +# useful when a load balancer url should be used by users, but swauth itself is +# behind the load balancer. Example: +# default_swift_cluster = local::https://public.com:8080/v1::http://private.com:8080/v1 +# token_life = 86400 +# node_timeout = 10 +# Highly recommended to change this. +super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck diff --git a/etc/stats.conf-sample b/etc/stats.conf-sample index 8ec18d4968..f89cb77d6d 100644 --- a/etc/stats.conf-sample +++ b/etc/stats.conf-sample @@ -1,5 +1,8 @@ [stats] +# For DevAuth: auth_url = http://saio:11000/auth +# For Swauth: +# auth_url = http://saio:8080/auth/v1.0 auth_user = test:tester auth_key = testing # swift_dir = /etc/swift diff --git a/setup.py b/setup.py index 6ce9c7b6b5..912213c1c9 100644 --- a/setup.py +++ b/setup.py @@ -1,5 +1,5 @@ #!/usr/bin/python -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,6 +21,7 @@ import subprocess from swift import __version__ as version + class local_sdist(sdist): """Customized sdist hook - builds the ChangeLog file from VC first""" @@ -79,6 +80,10 @@ setup( 'bin/swift-log-uploader', 'bin/swift-log-stats-collector', 'bin/swift-account-stats-logger', + 'bin/swauth-add-account', 'bin/swauth-add-user', + 'bin/swauth-cleanup-tokens', 'bin/swauth-delete-account', + 'bin/swauth-delete-user', 'bin/swauth-list', 'bin/swauth-prep', + 'bin/swauth-set-account-service', 'bin/swift-auth-to-swauth', ], entry_points={ 'paste.app_factory': [ @@ -90,6 +95,7 @@ setup( ], 'paste.filter_factory': [ 'auth=swift.common.middleware.auth:filter_factory', + 'swauth=swift.common.middleware.swauth:filter_factory', 'healthcheck=swift.common.middleware.healthcheck:filter_factory', 'memcache=swift.common.middleware.memcache:filter_factory', 'ratelimit=swift.common.middleware.ratelimit:filter_factory', diff --git a/swift/account/auditor.py b/swift/account/auditor.py index 36e1e0a0d8..1f24f93acc 100644 --- a/swift/account/auditor.py +++ b/swift/account/auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/account/reaper.py b/swift/account/reaper.py index 6d2112927f..02e32506f0 100644 --- a/swift/account/reaper.py +++ b/swift/account/reaper.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/account/replicator.py b/swift/account/replicator.py index 60c409d112..aa131c9c8d 100644 --- a/swift/account/replicator.py +++ b/swift/account/replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/account/server.py b/swift/account/server.py index 53d604ce93..a1e20c1f4f 100644 --- a/swift/account/server.py +++ b/swift/account/server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/auth/server.py b/swift/auth/server.py index 4ddf2e4647..fcfa9dd37b 100644 --- a/swift/auth/server.py +++ b/swift/auth/server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/bench.py b/swift/common/bench.py index b698ff310b..4abafeb947 100644 --- a/swift/common/bench.py +++ b/swift/common/bench.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/bufferedhttp.py b/swift/common/bufferedhttp.py index 81c54d0722..4fb090ca92 100644 --- a/swift/common/bufferedhttp.py +++ b/swift/common/bufferedhttp.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/client.py b/swift/common/client.py index 1acba8cb37..e3536e894f 100644 --- a/swift/common/client.py +++ b/swift/common/client.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/compressing_file_reader.py b/swift/common/compressing_file_reader.py index d6de9154eb..c581bddadd 100644 --- a/swift/common/compressing_file_reader.py +++ b/swift/common/compressing_file_reader.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/constraints.py b/swift/common/constraints.py index d91c136504..ad5a37b9a8 100644 --- a/swift/common/constraints.py +++ b/swift/common/constraints.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/daemon.py b/swift/common/daemon.py index 0f7df064c7..eee3428679 100644 --- a/swift/common/daemon.py +++ b/swift/common/daemon.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/db.py b/swift/common/db.py index 07bb00b390..b3c80dbc8c 100644 --- a/swift/common/db.py +++ b/swift/common/db.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/db_replicator.py b/swift/common/db_replicator.py index 0588b841a0..4c479a0ed0 100644 --- a/swift/common/db_replicator.py +++ b/swift/common/db_replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/direct_client.py b/swift/common/direct_client.py index 7952a1ceaf..68334a3ed4 100644 --- a/swift/common/direct_client.py +++ b/swift/common/direct_client.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/exceptions.py b/swift/common/exceptions.py index c498e2dae9..81f544bfae 100644 --- a/swift/common/exceptions.py +++ b/swift/common/exceptions.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/internal_proxy.py b/swift/common/internal_proxy.py index d305b81bc1..40c5185cfa 100644 --- a/swift/common/internal_proxy.py +++ b/swift/common/internal_proxy.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/memcached.py b/swift/common/memcached.py index 193456524a..17378e1aae 100644 --- a/swift/common/memcached.py +++ b/swift/common/memcached.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/acl.py b/swift/common/middleware/acl.py index 6403aed726..f6784953ac 100644 --- a/swift/common/middleware/acl.py +++ b/swift/common/middleware/acl.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/auth.py b/swift/common/middleware/auth.py index 66ff9b7ab4..59cf83ddba 100644 --- a/swift/common/middleware/auth.py +++ b/swift/common/middleware/auth.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +35,7 @@ class DevAuth(object): self.auth_host = conf.get('ip', '127.0.0.1') self.auth_port = int(conf.get('port', 11000)) self.ssl = conf.get('ssl', 'false').lower() in TRUE_VALUES + self.auth_prefix = conf.get('prefix', '/') self.timeout = int(conf.get('node_timeout', 10)) def __call__(self, env, start_response): @@ -139,7 +140,9 @@ class DevAuth(object): if not groups: with Timeout(self.timeout): conn = http_connect(self.auth_host, self.auth_port, 'GET', - '/token/%s' % token, headers, ssl=self.ssl) + '%stoken/%s' % (self.auth_prefix, token), + headers, ssl=self.ssl) + resp = conn.getresponse() resp.read() conn.close() @@ -166,9 +169,10 @@ class DevAuth(object): user_groups = (req.remote_user or '').split(',') if '.reseller_admin' in user_groups: return None - if account in user_groups and (req.method != 'PUT' or container): + if account in user_groups and \ + (req.method not in ('DELETE', 'PUT') or container): # If the user is admin for the account and is not trying to do an - # account PUT... + # account DELETE or PUT... return None referrers, groups = parse_acl(getattr(req, 'acl', None)) if referrer_allowed(req.referer, referrers): diff --git a/swift/common/middleware/catch_errors.py b/swift/common/middleware/catch_errors.py index 5fb8c33592..10d8614194 100644 --- a/swift/common/middleware/catch_errors.py +++ b/swift/common/middleware/catch_errors.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,7 +26,11 @@ class CatchErrorMiddleware(object): def __init__(self, app, conf): self.app = app - self.logger = get_logger(conf) + # if the application already has a logger we should use that one + self.logger = getattr(app, 'logger', None) + if not self.logger: + # and only call get_logger if we have to + self.logger = get_logger(conf) def __call__(self, env, start_response): try: diff --git a/swift/common/middleware/cname_lookup.py b/swift/common/middleware/cname_lookup.py index be7071ba16..4690bf6c79 100644 --- a/swift/common/middleware/cname_lookup.py +++ b/swift/common/middleware/cname_lookup.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/domain_remap.py b/swift/common/middleware/domain_remap.py index e55394d84b..4812182587 100644 --- a/swift/common/middleware/domain_remap.py +++ b/swift/common/middleware/domain_remap.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/healthcheck.py b/swift/common/middleware/healthcheck.py index e0da092fc3..072ce24c85 100644 --- a/swift/common/middleware/healthcheck.py +++ b/swift/common/middleware/healthcheck.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/memcache.py b/swift/common/middleware/memcache.py index 0ec1288fd5..e2eca36d63 100644 --- a/swift/common/middleware/memcache.py +++ b/swift/common/middleware/memcache.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/middleware/swauth.py b/swift/common/middleware/swauth.py new file mode 100644 index 0000000000..961f3a3ba4 --- /dev/null +++ b/swift/common/middleware/swauth.py @@ -0,0 +1,1312 @@ +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +from httplib import HTTPConnection, HTTPSConnection +from time import gmtime, strftime, time +from traceback import format_exc +from urllib import quote, unquote +from urlparse import urlparse +from uuid import uuid4 + +from eventlet.timeout import Timeout +from webob import Response, Request +from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPConflict, \ + HTTPCreated, HTTPForbidden, HTTPNoContent, HTTPNotFound, \ + HTTPServiceUnavailable, HTTPUnauthorized + +from swift.common.bufferedhttp import http_connect_raw as http_connect +from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed +from swift.common.utils import cache_from_env, get_logger, split_path + + +class Swauth(object): + """ + Scalable authentication and authorization system that uses Swift as its + backing store. + + :param app: The next WSGI app in the pipeline + :param conf: The dict of configuration values + """ + + def __init__(self, app, conf): + self.app = app + self.conf = conf + self.logger = get_logger(conf) + self.log_headers = conf.get('log_headers') == 'True' + self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip() + if self.reseller_prefix and self.reseller_prefix[-1] != '_': + self.reseller_prefix += '_' + self.auth_prefix = conf.get('auth_prefix', '/auth/') + if not self.auth_prefix: + self.auth_prefix = '/auth/' + if self.auth_prefix[0] != '/': + self.auth_prefix = '/' + self.auth_prefix + if self.auth_prefix[-1] != '/': + self.auth_prefix += '/' + self.auth_account = '%s.auth' % self.reseller_prefix + self.default_swift_cluster = conf.get('default_swift_cluster', + 'local:http://127.0.0.1:8080/v1') + # This setting is a little messy because of the options it has to + # provide. The basic format is cluster_name:url, such as the default + # value of local:http://127.0.0.1:8080/v1. But, often the url given to + # the user needs to be different than the url used by Swauth to + # create/delete accounts. So there's a more complex format of + # cluster_name::url::url, such as + # local::https://public.com:8080/v1::http://private.com:8080/v1. + # The double colon is what sets the two apart. + if '::' in self.default_swift_cluster: + self.dsc_name, self.dsc_url, self.dsc_url2 = \ + self.default_swift_cluster.split('::', 2) + self.dsc_url = self.dsc_url.rstrip('/') + self.dsc_url2 = self.dsc_url2.rstrip('/') + else: + self.dsc_name, self.dsc_url = \ + self.default_swift_cluster.split(':', 1) + self.dsc_url = self.dsc_url2 = self.dsc_url.rstrip('/') + self.dsc_parsed = urlparse(self.dsc_url) + if self.dsc_parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (self.dsc_parsed.scheme, repr(self.dsc_url))) + self.dsc_parsed2 = urlparse(self.dsc_url2) + if self.dsc_parsed2.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (self.dsc_parsed2.scheme, repr(self.dsc_url2))) + self.super_admin_key = conf.get('super_admin_key') + if not self.super_admin_key: + msg = _('No super_admin_key set in conf file! Exiting.') + try: + self.logger.critical(msg) + except Exception: + pass + raise ValueError(msg) + self.token_life = int(conf.get('token_life', 86400)) + self.timeout = int(conf.get('node_timeout', 10)) + self.itoken = None + self.itoken_expires = None + + def __call__(self, env, start_response): + """ + Accepts a standard WSGI application call, authenticating the request + and installing callback hooks for authorization and ACL header + validation. For an authenticated request, REMOTE_USER will be set to a + comma separated list of the user's groups. + + With a non-empty reseller prefix, acts as the definitive auth service + for just tokens and accounts that begin with that prefix, but will deny + requests outside this prefix if no other auth middleware overrides it. + + With an empty reseller prefix, acts as the definitive auth service only + for tokens that validate to a non-empty set of groups. For all other + requests, acts as the fallback auth service when no other auth + middleware overrides it. + + Alternatively, if the request matches the self.auth_prefix, the request + will be routed through the internal auth request handler (self.handle). + This is to handle creating users, accounts, granting tokens, etc. + """ + if 'HTTP_X_CF_TRANS_ID' not in env: + env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4()) + if env.get('PATH_INFO', '').startswith(self.auth_prefix): + return self.handle(env, start_response) + token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN')) + if token and token.startswith(self.reseller_prefix): + # Note: Empty reseller_prefix will match all tokens. + groups = self.get_groups(env, token) + if groups: + env['REMOTE_USER'] = groups + user = groups and groups.split(',', 1)[0] or '' + # We know the proxy logs the token, so we augment it just a bit + # to also log the authenticated user. + env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token) + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + else: + # Unauthorized token + if self.reseller_prefix: + # Because I know I'm the definitive auth for this token, I + # can deny it outright. + return HTTPUnauthorized()(env, start_response) + # Because I'm not certain if I'm the definitive auth for empty + # reseller_prefixed tokens, I won't overwrite swift.authorize. + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.denied_response + else: + if self.reseller_prefix: + # With a non-empty reseller_prefix, I would like to be called + # back for anonymous access to accounts I know I'm the + # definitive auth for. + try: + version, rest = split_path(env.get('PATH_INFO', ''), + 1, 2, True) + except ValueError: + return HTTPNotFound()(env, start_response) + if rest and rest.startswith(self.reseller_prefix): + # Handle anonymous access to accounts I'm the definitive + # auth for. + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + # Not my token, not my account, I can't authorize this request, + # deny all is a good idea if not already set... + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.denied_response + # Because I'm not certain if I'm the definitive auth for empty + # reseller_prefixed accounts, I won't overwrite swift.authorize. + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + return self.app(env, start_response) + + def get_groups(self, env, token): + """ + Get groups for the given token. + + :param env: The current WSGI environment dictionary. + :param token: Token to validate and return a group string for. + + :returns: None if the token is invalid or a string containing a comma + separated list of groups the authenticated user is a member + of. The first group in the list is also considered a unique + identifier for that user. + """ + groups = None + memcache_client = cache_from_env(env) + if memcache_client: + memcache_key = '%s/auth/%s' % (self.reseller_prefix, token) + cached_auth_data = memcache_client.get(memcache_key) + if cached_auth_data: + expires, groups = cached_auth_data + if expires < time(): + groups = None + if not groups: + path = quote('/v1/%s/.token_%s/%s' % + (self.auth_account, token[-1], token)) + resp = self.make_request(env, 'GET', path).get_response(self.app) + if resp.status_int // 100 != 2: + return None + detail = json.loads(resp.body) + if detail['expires'] < time(): + self.make_request(env, 'DELETE', path).get_response(self.app) + return None + groups = [g['name'] for g in detail['groups']] + if '.admin' in groups: + groups.remove('.admin') + groups.append(detail['account_id']) + groups = ','.join(groups) + if memcache_client: + memcache_client.set(memcache_key, (detail['expires'], groups), + timeout=float(detail['expires'] - time())) + return groups + + def authorize(self, req): + """ + Returns None if the request is authorized to continue or a standard + WSGI response callable if not. + """ + try: + version, account, container, obj = split_path(req.path, 1, 4, True) + except ValueError: + return HTTPNotFound(request=req) + if not account or not account.startswith(self.reseller_prefix): + return self.denied_response(req) + user_groups = (req.remote_user or '').split(',') + if '.reseller_admin' in user_groups and \ + account != self.reseller_prefix and \ + account[len(self.reseller_prefix)].isalnum(): + return None + if account in user_groups and \ + (req.method not in ('DELETE', 'PUT') or container): + # If the user is admin for the account and is not trying to do an + # account DELETE or PUT... + return None + referrers, groups = parse_acl(getattr(req, 'acl', None)) + if referrer_allowed(req.referer, referrers): + return None + if not req.remote_user: + return self.denied_response(req) + for user_group in user_groups: + if user_group in groups: + return None + return self.denied_response(req) + + def denied_response(self, req): + """ + Returns a standard WSGI response callable with the status of 403 or 401 + depending on whether the REMOTE_USER is set or not. + """ + if req.remote_user: + return HTTPForbidden(request=req) + else: + return HTTPUnauthorized(request=req) + + def handle(self, env, start_response): + """ + WSGI entry point for auth requests (ones that match the + self.auth_prefix). + Wraps env in webob.Request object and passes it down. + + :param env: WSGI environment dictionary + :param start_response: WSGI callable + """ + try: + req = Request(env) + if self.auth_prefix: + req.path_info_pop() + req.bytes_transferred = '-' + req.client_disconnect = False + if 'x-storage-token' in req.headers and \ + 'x-auth-token' not in req.headers: + req.headers['x-auth-token'] = req.headers['x-storage-token'] + if 'eventlet.posthooks' in env: + env['eventlet.posthooks'].append( + (self.posthooklogger, (req,), {})) + return self.handle_request(req)(env, start_response) + else: + # Lack of posthook support means that we have to log on the + # start of the response, rather than after all the data has + # been sent. This prevents logging client disconnects + # differently than full transmissions. + response = self.handle_request(req)(env, start_response) + self.posthooklogger(env, req) + return response + except: + print "EXCEPTION IN handle: %s: %s" % (format_exc(), env) + start_response('500 Server Error', + [('Content-Type', 'text/plain')]) + return ['Internal server error.\n'] + + def handle_request(self, req): + """ + Entry point for auth requests (ones that match the self.auth_prefix). + Should return a WSGI-style callable (such as webob.Response). + + :param req: webob.Request object + """ + req.start_time = time() + handler = None + try: + version, account, user, _ = split_path(req.path_info, minsegs=1, + maxsegs=4, rest_with_last=True) + except ValueError: + return HTTPNotFound(request=req) + if version in ('v1', 'v1.0', 'auth'): + if req.method == 'GET': + handler = self.handle_get_token + elif version == 'v2': + req.path_info_pop() + if req.method == 'GET': + if not account and not user: + handler = self.handle_get_reseller + elif account: + if not user: + handler = self.handle_get_account + elif account == '.token': + req.path_info_pop() + handler = self.handle_validate_token + else: + handler = self.handle_get_user + elif req.method == 'PUT': + if not user: + handler = self.handle_put_account + else: + handler = self.handle_put_user + elif req.method == 'DELETE': + if not user: + handler = self.handle_delete_account + else: + handler = self.handle_delete_user + elif req.method == 'POST': + if account == '.prep': + handler = self.handle_prep + elif user == '.services': + handler = self.handle_set_services + if not handler: + req.response = HTTPBadRequest(request=req) + else: + req.response = handler(req) + return req.response + + def handle_prep(self, req): + """ + Handles the POST v2/.prep call for preparing the backing store Swift + cluster for use with the auth subsystem. Can only be called by + .super_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 204 on success + """ + if not self.is_super_admin(req): + return HTTPForbidden(request=req) + path = quote('/v1/%s' % self.auth_account) + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create the main auth account: %s %s' % + (path, resp.status)) + path = quote('/v1/%s/.account_id' % self.auth_account) + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create container: %s %s' % + (path, resp.status)) + for container in xrange(16): + path = quote('/v1/%s/.token_%x' % (self.auth_account, container)) + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create container: %s %s' % + (path, resp.status)) + return HTTPNoContent(request=req) + + def handle_get_reseller(self, req): + """ + Handles the GET v2 call for getting general reseller information + (currently just a list of accounts). Can only be called by a + .reseller_admin. + + On success, a JSON dictionary will be returned with a single `accounts` + key whose value is list of dicts. Each dict represents an account and + currently only contains the single key `name`. For example:: + + {"accounts": [{"name": "reseller"}, {"name": "test"}, + {"name": "test2"}]} + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with a JSON dictionary as + explained above. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + listing = [] + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote(self.auth_account), + quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not list main auth account: %s %s' % + (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for container in sublisting: + if container['name'][0] != '.': + listing.append({'name': container['name']}) + marker = sublisting[-1]['name'] + return Response(body=json.dumps({'accounts': listing})) + + def handle_get_account(self, req): + """ + Handles the GET v2/ call for getting account information. + Can only be called by an account .admin. + + On success, a JSON dictionary will be returned containing the keys + `account_id`, `services`, and `users`. The `account_id` is the value + used when creating service accounts. The `services` value is a dict as + described in the :func:`handle_get_token` call. The `users` value is a + list of dicts, each dict representing a user and currently only + containing the single key `name`. For example:: + + {"account_id": "AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162", + "services": {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162"}}, + "users": [{"name": "tester"}, {"name": "tester3"}]} + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with a JSON dictionary as + explained above. + """ + account = req.path_info_pop() + if req.path_info or not account.isalnum(): + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain the .services object: %s %s' % + (path, resp.status)) + services = json.loads(resp.body) + listing = [] + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: %s %s' % + (path, resp.status)) + account_id = resp.headers['X-Container-Meta-Account-Id'] + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + listing.append({'name': obj['name']}) + marker = sublisting[-1]['name'] + return Response(body=json.dumps({'account_id': account_id, + 'services': services, 'users': listing})) + + def handle_set_services(self, req): + """ + Handles the POST v2//.services call for setting services + information. Can only be called by a reseller .admin. + + In the :func:`handle_get_account` (GET v2/) call, a section of + the returned JSON dict is `services`. This section looks something like + this:: + + "services": {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162"}} + + Making use of this section is described in :func:`handle_get_token`. + + This function allows setting values within this section for the + , allowing the addition of new service end points or updating + existing ones. + + The body of the POST request should contain a JSON dict with the + following format:: + + {"service_name": {"end_point_name": "end_point_value"}} + + There can be multiple services and multiple end points in the same + call. + + Any new services or end points will be added to the existing set of + services and end points. Any existing services with the same service + name will be merged with the new end points. Any existing end points + with the same end point name will have their values updated. + + The updated services dictionary will be returned on success. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with the udpated services JSON + dict as described above + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + account = req.path_info_pop() + if req.path_info != '/.services' or not account.isalnum(): + return HTTPBadRequest(request=req) + try: + new_services = json.loads(req.body) + except ValueError, err: + return HTTPBadRequest(body=str(err)) + # Get the current services information + path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain services info: %s %s' % + (path, resp.status)) + services = json.loads(resp.body) + for new_service, value in new_services.iteritems(): + if new_service in services: + services[new_service].update(value) + else: + services[new_service] = value + # Save the new services information + services = json.dumps(services) + resp = self.make_request(req.environ, 'PUT', path, + services).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not save .services object: %s %s' % + (path, resp.status)) + return Response(request=req, body=services) + + def handle_put_account(self, req): + """ + Handles the PUT v2/ call for adding an account to the auth + system. Can only be called by a .reseller_admin. + + By default, a newly created UUID4 will be used with the reseller prefix + as the account id used when creating corresponding service accounts. + However, you can provide an X-Account-Suffix header to replace the + UUID4 part. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + account = req.path_info_pop() + if req.path_info or not account.isalnum(): + return HTTPBadRequest(request=req) + # Ensure the container in the main auth account exists (this + # container represents the new account) + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int == 404: + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create account within main auth ' + 'account: %s %s' % (path, resp.status)) + elif resp.status_int // 100 == 2: + if 'x-container-meta-account-id' in resp.headers: + # Account was already created + return HTTPAccepted(request=req) + else: + raise Exception('Could not verify account within main auth ' + 'account: %s %s' % (path, resp.status)) + account_suffix = req.headers.get('x-account-suffix') + if not account_suffix: + account_suffix = str(uuid4()) + # Create the new account in the Swift cluster + path = quote('%s/%s%s' % (self.dsc_parsed2.path, + self.reseller_prefix, account_suffix)) + try: + conn = self.get_conn() + conn.request('PUT', path, + headers={'X-Auth-Token': self.get_itoken(req.environ)}) + resp = conn.getresponse() + resp.read() + if resp.status // 100 != 2: + raise Exception('Could not create account on the Swift ' + 'cluster: %s %s %s' % (path, resp.status, resp.reason)) + except: + self.logger.error(_('ERROR: Exception while trying to communicate ' + 'with %(scheme)s://%(host)s:%(port)s/%(path)s'), + {'scheme': self.dsc_parsed2.scheme, + 'host': self.dsc_parsed2.hostname, + 'port': self.dsc_parsed2.port, 'path': path}) + raise + # Record the mapping from account id back to account name + path = quote('/v1/%s/.account_id/%s%s' % + (self.auth_account, self.reseller_prefix, account_suffix)) + resp = self.make_request(req.environ, 'PUT', path, + account).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create account id mapping: %s %s' % + (path, resp.status)) + # Record the cluster url(s) for the account + path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) + services = {'storage': {}} + services['storage'][self.dsc_name] = '%s/%s%s' % (self.dsc_url, + self.reseller_prefix, account_suffix) + services['storage']['default'] = self.dsc_name + resp = self.make_request(req.environ, 'PUT', path, + json.dumps(services)).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create .services object: %s %s' % + (path, resp.status)) + # Record the mapping from account name to the account id + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'POST', path, + headers={'X-Container-Meta-Account-Id': '%s%s' % + (self.reseller_prefix, account_suffix)}).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not record the account id on the account: ' + '%s %s' % (path, resp.status)) + return HTTPCreated(request=req) + + def handle_delete_account(self, req): + """ + Handles the DELETE v2/ call for removing an account from the + auth system. Can only be called by a .reseller_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + account = req.path_info_pop() + if req.path_info or not account.isalnum(): + return HTTPBadRequest(request=req) + # Make sure the account has no users and get the account_id + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: %s %s' % + (path, resp.status)) + account_id = resp.headers['x-container-meta-account-id'] + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + return HTTPConflict(request=req) + marker = sublisting[-1]['name'] + # Obtain the listing of services the account is on. + path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not obtain .services object: %s %s' % + (path, resp.status)) + if resp.status_int // 100 == 2: + services = json.loads(resp.body) + # Delete the account on each cluster it is on. + deleted_any = False + for name, url in services['storage'].iteritems(): + if name != 'default': + parsed = urlparse(url) + conn = self.get_conn(parsed) + conn.request('DELETE', parsed.path, + headers={'X-Auth-Token': self.get_itoken(req.environ)}) + resp = conn.getresponse() + resp.read() + if resp.status == 409: + if deleted_any: + raise Exception('Managed to delete one or more ' + 'service end points, but failed with: ' + '%s %s %s' % (url, resp.status, resp.reason)) + else: + return HTTPConflict(request=req) + if resp.status // 100 != 2 and resp.status != 404: + raise Exception('Could not delete account on the ' + 'Swift cluster: %s %s %s' % + (url, resp.status, resp.reason)) + deleted_any = True + # Delete the .services object itself. + path = quote('/v1/%s/%s/.services' % + (self.auth_account, account)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete .services object: %s %s' % + (path, resp.status)) + # Delete the account id mapping for the account. + path = quote('/v1/%s/.account_id/%s' % + (self.auth_account, account_id)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete account id mapping: %s %s' % + (path, resp.status)) + # Delete the account marker itself. + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete account marked: %s %s' % + (path, resp.status)) + return HTTPNoContent(request=req) + + def handle_get_user(self, req): + """ + Handles the GET v2// call for getting user information. + Can only be called by an account .admin. + + On success, a JSON dict will be returned as described:: + + {"groups": [ # List of groups the user is a member of + {"name": ":"}, + # The first group is a unique user identifier + {"name": ""}, + # The second group is the auth account name + {"name": ""} + # There may be additional groups, .admin being a special + # group indicating an account admin and .reseller_admin + # indicating a reseller admin. + ], + "auth": "plaintext:" + # The auth-type and key for the user; currently only plaintext is + # implemented. + } + + For example:: + + {"groups": [{"name": "test:tester"}, {"name": "test"}, + {"name": ".admin"}], + "auth": "plaintext:testing"} + + If the in the request is the special user `.groups`, the JSON + dict will contain a single key of `groups` whose value is a list of + dicts representing the active groups within the account. Each dict + currently has the single key `name`. For example:: + + {"groups": [{"name": ".admin"}, {"name": "test"}, + {"name": "test:tester"}, {"name": "test:tester3"}]} + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with a JSON dictionary as + explained above. + """ + account = req.path_info_pop() + user = req.path_info_pop() + if req.path_info or not account.isalnum() or \ + (not user.isalnum() and user != '.groups'): + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + if user == '.groups': + # TODO: This could be very slow for accounts with a really large + # number of users. Speed could be improved by concurrently + # requesting user group information. Then again, I don't *know* + # it's slow for `normal` use cases, so testing should be done. + groups = set() + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: ' + '%s %s' % (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + path = quote('/v1/%s/%s/%s' % (self.auth_account, + account, obj['name'])) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve user object: ' + '%s %s' % (path, resp.status)) + groups.update(g['name'] + for g in json.loads(resp.body)['groups']) + marker = sublisting[-1]['name'] + body = json.dumps({'groups': + [{'name': g} for g in sorted(groups)]}) + else: + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve user object: %s %s' % + (path, resp.status)) + body = resp.body + return Response(body=body) + + def handle_put_user(self, req): + """ + Handles the PUT v2// call for adding a user to an + account. + + X-Auth-User-Key represents the user's key, X-Auth-User-Admin may be set + to `true` to create an account .admin, and X-Auth-User-Reseller-Admin + may be set to `true` to create a .reseller_admin. + + Can only be called by an account .admin unless the user is to be a + .reseller_admin, in which case the request must be by .super_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + # Validate path info + account = req.path_info_pop() + user = req.path_info_pop() + key = req.headers.get('x-auth-user-key') + admin = req.headers.get('x-auth-user-admin') == 'true' + reseller_admin = \ + req.headers.get('x-auth-user-reseller-admin') == 'true' + if reseller_admin: + admin = True + if req.path_info or not account.isalnum() or not user.isalnum() or \ + not key: + return HTTPBadRequest(request=req) + if reseller_admin: + if not self.is_super_admin(req): + return HTTPForbidden(request=req) + elif not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + # Create the object in the main auth account (this object represents + # the user) + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + groups = ['%s:%s' % (account, user), account] + if admin: + groups.append('.admin') + if reseller_admin: + groups.append('.reseller_admin') + resp = self.make_request(req.environ, 'PUT', path, json.dumps({'auth': + 'plaintext:%s' % key, + 'groups': [{'name': g} for g in groups]})).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not create user object: %s %s' % + (path, resp.status)) + return HTTPCreated(request=req) + + def handle_delete_user(self, req): + """ + Handles the DELETE v2// call for deleting a user from an + account. + + Can only be called by an account .admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + # Validate path info + account = req.path_info_pop() + user = req.path_info_pop() + if req.path_info or not account.isalnum() or not user.isalnum(): + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + # Delete the user's existing token, if any. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + elif resp.status_int // 100 != 2: + raise Exception('Could not obtain user details: %s %s' % + (path, resp.status)) + candidate_token = resp.headers.get('x-object-meta-auth-token') + if candidate_token: + path = quote('/v1/%s/.token_%s/%s' % + (self.auth_account, candidate_token[-1], candidate_token)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete possibly existing token: ' + '%s %s' % (path, resp.status)) + # Delete the user entry itself. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete the user object: %s %s' % + (path, resp.status)) + return HTTPNoContent(request=req) + + def handle_get_token(self, req): + """ + Handles the various `request for token and service end point(s)` calls. + There are various formats to support the various auth servers in the + past. Examples:: + + GET /v1//auth + X-Auth-User: : or X-Storage-User: + X-Auth-Key: or X-Storage-Pass: + GET /auth + X-Auth-User: : or X-Storage-User: : + X-Auth-Key: or X-Storage-Pass: + GET /v1.0 + X-Auth-User: : or X-Storage-User: : + X-Auth-Key: or X-Storage-Pass: + + On successful authentication, the response will have X-Auth-Token and + X-Storage-Token set to the token to use with Swift and X-Storage-URL + set to the URL to the default Swift cluster to use. + + The response body will be set to the account's services JSON object as + described here:: + + {"storage": { # Represents the Swift storage service end points + "default": "cluster1", # Indicates which cluster is the default + "cluster1": "", + # A Swift cluster that can be used with this account, + # "cluster1" is the name of the cluster which is usually a + # location indicator (like "dfw" for a datacenter region). + "cluster2": "" + # Another Swift cluster that can be used with this account, + # there will always be at least one Swift cluster to use or + # this whole "storage" dict won't be included at all. + }, + "servers": { # Represents the Nova server service end points + # Expected to be similar to the "storage" dict, but not + # implemented yet. + }, + # Possibly other service dicts, not implemented yet. + } + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with data set as explained + above. + """ + # Validate the request info + try: + pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3, + rest_with_last=True) + except ValueError: + return HTTPNotFound(request=req) + if pathsegs[0] == 'v1' and pathsegs[2] == 'auth': + account = pathsegs[1] + user = req.headers.get('x-storage-user') + if not user: + user = req.headers.get('x-auth-user') + if not user or ':' not in user: + return HTTPUnauthorized(request=req) + account2, user = user.split(':', 1) + if account != account2: + return HTTPUnauthorized(request=req) + key = req.headers.get('x-storage-pass') + if not key: + key = req.headers.get('x-auth-key') + elif pathsegs[0] in ('auth', 'v1.0'): + user = req.headers.get('x-auth-user') + if not user: + user = req.headers.get('x-storage-user') + if not user or ':' not in user: + return HTTPUnauthorized(request=req) + account, user = user.split(':', 1) + key = req.headers.get('x-auth-key') + if not key: + key = req.headers.get('x-storage-pass') + else: + return HTTPBadRequest(request=req) + if not all((account, user, key)): + return HTTPUnauthorized(request=req) + if user == '.super_admin' and key == self.super_admin_key: + token = self.get_itoken(req.environ) + url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix) + return Response(request=req, + body=json.dumps({'storage': {'default': 'local', 'local': url}}), + headers={'x-auth-token': token, 'x-storage-token': token, + 'x-storage-url': url}) + # Authenticate user + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPUnauthorized(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain user details: %s %s' % + (path, resp.status)) + user_detail = json.loads(resp.body) + if not self.credentials_match(user_detail, key): + return HTTPUnauthorized(request=req) + # See if a token already exists and hasn't expired + token = None + candidate_token = resp.headers.get('x-object-meta-auth-token') + if candidate_token: + path = quote('/v1/%s/.token_%s/%s' % + (self.auth_account, candidate_token[-1], candidate_token)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 == 2: + token_detail = json.loads(resp.body) + if token_detail['expires'] > time(): + token = candidate_token + else: + self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + elif resp.status_int != 404: + raise Exception('Could not detect whether a token already ' + 'exists: %s %s' % (path, resp.status)) + # Create a new token if one didn't exist + if not token: + # Retrieve account id, we'll save this in the token + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve account id value: ' + '%s %s' % (path, resp.status)) + account_id = \ + resp.headers['x-container-meta-account-id'] + # Generate new token + token = '%stk%s' % (self.reseller_prefix, uuid4().hex) + # Save token info + path = quote('/v1/%s/.token_%s/%s' % + (self.auth_account, token[-1], token)) + resp = self.make_request(req.environ, 'PUT', path, + json.dumps({'account': account, 'user': user, + 'account_id': account_id, + 'groups': user_detail['groups'], + 'expires': time() + self.token_life})).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create new token: %s %s' % + (path, resp.status)) + # Record the token with the user info for future use. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'POST', path, + headers={'X-Object-Meta-Auth-Token': token} + ).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not save new token: %s %s' % + (path, resp.status)) + # Get the services information + path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain services info: %s %s' % + (path, resp.status)) + detail = json.loads(resp.body) + url = detail['storage'][detail['storage']['default']] + return Response(request=req, body=resp.body, + headers={'x-auth-token': token, 'x-storage-token': token, + 'x-storage-url': url}) + + def handle_validate_token(self, req): + """ + Handles the GET v2/.token/ call for validating a token, usually + called by a service like Swift. + + On a successful validation, X-Auth-TTL will be set for how much longer + this token is valid and X-Auth-Groups will contain a comma separated + list of groups the user belongs to. + + The first group listed will be a unique identifier for the user the + token represents. + + .reseller_admin is a special group that indicates the user should be + allowed to do anything on any account. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with data set as explained + above. + """ + token = req.path_info_pop() + if req.path_info or not token.startswith(self.reseller_prefix): + return HTTPBadRequest(request=req) + expires = groups = None + memcache_client = cache_from_env(req.environ) + if memcache_client: + memcache_key = '%s/auth/%s' % (self.reseller_prefix, token) + cached_auth_data = memcache_client.get(memcache_key) + if cached_auth_data: + expires, groups = cached_auth_data + if expires < time(): + groups = None + if not groups: + path = quote('/v1/%s/.token_%s/%s' % + (self.auth_account, token[-1], token)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + return HTTPNotFound(request=req) + detail = json.loads(resp.body) + expires = detail['expires'] + if expires < time(): + self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + return HTTPNotFound(request=req) + groups = [g['name'] for g in detail['groups']] + if '.admin' in groups: + groups.remove('.admin') + groups.append(detail['account_id']) + groups = ','.join(groups) + return HTTPNoContent(headers={'X-Auth-TTL': expires - time(), + 'X-Auth-Groups': groups}) + + def make_request(self, env, method, path, body=None, headers=None): + """ + Makes a new webob.Request based on the current env but with the + parameters specified. + + :param env: Current WSGI environment dictionary + :param method: HTTP method of new request + :param path: HTTP path of new request + :param body: HTTP body of new request; None by default + :param headers: Extra HTTP headers of new request; None by default + + :returns: webob.Request object + """ + newenv = {'REQUEST_METHOD': method} + for name in ('swift.cache', 'HTTP_X_CF_TRANS_ID'): + if name in env: + newenv[name] = env[name] + if not headers: + headers = {} + if body: + return Request.blank(path, environ=newenv, body=body, + headers=headers) + else: + return Request.blank(path, environ=newenv, headers=headers) + + def get_conn(self, urlparsed=None): + """ + Returns an HTTPConnection based on the urlparse result given or the + default Swift cluster (internal url) urlparse result. + + :param urlparsed: The result from urlparse.urlparse or None to use the + default Swift cluster's value + """ + if not urlparsed: + urlparsed = self.dsc_parsed2 + if urlparsed.scheme == 'http': + return HTTPConnection(urlparsed.netloc) + else: + return HTTPSConnection(urlparsed.netloc) + + def get_itoken(self, env): + """ + Returns the current internal token to use for the auth system's own + actions with other services. Each process will create its own + itoken and the token will be deleted and recreated based on the + token_life configuration value. The itoken information is stored in + memcache because the auth process that is asked by Swift to validate + the token may not be the same as the auth process that created the + token. + """ + if not self.itoken or self.itoken_expires < time(): + self.itoken = '%sitk%s' % (self.reseller_prefix, uuid4().hex) + memcache_key = '%s/auth/%s' % (self.reseller_prefix, self.itoken) + self.itoken_expires = time() + self.token_life - 60 + memcache_client = cache_from_env(env) + if not memcache_client: + raise Exception( + 'No memcache set up; required for Swauth middleware') + memcache_client.set(memcache_key, (self.itoken_expires, + '.auth,.reseller_admin,%s.auth' % self.reseller_prefix), + timeout=self.token_life) + return self.itoken + + def get_admin_detail(self, req): + """ + Returns the dict for the user specified as the admin in the request + with the addition of an `account` key set to the admin user's account. + + :param req: The webob request to retrieve X-Auth-Admin-User and + X-Auth-Admin-Key from. + :returns: The dict for the admin user with the addition of the + `account` key. + """ + if ':' not in req.headers.get('x-auth-admin-user', ''): + return None + admin_account, admin_user = \ + req.headers.get('x-auth-admin-user').split(':', 1) + path = quote('/v1/%s/%s/%s' % (self.auth_account, admin_account, + admin_user)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return None + if resp.status_int // 100 != 2: + raise Exception('Could not get admin user object: %s %s' % + (path, resp.status)) + admin_detail = json.loads(resp.body) + admin_detail['account'] = admin_account + return admin_detail + + def credentials_match(self, user_detail, key): + """ + Returns True if the key is valid for the user_detail. Currently, this + only supports plaintext key matching. + + :param user_detail: The dict for the user. + :param key: The key to validate for the user. + :returns: True if the key is valid for the user, False if not. + """ + return user_detail and user_detail.get('auth') == 'plaintext:%s' % key + + def is_super_admin(self, req): + """ + Returns True if the admin specified in the request represents the + .super_admin. + + :param req: The webob.Request to check. + :param returns: True if .super_admin. + """ + return req.headers.get('x-auth-admin-user') == '.super_admin' and \ + req.headers.get('x-auth-admin-key') == self.super_admin_key + + def is_reseller_admin(self, req, admin_detail=None): + """ + Returns True if the admin specified in the request represents a + .reseller_admin. + + :param req: The webob.Request to check. + :param admin_detail: The previously retrieved dict from + :func:`get_admin_detail` or None for this function + to retrieve the admin_detail itself. + :param returns: True if .reseller_admin. + """ + if self.is_super_admin(req): + return True + if not admin_detail: + admin_detail = self.get_admin_detail(req) + if not self.credentials_match(admin_detail, + req.headers.get('x-auth-admin-key')): + return False + return '.reseller_admin' in (g['name'] for g in admin_detail['groups']) + + def is_account_admin(self, req, account): + """ + Returns True if the admin specified in the request represents a .admin + for the account specified. + + :param req: The webob.Request to check. + :param account: The account to check for .admin against. + :param returns: True if .admin. + """ + if self.is_super_admin(req): + return True + admin_detail = self.get_admin_detail(req) + if admin_detail: + if self.is_reseller_admin(req, admin_detail=admin_detail): + return True + if not self.credentials_match(admin_detail, + req.headers.get('x-auth-admin-key')): + return False + return admin_detail and admin_detail['account'] == account and \ + '.admin' in (g['name'] for g in admin_detail['groups']) + return False + + def posthooklogger(self, env, req): + response = getattr(req, 'response', None) + if not response: + return + trans_time = '%.4f' % (time() - req.start_time) + the_request = quote(unquote(req.path)) + if req.query_string: + the_request = the_request + '?' + req.query_string + # remote user for zeus + client = req.headers.get('x-cluster-client-ip') + if not client and 'x-forwarded-for' in req.headers: + # remote user for other lbs + client = req.headers['x-forwarded-for'].split(',')[0].strip() + logged_headers = None + if self.log_headers: + logged_headers = '\n'.join('%s: %s' % (k, v) + for k, v in req.headers.items()) + status_int = response.status_int + if getattr(req, 'client_disconnect', False) or \ + getattr(response, 'client_disconnect', False): + status_int = 499 + self.logger.info(' '.join(quote(str(x)) for x in (client or '-', + req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()), + req.method, the_request, req.environ['SERVER_PROTOCOL'], + status_int, req.referer or '-', req.user_agent or '-', + req.headers.get('x-auth-token', + req.headers.get('x-auth-admin-user', '-')), + getattr(req, 'bytes_transferred', 0) or '-', + getattr(response, 'bytes_transferred', 0) or '-', + req.headers.get('etag', '-'), + req.headers.get('x-cf-trans-id', '-'), logged_headers or '-', + trans_time))) + + +def filter_factory(global_conf, **local_conf): + """Returns a WSGI filter app for use with paste.deploy.""" + conf = global_conf.copy() + conf.update(local_conf) + + def auth_filter(app): + return Swauth(app, conf) + return auth_filter diff --git a/swift/common/ring/builder.py b/swift/common/ring/builder.py index ea1e5a17d3..5b66b8a9bf 100644 --- a/swift/common/ring/builder.py +++ b/swift/common/ring/builder.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ # limitations under the License. from array import array -from random import randint +from random import randint, shuffle from time import time from swift.common.ring import RingData @@ -413,6 +413,7 @@ class RingBuilder(object): dev['parts_wanted'] += 1 dev['parts'] -= 1 reassign_parts.append(part) + shuffle(reassign_parts) return reassign_parts def _reassign_parts(self, reassign_parts): diff --git a/swift/common/ring/ring.py b/swift/common/ring/ring.py index fea22e8ffa..45ab407563 100644 --- a/swift/common/ring/ring.py +++ b/swift/common/ring/ring.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/common/utils.py b/swift/common/utils.py index da71253e7b..27125d2c25 100644 --- a/swift/common/utils.py +++ b/swift/common/utils.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -284,11 +284,15 @@ class LoggerFileObject(object): class LogAdapter(object): - """Cheesy version of the LoggerAdapter available in Python 3""" + """ + A Logger like object which performs some reformatting on calls to + :meth:`exception`. Can be used to store a threadlocal transaction id. + """ + + _txn_id = threading.local() def __init__(self, logger): self.logger = logger - self._txn_id = threading.local() for proxied_method in ('debug', 'log', 'warn', 'warning', 'error', 'critical', 'info'): setattr(self, proxied_method, getattr(logger, proxied_method)) @@ -306,7 +310,7 @@ class LogAdapter(object): return self.logger.getEffectiveLevel() def exception(self, msg, *args): - _, exc, _ = sys.exc_info() + _junk, exc, _junk = sys.exc_info() call = self.logger.error emsg = '' if isinstance(exc, OSError): @@ -316,9 +320,11 @@ class LogAdapter(object): call = self.logger.exception elif isinstance(exc, socket.error): if exc.errno == errno.ECONNREFUSED: - emsg = 'Connection refused' + emsg = _('Connection refused') elif exc.errno == errno.EHOSTUNREACH: - emsg = 'Host unreachable' + emsg = _('Host unreachable') + elif exc.errno == errno.ETIMEDOUT: + emsg = _('Connection timeout') else: call = self.logger.exception elif isinstance(exc, eventlet.Timeout): @@ -334,18 +340,45 @@ class LogAdapter(object): class NamedFormatter(logging.Formatter): - def __init__(self, server, logger): - logging.Formatter.__init__(self) + """ + NamedFormatter is used to add additional information to log messages. + Normally it will simply add the server name as an attribute on the + LogRecord and the default format string will include it at the + begining of the log message. Additionally, if the transaction id is + available and not already included in the message, NamedFormatter will + add it. + + NamedFormatter may be initialized with a format string which makes use + of the standard LogRecord attributes. In addition the format string + may include the following mapping key: + + +----------------+---------------------------------------------+ + | Format | Description | + +================+=============================================+ + | %(server)s | Name of the swift server doing logging | + +----------------+---------------------------------------------+ + + :param server: the swift server name, a string. + :param logger: a Logger or :class:`LogAdapter` instance, additional + context may be pulled from attributes on this logger if + available. + :param fmt: the format string used to construct the message, if none is + supplied it defaults to ``"%(server)s %(message)s"`` + """ + + def __init__(self, server, logger, + fmt="%(server)s %(message)s"): + logging.Formatter.__init__(self, fmt) self.server = server self.logger = logger def format(self, record): + record.server = self.server msg = logging.Formatter.format(self, record) if self.logger.txn_id and (record.levelno != logging.INFO or self.logger.txn_id not in msg): - return '%s %s (txn: %s)' % (self.server, msg, self.logger.txn_id) - else: - return '%s %s' % (self.server, msg) + msg = "%s (txn: %s)" % (msg, self.logger.txn_id) + return msg def get_logger(conf, name=None, log_to_console=False): @@ -365,6 +398,7 @@ def get_logger(conf, name=None, log_to_console=False): root_logger = logging.getLogger() if hasattr(get_logger, 'handler') and get_logger.handler: root_logger.removeHandler(get_logger.handler) + get_logger.handler.close() get_logger.handler = None if log_to_console: # check if a previous call to get_logger already added a console logger @@ -386,7 +420,10 @@ def get_logger(conf, name=None, log_to_console=False): root_logger.setLevel( getattr(logging, conf.get('log_level', 'INFO').upper(), logging.INFO)) adapted_logger = LogAdapter(root_logger) - get_logger.handler.setFormatter(NamedFormatter(name, adapted_logger)) + formatter = NamedFormatter(name, adapted_logger) + get_logger.handler.setFormatter(formatter) + if hasattr(get_logger, 'console'): + get_logger.console.setFormatter(formatter) return adapted_logger @@ -744,19 +781,22 @@ def audit_location_generator(devices, datadir, mount_check=True, logger=None): on devices :param logger: a logger object ''' - for device in os.listdir(devices): - if mount_check and not\ + device_dir = os.listdir(devices) + # randomize devices in case of process restart before sweep completed + shuffle(device_dir) + for device in device_dir: + if mount_check and not \ os.path.ismount(os.path.join(devices, device)): if logger: logger.debug( _('Skipping %s as it is not mounted'), device) continue - datadir = os.path.join(devices, device, datadir) - if not os.path.exists(datadir): + datadir_path = os.path.join(devices, device, datadir) + if not os.path.exists(datadir_path): continue - partitions = os.listdir(datadir) + partitions = os.listdir(datadir_path) for partition in partitions: - part_path = os.path.join(datadir, partition) + part_path = os.path.join(datadir_path, partition) if not os.path.isdir(part_path): continue suffixes = os.listdir(part_path) @@ -773,3 +813,30 @@ def audit_location_generator(devices, datadir, mount_check=True, logger=None): reverse=True): path = os.path.join(hash_path, fname) yield path, device, partition + + +def ratelimit_sleep(running_time, max_rate, incr_by=1): + ''' + Will eventlet.sleep() for the appropriate time so that the max_rate + is never exceeded. If max_rate is 0, will not ratelimit. The + maximum recommended rate should not exceed (1000 * incr_by) a second + as eventlet.sleep() does involve some overhead. Returns running_time + that should be used for subsequent calls. + + :param running_time: the running time of the next allowable request. Best + to start at zero. + :param max_rate: The maximum rate per second allowed for the process. + :param incr_by: How much to increment the counter. Useful if you want + to ratelimit 1024 bytes/sec and have differing sizes + of requests. Must be >= 0. + ''' + if not max_rate or incr_by <= 0: + return running_time + clock_accuracy = 1000.0 + now = time.time() * clock_accuracy + time_per_request = clock_accuracy * (float(incr_by) / max_rate) + if running_time < now: + running_time = now + elif running_time - now > time_per_request: + eventlet.sleep((running_time - now) / clock_accuracy) + return running_time + time_per_request diff --git a/swift/common/wsgi.py b/swift/common/wsgi.py index e8c512f2ee..9450bcf439 100644 --- a/swift/common/wsgi.py +++ b/swift/common/wsgi.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/container/auditor.py b/swift/container/auditor.py index 082e6e2b37..d1ceb4f98a 100644 --- a/swift/container/auditor.py +++ b/swift/container/auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/container/replicator.py b/swift/container/replicator.py index 0b344ecbcd..4cdc03b884 100644 --- a/swift/container/replicator.py +++ b/swift/container/replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/container/server.py b/swift/container/server.py index fc06194de6..7ba375ce33 100644 --- a/swift/container/server.py +++ b/swift/container/server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/container/updater.py b/swift/container/updater.py index 9056de3202..9dacea32d1 100644 --- a/swift/container/updater.py +++ b/swift/container/updater.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/obj/auditor.py b/swift/obj/auditor.py index 1d445ec65f..62fc747e86 100644 --- a/swift/obj/auditor.py +++ b/swift/obj/auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,7 +20,8 @@ from random import random from swift.obj import server as object_server from swift.obj.replicator import invalidate_hash -from swift.common.utils import get_logger, renamer, audit_location_generator +from swift.common.utils import get_logger, renamer, audit_location_generator, \ + ratelimit_sleep from swift.common.exceptions import AuditException from swift.common.daemon import Daemon @@ -34,39 +35,30 @@ class ObjectAuditor(Daemon): self.devices = conf.get('devices', '/srv/node') self.mount_check = conf.get('mount_check', 'true').lower() in \ ('true', 't', '1', 'on', 'yes', 'y') - self.interval = int(conf.get('interval', 1800)) + self.max_files_per_second = float(conf.get('files_per_second', 20)) + self.max_bytes_per_second = float(conf.get('bytes_per_second', + 10000000)) + self.files_running_time = 0 + self.bytes_running_time = 0 + self.bytes_processed = 0 + self.total_bytes_processed = 0 + self.total_files_processed = 0 self.passes = 0 self.quarantines = 0 self.errors = 0 + self.log_time = 3600 # once an hour - def run_forever(self): # pragma: no cover + def run_forever(self): """Run the object audit until stopped.""" - reported = time.time() - time.sleep(random() * self.interval) while True: - begin = time.time() - all_locs = audit_location_generator(self.devices, - object_server.DATADIR, - mount_check=self.mount_check, - logger=self.logger) - for path, device, partition in all_locs: - self.object_audit(path, device, partition) - if time.time() - reported >= 3600: # once an hour - self.logger.info(_('Since %(time)s: Locally: %(pass)d ' - 'passed audit, %(quar)d quarantined, %(error)d errors'), - {'time': time.ctime(reported), 'pass': self.passes, - 'quar': self.quarantines, 'error': self.errors}) - reported = time.time() - self.passes = 0 - self.quarantines = 0 - self.errors = 0 - elapsed = time.time() - begin - if elapsed < self.interval: - time.sleep(self.interval - elapsed) + self.run_once('forever') + self.total_bytes_processed = 0 + self.total_files_processed = 0 + time.sleep(30) - def run_once(self): + def run_once(self, mode='once'): """Run the object audit once.""" - self.logger.info(_('Begin object audit "once" mode')) + self.logger.info(_('Begin object audit "%s" mode' % mode)) begin = reported = time.time() all_locs = audit_location_generator(self.devices, object_server.DATADIR, @@ -74,18 +66,35 @@ class ObjectAuditor(Daemon): logger=self.logger) for path, device, partition in all_locs: self.object_audit(path, device, partition) - if time.time() - reported >= 3600: # once an hour - self.logger.info(_('Since %(time)s: Locally: %(pass)d ' - 'passed audit, %(quar)d quarantined, %(error)d errors'), - {'time': time.ctime(reported), 'pass': self.passes, - 'quar': self.quarantines, 'error': self.errors}) + self.files_running_time = ratelimit_sleep( + self.files_running_time, self.max_files_per_second) + self.total_files_processed += 1 + if time.time() - reported >= self.log_time: + self.logger.info(_( + 'Since %(start_time)s: Locally: %(passes)d passed audit, ' + '%(quars)d quarantined, %(errors)d errors ' + 'files/sec: %(frate).2f , bytes/sec: %(brate).2f') % { + 'start_time': time.ctime(reported), + 'passes': self.passes, + 'quars': self.quarantines, + 'errors': self.errors, + 'frate': self.passes / (time.time() - reported), + 'brate': self.bytes_processed / + (time.time() - reported)}) reported = time.time() self.passes = 0 self.quarantines = 0 self.errors = 0 + self.bytes_processed = 0 elapsed = time.time() - begin - self.logger.info( - _('Object audit "once" mode completed: %.02fs'), elapsed) + self.logger.info(_( + 'Object audit "%(mode)s" mode completed: %(elapsed).02fs. ' + 'Total files/sec: %(frate).2f , ' + 'Total bytes/sec: %(brate).2f ') % { + 'mode': mode, + 'elapsed': elapsed, + 'frate': self.total_files_processed / elapsed, + 'brate': self.total_bytes_processed / elapsed}) def object_audit(self, path, device, partition): """ @@ -102,7 +111,7 @@ class ObjectAuditor(Daemon): name = object_server.read_metadata(path)['name'] except Exception, exc: raise AuditException('Error when reading metadata: %s' % exc) - _, account, container, obj = name.split('/', 3) + _junk, account, container, obj = name.split('/', 3) df = object_server.DiskFile(self.devices, device, partition, account, container, obj, @@ -117,15 +126,20 @@ class ObjectAuditor(Daemon): os.path.getsize(df.data_file))) etag = md5() for chunk in df: + self.bytes_running_time = ratelimit_sleep( + self.bytes_running_time, self.max_bytes_per_second, + incr_by=len(chunk)) etag.update(chunk) + self.bytes_processed += len(chunk) + self.total_bytes_processed += len(chunk) etag = etag.hexdigest() if etag != df.metadata['ETag']: raise AuditException("ETag of %s does not match file's md5 of " "%s" % (df.metadata['ETag'], etag)) except AuditException, err: self.quarantines += 1 - self.logger.error(_('ERROR Object %(obj)s failed audit and will be ' - 'quarantined: %(err)s'), {'obj': path, 'err': err}) + self.logger.error(_('ERROR Object %(obj)s failed audit and will ' + 'be quarantined: %(err)s'), {'obj': path, 'err': err}) invalidate_hash(os.path.dirname(path)) renamer_path = os.path.dirname(path) renamer(renamer_path, os.path.join(self.devices, device, diff --git a/swift/obj/replicator.py b/swift/obj/replicator.py index ef02b9f3ec..ec76fb384c 100644 --- a/swift/obj/replicator.py +++ b/swift/obj/replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -179,7 +179,7 @@ def get_hashes(partition_dir, do_listdir=True, reclaim_age=ONE_WEEK): hashes[suffix] = hash_suffix(suffix_dir, reclaim_age) hashed += 1 except OSError: - logging.exception('Error hashing suffix') + logging.exception(_('Error hashing suffix')) hashes[suffix] = None else: del hashes[suffix] @@ -254,8 +254,8 @@ class ObjectReplicator(Daemon): continue self.logger.info(result) if ret_val: - self.logger.error(_('Bad rsync return code: %s -> %d'), - (str(args), ret_val)) + self.logger.error(_('Bad rsync return code: %(args)s -> %(ret)d'), + {'args': str(args), 'ret': ret_val}) elif results: self.logger.info( _("Successful rsync of %(src)s at %(dst)s (%(time).03f)"), @@ -407,7 +407,7 @@ class ObjectReplicator(Daemon): conn.getresponse().read() self.suffix_sync += len(suffixes) except (Exception, Timeout): - logging.exception("Error syncing with node: %s" % node) + self.logger.exception(_("Error syncing with node: %s") % node) self.suffix_count += len(local_hash) except (Exception, Timeout): self.logger.exception(_("Error syncing partition")) diff --git a/swift/obj/server.py b/swift/obj/server.py index 7c139d7775..c25d00b47b 100644 --- a/swift/obj/server.py +++ b/swift/obj/server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -72,6 +72,21 @@ def read_metadata(fd): return pickle.loads(metadata) +def write_metadata(fd, metadata): + """ + Helper function to write pickled metadata for an object file. + + :param fd: file descriptor to write the metadata + :param metadata: metadata to write + """ + metastr = pickle.dumps(metadata, PICKLE_PROTOCOL) + key = 0 + while metastr: + setxattr(fd, '%s%s' % (METADATA_KEY, key or ''), metastr[:254]) + metastr = metastr[254:] + key += 1 + + class DiskFile(object): """ Manage object files on disk. @@ -97,6 +112,7 @@ class DiskFile(object): self.metadata = {} self.meta_file = None self.data_file = None + self.fp = None if not os.path.exists(self.datadir): return files = sorted(os.listdir(self.datadir), reverse=True) @@ -203,17 +219,12 @@ class DiskFile(object): :params fd: file descriptor of the temp file :param tmppath: path to the temporary file being used - :param metadata: dictionary of metada to be written + :param metadata: dictionary of metadata to be written :param extention: extension to be used when making the file """ metadata['name'] = self.name timestamp = normalize_timestamp(metadata['X-Timestamp']) - metastr = pickle.dumps(metadata, PICKLE_PROTOCOL) - key = 0 - while metastr: - setxattr(fd, '%s%s' % (METADATA_KEY, key or ''), metastr[:254]) - metastr = metastr[254:] - key += 1 + write_metadata(fd, metadata) if 'Content-Length' in metadata: drop_buffer_cache(fd, 0, int(metadata['Content-Length'])) os.fsync(fd) diff --git a/swift/obj/updater.py b/swift/obj/updater.py index f958166679..a226d4523e 100644 --- a/swift/obj/updater.py +++ b/swift/obj/updater.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/proxy/server.py b/swift/proxy/server.py index 1cde24cfe6..e1d5824b4e 100644 --- a/swift/proxy/server.py +++ b/swift/proxy/server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -911,12 +911,14 @@ class ObjectController(Controller): self.account_name, self.container_name, self.object_name) req.headers['X-Timestamp'] = normalize_timestamp(time.time()) # Sometimes the 'content-type' header exists, but is set to None. + content_type_manually_set = True if not req.headers.get('content-type'): guessed_type, _junk = mimetypes.guess_type(req.path_info) if not guessed_type: req.headers['Content-Type'] = 'application/octet-stream' else: req.headers['Content-Type'] = guessed_type + content_type_manually_set = False error_response = check_object_creation(req, self.object_name) if error_response: return error_response @@ -950,17 +952,20 @@ class ObjectController(Controller): self.container_name = orig_container_name new_req = Request.blank(req.path_info, environ=req.environ, headers=req.headers) - if 'x-object-manifest' in source_resp.headers: - data_source = iter(['']) - new_req.content_length = 0 - new_req.headers['X-Object-Manifest'] = \ - source_resp.headers['x-object-manifest'] - else: - data_source = source_resp.app_iter - new_req.content_length = source_resp.content_length - new_req.etag = source_resp.etag + data_source = source_resp.app_iter + new_req.content_length = source_resp.content_length + if new_req.content_length is None: + # This indicates a transfer-encoding: chunked source object, + # which currently only happens because there are more than + # CONTAINER_LISTING_LIMIT segments in a segmented object. In + # this case, we're going to refuse to do the server-side copy. + return HTTPRequestEntityTooLarge(request=req) + new_req.etag = source_resp.etag # we no longer need the X-Copy-From header del new_req.headers['X-Copy-From'] + if not content_type_manually_set: + new_req.headers['Content-Type'] = \ + source_resp.headers['Content-Type'] for k, v in source_resp.headers.items(): if k.lower().startswith('x-object-meta-'): new_req.headers[k] = v @@ -1683,7 +1688,8 @@ class BaseApplication(object): def update_request(self, req): req.bytes_transferred = '-' req.client_disconnect = False - req.headers['x-cf-trans-id'] = 'tx' + str(uuid.uuid4()) + if 'x-cf-trans-id' not in req.headers: + req.headers['x-cf-trans-id'] = 'tx' + str(uuid.uuid4()) if 'x-storage-token' in req.headers and \ 'x-auth-token' not in req.headers: req.headers['x-auth-token'] = req.headers['x-storage-token'] diff --git a/swift/stats/access_processor.py b/swift/stats/access_processor.py index b7e475833f..558709dccf 100644 --- a/swift/stats/access_processor.py +++ b/swift/stats/access_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/stats/account_stats.py b/swift/stats/account_stats.py index ddf4192119..e402bd0bc8 100644 --- a/swift/stats/account_stats.py +++ b/swift/stats/account_stats.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/stats/log_processor.py b/swift/stats/log_processor.py index 2511f5e8d6..60101b7ca2 100644 --- a/swift/stats/log_processor.py +++ b/swift/stats/log_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/stats/log_uploader.py b/swift/stats/log_uploader.py index a8cc92739f..160c948f7f 100644 --- a/swift/stats/log_uploader.py +++ b/swift/stats/log_uploader.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/swift/stats/stats_processor.py b/swift/stats/stats_processor.py index a590a74108..7854c83572 100644 --- a/swift/stats/stats_processor.py +++ b/swift/stats/stats_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/functional/sample.conf b/test/functional/sample.conf index 983f2cf768..4067269af2 100644 --- a/test/functional/sample.conf +++ b/test/functional/sample.conf @@ -1,7 +1,12 @@ # sample config auth_host = 127.0.0.1 +# For DevAuth: auth_port = 11000 +# For Swauth: +# auth_port = 8080 auth_ssl = no +# For Swauth: +# auth_prefix = /auth/ # Primary functional test account (needs admin access to the account) account = test diff --git a/test/functional/swift.py b/test/functional/swift.py index e134de502f..f7d580b93d 100644 --- a/test/functional/swift.py +++ b/test/functional/swift.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -82,6 +82,7 @@ class Connection(object): self.auth_host = config['auth_host'] self.auth_port = int(config['auth_port']) self.auth_ssl = config['auth_ssl'] in ('on', 'true', 'yes', '1') + self.auth_prefix = config.get('auth_prefix', '/') self.account = config['account'] self.username = config['username'] @@ -105,11 +106,11 @@ class Connection(object): return headers = { - 'x-storage-user': self.username, - 'x-storage-pass': self.password, + 'x-auth-user': '%s:%s' % (self.account, self.username), + 'x-auth-key': self.password, } - path = '/v1/%s/auth' % (self.account) + path = '%sv1.0' % (self.auth_prefix) if self.auth_ssl: connection = httplib.HTTPSConnection(self.auth_host, port=self.auth_port) diff --git a/test/functional/tests.py b/test/functional/tests.py index f1ea6232b0..4cf090ae5d 100644 --- a/test/functional/tests.py +++ b/test/functional/tests.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/functionalnosetests/swift_testing.py b/test/functionalnosetests/swift_testing.py index 8bd46b462b..69553494b3 100644 --- a/test/functionalnosetests/swift_testing.py +++ b/test/functionalnosetests/swift_testing.py @@ -31,7 +31,10 @@ if not all([swift_test_auth, swift_test_user[0], swift_test_key[0]]): swift_test_auth = 'http' if conf.get('auth_ssl', 'no').lower() in ('yes', 'true', 'on', '1'): swift_test_auth = 'https' - swift_test_auth += '://%(auth_host)s:%(auth_port)s/v1.0' % conf + if 'auth_prefix' not in conf: + conf['auth_prefix'] = '/' + swift_test_auth += \ + '://%(auth_host)s:%(auth_port)s%(auth_prefix)sv1.0' % conf swift_test_user[0] = '%(account)s:%(username)s' % conf swift_test_key[0] = conf['password'] try: diff --git a/test/probe/common.py b/test/probe/common.py index 0bb6f42a57..c29f142713 100644 --- a/test/probe/common.py +++ b/test/probe/common.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -24,13 +24,25 @@ from swift.common.client import get_auth from swift.common.ring import Ring +SUPER_ADMIN_KEY = None +AUTH_TYPE = None + +c = ConfigParser() AUTH_SERVER_CONF_FILE = environ.get('SWIFT_AUTH_SERVER_CONF_FILE', '/etc/swift/auth-server.conf') -c = ConfigParser() -if not c.read(AUTH_SERVER_CONF_FILE): - exit('Unable to read config file: %s' % AUTH_SERVER_CONF_FILE) -conf = dict(c.items('app:auth-server')) -SUPER_ADMIN_KEY = conf.get('super_admin_key', 'devauth') +if c.read(AUTH_SERVER_CONF_FILE): + conf = dict(c.items('app:auth-server')) + SUPER_ADMIN_KEY = conf.get('super_admin_key', 'devauth') + AUTH_TYPE = 'devauth' +else: + PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE', + '/etc/swift/proxy-server.conf') + if c.read(PROXY_SERVER_CONF_FILE): + conf = dict(c.items('filter:swauth')) + SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey') + AUTH_TYPE = 'swauth' + else: + exit('Unable to read config file: %s' % AUTH_SERVER_CONF_FILE) def kill_pids(pids): @@ -45,8 +57,9 @@ def reset_environment(): call(['resetswift']) pids = {} try: - pids['auth'] = Popen(['swift-auth-server', - '/etc/swift/auth-server.conf']).pid + if AUTH_TYPE == 'devauth': + pids['auth'] = Popen(['swift-auth-server', + '/etc/swift/auth-server.conf']).pid pids['proxy'] = Popen(['swift-proxy-server', '/etc/swift/proxy-server.conf']).pid port2server = {} @@ -60,14 +73,21 @@ def reset_environment(): container_ring = Ring('/etc/swift/container.ring.gz') object_ring = Ring('/etc/swift/object.ring.gz') sleep(5) - conn = http_connect('127.0.0.1', '11000', 'POST', '/recreate_accounts', - headers={'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': SUPER_ADMIN_KEY}) - resp = conn.getresponse() - if resp.status != 200: - raise Exception('Recreating accounts failed. (%d)' % resp.status) - url, token = \ - get_auth('http://127.0.0.1:11000/auth', 'test:tester', 'testing') + if AUTH_TYPE == 'devauth': + conn = http_connect('127.0.0.1', '11000', 'POST', + '/recreate_accounts', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': SUPER_ADMIN_KEY}) + resp = conn.getresponse() + if resp.status != 200: + raise Exception('Recreating accounts failed. (%d)' % + resp.status) + url, token = get_auth('http://127.0.0.1:11000/auth', 'test:tester', + 'testing') + elif AUTH_TYPE == 'swauth': + call(['recreateaccounts']) + url, token = get_auth('http://127.0.0.1:8080/auth/v1.0', + 'test:tester', 'testing') account = url.split('/')[-1] except BaseException, err: kill_pids(pids) diff --git a/test/probe/test_account_failures.py b/test/probe/test_account_failures.py index 5ad2f965cb..807e397a57 100755 --- a/test/probe/test_account_failures.py +++ b/test/probe/test_account_failures.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/probe/test_container_failures.py b/test/probe/test_container_failures.py index b24e1bc169..656f637a15 100755 --- a/test/probe/test_container_failures.py +++ b/test/probe/test_container_failures.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/probe/test_object_async_update.py b/test/probe/test_object_async_update.py index 7db3a75fca..818f1dd740 100755 --- a/test/probe/test_object_async_update.py +++ b/test/probe/test_object_async_update.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/probe/test_object_handoff.py b/test/probe/test_object_handoff.py index 7086c11de8..ba81e4c559 100755 --- a/test/probe/test_object_handoff.py +++ b/test/probe/test_object_handoff.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/probe/test_running_with_each_type_down.py b/test/probe/test_running_with_each_type_down.py index 46fe1c5851..cb4a061540 100755 --- a/test/probe/test_running_with_each_type_down.py +++ b/test/probe/test_running_with_each_type_down.py @@ -1,5 +1,5 @@ #!/usr/bin/python -u -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/account/test_auditor.py b/test/unit/account/test_auditor.py index f7678ec1c1..31663d26a5 100644 --- a/test/unit/account/test_auditor.py +++ b/test/unit/account/test_auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/account/test_reaper.py b/test/unit/account/test_reaper.py index c69fc2229d..daa81d931b 100644 --- a/test/unit/account/test_reaper.py +++ b/test/unit/account/test_reaper.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/account/test_replicator.py b/test/unit/account/test_replicator.py index 6b3d045eaa..17f09a5e53 100644 --- a/test/unit/account/test_replicator.py +++ b/test/unit/account/test_replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/account/test_server.py b/test/unit/account/test_server.py index d7f52c280c..16800ca165 100644 --- a/test/unit/account/test_server.py +++ b/test/unit/account/test_server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/auth/test_server.py b/test/unit/auth/test_server.py index 1d691454b3..bd63b44b12 100644 --- a/test/unit/auth/test_server.py +++ b/test/unit/auth/test_server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_acl.py b/test/unit/common/middleware/test_acl.py index 03e76ce621..a6183eaad2 100644 --- a/test/unit/common/middleware/test_acl.py +++ b/test/unit/common/middleware/test_acl.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_auth.py b/test/unit/common/middleware/test_auth.py index b380d4f684..cabc7a9523 100644 --- a/test/unit/common/middleware/test_auth.py +++ b/test/unit/common/middleware/test_auth.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -432,6 +432,40 @@ class TestAuth(unittest.TestCase): resp = self.test_auth.authorize(req) self.assertEquals(resp and resp.status_int, 403) + def test_account_delete_permissions(self): + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp and resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,AUTH_other' + resp = self.test_auth.authorize(req) + self.assertEquals(resp and resp.status_int, 403) + + # Even DELETEs to your own account as account admin should fail + req = Request.blank('/v1/AUTH_old', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,AUTH_old' + resp = self.test_auth.authorize(req) + self.assertEquals(resp and resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp, None) + + # .super_admin is not something the middleware should ever see or care + # about + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,.super_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp and resp.status_int, 403) + if __name__ == '__main__': unittest.main() diff --git a/test/unit/common/middleware/test_cname_lookup.py b/test/unit/common/middleware/test_cname_lookup.py index fdf954253f..423726bb03 100644 --- a/test/unit/common/middleware/test_cname_lookup.py +++ b/test/unit/common/middleware/test_cname_lookup.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_domain_remap.py b/test/unit/common/middleware/test_domain_remap.py index a6beb561fb..fe079cbeda 100644 --- a/test/unit/common/middleware/test_domain_remap.py +++ b/test/unit/common/middleware/test_domain_remap.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_except.py b/test/unit/common/middleware/test_except.py index 25e9486ab0..89c6e9ea1f 100644 --- a/test/unit/common/middleware/test_except.py +++ b/test/unit/common/middleware/test_except.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_healthcheck.py b/test/unit/common/middleware/test_healthcheck.py index fc1a2a198a..81872b7ed0 100644 --- a/test/unit/common/middleware/test_healthcheck.py +++ b/test/unit/common/middleware/test_healthcheck.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_memcache.py b/test/unit/common/middleware/test_memcache.py index a6f9336fec..baf50c6f30 100644 --- a/test/unit/common/middleware/test_memcache.py +++ b/test/unit/common/middleware/test_memcache.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_ratelimit.py b/test/unit/common/middleware/test_ratelimit.py index 344708b289..3f993a0402 100644 --- a/test/unit/common/middleware/test_ratelimit.py +++ b/test/unit/common/middleware/test_ratelimit.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/middleware/test_swauth.py b/test/unit/common/middleware/test_swauth.py new file mode 100644 index 0000000000..00c010b9dc --- /dev/null +++ b/test/unit/common/middleware/test_swauth.py @@ -0,0 +1,3117 @@ +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +import unittest +from contextlib import contextmanager +from time import time + +from webob import Request, Response + +from swift.common.middleware import swauth as auth + + +class FakeMemcache(object): + + def __init__(self): + self.store = {} + + def get(self, key): + return self.store.get(key) + + def set(self, key, value, timeout=0): + self.store[key] = value + return True + + def incr(self, key, timeout=0): + self.store[key] = self.store.setdefault(key, 0) + 1 + return self.store[key] + + @contextmanager + def soft_lock(self, key, timeout=0, retries=5): + yield True + + def delete(self, key): + try: + del self.store[key] + except: + pass + return True + + +class FakeApp(object): + + def __init__(self, status_headers_body_iter=None): + self.calls = 0 + self.status_headers_body_iter = status_headers_body_iter + if not self.status_headers_body_iter: + self.status_headers_body_iter = iter([('404 Not Found', {}, '')]) + + def __call__(self, env, start_response): + self.calls += 1 + self.request = Request.blank('', environ=env) + if 'swift.authorize' in env: + resp = env['swift.authorize'](self.request) + if resp: + return resp(env, start_response) + status, headers, body = self.status_headers_body_iter.next() + return Response(status=status, headers=headers, + body=body)(env, start_response) + + +class FakeConn(object): + + def __init__(self, status_headers_body_iter=None): + self.calls = 0 + self.status_headers_body_iter = status_headers_body_iter + if not self.status_headers_body_iter: + self.status_headers_body_iter = iter([('404 Not Found', {}, '')]) + + def request(self, method, path, headers): + self.calls += 1 + self.request_path = path + self.status, self.headers, self.body = \ + self.status_headers_body_iter.next() + self.status, self.reason = self.status.split(' ', 1) + self.status = int(self.status) + + def getresponse(self): + return self + + def read(self): + body = self.body + self.body = '' + return body + + +class TestAuth(unittest.TestCase): + + def setUp(self): + self.test_auth = \ + auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp()) + + def test_super_admin_key_required(self): + app = FakeApp() + exc = None + try: + auth.filter_factory({})(app) + except ValueError, err: + exc = err + self.assertEquals(str(exc), + 'No super_admin_key set in conf file! Exiting.') + auth.filter_factory({'super_admin_key': 'supertest'})(app) + + def test_reseller_prefix_init(self): + app = FakeApp() + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.reseller_prefix, 'AUTH_') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': 'TEST'})(app) + self.assertEquals(ath.reseller_prefix, 'TEST_') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': 'TEST_'})(app) + self.assertEquals(ath.reseller_prefix, 'TEST_') + + def test_auth_prefix_init(self): + app = FakeApp() + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.auth_prefix, '/auth/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': ''})(app) + self.assertEquals(ath.auth_prefix, '/auth/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': '/test/'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': '/test'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': 'test/'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': 'test'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + + def test_default_swift_cluster_init(self): + app = FakeApp() + self.assertRaises(Exception, auth.filter_factory({ + 'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:badscheme://host/path'}), app) + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.default_swift_cluster, + 'local:http://127.0.0.1:8080/v1') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:http://host/path'})(app) + self.assertEquals(ath.default_swift_cluster, + 'local:http://host/path') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:https://host/path/'})(app) + self.assertEquals(ath.dsc_url, 'https://host/path') + self.assertEquals(ath.dsc_url2, 'https://host/path') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': + 'local::https://host/path/::http://host2/path2/'})(app) + self.assertEquals(ath.dsc_url, 'https://host/path') + self.assertEquals(ath.dsc_url2, 'http://host2/path2') + + def test_top_level_ignore(self): + resp = Request.blank('/').get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + + def test_anon(self): + resp = Request.blank('/v1/AUTH_account').get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(resp.environ['swift.authorize'], + self.test_auth.authorize) + + def test_auth_deny_non_reseller_prefix(self): + resp = Request.blank('/v1/BLAH_account', + headers={'X-Auth-Token': 'BLAH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(resp.environ['swift.authorize'], + self.test_auth.denied_response) + + def test_auth_deny_non_reseller_prefix_no_override(self): + fake_authorize = lambda x: Response(status='500 Fake') + resp = Request.blank('/v1/BLAH_account', + headers={'X-Auth-Token': 'BLAH_t'}, + environ={'swift.authorize': fake_authorize} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(resp.environ['swift.authorize'], fake_authorize) + + def test_auth_no_reseller_prefix_deny(self): + # Ensures that when we have no reseller prefix, we don't deny a request + # outright but set up a denial swift.authorize and pass the request on + # down the chain. + local_app = FakeApp() + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(local_app) + resp = Request.blank('/v1/account', + headers={'X-Auth-Token': 't'}).get_response(local_auth) + self.assertEquals(resp.status_int, 401) + # one for checking auth, two for request passed along + self.assertEquals(local_app.calls, 2) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.denied_response) + + def test_auth_no_reseller_prefix_allow(self): + # Ensures that when we have no reseller prefix, we can still allow + # access if our auth server accepts requests + local_app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(local_app) + resp = Request.blank('/v1/act', + headers={'X-Auth-Token': 't'}).get_response(local_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(local_app.calls, 2) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.authorize) + + def test_auth_no_reseller_prefix_no_token(self): + # Check that normally we set up a call back to our authorize. + local_auth = \ + auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(FakeApp(iter([]))) + resp = Request.blank('/v1/account').get_response(local_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.authorize) + # Now make sure we don't override an existing swift.authorize when we + # have no reseller prefix. + local_auth = \ + auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(FakeApp()) + local_authorize = lambda req: Response('test') + resp = Request.blank('/v1/account', environ={'swift.authorize': + local_authorize}).get_response(local_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.environ['swift.authorize'], local_authorize) + + def test_auth_fail(self): + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_auth_success(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_auth_memcache(self): + # First run our test without memcache, showing we need to return the + # token contents twice. + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, ''), + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 4) + # Now run our test with memcache, showing we no longer need to return + # the token contents twice. + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, ''), + # Don't need a second token object returned if memcache is used + ('204 No Content', {}, '')])) + fake_memcache = FakeMemcache() + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}, + environ={'swift.cache': fake_memcache} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}, + environ={'swift.cache': fake_memcache} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_auth_just_expired(self): + self.test_auth.app = FakeApp(iter([ + # Request for token (which will have expired) + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() - 1})), + # Request to delete token + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_middleware_storage_token(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Storage-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_authorize_bad_path(self): + req = Request.blank('/badpath') + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 401) + req = Request.blank('/badpath') + req.remote_user = 'act:usr,act,AUTH_cfa' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_authorize_account_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act,AUTH_cfa' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_authorize_acl_group_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act:usr' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act2' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act:usr2' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_deny_cross_reseller(self): + # Tests that cross-reseller is denied, even if ACLs/group names match + req = Request.blank('/v1/OTHER_cfa') + req.remote_user = 'act:usr,act,AUTH_cfa' + req.acl = 'act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_authorize_acl_referrer_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = '.r:*' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = '.r:.example.com' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.referer = 'http://www.example.com/index.html' + req.acl = '.r:.example.com' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 401) + req = Request.blank('/v1/AUTH_cfa') + req.acl = '.r:*' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.acl = '.r:.example.com' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 401) + req = Request.blank('/v1/AUTH_cfa') + req.referer = 'http://www.example.com/index.html' + req.acl = '.r:.example.com' + self.assertEquals(self.test_auth.authorize(req), None) + + def test_account_put_permissions(self): + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,AUTH_other' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + # Even PUTs to your own account as account admin should fail + req = Request.blank('/v1/AUTH_old', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,AUTH_old' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp, None) + + # .super_admin is not something the middleware should ever see or care + # about + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,.super_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_account_delete_permissions(self): + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,AUTH_other' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + # Even DELETEs to your own account as account admin should fail + req = Request.blank('/v1/AUTH_old', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,AUTH_old' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp, None) + + # .super_admin is not something the middleware should ever see or care + # about + req = Request.blank('/v1/AUTH_new', + environ={'REQUEST_METHOD': 'DELETE'}) + req.remote_user = 'act:usr,act,.super_admin' + resp = self.test_auth.authorize(req) + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_get_token_fail(self): + resp = Request.blank('/auth/v1.0').get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_invalid_key(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'invalid'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_token_fail_invalid_x_auth_user_format(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_non_matching_account_in_request(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act2:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_bad_path(self): + resp = Request.blank('/auth/v1/act/auth/invalid', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_get_token_fail_missing_key(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act:usr'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_get_user_details(self): + self.test_auth.app = FakeApp(iter([ + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_token_fail_get_account(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_get_token_fail_put_new_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_get_token_fail_post_to_user(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 4) + + def test_get_token_fail_get_services(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_token_fail_get_existing_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of token + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_get_token_success_v1_0(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_token_success_v1_act_auth(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Storage-User': 'usr', + 'X-Storage-Pass': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_token_success_storage_instead_of_auth(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Storage-User': 'act:usr', + 'X-Storage-Pass': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_token_success_v1_act_auth_auth_instead_of_storage(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_token_success_existing_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of token + ('200 Ok', {}, json.dumps({"account": "act", "user": "usr", + "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"}, + {'name': "key"}, {'name': ".admin"}], + "expires": 9999999999.9999999})), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest') + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_get_token_success_existing_token_expired(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of token + ('200 Ok', {}, json.dumps({"account": "act", "user": "usr", + "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"}, + {'name': "key"}, {'name': ".admin"}], + "expires": 0.0})), + # DELETE of expired token + ('204 No Content', {}, ''), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertNotEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest') + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 7) + + def test_get_token_success_existing_token_expired_fail_deleting_old(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]})), + # GET of token + ('200 Ok', {}, json.dumps({"account": "act", "user": "usr", + "account_id": "AUTH_cfa", "groups": [{'name': "act:usr"}, + {'name': "key"}, {'name': ".admin"}], + "expires": 0.0})), + # DELETE of expired token + ('503 Service Unavailable', {}, ''), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertNotEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest') + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + self.assertEquals(self.test_auth.app.calls, 7) + + def test_prep_success(self): + list_to_iter = [ + # PUT of .auth account + ('201 Created', {}, ''), + # PUT of .account_id container + ('201 Created', {}, '')] + # PUT of .token* containers + for x in xrange(16): + list_to_iter.append(('201 Created', {}, '')) + self.test_auth.app = FakeApp(iter(list_to_iter)) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 18) + + def test_prep_bad_method(self): + resp = Request.blank('/auth/v2/.prep', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'HEAD'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_prep_bad_creds(self): + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': 'super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'upertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + + def test_prep_fail_account_create(self): + self.test_auth.app = FakeApp(iter([ + # PUT of .auth account + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_prep_fail_token_container_create(self): + self.test_auth.app = FakeApp(iter([ + # PUT of .auth account + ('201 Created', {}, ''), + # PUT of .token container + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_prep_fail_account_id_container_create(self): + self.test_auth.app = FakeApp(iter([ + # PUT of .auth account + ('201 Created', {}, ''), + # PUT of .token container + ('201 Created', {}, ''), + # PUT of .account_id container + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/.prep', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_get_reseller_success(self): + self.test_auth.app = FakeApp(iter([ + # GET of .auth account (list containers) + ('200 Ok', {}, json.dumps([ + {"name": ".token", "count": 0, "bytes": 0}, + {"name": ".account_id", "count": 0, "bytes": 0}, + {"name": "act", "count": 0, "bytes": 0}])), + # GET of .auth account (list containers continuation) + ('200 Ok', {}, '[]')])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {"accounts": [{"name": "act"}]}) + self.assertEquals(self.test_auth.app.calls, 2) + + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}, + {"name": ".reseller_admin"}], "auth": "plaintext:key"})), + # GET of .auth account (list containers) + ('200 Ok', {}, json.dumps([ + {"name": ".token", "count": 0, "bytes": 0}, + {"name": ".account_id", "count": 0, "bytes": 0}, + {"name": "act", "count": 0, "bytes": 0}])), + # GET of .auth account (list containers continuation) + ('200 Ok', {}, '[]')])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {"accounts": [{"name": "act"}]}) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_get_reseller_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_reseller_fail_listing(self): + self.test_auth.app = FakeApp(iter([ + # GET of .auth account (list containers) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of .auth account (list containers) + ('200 Ok', {}, json.dumps([ + {"name": ".token", "count": 0, "bytes": 0}, + {"name": ".account_id", "count": 0, "bytes": 0}, + {"name": "act", "count": 0, "bytes": 0}])), + # GET of .auth account (list containers continuation) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_get_account_success(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}, + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of account container (list objects continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {'account_id': 'AUTH_cfa', + 'services': {'storage': + {'default': 'local', + 'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'}}, + 'users': [{'name': 'tester'}, {'name': 'tester3'}]}) + self.assertEquals(self.test_auth.app.calls, 3) + + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"})), + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}, + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of account container (list objects continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {'account_id': 'AUTH_cfa', + 'services': {'storage': + {'default': 'local', + 'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'}}, + 'users': [{'name': 'tester'}, {'name': 'tester3'}]}) + self.assertEquals(self.test_auth.app.calls, 4) + + def test_get_account_fail_bad_account_name(self): + resp = Request.blank('/auth/v2/.token', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + resp = Request.blank('/auth/v2/.anything', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_get_account_fail_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but wrong account) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': 'act2:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_account_fail_get_services(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_account_fail_listing(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # GET of account container (list objects) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # GET of account container (list objects) + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 2) + + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}, + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of account container (list objects continuation) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_set_services_new_service(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # PUT of new .services object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'new_service': {'new_endpoint': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {'storage': {'default': 'local', + 'local': 'http://127.0.0.1:8080/v1/AUTH_cfa'}, + 'new_service': {'new_endpoint': 'new_value'}}) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_set_services_new_endpoint(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # PUT of new .services object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'storage': {'new_endpoint': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {'storage': {'default': 'local', + 'local': 'http://127.0.0.1:8080/v1/AUTH_cfa', + 'new_endpoint': 'new_value'}}) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_set_services_update_endpoint(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # PUT of new .services object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'storage': {'local': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(json.loads(resp.body), + {'storage': {'default': 'local', + 'local': 'new_value'}}) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_set_services_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'storage': {'local': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'}, + body=json.dumps({'storage': {'local': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}, + body=json.dumps({'storage': {'local': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_set_services_fail_bad_account_name(self): + resp = Request.blank('/auth/v2/.act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'storage': {'local': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_set_services_fail_bad_json(self): + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body='garbage' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body='' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_set_services_fail_get_services(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('503 Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'new_service': {'new_endpoint': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'new_service': {'new_endpoint': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_set_services_fail_put_services(self): + self.test_auth.app = FakeApp(iter([ + # GET of .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # PUT of new .services object + ('503 Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/.services', + environ={'REQUEST_METHOD': 'POST'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + body=json.dumps({'new_service': {'new_endpoint': 'new_value'}}) + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_put_account_success(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, ''), + # PUT of .account_id mapping object + ('204 No Content', {}, ''), + # PUT of .services object + ('204 No Content', {}, ''), + # POST to account container updating X-Container-Meta-Account-Id + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(self.test_auth.app.calls, 5) + self.assertEquals(conn.calls, 1) + + def test_put_account_success_preexist_but_not_completed(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + # We're going to show it as existing this time, but with no + # X-Container-Meta-Account-Id, indicating a failed previous attempt + ('200 Ok', {}, ''), + # PUT of .account_id mapping object + ('204 No Content', {}, ''), + # PUT of .services object + ('204 No Content', {}, ''), + # POST to account container updating X-Container-Meta-Account-Id + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(self.test_auth.app.calls, 4) + self.assertEquals(conn.calls, 1) + + def test_put_account_success_preexist_and_completed(self): + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + # We're going to show it as existing this time, and with an + # X-Container-Meta-Account-Id, indicating it already exists + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 202) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_account_success_with_given_suffix(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, ''), + # PUT of .account_id mapping object + ('204 No Content', {}, ''), + # PUT of .services object + ('204 No Content', {}, ''), + # POST to account container updating X-Container-Meta-Account-Id + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Account-Suffix': 'test-suffix'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(conn.request_path, '/v1/AUTH_test-suffix') + self.assertEquals(self.test_auth.app.calls, 5) + self.assertEquals(conn.calls, 1) + + def test_put_account_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_account_fail_invalid_account_name(self): + resp = Request.blank('/auth/v2/.act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_put_account_fail_on_initial_account_head(self): + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_account_fail_on_account_marker_put(self): + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_put_account_fail_on_storage_account_put(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('503 Service Unavailable', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(conn.calls, 1) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_put_account_fail_on_account_id_mapping(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, ''), + # PUT of .account_id mapping object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(conn.calls, 1) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_put_account_fail_on_services_object(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, ''), + # PUT of .account_id mapping object + ('204 No Content', {}, ''), + # PUT of .services object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(conn.calls, 1) + self.assertEquals(self.test_auth.app.calls, 4) + + def test_put_account_fail_on_post_mapping(self): + conn = FakeConn(iter([ + # PUT of storage account itself + ('201 Created', {}, '')])) + self.test_auth.get_conn = lambda: conn + self.test_auth.app = FakeApp(iter([ + # Initial HEAD of account container to check for pre-existence + ('404 Not Found', {}, ''), + # PUT of account container + ('204 No Content', {}, ''), + # PUT of .account_id mapping object + ('204 No Content', {}, ''), + # PUT of .services object + ('204 No Content', {}, ''), + # POST to account container updating X-Container-Meta-Account-Id + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'PUT', 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(conn.calls, 1) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_delete_account_success(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('204 No Content', {}, ''), + # DELETE the account container + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 6) + self.assertEquals(conn.calls, 1) + + def test_delete_account_success_missing_services(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('404 Not Found', {}, ''), + # DELETE the .account_id mapping object + ('204 No Content', {}, ''), + # DELETE the account container + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_delete_account_success_missing_storage_account(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('404 Not Found', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('204 No Content', {}, ''), + # DELETE the account container + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 6) + self.assertEquals(conn.calls, 1) + + def test_delete_account_success_missing_account_id_mapping(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('404 Not Found', {}, ''), + # DELETE the account container + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 6) + self.assertEquals(conn.calls, 1) + + def test_delete_account_success_missing_account_container_at_end(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('204 No Content', {}, ''), + # DELETE the account container + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 6) + self.assertEquals(conn.calls, 1) + + def test_delete_account_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_account_fail_invalid_account_name(self): + resp = Request.blank('/auth/v2/.act', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_delete_account_fail_not_found(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_account_fail_not_found_concurrency(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_delete_account_fail_list_account(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_account_fail_list_account_concurrency(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_delete_account_fail_has_users(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}]))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 409) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_account_fail_has_users2(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}]))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 409) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_delete_account_fail_get_services(self): + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_delete_account_fail_delete_storage_account(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('409 Conflict', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 409) + self.assertEquals(self.test_auth.app.calls, 3) + self.assertEquals(conn.calls, 1) + + def test_delete_account_fail_delete_storage_account2(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, ''), + # DELETE of storage account itself + ('409 Conflict', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa", + "other": "http://127.0.0.1:8080/v1/AUTH_cfa2"}}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + self.assertEquals(conn.calls, 2) + + def test_delete_account_fail_delete_storage_account3(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('503 Service Unavailable', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + self.assertEquals(conn.calls, 1) + + def test_delete_account_fail_delete_storage_account4(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, ''), + # DELETE of storage account itself + ('503 Service Unavailable', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa", + "other": "http://127.0.0.1:8080/v1/AUTH_cfa2"}}))])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + self.assertEquals(conn.calls, 2) + + def test_delete_account_fail_delete_services(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 4) + self.assertEquals(conn.calls, 1) + + def test_delete_account_fail_delete_account_id_mapping(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 5) + self.assertEquals(conn.calls, 1) + + def test_delete_account_fail_delete_account_container(self): + conn = FakeConn(iter([ + # DELETE of storage account itself + ('204 No Content', {}, '')])) + self.test_auth.get_conn = lambda x: conn + self.test_auth.app = FakeApp(iter([ + # Account's container listing, checking for users + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}])), + # Account's container listing, checking for users (continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]'), + # GET the .services object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}})), + # DELETE the .services object + ('204 No Content', {}, ''), + # DELETE the .account_id mapping object + ('204 No Content', {}, ''), + # DELETE the account container + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.cache': FakeMemcache()}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 6) + self.assertEquals(conn.calls, 1) + + def test_get_user_success(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.body, json.dumps( + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"})) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_user_groups_success(self): + self.test_auth.app = FakeApp(iter([ + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}, + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:tester"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"})), + # GET of user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:tester3"}, {"name": "act"}], + "auth": "plaintext:key3"})), + # GET of account container (list objects continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')])) + resp = Request.blank('/auth/v2/act/.groups', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.body, json.dumps( + {"groups": [{"name": ".admin"}, {"name": "act"}, + {"name": "act:tester"}, {"name": "act:tester3"}]})) + self.assertEquals(self.test_auth.app.calls, 4) + + def test_get_user_groups_success2(self): + self.test_auth.app = FakeApp(iter([ + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}])), + # GET of user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:tester"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"})), + # GET of account container (list objects continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:tester3"}, {"name": "act"}], + "auth": "plaintext:key3"})), + # GET of account container (list objects continuation) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, '[]')])) + resp = Request.blank('/auth/v2/act/.groups', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.body, json.dumps( + {"groups": [{"name": ".admin"}, {"name": "act"}, + {"name": "act:tester"}, {"name": "act:tester3"}]})) + self.assertEquals(self.test_auth.app.calls, 5) + + def test_get_user_fail_invalid_account(self): + resp = Request.blank('/auth/v2/.invalid/usr', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_get_user_fail_invalid_user(self): + resp = Request.blank('/auth/v2/act/.invalid', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_get_user_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': 'super:admin', + 'X-Auth-Admin-Key': 'supertest'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}, + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_user_account_admin_success(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"})), + # GET of requested user object + ('200 Ok', {}, json.dumps( + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.body, json.dumps( + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"})) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_get_user_groups_not_found(self): + self.test_auth.app = FakeApp(iter([ + # GET of account container (list objects) + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/.groups', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_user_groups_fail_listing(self): + self.test_auth.app = FakeApp(iter([ + # GET of account container (list objects) + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/.groups', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_user_groups_fail_get_user(self): + self.test_auth.app = FakeApp(iter([ + # GET of account container (list objects) + ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, + json.dumps([ + {"name": ".services", "hash": "etag", "bytes": 112, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.618110"}, + {"name": "tester", "hash": "etag", "bytes": 104, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:27.736680"}, + {"name": "tester3", "hash": "etag", "bytes": 86, + "content_type": "application/octet-stream", + "last_modified": "2010-12-03T17:16:28.135530"}])), + # GET of user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/.groups', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_get_user_not_found(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_user_fail(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_user_fail_invalid_account(self): + resp = Request.blank('/auth/v2/.invalid/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_put_user_fail_invalid_user(self): + resp = Request.blank('/auth/v2/act/.usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_put_user_fail_no_user_key(self): + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_put_user_reseller_admin_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object (reseller admin) + # This shouldn't actually get called, checked below + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:rdm"}, + {"name": "test"}, {"name": ".admin"}, + {"name": ".reseller_admin"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act:rdm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Reseller-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 0) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but not reseller admin) + # This shouldn't actually get called, checked below + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Reseller-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 0) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + # This shouldn't actually get called, checked below + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Reseller-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 0) + + def test_put_user_account_admin_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but wrong account) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act2:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_user_regular_fail_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but wrong account) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act2:adm', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_user_regular_success(self): + self.test_auth.app = FakeApp(iter([ + # PUT of user object + ('201 Created', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(json.loads(self.test_auth.app.request.body), + {"groups": [{"name": "act:usr"}, {"name": "act"}], + "auth": "plaintext:key"}) + + def test_put_user_account_admin_success(self): + self.test_auth.app = FakeApp(iter([ + # PUT of user object + ('201 Created', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(json.loads(self.test_auth.app.request.body), + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}], + "auth": "plaintext:key"}) + + def test_put_user_reseller_admin_success(self): + self.test_auth.app = FakeApp(iter([ + # PUT of user object + ('201 Created', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key', + 'X-Auth-User-Reseller-Admin': 'true'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 201) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(json.loads(self.test_auth.app.request.body), + {"groups": [{"name": "act:usr"}, {"name": "act"}, + {"name": ".admin"}, {"name": ".reseller_admin"}], + "auth": "plaintext:key"}) + + def test_put_user_fail_not_found(self): + self.test_auth.app = FakeApp(iter([ + # PUT of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_put_user_fail(self): + self.test_auth.app = FakeApp(iter([ + # PUT of user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'PUT'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest', + 'X-Auth-User-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_user_bad_creds(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object (account admin, but wrong account) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, + {"name": "test"}, {"name": ".admin"}], + "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': 'act2:adm', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + self.test_auth.app = FakeApp(iter([ + # GET of user object (regular user) + ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, + {"name": "test"}], "auth": "plaintext:key"}))])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 403) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_user_invalid_account(self): + resp = Request.blank('/auth/v2/.invalid/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_delete_user_invalid_user(self): + resp = Request.blank('/auth/v2/act/.invalid', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_delete_user_not_found(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_user_fail_head_user(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_delete_user_fail_delete_token(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tk'}, ''), + # DELETE of token + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_delete_user_fail_delete_user(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tk'}, ''), + # DELETE of token + ('204 No Content', {}, ''), + # DELETE of user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_delete_user_success(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tk'}, ''), + # DELETE of token + ('204 No Content', {}, ''), + # DELETE of user object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_delete_user_success_missing_user_at_end(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tk'}, ''), + # DELETE of token + ('204 No Content', {}, ''), + # DELETE of user object + ('404 Not Found', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_delete_user_success_missing_token(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tk'}, ''), + # DELETE of token + ('404 Not Found', {}, ''), + # DELETE of user object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 3) + + def test_delete_user_success_no_token(self): + self.test_auth.app = FakeApp(iter([ + # HEAD of user object + ('200 Ok', {}, ''), + # DELETE of user object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/act/usr', + environ={'REQUEST_METHOD': 'DELETE'}, + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_validate_token_bad_prefix(self): + resp = Request.blank('/auth/v2/.token/BAD_token' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_validate_token_tmi(self): + resp = Request.blank('/auth/v2/.token/AUTH_token/tmi' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_validate_token_bad_memcache(self): + fake_memcache = FakeMemcache() + fake_memcache.set('AUTH_/auth/AUTH_token', 'bogus') + resp = Request.blank('/auth/v2/.token/AUTH_token', + environ={'swift.cache': + fake_memcache}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_validate_token_from_memcache(self): + fake_memcache = FakeMemcache() + fake_memcache.set('AUTH_/auth/AUTH_token', (time() + 1, 'act:usr,act')) + resp = Request.blank('/auth/v2/.token/AUTH_token', + environ={'swift.cache': + fake_memcache}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(resp.headers.get('x-auth-groups'), 'act:usr,act') + self.assert_(float(resp.headers['x-auth-ttl']) < 1, + resp.headers['x-auth-ttl']) + + def test_validate_token_from_memcache_expired(self): + fake_memcache = FakeMemcache() + fake_memcache.set('AUTH_/auth/AUTH_token', (time() - 1, 'act:usr,act')) + resp = Request.blank('/auth/v2/.token/AUTH_token', + environ={'swift.cache': + fake_memcache}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assert_('x-auth-groups' not in resp.headers) + self.assert_('x-auth-ttl' not in resp.headers) + + def test_validate_token_from_object(self): + self.test_auth.app = FakeApp(iter([ + # GET of token object + ('200 Ok', {}, json.dumps({'groups': [{'name': 'act:usr'}, + {'name': 'act'}], 'expires': time() + 1}))])) + resp = Request.blank('/auth/v2/.token/AUTH_token' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(resp.headers.get('x-auth-groups'), 'act:usr,act') + self.assert_(float(resp.headers['x-auth-ttl']) < 1, + resp.headers['x-auth-ttl']) + + def test_validate_token_from_object_expired(self): + self.test_auth.app = FakeApp(iter([ + # GET of token object + ('200 Ok', {}, json.dumps({'groups': 'act:usr,act', + 'expires': time() - 1})), + # DELETE of expired token object + ('204 No Content', {}, '')])) + resp = Request.blank('/auth/v2/.token/AUTH_token' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 404) + self.assertEquals(self.test_auth.app.calls, 2) + + def test_validate_token_from_object_with_admin(self): + self.test_auth.app = FakeApp(iter([ + # GET of token object + ('200 Ok', {}, json.dumps({'account_id': 'AUTH_cfa', 'groups': + [{'name': 'act:usr'}, {'name': 'act'}, {'name': '.admin'}], + 'expires': time() + 1}))])) + resp = Request.blank('/auth/v2/.token/AUTH_token' + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(resp.headers.get('x-auth-groups'), + 'act:usr,act,AUTH_cfa') + self.assert_(float(resp.headers['x-auth-ttl']) < 1, + resp.headers['x-auth-ttl']) + + def test_get_conn_default(self): + conn = self.test_auth.get_conn() + self.assertEquals(conn.__class__, auth.HTTPConnection) + self.assertEquals(conn.host, '127.0.0.1') + self.assertEquals(conn.port, 8080) + + def test_get_conn_default_https(self): + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:https://1.2.3.4/v1'})(FakeApp()) + conn = local_auth.get_conn() + self.assertEquals(conn.__class__, auth.HTTPSConnection) + self.assertEquals(conn.host, '1.2.3.4') + self.assertEquals(conn.port, 443) + + def test_get_conn_overridden(self): + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:https://1.2.3.4/v1'})(FakeApp()) + conn = \ + local_auth.get_conn(urlparsed=auth.urlparse('http://5.6.7.8/v1')) + self.assertEquals(conn.__class__, auth.HTTPConnection) + self.assertEquals(conn.host, '5.6.7.8') + self.assertEquals(conn.port, 80) + + def test_get_conn_overridden_https(self): + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:http://1.2.3.4/v1'})(FakeApp()) + conn = \ + local_auth.get_conn(urlparsed=auth.urlparse('https://5.6.7.8/v1')) + self.assertEquals(conn.__class__, auth.HTTPSConnection) + self.assertEquals(conn.host, '5.6.7.8') + self.assertEquals(conn.port, 443) + + def test_get_itoken_fail_no_memcache(self): + exc = None + try: + self.test_auth.get_itoken({}) + except Exception, err: + exc = err + self.assertEquals(str(exc), + 'No memcache set up; required for Swauth middleware') + + def test_get_itoken_success(self): + fmc = FakeMemcache() + itk = self.test_auth.get_itoken({'swift.cache': fmc}) + self.assert_(itk.startswith('AUTH_itk'), itk) + expires, groups = fmc.get('AUTH_/auth/%s' % itk) + self.assert_(expires > time(), expires) + self.assertEquals(groups, '.auth,.reseller_admin,AUTH_.auth') + + def test_get_admin_detail_fail_no_colon(self): + self.test_auth.app = FakeApp(iter([])) + self.assertEquals(self.test_auth.get_admin_detail(Request.blank('/')), + None) + self.assertEquals(self.test_auth.get_admin_detail(Request.blank('/', + headers={'X-Auth-Admin-User': 'usr'})), None) + self.assertRaises(StopIteration, self.test_auth.get_admin_detail, + Request.blank('/', headers={'X-Auth-Admin-User': 'act:usr'})) + + def test_get_admin_detail_fail_user_not_found(self): + self.test_auth.app = FakeApp(iter([('404 Not Found', {}, '')])) + self.assertEquals(self.test_auth.get_admin_detail(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:usr'})), None) + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_admin_detail_fail_get_user_error(self): + self.test_auth.app = FakeApp(iter([ + ('503 Service Unavailable', {}, '')])) + exc = None + try: + self.test_auth.get_admin_detail(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:usr'})) + except Exception, err: + exc = err + self.assertEquals(str(exc), 'Could not get admin user object: ' + '/v1/AUTH_.auth/act/usr 503 Service Unavailable') + self.assertEquals(self.test_auth.app.calls, 1) + + def test_get_admin_detail_success(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": [{'name': "act:usr"}, {'name': "act"}, + {'name': ".admin"}]}))])) + detail = self.test_auth.get_admin_detail(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:usr'})) + self.assertEquals(self.test_auth.app.calls, 1) + self.assertEquals(detail, {'account': 'act', + 'auth': 'plaintext:key', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}, + {'name': '.admin'}]}) + + def test_credentials_match_success(self): + self.assert_(self.test_auth.credentials_match( + {'auth': 'plaintext:key'}, 'key')) + + def test_credentials_match_fail_no_details(self): + self.assert_(not self.test_auth.credentials_match(None, 'notkey')) + + def test_credentials_match_fail_plaintext(self): + self.assert_(not self.test_auth.credentials_match( + {'auth': 'plaintext:key'}, 'notkey')) + + def test_is_super_admin_success(self): + self.assert_(self.test_auth.is_super_admin(Request.blank('/', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}))) + + def test_is_super_admin_fail_bad_key(self): + self.assert_(not self.test_auth.is_super_admin(Request.blank('/', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'bad'}))) + self.assert_(not self.test_auth.is_super_admin(Request.blank('/', + headers={'X-Auth-Admin-User': '.super_admin'}))) + self.assert_(not self.test_auth.is_super_admin(Request.blank('/'))) + + def test_is_super_admin_fail_bad_user(self): + self.assert_(not self.test_auth.is_super_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'bad', + 'X-Auth-Admin-Key': 'supertest'}))) + self.assert_(not self.test_auth.is_super_admin(Request.blank('/', + headers={'X-Auth-Admin-Key': 'supertest'}))) + self.assert_(not self.test_auth.is_super_admin(Request.blank('/'))) + + def test_is_reseller_admin_success_is_super_admin(self): + self.assert_(self.test_auth.is_reseller_admin(Request.blank('/', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}))) + + def test_is_reseller_admin_success_called_get_admin_detail(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:rdm'}, {'name': 'act'}, + {'name': '.admin'}, + {'name': '.reseller_admin'}]}))])) + self.assert_(self.test_auth.is_reseller_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:rdm', + 'X-Auth-Admin-Key': 'key'}))) + + def test_is_reseller_admin_fail_only_account_admin(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:adm'}, {'name': 'act'}, + {'name': '.admin'}]}))])) + self.assert_(not self.test_auth.is_reseller_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'}))) + + def test_is_reseller_admin_fail_regular_user(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}]}))])) + self.assert_(not self.test_auth.is_reseller_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}))) + + def test_is_reseller_admin_fail_bad_key(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:rdm'}, {'name': 'act'}, + {'name': '.admin'}, + {'name': '.reseller_admin'}]}))])) + self.assert_(not self.test_auth.is_reseller_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:rdm', + 'X-Auth-Admin-Key': 'bad'}))) + + def test_is_account_admin_success_is_super_admin(self): + self.assert_(self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': 'supertest'}), 'act')) + + def test_is_account_admin_success_is_reseller_admin(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:rdm'}, {'name': 'act'}, + {'name': '.admin'}, + {'name': '.reseller_admin'}]}))])) + self.assert_(self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:rdm', + 'X-Auth-Admin-Key': 'key'}), 'act')) + + def test_is_account_admin_success(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:adm'}, {'name': 'act'}, + {'name': '.admin'}]}))])) + self.assert_(self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:adm', + 'X-Auth-Admin-Key': 'key'}), 'act')) + + def test_is_account_admin_fail_account_admin_different_account(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act2:adm'}, {'name': 'act2'}, + {'name': '.admin'}]}))])) + self.assert_(not self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act2:adm', + 'X-Auth-Admin-Key': 'key'}), 'act')) + + def test_is_account_admin_fail_regular_user(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:usr'}, {'name': 'act'}]}))])) + self.assert_(not self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:usr', + 'X-Auth-Admin-Key': 'key'}), 'act')) + + def test_is_account_admin_fail_bad_key(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'auth': 'plaintext:key', + 'groups': [{'name': 'act:rdm'}, {'name': 'act'}, + {'name': '.admin'}, + {'name': '.reseller_admin'}]}))])) + self.assert_(not self.test_auth.is_account_admin(Request.blank('/', + headers={'X-Auth-Admin-User': 'act:rdm', + 'X-Auth-Admin-Key': 'bad'}), 'act')) + + def test_reseller_admin_but_account_is_internal_use_only(self): + req = Request.blank('/v1/AUTH_.auth', + environ={'REQUEST_METHOD': 'GET'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + def test_reseller_admin_but_account_is_exactly_reseller_prefix(self): + req = Request.blank('/v1/AUTH_', environ={'REQUEST_METHOD': 'GET'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp.status_int, 403) + + +if __name__ == '__main__': + unittest.main() diff --git a/test/unit/common/ring/test_builder.py b/test/unit/common/ring/test_builder.py index 2928558c8b..77be1df634 100644 --- a/test/unit/common/ring/test_builder.py +++ b/test/unit/common/ring/test_builder.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -125,6 +125,41 @@ class TestRingBuilder(unittest.TestCase): counts[dev_id] = counts.get(dev_id, 0) + 1 self.assertEquals(counts, {0: 256, 2: 256, 3: 256}) + def test_shuffled_gather(self): + if self._shuffled_gather_helper() and \ + self._shuffled_gather_helper(): + raise AssertionError('It is highly likely the ring is no ' + 'longer shuffling the set of partitions to reassign on a ' + 'rebalance.') + + def _shuffled_gather_helper(self): + rb = ring.RingBuilder(8, 3, 1) + rb.add_dev({'id': 0, 'zone': 0, 'weight': 1, 'ip': '127.0.0.1', + 'port': 10000, 'device': 'sda1'}) + rb.add_dev({'id': 1, 'zone': 1, 'weight': 1, 'ip': '127.0.0.1', + 'port': 10001, 'device': 'sda1'}) + rb.add_dev({'id': 2, 'zone': 2, 'weight': 1, 'ip': '127.0.0.1', + 'port': 10002, 'device': 'sda1'}) + rb.rebalance() + rb.add_dev({'id': 3, 'zone': 3, 'weight': 1, 'ip': '127.0.0.1', + 'port': 10003, 'device': 'sda1'}) + rb.pretend_min_part_hours_passed() + parts = rb._gather_reassign_parts() + max_run = 0 + run = 0 + last_part = 0 + for part in parts: + if part > last_part: + run += 1 + else: + if run > max_run: + max_run = run + run = 0 + last_part = part + if run > max_run: + max_run = run + return max_run > len(parts) / 2 + def test_rerebalance(self): rb = ring.RingBuilder(8, 3, 1) rb.add_dev({'id': 0, 'zone': 0, 'weight': 1, 'ip': '127.0.0.1', diff --git a/test/unit/common/ring/test_ring.py b/test/unit/common/ring/test_ring.py index 5c668c8c57..ad72a4c990 100644 --- a/test/unit/common/ring/test_ring.py +++ b/test/unit/common/ring/test_ring.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_bench.py b/test/unit/common/test_bench.py index 7b75aba79e..6cec05f3d3 100644 --- a/test/unit/common/test_bench.py +++ b/test/unit/common/test_bench.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_bufferedhttp.py b/test/unit/common/test_bufferedhttp.py index d453442f04..fbaa83f403 100644 --- a/test/unit/common/test_bufferedhttp.py +++ b/test/unit/common/test_bufferedhttp.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_client.py b/test/unit/common/test_client.py index 23d5c6d848..739cba75e3 100644 --- a/test/unit/common/test_client.py +++ b/test/unit/common/test_client.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_compressing_file_reader.py b/test/unit/common/test_compressing_file_reader.py index 5394a97a72..65c29554d7 100644 --- a/test/unit/common/test_compressing_file_reader.py +++ b/test/unit/common/test_compressing_file_reader.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_constraints.py b/test/unit/common/test_constraints.py index bcc590f1ee..b87d310ecb 100644 --- a/test/unit/common/test_constraints.py +++ b/test/unit/common/test_constraints.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_daemon.py b/test/unit/common/test_daemon.py index aa85987d25..015928f670 100644 --- a/test/unit/common/test_daemon.py +++ b/test/unit/common/test_daemon.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_db.py b/test/unit/common/test_db.py index ca1cb670f3..49bc8a9229 100644 --- a/test/unit/common/test_db.py +++ b/test/unit/common/test_db.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_db_replicator.py b/test/unit/common/test_db_replicator.py index 1ffe1e923b..9e77f2c92f 100644 --- a/test/unit/common/test_db_replicator.py +++ b/test/unit/common/test_db_replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_direct_client.py b/test/unit/common/test_direct_client.py index 35ed07ffd7..133e779ee5 100644 --- a/test/unit/common/test_direct_client.py +++ b/test/unit/common/test_direct_client.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_exceptions.py b/test/unit/common/test_exceptions.py index 35a5801e77..6e7691137a 100644 --- a/test/unit/common/test_exceptions.py +++ b/test/unit/common/test_exceptions.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_internal_proxy.py b/test/unit/common/test_internal_proxy.py index 248bf1cf23..719970118f 100644 --- a/test/unit/common/test_internal_proxy.py +++ b/test/unit/common/test_internal_proxy.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_memcached.py b/test/unit/common/test_memcached.py index d17f0089a3..43f11650cf 100644 --- a/test/unit/common/test_memcached.py +++ b/test/unit/common/test_memcached.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/common/test_utils.py b/test/unit/common/test_utils.py index b888686660..1f5a94edd5 100644 --- a/test/unit/common/test_utils.py +++ b/test/unit/common/test_utils.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,6 +21,7 @@ import mimetools import os import socket import sys +import time import unittest from getpass import getuser from shutil import rmtree @@ -34,6 +35,7 @@ from swift.common import utils class MockOs(): + def __init__(self, pass_funcs=[], called_funcs=[], raise_funcs=[]): self.closed_fds = [] for func in pass_funcs: @@ -183,12 +185,12 @@ class TestUtils(unittest.TestCase): print 'test2' self.assertEquals(sio.getvalue(), 'STDOUT: test2\n') sys.stderr = lfo - print >>sys.stderr, 'test4' + print >> sys.stderr, 'test4' self.assertEquals(sio.getvalue(), 'STDOUT: test2\nSTDOUT: test4\n') sys.stdout = orig_stdout print 'test5' self.assertEquals(sio.getvalue(), 'STDOUT: test2\nSTDOUT: test4\n') - print >>sys.stderr, 'test6' + print >> sys.stderr, 'test6' self.assertEquals(sio.getvalue(), 'STDOUT: test2\nSTDOUT: test4\n' 'STDOUT: test6\n') sys.stderr = orig_stderr @@ -316,7 +318,7 @@ Error: unable to locate %s def test_hash_path(self): # Yes, these tests are deliberately very fragile. We want to make sure - # that if someones changes the results hash_path produces, they know it. + # that if someones changes the results hash_path produces, they know it self.assertEquals(utils.hash_path('a'), '1c84525acb02107ea475dcd3d09c2c58') self.assertEquals(utils.hash_path('a', 'c'), @@ -355,10 +357,12 @@ log_name = yarr''' result = utils.readconf('/tmp/test', 'section2').get('log_name') expected = 'yarr' self.assertEquals(result, expected) - result = utils.readconf('/tmp/test', 'section1', log_name='foo').get('log_name') + result = utils.readconf('/tmp/test', 'section1', + log_name='foo').get('log_name') expected = 'foo' self.assertEquals(result, expected) - result = utils.readconf('/tmp/test', 'section1', defaults={'bar': 'baz'}) + result = utils.readconf('/tmp/test', 'section1', + defaults={'bar': 'baz'}) expected = {'log_name': 'section1', 'foo': 'bar', 'bar': 'baz'} self.assertEquals(result, expected) os.unlink('/tmp/test') @@ -438,5 +442,41 @@ log_name = yarr''' self.assertNotEquals(utils.get_logger.console, old_handler) logger.logger.removeHandler(utils.get_logger.console) + def test_ratelimit_sleep(self): + running_time = 0 + start = time.time() + for i in range(100): + running_time = utils.ratelimit_sleep(running_time, 0) + self.assertTrue(abs((time.time() - start) * 100) < 1) + + running_time = 0 + start = time.time() + for i in range(50): + running_time = utils.ratelimit_sleep(running_time, 200) + # make sure its accurate to 10th of a second + self.assertTrue(abs(25 - (time.time() - start) * 100) < 10) + + def test_ratelimit_sleep_with_sleep(self): + running_time = 0 + start = time.time() + for i in range(25): + running_time = utils.ratelimit_sleep(running_time, 50) + time.sleep(1.0 / 75) + # make sure its accurate to 10th of a second + self.assertTrue(abs(50 - (time.time() - start) * 100) < 10) + + def test_ratelimit_sleep_with_incr(self): + running_time = 0 + start = time.time() + vals = [5, 17, 0, 3, 11, 30, + 40, 4, 13, 2, -1] * 2 # adds up to 250 (with no -1) + total = 0 + for i in vals: + running_time = utils.ratelimit_sleep(running_time, + 500, incr_by=i) + total += i + self.assertTrue(abs(50 - (time.time() - start) * 100) < 10) + + if __name__ == '__main__': unittest.main() diff --git a/test/unit/container/test_auditor.py b/test/unit/container/test_auditor.py index 1093cc809d..220c80f14c 100644 --- a/test/unit/container/test_auditor.py +++ b/test/unit/container/test_auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/container/test_replicator.py b/test/unit/container/test_replicator.py index 8f7a032893..05ecd2938b 100644 --- a/test/unit/container/test_replicator.py +++ b/test/unit/container/test_replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/container/test_server.py b/test/unit/container/test_server.py index fdad12c0f8..2f9d5badea 100644 --- a/test/unit/container/test_server.py +++ b/test/unit/container/test_server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/container/test_updater.py b/test/unit/container/test_updater.py index a4c638c2ec..092944c4be 100644 --- a/test/unit/container/test_updater.py +++ b/test/unit/container/test_updater.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/obj/test_auditor.py b/test/unit/obj/test_auditor.py index cf8a2bc37c..9ee42cb3ec 100644 --- a/test/unit/obj/test_auditor.py +++ b/test/unit/obj/test_auditor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,14 +14,234 @@ # limitations under the License. # TODO: Tests - import unittest +import tempfile +import os +import time +from shutil import rmtree +from hashlib import md5 from swift.obj import auditor +from swift.obj.server import DiskFile, write_metadata +from swift.common.utils import hash_path, mkdirs, normalize_timestamp, renamer +from swift.obj.replicator import invalidate_hash +from swift.common.exceptions import AuditException + class TestAuditor(unittest.TestCase): - def test_placeholder(self): - pass + def setUp(self): + self.path_to_test_xfs = os.environ.get('PATH_TO_TEST_XFS') + if not self.path_to_test_xfs or \ + not os.path.exists(self.path_to_test_xfs): + print >> sys.stderr, 'WARNING: PATH_TO_TEST_XFS not set or not ' \ + 'pointing to a valid directory.\n' \ + 'Please set PATH_TO_TEST_XFS to a directory on an XFS file ' \ + 'system for testing.' + self.testdir = '/tmp/SWIFTUNITTEST' + else: + self.testdir = os.path.join(self.path_to_test_xfs, + 'tmp_test_object_auditor') + + self.devices = os.path.join(self.testdir, 'node') + rmtree(self.testdir, ignore_errors=1) + os.mkdir(self.testdir) + os.mkdir(self.devices) + os.mkdir(os.path.join(self.devices, 'sda')) + self.objects = os.path.join(self.devices, 'sda', 'objects') + + os.mkdir(os.path.join(self.devices, 'sdb')) + self.objects_2 = os.path.join(self.devices, 'sdb', 'objects') + + os.mkdir(self.objects) + self.parts = {} + for part in ['0', '1', '2', '3']: + self.parts[part] = os.path.join(self.objects, part) + os.mkdir(os.path.join(self.objects, part)) + + self.conf = dict( + devices=self.devices, + mount_check='false') + + def tearDown(self): + rmtree(self.testdir, ignore_errors=1) + + def test_object_audit_extra_data(self): + self.auditor = auditor.ObjectAuditor(self.conf) + cur_part = '0' + disk_file = DiskFile(self.devices, 'sda', cur_part, 'a', 'c', 'o') + data = '0' * 1024 + etag = md5() + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + timestamp = str(normalize_timestamp(time.time())) + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + pre_quarantines = self.auditor.quarantines + + self.auditor.object_audit( + os.path.join(disk_file.datadir, timestamp + '.data'), + 'sda', cur_part) + self.assertEquals(self.auditor.quarantines, pre_quarantines) + + os.write(fd, 'extra_data') + self.auditor.object_audit( + os.path.join(disk_file.datadir, timestamp + '.data'), + 'sda', cur_part) + self.assertEquals(self.auditor.quarantines, pre_quarantines + 1) + + def test_object_audit_diff_data(self): + self.auditor = auditor.ObjectAuditor(self.conf) + cur_part = '0' + disk_file = DiskFile(self.devices, 'sda', cur_part, 'a', 'c', 'o') + data = '0' * 1024 + etag = md5() + timestamp = str(normalize_timestamp(time.time())) + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + pre_quarantines = self.auditor.quarantines + + self.auditor.object_audit( + os.path.join(disk_file.datadir, timestamp + '.data'), + 'sda', cur_part) + self.assertEquals(self.auditor.quarantines, pre_quarantines) + etag = md5() + etag.update('1' + '0' * 1023) + etag = etag.hexdigest() + metadata['ETag'] = etag + write_metadata(fd, metadata) + + self.auditor.object_audit( + os.path.join(disk_file.datadir, timestamp + '.data'), + 'sda', cur_part) + self.assertEquals(self.auditor.quarantines, pre_quarantines + 1) + + def test_object_audit_no_meta(self): + self.auditor = auditor.ObjectAuditor(self.conf) + cur_part = '0' + disk_file = DiskFile(self.devices, 'sda', cur_part, 'a', 'c', 'o') + data = '0' * 1024 + etag = md5() + pre_quarantines = self.auditor.quarantines + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + timestamp = str(normalize_timestamp(time.time())) + os.fsync(fd) + invalidate_hash(os.path.dirname(disk_file.datadir)) + renamer(tmppath, os.path.join(disk_file.datadir, + timestamp + '.data')) + self.auditor.object_audit( + os.path.join(disk_file.datadir, timestamp + '.data'), + 'sda', cur_part) + self.assertEquals(self.auditor.quarantines, pre_quarantines + 1) + + def test_object_audit_bad_args(self): + self.auditor = auditor.ObjectAuditor(self.conf) + pre_errors = self.auditor.errors + self.auditor.object_audit(5, 'sda', '0') + self.assertEquals(self.auditor.errors, pre_errors + 1) + pre_errors = self.auditor.errors + self.auditor.object_audit('badpath', 'sda', '0') + self.assertEquals(self.auditor.errors, pre_errors) # just returns + + def test_object_run_once_pass(self): + self.auditor = auditor.ObjectAuditor(self.conf) + self.auditor.log_time = 0 + cur_part = '0' + timestamp = str(normalize_timestamp(time.time())) + pre_quarantines = self.auditor.quarantines + disk_file = DiskFile(self.devices, 'sda', cur_part, 'a', 'c', 'o') + data = '0' * 1024 + etag = md5() + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + disk_file.close() + self.auditor.run_once() + self.assertEquals(self.auditor.quarantines, pre_quarantines) + + def test_object_run_once_no_sda(self): + self.auditor = auditor.ObjectAuditor(self.conf) + cur_part = '0' + timestamp = str(normalize_timestamp(time.time())) + pre_quarantines = self.auditor.quarantines + disk_file = DiskFile(self.devices, 'sdb', cur_part, 'a', 'c', 'o') + data = '0' * 1024 + etag = md5() + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + disk_file.close() + os.write(fd, 'extra_data') + self.auditor.run_once() + self.assertEquals(self.auditor.quarantines, pre_quarantines + 1) + + def test_object_run_once_multi_devices(self): + self.auditor = auditor.ObjectAuditor(self.conf) + cur_part = '0' + timestamp = str(normalize_timestamp(time.time())) + pre_quarantines = self.auditor.quarantines + disk_file = DiskFile(self.devices, 'sda', cur_part, 'a', 'c', 'o') + data = '0' * 10 + etag = md5() + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + disk_file.close() + self.auditor.run_once() + disk_file = DiskFile(self.devices, 'sdb', cur_part, 'a', 'c', 'ob') + data = '1' * 10 + etag = md5() + with disk_file.mkstemp() as (fd, tmppath): + os.write(fd, data) + etag.update(data) + etag = etag.hexdigest() + metadata = { + 'ETag': etag, + 'X-Timestamp': timestamp, + 'Content-Length': str(os.fstat(fd).st_size), + } + disk_file.put(fd, tmppath, metadata) + disk_file.close() + os.write(fd, 'extra_data') + self.auditor.run_once() + self.assertEquals(self.auditor.quarantines, pre_quarantines + 1) if __name__ == '__main__': diff --git a/test/unit/obj/test_replicator.py b/test/unit/obj/test_replicator.py index 657570409d..36476ba213 100644 --- a/test/unit/obj/test_replicator.py +++ b/test/unit/obj/test_replicator.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/obj/test_server.py b/test/unit/obj/test_server.py index 90eed52977..64c58ff7ca 100644 --- a/test/unit/obj/test_server.py +++ b/test/unit/obj/test_server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/obj/test_updater.py b/test/unit/obj/test_updater.py index 9887c6fcaf..52e327d1b8 100644 --- a/test/unit/obj/test_updater.py +++ b/test/unit/obj/test_updater.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py index 4577cd4dac..4562652b87 100644 --- a/test/unit/proxy/test_server.py +++ b/test/unit/proxy/test_server.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -1264,6 +1264,7 @@ class TestObjectController(unittest.TestCase): with save_globals(): controller = proxy_server.ObjectController(self.app, 'account', 'container', 'object') + # initial source object PUT req = Request.blank('/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '0'}) self.app.update_request(req) @@ -1273,6 +1274,7 @@ class TestObjectController(unittest.TestCase): resp = controller.PUT(req) self.assertEquals(resp.status_int, 201) + # basic copy req = Request.blank('/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '0', 'X-Copy-From': 'c/o'}) @@ -1285,6 +1287,7 @@ class TestObjectController(unittest.TestCase): self.assertEquals(resp.status_int, 201) self.assertEquals(resp.headers['x-copied-from'], 'c/o') + # non-zero content length req = Request.blank('/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '5', 'X-Copy-From': 'c/o'}) @@ -1296,6 +1299,7 @@ class TestObjectController(unittest.TestCase): resp = controller.PUT(req) self.assertEquals(resp.status_int, 400) + # extra source path parsing req = Request.blank('/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '0', 'X-Copy-From': 'c/o/o2'}) @@ -1308,6 +1312,7 @@ class TestObjectController(unittest.TestCase): self.assertEquals(resp.status_int, 201) self.assertEquals(resp.headers['x-copied-from'], 'c/o/o2') + # space in soure path req = Request.blank('/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '0', 'X-Copy-From': 'c/o%20o2'}) @@ -1995,6 +2000,125 @@ class TestObjectController(unittest.TestCase): # will be sent in a single chunk. self.assertEquals(body, '19\r\n1234 1234 1234 1234 1234 \r\n0\r\n\r\n') + # Make a copy of the manifested object, which should + # error since the number of segments exceeds + # CONTAINER_LISTING_LIMIT. + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/segmented/copy HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\nX-Copy-From: segmented/name\r\nContent-Length: ' + '0\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 413' + self.assertEquals(headers[:len(exp)], exp) + body = fd.read() + # After adjusting the CONTAINER_LISTING_LIMIT, make a copy of + # the manifested object which should consolidate the segments. + proxy_server.CONTAINER_LISTING_LIMIT = 10000 + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/segmented/copy HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\nX-Copy-From: segmented/name\r\nContent-Length: ' + '0\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 201' + self.assertEquals(headers[:len(exp)], exp) + body = fd.read() + # Retrieve and validate the copy. + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('GET /v1/a/segmented/copy HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 200' + self.assertEquals(headers[:len(exp)], exp) + self.assert_('x-object-manifest:' not in headers.lower()) + self.assert_('Content-Length: 25\r' in headers) + body = fd.read() + self.assertEquals(body, '1234 1234 1234 1234 1234 ') + # Check copy content type + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/c/obj HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Storage-Token: ' + 't\r\nContent-Length: 0\r\nContent-Type: text/jibberish' + '\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 201' + self.assertEquals(headers[:len(exp)], exp) + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/c/obj2 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Storage-Token: ' + 't\r\nContent-Length: 0\r\nX-Copy-From: c/obj\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 201' + self.assertEquals(headers[:len(exp)], exp) + # Ensure getting the copied file gets original content-type + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('GET /v1/a/c/obj2 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 200' + self.assertEquals(headers[:len(exp)], exp) + self.assert_('Content-Type: text/jibberish' in headers) + # Check set content type + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/c/obj3 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Storage-Token: ' + 't\r\nContent-Length: 0\r\nContent-Type: foo/bar' + '\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 201' + self.assertEquals(headers[:len(exp)], exp) + # Ensure getting the copied file gets original content-type + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('GET /v1/a/c/obj3 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 200' + self.assertEquals(headers[:len(exp)], exp) + self.assert_('Content-Type: foo/bar' in + headers.split('\r\n'), repr(headers.split('\r\n'))) + # Check set content type with charset + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('PUT /v1/a/c/obj4 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Storage-Token: ' + 't\r\nContent-Length: 0\r\nContent-Type: foo/bar' + '; charset=UTF-8\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 201' + self.assertEquals(headers[:len(exp)], exp) + # Ensure getting the copied file gets original content-type + sock = connect_tcp(('localhost', prolis.getsockname()[1])) + fd = sock.makefile() + fd.write('GET /v1/a/c/obj4 HTTP/1.1\r\nHost: ' + 'localhost\r\nConnection: close\r\nX-Auth-Token: ' + 't\r\n\r\n') + fd.flush() + headers = readuntil2crlfs(fd) + exp = 'HTTP/1.1 200' + self.assertEquals(headers[:len(exp)], exp) + self.assert_('Content-Type: foo/bar; charset=UTF-8' in + headers.split('\r\n'), repr(headers.split('\r\n'))) finally: prospa.kill() acc1spa.kill() diff --git a/test/unit/stats/test_access_processor.py b/test/unit/stats/test_access_processor.py index 47013ca8ae..7317c365aa 100644 --- a/test/unit/stats/test_access_processor.py +++ b/test/unit/stats/test_access_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/stats/test_account_stats.py b/test/unit/stats/test_account_stats.py index e318739dda..204cda78d2 100644 --- a/test/unit/stats/test_account_stats.py +++ b/test/unit/stats/test_account_stats.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/stats/test_log_processor.py b/test/unit/stats/test_log_processor.py index 1a6450139f..75acc02123 100644 --- a/test/unit/stats/test_log_processor.py +++ b/test/unit/stats/test_log_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/stats/test_log_uploader.py b/test/unit/stats/test_log_uploader.py index 8e889ad918..3585111750 100644 --- a/test/unit/stats/test_log_uploader.py +++ b/test/unit/stats/test_log_uploader.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/test/unit/stats/test_stats_processor.py b/test/unit/stats/test_stats_processor.py index 4720d1f035..c3af1c1b69 100644 --- a/test/unit/stats/test_stats_processor.py +++ b/test/unit/stats/test_stats_processor.py @@ -1,4 +1,4 @@ -# Copyright (c) 2010 OpenStack, LLC. +# Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.