diff --git a/policies/CWpolicy.json b/policies/CWpolicy.json
deleted file mode 100644
index 7eb5dd3..0000000
--- a/policies/CWpolicy.json
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- "is_anonymous": "identity:None",
- "is_authenticated": "not rule:is_anonymous",
- "swift_reseller": "role:ResellerAdmin",
- "swift_operator": "role:swiftoperator or role:admin or role:Member",
-
- "swift_owner": "rule:swift_reseller or rule:swift_operator or is_admin:True",
-
- "reseller_request": "rule:swift_reseller",
- "same_tenant": "account:%(account)s",
- "tenant_mismatch": "not rule:same_tenant",
-
- "allowed_for_authenticated": "rule:swift_reseller or acl:check_cross_tenant or acl:check_is_public or (rule:same_tenant and rule:swift_operator) or (rule:same_tenant and acl:check_roles) or (rule:same_tenant and is_admin:True) or (rule:same_tenant and is_admin:False and acl:check_roles)",
-
- "allowed_for_anonymous": "is_authoritative:True and acl:check_is_public",
-
- "allowed_for_user": "(rule:is_authenticated and rule:allowed_for_authenticated) or rule:allowed_for_anonymous",
-
- "remove_only": "role:remove_only",
- "upload_disabled": "role:upload_disabled",
- "support": "role:support",
-
- "get_account": "rule:allowed_for_user or rule:support",
- "post_account": "rule:allowed_for_user and not rule:remove_only",
- "head_account": "rule:allowed_for_user or rule:support",
- "delete_account": "rule:swift_reseller",
- "options_account": "",
- "get_container": "rule:allowed_for_user or rule:support",
- "put_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "delete_container": "rule:allowed_for_user",
- "post_container": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "head_container": "rule:allowed_for_user or rule:support",
- "options_container": "",
- "get_object": "rule:allowed_for_user and not rule:remove_only",
- "put_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "copy_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "delete_object": "rule:allowed_for_user",
- "head_object": "rule:allowed_for_user or rule:support",
- "post_object": "rule:allowed_for_user and not rule:remove_only and not rule:upload_disabled",
- "options_object": ""
-}
-
diff --git a/tests/test_CWpolicy.sh b/tests/test_CWpolicy.sh
deleted file mode 100755
index a145320..0000000
--- a/tests/test_CWpolicy.sh
+++ /dev/null
@@ -1,366 +0,0 @@
-#!/bin/sh
-
-CLEANUP=${CLEANUP-true}
-# assuming a devstack with the following parameters, where swiftpolicy mw
-# was added to the swift pipeline and using CWpolicy.json
-
-BASE_URL=http://localhost
-OS_ADMIN=admin
-OS_ADMIN_PASSWORD=admin
-OS_ADMIN_TENANT=admin
-OS_AUTH_URL=$BASE_URL:5000/v2.0
-
-# CW related variables
-CW_ROLE1=upload_disabled
-CW_ROLE2=remove_only
-CW_USER=cwuser
-CW_SUPPORT=support
-
-setup () {
- echo "***** SETUP ****"
- echo ">> Create users, tenant and roles"
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone tenant-create --name $CW_USER 2>&1 >/dev/null
-
- CW_TID=$(OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone tenant-get $CW_USER |awk '{if ($2 == "id") {print $4}}')
-
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE1 2>&1 >/dev/null
-
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_ROLE2 2>&1 >/dev/null
-
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-create --name $CW_SUPPORT 2>&1 >/dev/null
-
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-create --name $CW_USER --tenant $CW_USER --pass $CW_USER --enabled true 2>&1 >/dev/null
-
- echo ">> Create support user"
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-create --name $CW_SUPPORT --pass $CW_SUPPORT --enabled true 2>&1 >/dev/null
-
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_SUPPORT --tenant $CW_USER --role $CW_SUPPORT 2>&1 >/dev/null
-
- # Let's do regular stuff first
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role Member 2>&1 >/dev/null
-
-}
-
-tests () {
-
- echo "***** TESTS ****"
- echo "testy test" > testytest
- echo "*** Regular user - $CW_USER ***"
-
- echo ">> Testing uploading an object/container"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj1 container1 testytest 2>&1 >/dev/null
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj1 todelete testytest 2>&1 >/dev/null
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj2 todelete testytest 2>&1 >/dev/null
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name delobj3 todelete testytest 2>&1 >/dev/null
-
- echo ">> Testing list and stat"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift list container1 2>&1 >/dev/null
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift stat 2>&1 >/dev/null
-
- echo ">> Testing deleting delobj3"
- OS_USERNAME=$CW_USER OS_TENANT_NAME=$CW_USER OS_PASSWORD=$CW_USER OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj3
-
- echo ">> Testing download - object"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1 2>&1 >/dev/null
-
- echo ">> Testing download - container"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 2>&1 >/dev/null
-
- echo ">> Testing sharing temp URLs"
- # Create the tempurl key
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift post -m Temp-URL-Key:test1 2>&1 >/dev/null
- # get the url
- TEMP_URL=$(swift-temp-url GET 6000 /v1/AUTH_$CW_TID/container1/obj1 test1)
- # Download the file
- wget $BASE_URL:8080$TEMP_URL
-
-
- echo ""
- echo "*** Now prevent uploads ***"
- echo ">> Applying $CW_ROLE1"
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE1 2>&1 >/dev/null
- echo ">> Testing upload"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Upload forbidden, all good"
- else
- echo "... FAIL - User can upload data"
- fi;
- # pass
- echo ">> Testing listing container1"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift list container1 2>&1 >/dev/null
- # pass
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift stat 2>&1 >/dev/null
- # pass
- echo ">> Testing deletion"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj2 2>&1 >/dev/null
- # pass
- echo ">> Testing download - object"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1 2>&1 >/dev/null
- echo ">> Testing download - container"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 2>&1 >/dev/null
- echo ">> Testing sharing temp URLs"
- # Create the tempurl key
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift post -m Temp-URL-Key:test2 2>&1 >/dev/null
- # get the url
- TEMP_URL=$(swift-temp-url GET 6000 /v1/AUTH_$CW_TID/container1/obj1 test2)
- # Download the file
- wget $BASE_URL:8080$TEMP_URL
-
-
- echo ""
- echo "*** Now authorize file removal only ***"
- echo ">> Applying $CW_ROLE2"
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-role-remove --user $CW_USER --tenant $CW_USER --role $CW_ROLE1 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-role-add --user $CW_USER --tenant $CW_USER --role $CW_ROLE2 2>&1 >/dev/null
-
- echo ">> Testing upload"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Upload forbidden, all good"
- else
- echo "... FAIL - User can upload data"
- fi;
- # pass
- echo ">> Testing listing container1"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift list container1 2>&1 >/dev/null
- # pass
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift stat
- # pass
- echo ">> Testing deleting delobj1"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1 2>&1 >/dev/null
- # fail
- echo ">> Testing downloading object"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Download forbidden, all good"
- else
- echo "... FAIL - User can download data"
- fi;
- echo ">> Testing downloading container"
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Download forbidden, all good"
- else
- echo "... FAIL - User can download data"
- fi;
- echo ">> Testing sharing temp URLs"
- # get the url
- TEMP_URL=$(swift-temp-url GET 6000 /v1/AUTH_$CW_TID/container1/obj1 test2)
- # Download the file, shouldn't work
- wget $BASE_URL:8080$TEMP_URL 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Share Download forbidden, all good"
- else
- echo "... FAIL - User can share data"
- fi;
- sleep 20
- # Create the tempurl key, shouldn't even work either
- OS_USERNAME=$CW_USER \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_USER \
- OS_AUTH_URL=$OS_AUTH_URL swift post -m Temp-URL-Key:test3 2>&1
- if [ $? -ne 0 ]; then
- echo "... Cannot change metadata, all good"
- else
- echo "... FAIL - User can change temp url key"
- fi;
-
-
- echo ""
- echo "*** Testing support user ***"
- echo ">> Testing upload"
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift upload --object-name obj2 container1 testytest 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Upload forbidden, all good"
- else
- echo "... FAIL - User can upload data"
- fi;
- # pass
- echo ">> Testing listing container1"
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift list container1 2>&1 >/dev/null
- # pass
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift stat 2>&1 >/dev/null
- # fail
- echo ">> Testing deleting delobj1"
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift delete todelete delobj1 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Delete forbidden, all good"
- else
- echo "... FAIL - User can delete data"
- fi;
- # fail
- echo ">> Testing downloading object"
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 obj1 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Download forbidden, all good"
- else
- echo "... FAIL - User can download data"
- fi;
- echo ">> Testing downloading container"
- OS_USERNAME=$CW_SUPPORT \
- OS_TENANT_NAME=$CW_USER \
- OS_PASSWORD=$CW_SUPPORT \
- OS_AUTH_URL=$OS_AUTH_URL swift download container1 2>&1 >/dev/null
- if [ $? -ne 0 ]; then
- echo "... Download forbidden, all good"
- else
- echo "... FAIL - User can download data"
- fi;
-}
-
-
-# cleanup
-cleanup () {
- echo "**** CLEANUP *****"
- rm testytest obj1
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_SUPPORT 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone user-delete $CW_USER 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone tenant-delete $CW_USER 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE1 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_ROLE2 2>&1 >/dev/null
- OS_USERNAME=$OS_ADMIN \
- OS_TENANT_NAME=$OS_ADMIN_TENANT \
- OS_PASSWORD=$OS_ADMIN_PASSWORD \
- OS_AUTH_URL=$OS_AUTH_URL keystone role-delete $CW_SUPPORT 2>&1 >/dev/null
-}
-
-setup
-tests
-
-if [ "$CLEANUP" = "true" ]
-then
- cleanup
-fi