From 09590624eaf34c60920b804856b7992ad546b506 Mon Sep 17 00:00:00 2001
From: gholt
Date: Tue, 27 Mar 2012 02:53:05 +0000
Subject: [PATCH] Added allow_overrides capability for tempurl/fo...
Added allow_overrides capability for tempurl/formpost type middleware. Fixes #26
---
 etc/proxy-server.conf-sample | 5 +++++
 swauth/middleware.py | 4 ++++
 test_swauth/unit/test_middleware.py | 31 +++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 3e083eb..c5c5808 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -50,6 +50,11 @@ use = egg:swauth#swauth
 # auth_type = plaintext
 # Used if the auth_type is sha1 or another method that can make use of a salt.
 # auth_type_salt = swauthsalt
+# This allows middleware higher in the WSGI pipeline to override auth
+# processing, useful for middleware such as tempurl and formpost. If you know
+# you're not going to use such middleware and you want a bit of extra security,
+# you can set this to false.
+# allow_overrides = true
 # Highly recommended to change this. If you comment this out, the Swauth
 # administration features will be disabled for this proxy.
 super_admin_key = swauthkey
diff --git a/swauth/middleware.py b/swauth/middleware.py
index 1f6f002..8273afb 100644
--- a/swauth/middleware.py
+++ b/swauth/middleware.py
@@ -155,6 +155,8 @@ class Swauth(object):
 raise Exception('Invalid auth_type in config file: %s' % self.auth_type)
 self.auth_encoder.salt = conf.get('auth_type_salt', 'swauthsalt')
+ self.allow_overrides = \
+ conf.get('allow_overrides', 't').lower() in TRUE_VALUES
 def __call__(self, env, start_response):
 """
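Review bot: The fallback in `conf.get('allow_overrides', 't')` leaves the bypass switched on whenever the option is absent, so a deployment that never configured tempurl or formpost still honours `swift.authorize_override` from any filter placed ahead of swauth in the pipeline. Because this flag decides whether swauth's own processing runs at all, I would put a comment above the assignment, e.g. `# On by default for tempurl/formpost; every filter ahead of swauth can then skip it, so keep that part of the pipeline trusted.` The default spelling `'t'` also depends on `TRUE_VALUES` containing it, and that name is defined outside the hunk; `'true'` would match the sample config. The enclosing method (presumably `__init__`) starts above the hunk.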
@@ -176,6 +178,8 @@ class Swauth(object):
 will be routed through the internal auth request handler (self.handle).
 This is to handle creating users, accounts, granting tokens, etc.
 """
+ if self.allow_overrides and env.get('swift.authorize_override', False):
+ return self.app(env, start_response)
 if 'HTTP_X_CF_TRANS_ID' not in env:
 env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())
 if not self.swauth_remote:
diff --git a/test_swauth/unit/test_middleware.py b/test_swauth/unit/test_middleware.py
index 577d166..27c0de8 100644
--- a/test_swauth/unit/test_middleware.py
+++ b/test_swauth/unit/test_middleware.py
@@ -3462,6 +3462,37 @@ class TestAuth(unittest.TestCase):
 resp = req.get_response(self.test_auth)
 self.assertEquals(resp.status_int, 204)
+ def _make_request(self, path, **kwargs):
+ req = Request.blank(path, **kwargs)
+ req.environ['swift.cache'] = FakeMemcache()
+ return req
+
+ def test_override_asked_for_but_not_allowed(self):
+ self.test_auth = \
+ auth.filter_factory({'allow_overrides': 'false'})(FakeApp())
+ req = self._make_request('/v1/AUTH_account',
+ environ={'swift.authorize_override': True})
+ resp = req.get_response(self.test_auth)
+ self.assertEquals(resp.status_int, 401)
+ self.assertEquals(resp.environ['swift.authorize'],
+ self.test_auth.authorize)
+
+ def test_override_asked_for_and_allowed(self):
+ self.test_auth = \
+ auth.filter_factory({'allow_overrides': 'true'})(FakeApp())
+ req = self._make_request('/v1/AUTH_account',
+ environ={'swift.authorize_override': True})
+ resp = req.get_response(self.test_auth)
+ self.assertEquals(resp.status_int, 404)
+ self.assertTrue('swift.authorize' not in resp.environ)
+
+ def test_override_default_allowed(self):
+ req = self._make_request('/v1/AUTH_account',
+ environ={'swift.authorize_override': True})
+ resp = req.get_response(self.test_auth)
+ self.assertEquals(resp.status_int, 404)
+ self.assertTrue('swift.authorize' not in resp.environ)
+
 if __name__ == '__main__':
 unittest.main()
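Review bot: The early return added at the top of `__call__` runs before the `HTTP_X_CF_TRANS_ID` assignment, so a request that takes the override path gets no transaction id from this middleware and leaves no trace here that authorization was skipped. Placing the two new lines, `if self.allow_overrides and env.get('swift.authorize_override', False):` and `return self.app(env, start_response)`, directly after `env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())` keeps overridden requests traceable. The docstring that ends just above still describes only the authenticate and internal-handler paths; it should gain a sentence such as `If allow_overrides is set and earlier middleware put swift.authorize_override in the environ, the request is passed straight to the app and swift.authorize is not installed.` The method body continues past the end of the hunk.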
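Review bot: None of the three new tests sends a falsy `swift.authorize_override`, so nothing pins that the bypass depends on the flag's value and not on the key merely being present. A fourth case with overrides allowed and the flag set to `False` would guard the `env.get(..., False)` truthiness check against a later change to a plain membership test. I would expect it to end like the not-allowed case, with a 401 and `swift.authorize` installed, though that is inferred from the visible tests. `test_override_default_allowed` also relies on a `self.test_auth` built in a `setUp` that is outside the hunk.

```python
    def test_override_flag_false_is_not_an_override(self):
        self.test_auth = \
            auth.filter_factory({'allow_overrides': 'true'})(FakeApp())
        req = self._make_request('/v1/AUTH_account',
            environ={'swift.authorize_override': False})
        resp = req.get_response(self.test_auth)
        self.assertEquals(resp.status_int, 401)
        self.assertEquals(resp.environ['swift.authorize'],
                          self.test_auth.authorize)
```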