Added allow_overrides capability for tempurl/fo...

Added allow_overrides capability for tempurl/formpost type
middleware.

Fixes #26
gholt 2012-03-27 02:53:05 +00:00
parent dfaf1e2317
commit 09590624ea
3 changed files with 40 additions and 0 deletions


@ -50,6 +50,11 @@ use = egg:swauth#swauth
# auth_type = plaintext # auth_type = plaintext
# Used if the auth_type is sha1 or another method that can make use of a salt. # Used if the auth_type is sha1 or another method that can make use of a salt.
# auth_type_salt = swauthsalt # auth_type_salt = swauthsalt
# This allows middleware higher in the WSGI pipeline to override auth
# processing, useful for middleware such as tempurl and formpost. If you know
# you're not going to use such middleware and you want a bit of extra security,
# you can set this to false.
# allow_overrides = true
# Highly recommended to change this. If you comment this out, the Swauth # Highly recommended to change this. If you comment this out, the Swauth
# administration features will be disabled for this proxy. # administration features will be disabled for this proxy.
super_admin_key = swauthkey super_admin_key = swauthkey
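Review bot: The new comment for `allow_overrides` undersells what the default of true permits: as the Swauth hunk in this commit shows, any request whose WSGI environ carries a truthy `swift.authorize_override` is handed on without Swauth doing any auth processing. The sample should say that the setting makes every filter placed ahead of swauth in the pipeline part of the trust boundary, rather than describing false as "a bit of extra security". Suggested wording: `# When true, a request marked swift.authorize_override by an earlier filter skips Swauth entirely;` followed by `# set this to false unless tempurl, formpost or similar middleware is in the pipeline.`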


@ -155,6 +155,8 @@ class Swauth(object):
raise Exception('Invalid auth_type in config file: %s' raise Exception('Invalid auth_type in config file: %s'
% self.auth_type) % self.auth_type)
self.auth_encoder.salt = conf.get('auth_type_salt', 'swauthsalt') self.auth_encoder.salt = conf.get('auth_type_salt', 'swauthsalt')
self.allow_overrides = \
conf.get('allow_overrides', 't').lower() in TRUE_VALUES
def __call__(self, env, start_response): def __call__(self, env, start_response):
""" """
@ -176,6 +178,8 @@ class Swauth(object):
will be routed through the internal auth request handler (self.handle). will be routed through the internal auth request handler (self.handle).
This is to handle creating users, accounts, granting tokens, etc. This is to handle creating users, accounts, granting tokens, etc.
""" """
if self.allow_overrides and env.get('swift.authorize_override', False):
return self.app(env, start_response)
if 'HTTP_X_CF_TRANS_ID' not in env: if 'HTTP_X_CF_TRANS_ID' not in env:
env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4()) env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())
if not self.swauth_remote: if not self.swauth_remote:
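Review bot: The override return added at the top of `__call__` runs before the `HTTP_X_CF_TRANS_ID` assignment directly below it, so a request that bypasses Swauth leaves this middleware without a transaction id and with nothing recorded about auth having been skipped. Unless another filter is guaranteed to have set the id already (not visible here), moving the two added lines to just after `env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())` keeps bypassed requests correlatable in logs. A short comment above the check, such as `# Trusts swift.authorize_override set by an earlier filter; clients cannot set non-HTTP_ environ keys via headers`, would also document why the flag is safe to honour. The body of `__call__` continues outside this hunk, so the effect on the later auth-prefix handling cannot be judged from here.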


@ -3462,6 +3462,37 @@ class TestAuth(unittest.TestCase):
resp = req.get_response(self.test_auth) resp = req.get_response(self.test_auth)
self.assertEquals(resp.status_int, 204) self.assertEquals(resp.status_int, 204)
def _make_request(self, path, **kwargs):
req = Request.blank(path, **kwargs)
req.environ['swift.cache'] = FakeMemcache()
return req
def test_override_asked_for_but_not_allowed(self):
self.test_auth = \
auth.filter_factory({'allow_overrides': 'false'})(FakeApp())
req = self._make_request('/v1/AUTH_account',
environ={'swift.authorize_override': True})
resp = req.get_response(self.test_auth)
self.assertEquals(resp.status_int, 401)
self.assertEquals(resp.environ['swift.authorize'],
self.test_auth.authorize)
def test_override_asked_for_and_allowed(self):
self.test_auth = \
auth.filter_factory({'allow_overrides': 'true'})(FakeApp())
req = self._make_request('/v1/AUTH_account',
environ={'swift.authorize_override': True})
resp = req.get_response(self.test_auth)
self.assertEquals(resp.status_int, 404)
self.assertTrue('swift.authorize' not in resp.environ)
def test_override_default_allowed(self):
req = self._make_request('/v1/AUTH_account',
environ={'swift.authorize_override': True})
resp = req.get_response(self.test_auth)
self.assertEquals(resp.status_int, 404)
self.assertTrue('swift.authorize' not in resp.environ)
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()
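Review bot: The three new tests pin 'true', 'false' and the default, but nothing pins what happens when `allow_overrides` holds an unrecognised value. The parsing in the Swauth hunk (`.lower() in TRUE_VALUES`) presumably turns overrides off in that case. Since that is the fail-closed behaviour an operator relies on after a typo in the config, it is worth locking in with a test next to `test_override_asked_for_but_not_allowed`. The sketch below uses a constructed value and mirrors the existing test's assertions.

```python
def test_override_asked_for_but_value_unrecognised(self):
    # 'maybe' is a constructed value assumed to be outside TRUE_VALUES
    self.test_auth = \
        auth.filter_factory({'allow_overrides': 'maybe'})(FakeApp())
    req = self._make_request('/v1/AUTH_account',
                             environ={'swift.authorize_override': True})
    resp = req.get_response(self.test_auth)
    self.assertEquals(resp.status_int, 401)
    self.assertEquals(resp.environ['swift.authorize'],
                      self.test_auth.authorize)
```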