def test_invalid_acls(self): if tf.skip: raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # needs to be an acceptable header size num_keys = 8 max_key_size = load_constraint('max_header_size') / num_keys acl = {'admin': [c * max_key_size for c in letters[:num_keys]]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 400) # and again a touch smaller acl = {'admin': [c * max_key_size for c in letters[:num_keys - 1]]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204)
def test_invalid_acls(self): if tf.skip: raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # needs to be an acceptable header size num_keys = 8 max_key_size = load_constraint('max_header_size') / num_keys acl = {'admin': [c * max_key_size for c in letters[:num_keys]]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 400) # and again a touch smaller acl = {'admin': [c * max_key_size for c in letters[:num_keys - 1]]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204)
def _make_user_and_sys_acl_headers_data(self): acl = { 'admin': ['AUTH_alice', 'AUTH_bob'], 'read-write': ['AUTH_carol'], 'read-only': [], } user_prefix = 'x-account-' # external, user-facing user_headers = {(user_prefix + 'access-control'): format_acl( version=2, acl_dict=acl)} sys_prefix = get_sys_meta_prefix('account') # internal, system-facing sys_headers = {(sys_prefix + 'core-access-control'): format_acl( version=2, acl_dict=acl)} return user_headers, sys_headers
def _make_request(self, path, **kwargs): # Our TestAccountAcls default request will have a valid auth token version, acct, _ = split_path(path, 1, 3, True) headers = kwargs.pop('headers', {'X-Auth-Token': 'AUTH_t'}) user_groups = kwargs.pop('user_groups', 'AUTH_firstacct') # The account being accessed will have account ACLs acl = {'admin': ['AUTH_admin'], 'read-write': ['AUTH_rw'], 'read-only': ['AUTH_ro']} header_data = {'core-access-control': format_acl(version=2, acl_dict=acl)} acls = kwargs.pop('acls', header_data) req = Request.blank(path, headers=headers, **kwargs) # Authorize the token by populating the request's cache req.environ['swift.cache'] = FakeMemcache() cache_key = 'AUTH_/token/AUTH_t' cache_entry = (time() + 3600, user_groups) req.environ['swift.cache'].set(cache_key, cache_entry) # Pretend get_account_info returned ACLs in sysmeta, and we cached that cache_key = 'account/%s' % acct cache_entry = {'sysmeta': acls} req.environ['swift.cache'].set(cache_key, cache_entry) return req
def add_acls_from_sys_metadata(self, resp): if resp.environ["REQUEST_METHOD"] in ("HEAD", "GET", "PUT", "POST"): prefix = get_sys_meta_prefix("account") + "core-" name = "access-control" (extname, intname) = ("x-account-" + name, prefix + name) acl_dict = parse_acl(version=2, data=resp.headers.pop(intname)) if acl_dict: # treat empty dict as empty header resp.headers[extname] = format_acl(version=2, acl_dict=acl_dict)
def add_acls_from_sys_metadata(self, resp): if resp.environ['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST'): prefix = get_sys_meta_prefix('account') + 'core-' name = 'access-control' (extname, intname) = ('x-account-' + name, prefix + name) acl_dict = parse_acl(version=2, data=resp.headers.pop(intname)) if acl_dict: # treat empty dict as empty header resp.headers[extname] = format_acl( version=2, acl_dict=acl_dict)
def add_acls_from_sys_metadata(self, resp): if resp.environ['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST'): prefix = get_sys_meta_prefix('account') + 'core-' name = 'access-control' (extname, intname) = ('x-account-' + name, prefix + name) acl_dict = parse_acl(version=2, data=resp.headers.pop(intname)) if acl_dict: # treat empty dict as empty header resp.headers[extname] = format_acl(version=2, acl_dict=acl_dict)
def test_admin_acl(self): if skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403) # grant admin access acl_user = swift_testing.swift_test_user[2] acl = {'admin': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin can read account headers resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) # including acls self.assertEqual(resp.getheader('X-Account-Access-Control'), acl_json_str) # admin can write account metadata value = str(uuid4()) headers = {'x-account-meta-test': value} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # admin can even revoke their own access headers = {'x-account-access-control': '{}'} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) # and again, cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403)
def test_admin_acl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403) # grant admin access acl_user = tf.swift_test_user[2] acl = {'admin': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin can read account headers resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) # including acls self.assertEqual(resp.getheader('X-Account-Access-Control'), acl_json_str) # admin can write account metadata value = str(uuid4()) headers = {'x-account-meta-test': value} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # admin can even revoke their own access headers = {'x-account-access-control': '{}'} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) # and again, cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403)
def test_admin_acl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request("GET", parsed.path, "", {"X-Auth-Token": token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({"X-Auth-Token": token}, **headers) conn.request("POST", parsed.path, "", new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEqual(resp.status, 403) # grant admin access acl_user = tf.swift_test_user[2] acl = {"admin": [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {"x-account-access-control": acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin can read account headers resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204)) # including acls self.assertEqual(resp.getheader("X-Account-Access-Control"), acl_json_str) # admin can write account metadata value = str(uuid4()) headers = {"x-account-meta-test": value} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204)) self.assertEqual(resp.getheader("X-Account-Meta-Test"), value) # admin can even revoke their own access headers = {"x-account-access-control": "{}"} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) # and again, cannot read account resp = retry(get, use_account=3) resp.read() self.assertEqual(resp.status, 403)
def test_format_v2_acl(self): tests = [ ({}, '{}'), ({'foo': 'bar'}, '{"foo":"bar"}'), ({'groups': ['a', 'b'], 'referrers': ['c.com', '-x.c.com']}, '{"groups":["a","b"],"referrers":["c.com","-x.c.com"]}'), ] for data, expected in tests: result = acl.format_acl(version=2, acl_dict=data) self.assertEquals(expected, result, 'data=%r: %r *!=* %r' % (data, result, expected))
def test_format_v2_acl(self): tests = [ ({}, '{}'), ({'foo': 'bar'}, '{"foo":"bar"}'), ({'groups': ['a', 'b'], 'referrers': ['c.com', '-x.c.com']}, '{"groups":["a","b"],"referrers":["c.com","-x.c.com"]}'), ] for data, expected in tests: result = acl.format_acl(version=2, acl_dict=data) self.assertEqual(expected, result, 'data=%r: %r *!=* %r' % (data, result, expected))
def test_invalid_acl_values(self): def post(url, token, parsed, conn, headers): new_headers = dict({"X-Auth-Token": token}, **headers) conn.request("POST", parsed.path, "", new_headers) return check_response(conn) acl = {"admin": "invalid_value"} headers = {"x-account-access-control": format_acl(version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 400) self.assertIsNone(resp.getheader("X-Account-Access-Control"))
def test_format_v1_acl(self): tests = [ ((['a', 'b'], ['c.com']), 'a,b,.r:c.com'), ((['a', 'b'], ['c.com', '-x.c.com']), 'a,b,.r:c.com,.r:-x.c.com'), ((['a', 'b'], None), 'a,b'), ((None, ['c.com']), '.r:c.com'), ((None, None), ''), ] for (groups, refs), expected in tests: result = acl.format_acl( version=1, groups=groups, referrers=refs, header_name='hdr') self.assertEquals(expected, result, 'groups=%r, refs=%r: %r != %r' % (groups, refs, result, expected))
def test_invalid_acl_values(self): def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) acl = {'admin': 'invalid_value'} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 400) self.assertIsNone(resp.getheader('X-Account-Access-Control'))
def test_read_only_acl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403) # grant read access acl_user = tf.swift_test_user[2] acl = {'read-only': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only can read account headers resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) # but not acls self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # read-only can not write metadata headers = {'x-account-meta-test': 'value'} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 403) # but they can read it headers = {'x-account-meta-test': 'value'} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) self.assertEqual(resp.getheader('X-Account-Meta-Test'), 'value')
def test_format_v1_acl(self): tests = [ ((['a', 'b'], ['c.com']), 'a,b,.r:c.com'), ((['a', 'b'], ['c.com', '-x.c.com']), 'a,b,.r:c.com,.r:-x.c.com'), ((['a', 'b'], None), 'a,b'), ((None, ['c.com']), '.r:c.com'), ((None, None), ''), ] for (groups, refs), expected in tests: result = acl.format_acl( version=1, groups=groups, referrers=refs, header_name='hdr') self.assertEqual(expected, result, 'groups=%r, refs=%r: %r != %r' % (groups, refs, result, expected))
def test_invalid_acl_values(self): def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) acl = {'admin': 'invalid_value'} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 400) self.assertEqual(resp.getheader('X-Account-Access-Control'), None)
def test_read_only_acl(self): if skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEquals(resp.status, 403) # grant read access acl_user = swift_testing.swift_test_user[2] acl = {'read-only': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only can read account headers resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) # but not acls self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # read-only can not write metadata headers = {'x-account-meta-test': 'value'} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 403) # but they can read it headers = {'x-account-meta-test': 'value'} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204)) self.assertEqual(resp.getheader('X-Account-Meta-Test'), 'value')
def test_read_only_acl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request("GET", parsed.path, "", {"X-Auth-Token": token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({"X-Auth-Token": token}, **headers) conn.request("POST", parsed.path, "", new_headers) return check_response(conn) # cannot read account resp = retry(get, use_account=3) resp.read() self.assertEqual(resp.status, 403) # grant read access acl_user = tf.swift_test_user[2] acl = {"read-only": [acl_user]} headers = {"x-account-access-control": format_acl(version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only can read account headers resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204)) # but not acls self.assertIsNone(resp.getheader("X-Account-Access-Control")) # read-only can not write metadata headers = {"x-account-meta-test": "value"} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 403) # but they can read it headers = {"x-account-meta-test": "value"} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204)) self.assertEqual(resp.getheader("X-Account-Meta-Test"), "value")
def test_account_acls(self): if tf.skip2: raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) def put(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('PUT', parsed.path, '', new_headers) return check_response(conn) def delete(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('DELETE', parsed.path, '', new_headers) return check_response(conn) def head(url, token, parsed, conn): conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) try: # User1 can POST to their own account (and reset the ACLs) resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User1 can GET their own empty account resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User2 can't GET User1's account resp = retry(get, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 403) # User1 is swift_owner of their own account, so they can POST an # ACL -- let's do this and make User2 (test_user[1]) an admin acl_user = tf.swift_test_user[1] acl = {'admin': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User1 can see the new header resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) data_from_headers = resp.getheader('x-account-access-control') expected = json.dumps(acl, separators=(',', ':')) self.assertEqual(data_from_headers, expected) # Now User2 should be able to GET the account and see the ACL resp = retry(head, use_account=2, url_account=1) resp.read() data_from_headers = resp.getheader('x-account-access-control') self.assertEqual(data_from_headers, expected) # Revoke User2's admin access, grant User2 read-write access acl = {'read-write': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can PUT and DELETE a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 201) resp = retry(delete, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 204) # Revoke User2's read-write access, grant User2 read-only access acl = {'read-only': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can't PUT a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 403) finally: # Make sure to clean up even if tests fail -- User2 should not # have access to User1's account in other functional tests! resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read()
def test_tempauth_account_acls(self): if skip: raise SkipTest # Determine whether this cluster has account ACLs; if not, skip test conn = Connection(get_config('func_test')) conn.authenticate() cluster_info = conn.cluster_info() if not cluster_info.get('tempauth', {}).get('account_acls'): raise SkipTest if 'keystoneauth' in cluster_info: # Unfortunate hack -- tempauth (with account ACLs) is expected # to play nice with Keystone (without account ACLs), but Zuul # functest framework doesn't give us an easy way to get a # tempauth user. raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) def put(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('PUT', parsed.path, '', new_headers) return check_response(conn) def delete(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('DELETE', parsed.path, '', new_headers) return check_response(conn) def head(url, token, parsed, conn): conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) try: # User1 can POST to their own account (and reset the ACLs) resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User1 can GET their own empty account resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User2 can't GET User1's account resp = retry(get, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 403) # User1 is swift_owner of their own account, so they can POST an # ACL -- let's do this and make User2 (test_user[1]) an admin acl_user = swift_testing.swift_test_user[1] acl = {'admin': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User1 can see the new header resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) data_from_headers = resp.getheader('x-account-access-control') expected = json.dumps(acl, separators=(',', ':')) self.assertEqual(data_from_headers, expected) # Now User2 should be able to GET the account and see the ACL resp = retry(head, use_account=2, url_account=1) resp.read() data_from_headers = resp.getheader('x-account-access-control') self.assertEqual(data_from_headers, expected) # Revoke User2's admin access, grant User2 read-write access acl = {'read-write': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can PUT and DELETE a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 201) resp = retry(delete, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 204) # Revoke User2's read-write access, grant User2 read-only access acl = {'read-only': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can't PUT a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 403) finally: # Make sure to clean up even if tests fail -- User2 should not # have access to User1's account in other functional tests! resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read()
def setUpClass(klass): klass.test_conf = klass._get_s3_sync_conf() # Get a reseller_admin token so we don't have to mess with any auth # silliness. klass.admin_conn = swiftclient.client.Connection( klass.SWIFT_CREDS['authurl'], klass.SWIFT_CREDS['admin']['user'], klass.SWIFT_CREDS['admin']['key'], retries=0) _, admin_token = klass.admin_conn.get_auth() # Get our s3 client biz s3 = [container for container in klass.test_conf['containers'] if container.get('protocol', 's3') == 's3'][0] klass.S3_CREDS.update({ 'endpoint': 'http://1space-s3proxy:%d' % klass.PORTS['s3'], 'user': s3['aws_identity'], 'key': s3['aws_secret'], }) session = boto3.session.Session( aws_access_key_id=s3['aws_identity'], aws_secret_access_key=s3['aws_secret']) conf = boto3.session.Config(s3={'addressing_style': 'path'}) klass.s3_client = session.client( 's3', config=conf, endpoint_url='http://1space-s3proxy:%d' % klass.PORTS['s3']) url_user_key_to_acct = {} # temporary for deduping account lookups for mapping in \ klass.test_conf['containers'] + klass.test_conf['migrations']: # Make sure we have a connection for any Swift account on either # "end". For remote ends, we have to auth once to find the account # name; we use url_user_key_to_acct to only do that once per input # tuple that could give us different answers. acct_utf8 = mapping['account'].encode('utf8') klass._add_conns_for_swift_acct(acct_utf8, admin_token) if mapping['protocol'] == 'swift': # Get conns for the other side, too if mapping.get('remote_account'): acct_utf8 = mapping['remote_account'].encode('utf8') else: if mapping.get('auth_type') == 'keystone_v2': conn_key = (mapping['aws_endpoint'], mapping['aws_identity'], mapping['aws_secret'], mapping['tenant_name']) elif mapping.get('auth_type') == 'keystone_v3': conn_key = (mapping['aws_endpoint'], mapping['aws_identity'], mapping['aws_secret'], mapping['project_name'], mapping['user_domain_name'], mapping['project_domain_name']) else: conn_key = (mapping['aws_endpoint'], mapping['aws_identity'], mapping['aws_secret']) acct_utf8 = url_user_key_to_acct.get(conn_key) if not acct_utf8: connection_kwargs = { 'authurl': mapping['aws_endpoint'], 'user': mapping['aws_identity'], 'key': mapping['aws_secret'], 'retries': 0 } if mapping.get('auth_type') == 'keystone_v2': connection_kwargs['os_options'] = { 'tenant_name': mapping.get('tenant_name'), } connection_kwargs['auth_version'] = '2' elif mapping.get('auth_type') == 'keystone_v3': connection_kwargs['os_options'] = { 'project_name': mapping.get('project_name'), 'user_domain_name': mapping.get( 'user_domain_name'), 'project_domain_name': mapping.get('project_domain_name') } connection_kwargs['auth_version'] = '3' # Need to auth to get acct name, then add it to the cache conn = swiftclient.client.Connection(**connection_kwargs) url, _ = conn.get_auth() acct_utf8 = urllib.unquote(url.rsplit('/')[-1]) url_user_key_to_acct[conn_key] = acct_utf8 klass._add_conns_for_swift_acct(acct_utf8, admin_token) # As a convenience for ourselves, we'll stick the resolved # remote Swift account name in the mapping as "aws_account" # (stored as Unicode string for consistency) mapping['aws_account'] = acct_utf8.decode('utf8') # Now maybe auto-create some containers if mapping.get('aws_bucket') == '/*': continue if container['aws_bucket'].startswith('no-auto-'): # Remove any no-auto create containers for swift if mapping['protocol'] == 'swift': try: conn = klass.conn_for_acct_noshunt( mapping['aws_account']) conn.delete_container(mapping['aws_bucket']) except swiftclient.exceptions.ClientException as e: if e.http_status == 404: continue raise else: if mapping['protocol'] == 'swift' and \ mapping.get('aws_bucket'): # For now, the aws_bucket is just a prefix, not a container # name for a swift destination that has a source container # of /*. So don't create a container of that name. if mapping.get('container') != '/*': acct = mapping.get('remote_bucket', mapping['aws_account']) conn = klass.conn_for_acct_noshunt(acct) conn.put_container(mapping['aws_bucket']) else: try: klass.s3_client.create_bucket( Bucket=mapping['aws_bucket']) except botocore.exceptions.ClientError as e: if e.response['Error']['Code'] == 409: pass if mapping.get('container') and mapping.get('container') != '/*': conn = klass.conn_for_acct_noshunt(mapping['account']) if mapping['container'].startswith('no-auto-'): try: conn.delete_container(mapping['container']) except swiftclient.exceptions.ClientException as e: if e.http_status != 404: raise else: conn.put_container(mapping['container']) klass.swift_src = klass.conn_for_acct('AUTH_test') klass.swift_dst = klass.conn_for_acct( u"AUTH_\u062aacct2".encode('utf8')) klass.swift_nuser = klass.conn_for_acct('AUTH_nacct') klass.swift_nuser2 = klass.conn_for_acct('AUTH_nacct2') klass.swift_nuser2 = klass.conn_for_acct('AUTH_nacct2') # We actually test auth through this connection, so give it real creds: klass.cloud_connector_client = swiftclient.Connection( 'http://cloud-connector:%d/auth/v1.0' % klass.PORTS['cloud_connector'], klass.SWIFT_CREDS['cloud-connector']['user'], klass.SWIFT_CREDS['cloud-connector']['key'], retries=0) # A test is going to need this Keystone user (tenant? whatever) able to # read/write this tempauth account. keystone_uuid = url_user_key_to_acct[( "http://1space-keystone:5000/v2.0", "tester", "testing", "test")].replace('KEY_', '') acl_dict = {'read-write': [keystone_uuid]} acl = format_acl(version=2, acl_dict=acl_dict) conn = klass.conn_for_acct(u"AUTH_\u062aacct2") conn.post_account({ACCOUNT_ACL_KEY: acl}) klass.statsd_server = utils.StatsdServer(port=21337) klass.statsd_server.serve() klass.aws_identity = os.environ.get('AWS_IDENTITY') klass.aws_bucket = os.environ.get('AWS_BUCKET', '1space-test') klass.aws_secret = os.environ.get('AWS_SECRET') klass.run_long_tests = os.environ.get('RUN_LONG_TESTS') if all((klass.aws_identity, klass.aws_bucket, klass.aws_secret)): klass.has_aws = True else: klass.has_aws = False
def test_tempauth_account_acls(self): if skip: raise SkipTest # Determine whether this cluster has account ACLs; if not, skip test conn = Connection(get_config('func_test')) conn.authenticate() status = conn.make_request('GET', '/info', cfg={'verbatim_path': True}) if status // 100 != 2: # Can't tell if account ACLs are enabled; skip tests proactively. raise SkipTest else: cluster_info = json.loads(conn.response.read()) if not cluster_info.get('tempauth', {}).get('account_acls'): raise SkipTest if 'keystoneauth' in cluster_info: # Unfortunate hack -- tempauth (with account ACLs) is expected # to play nice with Keystone (without account ACLs), but Zuul # functest framework doesn't give us an easy way to get a # tempauth user. raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) def put(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('PUT', parsed.path, '', new_headers) return check_response(conn) def delete(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('DELETE', parsed.path, '', new_headers) return check_response(conn) def head(url, token, parsed, conn): conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) try: # User1 can POST to their own account (and reset the ACLs) resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User1 can GET their own empty account resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User2 can't GET User1's account resp = retry(get, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 403) # User1 is swift_owner of their own account, so they can POST an # ACL -- let's do this and make User2 (test_user[1]) an admin acl_user = swift_testing.swift_test_user[1] acl = {'admin': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User1 can see the new header resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) data_from_headers = resp.getheader('x-account-access-control') expected = json.dumps(acl, separators=(',', ':')) self.assertEqual(data_from_headers, expected) # Now User2 should be able to GET the account and see the ACL resp = retry(head, use_account=2, url_account=1) resp.read() data_from_headers = resp.getheader('x-account-access-control') self.assertEqual(data_from_headers, expected) # Revoke User2's admin access, grant User2 read-write access acl = {'read-write': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can PUT and DELETE a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 201) resp = retry(delete, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 204) # Revoke User2's read-write access, grant User2 read-only access acl = {'read-only': [acl_user]} headers = { 'x-account-access-control': format_acl(version=2, acl_dict=acl) } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can't PUT a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 403) finally: # Make sure to clean up even if tests fail -- User2 should not # have access to User1's account in other functional tests! resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read()
def test_account_acls(self): if skip2: raise SkipTest def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) def put(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('PUT', parsed.path, '', new_headers) return check_response(conn) def delete(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('DELETE', parsed.path, '', new_headers) return check_response(conn) def head(url, token, parsed, conn): conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) try: # User1 can POST to their own account (and reset the ACLs) resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User1 can GET their own empty account resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) self.assertEqual(resp.getheader('X-Account-Access-Control'), None) # User2 can't GET User1's account resp = retry(get, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 403) # User1 is swift_owner of their own account, so they can POST an # ACL -- let's do this and make User2 (test_user[1]) an admin acl_user = swift_testing.swift_test_user[1] acl = {'admin': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User1 can see the new header resp = retry(get, use_account=1) resp.read() self.assertEqual(resp.status // 100, 2) data_from_headers = resp.getheader('x-account-access-control') expected = json.dumps(acl, separators=(',', ':')) self.assertEqual(data_from_headers, expected) # Now User2 should be able to GET the account and see the ACL resp = retry(head, use_account=2, url_account=1) resp.read() data_from_headers = resp.getheader('x-account-access-control') self.assertEqual(data_from_headers, expected) # Revoke User2's admin access, grant User2 read-write access acl = {'read-write': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can PUT and DELETE a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 201) resp = retry(delete, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 204) # Revoke User2's read-write access, grant User2 read-only access acl = {'read-only': [acl_user]} headers = {'x-account-access-control': format_acl( version=2, acl_dict=acl)} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # User2 can still GET the account, but not see the ACL # (since it's privileged data) resp = retry(head, use_account=2, url_account=1) resp.read() self.assertEqual(resp.status, 204) self.assertEqual(resp.getheader('x-account-access-control'), None) # User2 can't PUT a container resp = retry(put, use_account=2, url_account=1, resource='%(storage_url)s/mycontainer', headers={}) resp.read() self.assertEqual(resp.status, 403) finally: # Make sure to clean up even if tests fail -- User2 should not # have access to User1's account in other functional tests! resp = retry(post, headers={'X-Account-Access-Control': '{}'}, use_account=1) resp.read()
def test_protected_tempurl(self): if skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # add a account metadata, and temp-url-key to account value = str(uuid4()) headers = { 'x-account-meta-temp-url-key': 'secret', 'x-account-meta-test': value, } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # grant read-only access to tester3 acl_user = swift_testing.swift_test_user[2] acl = {'read-only': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # but not temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None) # grant read-write access to tester3 acl_user = swift_testing.swift_test_user[2] acl = {'read-write': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-write tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # but not temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None) # grant admin access to tester3 acl_user = swift_testing.swift_test_user[2] acl = {'admin': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # including temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), 'secret') # admin tester3 can even change temp-url-key secret = str(uuid4()) headers = { 'x-account-meta-temp-url-key': secret, } resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), secret)
def test_protected_tempurl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request('GET', parsed.path, '', {'X-Auth-Token': token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({'X-Auth-Token': token}, **headers) conn.request('POST', parsed.path, '', new_headers) return check_response(conn) # add an account metadata, and temp-url-key to account value = str(uuid4()) headers = { 'x-account-meta-temp-url-key': 'secret', 'x-account-meta-test': value, } resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # grant read-only access to tester3 acl_user = tf.swift_test_user[2] acl = {'read-only': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # but not temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None) # grant read-write access to tester3 acl_user = tf.swift_test_user[2] acl = {'read-write': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-write tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # but not temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None) # grant admin access to tester3 acl_user = tf.swift_test_user[2] acl = {'admin': [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {'x-account-access-control': acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Test'), value) # including temp-url-key self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), 'secret') # admin tester3 can even change temp-url-key secret = str(uuid4()) headers = { 'x-account-meta-temp-url-key': secret, } resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assert_(resp.status in (200, 204), 'Expected status in (200, 204), got %s' % resp.status) self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), secret)
def test_protected_tempurl(self): if tf.skip3: raise SkipTest def get(url, token, parsed, conn): conn.request("GET", parsed.path, "", {"X-Auth-Token": token}) return check_response(conn) def post(url, token, parsed, conn, headers): new_headers = dict({"X-Auth-Token": token}, **headers) conn.request("POST", parsed.path, "", new_headers) return check_response(conn) # add an account metadata, and temp-url-key to account value = str(uuid4()) headers = {"x-account-meta-temp-url-key": "secret", "x-account-meta-test": value} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # grant read-only access to tester3 acl_user = tf.swift_test_user[2] acl = {"read-only": [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {"x-account-access-control": acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-only tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status) self.assertEqual(resp.getheader("X-Account-Meta-Test"), value) # but not temp-url-key self.assertIsNone(resp.getheader("X-Account-Meta-Temp-Url-Key")) # grant read-write access to tester3 acl_user = tf.swift_test_user[2] acl = {"read-write": [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {"x-account-access-control": acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # read-write tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status) self.assertEqual(resp.getheader("X-Account-Meta-Test"), value) # but not temp-url-key self.assertIsNone(resp.getheader("X-Account-Meta-Temp-Url-Key")) # grant admin access to tester3 acl_user = tf.swift_test_user[2] acl = {"admin": [acl_user]} acl_json_str = format_acl(version=2, acl_dict=acl) headers = {"x-account-access-control": acl_json_str} resp = retry(post, headers=headers, use_account=1) resp.read() self.assertEqual(resp.status, 204) # admin tester3 can read account metadata resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status) self.assertEqual(resp.getheader("X-Account-Meta-Test"), value) # including temp-url-key self.assertEqual(resp.getheader("X-Account-Meta-Temp-Url-Key"), "secret") # admin tester3 can even change temp-url-key secret = str(uuid4()) headers = {"x-account-meta-temp-url-key": secret} resp = retry(post, headers=headers, use_account=3) resp.read() self.assertEqual(resp.status, 204) resp = retry(get, use_account=3) resp.read() self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status) self.assertEqual(resp.getheader("X-Account-Meta-Temp-Url-Key"), secret)