Пример #1
0
    def test_invalid_acls(self):
        if tf.skip:
            raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # needs to be an acceptable header size
        num_keys = 8
        max_key_size = load_constraint('max_header_size') / num_keys
        acl = {'admin': [c * max_key_size for c in letters[:num_keys]]}
        headers = {'x-account-access-control': format_acl(
            version=2, acl_dict=acl)}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 400)

        # and again a touch smaller
        acl = {'admin': [c * max_key_size for c in letters[:num_keys - 1]]}
        headers = {'x-account-access-control': format_acl(
            version=2, acl_dict=acl)}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)
Пример #2
0
    def test_invalid_acls(self):
        if tf.skip:
            raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # needs to be an acceptable header size
        num_keys = 8
        max_key_size = load_constraint('max_header_size') / num_keys
        acl = {'admin': [c * max_key_size for c in letters[:num_keys]]}
        headers = {
            'x-account-access-control': format_acl(version=2, acl_dict=acl)
        }
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 400)

        # and again a touch smaller
        acl = {'admin': [c * max_key_size for c in letters[:num_keys - 1]]}
        headers = {
            'x-account-access-control': format_acl(version=2, acl_dict=acl)
        }
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)
Пример #3
0
 def _make_user_and_sys_acl_headers_data(self):
     acl = {
         'admin': ['AUTH_alice', 'AUTH_bob'],
         'read-write': ['AUTH_carol'],
         'read-only': [],
     }
     user_prefix = 'x-account-'  # external, user-facing
     user_headers = {(user_prefix + 'access-control'): format_acl(
         version=2, acl_dict=acl)}
     sys_prefix = get_sys_meta_prefix('account')   # internal, system-facing
     sys_headers = {(sys_prefix + 'core-access-control'): format_acl(
         version=2, acl_dict=acl)}
     return user_headers, sys_headers
Пример #4
0
 def _make_user_and_sys_acl_headers_data(self):
     acl = {
         'admin': ['AUTH_alice', 'AUTH_bob'],
         'read-write': ['AUTH_carol'],
         'read-only': [],
     }
     user_prefix = 'x-account-'  # external, user-facing
     user_headers = {(user_prefix + 'access-control'): format_acl(
         version=2, acl_dict=acl)}
     sys_prefix = get_sys_meta_prefix('account')   # internal, system-facing
     sys_headers = {(sys_prefix + 'core-access-control'): format_acl(
         version=2, acl_dict=acl)}
     return user_headers, sys_headers
Пример #5
0
    def _make_request(self, path, **kwargs):
        # Our TestAccountAcls default request will have a valid auth token
        version, acct, _ = split_path(path, 1, 3, True)
        headers = kwargs.pop('headers', {'X-Auth-Token': 'AUTH_t'})
        user_groups = kwargs.pop('user_groups', 'AUTH_firstacct')

        # The account being accessed will have account ACLs
        acl = {'admin': ['AUTH_admin'], 'read-write': ['AUTH_rw'],
               'read-only': ['AUTH_ro']}
        header_data = {'core-access-control':
                       format_acl(version=2, acl_dict=acl)}
        acls = kwargs.pop('acls', header_data)

        req = Request.blank(path, headers=headers, **kwargs)

        # Authorize the token by populating the request's cache
        req.environ['swift.cache'] = FakeMemcache()
        cache_key = 'AUTH_/token/AUTH_t'
        cache_entry = (time() + 3600, user_groups)
        req.environ['swift.cache'].set(cache_key, cache_entry)

        # Pretend get_account_info returned ACLs in sysmeta, and we cached that
        cache_key = 'account/%s' % acct
        cache_entry = {'sysmeta': acls}
        req.environ['swift.cache'].set(cache_key, cache_entry)

        return req
Пример #6
0
 def add_acls_from_sys_metadata(self, resp):
     if resp.environ["REQUEST_METHOD"] in ("HEAD", "GET", "PUT", "POST"):
         prefix = get_sys_meta_prefix("account") + "core-"
         name = "access-control"
         (extname, intname) = ("x-account-" + name, prefix + name)
         acl_dict = parse_acl(version=2, data=resp.headers.pop(intname))
         if acl_dict:  # treat empty dict as empty header
             resp.headers[extname] = format_acl(version=2, acl_dict=acl_dict)
Пример #7
0
 def add_acls_from_sys_metadata(self, resp):
     if resp.environ['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST'):
         prefix = get_sys_meta_prefix('account') + 'core-'
         name = 'access-control'
         (extname, intname) = ('x-account-' + name, prefix + name)
         acl_dict = parse_acl(version=2, data=resp.headers.pop(intname))
         if acl_dict:  # treat empty dict as empty header
             resp.headers[extname] = format_acl(
                 version=2, acl_dict=acl_dict)
Пример #8
0
 def add_acls_from_sys_metadata(self, resp):
     if resp.environ['REQUEST_METHOD'] in ('HEAD', 'GET', 'PUT', 'POST'):
         prefix = get_sys_meta_prefix('account') + 'core-'
         name = 'access-control'
         (extname, intname) = ('x-account-' + name, prefix + name)
         acl_dict = parse_acl(version=2, data=resp.headers.pop(intname))
         if acl_dict:  # treat empty dict as empty header
             resp.headers[extname] = format_acl(version=2,
                                                acl_dict=acl_dict)
Пример #9
0
    def test_admin_acl(self):
        if skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)

        # grant admin access
        acl_user = swift_testing.swift_test_user[2]
        acl = {'admin': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        # including acls
        self.assertEqual(resp.getheader('X-Account-Access-Control'),
                         acl_json_str)

        # admin can write account metadata
        value = str(uuid4())
        headers = {'x-account-meta-test': value}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)

        # admin can even revoke their own access
        headers = {'x-account-access-control': '{}'}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)

        # and again, cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)
Пример #10
0
    def test_admin_acl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)

        # grant admin access
        acl_user = tf.swift_test_user[2]
        acl = {'admin': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        # including acls
        self.assertEqual(resp.getheader('X-Account-Access-Control'),
                         acl_json_str)

        # admin can write account metadata
        value = str(uuid4())
        headers = {'x-account-meta-test': value}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)

        # admin can even revoke their own access
        headers = {'x-account-access-control': '{}'}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)

        # and again, cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)
Пример #11
0
    def test_admin_acl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request("GET", parsed.path, "", {"X-Auth-Token": token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({"X-Auth-Token": token}, **headers)
            conn.request("POST", parsed.path, "", new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)

        # grant admin access
        acl_user = tf.swift_test_user[2]
        acl = {"admin": [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {"x-account-access-control": acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204))
        # including acls
        self.assertEqual(resp.getheader("X-Account-Access-Control"), acl_json_str)

        # admin can write account metadata
        value = str(uuid4())
        headers = {"x-account-meta-test": value}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204))
        self.assertEqual(resp.getheader("X-Account-Meta-Test"), value)

        # admin can even revoke their own access
        headers = {"x-account-access-control": "{}"}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)

        # and again, cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)
Пример #12
0
    def test_format_v2_acl(self):
        tests = [
            ({}, '{}'),
            ({'foo': 'bar'}, '{"foo":"bar"}'),
            ({'groups': ['a', 'b'], 'referrers': ['c.com', '-x.c.com']},
             '{"groups":["a","b"],"referrers":["c.com","-x.c.com"]}'),
        ]

        for data, expected in tests:
            result = acl.format_acl(version=2, acl_dict=data)
            self.assertEquals(expected, result,
                              'data=%r: %r *!=* %r' % (data, result, expected))
Пример #13
0
    def test_format_v2_acl(self):
        tests = [
            ({}, '{}'),
            ({'foo': 'bar'}, '{"foo":"bar"}'),
            ({'groups': ['a', 'b'], 'referrers': ['c.com', '-x.c.com']},
             '{"groups":["a","b"],"referrers":["c.com","-x.c.com"]}'),
        ]

        for data, expected in tests:
            result = acl.format_acl(version=2, acl_dict=data)
            self.assertEqual(expected, result,
                             'data=%r: %r *!=* %r' % (data, result, expected))
Пример #14
0
    def test_invalid_acl_values(self):
        def post(url, token, parsed, conn, headers):
            new_headers = dict({"X-Auth-Token": token}, **headers)
            conn.request("POST", parsed.path, "", new_headers)
            return check_response(conn)

        acl = {"admin": "invalid_value"}
        headers = {"x-account-access-control": format_acl(version=2, acl_dict=acl)}

        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 400)
        self.assertIsNone(resp.getheader("X-Account-Access-Control"))
Пример #15
0
    def test_format_v1_acl(self):
        tests = [
            ((['a', 'b'], ['c.com']), 'a,b,.r:c.com'),
            ((['a', 'b'], ['c.com', '-x.c.com']), 'a,b,.r:c.com,.r:-x.c.com'),
            ((['a', 'b'], None), 'a,b'),
            ((None, ['c.com']), '.r:c.com'),
            ((None, None), ''),
        ]

        for (groups, refs), expected in tests:
            result = acl.format_acl(
                version=1, groups=groups, referrers=refs, header_name='hdr')
            self.assertEquals(expected, result, 'groups=%r, refs=%r: %r != %r'
                              % (groups, refs, result, expected))
Пример #16
0
    def test_invalid_acl_values(self):
        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        acl = {'admin': 'invalid_value'}
        headers = {'x-account-access-control': format_acl(
            version=2, acl_dict=acl)}

        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 400)
        self.assertIsNone(resp.getheader('X-Account-Access-Control'))
Пример #17
0
    def test_read_only_acl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)

        # grant read access
        acl_user = tf.swift_test_user[2]
        acl = {'read-only': [acl_user]}
        headers = {
            'x-account-access-control': format_acl(version=2, acl_dict=acl)
        }
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        # but not acls
        self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

        # read-only can not write metadata
        headers = {'x-account-meta-test': 'value'}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)

        # but they can read it
        headers = {'x-account-meta-test': 'value'}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), 'value')
Пример #18
0
    def test_format_v1_acl(self):
        tests = [
            ((['a', 'b'], ['c.com']), 'a,b,.r:c.com'),
            ((['a', 'b'], ['c.com', '-x.c.com']), 'a,b,.r:c.com,.r:-x.c.com'),
            ((['a', 'b'], None), 'a,b'),
            ((None, ['c.com']), '.r:c.com'),
            ((None, None), ''),
        ]

        for (groups, refs), expected in tests:
            result = acl.format_acl(
                version=1, groups=groups, referrers=refs, header_name='hdr')
            self.assertEqual(expected, result, 'groups=%r, refs=%r: %r != %r'
                             % (groups, refs, result, expected))
Пример #19
0
    def test_invalid_acl_values(self):
        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        acl = {'admin': 'invalid_value'}
        headers = {'x-account-access-control': format_acl(
            version=2, acl_dict=acl)}

        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 400)
        self.assertEqual(resp.getheader('X-Account-Access-Control'), None)
Пример #20
0
    def test_read_only_acl(self):
        if skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEquals(resp.status, 403)

        # grant read access
        acl_user = swift_testing.swift_test_user[2]
        acl = {'read-only': [acl_user]}
        headers = {'x-account-access-control': format_acl(
            version=2, acl_dict=acl)}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        # but not acls
        self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

        # read-only can not write metadata
        headers = {'x-account-meta-test': 'value'}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)

        # but they can read it
        headers = {'x-account-meta-test': 'value'}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204))
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), 'value')
Пример #21
0
    def test_read_only_acl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request("GET", parsed.path, "", {"X-Auth-Token": token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({"X-Auth-Token": token}, **headers)
            conn.request("POST", parsed.path, "", new_headers)
            return check_response(conn)

        # cannot read account
        resp = retry(get, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)

        # grant read access
        acl_user = tf.swift_test_user[2]
        acl = {"read-only": [acl_user]}
        headers = {"x-account-access-control": format_acl(version=2, acl_dict=acl)}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only can read account headers
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204))
        # but not acls
        self.assertIsNone(resp.getheader("X-Account-Access-Control"))

        # read-only can not write metadata
        headers = {"x-account-meta-test": "value"}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 403)

        # but they can read it
        headers = {"x-account-meta-test": "value"}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204))
        self.assertEqual(resp.getheader("X-Account-Meta-Test"), "value")
Пример #22
0
    def test_account_acls(self):
        if tf.skip2:
            raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        def put(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('PUT', parsed.path, '', new_headers)
            return check_response(conn)

        def delete(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('DELETE', parsed.path, '', new_headers)
            return check_response(conn)

        def head(url, token, parsed, conn):
            conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        try:
            # User1 can POST to their own account (and reset the ACLs)
            resp = retry(post,
                         headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User1 can GET their own empty account
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User2 can't GET User1's account
            resp = retry(get, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 403)

            # User1 is swift_owner of their own account, so they can POST an
            # ACL -- let's do this and make User2 (test_user[1]) an admin
            acl_user = tf.swift_test_user[1]
            acl = {'admin': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User1 can see the new header
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            data_from_headers = resp.getheader('x-account-access-control')
            expected = json.dumps(acl, separators=(',', ':'))
            self.assertEqual(data_from_headers, expected)

            # Now User2 should be able to GET the account and see the ACL
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            data_from_headers = resp.getheader('x-account-access-control')
            self.assertEqual(data_from_headers, expected)

            # Revoke User2's admin access, grant User2 read-write access
            acl = {'read-write': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can PUT and DELETE a container
            resp = retry(put,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 201)
            resp = retry(delete,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 204)

            # Revoke User2's read-write access, grant User2 read-only access
            acl = {'read-only': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can't PUT a container
            resp = retry(put,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 403)

        finally:
            # Make sure to clean up even if tests fail -- User2 should not
            # have access to User1's account in other functional tests!
            resp = retry(post,
                         headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
Пример #23
0
    def test_tempauth_account_acls(self):
        if skip:
            raise SkipTest

        # Determine whether this cluster has account ACLs; if not, skip test
        conn = Connection(get_config('func_test'))
        conn.authenticate()
        cluster_info = conn.cluster_info()
        if not cluster_info.get('tempauth', {}).get('account_acls'):
            raise SkipTest
        if 'keystoneauth' in cluster_info:
            # Unfortunate hack -- tempauth (with account ACLs) is expected
            # to play nice with Keystone (without account ACLs), but Zuul
            # functest framework doesn't give us an easy way to get a
            # tempauth user.
            raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        def put(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('PUT', parsed.path, '', new_headers)
            return check_response(conn)

        def delete(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('DELETE', parsed.path, '', new_headers)
            return check_response(conn)

        def head(url, token, parsed, conn):
            conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        try:
            # User1 can POST to their own account (and reset the ACLs)
            resp = retry(post, headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User1 can GET their own empty account
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User2 can't GET User1's account
            resp = retry(get, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 403)

            # User1 is swift_owner of their own account, so they can POST an
            # ACL -- let's do this and make User2 (test_user[1]) an admin
            acl_user = swift_testing.swift_test_user[1]
            acl = {'admin': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User1 can see the new header
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            data_from_headers = resp.getheader('x-account-access-control')
            expected = json.dumps(acl, separators=(',', ':'))
            self.assertEqual(data_from_headers, expected)

            # Now User2 should be able to GET the account and see the ACL
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            data_from_headers = resp.getheader('x-account-access-control')
            self.assertEqual(data_from_headers, expected)

            # Revoke User2's admin access, grant User2 read-write access
            acl = {'read-write': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can PUT and DELETE a container
            resp = retry(put, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 201)
            resp = retry(delete, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 204)

            # Revoke User2's read-write access, grant User2 read-only access
            acl = {'read-only': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can't PUT a container
            resp = retry(put, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 403)

        finally:
            # Make sure to clean up even if tests fail -- User2 should not
            # have access to User1's account in other functional tests!
            resp = retry(post, headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
Пример #24
0
    def setUpClass(klass):
        klass.test_conf = klass._get_s3_sync_conf()

        # Get a reseller_admin token so we don't have to mess with any auth
        # silliness.
        klass.admin_conn = swiftclient.client.Connection(
            klass.SWIFT_CREDS['authurl'],
            klass.SWIFT_CREDS['admin']['user'],
            klass.SWIFT_CREDS['admin']['key'],
            retries=0)
        _, admin_token = klass.admin_conn.get_auth()

        # Get our s3 client biz
        s3 = [container for container in klass.test_conf['containers']
              if container.get('protocol', 's3') == 's3'][0]
        klass.S3_CREDS.update({
            'endpoint': 'http://1space-s3proxy:%d' % klass.PORTS['s3'],
            'user': s3['aws_identity'],
            'key': s3['aws_secret'],
        })
        session = boto3.session.Session(
            aws_access_key_id=s3['aws_identity'],
            aws_secret_access_key=s3['aws_secret'])
        conf = boto3.session.Config(s3={'addressing_style': 'path'})
        klass.s3_client = session.client(
            's3', config=conf,
            endpoint_url='http://1space-s3proxy:%d' % klass.PORTS['s3'])

        url_user_key_to_acct = {}  # temporary for deduping account lookups
        for mapping in \
                klass.test_conf['containers'] + klass.test_conf['migrations']:
            # Make sure we have a connection for any Swift account on either
            # "end".  For remote ends, we have to auth once to find the account
            # name; we use url_user_key_to_acct to only do that once per input
            # tuple that could give us different answers.
            acct_utf8 = mapping['account'].encode('utf8')
            klass._add_conns_for_swift_acct(acct_utf8, admin_token)

            if mapping['protocol'] == 'swift':
                # Get conns for the other side, too
                if mapping.get('remote_account'):
                    acct_utf8 = mapping['remote_account'].encode('utf8')
                else:
                    if mapping.get('auth_type') == 'keystone_v2':
                        conn_key = (mapping['aws_endpoint'],
                                    mapping['aws_identity'],
                                    mapping['aws_secret'],
                                    mapping['tenant_name'])
                    elif mapping.get('auth_type') == 'keystone_v3':
                        conn_key = (mapping['aws_endpoint'],
                                    mapping['aws_identity'],
                                    mapping['aws_secret'],
                                    mapping['project_name'],
                                    mapping['user_domain_name'],
                                    mapping['project_domain_name'])
                    else:
                        conn_key = (mapping['aws_endpoint'],
                                    mapping['aws_identity'],
                                    mapping['aws_secret'])
                    acct_utf8 = url_user_key_to_acct.get(conn_key)
                if not acct_utf8:
                    connection_kwargs = {
                        'authurl': mapping['aws_endpoint'],
                        'user': mapping['aws_identity'],
                        'key': mapping['aws_secret'],
                        'retries': 0
                    }

                    if mapping.get('auth_type') == 'keystone_v2':
                        connection_kwargs['os_options'] = {
                            'tenant_name': mapping.get('tenant_name'),
                        }
                        connection_kwargs['auth_version'] = '2'
                    elif mapping.get('auth_type') == 'keystone_v3':
                        connection_kwargs['os_options'] = {
                            'project_name': mapping.get('project_name'),
                            'user_domain_name': mapping.get(
                                'user_domain_name'),
                            'project_domain_name':
                            mapping.get('project_domain_name')
                        }
                        connection_kwargs['auth_version'] = '3'

                    # Need to auth to get acct name, then add it to the cache
                    conn = swiftclient.client.Connection(**connection_kwargs)
                    url, _ = conn.get_auth()
                    acct_utf8 = urllib.unquote(url.rsplit('/')[-1])
                    url_user_key_to_acct[conn_key] = acct_utf8
                klass._add_conns_for_swift_acct(acct_utf8, admin_token)
                # As a convenience for ourselves, we'll stick the resolved
                # remote Swift account name in the mapping as "aws_account"
                # (stored as Unicode string for consistency)
                mapping['aws_account'] = acct_utf8.decode('utf8')

            # Now maybe auto-create some containers
            if mapping.get('aws_bucket') == '/*':
                continue
            if container['aws_bucket'].startswith('no-auto-'):
                # Remove any no-auto create containers for swift
                if mapping['protocol'] == 'swift':
                    try:
                        conn = klass.conn_for_acct_noshunt(
                            mapping['aws_account'])
                        conn.delete_container(mapping['aws_bucket'])
                    except swiftclient.exceptions.ClientException as e:
                        if e.http_status == 404:
                            continue
                        raise
            else:
                if mapping['protocol'] == 'swift' and \
                        mapping.get('aws_bucket'):
                    # For now, the aws_bucket is just a prefix, not a container
                    # name for a swift destination that has a source container
                    # of /*.  So don't create a container of that name.
                    if mapping.get('container') != '/*':
                        acct = mapping.get('remote_bucket',
                                           mapping['aws_account'])
                        conn = klass.conn_for_acct_noshunt(acct)
                        conn.put_container(mapping['aws_bucket'])
                else:
                    try:
                        klass.s3_client.create_bucket(
                            Bucket=mapping['aws_bucket'])
                    except botocore.exceptions.ClientError as e:
                        if e.response['Error']['Code'] == 409:
                            pass
            if mapping.get('container') and mapping.get('container') != '/*':
                conn = klass.conn_for_acct_noshunt(mapping['account'])
                if mapping['container'].startswith('no-auto-'):
                    try:
                        conn.delete_container(mapping['container'])
                    except swiftclient.exceptions.ClientException as e:
                        if e.http_status != 404:
                            raise
                else:
                    conn.put_container(mapping['container'])

        klass.swift_src = klass.conn_for_acct('AUTH_test')
        klass.swift_dst = klass.conn_for_acct(
            u"AUTH_\u062aacct2".encode('utf8'))
        klass.swift_nuser = klass.conn_for_acct('AUTH_nacct')
        klass.swift_nuser2 = klass.conn_for_acct('AUTH_nacct2')
        klass.swift_nuser2 = klass.conn_for_acct('AUTH_nacct2')
        # We actually test auth through this connection, so give it real creds:
        klass.cloud_connector_client = swiftclient.Connection(
            'http://cloud-connector:%d/auth/v1.0' %
            klass.PORTS['cloud_connector'],
            klass.SWIFT_CREDS['cloud-connector']['user'],
            klass.SWIFT_CREDS['cloud-connector']['key'],
            retries=0)

        # A test is going to need this Keystone user (tenant? whatever) able to
        # read/write this tempauth account.
        keystone_uuid = url_user_key_to_acct[(
            "http://1space-keystone:5000/v2.0",
            "tester", "testing", "test")].replace('KEY_', '')
        acl_dict = {'read-write': [keystone_uuid]}
        acl = format_acl(version=2, acl_dict=acl_dict)
        conn = klass.conn_for_acct(u"AUTH_\u062aacct2")
        conn.post_account({ACCOUNT_ACL_KEY: acl})

        klass.statsd_server = utils.StatsdServer(port=21337)
        klass.statsd_server.serve()
        klass.aws_identity = os.environ.get('AWS_IDENTITY')
        klass.aws_bucket = os.environ.get('AWS_BUCKET', '1space-test')
        klass.aws_secret = os.environ.get('AWS_SECRET')
        klass.run_long_tests = os.environ.get('RUN_LONG_TESTS')
        if all((klass.aws_identity, klass.aws_bucket, klass.aws_secret)):
            klass.has_aws = True
        else:
            klass.has_aws = False
Пример #25
0
    def test_tempauth_account_acls(self):
        if skip:
            raise SkipTest

        # Determine whether this cluster has account ACLs; if not, skip test
        conn = Connection(get_config('func_test'))
        conn.authenticate()
        status = conn.make_request('GET', '/info', cfg={'verbatim_path': True})
        if status // 100 != 2:
            # Can't tell if account ACLs are enabled; skip tests proactively.
            raise SkipTest
        else:
            cluster_info = json.loads(conn.response.read())
            if not cluster_info.get('tempauth', {}).get('account_acls'):
                raise SkipTest
            if 'keystoneauth' in cluster_info:
                # Unfortunate hack -- tempauth (with account ACLs) is expected
                # to play nice with Keystone (without account ACLs), but Zuul
                # functest framework doesn't give us an easy way to get a
                # tempauth user.
                raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        def put(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('PUT', parsed.path, '', new_headers)
            return check_response(conn)

        def delete(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('DELETE', parsed.path, '', new_headers)
            return check_response(conn)

        def head(url, token, parsed, conn):
            conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        try:
            # User1 can POST to their own account (and reset the ACLs)
            resp = retry(post,
                         headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User1 can GET their own empty account
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User2 can't GET User1's account
            resp = retry(get, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 403)

            # User1 is swift_owner of their own account, so they can POST an
            # ACL -- let's do this and make User2 (test_user[1]) an admin
            acl_user = swift_testing.swift_test_user[1]
            acl = {'admin': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User1 can see the new header
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            data_from_headers = resp.getheader('x-account-access-control')
            expected = json.dumps(acl, separators=(',', ':'))
            self.assertEqual(data_from_headers, expected)

            # Now User2 should be able to GET the account and see the ACL
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            data_from_headers = resp.getheader('x-account-access-control')
            self.assertEqual(data_from_headers, expected)

            # Revoke User2's admin access, grant User2 read-write access
            acl = {'read-write': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can PUT and DELETE a container
            resp = retry(put,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 201)
            resp = retry(delete,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 204)

            # Revoke User2's read-write access, grant User2 read-only access
            acl = {'read-only': [acl_user]}
            headers = {
                'x-account-access-control': format_acl(version=2, acl_dict=acl)
            }
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can't PUT a container
            resp = retry(put,
                         use_account=2,
                         url_account=1,
                         resource='%(storage_url)s/mycontainer',
                         headers={})
            resp.read()
            self.assertEqual(resp.status, 403)

        finally:
            # Make sure to clean up even if tests fail -- User2 should not
            # have access to User1's account in other functional tests!
            resp = retry(post,
                         headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
Пример #26
0
    def test_account_acls(self):
        if skip2:
            raise SkipTest

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        def put(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('PUT', parsed.path, '', new_headers)
            return check_response(conn)

        def delete(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('DELETE', parsed.path, '', new_headers)
            return check_response(conn)

        def head(url, token, parsed, conn):
            conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        try:
            # User1 can POST to their own account (and reset the ACLs)
            resp = retry(post, headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User1 can GET their own empty account
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            self.assertEqual(resp.getheader('X-Account-Access-Control'), None)

            # User2 can't GET User1's account
            resp = retry(get, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 403)

            # User1 is swift_owner of their own account, so they can POST an
            # ACL -- let's do this and make User2 (test_user[1]) an admin
            acl_user = swift_testing.swift_test_user[1]
            acl = {'admin': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User1 can see the new header
            resp = retry(get, use_account=1)
            resp.read()
            self.assertEqual(resp.status // 100, 2)
            data_from_headers = resp.getheader('x-account-access-control')
            expected = json.dumps(acl, separators=(',', ':'))
            self.assertEqual(data_from_headers, expected)

            # Now User2 should be able to GET the account and see the ACL
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            data_from_headers = resp.getheader('x-account-access-control')
            self.assertEqual(data_from_headers, expected)

            # Revoke User2's admin access, grant User2 read-write access
            acl = {'read-write': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can PUT and DELETE a container
            resp = retry(put, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 201)
            resp = retry(delete, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 204)

            # Revoke User2's read-write access, grant User2 read-only access
            acl = {'read-only': [acl_user]}
            headers = {'x-account-access-control': format_acl(
                version=2, acl_dict=acl)}
            resp = retry(post, headers=headers, use_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)

            # User2 can still GET the account, but not see the ACL
            # (since it's privileged data)
            resp = retry(head, use_account=2, url_account=1)
            resp.read()
            self.assertEqual(resp.status, 204)
            self.assertEqual(resp.getheader('x-account-access-control'), None)

            # User2 can't PUT a container
            resp = retry(put, use_account=2, url_account=1,
                         resource='%(storage_url)s/mycontainer', headers={})
            resp.read()
            self.assertEqual(resp.status, 403)

        finally:
            # Make sure to clean up even if tests fail -- User2 should not
            # have access to User1's account in other functional tests!
            resp = retry(post, headers={'X-Account-Access-Control': '{}'},
                         use_account=1)
            resp.read()
Пример #27
0
    def test_protected_tempurl(self):
        if skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # add a account metadata, and temp-url-key to account
        value = str(uuid4())
        headers = {
            'x-account-meta-temp-url-key': 'secret',
            'x-account-meta-test': value,
        }
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # grant read-only access to tester3
        acl_user = swift_testing.swift_test_user[2]
        acl = {'read-only': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # but not temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None)

        # grant read-write access to tester3
        acl_user = swift_testing.swift_test_user[2]
        acl = {'read-write': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-write tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # but not temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None)

        # grant admin access to tester3
        acl_user = swift_testing.swift_test_user[2]
        acl = {'admin': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # including temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'),
                         'secret')

        # admin tester3 can even change temp-url-key
        secret = str(uuid4())
        headers = {
            'x-account-meta-temp-url-key': secret,
        }
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'),
                         secret)
Пример #28
0
    def test_protected_tempurl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request('GET', parsed.path, '', {'X-Auth-Token': token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({'X-Auth-Token': token}, **headers)
            conn.request('POST', parsed.path, '', new_headers)
            return check_response(conn)

        # add an account metadata, and temp-url-key to account
        value = str(uuid4())
        headers = {
            'x-account-meta-temp-url-key': 'secret',
            'x-account-meta-test': value,
        }
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # grant read-only access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {'read-only': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # but not temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None)

        # grant read-write access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {'read-write': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-write tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # but not temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), None)

        # grant admin access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {'admin': [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {'x-account-access-control': acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Test'), value)
        # including temp-url-key
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'),
                         'secret')

        # admin tester3 can even change temp-url-key
        secret = str(uuid4())
        headers = {
            'x-account-meta-temp-url-key': secret,
        }
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assert_(resp.status in (200, 204),
                     'Expected status in (200, 204), got %s' % resp.status)
        self.assertEqual(resp.getheader('X-Account-Meta-Temp-Url-Key'), secret)
Пример #29
0
    def test_protected_tempurl(self):
        if tf.skip3:
            raise SkipTest

        def get(url, token, parsed, conn):
            conn.request("GET", parsed.path, "", {"X-Auth-Token": token})
            return check_response(conn)

        def post(url, token, parsed, conn, headers):
            new_headers = dict({"X-Auth-Token": token}, **headers)
            conn.request("POST", parsed.path, "", new_headers)
            return check_response(conn)

        # add an account metadata, and temp-url-key to account
        value = str(uuid4())
        headers = {"x-account-meta-temp-url-key": "secret", "x-account-meta-test": value}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # grant read-only access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {"read-only": [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {"x-account-access-control": acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-only tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status)
        self.assertEqual(resp.getheader("X-Account-Meta-Test"), value)
        # but not temp-url-key
        self.assertIsNone(resp.getheader("X-Account-Meta-Temp-Url-Key"))

        # grant read-write access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {"read-write": [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {"x-account-access-control": acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # read-write tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status)
        self.assertEqual(resp.getheader("X-Account-Meta-Test"), value)
        # but not temp-url-key
        self.assertIsNone(resp.getheader("X-Account-Meta-Temp-Url-Key"))

        # grant admin access to tester3
        acl_user = tf.swift_test_user[2]
        acl = {"admin": [acl_user]}
        acl_json_str = format_acl(version=2, acl_dict=acl)
        headers = {"x-account-access-control": acl_json_str}
        resp = retry(post, headers=headers, use_account=1)
        resp.read()
        self.assertEqual(resp.status, 204)

        # admin tester3 can read account metadata
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status)
        self.assertEqual(resp.getheader("X-Account-Meta-Test"), value)
        # including temp-url-key
        self.assertEqual(resp.getheader("X-Account-Meta-Temp-Url-Key"), "secret")

        # admin tester3 can even change temp-url-key
        secret = str(uuid4())
        headers = {"x-account-meta-temp-url-key": secret}
        resp = retry(post, headers=headers, use_account=3)
        resp.read()
        self.assertEqual(resp.status, 204)
        resp = retry(get, use_account=3)
        resp.read()
        self.assertIn(resp.status, (200, 204), "Expected status in (200, 204), got %s" % resp.status)
        self.assertEqual(resp.getheader("X-Account-Meta-Temp-Url-Key"), secret)