示例#1
0
 def authorize(self, req):
     """
     Returns None if the request is authorized to continue or a standard
     WSGI response callable if not.
     """
     try:
         version, account, container, obj = split_path(req.path, 1, 4, True)
     except ValueError:
         return HTTPNotFound(request=req)
     if not account or not account.startswith(self.reseller_prefix):
         return self.denied_response(req)
     user_groups = (req.remote_user or '').split(',')
     if '.reseller_admin' in user_groups and \
             account != self.reseller_prefix and \
             account[len(self.reseller_prefix)] != '.':
         req.environ['chase_owner'] = True
         return None
     if account in user_groups and \
             (req.method not in ('DELETE', 'PUT') or container):
         # If the user is admin for the account and is not trying to do an
         # account DELETE or PUT...
         req.environ['chase_owner'] = True
         return None
     if (req.environ.get('chase_sync_key')
             and req.environ['chase_sync_key'] == req.headers.get(
                 'x-container-sync-key', None)
             and 'x-timestamp' in req.headers
             and (req.remote_addr in self.allowed_sync_hosts
                  or get_remote_client(req) in self.allowed_sync_hosts)):
         return None
     referrers, groups = parse_acl(getattr(req, 'acl', None))
     if referrer_allowed(req.referer, referrers):
         if obj or '.rlistings' in groups:
             return None
         return self.denied_response(req)
     if not req.remote_user:
         return self.denied_response(req)
     for user_group in user_groups:
         if user_group in groups:
             return None
     return self.denied_response(req)
示例#2
0
 def authorize(self, req):
     """
     Returns None if the request is authorized to continue or a standard
     WSGI response callable if not.
     """
     try:
         version, account, container, obj = split_path(req.path, 1, 4, True)
     except ValueError:
         return HTTPNotFound(request=req)
     if not account or not account.startswith(self.reseller_prefix):
         return self.denied_response(req)
     user_groups = (req.remote_user or '').split(',')
     if '.reseller_admin' in user_groups and \
             account != self.reseller_prefix and \
             account[len(self.reseller_prefix)] != '.':
         req.environ['chase_owner'] = True
         return None
     if account in user_groups and \
             (req.method not in ('DELETE', 'PUT') or container):
         # If the user is admin for the account and is not trying to do an
         # account DELETE or PUT...
         req.environ['chase_owner'] = True
         return None
     if (req.environ.get('chase_sync_key') and
         req.environ['chase_sync_key'] ==
             req.headers.get('x-container-sync-key', None) and
         'x-timestamp' in req.headers and
         (req.remote_addr in self.allowed_sync_hosts or
          get_remote_client(req) in self.allowed_sync_hosts)):
         return None
     referrers, groups = parse_acl(getattr(req, 'acl', None))
     if referrer_allowed(req.referer, referrers):
         if obj or '.rlistings' in groups:
             return None
         return self.denied_response(req)
     if not req.remote_user:
         return self.denied_response(req)
     for user_group in user_groups:
         if user_group in groups:
             return None
     return self.denied_response(req)
示例#3
0
 def _authorize_anon_object(self, req, account, container, obj):
     referrers, groups = parse_acl(getattr(req, 'acl', None))
     if referrer_allowed(req.referer, referrers):
         self.log.debug('anonymous request AUTHORIZED OKAY')
         return None
     return self.unauthorized(req)
示例#4
0
 def _authorize_anon_object(self, req, account, container, obj):
     referrers, groups = parse_acl(getattr(req, "acl", None))
     if referrer_allowed(req.referer, referrers):
         self.log.debug("anonymous request AUTHORIZED OKAY")
         return None
     return self.unauthorized(req)
示例#5
0
 def test_referrer_allowed(self):
     self.assert_(not acl.referrer_allowed('host', None))
     self.assert_(not acl.referrer_allowed('host', []))
     self.assert_(acl.referrer_allowed(None, ['*']))
     self.assert_(acl.referrer_allowed('', ['*']))
     self.assert_(not acl.referrer_allowed(None, ['specific.host']))
     self.assert_(not acl.referrer_allowed('', ['specific.host']))
     self.assert_(
         acl.referrer_allowed('http://www.example.com/index.html',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://[email protected]/index.html',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://*****:*****@www.example.com/index.html',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://www.example.com:8080/index.html',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://[email protected]:8080/index.html',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed(
             'http://*****:*****@www.example.com:8080/index.html',
             ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://*****:*****@www.example.com:8080',
                              ['.example.com']))
     self.assert_(
         acl.referrer_allowed('http://www.example.com', ['.example.com']))
     self.assert_(
         not acl.referrer_allowed('http://thief.example.com',
                                  ['.example.com', '-thief.example.com']))
     self.assert_(not acl.referrer_allowed('http://thief.example.com',
                                           ['*', '-thief.example.com']))
     self.assert_(
         acl.referrer_allowed('http://www.example.com',
                              ['.other.com', 'www.example.com']))
     self.assert_(
         acl.referrer_allowed('http://www.example.com',
                              ['-.example.com', 'www.example.com']))
     # This is considered a relative uri to the request uri, a mode not
     # currently supported.
     self.assert_(
         not acl.referrer_allowed('www.example.com', ['.example.com']))
     self.assert_(
         not acl.referrer_allowed('../index.html', ['.example.com']))
     self.assert_(acl.referrer_allowed('www.example.com', ['*']))
示例#6
0
 def test_referrer_allowed(self):
     self.assert_(not acl.referrer_allowed('host', None))
     self.assert_(not acl.referrer_allowed('host', []))
     self.assert_(acl.referrer_allowed(None, ['*']))
     self.assert_(acl.referrer_allowed('', ['*']))
     self.assert_(not acl.referrer_allowed(None, ['specific.host']))
     self.assert_(not acl.referrer_allowed('', ['specific.host']))
     self.assert_(acl.referrer_allowed('http://www.example.com/index.html',
                                       ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://[email protected]/index.html', ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://*****:*****@www.example.com/index.html', ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://www.example.com:8080/index.html', ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://[email protected]:8080/index.html', ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://*****:*****@www.example.com:8080/index.html',
         ['.example.com']))
     self.assert_(acl.referrer_allowed(
         'http://*****:*****@www.example.com:8080', ['.example.com']))
     self.assert_(acl.referrer_allowed('http://www.example.com',
                                       ['.example.com']))
     self.assert_(not acl.referrer_allowed('http://thief.example.com',
         ['.example.com', '-thief.example.com']))
     self.assert_(not acl.referrer_allowed('http://thief.example.com',
         ['*', '-thief.example.com']))
     self.assert_(acl.referrer_allowed('http://www.example.com',
         ['.other.com', 'www.example.com']))
     self.assert_(acl.referrer_allowed('http://www.example.com',
         ['-.example.com', 'www.example.com']))
     # This is considered a relative uri to the request uri, a mode not
     # currently supported.
     self.assert_(not acl.referrer_allowed('www.example.com',
                                           ['.example.com']))
     self.assert_(not acl.referrer_allowed('../index.html',
                                           ['.example.com']))
     self.assert_(acl.referrer_allowed('www.example.com', ['*']))