Add tests and doc entry for request.environ[reseller_request]

The recent account_quotas (https://review.openstack.org/23434)
patch added a new setting request.environ[reseller_request].
This patch adds tests for tempauth and keystoneauth as well as
an updated overview_auth.rst.

Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
Christian Schwede 2013-03-08 19:33:27 +01:00
parent 5e427e5e3b
commit 157c3c91ee
4 changed files with 28 additions and 0 deletions


@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
Li Riqiang (lrqrun@gmail.com) Li Riqiang (lrqrun@gmail.com)
Victor Rodionov (victor.rodionov@nexenta.com) Victor Rodionov (victor.rodionov@nexenta.com)
Brent Roskos (broskos@internap.com) Brent Roskos (broskos@internap.com)
Christian Schwede (info@cschwede.de)
Michael Shuler (mshuler@rackspace.com) Michael Shuler (mshuler@rackspace.com)
Andrew Clay Shafer (acs@parvuscaptus.com) Andrew Clay Shafer (acs@parvuscaptus.com)
Scott Simpson (sasimpson@gmail.com) Scott Simpson (sasimpson@gmail.com)


@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
True, the proxy will return additional header information in some requests, True, the proxy will return additional header information in some requests,
such as the X-Container-Sync-Key for a container GET or HEAD. such as the X-Container-Sync-Key for a container GET or HEAD.
Users with the special group ``.reseller_admin`` can operate on any account.
For an example usage please see :mod:`swift.common.middleware.tempauth`.
If a request is coming from a reseller the auth system sets the request environ
reseller_request to True. This can be used by other middlewares.
TempAuth will now allow OPTIONS requests to go through without a token. TempAuth will now allow OPTIONS requests to go through without a token.
The user starts a session by sending a ReST request to the auth system to The user starts a session by sending a ReST request to the auth system to
@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
other users on containers, see the documentation on ACL here other users on containers, see the documentation on ACL here
:mod:`swift.common.middleware.acl`. :mod:`swift.common.middleware.acl`.
Users with the Keystone role defined in ``reseller_admin_role``
(``ResellerAdmin`` by default) can operate on any account. The auth system
sets the request environ reseller_request to True if a request is coming
from an user with this role. This can be used by other middlewares.
-------------- --------------
Extending Auth Extending Auth
-------------- --------------


@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
resp = req.get_response(self._get_successful_middleware()) resp = req.get_response(self._get_successful_middleware())
self.assertEqual(resp.status_int, 200) self.assertEqual(resp.status_int, 200)
def test_detect_reseller_request(self):
role = self.test_auth.reseller_admin_role
headers = self._get_identity_headers(role=role)
req = self._make_request('/v1/AUTH_acct/c', headers)
resp = req.get_response(self._get_successful_middleware())
self.assertTrue(req.environ.get('reseller_request'))
def test_confirmed_identity_is_not_authorized(self): def test_confirmed_identity_is_not_authorized(self):
headers = self._get_identity_headers() headers = self._get_identity_headers()
req = self._make_request('/v1/AUTH_acct/c', headers) req = self._make_request('/v1/AUTH_acct/c', headers)
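Review bot: test_detect_reseller_request checks only the positive case, so it would still pass if keystoneauth set `reseller_request` for every authenticated identity. The documentation added in this commit tells other middlewares they can rely on the flag, so a request without the reseller role should be asserted to leave it unset. The same gap applies to the tempauth test of the same name added later in this commit. `resp` is also assigned but never checked; adding `self.assertEqual(resp.status_int, 200)` would confirm the request was actually authorized. A negative counterpart could look like the sketch below, assuming `_get_identity_headers()` without arguments yields a non-reseller identity, which should be confirmed against the helper.

```python
    def test_no_reseller_request_without_reseller_role(self):
        # assumes the helper's default role is not reseller_admin_role
        headers = self._get_identity_headers()
        req = self._make_request('/v1/AUTH_acct/c', headers)
        req.get_response(self._get_successful_middleware())
        self.assertFalse(req.environ.get('reseller_request'))
```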


@ -16,6 +16,7 @@
import unittest import unittest
from contextlib import contextmanager from contextlib import contextmanager
from base64 import b64encode from base64 import b64encode
from time import time
from swift.common.middleware import tempauth as auth from swift.common.middleware import tempauth as auth
from swift.common.swob import Request, Response from swift.common.swob import Request, Response
@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
req.acl = '.r:.example.com,.rlistings' req.acl = '.r:.example.com,.rlistings'
self.assertEquals(self.test_auth.authorize(req), None) self.assertEquals(self.test_auth.authorize(req), None)
def test_detect_reseller_request(self):
req = self._make_request('/v1/AUTH_admin',
headers={'X-Auth-Token': 'AUTH_t'})
cache_key = 'AUTH_/token/AUTH_t'
cache_entry = (time()+3600, '.reseller_admin')
req.environ['swift.cache'].set(cache_key, cache_entry)
resp = req.get_response(self.test_auth)
self.assertTrue(req.environ.get('reseller_request', False))
def test_account_put_permissions(self): def test_account_put_permissions(self):
req = self._make_request('/v1/AUTH_new', req = self._make_request('/v1/AUTH_new',
environ={'REQUEST_METHOD': 'PUT'}) environ={'REQUEST_METHOD': 'PUT'})
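Review bot: The `False` default in `req.environ.get('reseller_request', False)` is redundant, because `assertTrue` fails on `None` exactly as it does on `False`. It also differs from the keystoneauth test in this commit, which calls `.get('reseller_request')` with no default; `self.assertTrue(req.environ.get('reseller_request'))` would keep the two tests consistent. The hunk ends inside test_account_put_permissions, whose body continues outside the visible lines.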