diff --git a/bin/swift-temp-url b/bin/swift-temp-url
index da7595a753..1448f2601d 100755
--- a/bin/swift-temp-url
+++ b/bin/swift-temp-url
@@ -13,8 +13,7 @@ if __name__ == '__main__':
 print 'Syntax: %s ' % prog
 print
 print 'Where:'
- print ' The method to allow, GET or PUT.'
- print ' Note: HEAD will also be allowed.'
+ print ' The method to allow; GET for example.'
 print ' The number of seconds from now to allow requests.'
 print ' The full path to the resource.'
 print ' Example: /v1/AUTH_account/c/o'
@@ -35,9 +34,6 @@ if __name__ == '__main__':
 'temp_url_expires=1323482948'
 exit(1)
 method, seconds, path, key = argv[1:]
- if method not in ('GET', 'PUT'):
- print 'Please use either the GET or PUT method.'
- exit(1)
 try:
 expires = int(time() + int(seconds))
 except ValueError:
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index c05a345c88..edeaabbdaf 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -282,6 +282,8 @@ use = egg:swift#staticweb
 # Note: Put tempurl just before your auth filter(s) in the pipeline
 [filter:tempurl]
 use = egg:swift#tempurl
+# The methods allowed with Temp URLs.
+# methods = GET HEAD PUT
 #
 # The headers to remove from incoming requests. Simply a whitespace delimited
 # list of header names and names can optionally end with '*' to indicate a
diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
index a4bd2612a5..ea2f0633c1 100644
--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@@ -173,6 +173,9 @@ class TempURL(object):
 #: The filter configuration dict.
 self.conf = conf
+ #: The methods allowed with Temp URLs.
+ self.methods = conf.get('methods', 'GET HEAD PUT').split()
+
 headers = DEFAULT_INCOMING_REMOVE_HEADERS
 if 'incoming_remove_headers' in conf:
 headers = conf['incoming_remove_headers']
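Review bot: The new `methods` comment in etc/proxy-server.conf-sample says neither that the list is whitespace delimited nor what widening it means for an operator. A signed temp URL works as a bearer credential, so any method listed here (DELETE, for instance) can be signed into a URL that anyone who obtains it can use until it expires. I would extend the comment along the lines of `# The methods allowed with Temp URLs; whitespace delimited. Anyone holding a` / `# valid signed URL can use the method it was signed for until it expires.`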
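Review bot: In TempURL.__init__ (swift/common/middleware/tempurl.py) the configured value is used exactly as typed, so `methods = get put` would produce entries that never equal an upper-case `REQUEST_METHOD` in `_get_account`, and temp URLs would presumably be refused with no hint why. Normalising once at load time avoids that: `self.methods = conf.get('methods', 'GET HEAD PUT').upper().split()`. An empty `methods =` value yields an empty list and so turns temp URLs off entirely, which deserves a line in the `#:` comment. The signature check itself is outside these hunks, so please confirm it no longer assumes only GET, PUT and HEAD; __init__ also starts and ends outside the hunk.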
@@ -290,14 +293,15 @@ class TempURL(object):
 def _get_account(self, env):
 """
- Returns just the account for the request, if it's an object GET, PUT,
- or HEAD request; otherwise, None is returned.
+ Returns just the account for the request, if it's an object
+ request and one of the configured methods; otherwise, None is
+ returned.
 :param env: The WSGI environment for the request.
 :returns: Account str or None.
 """
 account = None
- if env['REQUEST_METHOD'] in ('GET', 'PUT', 'HEAD'):
+ if env['REQUEST_METHOD'] in self.methods:
 parts = env['PATH_INFO'].split('/', 4)
 # Must be five parts, ['', 'v1', 'a', 'c', 'o'], must be a v1
 # request, have account, container, and object values, and the
diff --git a/test/unit/common/middleware/test_tempurl.py b/test/unit/common/middleware/test_tempurl.py
index 6345aa6369..23e3f2900c 100644
--- a/test/unit/common/middleware/test_tempurl.py
+++ b/test/unit/common/middleware/test_tempurl.py
@@ -336,6 +336,22 @@ class TestTempURL(unittest.TestCase):
 self.assertEquals(resp.status_int, 401)
 self.assertTrue('Temp URL invalid' in resp.body)
+ def test_delete_allowed_with_conf(self):
+ self.tempurl.methods.append('DELETE')
+ method = 'DELETE'
+ expires = int(time() + 86400)
+ path = '/v1/a/c/o'
+ key = 'abc'
+ hmac_body = '%s\n%s\n%s' % (method, expires, path)
+ sig = hmac.new(key, hmac_body, sha1).hexdigest()
+ req = self._make_request(path,
+ environ={'REQUEST_METHOD': 'DELETE',
+ 'QUERY_STRING':
+ 'temp_url_sig=%s&temp_url_expires=%s' % (sig, expires)})
+ req.environ['swift.cache'].set('temp-url-key/a', key)
+ resp = req.get_response(self.tempurl)
+ self.assertEquals(resp.status_int, 404)
+
 def test_unknown_not_allowed(self):
 method = 'UNKNOWN'
 expires = int(time() + 86400)
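Review bot: test_delete_allowed_with_conf appends to `self.tempurl.methods` directly, so the behaviour this commit adds, reading `methods` from the filter conf, is never exercised. Building the middleware from a conf dict that contains `'methods': 'GET HEAD PUT DELETE'` would also cover the `split()` in `__init__`. The 404 assertion needs a comment such as `# 404 comes from the app behind tempurl: the signature was accepted (a rejection is 401)`; that is my reading of the neighbouring 401 test and should be confirmed. I also see no companion test showing DELETE is refused under the default configuration, so if none exists outside this hunk, please add one.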