openstack/swift
Code Issues Proposed changes

Make swift-auth-to-swauth work with really old devauth dbs.

Browse Source 
Update swauth to accept non-alnum chars in account and user names.
This commit is contained in:
gholt 2011-02-17 21:57:04 +00:00 committed by Tarmac
commit 24a624345d
3 changed files with 39 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
bin/swift-auth-to-swauth
View File

@ -23,16 +23,18 @@ import sqlite3
if __name__ == '__main__':
gettext.install('swift', unicode=1)
if len(argv) != 4 or argv[1] != '-K':
exit('Syntax: %s -K <super_admin_key> <path to auth.db>' % argv[0])
_junk, _junk, super_admin_key, auth_db = argv
# This version will not attempt to prep swauth
# call(['swauth-prep', '-K', super_admin_key])
if len(argv) != 2:
exit('Syntax: %s <path_to_auth.db>' % argv[0])
_junk, auth_db = argv
conn = sqlite3.connect(auth_db)
for account, cfaccount, user, password, admin, reseller_admin in \
conn.execute('SELECT account, cfaccount, user, password, admin, '
'reseller_admin FROM account'):
cmd = ['swauth-add-user', '-K', super_admin_key, '-s',
try:
listing = conn.execute('SELECT account, cfaccount, user, password, '
'admin, reseller_admin FROM account')
except sqlite3.OperationalError, err:
listing = conn.execute('SELECT account, cfaccount, user, password, '
'"f", "f" FROM account')
for account, cfaccount, user, password, admin, reseller_admin in listing:
cmd = ['swauth-add-user', '-K', '<your_swauth_key>', '-s',
cfaccount.split('_', 1)[1]]
if admin == 't':
cmd.append('-a')
@ -40,9 +42,3 @@ if __name__ == '__main__':
cmd.append('-r')
cmd.extend([account, user, password])
print ' '.join(cmd)
# For this version, the script will only print out the commands
# call(cmd)
print '----------------------------------------------------------------'
print ' Assuming the above worked perfectly, you should copy and paste '
print ' those lines into your ~/bin/recreateaccounts script.'
print '----------------------------------------------------------------'

21
swift/common/middleware/swauth.py
View File

@ -268,7 +268,7 @@ class Swauth(object):
user_groups = (req.remote_user or '').split(',')
if '.reseller_admin' in user_groups and \
account != self.reseller_prefix and \
account[len(self.reseller_prefix)].isalnum():
account[len(self.reseller_prefix)] != '.':
return None
if account in user_groups and \
(req.method not in ('DELETE', 'PUT') or container):
@ -474,7 +474,7 @@ class Swauth(object):
explained above.
"""
account = req.path_info_pop()
if req.path_info or not account.isalnum():
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
@ -550,7 +550,7 @@ class Swauth(object):
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info != '/.services' or not account.isalnum():
if req.path_info != '/.services' or not account or account[0] == '.':
return HTTPBadRequest(request=req)
try:
new_services = json.loads(req.body)
@ -596,7 +596,7 @@ class Swauth(object):
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info or not account.isalnum():
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
# Ensure the container in the main auth account exists (this
# container represents the new account)
@ -678,7 +678,7 @@ class Swauth(object):
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info or not account.isalnum():
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
# Make sure the account has no users and get the account_id
marker = ''
@ -798,8 +798,8 @@ class Swauth(object):
"""
account = req.path_info_pop()
user = req.path_info_pop()
if req.path_info or not account.isalnum() or \
(not user.isalnum() and user != '.groups'):
if req.path_info or not account or account[0] == '.' or not user or \
(user[0] == '.' and user != '.groups'):
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
@ -873,8 +873,8 @@ class Swauth(object):
req.headers.get('x-auth-user-reseller-admin') == 'true'
if reseller_admin:
admin = True
if req.path_info or not account.isalnum() or not user.isalnum() or \
not key:
if req.path_info or not account or account[0] == '.' or not user or \
user[0] == '.' or not key:
return HTTPBadRequest(request=req)
if reseller_admin:
if not self.is_super_admin(req):
@ -922,7 +922,8 @@ class Swauth(object):
# Validate path info
account = req.path_info_pop()
user = req.path_info_pop()
if req.path_info or not account.isalnum() or not user.isalnum():
if req.path_info or not account or account[0] == '.' or not user or \
user[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)

17
test/unit/common/middleware/test_swauth.py
View File

@ -2576,6 +2576,23 @@ class TestAuth(unittest.TestCase):
{"groups": [{"name": "act:usr"}, {"name": "act"}],
"auth": "plaintext:key"})
def test_put_user_special_chars_success(self):
self.test_auth.app = FakeApp(iter([
('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
# PUT of user object
('201 Created', {}, '')]))
resp = Request.blank('/auth/v2/act/u_s-r',
environ={'REQUEST_METHOD': 'PUT'},
headers={'X-Auth-Admin-User': '.super_admin',
'X-Auth-Admin-Key': 'supertest',
'X-Auth-User-Key': 'key'}
).get_response(self.test_auth)
self.assertEquals(resp.status_int, 201)
self.assertEquals(self.test_auth.app.calls, 2)
self.assertEquals(json.loads(self.test_auth.app.request.body),
{"groups": [{"name": "act:u_s-r"}, {"name": "act"}],
"auth": "plaintext:key"})
def test_put_user_account_admin_success(self):
self.test_auth.app = FakeApp(iter([
('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),