From da27b3b7503bea823bd442f7d93eeed57d427932 Mon Sep 17 00:00:00 2001
From: gholt
Date: Fri, 11 Feb 2011 17:39:44 -0800
Subject: [PATCH] Make swift-auth-to-swauth work with really old devauth dbs; update swauth to accept non-alnum chars in account and user names.
---
 bin/swift-auth-to-swauth | 26 +++++++++-------------
 swift/common/middleware/swauth.py | 21 ++++++++---------
 test/unit/common/middleware/test_swauth.py | 17 ++++++++++++++
 3 files changed, 39 insertions(+), 25 deletions(-)
diff --git a/bin/swift-auth-to-swauth b/bin/swift-auth-to-swauth
index 93cb4fe199..e1010c315a 100755
--- a/bin/swift-auth-to-swauth
+++ b/bin/swift-auth-to-swauth
@@ -23,16 +23,18 @@ import sqlite3
 if __name__ == '__main__':
 gettext.install('swift', unicode=1)
- if len(argv) != 4 or argv[1] != '-K':
- exit('Syntax: %s -K ' % argv[0])
- _junk, _junk, super_admin_key, auth_db = argv
- # This version will not attempt to prep swauth
- # call(['swauth-prep', '-K', super_admin_key])
+ if len(argv) != 2:
+ exit('Syntax: %s ' % argv[0])
+ _junk, auth_db = argv
 conn = sqlite3.connect(auth_db)
- for account, cfaccount, user, password, admin, reseller_admin in \
- conn.execute('SELECT account, cfaccount, user, password, admin, '
- 'reseller_admin FROM account'):
- cmd = ['swauth-add-user', '-K', super_admin_key, '-s',
+ try:
+ listing = conn.execute('SELECT account, cfaccount, user, password, '
+ 'admin, reseller_admin FROM account')
+ except sqlite3.OperationalError, err:
+ listing = conn.execute('SELECT account, cfaccount, user, password, '
+ '"f", "f" FROM account')
+ for account, cfaccount, user, password, admin, reseller_admin in listing:
+ cmd = ['swauth-add-user', '-K', '', '-s',
 cfaccount.split('_', 1)[1]]
 if admin == 't':
 cmd.append('-a')
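Review bot: The `cmd` list built at the end of this hunk takes `account`, `user` and `password` straight from the devauth database, and the next hunk emits it with `print ' '.join(cmd)` as a line meant to be pasted into a shell script, so a value holding a space or a shell metacharacter changes the command that is eventually run. That matters more now that swauth accepts non-alphanumeric names; quoting each argument, for example `print ' '.join(pipes.quote(arg) for arg in cmd)` with `import pipes` added, keeps every value a single literal argument. Separately, the fallback query writes its constants as `"f", "f"`, which SQLite reads as strings only when no column of that name exists; `'f', 'f'` states the intent, and the unused `err` binding in the `except` clause can be dropped.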
@@ -40,9 +42,3 @@ if __name__ == '__main__':
 cmd.append('-r')
 cmd.extend([account, user, password])
 print ' '.join(cmd)
- # For this version, the script will only print out the commands
- # call(cmd)
- print '----------------------------------------------------------------'
- print ' Assuming the above worked perfectly, you should copy and paste '
- print ' those lines into your ~/bin/recreateaccounts script.'
- print '----------------------------------------------------------------'
diff --git a/swift/common/middleware/swauth.py b/swift/common/middleware/swauth.py
index 9d585c0a6b..68b0d7afaf 100644
--- a/swift/common/middleware/swauth.py
+++ b/swift/common/middleware/swauth.py
@@ -268,7 +268,7 @@ class Swauth(object):
 user_groups = (req.remote_user or '').split(',')
 if '.reseller_admin' in user_groups and \
 account != self.reseller_prefix and \
- account[len(self.reseller_prefix)].isalnum():
+ account[len(self.reseller_prefix)] != '.':
 return None
 if account in user_groups and \
 (req.method not in ('DELETE', 'PUT') or container):
@@ -474,7 +474,7 @@ class Swauth(object):
 explained above.
 """
 account = req.path_info_pop()
- if req.path_info or not account.isalnum():
+ if req.path_info or not account or account[0] == '.':
 return HTTPBadRequest(request=req)
 if not self.is_account_admin(req, account):
 return HTTPForbidden(request=req)
@@ -550,7 +550,7 @@ class Swauth(object):
 if not self.is_reseller_admin(req):
 return HTTPForbidden(request=req)
 account = req.path_info_pop()
- if req.path_info != '/.services' or not account.isalnum():
+ if req.path_info != '/.services' or not account or account[0] == '.':
 return HTTPBadRequest(request=req)
 try:
 new_services = json.loads(req.body)
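Review bot: `account[len(self.reseller_prefix)]` is indexed without first establishing that `account` begins with the reseller prefix and is longer than it, so an account string no longer than the prefix (and not equal to it) raises IndexError, and one that does not begin with the prefix is tested at an unrelated character. The new `!= '.'` comparison inherits that assumption from the old `.isalnum()` line. The method starts outside this hunk, so an earlier guard may exist; if it does not, add `account.startswith(self.reseller_prefix) and len(account) > len(self.reseller_prefix)` to the condition before the index.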
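Review bot: The relaxed check `not account or account[0] == '.'` in the hunk at line 474 now admits every character that `isalnum()` used to reject, including the ones swauth itself uses as separators: the hunk at line 268 splits `req.remote_user` on `,`, and the test in this commit shows group names of the form `act:usr`. How the group list is serialised is outside these hunks, but if names are joined with those separators, a name containing `,` or `:` is ambiguous with other group entries, so the validation should still reject the separators and control characters while allowing `_`, `-` and the like. The same condition is repeated in the hunks at lines 550, 596, 678, 798, 873 and 922; one helper used by all of them, as sketched below, keeps the rule in a single place.

```python
# ',' separates groups in req.remote_user and ':' joins account and user
# in a group name, so neither may appear inside a name.
_RESERVED_NAME_CHARS = ',:'


def _valid_name(name):
    """Return True if name may be used as an account or user name."""
    if not name or name[0] == '.':
        return False
    return not any(ch in _RESERVED_NAME_CHARS or ord(ch) < 32
                   for ch in name)

# ... unchanged: account = req.path_info_pop() ...
if req.path_info or not _valid_name(account):
```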
@@ -596,7 +596,7 @@ class Swauth(object):
 if not self.is_reseller_admin(req):
 return HTTPForbidden(request=req)
 account = req.path_info_pop()
- if req.path_info or not account.isalnum():
+ if req.path_info or not account or account[0] == '.':
 return HTTPBadRequest(request=req)
 # Ensure the container in the main auth account exists (this
 # container represents the new account)
@@ -678,7 +678,7 @@ class Swauth(object):
 if not self.is_reseller_admin(req):
 return HTTPForbidden(request=req)
 account = req.path_info_pop()
- if req.path_info or not account.isalnum():
+ if req.path_info or not account or account[0] == '.':
 return HTTPBadRequest(request=req)
 # Make sure the account has no users and get the account_id
 marker = ''
@@ -798,8 +798,8 @@ class Swauth(object):
 """
 account = req.path_info_pop()
 user = req.path_info_pop()
- if req.path_info or not account.isalnum() or \
- (not user.isalnum() and user != '.groups'):
+ if req.path_info or not account or account[0] == '.' or not user or \
+ (user[0] == '.' and user != '.groups'):
 return HTTPBadRequest(request=req)
 if not self.is_account_admin(req, account):
 return HTTPForbidden(request=req)
@@ -873,8 +873,8 @@ class Swauth(object):
 req.headers.get('x-auth-user-reseller-admin') == 'true'
 if reseller_admin:
 admin = True
- if req.path_info or not account.isalnum() or not user.isalnum() or \
- not key:
+ if req.path_info or not account or account[0] == '.' or not user or \
+ user[0] == '.' or not key:
 return HTTPBadRequest(request=req)
 if reseller_admin:
 if not self.is_super_admin(req):
@@ -922,7 +922,8 @@ class Swauth(object):
 # Validate path info
 account = req.path_info_pop()
 user = req.path_info_pop()
- if req.path_info or not account.isalnum() or not user.isalnum():
+ if req.path_info or not account or account[0] == '.' or not user or \
+ user[0] == '.':
 return HTTPBadRequest(request=req)
 if not self.is_account_admin(req, account):
 return HTTPForbidden(request=req)
diff --git a/test/unit/common/middleware/test_swauth.py b/test/unit/common/middleware/test_swauth.py
index ce3681ac06..eeda4f0cbf 100644
--- a/test/unit/common/middleware/test_swauth.py
+++ b/test/unit/common/middleware/test_swauth.py
@@ -2576,6 +2576,23 @@ class TestAuth(unittest.TestCase):
 {"groups": [{"name": "act:usr"}, {"name": "act"}],
 "auth": "plaintext:key"})
+ def test_put_user_special_chars_success(self):
+ self.test_auth.app = FakeApp(iter([
+ ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
+ # PUT of user object
+ ('201 Created', {}, '')]))
+ resp = Request.blank('/auth/v2/act/u_s-r',
+ environ={'REQUEST_METHOD': 'PUT'},
+ headers={'X-Auth-Admin-User': '.super_admin',
+ 'X-Auth-Admin-Key': 'supertest',
+ 'X-Auth-User-Key': 'key'}
+ ).get_response(self.test_auth)
+ self.assertEquals(resp.status_int, 201)
+ self.assertEquals(self.test_auth.app.calls, 2)
+ self.assertEquals(json.loads(self.test_auth.app.request.body),
+ {"groups": [{"name": "act:u_s-r"}, {"name": "act"}],
+ "auth": "plaintext:key"})
+
 def test_put_user_account_admin_success(self):
 self.test_auth.app = FakeApp(iter([
 ('200 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''),
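Review bot: The added test pins only the accept path, and only for a user name containing `_` and `-`; nothing in this hunk exercises the new reject rule or an account name with special characters. Add companion cases next to `test_put_user_special_chars_success`, for example a PUT to `/auth/v2/act/.usr` asserting that `resp.status_int` is 400, and a success case for an account such as `a_c-t`. Cases of that kind may already exist elsewhere in `TestAuth`, which continues outside this hunk.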