Now:

.super_admin may get any user info .reseller_admin may not get .reseller_admin info .admin may not get .reseller_admin or .admin info users can't get any user info
2011-04-01 22:37:52 +00:00 · 2011-04-01 22:37:52 +00:00 · 92dc9fa448
commit 92dc9fa448
parent fdc13c42e4 2f98e2fb69
2 changed files with 84 additions and 4 deletions
--- a/swift/common/middleware/swauth.py
+++ b/swift/common/middleware/swauth.py
@ -849,6 +849,12 @@ class Swauth(object):
                raise Exception('Could not retrieve user object: %s %s' %
                                (path, resp.status))
            body = resp.body
+            display_groups = [g['name'] for g in json.loads(body)['groups']]
+            if ('.admin' in display_groups and
+                not self.is_reseller_admin(req)) or \
+               ('.reseller_admin' in display_groups and
+                not self.is_super_admin(req)):
+                return HTTPForbidden(request=req)
        return Response(body=body)

    def handle_put_user(self, req):
--- a/test/unit/common/middleware/test_swauth.py
+++ b/test/unit/common/middleware/test_swauth.py
@ -2354,8 +2354,7 @@ class TestAuth(unittest.TestCase):
             "auth": "plaintext:key"})),
            # GET of requested user object
            ('200 Ok', {}, json.dumps(
-                {"groups": [{"name": "act:usr"}, {"name": "act"},
-                            {"name": ".admin"}],
+                {"groups": [{"name": "act:usr"}, {"name": "act"}],
                 "auth": "plaintext:key"}))]))
        resp = Request.blank('/auth/v2/act/usr',
            headers={'X-Auth-Admin-User': 'act:adm',
@ -2363,11 +2362,86 @@ class TestAuth(unittest.TestCase):
            ).get_response(self.test_auth)
        self.assertEquals(resp.status_int, 200)
        self.assertEquals(resp.body, json.dumps(
-            {"groups": [{"name": "act:usr"}, {"name": "act"},
-                        {"name": ".admin"}],
+            {"groups": [{"name": "act:usr"}, {"name": "act"}],
             "auth": "plaintext:key"}))
        self.assertEquals(self.test_auth.app.calls, 2)

+    def test_get_user_account_admin_fail_getting_account_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who is an .admin as well]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".admin"}],
+                 "auth": "plaintext:key"})),
+            # GET of user object (reseller admin check [and fail here])
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 3)
+
+    def test_get_user_account_admin_fail_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who is a .reseller_admin]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 2)
+
+    def test_get_user_reseller_admin_fail_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of user object (account admin check)
+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
+             {"name": "test"}, {"name": ".reseller_admin"}],
+             "auth": "plaintext:key"})),
+            # GET of requested user object [who also is a .reseller_admin]
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': 'act:adm',
+                     'X-Auth-Admin-Key': 'key'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 403)
+        self.assertEquals(self.test_auth.app.calls, 2)
+
+    def test_get_user_super_admin_succeed_getting_reseller_admin(self):
+        self.test_auth.app = FakeApp(iter([
+            # GET of requested user object
+            ('200 Ok', {}, json.dumps(
+                {"groups": [{"name": "act:usr"}, {"name": "act"},
+                            {"name": ".reseller_admin"}],
+                 "auth": "plaintext:key"}))]))
+        resp = Request.blank('/auth/v2/act/usr',
+            headers={'X-Auth-Admin-User': '.super_admin',
+                     'X-Auth-Admin-Key': 'supertest'}
+            ).get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 200)
+        self.assertEquals(resp.body, json.dumps(
+            {"groups": [{"name": "act:usr"}, {"name": "act"},
+                        {"name": ".reseller_admin"}],
+             "auth": "plaintext:key"}))
+        self.assertEquals(self.test_auth.app.calls, 1)
+
    def test_get_user_groups_not_found(self):
        self.test_auth.app = FakeApp(iter([
            # GET of account container (list objects)