<feed xmlns='http://www.w3.org/2005/Atom'>
<title>gluster-swift.git/test/unit/common/middleware/gswauth/swauth, branch master</title>
<subtitle></subtitle>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/'/>
<entry>
<title>s3: Make s3 support configurable</title>
<updated>2016-09-19T01:39:03+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2016-08-05T08:55:08+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0'/>
<id>2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0</id>
<content type='text'>
Amazon S3 compatibility:
This change makes S3 support tunable using a config option and is
turned off by default.

This is a manual backport of this upstream swauth change:
https://review.openstack.org/#/c/326336/

Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/15098
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Amazon S3 compatibility:
This change makes S3 support tunable using a config option and is
turned off by default.

This is a manual backport of this upstream swauth change:
https://review.openstack.org/#/c/326336/

Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/15098
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Don't include salt in HMAC computation</title>
<updated>2016-09-13T14:00:49+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2016-08-05T05:55:42+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=83c50ae4ebd4d72988a781ec4183f1c62f6a63a4'/>
<id>83c50ae4ebd4d72988a781ec4183f1c62f6a63a4</id>
<content type='text'>
Currently, the input to the HMAC function is the entire stored credential
in the format '&lt;salt&gt;$&lt;hash&gt;' but it should rather be only the hashed
key/password.

This is a minimal manual backport of this upstream swauth change:
https://review.openstack.org/#/c/292529/

Change-Id: Ib119522d36359f87579ff8e4ada7331643695634
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/15097
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently, the input to the HMAC function is the entire stored credential
in the format '&lt;salt&gt;$&lt;hash&gt;' but it should rather be only the hashed
key/password.

This is a minimal manual backport of this upstream swauth change:
https://review.openstack.org/#/c/292529/

Change-Id: Ib119522d36359f87579ff8e4ada7331643695634
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/15097
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix changing of auth_type in existing deployments</title>
<updated>2016-03-18T19:43:08+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2016-03-09T08:50:28+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=539d20e3b13096cfa9107fc2b619943c494c4ab3'/>
<id>539d20e3b13096cfa9107fc2b619943c494c4ab3</id>
<content type='text'>
This change does two things:
* Adds Sha512 as a supported auth_type.
* Fixes breakage when auth_type is changed in existing deployments.

If an existing gswauth deployment changes `auth_type` in conf file to a
different one (for example: sha1 to sha512), all attempts to authorize
existing/old users will fail because of change in encoder type.

With this change, the credentials match is done using an encoder with
which the password was initially encoded. This allows gswauth deployments
to change auth_type and old users will still be able to authorize.

A note on auth_type_salt:
There's still a distinction between how salt is managed in gswauth and
swauth: swauth will use a random salt if a salt is not set in conf file
whereas gswauth will default to 'gswauthsalt' if a salt is not set in
conf file. This distinction is to ensure backward compatibility.

This change is derived from the following upstream changes in swauth repo:
e14a7b3df86969d478090b314d9660b6d835afa7
https://review.openstack.org/#/c/285195/
https://review.openstack.org/#/c/285292/

Change-Id: I9a43adc4964d8e9f9f1faf73063a6dc1cd8ff354
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13654
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change does two things:
* Adds Sha512 as a supported auth_type.
* Fixes breakage when auth_type is changed in existing deployments.

If an existing gswauth deployment changes `auth_type` in conf file to a
different one (for example: sha1 to sha512), all attempts to authorize
existing/old users will fail because of change in encoder type.

With this change, the credentials match is done using an encoder with
which the password was initially encoded. This allows gswauth deployments
to change auth_type and old users will still be able to authorize.

A note on auth_type_salt:
There's still a distinction between how salt is managed in gswauth and
swauth: swauth will use a random salt if a salt is not set in conf file
whereas gswauth will default to 'gswauthsalt' if a salt is not set in
conf file. This distinction is to ensure backward compatibility.

This change is derived from the following upstream changes in swauth repo:
e14a7b3df86969d478090b314d9660b6d835afa7
https://review.openstack.org/#/c/285195/
https://review.openstack.org/#/c/285292/

Change-Id: I9a43adc4964d8e9f9f1faf73063a6dc1cd8ff354
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13654
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Don't pass unicode to hmac.new()</title>
<updated>2016-03-15T13:05:41+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2016-03-08T09:58:42+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=5078be08017a21d97a3cf3fa2ffe554ad7f3d2c9'/>
<id>5078be08017a21d97a3cf3fa2ffe554ad7f3d2c9</id>
<content type='text'>
This issue can be hit when swift3 middleware is in the pipeline.

This change is a backport of the following swauth change:
https://review.openstack.org/#/c/282191/

Change-Id: I323d3eeaf39e2019f8f8910bc53904ac94208ed2
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13641
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This issue can be hit when swift3 middleware is in the pipeline.

This change is a backport of the following swauth change:
https://review.openstack.org/#/c/282191/

Change-Id: I323d3eeaf39e2019f8f8910bc53904ac94208ed2
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13641
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Use correct content type on JSON responses</title>
<updated>2016-03-11T18:24:43+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2016-02-25T08:47:09+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=529526c68acb3acdf732d962b7cc8195081cbf56'/>
<id>529526c68acb3acdf732d962b7cc8195081cbf56</id>
<content type='text'>
Currently, in cases where swauth returns a JSON document as its body,
it does not specify a content type, and swob defaults it to text/html.

This change uses a standard content type of 'application/json' in each
of these instances, and adjusts the tests accordingly.

This is ported from the following commit in swauth repo:
556aa156979741292bde78425f413f9dee639b4f

Change-Id: Ib61370ba10b5e0364c2aed6321388715a6710355
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13521
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently, in cases where swauth returns a JSON document as its body,
it does not specify a content type, and swob defaults it to text/html.

This change uses a standard content type of 'application/json' in each
of these instances, and adjusts the tests accordingly.

This is ported from the following commit in swauth repo:
556aa156979741292bde78425f413f9dee639b4f

Change-Id: Ib61370ba10b5e0364c2aed6321388715a6710355
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/13521
Reviewed-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix bug where admin is able to delete reseller_admin</title>
<updated>2014-01-10T20:52:53+00:00</updated>
<author>
<name>Thiago da Silva</name>
<email>thiago@redhat.com</email>
</author>
<published>2013-12-16T17:00:38+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=205a6e4aa7e86b1e82babd3fa64d2cf002ccdaef'/>
<id>205a6e4aa7e86b1e82babd3fa64d2cf002ccdaef</id>
<content type='text'>
Changed the code to only allow the super_admin to delete a reseller_admin.
This follows the same logic of user creation, where only the super_admin
can create a reseller_admin.

Also, took the opportunity to refactor some code and implemented
get_user_detail method to remove duplicated code.

Bug 1260239: https://bugs.launchpad.net/gluster-swift/+bug/1260239

Change-Id: I9e4866cd7ad08698f427846be566ab2364ad4850
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6516
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Changed the code to only allow the super_admin to delete a reseller_admin.
This follows the same logic of user creation, where only the super_admin
can create a reseller_admin.

Also, took the opportunity to refactor some code and implemented
get_user_detail method to remove duplicated code.

Bug 1260239: https://bugs.launchpad.net/gluster-swift/+bug/1260239

Change-Id: I9e4866cd7ad08698f427846be566ab2364ad4850
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6516
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix users not able to change their own password/key</title>
<updated>2014-01-07T21:50:30+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2014-01-02T06:50:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=94a3f539e75b069bb1f9df6f850adfe16d76b572'/>
<id>94a3f539e75b069bb1f9df6f850adfe16d76b572</id>
<content type='text'>
Users were not able to update their own password/key
with the update operation resulting in 403 (HTTPForbidden).

EXAMPLES:
Command to update password/key of regular user:
gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass

Command to update password/key of account admin:
gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass

Command to update password/key of reseller_admin:
gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass

BUG: https://bugs.launchpad.net/gluster-swift/+bug/1262227

Change-Id: I604da5aee67099b29541eb7e51a040a041f1961b
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6650
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Users were not able to update their own password/key
with the update operation resulting in 403 (HTTPForbidden).

EXAMPLES:
Command to update password/key of regular user:
gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass

Command to update password/key of account admin:
gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass

Command to update password/key of reseller_admin:
gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass

BUG: https://bugs.launchpad.net/gluster-swift/+bug/1262227

Change-Id: I604da5aee67099b29541eb7e51a040a041f1961b
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6650
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>gswauth: Fix 403 being returned instead of 401</title>
<updated>2013-12-18T12:12:43+00:00</updated>
<author>
<name>Prashanth Pai</name>
<email>ppai@redhat.com</email>
</author>
<published>2013-11-22T06:43:09+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=a8c84cb2da77ab294edbdc113985125f9a8acb95'/>
<id>a8c84cb2da77ab294edbdc113985125f9a8acb95</id>
<content type='text'>
- 401 (Unauthorized) is to be returned when user credentials are
  wrong whereas 403 (Forbidden) is to be returned when user
  credentials are correct but the user doesn't have the privileges
  to carry out the operation.

- Also error messages displayed when using swauth-* command line
  utilities have been updated.

Change-Id: I485786896ad14d3263f4325d1857cacc93adab96
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6336
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6447
Reviewed-by: Thiago Da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago Da Silva &lt;thiago@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- 401 (Unauthorized) is to be returned when user credentials are
  wrong whereas 403 (Forbidden) is to be returned when user
  credentials are correct but the user doesn't have the privileges
  to carry out the operation.

- Also error messages displayed when using swauth-* command line
  utilities have been updated.

Change-Id: I485786896ad14d3263f4325d1857cacc93adab96
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6336
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Signed-off-by: Prashanth Pai &lt;ppai@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6447
Reviewed-by: Thiago Da Silva &lt;thiago@redhat.com&gt;
Tested-by: Thiago Da Silva &lt;thiago@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fix issue with swauth-clean-token returning 403 errors</title>
<updated>2013-12-05T17:18:30+00:00</updated>
<author>
<name>Thiago da Silva</name>
<email>thiago@redhat.com</email>
</author>
<published>2013-12-03T23:06:21+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=2d818c06b805b051996d605ef8ef5b5415bd6293'/>
<id>2d818c06b805b051996d605ef8ef5b5415bd6293</id>
<content type='text'>
The issue was due to missing a necessary change that was made when changing
the auth account name from .auth to metadata volume.

The auth account has a group of the same name, so the .auth account
also had a .auth group, so we needed to change that too to the
metadata volume (e.g., gsmetadata).

Change-Id: Iaa3b7a1b2628f5b863807932e863593be0011a82
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6416
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The issue was due to missing a necessary change that was made when changing
the auth account name from .auth to metadata volume.

The auth account has a group of the same name, so the .auth account
also had a .auth group, so we needed to change that too to the
metadata volume (e.g., gsmetadata).

Change-Id: Iaa3b7a1b2628f5b863807932e863593be0011a82
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6416
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>fix error with swauth-clean-tokens</title>
<updated>2013-11-20T03:10:36+00:00</updated>
<author>
<name>Thiago da Silva</name>
<email>thiago@redhat.com</email>
</author>
<published>2013-11-15T22:13:53+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/gluster-swift.git/commit/?id=f8ae648c6d557689c8c67caef6a2c6b034b7aaba'/>
<id>f8ae648c6d557689c8c67caef6a2c6b034b7aaba</id>
<content type='text'>
Error is caused by left-over code from swauth. It had hard-coded
the auth account to .auth. Changed code to use volume specified
in the config file.

Change-Id: Id00eb3964b6b26a84511e4753ab80b2dea5654da
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6280
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Error is caused by left-over code from swauth. It had hard-coded
the auth account to .auth. Changed code to use volume specified
in the config file.

Change-Id: Id00eb3964b6b26a84511e4753ab80b2dea5654da
Signed-off-by: Thiago da Silva &lt;thiago@redhat.com&gt;
Reviewed-on: http://review.gluster.org/6280
Reviewed-by: Luis Pabon &lt;lpabon@redhat.com&gt;
Tested-by: Luis Pabon &lt;lpabon@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
