diff options
author | Prashanth Pai <ppai@redhat.com> | 2013-11-22 12:13:09 +0530 |
---|---|---|
committer | Luis Pabon <lpabon@redhat.com> | 2013-12-05 09:15:40 -0800 |
commit | fc9124caf45949dfcc0732536c6825c12d74582a (patch) | |
tree | ad9871cda75a8c5f08e4a06d88a38836b674c8c5 /gluster/swift/common/middleware/gswauth/swauth/middleware.py | |
parent | 0eb79aad3658ca519143029f219c9efe3591e724 (diff) |
gswauth: Fix 403 being returned instead of 401
- 401(Unauthorized) is to be returned when user credentials are
wrong where as 403(Forbidden) is to be returned when user
credentials are correct but the user doesn't have the priveleges
to carry out the operation.
- Also error messages displayed when using swauth-* command line
utilities have been updated.
Change-Id: I485786896ad14d3263f4325d1857cacc93adab96
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6336
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Diffstat (limited to 'gluster/swift/common/middleware/gswauth/swauth/middleware.py')
-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/middleware.py | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py index 996228d..c791423 100644 --- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py +++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py @@ -419,7 +419,9 @@ class Swauth(object): Returns a standard WSGI response callable with the status of 403 or 401 depending on whether the REMOTE_USER is set or not. """ - if req.remote_user: + if not hasattr(req, 'credentials_valid'): + req.credentials_valid = None + if req.remote_user or req.credentials_valid: return HTTPForbidden(request=req) else: return HTTPUnauthorized(request=req) @@ -534,7 +536,7 @@ class Swauth(object): :returns: swob.Response, 204 on success """ if not self.is_super_admin(req): - return HTTPForbidden(request=req) + return HTTPUnauthorized(request=req) path = quote('/v1/%s/.account_id' % self.auth_account) resp = self.make_pre_authed_request( req.environ, 'PUT', path).get_response(self.app) @@ -568,7 +570,7 @@ class Swauth(object): explained above. """ if not self.is_reseller_admin(req): - return HTTPForbidden(request=req) + return self.denied_response(req) listing = [] marker = '' while True: @@ -613,7 +615,7 @@ class Swauth(object): if req.path_info or not account or account[0] == '.': return HTTPBadRequest(request=req) if not self.is_account_admin(req, account): - return HTTPForbidden(request=req) + return self.denied_response(req) path = quote('/v1/%s/%s/.services' % (self.auth_account, account)) resp = self.make_pre_authed_request( req.environ, 'GET', path).get_response(self.app) @@ -685,7 +687,7 @@ class Swauth(object): dict as described above """ if not self.is_reseller_admin(req): - return HTTPForbidden(request=req) + return self.denied_response(req) account = req.path_info_pop() if req.path_info != '/.services' or not account or account[0] == '.': return HTTPBadRequest(request=req) @@ -731,7 +733,7 @@ class Swauth(object): :returns: swob.Response, 2xx on success. """ if not self.is_reseller_admin(req): - return HTTPForbidden(request=req) + return self.denied_response(req) account = req.path_info_pop() if req.path_info or not account or account[0] == '.': return HTTPBadRequest(request=req) @@ -798,7 +800,7 @@ class Swauth(object): :returns: swob.Response, 2xx on success. """ if not self.is_reseller_admin(req): - return HTTPForbidden(request=req) + return self.denied_response(req) account = req.path_info_pop() if req.path_info or not account or account[0] == '.': return HTTPBadRequest(request=req) @@ -905,7 +907,7 @@ class Swauth(object): (user[0] == '.' and user != '.groups'): return HTTPBadRequest(request=req) if not self.is_account_admin(req, account): - return HTTPForbidden(request=req) + return self.denied_response(req) if user == '.groups': # TODO: This could be very slow for accounts with a really large # number of users. Speed could be improved by concurrently @@ -990,9 +992,9 @@ class Swauth(object): return HTTPBadRequest(request=req) if reseller_admin: if not self.is_super_admin(req): - return HTTPForbidden(request=req) + return HTTPUnauthorized(request=req) elif not self.is_account_admin(req, account): - return HTTPForbidden(request=req) + return self.denied_response(req) path = quote('/v1/%s/%s' % (self.auth_account, account)) resp = self.make_pre_authed_request( @@ -1040,7 +1042,7 @@ class Swauth(object): user[0] == '.': return HTTPBadRequest(request=req) if not self.is_account_admin(req, account): - return HTTPForbidden(request=req) + return self.denied_response(req) # Delete the user's existing token, if any. path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) resp = self.make_pre_authed_request( @@ -1423,6 +1425,7 @@ class Swauth(object): to retrieve the admin_detail itself. :param returns: True if .reseller_admin. """ + req.credentials_valid = False if self.is_super_admin(req): return True if not admin_detail: @@ -1430,6 +1433,7 @@ class Swauth(object): if not self.credentials_match(admin_detail, req.headers.get('x-auth-admin-key')): return False + req.credentials_valid = True return '.reseller_admin' in (g['name'] for g in admin_detail['groups']) def is_account_admin(self, req, account): @@ -1441,6 +1445,7 @@ class Swauth(object): :param account: The account to check for .admin against. :param returns: True if .admin. """ + req.credentials_valid = False if self.is_super_admin(req): return True admin_detail = self.get_admin_detail(req) @@ -1450,6 +1455,7 @@ class Swauth(object): if not self.credentials_match(admin_detail, req.headers.get('x-auth-admin-key')): return False + req.credentials_valid = True return admin_detail and admin_detail['account'] == account and \ '.admin' in (g['name'] for g in admin_detail['groups']) return False |