| author | Prashanth Pai <ppai@redhat.com> | 2014-01-02 12:20:20 +0530 | 
|---|---|---|
| committer | Luis Pabon <lpabon@redhat.com> | 2014-01-07 13:50:30 -0800 | 
| commit | 94a3f539e75b069bb1f9df6f850adfe16d76b572 (patch) | |
| tree | 61603e804fc97a878490d27201aa03f82b804c22 /test/unit/common/middleware | |
| parent | d1c7b1cc4b19a7a0c2c6a594dd47cf40f98223f9 (diff) | |
Fix users not able to change their own password/key
Users were not able to update their own password/key: the update operation
was rejected with 403 (HTTPForbidden) unless the caller was an admin.
EXAMPLES:
Command to update password/key of regular user:
gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass
Command to update password/key of account admin:
gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass
Command to update password/key of reseller_admin:
gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass
BUG: https://bugs.launchpad.net/gluster-swift/+bug/1262227
Change-Id: I604da5aee67099b29541eb7e51a040a041f1961b
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6650
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
Diffstat (limited to 'test/unit/common/middleware')
| -rw-r--r-- | test/unit/common/middleware/gswauth/swauth/test_middleware.py | 171 | 
1 files changed, 162 insertions, 9 deletions
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py index f01c34f..bce734d 100644 --- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py +++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py @@ -3242,6 +3242,10 @@ class TestAuth(unittest.TestCase):      def test_put_user_reseller_admin_fail_bad_creds(self):          self.test_auth.app = FakeApp(iter([ +            # Checking if user is changing his own key. This is called. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:rdm"}, +             {"name": "test"}, {"name": ".admin"}, +             {"name": ".reseller_admin"}], "auth": "plaintext:key"})),              # GET of user object (reseller admin)              # This shouldn't actually get called, checked              # below @@ -3261,9 +3265,13 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Reseller-Admin': 'true'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 401) -        self.assertEquals(self.test_auth.app.calls, 0) +        self.assertEquals(self.test_auth.app.calls, 1)          self.test_auth.app = FakeApp(iter([ +            # Checking if user is changing his own key. This is called. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}], +                "auth": "plaintext:key"})),              # GET of user object (account admin, but not reseller admin)              # This shouldn't actually get called, checked              # below 
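Review bot: The updated assertion `self.assertEquals(self.test_auth.app.calls, 1)` shows that a PUT carrying `X-Auth-User-Reseller-Admin: 'true'` from a non-super-admin now costs one backend GET where it previously cost none, even though, per the new helper tests further down, is_user_changing_own_key() rejects a request that asks for a group the caller does not already hold (those escalation cases also record one call). If the helper can test the X-Auth-User-Admin / X-Auth-User-Reseller-Admin headers before fetching the caller's user object, this request would be rejected with zero backend calls, the pre-existing `calls, 0` assertions could stay, and unauthenticated requests would not drive one backend GET per attempt; I cannot see the middleware side, so this is an inference from the call counts. The queued comment `# Checking if user is changing his own key. This is called.` would be more useful as `# GET of the X-Auth-Admin-User object issued by is_user_changing_own_key()`. Both hunks cut through test_put_user_reseller_admin_fail_bad_creds, which continues past this line.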
@@ -3283,13 +3291,16 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Reseller-Admin': 'true'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 401) -        self.assertEquals(self.test_auth.app.calls, 0) +        self.assertEquals(self.test_auth.app.calls, 1)          self.test_auth.app = FakeApp(iter([ +            # Checking if user is changing his own key. This is called. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"})),              # GET of user object (regular user)              # This shouldn't actually get called, checked              # below -            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +           ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},               {"name": "test"}], "auth": "plaintext:key"}))]))          resp = Request.blank('/auth/v2/act/usr',                               environ={ @@ -3304,7 +3315,7 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Reseller-Admin': 'true'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 401) -        self.assertEquals(self.test_auth.app.calls, 0) +        self.assertEquals(self.test_auth.app.calls, 1)      def test_put_user_account_admin_fail_bad_creds(self):          self.test_auth.app = FakeApp(iter([ 
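Review bot: The only change to the `('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},` line in the regular-user fixture is that its indent drops from 12 to 11 spaces, which leaves it one column left of its own `{"name": "test"}` continuation line and of every sibling response tuple; this looks accidental. Restore the 12-space indent (`+            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},`) so the hunk stays a pure fixture addition with no whitespace churn. The first hunk sits inside test_put_user_reseller_admin_fail_bad_creds, whose start and end lie outside this hunk.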
@@ -3312,6 +3323,10 @@ class TestAuth(unittest.TestCase):              # account)              ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"},               {"name": "test"}, {"name": ".admin"}], +                "auth": "plaintext:key"})), +            # Checking if user is changing his own key. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}],                  "auth": "plaintext:key"}))]))          resp = Request.blank('/auth/v2/act/usr',                               environ={ @@ -3326,11 +3341,14 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Admin': 'true'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 403) -        self.assertEquals(self.test_auth.app.calls, 1) +        self.assertEquals(self.test_auth.app.calls, 2)          self.test_auth.app = FakeApp(iter([              # GET of user object (regular user)              ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"})), +            # Checking if user is changing his own key. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},               {"name": "test"}], "auth": "plaintext:key"}))]))          resp = Request.blank('/auth/v2/act/usr',                               environ={ @@ -3345,7 +3363,7 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Admin': 'true'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 403) -        self.assertEquals(self.test_auth.app.calls, 1) +        self.assertEquals(self.test_auth.app.calls, 2)      def test_put_user_regular_fail_bad_creds(self):          self.test_auth.app = FakeApp(iter([ 
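Review bot: In test_put_user_account_admin_fail_bad_creds the two queued responses are, by their comments, both GETs of the caller's (X-Auth-Admin-User) user object, yet the first answers with `act2:adm` (an admin of another account) and the added one with `act:adm`; a single backend object cannot answer with two different accounts, so the fixture no longer models a real store and the 403 is reached for a reason the comments do not describe. If the second lookup really re-fetches the same object, make the added response a copy of the first (`{"name": "act2:adm"}, {"name": "test"}, {"name": ".admin"}`) so the 403 follows from the account mismatch alone. That the caller's record is now fetched twice per request also suggests the helper could be handed the already-loaded user object instead of issuing its own GET — an inference, since the middleware is not in this diff. Both test bodies extend beyond the hunk edges.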
@@ -3353,6 +3371,10 @@ class TestAuth(unittest.TestCase):              # account)              ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"},               {"name": "test"}, {"name": ".admin"}], +                "auth": "plaintext:key"})), +            # Checking if user is changing his own key. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}],                  "auth": "plaintext:key"}))]))          resp = Request.blank('/auth/v2/act/usr',                               environ={ @@ -3365,13 +3387,16 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Key': 'key'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 403) -        self.assertEquals(self.test_auth.app.calls, 1) +        self.assertEquals(self.test_auth.app.calls, 2)          self.test_auth.app = FakeApp(iter([              # GET of user object (regular user)              ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"})), +            # Checking if user is changing his own key. +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},               {"name": "test"}], "auth": "plaintext:key"}))])) -        resp = Request.blank('/auth/v2/act/usr', +        resp = Request.blank('/auth/v2/act2/usr',                               environ={                                   'REQUEST_METHOD': 'PUT'},                               headers={ 
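Review bot: Changing the second request's path from `/auth/v2/act/usr` to `/auth/v2/act2/usr` is what keeps this case at 403 — the headers supply 'key', the stored auth is `plaintext:key`, and with the original path this would now be a legitimate self-service key change — but nothing in the test says so, and the name test_put_user_regular_fail_bad_creds now describes a cross-account attempt with valid credentials rather than bad credentials. Add a comment above the request such as `# valid creds for act:usr, but act2:usr is not the caller: not a self key change -> 403`, or move the case into a dedicated cross-account test. As in the account-admin test above, the admin fixture here queues `act2:adm` and then `act:adm` for what the comments say is the same caller lookup; the two responses should describe one user. Both test bodies run past this hunk.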
@@ -3382,7 +3407,7 @@ class TestAuth(unittest.TestCase):                                   'X-Auth-User-Key': 'key'}                               ).get_response(self.test_auth)          self.assertEquals(resp.status_int, 403) -        self.assertEquals(self.test_auth.app.calls, 1) +        self.assertEquals(self.test_auth.app.calls, 2)      def test_put_user_regular_success(self):          self.test_auth.app = FakeApp(iter([ 
@@ -3941,6 +3966,134 @@ class TestAuth(unittest.TestCase):          self.assert_(not self.test_auth.credentials_match(              {'auth': 'plaintext:key'}, 'notkey')) +    def test_is_user_changing_own_key_err(self): +        # User does not exist +        self.test_auth.app = FakeApp( +            iter([('404 Not Found', {}, '')])) +        req = Request.blank('/auth/v2/act/usr', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:usr', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'key'}) +        self.assert_( +            not self.test_auth.is_user_changing_own_key(req, 'act:usr')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # user attempting to escalate himself as admin +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/usr', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:usr', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'key', +                                'X-Auth-User-Admin': 'true'}) +        self.assert_( +            not self.test_auth.is_user_changing_own_key(req, 'act:usr')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # admin attempting to escalate himself as reseller_admin +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}], +                "auth": "plaintext:key"}))])) +        req = 
Request.blank('/auth/v2/act/adm', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:adm', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'key', +                                'X-Auth-User-Reseller-Admin': 'true'}) +        self.assert_( +            not self.test_auth.is_user_changing_own_key(req, 'act:adm')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # different user +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/usr2', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:usr', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'key'}) +        self.assert_( +            not self.test_auth.is_user_changing_own_key(req, 'act:usr2')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # wrong key +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/usr', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:usr', +                                'X-Auth-Admin-Key': 'wrongkey', +                                'X-Auth-User-Key': 'newkey'}) +        self.assert_( +            not self.test_auth.is_user_changing_own_key(req, 'act:usr')) +      
  self.assertEquals(self.test_auth.app.calls, 1) + +    def test_is_user_changing_own_key_sucess(self): +        # regular user +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, +             {"name": "test"}], "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/usr', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:usr', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'newkey'}) +        self.assert_( +            self.test_auth.is_user_changing_own_key(req, 'act:usr')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # account admin +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}], +                "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/adm', +                            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:adm', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'newkey', +                                'X-Auth-User-Admin': 'true'}) +        self.assert_( +            self.test_auth.is_user_changing_own_key(req, 'act:adm')) +        self.assertEquals(self.test_auth.app.calls, 1) + +        # reseller admin +        self.test_auth.app = FakeApp(iter([ +            ('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"}, +             {"name": "test"}, {"name": ".admin"}, +                {"name": ".reseller_admin"}], "auth": "plaintext:key"}))])) +        req = Request.blank('/auth/v2/act/adm', +                
            environ={ +                                'REQUEST_METHOD': 'PUT'}, +                            headers={ +                                'X-Auth-Admin-User': 'act:adm', +                                'X-Auth-Admin-Key': 'key', +                                'X-Auth-User-Key': 'newkey', +                                'X-Auth-User-Reseller-Admin': 'true'}) +        self.assert_( +            self.test_auth.is_user_changing_own_key(req, 'act:adm')) +        self.assertEquals(self.test_auth.app.calls, 1) +      def test_is_super_admin_success(self):          self.assert_(              self.test_auth.is_super_admin(  | 
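Review bot: Neither new helper test covers a backend answer other than 200 or 404 for the caller's user object; if is_user_changing_own_key() treats every non-404 status as "found" or swallows the resulting error, a 5xx from the store would be parsed as a user record or surface as an unhandled exception, so the error test should include a case that queues `('503 Service Unavailable', {}, '')` and asserts the check returns False (fail closed), as sketched below. The escalation cases assert `calls == 1`, i.e. the GET is issued before the X-Auth-User-Admin / X-Auth-User-Reseller-Admin headers are examined; if the helper can check those headers first, those cases should assert `self.assertEquals(self.test_auth.app.calls, 0)` instead. Minor: `test_is_user_changing_own_key_sucess` is misspelled (`success`), and `self.assert_` is the deprecated alias of `assertTrue`.
```python
    def test_is_user_changing_own_key_err(self):
        # ... unchanged: existing 404 / escalation / different-user / wrong-key cases ...

        # backend error: must not be treated as a match (fail closed)
        self.test_auth.app = FakeApp(
            iter([('503 Service Unavailable', {}, '')]))
        req = Request.blank('/auth/v2/act/usr',
                            environ={
                                'REQUEST_METHOD': 'PUT'},
                            headers={
                                'X-Auth-Admin-User': 'act:usr',
                                'X-Auth-Admin-Key': 'key',
                                'X-Auth-User-Key': 'newkey'})
        self.assert_(
            not self.test_auth.is_user_changing_own_key(req, 'act:usr'))
        self.assertEquals(self.test_auth.app.calls, 1)
```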
