-rw-r--r--gluster/swift/common/middleware/gswauth/swauth/middleware.py18
-rw-r--r--test/unit/common/middleware/gswauth/swauth/test_middleware.py39
2 files changed, 52 insertions, 5 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 48f1d71..7a6d713 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -148,6 +148,18 @@ class Swauth(object):
'Invalid auth_type in config file: %s'
% self.auth_type)
self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')
+
+ # Due to security concerns, S3 support is disabled by default.
+ self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES
+ if self.s3_support and self.auth_type != 'Plaintext' \
+ and not self.auth_encoder.salt:
+ # In future, we may want to randomize salt generation rather than
+ # use a statically set salt as done today.
+ msg = _('S3 support requires salt to be manually set in conf '
+ 'file using auth_type_salt config option.')
+ self.logger.warning(msg)
+ self.s3_support = False
+
self.allow_overrides = \
conf.get('allow_overrides', 't').lower() in TRUE_VALUES
self.agent = '%(orig)s Swauth'
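Review bot: The guard `and not self.auth_encoder.salt` can only fire when an operator explicitly sets `auth_type_salt` to an empty string, because the line just above fills the salt with the hard-coded default `'gswauthsalt'` whenever the option is absent; so `s3_support = on` with Sha1/Sha512 and no salt configured still enables S3, with a publicly known salt, which is exactly what the warning text says must not happen. Test the configuration rather than the defaulted attribute, e.g. `and not conf.get('auth_type_salt'):`, so the check matches the message. Silently downgrading to `self.s3_support = False` after a warning also hides a misconfiguration in the log only; the invalid-auth_type branch just above appears to raise instead, and failing closed at startup the same way (`raise ValueError(msg)`) would be more consistent and harder to miss. `__init__` starts before and ends after this hunk.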
@@ -205,6 +217,9 @@ class Swauth(object):
elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
return self.handle(env, start_response)
s3 = env.get('HTTP_AUTHORIZATION')
+ if s3 and not self.s3_support:
+ msg = 'S3 support is disabled in gswauth.'
+ return HTTPBadRequest(body=msg)(env, start_response)
token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
if token and len(token) > authtypes.MAX_TOKEN_LENGTH:
return HTTPBadRequest(body='Token exceeds maximum length.')(
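Review bot: The new early return answers any request carrying an Authorization header with a 400 whose body names the middleware and its S3 configuration, whereas the test this commit replaces shows the previous outcome for an unrecognised Authorization header was a 401 through the denied response. Anonymous callers can now fingerprint gswauth and probe whether S3 is enabled; keeping the detail server-side, `self.logger.debug('S3 support is disabled in gswauth.')` followed by `return HTTPUnauthorized()(env, start_response)`, leaks less and preserves the old status. Note also that the check keys on the header's mere presence, not on the `AWS ` scheme, so non-S3 Authorization headers are rejected with an S3-specific message. The enclosing method (presumably `__call__`) continues outside this hunk.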
@@ -284,6 +299,9 @@ class Swauth(object):
groups = None
if env.get('HTTP_AUTHORIZATION'):
+ if not self.s3_support:
+ self.logger.warning('S3 support is disabled in gswauth.')
+ return None
if self.swauth_remote:
# TODO: Support S3-style authorization with swauth_remote mode
self.logger.warn('S3-style authorization not supported yet '
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
index e8c2001..608dba4 100644
--- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py
+++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
@@ -4836,15 +4836,41 @@ class TestAuth(unittest.TestCase):
resp.body,
'Token exceeds maximum length.')
- def test_crazy_authorization(self):
+ def test_s3_authorization_default_off(self):
+ self.assertFalse(self.test_auth.s3_support)
req = self._make_request('/v1/AUTH_account', headers={
- 'authorization': 'somebody elses header value'})
+ 'authorization': 's3_header'})
resp = req.get_response(self.test_auth)
- self.assertEquals(resp.status_int, 401)
- self.assertEquals(resp.environ['swift.authorize'],
- self.test_auth.denied_response)
+ self.assertEqual(resp.status_int, 400) # HTTPBadRequest
+ self.assertTrue(resp.environ.get('swift.authorize') is None)
+
+ def test_s3_turned_off_get_groups(self):
+ env = \
+ {'HTTP_AUTHORIZATION': 's3 header'}
+ token = 'whatever'
+ self.test_auth.logger = mock.Mock()
+ self.assertEqual(self.test_auth.get_groups(env, token), None)
+
+ def test_s3_enabled_when_conditions_are_met(self):
+ # auth_type_salt needs to be set
+ for atype in ('Sha1', 'Sha512'):
+ test_auth = \
+ auth.filter_factory({
+ 'super_admin_key': 'supertest',
+ 's3_support': 'on',
+ 'auth_type_salt': 'blah',
+ 'auth_type': atype})(FakeApp())
+ self.assertTrue(test_auth.s3_support)
+ # auth_type_salt need not be set for Plaintext
+ test_auth = \
+ auth.filter_factory({
+ 'super_admin_key': 'supertest',
+ 's3_support': 'on',
+ 'auth_type': 'Plaintext'})(FakeApp())
+ self.assertTrue(test_auth.s3_support)
def test_s3_creds_unicode(self):
+ self.test_auth.s3_support = True
self.test_auth.app = FakeApp(iter([
('200 Ok', {},
json.dumps({"auth": unicode("plaintext:key)"),
@@ -4857,8 +4883,10 @@ class TestAuth(unittest.TestCase):
token = 'UFVUCgoKRnJpLCAyNiBGZWIgMjAxNiAwNjo0NT'\
'ozNCArMDAwMAovY29udGFpbmVyMw=='
self.assertEqual(self.test_auth.get_groups(env, token), None)
+ self.test_auth.s3_support = False
def test_s3_only_hash_passed_to_hmac(self):
+ self.test_auth.s3_support = True
key = 'dadada'
salt = 'zuck'
key_hash = hashlib.sha1('%s%s' % (salt, key)).hexdigest()
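Review bot: The trailing `self.test_auth.s3_support = False` added at the end of `test_s3_creds_unicode` is skipped whenever an earlier assertion fails, so if `test_auth` is shared between tests the enabled flag can leak into later ones; if `setUp` rebuilds it per test (which the free reassignment of `self.test_auth.logger` elsewhere suggests), the reset is dead code. Either way, registering `self.addCleanup(setattr, self.test_auth, 's3_support', False)` right after `self.test_auth.s3_support = True` is the robust form. `test_s3_only_hash_passed_to_hmac` continues outside this hunk.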
@@ -4880,6 +4908,7 @@ class TestAuth(unittest.TestCase):
self.assertTrue(mock_hmac_new.called)
# Assert that string passed to hmac.new is only the hash
self.assertEqual(mock_hmac_new.call_args[0][0], key_hash)
+ self.test_auth.s3_support = False