diff options
Diffstat (limited to 'test/unit/proxy/controllers')
-rw-r--r-- | test/unit/proxy/controllers/test_account.py | 89 | ||||
-rwxr-xr-x | test/unit/proxy/controllers/test_obj.py | 13 |
2 files changed, 98 insertions, 4 deletions
diff --git a/test/unit/proxy/controllers/test_account.py b/test/unit/proxy/controllers/test_account.py index eefd57d..47f76dc 100644 --- a/test/unit/proxy/controllers/test_account.py +++ b/test/unit/proxy/controllers/test_account.py @@ -16,12 +16,14 @@ import mock import unittest -from swift.common.swob import Request +from swift.common.swob import Request, Response +from swift.common.middleware.acl import format_acl from swift.proxy import server as proxy_server from swift.proxy.controllers.base import headers_to_account_info from swift.common.constraints import MAX_ACCOUNT_NAME_LENGTH as MAX_ANAME_LEN from test.unit import fake_http_connect, FakeRing, FakeMemcache from swift.common.request_helpers import get_sys_meta_prefix +import swift.proxy.controllers.base class TestAccountController(unittest.TestCase): @@ -152,6 +154,91 @@ class TestAccountController(unittest.TestCase): self.assertEqual(context['headers'][user_meta_key], 'bar') self.assertNotEqual(context['headers']['x-timestamp'], '1.0') + def _make_user_and_sys_acl_headers_data(self): + acl = { + 'admin': ['AUTH_alice', 'AUTH_bob'], + 'read-write': ['AUTH_carol'], + 'read-only': [], + } + user_prefix = 'x-account-' # external, user-facing + user_headers = {(user_prefix + 'access-control'): format_acl( + version=2, acl_dict=acl)} + sys_prefix = get_sys_meta_prefix('account') # internal, system-facing + sys_headers = {(sys_prefix + 'core-access-control'): format_acl( + version=2, acl_dict=acl)} + return user_headers, sys_headers + + def test_account_acl_headers_translated_for_GET_HEAD(self): + # Verify that a GET/HEAD which receives X-Account-Sysmeta-Acl-* headers + # from the account server will remap those headers to X-Account-Acl-* + + hdrs_ext, hdrs_int = self._make_user_and_sys_acl_headers_data() + controller = proxy_server.AccountController(self.app, 'acct') + + for verb in ('GET', 'HEAD'): + req = Request.blank('/v1/acct', environ={'swift_owner': True}) + controller.GETorHEAD_base = lambda *_: Response( + headers=hdrs_int, environ={ + 'PATH_INFO': '/acct', + 'REQUEST_METHOD': verb, + }) + method = getattr(controller, verb) + resp = method(req) + for header, value in hdrs_ext.items(): + if value: + self.assertEqual(resp.headers.get(header), value) + else: + # blank ACLs should result in no header + self.assert_(header not in resp.headers) + + def test_add_acls_impossible_cases(self): + # For test coverage: verify that defensive coding does defend, in cases + # that shouldn't arise naturally + + # add_acls should do nothing if REQUEST_METHOD isn't HEAD/GET/PUT/POST + resp = Response() + controller = proxy_server.AccountController(self.app, 'a') + resp.environ['PATH_INFO'] = '/a' + resp.environ['REQUEST_METHOD'] = 'OPTIONS' + controller.add_acls_from_sys_metadata(resp) + self.assertEqual(1, len(resp.headers)) # we always get Content-Type + self.assertEqual(2, len(resp.environ)) + + def test_memcache_key_impossible_cases(self): + # For test coverage: verify that defensive coding does defend, in cases + # that shouldn't arise naturally + self.assertRaises( + ValueError, + lambda: swift.proxy.controllers.base.get_container_memcache_key( + '/a', None)) + + def test_stripping_swift_admin_headers(self): + # Verify that a GET/HEAD which receives privileged headers from the + # account server will strip those headers for non-swift_owners + + hdrs_ext, hdrs_int = self._make_user_and_sys_acl_headers_data() + headers = { + 'x-account-meta-harmless': 'hi mom', + 'x-account-meta-temp-url-key': 's3kr1t', + } + controller = proxy_server.AccountController(self.app, 'acct') + + for verb in ('GET', 'HEAD'): + for env in ({'swift_owner': True}, {'swift_owner': False}): + req = Request.blank('/v1/acct', environ=env) + controller.GETorHEAD_base = lambda *_: Response( + headers=headers, environ={ + 'PATH_INFO': '/acct', + 'REQUEST_METHOD': verb, + }) + method = getattr(controller, verb) + resp = method(req) + self.assertEqual(resp.headers.get('x-account-meta-harmless'), + 'hi mom') + privileged_header_present = ( + 'x-account-meta-temp-url-key' in resp.headers) + self.assertEqual(privileged_header_present, env['swift_owner']) + if __name__ == '__main__': unittest.main() diff --git a/test/unit/proxy/controllers/test_obj.py b/test/unit/proxy/controllers/test_obj.py index cae62b0..aada616 100755 --- a/test/unit/proxy/controllers/test_obj.py +++ b/test/unit/proxy/controllers/test_obj.py @@ -21,6 +21,7 @@ import mock import swift from swift.proxy import server as proxy_server +from swift.common.swob import HTTPException from test.unit import FakeRing, FakeMemcache, fake_http_connect @@ -44,7 +45,7 @@ class TestObjControllerWriteAffinity(unittest.TestCase): self.app = proxy_server.Application( None, FakeMemcache(), account_ring=FakeRing(), container_ring=FakeRing(), object_ring=FakeRing(max_more_nodes=9)) - self.app.request_node_count = lambda ring: 10000000 + self.app.request_node_count = lambda replicas: 10000000 self.app.sort_nodes = lambda l: l # stop shuffling the primary nodes def test_iter_nodes_local_first_noops_when_no_affinity(self): @@ -107,14 +108,20 @@ class TestObjController(unittest.TestCase): # and now test that we add the header to log_info req = swift.common.swob.Request.blank('/v1/a/c/o') req.headers['x-copy-from'] = 'somewhere' - controller.PUT(req) + try: + controller.PUT(req) + except HTTPException: + pass self.assertEquals( req.environ.get('swift.log_info'), ['x-copy-from:somewhere']) # and then check that we don't do that for originating POSTs req = swift.common.swob.Request.blank('/v1/a/c/o') req.method = 'POST' req.headers['x-copy-from'] = 'elsewhere' - controller.PUT(req) + try: + controller.PUT(req) + except HTTPException: + pass self.assertEquals(req.environ.get('swift.log_info'), None) |