From 2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0 Mon Sep 17 00:00:00 2001 From: Prashanth Pai Date: Fri, 5 Aug 2016 14:25:08 +0530 Subject: s3: Make s3 support configurable Amazon S3 compatibility: This change makes S3 support tunable using a config option and is turned off by default. This is a manual backport of this upstream swauth change: https://review.openstack.org/#/c/326336/ Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17 Signed-off-by: Prashanth Pai Reviewed-on: http://review.gluster.org/15098 Reviewed-by: Thiago da Silva Tested-by: Thiago da Silva --- .../middleware/gswauth/swauth/test_middleware.py | 39 +++++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) (limited to 'test') diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py index e8c2001..608dba4 100644 --- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py +++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py @@ -4836,15 +4836,41 @@ class TestAuth(unittest.TestCase): resp.body, 'Token exceeds maximum length.') - def test_crazy_authorization(self): + def test_s3_authorization_default_off(self): + self.assertFalse(self.test_auth.s3_support) req = self._make_request('/v1/AUTH_account', headers={ - 'authorization': 'somebody elses header value'}) + 'authorization': 's3_header'}) resp = req.get_response(self.test_auth) - self.assertEquals(resp.status_int, 401) - self.assertEquals(resp.environ['swift.authorize'], - self.test_auth.denied_response) + self.assertEqual(resp.status_int, 400) # HTTPBadRequest + self.assertTrue(resp.environ.get('swift.authorize') is None) + + def test_s3_turned_off_get_groups(self): + env = \ + {'HTTP_AUTHORIZATION': 's3 header'} + token = 'whatever' + self.test_auth.logger = mock.Mock() + self.assertEqual(self.test_auth.get_groups(env, token), None) + + def test_s3_enabled_when_conditions_are_met(self): + # auth_type_salt needs to be set + for atype in ('Sha1', 'Sha512'): + test_auth = \ + auth.filter_factory({ + 'super_admin_key': 'supertest', + 's3_support': 'on', + 'auth_type_salt': 'blah', + 'auth_type': atype})(FakeApp()) + self.assertTrue(test_auth.s3_support) + # auth_type_salt need not be set for Plaintext + test_auth = \ + auth.filter_factory({ + 'super_admin_key': 'supertest', + 's3_support': 'on', + 'auth_type': 'Plaintext'})(FakeApp()) + self.assertTrue(test_auth.s3_support) def test_s3_creds_unicode(self): + self.test_auth.s3_support = True self.test_auth.app = FakeApp(iter([ ('200 Ok', {}, json.dumps({"auth": unicode("plaintext:key)"), @@ -4857,8 +4883,10 @@ class TestAuth(unittest.TestCase): token = 'UFVUCgoKRnJpLCAyNiBGZWIgMjAxNiAwNjo0NT'\ 'ozNCArMDAwMAovY29udGFpbmVyMw==' self.assertEqual(self.test_auth.get_groups(env, token), None) + self.test_auth.s3_support = False def test_s3_only_hash_passed_to_hmac(self): + self.test_auth.s3_support = True key = 'dadada' salt = 'zuck' key_hash = hashlib.sha1('%s%s' % (salt, key)).hexdigest() @@ -4880,6 +4908,7 @@ class TestAuth(unittest.TestCase): self.assertTrue(mock_hmac_new.called) # Assert that string passed to hmac.new is only the hash self.assertEqual(mock_hmac_new.call_args[0][0], key_hash) + self.test_auth.s3_support = False -- cgit