openstack/puppet-swift
Code Issues Proposed changes

Add tempauth middleware options

Browse Source 
Tempauth middleware template included only example entries

This commit provides most options to configure tempauth middleware,
especialy an array of accounts/users hash which defines the authenticated
list available by tempauth

It's add by default the admin account/user
  user_admin_admin = admin .admin .reseller_admin

Change-Id: Ib67d7deeeb2f98a464d18813ae4569c28a04472a
This commit is contained in:
Guilherme Maluf 2015-07-28 16:55:48 -03:00
parent da4a0dd2ae
commit 62ba90a475
4 changed files with 250 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
manifests/proxy/tempauth.pp
View File

@ -1,6 +1,107 @@
# == class: swift::proxy::tempauth
# This class manage tempauth middleware
#
class swift::proxy::tempauth() {
# [*reseller_prefix*]
# The naming scope for the auth service. Swift storage accounts and
# auth tokens will begin with this prefix.
# Optional. Defaults to 'undef'
# Example: 'AUTH'.
#
# [*auth_prefix*]
# The HTTP request path prefix for the auth service. Swift itself
# reserves anything beginning with the letter v.
# Optional. Defaults to 'undef'
# Example: '/auth/'
#
# [*token_life*]
# The number of seconds a token is valid.
# Optional. Integer value. Defaults to 'undef'.
# Example: 81600
#
# [*allow_overrides*]
# Allows middleware higher in the WSGI pipeline to override auth
# processing
# Optional. Boolean. Defaults to 'undef'
# Example: true
#
# [*storage_url_scheme*]
# Scheme to return with storage urls: http, https, or default
# Optional. Possible values: http, https or default. Defaults to 'undef'
#
# [*account_user_list*]
# List all the accounts/users you want in an array of hash format.
# 'user' and 'account' should not include '_' (TODO).
# Defaults to:
# account_user_list => [
# {
# 'user' => 'admin',
# 'account' => 'admin',
# 'key' => 'admin',
# 'groups' => [ 'admin', 'reseller_admin' ],
# }
# ]
#
# Example of two account/user:
# account_user_list => [
# {
# 'user' => 'admin',
# 'account' => 'admin',
# 'key' => 'admin',
# 'groups' => [ 'admin', 'reseller_admin' ],
# },
# {
# 'user' => 'foo',
# 'account' => 'bar',
# 'key' => 'pass',
# 'groups' => [],
# },
# ]
#
# it will gerenate these lines
# user_admin_admin = admin .admin .reseller_admin
# user_bar_foo = pass
#
# == Authors
#
# Guilherme Maluf Balzana <guimalufb@gmail.com>
#
class swift::proxy::tempauth (
$account_user_list = [
{
'user' => 'admin',
'account' => 'admin',
'key' => 'admin',
'groups' => [ 'admin', 'reseller_admin' ],
},
],
$reseller_prefix = undef,
$auth_prefix = undef,
$token_life = undef,
$allow_overrides = undef,
$storage_url_scheme = undef,
) {
validate_array($account_user_list)
if ($reseller_prefix) {
validate_string($reseller_prefix)
}
if ($token_life) {
validate_integer($token_life)
}
if ($auth_prefix) {
validate_re($auth_prefix,'\/(.*)+\/')
}
if ($allow_overrides) {
validate_bool($allow_overrides)
}
if ($storage_url_scheme) {
validate_re($storage_url_scheme, ['http','https','default'])
}
concat::fragment { 'swift-proxy-swauth':
target => '/etc/swift/proxy-server.conf',

103
spec/classes/swift_proxy_tempauth_spec.rb Normal file
View File

@ -0,0 +1,103 @@
require 'spec_helper'
describe 'swift::proxy::tempauth' do
let :default_params do {
'account_user_list' => [
{
'user' => 'admin',
'account' => 'admin',
'key' => 'admin',
'groups' => [ 'admin', 'reseller_admin' ],
},
]
}
end
let :params do default_params end
let :pre_condition do
'class { "concat::setup": }
concat { "/etc/swift/proxy-server.conf": }'
end
let :fragment_file do
"/var/lib/puppet/concat/_etc_swift_proxy-server.conf/fragments/01_swift-proxy-swauth"
end
it { is_expected.to contain_file(fragment_file).with_content(/[filter:tempauth]/) }
it { is_expected.to contain_file(fragment_file).with_content(/use = egg:swift#tempauth/) }
it { is_expected.to_not contain_file(fragment_file).with_content(/reseller_prefix/) }
it { is_expected.to_not contain_file(fragment_file).with_content(/token_life/) }
it { is_expected.to_not contain_file(fragment_file).with_content(/auth_prefix/) }
it { is_expected.to_not contain_file(fragment_file).with_content(/storage_url_scheme/) }
it { is_expected.to contain_file(fragment_file).with_content(
/user_admin_admin = admin \.admin \.reseller_admin/
) }
context 'declaring two users' do
let :params do {
'account_user_list' => [
{
'user' => 'admin',
'account' => 'admin',
'key' => 'admin',
'groups' => [ 'admin', 'reseller_admin' ],
},
{
'user' => 'foo',
'account' => 'bar',
'key' => 'pass',
'groups' => [ 'reseller_admin' ],
},
]
} end
it { is_expected.to contain_file(fragment_file).with_content(
/user_admin_admin = admin \.admin \.reseller_admin/
) }
it { is_expected.to contain_file(fragment_file).with_content(
/user_bar_foo = pass \.reseller_admin/
) }
end
context 'when group is empty' do
let :params do {
'account_user_list' => [
{
'user' => 'admin',
'account' => 'admin',
'key' => 'admin',
'groups' => [],
},
]
} end
it { is_expected.to contain_file(fragment_file).with_content(
/user_admin_admin = admin $/
) }
end
context 'when undef params are set' do
let :params do {
'reseller_prefix' => 'auth',
'token_life' => 81600,
'auth_prefix' => '/auth/',
'storage_url_scheme' => 'http',
}.merge(default_params)
end
it { is_expected.to contain_file(fragment_file).with_content(/reseller_prefix = AUTH/) }
it { is_expected.to contain_file(fragment_file).with_content(/token_life = 81600/) }
it { is_expected.to contain_file(fragment_file).with_content(/auth_prefix = \/auth\//) }
it { is_expected.to contain_file(fragment_file).with_content(/storage_url_scheme = http/) }
describe "invalid params" do
['account_user_list', 'token_life', 'auth_prefix', 'storage_url_scheme'].each do |param|
let :params do { param => 'foobar' }.merge(default_params) end
it "invalid #{param} should fail" do
expect { catalogue }.to raise_error(Puppet::Error)
end
end
end
end
end

20
templates/proxy/tempauth.conf.erb
View File

@ -1,8 +1,18 @@
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3
<% if @reseller_prefix -%>
reseller_prefix = <%= @reseller_prefix.upcase %>
<%end -%>
<% if @token_life -%>
token_life = <%= @token_life %>
<%end -%>
<% if @auth_prefix -%>
auth_prefix = <%= @auth_prefix %>
<%end -%>
<% if @storage_url_scheme -%>
storage_url_scheme = <%= @storage_url_scheme %>
<%end -%>
<% @account_user_list.each do |user| %>
user_<%= user['account'] %>_<%= user['user'] %> = <%= user['key'] %> <%= user['groups'].map { |g| '.' + g }.join(' ') %>
<% end %>

31
tests/all.pp
View File

@ -59,4 +59,33 @@ class { '::swift::proxy':
account_autocreate => true,
require => Class['swift::ringbuilder'],
}
class { ['::swift::proxy::healthcheck', '::swift::proxy::cache', '::swift::proxy::tempauth']: }
class { ['::swift::proxy::healthcheck', '::swift::proxy::cache']: }
class { '::swift::proxy::tempauth':
account_user_list => [
{
'user' => 'admin',
'account' => 'admin',
'key' => 'admin',
'groups' => [ 'admin', 'reseller_admin' ],
},
{
'user' => 'tester',
'account' => 'test',
'key' => 'testing',
'groups' => ['admin'],
},
{
'user' => 'tester2',
'account' => 'test2',
'key' => 'testing2',
'groups' => ['admin'],
},
{
'user' => 'tester',
'account' => 'test',
'key' => 'testing3',
'groups' => [],
},
]
}