Add tests and doc entry for request.environ[reseller_request]

The recent account_quotas (https://review.openstack.org/23434) patch added a new setting request.environ[reseller_request]. This patch adds tests for tempauth and keystoneauth as well as an updated overview_auth.rst. Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6
2013-03-08 19:33:27 +01:00 · 2013-03-08 19:33:27 +01:00 · 157c3c91ee
parent 5e427e5e3b
commit 157c3c91ee
4 changed files with 28 additions and 0 deletions
--- a/1
+++ b/1
@ -79,6 +79,7 @@ Felipe Reyes (freyes@tty.cl)
 Li Riqiang (lrqrun@gmail.com)
 Victor Rodionov (victor.rodionov@nexenta.com)
 Brent Roskos (broskos@internap.com)
+Christian Schwede (info@cschwede.de)
 Michael Shuler (mshuler@rackspace.com)
 Andrew Clay Shafer (acs@parvuscaptus.com)
 Scott Simpson (sasimpson@gmail.com)
--- a/doc/source/overview_auth.rst
+++ b/doc/source/overview_auth.rst
@ -39,6 +39,11 @@ Additionally, if the auth system sets the request environ's swift_owner key to
 True, the proxy will return additional header information in some requests,
 such as the X-Container-Sync-Key for a container GET or HEAD.

+Users with the special group ``.reseller_admin`` can operate on any account.
+For an example usage please see :mod:`swift.common.middleware.tempauth`.
+If a request is coming from a reseller the auth system sets the request environ
+reseller_request to True. This can be used by other middlewares.
+
 TempAuth will now allow OPTIONS requests to go through without a token.

 The user starts a session by sending a ReST request to the auth system to
@ -130,6 +135,11 @@ This user who have one of those role will be able to give ACLs to
 other users on containers, see the documentation on ACL here
 :mod:`swift.common.middleware.acl`.

+Users with the Keystone role defined in ``reseller_admin_role``
+(``ResellerAdmin`` by default) can operate on any account. The auth system
+sets the request environ reseller_request to True if a request is coming
+from an user with this role. This can be used by other middlewares.
+
 --------------
 Extending Auth
 --------------
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@ -79,6 +79,13 @@ class SwiftAuth(unittest.TestCase):
        resp = req.get_response(self._get_successful_middleware())
        self.assertEqual(resp.status_int, 200)

+    def test_detect_reseller_request(self):
+        role = self.test_auth.reseller_admin_role
+        headers = self._get_identity_headers(role=role)
+        req = self._make_request('/v1/AUTH_acct/c', headers)
+        resp = req.get_response(self._get_successful_middleware())
+        self.assertTrue(req.environ.get('reseller_request'))
+
    def test_confirmed_identity_is_not_authorized(self):
        headers = self._get_identity_headers()
        req = self._make_request('/v1/AUTH_acct/c', headers)
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
@ -16,6 +16,7 @@
 import unittest
 from contextlib import contextmanager
 from base64 import b64encode
+from time import time

 from swift.common.middleware import tempauth as auth
 from swift.common.swob import Request, Response
@ -327,6 +328,15 @@ class TestAuth(unittest.TestCase):
        req.acl = '.r:.example.com,.rlistings'
        self.assertEquals(self.test_auth.authorize(req), None)

+    def test_detect_reseller_request(self):
+        req = self._make_request('/v1/AUTH_admin',
+                                 headers={'X-Auth-Token': 'AUTH_t'})
+        cache_key = 'AUTH_/token/AUTH_t'
+        cache_entry = (time()+3600, '.reseller_admin')
+        req.environ['swift.cache'].set(cache_key, cache_entry)
+        resp = req.get_response(self.test_auth)
+        self.assertTrue(req.environ.get('reseller_request', False))
+
    def test_account_put_permissions(self):
        req = self._make_request('/v1/AUTH_new',
                                 environ={'REQUEST_METHOD': 'PUT'})