Added public/private urls for swauth default swift cluster setting

etc/proxy-server.conf-sample

@@ -69,6 +69,12 @@ use = egg:swift#swauth
 # Cluster strings are of the format name:url where name is a short name for the
 # Swift cluster and url is the url to the proxy server(s) for the cluster.
 # default_swift_cluster = local:http://127.0.0.1:8080/v1
+# You may also use the format name::url::url where the first url is the one
+# given to users to access their account (public url) and the second is the one
+# used by swauth itself to create and delete accounts (private url). This is
+# useful when a load balancer url should be used by users, but swauth itself is
+# behind the load balancer. Example:
+# default_swift_cluster = local::https://public.com:8080/v1::http://private.com:8080/v1
 # token_life = 86400
 # node_timeout = 10
 # Highly recommended to change this.

swift/common/middleware/swauth.py

@@ -61,12 +61,32 @@ class Swauth(object):
             self.auth_prefix += '/'
         self.auth_account = '%s.auth' % self.reseller_prefix
         self.default_swift_cluster = conf.get('default_swift_cluster',
-            'local:http://127.0.0.1:8080/v1').rstrip('/')
-        self.dsc_name, self.dsc_url = self.default_swift_cluster.split(':', 1)
+            'local:http://127.0.0.1:8080/v1')
+        # This setting is a little messy because of the options it has to
+        # provide. The basic format is cluster_name:url, such as the default
+        # value of local:http://127.0.0.1:8080/v1. But, often the url given to
+        # the user needs to be different than the url used by Swauth to
+        # create/delete accounts. So there's a more complex format of
+        # cluster_name::url::url, such as
+        # local::https://public.com:8080/v1::http://private.com:8080/v1.
+        # The double colon is what sets the two apart.
+        if '::' in self.default_swift_cluster:
+            self.dsc_name, self.dsc_url, self.dsc_url2 = \
+                self.default_swift_cluster.split('::', 2)
+            self.dsc_url = self.dsc_url.rstrip('/')
+            self.dsc_url2 = self.dsc_url2.rstrip('/')
+        else:
+            self.dsc_name, self.dsc_url = \
+                self.default_swift_cluster.split(':', 1)
+            self.dsc_url = self.dsc_url2 = self.dsc_url.rstrip('/')
         self.dsc_parsed = urlparse(self.dsc_url)
         if self.dsc_parsed.scheme not in ('http', 'https'):
             raise Exception('Cannot handle protocol scheme %s for url %s' %
                             (self.dsc_parsed.scheme, repr(self.dsc_url)))
+        self.dsc_parsed2 = urlparse(self.dsc_url2)
+        if self.dsc_parsed2.scheme not in ('http', 'https'):
+            raise Exception('Cannot handle protocol scheme %s for url %s' %
+                            (self.dsc_parsed2.scheme, repr(self.dsc_url2)))
         self.super_admin_key = conf.get('super_admin_key')
         if not self.super_admin_key:
             msg = _('No super_admin_key set in conf file! Exiting.')
@@ -559,12 +579,12 @@ class Swauth(object):
         if not account_suffix:
             account_suffix = str(uuid4())
         # Create the new account in the Swift cluster
-        path = quote('%s/%s%s' % (self.dsc_parsed.path,
+        path = quote('%s/%s%s' % (self.dsc_parsed2.path,
                                   self.reseller_prefix, account_suffix))
         try:
             conn = self.get_conn()
             conn.request('PUT', path,
-                         headers={'X-Auth-Token': self.get_itoken(req.environ)})
+                        headers={'X-Auth-Token': self.get_itoken(req.environ)})
             resp = conn.getresponse()
             resp.read()
             if resp.status // 100 != 2:
@@ -573,9 +593,9 @@ class Swauth(object):
         except:
             self.logger.error(_('ERROR: Exception while trying to communicate '
                 'with %(scheme)s://%(host)s:%(port)s/%(path)s'),
-                {'scheme': self.dsc_parsed.scheme,
-                 'host': self.dsc_parsed.hostname,
-                 'port': self.dsc_parsed.port, 'path': path})
+                {'scheme': self.dsc_parsed2.scheme,
+                 'host': self.dsc_parsed2.hostname,
+                 'port': self.dsc_parsed2.port, 'path': path})
             raise
         # Record the mapping from account id back to account name
         path = quote('/v1/%s/.account_id/%s%s' %

test/unit/common/middleware/test_swauth.py

@@ -161,8 +161,13 @@ class TestAuth(unittest.TestCase):
                           'local:http://host/path')
         ath = auth.filter_factory({'super_admin_key': 'supertest',
             'default_swift_cluster': 'local:https://host/path/'})(app)
-        self.assertEquals(ath.default_swift_cluster,
-                          'local:https://host/path')
+        self.assertEquals(ath.dsc_url, 'https://host/path')
+        self.assertEquals(ath.dsc_url2, 'https://host/path')
+        ath = auth.filter_factory({'super_admin_key': 'supertest',
+            'default_swift_cluster':
+                'local::https://host/path/::http://host2/path2/'})(app)
+        self.assertEquals(ath.dsc_url, 'https://host/path')
+        self.assertEquals(ath.dsc_url2, 'http://host2/path2')
 
     def test_top_level_ignore(self):
         resp = Request.blank('/').get_response(self.test_auth)
@@ -3095,7 +3100,8 @@ class TestAuth(unittest.TestCase):
                      'X-Auth-Admin-Key': 'bad'}), 'act'))
 
     def test_reseller_admin_but_account_is_internal_use_only(self):
-        req = Request.blank('/v1/AUTH_.auth', environ={'REQUEST_METHOD': 'GET'})
+        req = Request.blank('/v1/AUTH_.auth',
+                            environ={'REQUEST_METHOD': 'GET'})
         req.remote_user = 'act:usr,act,.reseller_admin'
         resp = self.test_auth.authorize(req)
         self.assertEquals(resp.status_int, 403)