Use role in insensitive case in keystoneauth.

Using insensitive case could tolerate human error. For example, user maybe set like this "operator_roles = Admin, swiftoperator" - also fix a mistake in test, ['admin'] is correct value for roles, not 'admin' (it will be looped as ['a', 'd', 'm', 'i', 'n']) - add test for insensitive cases Fixes: bug #1013120 Change-Id: I56d71da8bc503e48e92dd743692ba6fc237f029e
2013-03-18 13:15:09 +08:00 · 2013-03-18 13:15:09 +08:00 · 7dd966192a
commit 7dd966192a
parent 85b7346808
2 changed files with 19 additions and 6 deletions
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@ -81,9 +81,9 @@ class KeystoneAuth(object):
        self.logger = swift_utils.get_logger(conf, log_route='keystoneauth')
        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH_').strip()
        self.operator_roles = conf.get('operator_roles',
-                                       'admin, swiftoperator')
+                                       'admin, swiftoperator').lower()
        self.reseller_admin_role = conf.get('reseller_admin_role',
-                                            'ResellerAdmin')
+                                            'ResellerAdmin').lower()
        config_is_admin = conf.get('is_admin', "false").lower()
        self.is_admin = swift_utils.config_true_value(config_is_admin)
        config_overrides = conf.get('allow_overrides', 't').lower()
@ -106,7 +106,8 @@ class KeystoneAuth(object):
            environ['keystone.identity'] = identity
            environ['REMOTE_USER'] = identity.get('tenant')
            environ['swift.authorize'] = self.authorize
-            if self.reseller_admin_role in identity.get('roles', []):
+            user_roles = (r.lower() for r in identity.get('roles', []))
+            if self.reseller_admin_role in user_roles:
                environ['reseller_request'] = True
        else:
            self.logger.debug('Authorizing as anonymous')
@ -175,7 +176,7 @@ class KeystoneAuth(object):
        except ValueError:
            return HTTPNotFound(request=req)

-        user_roles = env_identity.get('roles', [])
+        user_roles = [r.lower() for r in env_identity.get('roles', [])]

        # Give unconditional access to a user with the reseller_admin
        # role.
@ -230,7 +231,7 @@ class KeystoneAuth(object):

        # Check if we have the role in the userroles and allow it
        for user_role in user_roles:
-            if user_role in roles:
+            if user_role in (r.lower() for r in roles):
                log_msg = 'user %s:%s allowed in ACL: %s authorizing'
                self.logger.debug(log_msg % (tenant_name, user, user_role))
                return
--- a/test/unit/common/middleware/test_keystoneauth.py
+++ b/test/unit/common/middleware/test_keystoneauth.py
@ -206,8 +206,20 @@ class TestAuthorize(unittest.TestCase):
        req = self._check_authenticate(identity=identity)
        self.assertTrue(req.environ.get('swift_owner'))

+    def test_authorize_succeeds_for_insensitive_reseller_admin(self):
+        roles = [self.test_auth.reseller_admin_role.upper()]
+        identity = self._get_identity(roles=roles)
+        req = self._check_authenticate(identity=identity)
+        self.assertTrue(req.environ.get('swift_owner'))
+
    def test_authorize_succeeds_as_owner_for_operator_role(self):
-        roles = self.test_auth.operator_roles.split(',')[0]
+        roles = self.test_auth.operator_roles.split(',')
+        identity = self._get_identity(roles=roles)
+        req = self._check_authenticate(identity=identity)
+        self.assertTrue(req.environ.get('swift_owner'))
+
+    def test_authorize_succeeds_as_owner_for_insensitive_operator_role(self):
+        roles = [r.upper() for r in self.test_auth.operator_roles.split(',')]
        identity = self._get_identity(roles=roles)
        req = self._check_authenticate(identity=identity)
        self.assertTrue(req.environ.get('swift_owner'))