#!/usr/bin/python # Copyright (c) 2015 OpenStack Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. import unittest from six.moves.urllib.parse import urlparse, urlunparse import uuid from random import shuffle from keystoneclient.v3 import client from swiftclient import get_auth, http_connection import test.functional as tf def setUpModule(): tf.setup_package() def tearDownModule(): tf.teardown_package() TEST_CASE_FORMAT = ( 'http_method', 'header', 'account_name', 'container_name', 'object_name', 'prep_container_header', 'reseller_prefix', 'target_user_name', 'auth_user_name', 'service_user_name', 'expected') # http_method : HTTP methods such as PUT, GET, POST, HEAD and so on # header : headers for a request # account_name : Account name. Usually the name will be automatically # created by keystone # container_name : Container name. If 'UUID' is specified, a container # name will be created automatically # object_name : Object name. If 'UUID' is specified, a container # name will be created automatically # prep_container_header : headers which will be set on the container # reseller_prefix : Reseller prefix that will be used for request url. # Can be None or SERVICE to select the user account # prefix or the service prefix respectively # target_user_name : a user name which is used for getting the project id # of the target # auth_user_name : a user name which is used for getting a token for # X-Auth_Token # service_user_name : a user name which is used for getting a token for # X-Service-Token # expected : expected status code # # a combination of account_name, container_name and object_name # represents a target. # +------------+--------------+-----------+---------+ # |account_name|container_name|object_name| target | # +------------+--------------+-----------+---------+ # | None | None | None | account | # +------------+--------------+-----------+---------+ # | None | 'UUID' | None |container| # +------------+--------------+-----------+---------+ # | None | 'UUID' | 'UUID' | object | # +------------+--------------+-----------+---------+ # # The following users are required to run this functional test. # No.6, tester6, is added for this test. # +----+-----------+-------+---------+-------------+ # |No. | Domain |Project|User name| Role | # +----+-----------+-------+---------+-------------+ # | 1 | default | test | tester | admin | # +----+-----------+-------+---------+-------------+ # | 2 | default | test2 | tester2 | admin | # +----+-----------+-------+---------+-------------+ # | 3 | default | test | tester3 | _member_ | # +----+-----------+-------+---------+-------------+ # | 4 |test-domain| test4 | tester4 | admin | # +----+-----------+-------+---------+-------------+ # | 5 | default | test5 | tester5 | service | # +----+-----------+-------+---------+-------------+ # | 6 | default | test | tester6 |ResellerAdmin| # +----+-----------+-------+---------+-------------+ # A scenario of put for account, container and object with # several roles. RBAC_PUT = [ # PUT container in own account: ok ('PUT', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 201), ('PUT', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 201), # PUT container in other users account: not allowed for role admin ('PUT', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 403), ('PUT', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 403), # PUT container in other users account: not allowed for role _member_ ('PUT', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 403), ('PUT', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 403), # PUT container in other users account: allowed for role ResellerAdmin ('PUT', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 201), ('PUT', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 201), ('PUT', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 201), # PUT object in own account: ok ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 201), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 201), # PUT object in other users account: not allowed for role admin ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 403), # PUT object in other users account: not allowed for role _member_ ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 403), # PUT object in other users account: allowed for role ResellerAdmin ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 201), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 201), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 201) ] RBAC_PUT_WITH_SERVICE_PREFIX = [ # PUT container in own account: ok ('PUT', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 201), # PUT container in other users account: not allowed for role service ('PUT', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 403), ('PUT', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 401), ('PUT', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 403), ('PUT', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 403), ('PUT', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 403), # PUT object in own account: ok ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 201), # PUT object in other users account: not allowed for role service ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 401), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 403), # All following actions are using SERVICE prefix # PUT container in own account: ok ('PUT', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 201), # PUT container fails if wrong user, or only one token sent ('PUT', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('PUT', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 403), ('PUT', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('PUT', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 401), # PUT object in own account: ok ('PUT', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 201), # PUT object fails if wrong user, or only one token sent ('PUT', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('PUT', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('PUT', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 401), ] # A scenario of delete for account, container and object with # several roles. RBAC_DELETE = [ # DELETE container in own account: ok ('DELETE', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 204), ('DELETE', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 204), # DELETE container in other users account: not allowed for role admin ('DELETE', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 403), # DELETE container in other users account: not allowed for role _member_ ('DELETE', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 403), # DELETE container in other users account: allowed for role ResellerAdmin ('DELETE', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 204), ('DELETE', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 204), ('DELETE', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 204), # DELETE object in own account: ok ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 204), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 204), # DELETE object in other users account: not allowed for role admin ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 403), # DELETE object in other users account: not allowed for role _member_ ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 403), # DELETE object in other users account: allowed for role ResellerAdmin ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 204), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 204), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 204) ] RBAC_DELETE_WITH_SERVICE_PREFIX = [ # DELETE container in own account: ok ('DELETE', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 204), # DELETE container in other users account: not allowed for role service ('DELETE', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 401), ('DELETE', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 403), ('DELETE', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 403), # DELETE object in own account: ok ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 204), # DELETE object in other users account: not allowed for role service ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 401), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 403), # All following actions are using SERVICE prefix # DELETE container in own account: ok ('DELETE', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # DELETE container fails if wrong user, or only one token sent ('DELETE', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('DELETE', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 403), ('DELETE', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('DELETE', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 401), # DELETE object in own account: ok ('DELETE', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # DELETE object fails if wrong user, or only one token sent ('DELETE', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('DELETE', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('DELETE', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 401) ] # A scenario of get for account, container and object with # several roles. RBAC_GET = [ # GET own account: ok ('GET', None, None, None, None, None, None, 'tester', 'tester', None, 200), ('GET', None, None, None, None, None, None, 'tester', 'tester', 'tester', 200), # GET other users account: not allowed for role admin ('GET', None, None, None, None, None, None, 'tester2', 'tester', None, 403), ('GET', None, None, None, None, None, None, 'tester4', 'tester', None, 403), # GET other users account: not allowed for role _member_ ('GET', None, None, None, None, None, None, 'tester3', 'tester3', None, 403), ('GET', None, None, None, None, None, None, 'tester2', 'tester3', None, 403), ('GET', None, None, None, None, None, None, 'tester4', 'tester3', None, 403), # GET other users account: allowed for role ResellerAdmin ('GET', None, None, None, None, None, None, 'tester6', 'tester6', None, 200), ('GET', None, None, None, None, None, None, 'tester2', 'tester6', None, 200), ('GET', None, None, None, None, None, None, 'tester4', 'tester6', None, 200), # GET container in own account: ok ('GET', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 200), ('GET', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 200), # GET container in other users account: not allowed for role admin ('GET', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 403), # GET container in other users account: not allowed for role _member_ ('GET', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 403), # GET container in other users account: allowed for role ResellerAdmin ('GET', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 200), ('GET', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 200), ('GET', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 200), # GET object in own account: ok ('GET', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 200), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 200), # GET object in other users account: not allowed for role admin ('GET', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 403), # GET object in other users account: not allowed for role _member_ ('GET', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 403), # GET object in other users account: allowed for role ResellerAdmin ('GET', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 200), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 200), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 200) ] RBAC_GET_WITH_SERVICE_PREFIX = [ # GET own account: ok ('GET', None, None, None, None, None, None, 'tester', 'tester', 'tester5', 200), # GET other account: not allowed for role service ('GET', None, None, None, None, None, None, 'tester', 'tester3', 'tester5', 403), ('GET', None, None, None, None, None, None, 'tester', None, 'tester5', 401), ('GET', None, None, None, None, None, None, 'tester5', 'tester5', None, 403), ('GET', None, None, None, None, None, None, 'tester2', 'tester5', None, 403), ('GET', None, None, None, None, None, None, 'tester4', 'tester5', None, 403), # GET container in own account: ok ('GET', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 200), # GET container in other users account: not allowed for role service ('GET', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 403), ('GET', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 401), ('GET', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 403), # GET object in own account: ok ('GET', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 200), # GET object fails if wrong user, or only one token sent ('GET', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 401), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 403), # All following actions are using SERVICE prefix # GET own account: ok ('GET', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester5', 200), # GET other account: not allowed for role service ('GET', None, None, None, None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('GET', None, None, None, None, None, 'SERVICE', 'tester', 'tester', None, 403), ('GET', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('GET', None, None, None, None, None, 'SERVICE', 'tester', None, 'tester5', 401), # GET container in own account: ok ('GET', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 200), # GET container fails if wrong user, or only one token sent ('GET', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('GET', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 403), ('GET', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('GET', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 401), # GET object in own account: ok ('GET', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 200), # GET object fails if wrong user, or only one token sent ('GET', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('GET', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 403), ('GET', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('GET', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 401) ] # A scenario of head for account, container and object with # several roles. RBAC_HEAD = [ # HEAD own account: ok ('HEAD', None, None, None, None, None, None, 'tester', 'tester', None, 204), ('HEAD', None, None, None, None, None, None, 'tester', 'tester', 'tester', 204), # HEAD other users account: not allowed for role admin ('HEAD', None, None, None, None, None, None, 'tester2', 'tester', None, 403), ('HEAD', None, None, None, None, None, None, 'tester4', 'tester', None, 403), # HEAD other users account: not allowed for role _member_ ('HEAD', None, None, None, None, None, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, None, None, None, None, 'tester2', 'tester3', None, 403), ('HEAD', None, None, None, None, None, None, 'tester4', 'tester3', None, 403), # HEAD other users account: allowed for role ResellerAdmin ('HEAD', None, None, None, None, None, None, 'tester6', 'tester6', None, 204), ('HEAD', None, None, None, None, None, None, 'tester2', 'tester6', None, 204), ('HEAD', None, None, None, None, None, None, 'tester4', 'tester6', None, 204), # HEAD container in own account: ok ('HEAD', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 204), ('HEAD', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 204), # HEAD container in other users account: not allowed for role admin ('HEAD', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 403), # HEAD container in other users account: not allowed for role _member_ ('HEAD', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 403), # HEAD container in other users account: allowed for role ResellerAdmin ('HEAD', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 204), ('HEAD', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 204), ('HEAD', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 204), # HEAD object in own account: ok ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 200), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 200), # HEAD object in other users account: not allowed for role admin ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 403), # HEAD object in other users account: not allowed for role _member_ ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 403), # HEAD object in other users account: allowed for role ResellerAdmin ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 200), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 200), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 200) ] RBAC_HEAD_WITH_SERVICE_PREFIX = [ # HEAD own account: ok ('HEAD', None, None, None, None, None, None, 'tester', 'tester', 'tester5', 204), # HEAD other account: not allowed for role service ('HEAD', None, None, None, None, None, None, 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, None, None, None, None, 'tester', None, 'tester5', 401), ('HEAD', None, None, None, None, None, None, 'tester5', 'tester5', None, 403), ('HEAD', None, None, None, None, None, None, 'tester2', 'tester5', None, 403), ('HEAD', None, None, None, None, None, None, 'tester4', 'tester5', None, 403), # HEAD container in own account: ok ('HEAD', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 204), # HEAD container in other users account: not allowed for role service ('HEAD', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 401), ('HEAD', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 403), # HEAD object in own account: ok ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 200), # HEAD object fails if wrong user, or only one token sent ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 401), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 403), # All following actions are using SERVICE prefix # HEAD own account: ok ('HEAD', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # HEAD other account: not allowed for role service ('HEAD', None, None, None, None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, None, None, None, 'SERVICE', 'tester', 'tester', None, 403), ('HEAD', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('HEAD', None, None, None, None, None, 'SERVICE', 'tester', None, 'tester5', 401), # HEAD container in own account: ok ('HEAD', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # HEAD container in other users account: not allowed for role service ('HEAD', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 403), ('HEAD', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('HEAD', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 401), # HEAD object in own account: ok ('HEAD', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 200), # HEAD object fails if wrong user, or only one token sent ('HEAD', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('HEAD', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('HEAD', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 401) ] # A scenario of post for account, container and object with # several roles. RBAC_POST = [ # POST own account: ok ('POST', None, None, None, None, None, None, 'tester', 'tester', None, 204), ('POST', None, None, None, None, None, None, 'tester', 'tester', 'tester', 204), # POST other users account: not allowed for role admin ('POST', None, None, None, None, None, None, 'tester2', 'tester', None, 403), ('POST', None, None, None, None, None, None, 'tester4', 'tester', None, 403), # POST other users account: not allowed for role _member_ ('POST', None, None, None, None, None, None, 'tester3', 'tester3', None, 403), ('POST', None, None, None, None, None, None, 'tester2', 'tester3', None, 403), ('POST', None, None, None, None, None, None, 'tester4', 'tester3', None, 403), # POST other users account: allowed for role ResellerAdmin ('POST', None, None, None, None, None, None, 'tester6', 'tester6', None, 204), ('POST', None, None, None, None, None, None, 'tester2', 'tester6', None, 204), ('POST', None, None, None, None, None, None, 'tester4', 'tester6', None, 204), # POST container in own account: ok ('POST', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 204), ('POST', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 204), # POST container in other users account: not allowed for role admin ('POST', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 403), ('POST', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 403), # POST container in other users account: not allowed for role _member_ ('POST', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 403), ('POST', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 403), # POST container in other users account: allowed for role ResellerAdmin ('POST', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 204), ('POST', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 204), ('POST', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 204), # POST object in own account: ok ('POST', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 202), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 202), # POST object in other users account: not allowed for role admin ('POST', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 403), # POST object in other users account: not allowed for role _member_ ('POST', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 403), # POST object in other users account: allowed for role ResellerAdmin ('POST', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 202), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 202), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 202) ] RBAC_POST_WITH_SERVICE_PREFIX = [ # POST own account: ok ('POST', None, None, None, None, None, None, 'tester', 'tester', 'tester5', 204), # POST own account: ok ('POST', None, None, None, None, None, None, 'tester', 'tester3', 'tester5', 403), ('POST', None, None, None, None, None, None, 'tester', None, 'tester5', 401), ('POST', None, None, None, None, None, None, 'tester5', 'tester5', None, 403), ('POST', None, None, None, None, None, None, 'tester2', 'tester5', None, 403), ('POST', None, None, None, None, None, None, 'tester4', 'tester5', None, 403), # POST container in own account: ok ('POST', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 204), # POST container in other users account: not allowed for role service ('POST', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 403), ('POST', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 401), ('POST', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 403), ('POST', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 403), ('POST', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 403), # POST object in own account: ok ('POST', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 202), # POST object fails if wrong user, or only one token sent ('POST', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 401), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 403), # All following actions are using SERVICE prefix # POST own account: ok ('POST', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # POST other account: not allowed for role service ('POST', None, None, None, None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('POST', None, None, None, None, None, 'SERVICE', 'tester', 'tester', None, 403), ('POST', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('POST', None, None, None, None, None, 'SERVICE', 'tester', None, 'tester5', 401), # POST container in own account: ok ('POST', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 204), # POST container in other users account: not allowed for role service ('POST', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('POST', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 403), ('POST', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('POST', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 401), # POST object in own account: ok ('POST', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 202), # POST object fails if wrong user, or only one token sent ('POST', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 403), ('POST', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 403), ('POST', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 403), ('POST', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 401) ] # A scenario of options for account, container and object with # several roles. RBAC_OPTIONS = [ # OPTIONS request is always ok ('OPTIONS', None, None, None, None, None, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, None, None, None, None, 'tester2', 'tester', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester4', 'tester', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester2', 'tester3', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester4', 'tester3', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester6', 'tester6', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester2', 'tester6', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester4', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester2', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester4', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester2', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester4', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester6', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester2', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester4', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester6', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester6', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester6', None, 200), ('OPTIONS', None, None, None, None, {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, None, None, {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 200), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, None, None, None, None, 'tester', 'tester', None, 200), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, None, None, {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', 'tester', None, 200), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, None, None, {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 200), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', None, None, None, 'tester', 'tester', None, 401), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', None, {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', 'tester', None, 200), # Not OK for container: wrong origin ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', None, {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 401), # Not OK for object: missing X-Container-Meta-Access-Control-Allow-Origin ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', 'UUID', None, None, 'tester', 'tester', None, 401), ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', 'UUID', {"X-Container-Meta-Access-Control-Allow-Origin": "*"}, None, 'tester', None, None, 200), # Not OK for object: wrong origin ('OPTIONS', {"Origin": "http://localhost", "Access-Control-Request-Method": "GET"}, None, 'UUID', 'UUID', {"X-Container-Meta-Access-Control-Allow-Origin": "http://invalid.com"}, None, 'tester', 'tester', None, 401) ] RBAC_OPTIONS_WITH_SERVICE_PREFIX = [ # OPTIONS request is always ok ('OPTIONS', None, None, None, None, None, None, 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, None, None, None, None, 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, None, None, None, None, 'tester', None, 'tester5', 200), ('OPTIONS', None, None, None, None, None, None, 'tester5', 'tester5', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester2', 'tester5', None, 200), ('OPTIONS', None, None, None, None, None, None, 'tester4', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester', None, 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester5', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester2', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester4', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester', None, 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester5', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester2', 'tester5', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester4', 'tester5', None, 200), ('OPTIONS', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, None, None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, None, None, None, 'SERVICE', 'tester', 'tester', None, 200), ('OPTIONS', None, None, None, None, None, 'SERVICE', 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, None, None, None, 'SERVICE', 'tester', None, 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', None, None, 'SERVICE', 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, 'UUID', None, None, 'SERVICE', 'tester', None, 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester3', 'tester5', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', 'tester', 'tester', 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, 'SERVICE', 'tester', None, 'tester5', 200) ] # A scenario of put for container ACL ACL_PUT = [ ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 201), ('PUT', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('PUT', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403) ] # A scenario of delete for container ACL ACL_DELETE = [ ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 204), ('DELETE', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('DELETE', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403) ] # A scenario of get for container ACL ACL_GET = [ ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('GET', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403) ] # A scenario of head for container ACL ACL_HEAD = [ ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 204), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('HEAD', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403) ] # A scenario of post for container ACL ACL_POST = [ ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 403), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202), ('POST', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings', 'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 202) ] # A scenario of options for container ACL ACL_OPTIONS = [ ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', None, None, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '%(test_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': 'test2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '*:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:*,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Read': '.rlistings'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '%(test_id)s'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': 'test2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester3'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:tester2'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '*:*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', {'X-Container-Write': '*'}, None, 'tester3', 'tester3', None, 200), ('OPTIONS', None, None, 'UUID', 'UUID', None, None, 'tester3', 'tester3', None, 200) ] # http_method : HTTP methods such as PUT, GET, POST, HEAD and so on # auth_user_name : a user name which is used for getting a token for # expected : expected status code TEST_CASE_INFO_FORMAT = ('http_method', 'auth_user_name', 'expected') RBAC_INFO_GET = [ ('GET', 'tester', 200), ('GET', 'tester6', 200), ('GET', 'tester3', 200), ('GET', None, 200) ] RBAC_INFO_HEAD = [ ('HEAD', 'tester', 200), ('HEAD', 'tester6', 200), ('HEAD', 'tester3', 200), ('HEAD', None, 200) ] RBAC_INFO_OPTIONS = [ ('OPTIONS', 'tester', 200), ('OPTIONS', 'tester6', 200), ('OPTIONS', 'tester3', 200), ('OPTIONS', None, 200) ] RBAC_INFO_GET_WITH_SERVICE_PREFIX = [ ('GET', 'tester5', 200) ] RBAC_INFO_HEAD_WITH_SERVICE_PREFIX = [ ('HEAD', 'tester5', 200) ] RBAC_INFO_OPTIONS_WITH_SERVICE_PREFIX = [ ('OPTIONS', 'tester5', 200) ] class BaseClient(object): def __init__(self): self._set_users() self.auth_url = tf.swift_test_auth self.insecure = tf.insecure self.auth_version = tf.swift_test_auth_version def _set_users(self): self.users = {} for index in range(6): self.users[tf.swift_test_user[index]] = { 'account': tf.swift_test_tenant[index], 'password': tf.swift_test_key[index], 'domain': tf.swift_test_domain[index]} class KeystoneClient(BaseClient): def get_id_info(self): id_info = {} for user_name, user_info in self.users.items(): if user_name != '': user_id, project_id = self._get_id(user_name) id_info[user_name + '_id'] = user_id id_info[user_info['account'] + '_id'] = project_id return id_info def _get_id(self, user_name): info = self.users.get(user_name) keystone_client = client.Client( auth_url=self.auth_url, version=(self.auth_version,), username=user_name, password=info['password'], project_name=info['account'], project_domain_name=info['domain'], user_domain_name=info['domain']) return keystone_client.user_id, keystone_client.project_id class SwiftClient(BaseClient): _tokens = {} def _get_auth(self, user_name): info = self.users.get(user_name) if info is None: return None, None os_options = {'user_domain_name': info['domain'], 'project_domain_name': info['domain']} authargs = dict(snet=False, tenant_name=info['account'], auth_version=self.auth_version, os_options=os_options, insecure=self.insecure) storage_url, token = get_auth( self.auth_url, user_name, info['password'], **authargs) return storage_url, token def auth(self, user_name): storage_url, token = SwiftClient._tokens.get(user_name, (None, None)) if not token: SwiftClient._tokens[user_name] = self._get_auth(user_name) storage_url, token = SwiftClient._tokens.get(user_name) return storage_url, token def send_request(self, method, url, token=None, headers=None, service_token=None): headers = {} if headers is None else headers.copy() headers.update({'Content-Type': 'application/json', 'Accept': 'application/json'}) if token: headers['X-Auth-Token'] = token if service_token: headers['X-Service-Token'] = service_token if self.insecure: parsed, conn = http_connection(url, insecure=self.insecure) else: parsed, conn = http_connection(url) conn.request(method, parsed.path, headers=headers) resp = conn.getresponse() return resp class BaseTestAC(unittest.TestCase): def setUp(self): self.reseller_admin = tf.swift_test_user[5] self.client = SwiftClient() def _create_resource_url(self, storage_url, account=None, container=None, obj=None, reseller_prefix=None): # e.g. # storage_url = 'http://localhost/v1/AUTH_xxx' # storage_url_list[:-1] is ['http:', '', 'localhost', 'v1'] # storage_url_list[-1] is 'AUTH_xxx' storage_url_list = storage_url.rstrip('/').split('/') base_url = '/'.join(storage_url_list[:-1]) if account is None: account = storage_url_list[-1] if reseller_prefix == 'SERVICE': # replace endpoint reseller prefix with service reseller prefix i = (account.index('_') + 1) if '_' in account else 0 account = tf.swift_test_service_prefix + account[i:] return '/'.join([part for part in (base_url, account, container, obj) if part]) def _put_container(self, storage_url, token, test_case): resource_url = self._create_resource_url( storage_url, test_case['account_name'], test_case['container_name'], reseller_prefix=test_case['reseller_prefix']) self.created_resources.append(resource_url) self.client.send_request('PUT', resource_url, token, headers=test_case['prep_container_header']) def _put_object(self, storage_url, token, test_case): resource_url = self._create_resource_url( storage_url, test_case['account_name'], test_case['container_name'], test_case['object_name'], reseller_prefix=test_case['reseller_prefix']) self.created_resources.append(resource_url) self.client.send_request('PUT', resource_url, token) def _get_storage_url_and_token(self, storage_url_user, token_user): storage_url, _junk = self.client.auth(storage_url_user) _junk, token = self.client.auth(token_user) return storage_url, token def _prepare(self, test_case): storage_url, reseller_token = self._get_storage_url_and_token( test_case['target_user_name'], self.reseller_admin) if test_case['http_method'] in ('GET', 'POST', 'DELETE', 'HEAD', 'OPTIONS'): temp_test_case = test_case.copy() if test_case['container_name'] is None: # When the target is for account, dummy container will be # created to create an account. This account is created by # account_autocreate. temp_test_case['container_name'] = uuid.uuid4().hex self._put_container(storage_url, reseller_token, temp_test_case) if test_case['object_name']: self._put_object(storage_url, reseller_token, test_case) elif test_case['http_method'] in ('PUT',): if test_case['object_name']: self._put_container(storage_url, reseller_token, test_case) def _execute(self, test_case): storage_url, token = self._get_storage_url_and_token( test_case['target_user_name'], test_case['auth_user_name']) service_user = test_case['service_user_name'] service_token = (None if service_user is None else self.client.auth(service_user)[1]) resource_url = self._create_resource_url( storage_url, test_case['account_name'], test_case['container_name'], test_case['object_name'], test_case['reseller_prefix']) if test_case['http_method'] in ('PUT'): self.created_resources.append(resource_url) resp = self.client.send_request(test_case['http_method'], resource_url, token, headers=test_case['header'], service_token=service_token) return resp.status def _cleanup(self): _junk, reseller_token = self.client.auth(self.reseller_admin) for resource_url in reversed(self.created_resources): resp = self.client.send_request('DELETE', resource_url, reseller_token) self.assertIn(resp.status, (204, 404)) def _convert_data(self, data): test_case = dict(zip(TEST_CASE_FORMAT, data)) if test_case['container_name'] == 'UUID': test_case['container_name'] = uuid.uuid4().hex if test_case['object_name'] == 'UUID': test_case['object_name'] = uuid.uuid4().hex return test_case def _run_scenario(self, scenario): for data in scenario: test_case = self._convert_data(data) self.created_resources = [] try: self._prepare(test_case) result = self._execute(test_case) self.assertEqual(test_case['expected'], result, 'Expected %s but got %s for test case %s' % (test_case['expected'], result, test_case)) finally: self._cleanup() class TestRBAC(BaseTestAC): def test_rbac(self): if any((tf.skip, tf.skip2, tf.skip3, tf.skip_if_not_v3, tf.skip_if_no_reseller_admin)): raise unittest.SkipTest scenario_rbac = RBAC_PUT + RBAC_DELETE + RBAC_GET +\ RBAC_HEAD + RBAC_POST + RBAC_OPTIONS shuffle(scenario_rbac) self._run_scenario(scenario_rbac) def test_rbac_with_service_prefix(self): if any((tf.skip, tf.skip2, tf.skip3, tf.skip_if_not_v3, tf.skip_service_tokens, tf.skip_if_no_reseller_admin)): raise unittest.SkipTest scenario_rbac = RBAC_PUT_WITH_SERVICE_PREFIX +\ RBAC_DELETE_WITH_SERVICE_PREFIX +\ RBAC_GET_WITH_SERVICE_PREFIX +\ RBAC_HEAD_WITH_SERVICE_PREFIX +\ RBAC_POST_WITH_SERVICE_PREFIX +\ RBAC_OPTIONS_WITH_SERVICE_PREFIX shuffle(scenario_rbac) self._run_scenario(scenario_rbac) class TestRBACInfo(BaseTestAC): def _get_info_url(self): storage_url, _junk = self.client.auth(self.reseller_admin) parsed_url = urlparse(storage_url) info_url_parts = ( parsed_url.scheme, parsed_url.netloc, '/info', '', '', '') return urlunparse(info_url_parts) def _prepare(self, test_case): pass def _execute(self, test_case): _junk, token = \ self.client.auth(test_case['auth_user_name']) resp = self.client.send_request(test_case['http_method'], self.info_url, token) return resp.status def _cleanup(self): pass def _convert_data(self, data): test_case = dict(zip(TEST_CASE_INFO_FORMAT, data)) return test_case def test_rbac_info(self): if any((tf.skip, tf.skip2, tf.skip3, tf.skip_if_not_v3, tf.skip_if_no_reseller_admin)): raise unittest.SkipTest self.info_url = self._get_info_url() scenario_rbac_info = RBAC_INFO_GET + RBAC_INFO_HEAD + RBAC_INFO_OPTIONS shuffle(scenario_rbac_info) self._run_scenario(scenario_rbac_info) def test_rbac_info_with_service_prefix(self): if any((tf.skip, tf.skip2, tf.skip3, tf.skip_if_not_v3, tf.skip_service_tokens, tf.skip_if_no_reseller_admin)): raise unittest.SkipTest self.info_url = self._get_info_url() scenario_rbac_info = RBAC_INFO_GET_WITH_SERVICE_PREFIX +\ RBAC_INFO_HEAD_WITH_SERVICE_PREFIX +\ RBAC_INFO_OPTIONS_WITH_SERVICE_PREFIX shuffle(scenario_rbac_info) self._run_scenario(scenario_rbac_info) class TestContainerACL(BaseTestAC): def _convert_data(self, data): test_case = super(TestContainerACL, self)._convert_data(data) prep_container_header = test_case['prep_container_header'] if prep_container_header is not None: for header, header_val in prep_container_header.items(): prep_container_header[header] = header_val % self.id_info return test_case def test_container_acl(self): if any((tf.skip, tf.skip2, tf.skip3, tf.skip_if_not_v3, tf.skip_if_no_reseller_admin)): raise unittest.SkipTest self.id_info = KeystoneClient().get_id_info() scenario_container_acl = ACL_PUT + ACL_DELETE + ACL_GET +\ ACL_HEAD + ACL_POST + ACL_OPTIONS shuffle(scenario_container_acl) self._run_scenario(scenario_container_acl) if __name__ == '__main__': unittest.main()