
#!/usr/bin/python
# Copyright (c) 2015 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import unittest
from six.moves.urllib.parse import urlparse, urlunparse
import uuid
from random import shuffle
try:
from keystoneclient.v3 import ksc
except ImportError:
ksc = None
from swiftclient import get_auth, http_connection
import test.functional as tf
def setUpModule():
    """unittest module-level fixture hook; delegates to tf.setup_package()."""
    tf.setup_package()
def tearDownModule():
    """unittest module-level teardown hook; delegates to tf.teardown_package()."""
    tf.teardown_package()
# Field names for one RBAC test case. Every row of the RBAC_* tables in this
# file carries one value per name, in exactly this order.
TEST_CASE_FORMAT = (
    'http_method',
    'header',
    'account_name',
    'container_name',
    'object_name',
    'prep_container_header',
    'reseller_prefix',
    'target_user_name',
    'auth_user_name',
    'service_user_name',
    'expected',
)
# http_method : HTTP methods such as PUT, GET, POST, HEAD and so on
# header : headers for a request
# account_name : Account name. Usually the name will be automatically
# created by keystone
# container_name : Container name. If 'UUID' is specified, a container
# name will be created automatically
# object_name : Object name. If 'UUID' is specified, an object
# name will be created automatically
# prep_container_header : headers which will be set on the container
# reseller_prefix : Reseller prefix that will be used for request url.
# Can be None or SERVICE to select the user account
# prefix or the service prefix respectively
# target_user_name : a user name which is used for getting the project id
# of the target
# auth_user_name : a user name which is used for getting a token for
# X-Auth-Token
# service_user_name : a user name which is used for getting a token for
# X-Service-Token
# expected : expected status code
#
# a combination of account_name, container_name and object_name
# represents a target.
# +------------+--------------+-----------+---------+
# |account_name|container_name|object_name| target |
# +------------+--------------+-----------+---------+
# | None | None | None | account |
# +------------+--------------+-----------+---------+
# | None | 'UUID' | None |container|
# +------------+--------------+-----------+---------+
# | None | 'UUID' | 'UUID' | object |
# +------------+--------------+-----------+---------+
#
# The following users are required to run this functional test.
# No.6, tester6, is added for this test.
# +----+-----------+-------+---------+-------------+
# |No. | Domain |Project|User name| Role |
# +----+-----------+-------+---------+-------------+
# | 1 | default | test | tester | admin |
# +----+-----------+-------+---------+-------------+
# | 2 | default | test2 | tester2 | admin |
# +----+-----------+-------+---------+-------------+
# | 3 | default | test | tester3 | _member_ |
# +----+-----------+-------+---------+-------------+
# | 4 |test-domain| test4 | tester4 | admin |
# +----+-----------+-------+---------+-------------+
# | 5 | default | test5 | tester5 | service |
# +----+-----------+-------+---------+-------------+
# | 6 | default | test | tester6 |ResellerAdmin|
# +----+-----------+-------+---------+-------------+
# A scenario of put for account, container and object with
# several roles.
#
# Rows follow TEST_CASE_FORMAT. Every row uses the default reseller prefix
# (reseller_prefix is None) and targets a generated 'UUID' container, plus a
# generated 'UUID' object in the object cases.
#
# Access boundary pinned by this table:
#   * admin (tester) gets 201 only on its own project; test2 and the
#     test-domain project test4 are denied with 403.
#   * _member_ (tester3) gets 403 everywhere. Target 'tester3' resolves to
#     project 'test' per the user table in this file, so the first row of
#     each _member_ group is a denial on the user's own project.
#   * ResellerAdmin (tester6) gets 201 on every project, including test4
#     in test-domain.
#   * Adding a service token from a non-service user (service_user_name
#     'tester') does not change the outcome on the default prefix.
RBAC_PUT = [
    # PUT container in own account: ok
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester', 'tester', None, 201),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester', 201),
    # PUT container in other users account: not allowed for role admin
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester2', 'tester', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester4', 'tester', None, 403),
    # PUT container in other users account: not allowed for role _member_
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester3', 'tester3', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester2', 'tester3', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester4', 'tester3', None, 403),
    # PUT container in other users account: allowed for role ResellerAdmin
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester6', 'tester6', None, 201),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester2', 'tester6', None, 201),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester4', 'tester6', None, 201),
    # PUT object in own account: ok
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', None, 201),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester', 201),
    # PUT object in other users account: not allowed for role admin
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester', None, 403),
    # PUT object in other users account: not allowed for role _member_
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester3', 'tester3', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester3', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester3', None, 403),
    # PUT object in other users account: allowed for role ResellerAdmin
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester6', 'tester6', None, 201),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester6', None, 201),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester6', None, 201)
]
# PUT cases involving the service role (tester5) and the SERVICE reseller
# prefix. Rows follow TEST_CASE_FORMAT.
#
# Expected-status convention visible in the rows: 401 when auth_user_name is
# None (no user to obtain X-Auth-Token for), 403 when a user token is
# supplied but the caller is not authorized.
#
# Default prefix (first half): a service token from tester5 never widens
# access; the outcome is decided by the auth user, and tester5 acting as the
# auth user is denied even on its own project (test5).
# SERVICE prefix (second half): 201 requires BOTH the project admin's token
# (tester) and a service token from a service-role user (tester5). The
# user token alone, or the admin's own token reused as the service token,
# is denied with 403.
RBAC_PUT_WITH_SERVICE_PREFIX = [
    # PUT container in own account: ok
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester5', 201),
    # PUT container in other users account: not allowed for role service
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester', None, 'tester5', 401),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester5', 'tester5', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester2', 'tester5', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     None, 'tester4', 'tester5', None, 403),
    # PUT object in own account: ok
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester5', 201),
    # PUT object in other users account: not allowed for role service
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester', None, 'tester5', 401),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester5', 'tester5', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester5', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester5', None, 403),
    # All following actions are using SERVICE prefix
    # PUT container in own account: ok
    ('PUT', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 201),
    # PUT container fails if wrong user, or only one token sent
    ('PUT', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('PUT', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('PUT', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('PUT', None, None, 'UUID', None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # PUT object in own account: ok
    ('PUT', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester5', 201),
    # PUT object fails if wrong user, or only one token sent
    ('PUT', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('PUT', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', None, 'tester5', 401),
]
# A scenario of delete for account, container and object with
# several roles.
#
# Rows follow TEST_CASE_FORMAT; all use the default reseller prefix and a
# generated 'UUID' container (plus a 'UUID' object in the object cases).
# Success is 204. Denials are 403 for admin (tester) outside its own
# project and for _member_ (tester3) on every target, including its own
# project 'test'. ResellerAdmin (tester6) is expected to delete in any
# project, including test4 in test-domain.
RBAC_DELETE = [
    # DELETE container in own account: ok
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester', 'tester', None, 204),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester', 204),
    # DELETE container in other users account: not allowed for role admin
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester2', 'tester', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester4', 'tester', None, 403),
    # DELETE container in other users account: not allowed for role _member_
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester3', 'tester3', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester2', 'tester3', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester4', 'tester3', None, 403),
    # DELETE container in other users account: allowed for role ResellerAdmin
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester6', 'tester6', None, 204),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester2', 'tester6', None, 204),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester4', 'tester6', None, 204),
    # DELETE object in own account: ok
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', None, 204),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester', 204),
    # DELETE object in other users account: not allowed for role admin
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester', None, 403),
    # DELETE object in other users account: not allowed for role _member_
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester3', 'tester3', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester3', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester3', None, 403),
    # DELETE object in other users account: allowed for role ResellerAdmin
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester6', 'tester6', None, 204),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester6', None, 204),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester6', None, 204)
]
# DELETE cases involving the service role (tester5) and the SERVICE reseller
# prefix. Rows follow TEST_CASE_FORMAT.
#
# 401 is expected when auth_user_name is None (no user to obtain
# X-Auth-Token for); 403 when a user token is supplied but not authorized.
# On the default prefix the service token does not widen access, and
# tester5 as the auth user is denied on every project, its own included.
# On the SERVICE prefix, 204 requires the project admin's token (tester)
# together with a service token from tester5; either token alone, or the
# admin's token reused as the service token, is rejected.
RBAC_DELETE_WITH_SERVICE_PREFIX = [
    # DELETE container in own account: ok
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester5', 204),
    # DELETE container in other users account: not allowed for role service
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester', None, 'tester5', 401),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester5', 'tester5', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester2', 'tester5', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     None, 'tester4', 'tester5', None, 403),
    # DELETE object in own account: ok
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester5', 204),
    # DELETE object in other users account: not allowed for role service
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester', None, 'tester5', 401),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester5', 'tester5', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester5', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester5', None, 403),
    # All following actions are using SERVICE prefix
    # DELETE container in own account: ok
    ('DELETE', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # DELETE container fails if wrong user, or only one token sent
    ('DELETE', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('DELETE', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('DELETE', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('DELETE', None, None, 'UUID', None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # DELETE object in own account: ok
    ('DELETE', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # DELETE object fails if wrong user, or only one token sent
    ('DELETE', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('DELETE', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', None, 'tester5', 401)
]
# A scenario of get for account, container and object with
# several roles.
#
# Rows follow TEST_CASE_FORMAT; all use the default reseller prefix. The
# three groups cover the account (no container/object), a 'UUID' container
# and a 'UUID' object. Reads are gated the same way at each level: 200 for
# the project admin on its own project and for ResellerAdmin (tester6) on
# any project; 403 for admin (tester) on test2/test4 and for _member_
# (tester3) on every target, including its own project 'test'.
RBAC_GET = [
    # GET own account: ok
    ('GET', None, None, None, None, None,
     None, 'tester', 'tester', None, 200),
    ('GET', None, None, None, None, None,
     None, 'tester', 'tester', 'tester', 200),
    # GET other users account: not allowed for role admin
    ('GET', None, None, None, None, None,
     None, 'tester2', 'tester', None, 403),
    ('GET', None, None, None, None, None,
     None, 'tester4', 'tester', None, 403),
    # GET other users account: not allowed for role _member_
    ('GET', None, None, None, None, None,
     None, 'tester3', 'tester3', None, 403),
    ('GET', None, None, None, None, None,
     None, 'tester2', 'tester3', None, 403),
    ('GET', None, None, None, None, None,
     None, 'tester4', 'tester3', None, 403),
    # GET other users account: allowed for role ResellerAdmin
    ('GET', None, None, None, None, None,
     None, 'tester6', 'tester6', None, 200),
    ('GET', None, None, None, None, None,
     None, 'tester2', 'tester6', None, 200),
    ('GET', None, None, None, None, None,
     None, 'tester4', 'tester6', None, 200),
    # GET container in own account: ok
    ('GET', None, None, 'UUID', None, None,
     None, 'tester', 'tester', None, 200),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester', 200),
    # GET container in other users account: not allowed for role admin
    ('GET', None, None, 'UUID', None, None,
     None, 'tester2', 'tester', None, 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester4', 'tester', None, 403),
    # GET container in other users account: not allowed for role _member_
    ('GET', None, None, 'UUID', None, None,
     None, 'tester3', 'tester3', None, 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester2', 'tester3', None, 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester4', 'tester3', None, 403),
    # GET container in other users account: allowed for role ResellerAdmin
    ('GET', None, None, 'UUID', None, None,
     None, 'tester6', 'tester6', None, 200),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester2', 'tester6', None, 200),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester4', 'tester6', None, 200),
    # GET object in own account: ok
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', None, 200),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester', 200),
    # GET object in other users account: not allowed for role admin
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester', None, 403),
    # GET object in other users account: not allowed for role _member_
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester3', 'tester3', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester3', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester3', None, 403),
    # GET object in other users account: allowed for role ResellerAdmin
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester6', 'tester6', None, 200),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester6', None, 200),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester6', None, 200)
]
# GET cases involving the service role (tester5) and the SERVICE reseller
# prefix, at account, container and object level. Rows follow
# TEST_CASE_FORMAT.
#
# 401 is expected when auth_user_name is None (no user to obtain
# X-Auth-Token for); 403 when a user token is supplied but not authorized.
# Default prefix: the service token does not grant read access by itself,
# and tester5 as the auth user is denied on every project, including its
# own (test5).
# SERVICE prefix: 200 requires the project admin's token (tester) plus a
# service token from tester5. The admin's token alone, or reused as the
# service token, yields 403, so even reads under this prefix need both
# identities.
RBAC_GET_WITH_SERVICE_PREFIX = [
    # GET own account: ok
    ('GET', None, None, None, None, None,
     None, 'tester', 'tester', 'tester5', 200),
    # GET other account: not allowed for role service
    ('GET', None, None, None, None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, None, None, None,
     None, 'tester', None, 'tester5', 401),
    ('GET', None, None, None, None, None,
     None, 'tester5', 'tester5', None, 403),
    ('GET', None, None, None, None, None,
     None, 'tester2', 'tester5', None, 403),
    ('GET', None, None, None, None, None,
     None, 'tester4', 'tester5', None, 403),
    # GET container in own account: ok
    ('GET', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester5', 200),
    # GET container in other users account: not allowed for role service
    ('GET', None, None, 'UUID', None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester', None, 'tester5', 401),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester5', 'tester5', None, 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester2', 'tester5', None, 403),
    ('GET', None, None, 'UUID', None, None,
     None, 'tester4', 'tester5', None, 403),
    # GET object in own account: ok
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester5', 200),
    # GET object fails if wrong user, or only one token sent
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester', None, 'tester5', 401),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester5', 'tester5', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester5', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester5', None, 403),
    # All following actions are using SERVICE prefix
    # GET own account: ok
    ('GET', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 200),
    # GET other account: not allowed for role service
    ('GET', None, None, None, None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('GET', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('GET', None, None, None, None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # GET container in own account: ok
    ('GET', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 200),
    # GET container fails if wrong user, or only one token sent
    ('GET', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('GET', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('GET', None, None, 'UUID', None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # GET object in own account: ok
    ('GET', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester5', 200),
    # GET object fails if wrong user, or only one token sent
    ('GET', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('GET', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', None, 'tester5', 401)
]
# A scenario of head for account, container and object with
# several roles.
#
# Rows follow TEST_CASE_FORMAT; all use the default reseller prefix.
# Success codes differ by level: 204 for account and container HEAD, 200
# for object HEAD. Denials are always 403: admin (tester) on test2/test4,
# and _member_ (tester3) on every target including its own project 'test'.
# ResellerAdmin (tester6) succeeds on any project.
RBAC_HEAD = [
    # HEAD own account: ok
    ('HEAD', None, None, None, None, None,
     None, 'tester', 'tester', None, 204),
    ('HEAD', None, None, None, None, None,
     None, 'tester', 'tester', 'tester', 204),
    # HEAD other users account: not allowed for role admin
    ('HEAD', None, None, None, None, None,
     None, 'tester2', 'tester', None, 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester4', 'tester', None, 403),
    # HEAD other users account: not allowed for role _member_
    ('HEAD', None, None, None, None, None,
     None, 'tester3', 'tester3', None, 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester2', 'tester3', None, 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester4', 'tester3', None, 403),
    # HEAD other users account: allowed for role ResellerAdmin
    ('HEAD', None, None, None, None, None,
     None, 'tester6', 'tester6', None, 204),
    ('HEAD', None, None, None, None, None,
     None, 'tester2', 'tester6', None, 204),
    ('HEAD', None, None, None, None, None,
     None, 'tester4', 'tester6', None, 204),
    # HEAD container in own account: ok
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester', 'tester', None, 204),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester', 204),
    # HEAD container in other users account: not allowed for role admin
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester2', 'tester', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester4', 'tester', None, 403),
    # HEAD container in other users account: not allowed for role _member_
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester3', 'tester3', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester2', 'tester3', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester4', 'tester3', None, 403),
    # HEAD container in other users account: allowed for role ResellerAdmin
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester6', 'tester6', None, 204),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester2', 'tester6', None, 204),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester4', 'tester6', None, 204),
    # HEAD object in own account: ok
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', None, 200),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester', 200),
    # HEAD object in other users account: not allowed for role admin
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester', None, 403),
    # HEAD object in other users account: not allowed for role _member_
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester3', 'tester3', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester3', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester3', None, 403),
    # HEAD object in other users account: allowed for role ResellerAdmin
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester6', 'tester6', None, 200),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester6', None, 200),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester6', None, 200)
]
# HEAD cases involving the service role (tester5) and the SERVICE reseller
# prefix, at account, container and object level. Rows follow
# TEST_CASE_FORMAT. Success is 204 for account/container and 200 for object.
#
# 401 is expected when auth_user_name is None (no user to obtain
# X-Auth-Token for); 403 when a user token is supplied but not authorized.
# Default prefix: the service token does not widen access; tester5 as the
# auth user is denied on every project, its own (test5) included.
# SERVICE prefix: success requires the project admin's token (tester) plus
# a service token from tester5; the admin's token alone, or reused as the
# service token, yields 403.
RBAC_HEAD_WITH_SERVICE_PREFIX = [
    # HEAD own account: ok
    ('HEAD', None, None, None, None, None,
     None, 'tester', 'tester', 'tester5', 204),
    # HEAD other account: not allowed for role service
    ('HEAD', None, None, None, None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester', None, 'tester5', 401),
    ('HEAD', None, None, None, None, None,
     None, 'tester5', 'tester5', None, 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester2', 'tester5', None, 403),
    ('HEAD', None, None, None, None, None,
     None, 'tester4', 'tester5', None, 403),
    # HEAD container in own account: ok
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester5', 204),
    # HEAD container in other users account: not allowed for role service
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester', None, 'tester5', 401),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester5', 'tester5', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester2', 'tester5', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     None, 'tester4', 'tester5', None, 403),
    # HEAD object in own account: ok
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester5', 200),
    # HEAD object fails if wrong user, or only one token sent
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester', None, 'tester5', 401),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester5', 'tester5', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester5', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester5', None, 403),
    # All following actions are using SERVICE prefix
    # HEAD own account: ok
    ('HEAD', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # HEAD other account: not allowed for role service
    ('HEAD', None, None, None, None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('HEAD', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('HEAD', None, None, None, None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # HEAD container in own account: ok
    ('HEAD', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # HEAD container in other users account: not allowed for role service
    ('HEAD', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('HEAD', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('HEAD', None, None, 'UUID', None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # HEAD object in own account: ok
    ('HEAD', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester5', 200),
    # HEAD object fails if wrong user, or only one token sent
    ('HEAD', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('HEAD', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', None, 'tester5', 401)
]
# A scenario of post for account, container and object with
# several roles.
#
# Rows follow TEST_CASE_FORMAT; all use the default reseller prefix.
# Success codes differ by level: 204 for account and container POST, 202
# for object POST. Denials are always 403: admin (tester) on test2/test4,
# and _member_ (tester3) on every target including its own project 'test'.
# ResellerAdmin (tester6) is expected to be able to POST to any project,
# including test4 in test-domain.
RBAC_POST = [
    # POST own account: ok
    ('POST', None, None, None, None, None,
     None, 'tester', 'tester', None, 204),
    ('POST', None, None, None, None, None,
     None, 'tester', 'tester', 'tester', 204),
    # POST other users account: not allowed for role admin
    ('POST', None, None, None, None, None,
     None, 'tester2', 'tester', None, 403),
    ('POST', None, None, None, None, None,
     None, 'tester4', 'tester', None, 403),
    # POST other users account: not allowed for role _member_
    ('POST', None, None, None, None, None,
     None, 'tester3', 'tester3', None, 403),
    ('POST', None, None, None, None, None,
     None, 'tester2', 'tester3', None, 403),
    ('POST', None, None, None, None, None,
     None, 'tester4', 'tester3', None, 403),
    # POST other users account: allowed for role ResellerAdmin
    ('POST', None, None, None, None, None,
     None, 'tester6', 'tester6', None, 204),
    ('POST', None, None, None, None, None,
     None, 'tester2', 'tester6', None, 204),
    ('POST', None, None, None, None, None,
     None, 'tester4', 'tester6', None, 204),
    # POST container in own account: ok
    ('POST', None, None, 'UUID', None, None,
     None, 'tester', 'tester', None, 204),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester', 204),
    # POST container in other users account: not allowed for role admin
    ('POST', None, None, 'UUID', None, None,
     None, 'tester2', 'tester', None, 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester4', 'tester', None, 403),
    # POST container in other users account: not allowed for role _member_
    ('POST', None, None, 'UUID', None, None,
     None, 'tester3', 'tester3', None, 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester2', 'tester3', None, 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester4', 'tester3', None, 403),
    # POST container in other users account: allowed for role ResellerAdmin
    ('POST', None, None, 'UUID', None, None,
     None, 'tester6', 'tester6', None, 204),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester2', 'tester6', None, 204),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester4', 'tester6', None, 204),
    # POST object in own account: ok
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', None, 202),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester', 202),
    # POST object in other users account: not allowed for role admin
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester', None, 403),
    # POST object in other users account: not allowed for role _member_
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester3', 'tester3', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester3', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester3', None, 403),
    # POST object in other users account: allowed for role ResellerAdmin
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester6', 'tester6', None, 202),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester6', None, 202),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester6', None, 202)
]
# POST cases involving the service role (tester5) and the SERVICE reseller
# prefix, at account, container and object level. Rows follow
# TEST_CASE_FORMAT. Success is 204 for account/container and 202 for object.
#
# 401 is expected when auth_user_name is None (no user to obtain
# X-Auth-Token for); 403 when a user token is supplied but not authorized.
# Default prefix: the service token does not widen access; tester5 as the
# auth user is denied on every project, its own (test5) included.
# SERVICE prefix: success requires the project admin's token (tester) plus
# a service token from tester5; the admin's token alone, or reused as the
# service token, yields 403.
RBAC_POST_WITH_SERVICE_PREFIX = [
    # POST own account: ok
    ('POST', None, None, None, None, None,
     None, 'tester', 'tester', 'tester5', 204),
    # POST other account: not allowed for role service
    # (every row in this group expects a denial: 403 or 401)
    ('POST', None, None, None, None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, None, None, None,
     None, 'tester', None, 'tester5', 401),
    ('POST', None, None, None, None, None,
     None, 'tester5', 'tester5', None, 403),
    ('POST', None, None, None, None, None,
     None, 'tester2', 'tester5', None, 403),
    ('POST', None, None, None, None, None,
     None, 'tester4', 'tester5', None, 403),
    # POST container in own account: ok
    ('POST', None, None, 'UUID', None, None,
     None, 'tester', 'tester', 'tester5', 204),
    # POST container in other users account: not allowed for role service
    ('POST', None, None, 'UUID', None, None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester', None, 'tester5', 401),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester5', 'tester5', None, 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester2', 'tester5', None, 403),
    ('POST', None, None, 'UUID', None, None,
     None, 'tester4', 'tester5', None, 403),
    # POST object in own account: ok
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester', 'tester5', 202),
    # POST object fails if wrong user, or only one token sent
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester', None, 'tester5', 401),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester5', 'tester5', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester2', 'tester5', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     None, 'tester4', 'tester5', None, 403),
    # All following actions are using SERVICE prefix
    # POST own account: ok
    ('POST', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # POST other account: not allowed for role service
    ('POST', None, None, None, None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('POST', None, None, None, None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('POST', None, None, None, None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # POST container in own account: ok
    ('POST', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester5', 204),
    # POST container in other users account: not allowed for role service
    ('POST', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('POST', None, None, 'UUID', None, None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('POST', None, None, 'UUID', None, None,
     'SERVICE', 'tester', None, 'tester5', 401),
    # POST object in own account: ok
    ('POST', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester5', 202),
    # POST object fails if wrong user, or only one token sent
    ('POST', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester3', 'tester5', 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', None, 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', 'tester', 'tester', 403),
    ('POST', None, None, 'UUID', 'UUID', None,
     'SERVICE', 'tester', None, 'tester5', 401)
]
# OPTIONS scenarios for account, container and object with several roles.
# A plain OPTIONS request expects 200 for every user combination listed.
# The CORS preflight rows at the end (Origin + Access-Control-Request-Method
# request headers) expect 401 on a container or object unless the container
# metadata X-Container-Meta-Access-Control-Allow-Origin is "*"; the
# account-level preflight rows expect 200 regardless of that metadata.
def _rbac_options_cases():
    # (container_name, object_name): account, container and object level
    levels = ((None, None), ('UUID', None), ('UUID', 'UUID'))
    allow_origin = "X-Container-Meta-Access-Control-Allow-Origin"
    # (target_user_name, auth_user_name, service_user_name)
    users = (
        ('tester', 'tester', None),
        ('tester', 'tester', 'tester'),
        ('tester2', 'tester', None),
        ('tester4', 'tester', None),
        ('tester3', 'tester3', None),
        ('tester2', 'tester3', None),
        ('tester4', 'tester3', None),
        ('tester6', 'tester6', None),
        ('tester2', 'tester6', None),
        ('tester4', 'tester6', None),
    )
    cases = []
    # No request headers and no container metadata: 200 for every user.
    for container, obj in levels:
        for target, auth, service in users:
            cases.append(('OPTIONS', None, None, container, obj, None,
                          None, target, auth, service, 200))
    # Allow-origin metadata is set but the request carries no Origin
    # header, so the metadata value does not affect the expected 200.
    for container, obj in levels:
        for origin in ("*", "http://invalid.com"):
            cases.append(('OPTIONS', None, None, container, obj,
                          {allow_origin: origin},
                          None, 'tester', 'tester', None, 200))
    # CORS preflight from http://localhost:
    # (container_name, object_name, allow-origin metadata or None,
    #  auth_user_name, expected status)
    preflight = (
        (None, None, None, 'tester', 200),
        (None, None, "*", 'tester', 200),
        (None, None, "http://invalid.com", 'tester', 200),
        # Not OK for container: no allow-origin metadata
        ('UUID', None, None, 'tester', 401),
        ('UUID', None, "*", 'tester', 200),
        # Not OK for container: wrong origin
        ('UUID', None, "http://invalid.com", 'tester', 401),
        # Not OK for object: missing
        # X-Container-Meta-Access-Control-Allow-Origin
        ('UUID', 'UUID', None, 'tester', 401),
        # Allowed origin; this row has auth_user_name None and still
        # expects 200
        ('UUID', 'UUID', "*", None, 200),
        # Not OK for object: wrong origin
        ('UUID', 'UUID', "http://invalid.com", 'tester', 401),
    )
    for container, obj, origin, auth, expected in preflight:
        cases.append((
            'OPTIONS',
            # a fresh header dict per row, as in a literal table
            {"Origin": "http://localhost",
             "Access-Control-Request-Method": "GET"},
            None, container, obj,
            {allow_origin: origin} if origin else None,
            None, 'tester', auth, None, expected))
    return cases


RBAC_OPTIONS = _rbac_options_cases()
# OPTIONS scenarios involving the service user (tester5), addressed first
# through the default reseller prefix and then through the SERVICE prefix.
# Every combination expects 200, including the rows whose auth_user_name
# or service_user_name is None.
RBAC_OPTIONS_WITH_SERVICE_PREFIX = [
    ('OPTIONS', None, None, _container, _obj, None,
     _prefix, _target, _auth, _service, 200)
    # reseller_prefix, then the
    # (target_user_name, auth_user_name, service_user_name) combinations
    for _prefix, _users in (
        (None, (
            ('tester', 'tester', 'tester5'),
            ('tester', 'tester3', 'tester5'),
            ('tester', None, 'tester5'),
            ('tester5', 'tester5', None),
            ('tester2', 'tester5', None),
            ('tester4', 'tester5', None),
        )),
        ('SERVICE', (
            ('tester', 'tester', 'tester5'),
            ('tester', 'tester3', 'tester5'),
            ('tester', 'tester', None),
            ('tester', 'tester', 'tester'),
            ('tester', None, 'tester5'),
        )),
    )
    # account, container and object level
    for _container, _obj in ((None, None), ('UUID', None), ('UUID', 'UUID'))
    for _target, _auth, _service in _users
]
# Container-ACL scenarios for object PUT: tester3 uploads an object into a
# container that was prepared with the given ACL header
# (prep_container_header). Each pair below is (ACL header, expected status).
# 201 is expected only for an X-Container-Write entry of the form
# <project>:<user> that matches tester3 (by name, by id, or via "*").
ACL_PUT = [
    ('PUT', None, None, 'UUID', 'UUID', _prep,
     None, 'tester3', 'tester3', None, _status)
    for _prep, _status in (
        # A read ACL is never expected to authorize a write.
        ({'X-Container-Read': 'test:tester3'}, 403),
        ({'X-Container-Read': 'test:%(tester3_id)s'}, 403),
        ({'X-Container-Read': '%(test_id)s:tester3'}, 403),
        ({'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, 403),
        ({'X-Container-Read': 'test:tester2'}, 403),
        ({'X-Container-Read': 'test:*'}, 403),
        ({'X-Container-Read': 'test'}, 403),
        ({'X-Container-Read': '%(test_id)s'}, 403),
        ({'X-Container-Read': 'test2:tester3'}, 403),
        ({'X-Container-Read': 'test2:tester2'}, 403),
        ({'X-Container-Read': 'test2:*'}, 403),
        ({'X-Container-Read': 'test2'}, 403),
        ({'X-Container-Read': '*:tester3'}, 403),
        ({'X-Container-Read': '*:tester2'}, 403),
        ({'X-Container-Read': '*:*'}, 403),
        ({'X-Container-Read': '*'}, 403),
        ({'X-Container-Read': '.r:*'}, 403),
        ({'X-Container-Read': '.r:*,.rlistings'}, 403),
        ({'X-Container-Read': '.r:invalid.domain.com'}, 403),
        ({'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, 403),
        ({'X-Container-Read': '.rlistings'}, 403),
        # Write ACL: a bare project ('test', '%(test_id)s', 'test2') or a
        # bare '*' is not expected to grant access, and neither is an
        # entry for another project or user.
        ({'X-Container-Write': 'test:tester3'}, 201),
        ({'X-Container-Write': 'test:%(tester3_id)s'}, 201),
        ({'X-Container-Write': '%(test_id)s:tester3'}, 201),
        ({'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, 201),
        ({'X-Container-Write': 'test:tester2'}, 403),
        ({'X-Container-Write': 'test:*'}, 201),
        ({'X-Container-Write': 'test'}, 403),
        ({'X-Container-Write': '%(test_id)s'}, 403),
        ({'X-Container-Write': 'test2:tester3'}, 403),
        ({'X-Container-Write': 'test2:tester2'}, 403),
        ({'X-Container-Write': 'test2:*'}, 403),
        ({'X-Container-Write': 'test2'}, 403),
        ({'X-Container-Write': '*:tester3'}, 201),
        ({'X-Container-Write': '*:tester2'}, 403),
        ({'X-Container-Write': '*:*'}, 201),
        ({'X-Container-Write': '*'}, 403),
        # No ACL header at all: denied.
        (None, 403),
    )
]
# Container-ACL scenarios for object DELETE: tester3 deletes an object in a
# container that was prepared with the given ACL header
# (prep_container_header). Each pair below is (ACL header, expected status).
# 204 is expected only for an X-Container-Write entry of the form
# <project>:<user> that matches tester3 (by name, by id, or via "*").
ACL_DELETE = [
    ('DELETE', None, None, 'UUID', 'UUID', _prep,
     None, 'tester3', 'tester3', None, _status)
    for _prep, _status in (
        # A read ACL is never expected to authorize a delete.
        ({'X-Container-Read': 'test:tester3'}, 403),
        ({'X-Container-Read': 'test:%(tester3_id)s'}, 403),
        ({'X-Container-Read': '%(test_id)s:tester3'}, 403),
        ({'X-Container-Read': '%(test_id)s:%(tester3_id)s'}, 403),
        ({'X-Container-Read': 'test:tester2'}, 403),
        ({'X-Container-Read': 'test:*'}, 403),
        ({'X-Container-Read': 'test'}, 403),
        ({'X-Container-Read': '%(test_id)s'}, 403),
        ({'X-Container-Read': 'test2:tester3'}, 403),
        ({'X-Container-Read': 'test2:tester2'}, 403),
        ({'X-Container-Read': 'test2:*'}, 403),
        ({'X-Container-Read': 'test2'}, 403),
        ({'X-Container-Read': '*:tester3'}, 403),
        ({'X-Container-Read': '*:tester2'}, 403),
        ({'X-Container-Read': '*:*'}, 403),
        ({'X-Container-Read': '*'}, 403),
        ({'X-Container-Read': '.r:*'}, 403),
        ({'X-Container-Read': '.r:*,.rlistings'}, 403),
        ({'X-Container-Read': '.r:invalid.domain.com'}, 403),
        ({'X-Container-Read': '.r:invalid.domain.com,.rlistings'}, 403),
        ({'X-Container-Read': '.rlistings'}, 403),
        # Write ACL: a bare project ('test', '%(test_id)s', 'test2') or a
        # bare '*' is not expected to grant access, and neither is an
        # entry for another project or user.
        ({'X-Container-Write': 'test:tester3'}, 204),
        ({'X-Container-Write': 'test:%(tester3_id)s'}, 204),
        ({'X-Container-Write': '%(test_id)s:tester3'}, 204),
        ({'X-Container-Write': '%(test_id)s:%(tester3_id)s'}, 204),
        ({'X-Container-Write': 'test:tester2'}, 403),
        ({'X-Container-Write': 'test:*'}, 204),
        ({'X-Container-Write': 'test'}, 403),
        ({'X-Container-Write': '%(test_id)s'}, 403),
        ({'X-Container-Write': 'test2:tester3'}, 403),
        ({'X-Container-Write': 'test2:tester2'}, 403),
        ({'X-Container-Write': 'test2:*'}, 403),
        ({'X-Container-Write': 'test2'}, 403),
        ({'X-Container-Write': '*:tester3'}, 204),
        ({'X-Container-Write': '*:tester2'}, 403),
        ({'X-Container-Write': '*:*'}, 204),
        ({'X-Container-Write': '*'}, 403),
        # No ACL header at all: denied.
        (None, 403),
    )
]
# Container-ACL scenarios for GET by tester3: first a container GET
# (object_name None), then an object GET, each against a container that
# was prepared with the given ACL header (prep_container_header).
def _acl_get_cases():
    # (ACL header name, ACL value, expected status for container GET,
    #  expected status for object GET)
    acl_rows = (
        ('X-Container-Read', 'test:tester3', 200, 200),
        ('X-Container-Read', 'test:%(tester3_id)s', 200, 200),
        ('X-Container-Read', '%(test_id)s:tester3', 200, 200),
        ('X-Container-Read', '%(test_id)s:%(tester3_id)s', 200, 200),
        ('X-Container-Read', 'test:tester2', 403, 403),
        ('X-Container-Read', 'test:*', 200, 200),
        ('X-Container-Read', 'test', 403, 403),
        ('X-Container-Read', '%(test_id)s', 403, 403),
        ('X-Container-Read', 'test2:tester3', 403, 403),
        ('X-Container-Read', 'test2:tester2', 403, 403),
        ('X-Container-Read', 'test2:*', 403, 403),
        ('X-Container-Read', 'test2', 403, 403),
        ('X-Container-Read', '*:tester3', 200, 200),
        ('X-Container-Read', '*:tester2', 403, 403),
        ('X-Container-Read', '*:*', 200, 200),
        ('X-Container-Read', '*', 403, 403),
        # The only row where the two levels differ: the referrer ACL
        # '.r:*' alone is expected to allow the object GET but not the
        # container GET, which also needs '.rlistings'.
        ('X-Container-Read', '.r:*', 403, 200),
        ('X-Container-Read', '.r:*,.rlistings', 200, 200),
        ('X-Container-Read', '.r:invalid.domain.com', 403, 403),
        ('X-Container-Read', '.r:invalid.domain.com,.rlistings', 403, 403),
        ('X-Container-Read', '.rlistings', 403, 403),
        # A write ACL is never expected to authorize a read.
        ('X-Container-Write', 'test:tester3', 403, 403),
        ('X-Container-Write', 'test:%(tester3_id)s', 403, 403),
        ('X-Container-Write', '%(test_id)s:tester3', 403, 403),
        ('X-Container-Write', '%(test_id)s:%(tester3_id)s', 403, 403),
        ('X-Container-Write', 'test:tester2', 403, 403),
        ('X-Container-Write', 'test:*', 403, 403),
        ('X-Container-Write', 'test', 403, 403),
        ('X-Container-Write', '%(test_id)s', 403, 403),
        ('X-Container-Write', 'test2:tester3', 403, 403),
        ('X-Container-Write', 'test2:tester2', 403, 403),
        ('X-Container-Write', 'test2:*', 403, 403),
        ('X-Container-Write', 'test2', 403, 403),
        ('X-Container-Write', '*:tester3', 403, 403),
        ('X-Container-Write', '*:tester2', 403, 403),
        ('X-Container-Write', '*:*', 403, 403),
        ('X-Container-Write', '*', 403, 403),
    )
    cases = []
    # All container-level cases come first, then all object-level cases.
    for object_name, status_column in ((None, 2), ('UUID', 3)):
        for row in acl_rows:
            cases.append(('GET', None, None, 'UUID', object_name,
                          # a fresh dict per case, as in a literal table
                          {row[0]: row[1]},
                          None, 'tester3', 'tester3', None,
                          row[status_column]))
        # No ACL header at all: denied.
        cases.append(('GET', None, None, 'UUID', object_name, None,
                      None, 'tester3', 'tester3', None, 403))
    return cases


ACL_GET = _acl_get_cases()
# A scenario of head for container ACL
ACL_HEAD = [
('HEAD',
None,
None, 'UUID', None,
{'X-Container-Read': 'test:tester3'},
None, 'tester3', 'tester3', None, 204),
('HEAD',
None,
None, 'UUID', None,
{'X-Container-Read': 'test:%(tester3_id)s'},