Added allow_overrides capability for tempurl/fo...

Added allow_overrides capability for tempurl/formpost type middleware. Fixes #26
2012-03-27 02:53:05 +00:00 · 2012-03-27 02:53:05 +00:00 · 09590624ea
commit 09590624ea
parent dfaf1e2317
3 changed files with 40 additions and 0 deletions
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -50,6 +50,11 @@ use = egg:swauth#swauth
 #   auth_type = plaintext
 # Used if the auth_type is sha1 or another method that can make use of a salt.
 #   auth_type_salt = swauthsalt
+# This allows middleware higher in the WSGI pipeline to override auth
+# processing, useful for middleware such as tempurl and formpost. If you know
+# you're not going to use such middleware and you want a bit of extra security,
+# you can set this to false.
+#   allow_overrides = true
 # Highly recommended to change this. If you comment this out, the Swauth
 # administration features will be disabled for this proxy.
 super_admin_key = swauthkey
--- a/swauth/middleware.py
+++ b/swauth/middleware.py
@ -155,6 +155,8 @@ class Swauth(object):
            raise Exception('Invalid auth_type in config file: %s'
                             % self.auth_type)
        self.auth_encoder.salt = conf.get('auth_type_salt', 'swauthsalt')
+        self.allow_overrides = \
+            conf.get('allow_overrides', 't').lower() in TRUE_VALUES

    def __call__(self, env, start_response):
        """
@ -176,6 +178,8 @@ class Swauth(object):
        will be routed through the internal auth request handler (self.handle).
        This is to handle creating users, accounts, granting tokens, etc.
        """
+        if self.allow_overrides and env.get('swift.authorize_override', False):
+            return self.app(env, start_response)
        if 'HTTP_X_CF_TRANS_ID' not in env:
            env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())
        if not self.swauth_remote:
--- a/test_swauth/unit/test_middleware.py
+++ b/test_swauth/unit/test_middleware.py
@ -3462,6 +3462,37 @@ class TestAuth(unittest.TestCase):
        resp = req.get_response(self.test_auth)
        self.assertEquals(resp.status_int, 204)

+    def _make_request(self, path, **kwargs):
+        req = Request.blank(path, **kwargs)
+        req.environ['swift.cache'] = FakeMemcache()
+        return req
+
+    def test_override_asked_for_but_not_allowed(self):
+        self.test_auth = \
+            auth.filter_factory({'allow_overrides': 'false'})(FakeApp())
+        req = self._make_request('/v1/AUTH_account',
+                                 environ={'swift.authorize_override': True})
+        resp = req.get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 401)
+        self.assertEquals(resp.environ['swift.authorize'],
+                          self.test_auth.authorize)
+
+    def test_override_asked_for_and_allowed(self):
+        self.test_auth = \
+            auth.filter_factory({'allow_overrides': 'true'})(FakeApp())
+        req = self._make_request('/v1/AUTH_account',
+                                 environ={'swift.authorize_override': True})
+        resp = req.get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 404)
+        self.assertTrue('swift.authorize' not in resp.environ)
+
+    def test_override_default_allowed(self):
+        req = self._make_request('/v1/AUTH_account',
+                                 environ={'swift.authorize_override': True})
+        resp = req.get_response(self.test_auth)
+        self.assertEquals(resp.status_int, 404)
+        self.assertTrue('swift.authorize' not in resp.environ)
+

 if __name__ == '__main__':
    unittest.main()