Raise SignatureDoesNotMatch for unauthorized requests

HTTP_UNAUTHORIZED is returned only when the given signature is wrong.

Change-Id: I4353557c6826ded2157b3a5be2e1ec1850477958
MORITA Kazutaka 2014-06-06 00:08:38 +09:00
parent aceaad2b75
commit 8857a09806
2 changed files with 48 additions and 21 deletions


@ -69,7 +69,8 @@ from swift3.request import Request
from swift3.response import HTTPNoContent, HTTPOk, ErrorResponse, \
AccessDenied, BucketAlreadyExists, BucketNotEmpty, EntityTooLarge, \
InternalError, InvalidArgument, InvalidDigest, MalformedACLError, \
MethodNotAllowed, NoSuchBucket, NoSuchKey, S3NotImplemented
MethodNotAllowed, NoSuchBucket, NoSuchKey, S3NotImplemented, \
SignatureDoesNotMatch
XMLNS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
@ -231,7 +232,9 @@ class ServiceController(Controller):
status = resp.status_int
if status != HTTP_OK:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
if status == HTTP_FORBIDDEN:
raise AccessDenied()
else:
raise InternalError()
@ -292,7 +295,9 @@ class BucketController(Controller):
status = resp.status_int
if status != HTTP_OK:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
if status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -358,7 +363,9 @@ class BucketController(Controller):
status = resp.status_int
if status != HTTP_CREATED and status != HTTP_NO_CONTENT:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
if status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_ACCEPTED:
raise BucketAlreadyExists(req.container_name)
@ -375,7 +382,9 @@ class BucketController(Controller):
status = resp.status_int
if status != HTTP_NO_CONTENT:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
if status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -406,7 +415,9 @@ class ObjectController(Controller):
if is_success(status):
return resp
elif status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
elif status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchKey(req.object_name)
@ -433,7 +444,9 @@ class ObjectController(Controller):
status = resp.status_int
if status != HTTP_CREATED:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -467,7 +480,9 @@ class ObjectController(Controller):
status = resp.status_int
if status != HTTP_NO_CONTENT:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchKey(req.object_name)
@ -508,7 +523,9 @@ class AclController(Controller):
# Method must be GET or the body wont be returned to the caller
req.environ['REQUEST_METHOD'] = 'GET'
return get_acl(req.access_key, headers)
elif status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
elif status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchKey(req.object_name)
@ -524,7 +541,9 @@ class AclController(Controller):
if is_success(status):
return get_acl(req.access_key, headers)
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -555,7 +574,9 @@ class AclController(Controller):
status = resp.status_int
if status != HTTP_ACCEPTED:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
else:
raise InternalError()
@ -576,7 +597,9 @@ class LocationController(Controller):
status = resp.status_int
if status != HTTP_OK:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -608,7 +631,9 @@ class LoggingStatusController(Controller):
status = resp.status_int
if status != HTTP_OK:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
@ -770,7 +795,9 @@ class VersioningController(Controller):
status = resp.status_int
if status != HTTP_OK:
if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
if status == HTTP_UNAUTHORIZED:
raise SignatureDoesNotMatch()
elif status == HTTP_FORBIDDEN:
raise AccessDenied()
elif status == HTTP_NOT_FOUND:
raise NoSuchBucket(req.container_name)
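Review bot: Every 401 from the backend is now reported as SignatureDoesNotMatch, which is only correct if the auth middleware in front of Swift never returns 401 for any other reason; the commit message states that assumption but the code does not. If that contract loosens (for example a 401 for an unknown access key or expired credentials), clients would be pointed at their signing code rather than their credentials, so a comment at the mapping such as `# auth middleware returns 401 only on signature mismatch; 403 is an authorization failure` would record what to re-check. The same two branches are repeated at thirteen call sites and already differ: the Service and Bucket controllers use a second `if status == HTTP_FORBIDDEN:` where the later ones use `elif`. The two forms are equivalent after a `raise`, but a single shared helper would keep the auth-error mapping in one place. The enclosing methods start and end outside these hunks, so the surrounding flow is not visible here.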


@ -204,7 +204,7 @@ class TestSwift3(unittest.TestCase):
def test_service_GET_error(self):
code = self._test_method_error('GET', '', swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('GET', '', swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
code = self._test_method_error('GET', '', swob.HTTPServerError)
@ -235,7 +235,7 @@ class TestSwift3(unittest.TestCase):
def test_bucket_GET_error(self):
code = self._test_method_error('GET', '/bucket', swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('GET', '/bucket', swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
code = self._test_method_error('GET', '/bucket', swob.HTTPNotFound)
@ -339,7 +339,7 @@ class TestSwift3(unittest.TestCase):
headers={'Content-Length': '-1'})
self.assertEqual(code, 'InvalidArgument')
code = self._test_method_error('PUT', '/bucket', swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('PUT', '/bucket', swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
code = self._test_method_error('PUT', '/bucket', swob.HTTPAccepted)
@ -357,7 +357,7 @@ class TestSwift3(unittest.TestCase):
def test_bucket_DELETE_error(self):
code = self._test_method_error('DELETE', '/bucket',
swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('DELETE', '/bucket', swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
code = self._test_method_error('DELETE', '/bucket', swob.HTTPNotFound)
@ -446,7 +446,7 @@ class TestSwift3(unittest.TestCase):
def test_object_GET_error(self):
code = self._test_method_error('GET', '/bucket/object',
swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('GET', '/bucket/object',
swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
@ -474,7 +474,7 @@ class TestSwift3(unittest.TestCase):
def test_object_PUT_error(self):
code = self._test_method_error('PUT', '/bucket/object',
swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('PUT', '/bucket/object',
swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
@ -524,7 +524,7 @@ class TestSwift3(unittest.TestCase):
def test_object_DELETE_error(self):
code = self._test_method_error('DELETE', '/bucket/object',
swob.HTTPUnauthorized)
self.assertEquals(code, 'AccessDenied')
self.assertEquals(code, 'SignatureDoesNotMatch')
code = self._test_method_error('DELETE', '/bucket/object',
swob.HTTPForbidden)
self.assertEquals(code, 'AccessDenied')
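Review bot: The updated assertions cover only the service, bucket and object handlers; the ACL, location, logging-status and versioning controllers changed in the same commit get no 401 assertion in these hunks. A wrong mapping there would go unnoticed unless tests outside the visible hunks already exercise it, so one HTTPUnauthorized case per remaining controller, asserting 'SignatureDoesNotMatch', would close the gap. The touched lines also keep `assertEquals`, a deprecated alias, while the neighbouring Content-Length check uses `assertEqual`; `self.assertEqual(code, 'SignatureDoesNotMatch')` would be the consistent form. The test methods continue outside the hunks.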