Raise SignatureDoesNotMatch for unauthorized requests

HTTP_UNAUTHORIZED is returned only when the given signature is wrong. Change-Id: I4353557c6826ded2157b3a5be2e1ec1850477958
2014-06-06 00:08:38 +09:00 · 2014-06-06 00:08:38 +09:00 · 8857a09806
commit 8857a09806
parent aceaad2b75
2 changed files with 48 additions and 21 deletions
--- a/swift3/middleware.py
+++ b/swift3/middleware.py
@ -69,7 +69,8 @@ from swift3.request import Request
 from swift3.response import HTTPNoContent, HTTPOk, ErrorResponse, \
    AccessDenied, BucketAlreadyExists, BucketNotEmpty, EntityTooLarge, \
    InternalError, InvalidArgument, InvalidDigest, MalformedACLError, \
-    MethodNotAllowed, NoSuchBucket, NoSuchKey, S3NotImplemented
+    MethodNotAllowed, NoSuchBucket, NoSuchKey, S3NotImplemented, \
    SignatureDoesNotMatch
 XMLNS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
@ -231,7 +232,9 @@ class ServiceController(Controller):
        status = resp.status_int
        if status != HTTP_OK:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            if status == HTTP_FORBIDDEN:
                raise AccessDenied()
            else:
                raise InternalError()
@ -292,7 +295,9 @@ class BucketController(Controller):
        status = resp.status_int
        if status != HTTP_OK:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            if status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -358,7 +363,9 @@ class BucketController(Controller):
        status = resp.status_int
        if status != HTTP_CREATED and status != HTTP_NO_CONTENT:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            if status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_ACCEPTED:
                raise BucketAlreadyExists(req.container_name)
@ -375,7 +382,9 @@ class BucketController(Controller):
        status = resp.status_int
        if status != HTTP_NO_CONTENT:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            if status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -406,7 +415,9 @@ class ObjectController(Controller):
        if is_success(status):
            return resp
-        elif status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+        elif status == HTTP_UNAUTHORIZED:
            raise SignatureDoesNotMatch()
        elif status == HTTP_FORBIDDEN:
            raise AccessDenied()
        elif status == HTTP_NOT_FOUND:
            raise NoSuchKey(req.object_name)
@ -433,7 +444,9 @@ class ObjectController(Controller):
        status = resp.status_int
        if status != HTTP_CREATED:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -467,7 +480,9 @@ class ObjectController(Controller):
        status = resp.status_int
        if status != HTTP_NO_CONTENT:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchKey(req.object_name)
@ -508,7 +523,9 @@ class AclController(Controller):
                # Method must be GET or the body wont be returned to the caller
                req.environ['REQUEST_METHOD'] = 'GET'
                return get_acl(req.access_key, headers)
-            elif status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            elif status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchKey(req.object_name)
@ -524,7 +541,9 @@ class AclController(Controller):
            if is_success(status):
                return get_acl(req.access_key, headers)
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -555,7 +574,9 @@ class AclController(Controller):
            status = resp.status_int
            if status != HTTP_ACCEPTED:
-                if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+                if status == HTTP_UNAUTHORIZED:
                    raise SignatureDoesNotMatch()
                elif status == HTTP_FORBIDDEN:
                    raise AccessDenied()
                else:
                    raise InternalError()
@ -576,7 +597,9 @@ class LocationController(Controller):
        status = resp.status_int
        if status != HTTP_OK:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -608,7 +631,9 @@ class LoggingStatusController(Controller):
        status = resp.status_int
        if status != HTTP_OK:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
@ -770,7 +795,9 @@ class VersioningController(Controller):
        status = resp.status_int
        if status != HTTP_OK:
-            if status in (HTTP_UNAUTHORIZED, HTTP_FORBIDDEN):
+            if status == HTTP_UNAUTHORIZED:
                raise SignatureDoesNotMatch()
            elif status == HTTP_FORBIDDEN:
                raise AccessDenied()
            elif status == HTTP_NOT_FOUND:
                raise NoSuchBucket(req.container_name)
--- a/swift3/test/unit/test_swift3.py
+++ b/swift3/test/unit/test_swift3.py
@ -204,7 +204,7 @@ class TestSwift3(unittest.TestCase):
    def test_service_GET_error(self):
        code = self._test_method_error('GET', '', swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('GET', '', swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
        code = self._test_method_error('GET', '', swob.HTTPServerError)
@ -235,7 +235,7 @@ class TestSwift3(unittest.TestCase):
    def test_bucket_GET_error(self):
        code = self._test_method_error('GET', '/bucket', swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('GET', '/bucket', swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
        code = self._test_method_error('GET', '/bucket', swob.HTTPNotFound)
@ -339,7 +339,7 @@ class TestSwift3(unittest.TestCase):
                                       headers={'Content-Length': '-1'})
        self.assertEqual(code, 'InvalidArgument')
        code = self._test_method_error('PUT', '/bucket', swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('PUT', '/bucket', swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
        code = self._test_method_error('PUT', '/bucket', swob.HTTPAccepted)
@ -357,7 +357,7 @@ class TestSwift3(unittest.TestCase):
    def test_bucket_DELETE_error(self):
        code = self._test_method_error('DELETE', '/bucket',
                                       swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('DELETE', '/bucket', swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
        code = self._test_method_error('DELETE', '/bucket', swob.HTTPNotFound)
@ -446,7 +446,7 @@ class TestSwift3(unittest.TestCase):
    def test_object_GET_error(self):
        code = self._test_method_error('GET', '/bucket/object',
                                       swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('GET', '/bucket/object',
                                       swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
@ -474,7 +474,7 @@ class TestSwift3(unittest.TestCase):
    def test_object_PUT_error(self):
        code = self._test_method_error('PUT', '/bucket/object',
                                       swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('PUT', '/bucket/object',
                                       swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')
@ -524,7 +524,7 @@ class TestSwift3(unittest.TestCase):
    def test_object_DELETE_error(self):
        code = self._test_method_error('DELETE', '/bucket/object',
                                       swob.HTTPUnauthorized)
-        self.assertEquals(code, 'AccessDenied')
+        self.assertEquals(code, 'SignatureDoesNotMatch')
        code = self._test_method_error('DELETE', '/bucket/object',
                                       swob.HTTPForbidden)
        self.assertEquals(code, 'AccessDenied')