x/swiftonfile
Code Issues Proposed changes

Fix users not able to change their own password/key

Browse Source 
Users were not able to update their own password/key
with the update operation resulting in 403 (HTTPForbidden).

EXAMPLES:
Command to update password/key of regular user:
gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass

Command to update password/key of account admin:
gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass

Command to update password/key of reseller_admin:
gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass

BUG: https://bugs.launchpad.net/gluster-swift/+bug/1262227

Change-Id: I604da5aee67099b29541eb7e51a040a041f1961b
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/6650
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
This commit is contained in:
Prashanth Pai 2014-01-02 12:20:20 +05:30 committed by Luis Pabon
parent d1c7b1cc4b
commit 94a3f539e7
6 changed files with 323 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
doc/markdown/auth_guide.md
View File

@ -144,6 +144,26 @@ Example:
gswauth-add-user -K gswauthkey -a test ana anapwd gswauth-add-user -K gswauthkey -a test ana anapwd
~~~ ~~~
**Change password examples**
Command to update password/key of regular user:
~~~
gswauth-add-user -U account1:user1 -K old_pass account1 user1 new_pass
~~~
Command to update password/key of account admin:
~~~
gswauth-add-user -U account1:admin -K old_pass -a account1 admin new_pass
~~~
Command to update password/key of reseller_admin:
~~~
gswauth-add-user -U account1:radmin -K old_pass -r account1 radmin new_pass
~~~
#### gswauth-delete-account: #### gswauth-delete-account:
Delete an account. An account cannot be deleted if it still contains users, an error will be returned. Delete an account. An account cannot be deleted if it still contains users, an error will be returned.

30
gluster/swift/common/middleware/gswauth/bin/gswauth-add-user
View File

@ -60,20 +60,28 @@ if __name__ == '__main__':
parsed_path = '/' parsed_path = '/'
elif parsed_path[-1] != '/': elif parsed_path[-1] != '/':
parsed_path += '/' parsed_path += '/'
# Ensure the account exists # Check if user is changing his own password. This is carried out by
path = '%sv2/%s' % (parsed_path, account) # making sure that the user changing the password and the user whose
headers = {'X-Auth-Admin-User': options.admin_user, # password is being changed are the same.
'X-Auth-Admin-Key': options.admin_key} # If not, ensure that the account exists before creating new user.
conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers, if not options.admin_user == (account + ':' + user):
ssl=(parsed.scheme == 'https')) # GET the account
resp = conn.getresponse() path = '%sv2/%s' % (parsed_path, account)
if resp.status // 100 != 2: headers = {'X-Auth-Admin-User': options.admin_user,
headers['Content-Length'] = '0' 'X-Auth-Admin-Key': options.admin_key}
conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers,
ssl=(parsed.scheme == 'https')) ssl=(parsed.scheme == 'https'))
resp = conn.getresponse() resp = conn.getresponse()
if resp.status // 100 != 2: if resp.status // 100 != 2:
print 'Account creation failed: %s %s' % (resp.status, resp.reason) # If the GET operation fails, it means the account does not exist.
# Now we create the account by sending a PUT request.
headers['Content-Length'] = '0'
conn = http_connect(parsed.hostname, parsed.port, 'PUT', path,
headers, ssl=(parsed.scheme == 'https'))
resp = conn.getresponse()
if resp.status // 100 != 2:
print 'Account creation failed: %s %s' % \
(resp.status, resp.reason)
# Add the user # Add the user
path = '%sv2/%s/%s' % (parsed_path, account, user) path = '%sv2/%s/%s' % (parsed_path, account, user)
headers = {'X-Auth-Admin-User': options.admin_user, headers = {'X-Auth-Admin-User': options.admin_user,

51
gluster/swift/common/middleware/gswauth/swauth/middleware.py
View File

@ -972,9 +972,19 @@ class Swauth(object):
X-Auth-User-Reseller-Admin may be set to `true` to create a X-Auth-User-Reseller-Admin may be set to `true` to create a
.reseller_admin. .reseller_admin.
Creating users
**************
Can only be called by an account .admin unless the user is to be a Can only be called by an account .admin unless the user is to be a
.reseller_admin, in which case the request must be by .super_admin. .reseller_admin, in which case the request must be by .super_admin.
Changing password/key
*********************
1) reseller_admin key can be changed by super_admin and by himself.
2) admin key can be changed by any admin in same account,
reseller_admin, super_admin and himself.
3) Regular user key can be changed by any admin in his account,
reseller_admin, super_admin and himself.
:param req: The swob.Request to process. :param req: The swob.Request to process.
:returns: swob.Response, 2xx on success. :returns: swob.Response, 2xx on success.
""" """
@ -990,11 +1000,14 @@ class Swauth(object):
if req.path_info or not account or account[0] == '.' or not user or \ if req.path_info or not account or account[0] == '.' or not user or \
user[0] == '.' or not key: user[0] == '.' or not key:
return HTTPBadRequest(request=req) return HTTPBadRequest(request=req)
user_arg = account + ':' + user
if reseller_admin: if reseller_admin:
if not self.is_super_admin(req): if not self.is_super_admin(req) and\
return HTTPUnauthorized(request=req) not self.is_user_changing_own_key(req, user_arg):
elif not self.is_account_admin(req, account): return HTTPUnauthorized(request=req)
return self.denied_response(req) elif not self.is_account_admin(req, account) and\
not self.is_user_changing_own_key(req, user_arg):
return self.denied_response(req)
path = quote('/v1/%s/%s' % (self.auth_account, account)) path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = self.make_pre_authed_request( resp = self.make_pre_authed_request(
@ -1403,6 +1416,36 @@ class Swauth(object):
return user_detail and self.auth_encoder().match( return user_detail and self.auth_encoder().match(
key, user_detail.get('auth')) key, user_detail.get('auth'))
def is_user_changing_own_key(self, req, user):
"""
Check if the user is changing his own key.
:param req: The swob.Request to check. This contains x-auth-admin-user
and x-auth-admin-key headers which are credentials of the
user sending the request.
:param user: User whose password is to be changed.
:returns True if user is changing his own key, False if not.
"""
admin_detail = self.get_admin_detail(req)
if not admin_detail:
# The user does not exist
return False
# If user is not admin/reseller_admin and x-auth-user-admin or
# x-auth-user-reseller-admin headers are present in request, he may be
# attempting to escalate himself as admin/reseller_admin!
if '.admin' not in (g['name'] for g in admin_detail['groups']):
if req.headers.get('x-auth-user-admin') == 'true' or \
req.headers.get('x-auth-user-reseller-admin') == 'true':
return False
if '.reseller_admin' not in \
(g['name'] for g in admin_detail['groups']) and \
req.headers.get('x-auth-user-reseller-admin') == 'true':
return False
return req.headers.get('x-auth-admin-user') == user and \
self.credentials_match(admin_detail,
req.headers.get('x-auth-admin-key'))
def is_super_admin(self, req): def is_super_admin(self, req):
""" """
Returns True if the admin specified in the request represents the Returns True if the admin specified in the request represents the

7
test/functional_auth/gswauth/test_gswauth.py
View File

@ -227,15 +227,16 @@ class TestGSWauth(unittest.TestCase):
# attempt to change password # attempt to change password
path = '%sv2/%s/%s' % (config['auth_prefix'], config['account'], path = '%sv2/%s/%s' % (config['auth_prefix'], config['account'],
config['username']) config['username'])
headers = self._get_admin_headers() headers = {'X-Auth-Admin-User':
config['account'] + ':' + config['username'],
'X-Auth-Admin-Key': config['password']}
headers.update({'X-Auth-User-Key': 'newpassword', headers.update({'X-Auth-User-Key': 'newpassword',
'Content-Length': '0', 'Content-Length': '0',
'X-Auth-Admin-Key': config['password'],
'X-Auth-User-Admin': 'true'}) 'X-Auth-User-Admin': 'true'})
conn = http_connect(config['auth_host'], config['auth_port'], 'PUT', conn = http_connect(config['auth_host'], config['auth_port'], 'PUT',
path, headers) path, headers)
resp = conn.getresponse() resp = conn.getresponse()
self.assertTrue(resp.status == 401) self.assertTrue(resp.status == 201)
finally: finally:
try: try:

76
test/functional_auth/gswauth/test_gswauth_cli.py
View File

@ -438,11 +438,6 @@ class TestUser(unittest.TestCase):
self.assertNotEqual(status, 0, 'user creation succeeded with user of other account: '+output) self.assertNotEqual(status, 0, 'user creation succeeded with user of other account: '+output)
self.assertEqual('403 Forbidden' in output,True, 'user creation succeeded with user of other account: '+output) self.assertEqual('403 Forbidden' in output,True, 'user creation succeeded with user of other account: '+output)
#update password of own regular user
(status,output)=Utils.addUser('test', 'tester', 'testingupdated', user='test:tester', key='testing')
self.assertNotEqual(status, 0, 'regular user update password succeeded with own credentials: '+output)
self.assertEqual('403 Forbidden' in output,True, 'regular user update password succeeded with own credentials: '+output)
def testDeleteUser(self): def testDeleteUser(self):
#set test acc #set test acc
self.setTestAccUserEnv() self.setTestAccUserEnv()
@ -577,3 +572,74 @@ class TestUser(unittest.TestCase):
(status,output) = Utils.deleteUser('test', 'usertobedeletedbyitself',user='test:usertobedeletedbyitself',key='testing') (status,output) = Utils.deleteUser('test', 'usertobedeletedbyitself',user='test:usertobedeletedbyitself',key='testing')
self.assertEqual(status, 0, 'user deletion failed with own credentials : '+output) self.assertEqual(status, 0, 'user deletion failed with own credentials : '+output)
def testChangeKey(self):
# Create account and users
(status, output) = Utils.addAccount('test')
self.assertEqual(status, 0, 'Account creation failed: ' + output)
(status, output) = Utils.addAdminUser('test', 'admin', 'password')
self.assertEqual(status, 0, 'User addition failed: ' + output)
(status, output) = Utils.addUser('test', 'user', 'password')
self.assertEqual(status, 0, 'User addition failed: ' + output)
(status, output) = Utils.addResellerAdminUser('test', 'radmin', 'password')
self.assertEqual(status, 0, 'User addition failed: ' + output)
# Change acccount admin password/key
(status, output) = Utils.addAdminUser('test', 'admin', 'new_password', user='test:admin', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Change regular user password/key
(status, output) = Utils.addUser('test', 'user', 'new_password', user='test:user', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Change reseller admin password/key
(status, output) = Utils.addResellerAdminUser('test', 'radmin', 'new_password', user='test:radmin', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# To verify that password was changed for real, re-run the above commands, but with the new password
# Change acccount admin password/key using the new password
(status, output) = Utils.addAdminUser('test', 'admin', 'password', user='test:admin', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Change regular user password/key using the new password
(status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Change reseller admin password/key using the new password
(status, output) = Utils.addResellerAdminUser('test', 'radmin', 'password', user='test:radmin', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Make sure that regular user cannot upgrade to admin
(status, output) = Utils.addAdminUser('test', 'user', 'password', user='test:user', key='password')
self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output)
# Make sure that regular user cannot upgrade to reseller_admin
(status, output) = Utils.addResellerAdminUser('test', 'user', 'password', user='test:user', key='password')
self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output)
# Make sure admin cannot update himself to reseller_admin
(status, output) = Utils.addResellerAdminUser('test', 'admin', 'password', user='test:admin', key='password')
self.assertEqual('User creation failed' in output, True, 'Update key failed: ' + output)
# Account admin changing regular user password/key
(status, output) = Utils.addUser('test', 'user', 'new_password', user='test:admin', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Verify by running the command with new password
(status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Reseller admin changing regular user password/key
(status, output) = Utils.addUser('test', 'user', 'new_password', user='test:radmin', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Verify by running the command with new password
(status, output) = Utils.addUser('test', 'user', 'password', user='test:user', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Reseller admin changing account admin password/key
(status, output) = Utils.addAdminUser('test', 'admin', 'new_password', user='test:radmin', key='password')
self.assertEqual(status, 0, 'Update key failed: ' + output)
# Verify by running the command with new password
(status, output) = Utils.addAdminUser('test', 'admin', 'password', user='test:admin', key='new_password')
self.assertEqual(status, 0, 'Update key failed: ' + output)

171
test/unit/common/middleware/gswauth/swauth/test_middleware.py
View File

@ -3242,6 +3242,10 @@ class TestAuth(unittest.TestCase):
def test_put_user_reseller_admin_fail_bad_creds(self): def test_put_user_reseller_admin_fail_bad_creds(self):
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# Checking if user is changing his own key. This is called.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:rdm"},
{"name": "test"}, {"name": ".admin"},
{"name": ".reseller_admin"}], "auth": "plaintext:key"})),
# GET of user object (reseller admin) # GET of user object (reseller admin)
# This shouldn't actually get called, checked # This shouldn't actually get called, checked
# below # below
@ -3261,9 +3265,13 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Reseller-Admin': 'true'} 'X-Auth-User-Reseller-Admin': 'true'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 401) self.assertEquals(resp.status_int, 401)
self.assertEquals(self.test_auth.app.calls, 0) self.assertEquals(self.test_auth.app.calls, 1)
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# Checking if user is changing his own key. This is called.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"})),
# GET of user object (account admin, but not reseller admin) # GET of user object (account admin, but not reseller admin)
# This shouldn't actually get called, checked # This shouldn't actually get called, checked
# below # below
@ -3283,13 +3291,16 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Reseller-Admin': 'true'} 'X-Auth-User-Reseller-Admin': 'true'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 401) self.assertEquals(resp.status_int, 401)
self.assertEquals(self.test_auth.app.calls, 0) self.assertEquals(self.test_auth.app.calls, 1)
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# Checking if user is changing his own key. This is called.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"})),
# GET of user object (regular user) # GET of user object (regular user)
# This shouldn't actually get called, checked # This shouldn't actually get called, checked
# below # below
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))])) {"name": "test"}], "auth": "plaintext:key"}))]))
resp = Request.blank('/auth/v2/act/usr', resp = Request.blank('/auth/v2/act/usr',
environ={ environ={
@ -3304,13 +3315,17 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Reseller-Admin': 'true'} 'X-Auth-User-Reseller-Admin': 'true'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 401) self.assertEquals(resp.status_int, 401)
self.assertEquals(self.test_auth.app.calls, 0) self.assertEquals(self.test_auth.app.calls, 1)
def test_put_user_account_admin_fail_bad_creds(self): def test_put_user_account_admin_fail_bad_creds(self):
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# GET of user object (account admin, but wrong # GET of user object (account admin, but wrong
# account) # account)
('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"},
{"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"})),
# Checking if user is changing his own key.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"}], {"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"}))])) "auth": "plaintext:key"}))]))
resp = Request.blank('/auth/v2/act/usr', resp = Request.blank('/auth/v2/act/usr',
@ -3326,10 +3341,13 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Admin': 'true'} 'X-Auth-User-Admin': 'true'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 403) self.assertEquals(resp.status_int, 403)
self.assertEquals(self.test_auth.app.calls, 1) self.assertEquals(self.test_auth.app.calls, 2)
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# GET of user object (regular user) # GET of user object (regular user)
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"})),
# Checking if user is changing his own key.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))])) {"name": "test"}], "auth": "plaintext:key"}))]))
resp = Request.blank('/auth/v2/act/usr', resp = Request.blank('/auth/v2/act/usr',
@ -3345,13 +3363,17 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Admin': 'true'} 'X-Auth-User-Admin': 'true'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 403) self.assertEquals(resp.status_int, 403)
self.assertEquals(self.test_auth.app.calls, 1) self.assertEquals(self.test_auth.app.calls, 2)
def test_put_user_regular_fail_bad_creds(self): def test_put_user_regular_fail_bad_creds(self):
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# GET of user object (account admin, but wrong # GET of user object (account admin, but wrong
# account) # account)
('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"}, ('200 Ok', {}, json.dumps({"groups": [{"name": "act2:adm"},
{"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"})),
# Checking if user is changing his own key.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"}], {"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"}))])) "auth": "plaintext:key"}))]))
resp = Request.blank('/auth/v2/act/usr', resp = Request.blank('/auth/v2/act/usr',
@ -3365,13 +3387,16 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Key': 'key'} 'X-Auth-User-Key': 'key'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 403) self.assertEquals(resp.status_int, 403)
self.assertEquals(self.test_auth.app.calls, 1) self.assertEquals(self.test_auth.app.calls, 2)
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
# GET of user object (regular user) # GET of user object (regular user)
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"})),
# Checking if user is changing his own key.
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"}, ('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))])) {"name": "test"}], "auth": "plaintext:key"}))]))
resp = Request.blank('/auth/v2/act/usr', resp = Request.blank('/auth/v2/act2/usr',
environ={ environ={
'REQUEST_METHOD': 'PUT'}, 'REQUEST_METHOD': 'PUT'},
headers={ headers={
@ -3382,7 +3407,7 @@ class TestAuth(unittest.TestCase):
'X-Auth-User-Key': 'key'} 'X-Auth-User-Key': 'key'}
).get_response(self.test_auth) ).get_response(self.test_auth)
self.assertEquals(resp.status_int, 403) self.assertEquals(resp.status_int, 403)
self.assertEquals(self.test_auth.app.calls, 1) self.assertEquals(self.test_auth.app.calls, 2)
def test_put_user_regular_success(self): def test_put_user_regular_success(self):
self.test_auth.app = FakeApp(iter([ self.test_auth.app = FakeApp(iter([
@ -3941,6 +3966,134 @@ class TestAuth(unittest.TestCase):
self.assert_(not self.test_auth.credentials_match( self.assert_(not self.test_auth.credentials_match(
{'auth': 'plaintext:key'}, 'notkey')) {'auth': 'plaintext:key'}, 'notkey'))
def test_is_user_changing_own_key_err(self):
# User does not exist
self.test_auth.app = FakeApp(
iter([('404 Not Found', {}, '')]))
req = Request.blank('/auth/v2/act/usr',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:usr',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'key'})
self.assert_(
not self.test_auth.is_user_changing_own_key(req, 'act:usr'))
self.assertEquals(self.test_auth.app.calls, 1)
# user attempting to escalate himself as admin
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/usr',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:usr',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'key',
'X-Auth-User-Admin': 'true'})
self.assert_(
not self.test_auth.is_user_changing_own_key(req, 'act:usr'))
self.assertEquals(self.test_auth.app.calls, 1)
# admin attempting to escalate himself as reseller_admin
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/adm',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:adm',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'key',
'X-Auth-User-Reseller-Admin': 'true'})
self.assert_(
not self.test_auth.is_user_changing_own_key(req, 'act:adm'))
self.assertEquals(self.test_auth.app.calls, 1)
# different user
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/usr2',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:usr',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'key'})
self.assert_(
not self.test_auth.is_user_changing_own_key(req, 'act:usr2'))
self.assertEquals(self.test_auth.app.calls, 1)
# wrong key
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/usr',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:usr',
'X-Auth-Admin-Key': 'wrongkey',
'X-Auth-User-Key': 'newkey'})
self.assert_(
not self.test_auth.is_user_changing_own_key(req, 'act:usr'))
self.assertEquals(self.test_auth.app.calls, 1)
def test_is_user_changing_own_key_sucess(self):
# regular user
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:usr"},
{"name": "test"}], "auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/usr',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:usr',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'newkey'})
self.assert_(
self.test_auth.is_user_changing_own_key(req, 'act:usr'))
self.assertEquals(self.test_auth.app.calls, 1)
# account admin
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"}],
"auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/adm',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:adm',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'newkey',
'X-Auth-User-Admin': 'true'})
self.assert_(
self.test_auth.is_user_changing_own_key(req, 'act:adm'))
self.assertEquals(self.test_auth.app.calls, 1)
# reseller admin
self.test_auth.app = FakeApp(iter([
('200 Ok', {}, json.dumps({"groups": [{"name": "act:adm"},
{"name": "test"}, {"name": ".admin"},
{"name": ".reseller_admin"}], "auth": "plaintext:key"}))]))
req = Request.blank('/auth/v2/act/adm',
environ={
'REQUEST_METHOD': 'PUT'},
headers={
'X-Auth-Admin-User': 'act:adm',
'X-Auth-Admin-Key': 'key',
'X-Auth-User-Key': 'newkey',
'X-Auth-User-Reseller-Admin': 'true'})
self.assert_(
self.test_auth.is_user_changing_own_key(req, 'act:adm'))
self.assertEquals(self.test_auth.app.calls, 1)
def test_is_super_admin_success(self): def test_is_super_admin_success(self):
self.assert_( self.assert_(
self.test_auth.is_super_admin( self.test_auth.is_super_admin(