-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/middleware.py | 18 | ||||
-rw-r--r-- | test/unit/common/middleware/gswauth/swauth/test_middleware.py | 39 |
2 files changed, 52 insertions, 5 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 48f1d71..7a6d713 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -148,6 +148,18 @@ class Swauth(object):
 'Invalid auth_type in config file: %s' % self.auth_type)
 self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')
+
+ # Due to security concerns, S3 support is disabled by default.
+ self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES
+ if self.s3_support and self.auth_type != 'Plaintext' \
+ and not self.auth_encoder.salt:
+ # In future, we may want to randomize salt generation rather than
+ # use a statically set salt as done today.
+ msg = _('S3 support requires salt to be manually set in conf '
+ 'file using auth_type_salt config option.')
+ self.logger.warning(msg)
+ self.s3_support = False
+
 self.allow_overrides = \
 conf.get('allow_overrides', 't').lower() in TRUE_VALUES
 self.agent = '%(orig)s Swauth'
@@ -205,6 +217,9 @@ class Swauth(object):
 elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
 return self.handle(env, start_response)
 s3 = env.get('HTTP_AUTHORIZATION')
+ if s3 and not self.s3_support:
+ msg = 'S3 support is disabled in gswauth.'
+ return HTTPBadRequest(body=msg)(env, start_response)
 token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
 if token and len(token) > authtypes.MAX_TOKEN_LENGTH:
 return HTTPBadRequest(body='Token exceeds maximum length.')(
@@ -284,6 +299,9 @@ class Swauth(object):
 groups = None
 if env.get('HTTP_AUTHORIZATION'):
+ if not self.s3_support:
+ self.logger.warning('S3 support is disabled in gswauth.')
+ return None
 if self.swauth_remote:
 # TODO: Support S3-style authorization with swauth_remote mode
 self.logger.warn('S3-style authorization not supported yet '
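Review bot: The salt guard in the added `if` cannot fire in the misconfiguration its message describes: the context line just above it sets `self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')`, so the salt is only falsy when an operator explicitly writes an empty `auth_type_salt`, and a Sha1/Sha512 deployment that simply never set the option keeps S3 enabled with the well-known default salt while the warning promises that S3 "requires salt to be manually set". Test the configured value rather than the defaulted attribute: `and not conf.get('auth_type_salt'):`. It would also help a reader to say why the salt matters for S3 at all; the `test_s3_only_hash_passed_to_hmac` test in this commit suggests the S3 HMAC is keyed with the salted key hash rather than the raw key, so a comment such as `# S3 signatures are computed over the salted key hash, so the salt must be a fixed, operator-chosen value` would be appropriate once confirmed against the signing code. `__init__` starts and ends outside this hunk.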
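Review bot: The new early return on `s3` answers with a bare 400 and no log line, so a deployment that has S3 disabled gets no record of clients attempting the scheme, even though the parallel guard added to `get_groups` in the next hunk does log it; for detection parity add `self.logger.warning('S3 support is disabled in gswauth.')` (debug level if request volume is a concern) before the `return`. It is also worth reconsidering the status: the request is well-formed but uses an authentication scheme the server has turned off, which the removed test `test_crazy_authorization` expected to surface as 401, so `HTTPUnauthorized` or the existing `denied_response` path reads more accurately than `HTTPBadRequest`. The enclosing method (presumably `__call__`) begins and ends outside the hunk, so whether any earlier branch handles override or `swift.authorize` state for this response is not visible here.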
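Review bot: The added `self.logger.warning(...)` in `get_groups` fires once per request carrying an Authorization header, which is client-controlled volume, so if this path is reachable without first passing the 400 rejection added in the previous hunk (not visible here), an unauthenticated remote can flood the log with a line that only restates a static configuration choice. Downgrade it to `self.logger.debug('S3 support is disabled in gswauth.')`, or log once at construction time and keep the per-request `return None` silent. `get_groups` starts and ends outside this hunk.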
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
index e8c2001..608dba4 100644
--- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py
+++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
@@ -4836,15 +4836,41 @@ class TestAuth(unittest.TestCase):
 resp.body, 'Token exceeds maximum length.')
- def test_crazy_authorization(self):
+ def test_s3_authorization_default_off(self):
+ self.assertFalse(self.test_auth.s3_support)
 req = self._make_request('/v1/AUTH_account', headers={
- 'authorization': 'somebody elses header value'})
+ 'authorization': 's3_header'})
 resp = req.get_response(self.test_auth)
- self.assertEquals(resp.status_int, 401)
- self.assertEquals(resp.environ['swift.authorize'],
- self.test_auth.denied_response)
+ self.assertEqual(resp.status_int, 400) # HTTPBadRequest
+ self.assertTrue(resp.environ.get('swift.authorize') is None)
+
+ def test_s3_turned_off_get_groups(self):
+ env = \
+ {'HTTP_AUTHORIZATION': 's3 header'}
+ token = 'whatever'
+ self.test_auth.logger = mock.Mock()
+ self.assertEqual(self.test_auth.get_groups(env, token), None)
+
+ def test_s3_enabled_when_conditions_are_met(self):
+ # auth_type_salt needs to be set
+ for atype in ('Sha1', 'Sha512'):
+ test_auth = \
+ auth.filter_factory({
+ 'super_admin_key': 'supertest',
+ 's3_support': 'on',
+ 'auth_type_salt': 'blah',
+ 'auth_type': atype})(FakeApp())
+ self.assertTrue(test_auth.s3_support)
+ # auth_type_salt need not be set for Plaintext
+ test_auth = \
+ auth.filter_factory({
+ 'super_admin_key': 'supertest',
+ 's3_support': 'on',
+ 'auth_type': 'Plaintext'})(FakeApp())
+ self.assertTrue(test_auth.s3_support)
 def test_s3_creds_unicode(self):
+ self.test_auth.s3_support = True
 self.test_auth.app = FakeApp(iter([
 ('200 Ok', {}, json.dumps({"auth": unicode("plaintext:key)"),
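Review bot: `test_s3_enabled_when_conditions_are_met` only exercises the positive branch of the new salt guard; nothing in the hunk asserts that Sha1/Sha512 with `auth_type_salt` left unset ends up with `s3_support` False, which is the security property the commit message and the middleware's warning text claim. Adding the negative case below would also expose that, with the middleware as committed, it only passes if `'auth_type_salt': ''` is supplied, because the attribute defaults to the non-empty `'gswauthsalt'`. Separately, `test_s3_turned_off_get_groups` replaces the logger with a `mock.Mock()` but never checks it; `self.test_auth.logger.warning.assert_called_once()` would pin the logging behaviour the middleware hunk adds.
```python
    def test_s3_disabled_without_salt(self):
        # Sha1/Sha512 with auth_type_salt unset must leave S3 off
        for atype in ('Sha1', 'Sha512'):
            test_auth = \
                auth.filter_factory({
                    'super_admin_key': 'supertest',
                    's3_support': 'on',
                    'auth_type': atype})(FakeApp())
            self.assertFalse(test_auth.s3_support)
```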
@@ -4857,8 +4883,10 @@ class TestAuth(unittest.TestCase):
 token = 'UFVUCgoKRnJpLCAyNiBGZWIgMjAxNiAwNjo0NT'\
 'ozNCArMDAwMAovY29udGFpbmVyMw=='
 self.assertEqual(self.test_auth.get_groups(env, token), None)
+ self.test_auth.s3_support = False
 def test_s3_only_hash_passed_to_hmac(self):
+ self.test_auth.s3_support = True
 key = 'dadada'
 salt = 'zuck'
 key_hash = hashlib.sha1('%s%s' % (salt, key)).hexdigest()
@@ -4880,6 +4908,7 @@ class TestAuth(unittest.TestCase):
 self.assertTrue(mock_hmac_new.called)
 # Assert that string passed to hmac.new is only the hash
 self.assertEqual(mock_hmac_new.call_args[0][0], key_hash)
+ self.test_auth.s3_support = False
|
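Review bot: The `self.test_auth.s3_support = False` reset added after the final `assertEqual` in `test_s3_creds_unicode` only runs when every preceding assertion passes; a failure leaves `s3_support` True on `self.test_auth`, and if that object is shared between tests rather than rebuilt in `setUp` (not visible here) it silently changes the outcome of `test_s3_authorization_default_off`, which asserts the default. Register the reset up front instead of trailing it: keep `self.test_auth.s3_support = True` at the top of each S3 test and follow it with `self.addCleanup(setattr, self.test_auth, 's3_support', False)` (available since Python 2.7). Both test bodies begin before this hunk.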