/usr/share/pyshared/swauth/middleware.py is in python-swauth 1.0.4-0ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 1334 1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416 1417 1418 1419 1420 1421 1422 1423 1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435 1436 1437 1438 1439 1440 1441 1442 1443 1444 1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456 | # Copyright (c) 2010-2012 OpenStack, LLC.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
try:
import simplejson as json
except ImportError:
import json
from httplib import HTTPConnection, HTTPSConnection
from time import gmtime, strftime, time
from traceback import format_exc
from urllib import quote, unquote
from uuid import uuid4
from hashlib import md5, sha1
import hmac
import base64
from eventlet.timeout import Timeout
from eventlet import TimeoutError
from webob import Response, Request
from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPConflict, \
HTTPCreated, HTTPForbidden, HTTPMethodNotAllowed, HTTPMovedPermanently, \
HTTPNoContent, HTTPNotFound, HTTPServiceUnavailable, HTTPUnauthorized
from swift.common.bufferedhttp import http_connect_raw as http_connect
from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
from swift.common.utils import cache_from_env, get_logger, get_remote_client, \
split_path, TRUE_VALUES, urlparse
from swift.common.wsgi import make_pre_authed_request
import swauth.authtypes
class Swauth(object):
"""
Scalable authentication and authorization system that uses Swift as its
backing store.
:param app: The next WSGI app in the pipeline
:param conf: The dict of configuration values
"""
def __init__(self, app, conf):
self.app = app
self.conf = conf
self.logger = get_logger(conf, log_route='swauth')
self.log_headers = conf.get('log_headers', 'no').lower() in TRUE_VALUES
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
if self.reseller_prefix and self.reseller_prefix[-1] != '_':
self.reseller_prefix += '_'
self.auth_prefix = conf.get('auth_prefix', '/auth/')
if not self.auth_prefix:
self.auth_prefix = '/auth/'
if self.auth_prefix[0] != '/':
self.auth_prefix = '/' + self.auth_prefix
if self.auth_prefix[-1] != '/':
self.auth_prefix += '/'
self.swauth_remote = conf.get('swauth_remote')
if self.swauth_remote:
self.swauth_remote = self.swauth_remote.rstrip('/')
if not self.swauth_remote:
msg = _('Invalid swauth_remote set in conf file! Exiting.')
try:
self.logger.critical(msg)
except Exception:
pass
raise ValueError(msg)
self.swauth_remote_parsed = urlparse(self.swauth_remote)
if self.swauth_remote_parsed.scheme not in ('http', 'https'):
msg = _('Cannot handle protocol scheme %s for url %s!') % \
(self.swauth_remote_parsed.scheme, repr(self.swauth_remote))
try:
self.logger.critical(msg)
except Exception:
pass
raise ValueError(msg)
self.swauth_remote_timeout = int(conf.get('swauth_remote_timeout', 10))
self.auth_account = '%s.auth' % self.reseller_prefix
self.default_swift_cluster = conf.get('default_swift_cluster',
'local#http://127.0.0.1:8080/v1')
# This setting is a little messy because of the options it has to
# provide. The basic format is cluster_name#url, such as the default
# value of local#http://127.0.0.1:8080/v1.
# If the URL given to the user needs to differ from the url used by
# Swauth to create/delete accounts, there's a more complex format:
# cluster_name#url#url, such as
# local#https://public.com:8080/v1#http://private.com:8080/v1.
cluster_parts = self.default_swift_cluster.split('#', 2)
self.dsc_name = cluster_parts[0]
if len(cluster_parts) == 3:
self.dsc_url = cluster_parts[1].rstrip('/')
self.dsc_url2 = cluster_parts[2].rstrip('/')
elif len(cluster_parts) == 2:
self.dsc_url = self.dsc_url2 = cluster_parts[1].rstrip('/')
else:
raise Exception('Invalid cluster format')
self.dsc_parsed = urlparse(self.dsc_url)
if self.dsc_parsed.scheme not in ('http', 'https'):
raise Exception('Cannot handle protocol scheme %s for url %s' %
(self.dsc_parsed.scheme, repr(self.dsc_url)))
self.dsc_parsed2 = urlparse(self.dsc_url2)
if self.dsc_parsed2.scheme not in ('http', 'https'):
raise Exception('Cannot handle protocol scheme %s for url %s' %
(self.dsc_parsed2.scheme, repr(self.dsc_url2)))
self.super_admin_key = conf.get('super_admin_key')
if not self.super_admin_key and not self.swauth_remote:
msg = _('No super_admin_key set in conf file; Swauth '
'administration features will be disabled.')
try:
self.logger.warn(msg)
except Exception:
pass
self.token_life = int(conf.get('token_life', 86400))
self.timeout = int(conf.get('node_timeout', 10))
self.itoken = None
self.itoken_expires = None
self.allowed_sync_hosts = [h.strip()
for h in conf.get('allowed_sync_hosts', '127.0.0.1').split(',')
if h.strip()]
# Get an instance of our auth_type encoder for saving and checking the
# user's key
self.auth_type = conf.get('auth_type', 'Plaintext').title()
self.auth_encoder = getattr(swauth.authtypes, self.auth_type, None)
if self.auth_encoder is None:
raise Exception('Invalid auth_type in config file: %s'
% self.auth_type)
self.auth_encoder.salt = conf.get('auth_type_salt', 'swauthsalt')
self.allow_overrides = \
conf.get('allow_overrides', 't').lower() in TRUE_VALUES
self.agent = '%(orig)s Swauth'
def __call__(self, env, start_response):
"""
Accepts a standard WSGI application call, authenticating the request
and installing callback hooks for authorization and ACL header
validation. For an authenticated request, REMOTE_USER will be set to a
comma separated list of the user's groups.
With a non-empty reseller prefix, acts as the definitive auth service
for just tokens and accounts that begin with that prefix, but will deny
requests outside this prefix if no other auth middleware overrides it.
With an empty reseller prefix, acts as the definitive auth service only
for tokens that validate to a non-empty set of groups. For all other
requests, acts as the fallback auth service when no other auth
middleware overrides it.
Alternatively, if the request matches the self.auth_prefix, the request
will be routed through the internal auth request handler (self.handle).
This is to handle creating users, accounts, granting tokens, etc.
"""
if self.allow_overrides and env.get('swift.authorize_override', False):
return self.app(env, start_response)
if not self.swauth_remote:
if env.get('PATH_INFO', '') == self.auth_prefix[:-1]:
return HTTPMovedPermanently(add_slash=True)(env,
start_response)
elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
return self.handle(env, start_response)
s3 = env.get('HTTP_AUTHORIZATION')
token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
if token and len(token) > swauth.authtypes.MAX_TOKEN_LENGTH:
return HTTPBadRequest(body='Token exceeds maximum length.')(env,
start_response)
if s3 or (token and token.startswith(self.reseller_prefix)):
# Note: Empty reseller_prefix will match all tokens.
groups = self.get_groups(env, token)
if groups:
env['REMOTE_USER'] = groups
user = groups and groups.split(',', 1)[0] or ''
# We know the proxy logs the token, so we augment it just a bit
# to also log the authenticated user.
env['HTTP_X_AUTH_TOKEN'] = \
'%s,%s' % (user, 's3' if s3 else token)
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
else:
# Unauthorized token
if self.reseller_prefix:
# Because I know I'm the definitive auth for this token, I
# can deny it outright.
return HTTPUnauthorized()(env, start_response)
# Because I'm not certain if I'm the definitive auth for empty
# reseller_prefixed tokens, I won't overwrite swift.authorize.
elif 'swift.authorize' not in env:
env['swift.authorize'] = self.denied_response
else:
if self.reseller_prefix:
# With a non-empty reseller_prefix, I would like to be called
# back for anonymous access to accounts I know I'm the
# definitive auth for.
try:
version, rest = split_path(env.get('PATH_INFO', ''),
1, 2, True)
except ValueError:
version, rest = None, None
if rest and rest.startswith(self.reseller_prefix):
# Handle anonymous access to accounts I'm the definitive
# auth for.
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
# Not my token, not my account, I can't authorize this request,
# deny all is a good idea if not already set...
elif 'swift.authorize' not in env:
env['swift.authorize'] = self.denied_response
# Because I'm not certain if I'm the definitive auth for empty
# reseller_prefixed accounts, I won't overwrite swift.authorize.
elif 'swift.authorize' not in env:
env['swift.authorize'] = self.authorize
env['swift.clean_acl'] = clean_acl
return self.app(env, start_response)
def get_groups(self, env, token):
"""
Get groups for the given token.
:param env: The current WSGI environment dictionary.
:param token: Token to validate and return a group string for.
:returns: None if the token is invalid or a string containing a comma
separated list of groups the authenticated user is a member
of. The first group in the list is also considered a unique
identifier for that user.
"""
groups = None
memcache_client = cache_from_env(env)
if memcache_client:
memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
cached_auth_data = memcache_client.get(memcache_key)
if cached_auth_data:
expires, groups = cached_auth_data
if expires < time():
groups = None
if env.get('HTTP_AUTHORIZATION'):
if self.swauth_remote:
# TODO: Support S3-style authorization with swauth_remote mode
self.logger.warn('S3-style authorization not supported yet '
'with swauth_remote mode.')
return None
account = env['HTTP_AUTHORIZATION'].split(' ')[1]
account, user, sign = account.split(':')
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(env, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
return None
if 'x-object-meta-account-id' in resp.headers:
account_id = resp.headers['x-object-meta-account-id']
else:
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp2 = make_pre_authed_request(env, 'HEAD', path,
agent=self.agent).get_response(self.app)
if resp2.status_int // 100 != 2:
return None
account_id = resp2.headers['x-container-meta-account-id']
path = env['PATH_INFO']
env['PATH_INFO'] = path.replace("%s:%s" % (account, user),
account_id, 1)
detail = json.loads(resp.body)
password = detail['auth'].split(':')[-1]
msg = base64.urlsafe_b64decode(unquote(token))
s = base64.encodestring(hmac.new(password,
msg, sha1).digest()).strip()
if s != sign:
return None
groups = [g['name'] for g in detail['groups']]
if '.admin' in groups:
groups.remove('.admin')
groups.append(account_id)
groups = ','.join(groups)
return groups
if not groups:
if self.swauth_remote:
with Timeout(self.swauth_remote_timeout):
conn = http_connect(self.swauth_remote_parsed.hostname,
self.swauth_remote_parsed.port, 'GET',
'%s/v2/.token/%s' % (self.swauth_remote_parsed.path,
quote(token)),
ssl=(self.swauth_remote_parsed.scheme == 'https'))
resp = conn.getresponse()
resp.read()
conn.close()
if resp.status // 100 != 2:
return None
expires_from_now = float(resp.getheader('x-auth-ttl'))
groups = resp.getheader('x-auth-groups')
if memcache_client:
memcache_client.set(memcache_key,
(time() + expires_from_now, groups),
timeout=expires_from_now)
else:
path = quote('/v1/%s/.token_%s/%s' %
(self.auth_account, token[-1], token))
resp = make_pre_authed_request(env, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
return None
detail = json.loads(resp.body)
if detail['expires'] < time():
make_pre_authed_request(env, 'DELETE', path,
agent=self.agent).get_response(self.app)
return None
groups = [g['name'] for g in detail['groups']]
if '.admin' in groups:
groups.remove('.admin')
groups.append(detail['account_id'])
groups = ','.join(groups)
if memcache_client:
memcache_client.set(memcache_key,
(detail['expires'], groups),
timeout=float(detail['expires'] - time()))
return groups
def authorize(self, req):
"""
Returns None if the request is authorized to continue or a standard
WSGI response callable if not.
"""
try:
version, account, container, obj = split_path(req.path, 1, 4, True)
except ValueError:
return HTTPNotFound(request=req)
if not account or not account.startswith(self.reseller_prefix):
return self.denied_response(req)
user_groups = (req.remote_user or '').split(',')
if '.reseller_admin' in user_groups and \
account != self.reseller_prefix and \
account[len(self.reseller_prefix)] != '.':
req.environ['swift_owner'] = True
return None
if account in user_groups and \
(req.method not in ('DELETE', 'PUT') or container):
# If the user is admin for the account and is not trying to do an
# account DELETE or PUT...
req.environ['swift_owner'] = True
return None
if (req.environ.get('swift_sync_key') and
req.environ['swift_sync_key'] ==
req.headers.get('x-container-sync-key', None) and
'x-timestamp' in req.headers and
(req.remote_addr in self.allowed_sync_hosts or
get_remote_client(req) in self.allowed_sync_hosts)):
return None
referrers, groups = parse_acl(getattr(req, 'acl', None))
if referrer_allowed(req.referer, referrers):
if obj or '.rlistings' in groups:
return None
return self.denied_response(req)
if not req.remote_user:
return self.denied_response(req)
for user_group in user_groups:
if user_group in groups:
return None
return self.denied_response(req)
def denied_response(self, req):
"""
Returns a standard WSGI response callable with the status of 403 or 401
depending on whether the REMOTE_USER is set or not.
"""
if req.remote_user:
return HTTPForbidden(request=req)
else:
return HTTPUnauthorized(request=req)
def handle(self, env, start_response):
"""
WSGI entry point for auth requests (ones that match the
self.auth_prefix).
Wraps env in webob.Request object and passes it down.
:param env: WSGI environment dictionary
:param start_response: WSGI callable
"""
try:
req = Request(env)
if self.auth_prefix:
req.path_info_pop()
req.bytes_transferred = '-'
req.client_disconnect = False
if 'x-storage-token' in req.headers and \
'x-auth-token' not in req.headers:
req.headers['x-auth-token'] = req.headers['x-storage-token']
if 'eventlet.posthooks' in env:
env['eventlet.posthooks'].append(
(self.posthooklogger, (req,), {}))
return self.handle_request(req)(env, start_response)
else:
# Lack of posthook support means that we have to log on the
# start of the response, rather than after all the data has
# been sent. This prevents logging client disconnects
# differently than full transmissions.
response = self.handle_request(req)(env, start_response)
self.posthooklogger(env, req)
return response
except (Exception, TimeoutError):
print "EXCEPTION IN handle: %s: %s" % (format_exc(), env)
start_response('500 Server Error',
[('Content-Type', 'text/plain')])
return ['Internal server error.\n']
def handle_request(self, req):
"""
Entry point for auth requests (ones that match the self.auth_prefix).
Should return a WSGI-style callable (such as webob.Response).
:param req: webob.Request object
"""
req.start_time = time()
handler = None
try:
version, account, user, _junk = split_path(req.path_info,
minsegs=0, maxsegs=4, rest_with_last=True)
except ValueError:
return HTTPNotFound(request=req)
if version in ('v1', 'v1.0', 'auth'):
if req.method == 'GET':
handler = self.handle_get_token
elif version == 'v2':
if not self.super_admin_key:
return HTTPNotFound(request=req)
req.path_info_pop()
if req.method == 'GET':
if not account and not user:
handler = self.handle_get_reseller
elif account:
if not user:
handler = self.handle_get_account
elif account == '.token':
req.path_info_pop()
handler = self.handle_validate_token
else:
handler = self.handle_get_user
elif req.method == 'PUT':
if not user:
handler = self.handle_put_account
else:
handler = self.handle_put_user
elif req.method == 'DELETE':
if not user:
handler = self.handle_delete_account
else:
handler = self.handle_delete_user
elif req.method == 'POST':
if account == '.prep':
handler = self.handle_prep
elif user == '.services':
handler = self.handle_set_services
else:
handler = self.handle_webadmin
if not handler:
req.response = HTTPBadRequest(request=req)
else:
req.response = handler(req)
return req.response
def handle_webadmin(self, req):
if req.method not in ('GET', 'HEAD'):
return HTTPMethodNotAllowed(request=req)
subpath = req.path[len(self.auth_prefix):] or 'index.html'
path = quote('/v1/%s/.webadmin/%s' % (self.auth_account, subpath))
req.response = make_pre_authed_request(req.environ, req.method, path,
agent=self.agent).get_response(self.app)
return req.response
def handle_prep(self, req):
"""
Handles the POST v2/.prep call for preparing the backing store Swift
cluster for use with the auth subsystem. Can only be called by
.super_admin.
:param req: The webob.Request to process.
:returns: webob.Response, 204 on success
"""
if not self.is_super_admin(req):
return HTTPForbidden(request=req)
path = quote('/v1/%s' % self.auth_account)
resp = make_pre_authed_request(req.environ, 'PUT', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create the main auth account: %s %s' %
(path, resp.status))
path = quote('/v1/%s/.account_id' % self.auth_account)
resp = make_pre_authed_request(req.environ, 'PUT', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create container: %s %s' %
(path, resp.status))
for container in xrange(16):
path = quote('/v1/%s/.token_%x' % (self.auth_account, container))
resp = make_pre_authed_request(req.environ, 'PUT', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create container: %s %s' %
(path, resp.status))
return HTTPNoContent(request=req)
def handle_get_reseller(self, req):
"""
Handles the GET v2 call for getting general reseller information
(currently just a list of accounts). Can only be called by a
.reseller_admin.
On success, a JSON dictionary will be returned with a single `accounts`
key whose value is list of dicts. Each dict represents an account and
currently only contains the single key `name`. For example::
{"accounts": [{"name": "reseller"}, {"name": "test"},
{"name": "test2"}]}
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with a JSON dictionary as
explained above.
"""
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
listing = []
marker = ''
while True:
path = '/v1/%s?format=json&marker=%s' % (quote(self.auth_account),
quote(marker))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not list main auth account: %s %s' %
(path, resp.status))
sublisting = json.loads(resp.body)
if not sublisting:
break
for container in sublisting:
if container['name'][0] != '.':
listing.append({'name': container['name']})
marker = sublisting[-1]['name'].encode('utf-8')
return Response(body=json.dumps({'accounts': listing}))
def handle_get_account(self, req):
"""
Handles the GET v2/<account> call for getting account information.
Can only be called by an account .admin.
On success, a JSON dictionary will be returned containing the keys
`account_id`, `services`, and `users`. The `account_id` is the value
used when creating service accounts. The `services` value is a dict as
described in the :func:`handle_get_token` call. The `users` value is a
list of dicts, each dict representing a user and currently only
containing the single key `name`. For example::
{"account_id": "AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162",
"services": {"storage": {"default": "local",
"local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}},
"users": [{"name": "tester"}, {"name": "tester3"}]}
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with a JSON dictionary as
explained above.
"""
account = req.path_info_pop()
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not obtain the .services object: %s %s' %
(path, resp.status))
services = json.loads(resp.body)
listing = []
marker = ''
while True:
path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
(self.auth_account, account)), quote(marker))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not list in main auth account: %s %s' %
(path, resp.status))
account_id = resp.headers['X-Container-Meta-Account-Id']
sublisting = json.loads(resp.body)
if not sublisting:
break
for obj in sublisting:
if obj['name'][0] != '.':
listing.append({'name': obj['name']})
marker = sublisting[-1]['name'].encode('utf-8')
return Response(body=json.dumps({'account_id': account_id,
'services': services, 'users': listing}))
def handle_set_services(self, req):
"""
Handles the POST v2/<account>/.services call for setting services
information. Can only be called by a reseller .admin.
In the :func:`handle_get_account` (GET v2/<account>) call, a section of
the returned JSON dict is `services`. This section looks something like
this::
"services": {"storage": {"default": "local",
"local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}}
Making use of this section is described in :func:`handle_get_token`.
This function allows setting values within this section for the
<account>, allowing the addition of new service end points or updating
existing ones.
The body of the POST request should contain a JSON dict with the
following format::
{"service_name": {"end_point_name": "end_point_value"}}
There can be multiple services and multiple end points in the same
call.
Any new services or end points will be added to the existing set of
services and end points. Any existing services with the same service
name will be merged with the new end points. Any existing end points
with the same end point name will have their values updated.
The updated services dictionary will be returned on success.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with the udpated services JSON
dict as described above
"""
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info != '/.services' or not account or account[0] == '.':
return HTTPBadRequest(request=req)
try:
new_services = json.loads(req.body)
except ValueError, err:
return HTTPBadRequest(body=str(err))
# Get the current services information
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not obtain services info: %s %s' %
(path, resp.status))
services = json.loads(resp.body)
for new_service, value in new_services.iteritems():
if new_service in services:
services[new_service].update(value)
else:
services[new_service] = value
# Save the new services information
services = json.dumps(services)
resp = make_pre_authed_request(req.environ, 'PUT', path, services,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not save .services object: %s %s' %
(path, resp.status))
return Response(request=req, body=services)
def handle_put_account(self, req):
"""
Handles the PUT v2/<account> call for adding an account to the auth
system. Can only be called by a .reseller_admin.
By default, a newly created UUID4 will be used with the reseller prefix
as the account id used when creating corresponding service accounts.
However, you can provide an X-Account-Suffix header to replace the
UUID4 part.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success.
"""
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
# Ensure the container in the main auth account exists (this
# container represents the new account)
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'HEAD', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
resp = make_pre_authed_request(req.environ, 'PUT', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create account within main auth '
'account: %s %s' % (path, resp.status))
elif resp.status_int // 100 == 2:
if 'x-container-meta-account-id' in resp.headers:
# Account was already created
return HTTPAccepted(request=req)
else:
raise Exception('Could not verify account within main auth '
'account: %s %s' % (path, resp.status))
account_suffix = req.headers.get('x-account-suffix')
if not account_suffix:
account_suffix = str(uuid4())
# Create the new account in the Swift cluster
path = quote('%s/%s%s' % (self.dsc_parsed2.path,
self.reseller_prefix, account_suffix))
try:
conn = self.get_conn()
conn.request('PUT', path,
headers={'X-Auth-Token': self.get_itoken(req.environ)})
resp = conn.getresponse()
resp.read()
if resp.status // 100 != 2:
raise Exception('Could not create account on the Swift '
'cluster: %s %s %s' % (path, resp.status, resp.reason))
except (Exception, TimeoutError):
self.logger.error(_('ERROR: Exception while trying to communicate '
'with %(scheme)s://%(host)s:%(port)s/%(path)s'),
{'scheme': self.dsc_parsed2.scheme,
'host': self.dsc_parsed2.hostname,
'port': self.dsc_parsed2.port, 'path': path})
raise
# Record the mapping from account id back to account name
path = quote('/v1/%s/.account_id/%s%s' %
(self.auth_account, self.reseller_prefix, account_suffix))
resp = make_pre_authed_request(req.environ, 'PUT', path, account,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create account id mapping: %s %s' %
(path, resp.status))
# Record the cluster url(s) for the account
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
services = {'storage': {}}
services['storage'][self.dsc_name] = '%s/%s%s' % (self.dsc_url,
self.reseller_prefix, account_suffix)
services['storage']['default'] = self.dsc_name
resp = make_pre_authed_request(req.environ, 'PUT', path,
json.dumps(services), agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create .services object: %s %s' %
(path, resp.status))
# Record the mapping from account name to the account id
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'POST', path,
headers={'X-Container-Meta-Account-Id': '%s%s' %
(self.reseller_prefix, account_suffix)},
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not record the account id on the account: '
'%s %s' % (path, resp.status))
return HTTPCreated(request=req)
def handle_delete_account(self, req):
"""
Handles the DELETE v2/<account> call for removing an account from the
auth system. Can only be called by a .reseller_admin.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success.
"""
if not self.is_reseller_admin(req):
return HTTPForbidden(request=req)
account = req.path_info_pop()
if req.path_info or not account or account[0] == '.':
return HTTPBadRequest(request=req)
# Make sure the account has no users and get the account_id
marker = ''
while True:
path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
(self.auth_account, account)), quote(marker))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not list in main auth account: %s %s' %
(path, resp.status))
account_id = resp.headers['x-container-meta-account-id']
sublisting = json.loads(resp.body)
if not sublisting:
break
for obj in sublisting:
if obj['name'][0] != '.':
return HTTPConflict(request=req)
marker = sublisting[-1]['name'].encode('utf-8')
# Obtain the listing of services the account is on.
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not obtain .services object: %s %s' %
(path, resp.status))
if resp.status_int // 100 == 2:
services = json.loads(resp.body)
# Delete the account on each cluster it is on.
deleted_any = False
for name, url in services['storage'].iteritems():
if name != 'default':
parsed = urlparse(url)
conn = self.get_conn(parsed)
conn.request('DELETE', parsed.path,
headers={'X-Auth-Token': self.get_itoken(req.environ)})
resp = conn.getresponse()
resp.read()
if resp.status == 409:
if deleted_any:
raise Exception('Managed to delete one or more '
'service end points, but failed with: '
'%s %s %s' % (url, resp.status, resp.reason))
else:
return HTTPConflict(request=req)
if resp.status // 100 != 2 and resp.status != 404:
raise Exception('Could not delete account on the '
'Swift cluster: %s %s %s' %
(url, resp.status, resp.reason))
deleted_any = True
# Delete the .services object itself.
path = quote('/v1/%s/%s/.services' %
(self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not delete .services object: %s %s' %
(path, resp.status))
# Delete the account id mapping for the account.
path = quote('/v1/%s/.account_id/%s' %
(self.auth_account, account_id))
resp = make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not delete account id mapping: %s %s' %
(path, resp.status))
# Delete the account marker itself.
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not delete account marked: %s %s' %
(path, resp.status))
return HTTPNoContent(request=req)
def handle_get_user(self, req):
"""
Handles the GET v2/<account>/<user> call for getting user information.
Can only be called by an account .admin.
On success, a JSON dict will be returned as described::
{"groups": [ # List of groups the user is a member of
{"name": "<act>:<usr>"},
# The first group is a unique user identifier
{"name": "<account>"},
# The second group is the auth account name
{"name": "<additional-group>"}
# There may be additional groups, .admin being a special
# group indicating an account admin and .reseller_admin
# indicating a reseller admin.
],
"auth": "plaintext:<key>"
# The auth-type and key for the user; currently only plaintext is
# implemented.
}
For example::
{"groups": [{"name": "test:tester"}, {"name": "test"},
{"name": ".admin"}],
"auth": "plaintext:testing"}
If the <user> in the request is the special user `.groups`, the JSON
dict will contain a single key of `groups` whose value is a list of
dicts representing the active groups within the account. Each dict
currently has the single key `name`. For example::
{"groups": [{"name": ".admin"}, {"name": "test"},
{"name": "test:tester"}, {"name": "test:tester3"}]}
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with a JSON dictionary as
explained above.
"""
account = req.path_info_pop()
user = req.path_info_pop()
if req.path_info or not account or account[0] == '.' or not user or \
(user[0] == '.' and user != '.groups'):
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
if user == '.groups':
# TODO: This could be very slow for accounts with a really large
# number of users. Speed could be improved by concurrently
# requesting user group information. Then again, I don't *know*
# it's slow for `normal` use cases, so testing should be done.
groups = set()
marker = ''
while True:
path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
(self.auth_account, account)), quote(marker))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not list in main auth account: '
'%s %s' % (path, resp.status))
sublisting = json.loads(resp.body)
if not sublisting:
break
for obj in sublisting:
if obj['name'][0] != '.':
path = quote('/v1/%s/%s/%s' % (self.auth_account,
account, obj['name']))
resp = make_pre_authed_request(req.environ, 'GET',
path, agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not retrieve user object: '
'%s %s' % (path, resp.status))
groups.update(g['name']
for g in json.loads(resp.body)['groups'])
marker = sublisting[-1]['name'].encode('utf-8')
body = json.dumps({'groups':
[{'name': g} for g in sorted(groups)]})
else:
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not retrieve user object: %s %s' %
(path, resp.status))
body = resp.body
display_groups = [g['name'] for g in json.loads(body)['groups']]
if ('.admin' in display_groups and
not self.is_reseller_admin(req)) or \
('.reseller_admin' in display_groups and
not self.is_super_admin(req)):
return HTTPForbidden(request=req)
return Response(body=body)
def handle_put_user(self, req):
"""
Handles the PUT v2/<account>/<user> call for adding a user to an
account.
X-Auth-User-Key represents the user's key (url encoded),
X-Auth-User-Admin may be set to `true` to create an account .admin, and
X-Auth-User-Reseller-Admin may be set to `true` to create a
.reseller_admin.
Can only be called by an account .admin unless the user is to be a
.reseller_admin, in which case the request must be by .super_admin.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success.
"""
# Validate path info
account = req.path_info_pop()
user = req.path_info_pop()
key = unquote(req.headers.get('x-auth-user-key', ''))
admin = req.headers.get('x-auth-user-admin') == 'true'
reseller_admin = \
req.headers.get('x-auth-user-reseller-admin') == 'true'
if reseller_admin:
admin = True
if req.path_info or not account or account[0] == '.' or not user or \
user[0] == '.' or not key:
return HTTPBadRequest(request=req)
if reseller_admin:
if not self.is_super_admin(req):
return HTTPForbidden(request=req)
elif not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'HEAD', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not retrieve account id value: %s %s' %
(path, resp.status))
headers = {'X-Object-Meta-Account-Id':
resp.headers['x-container-meta-account-id']}
# Create the object in the main auth account (this object represents
# the user)
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
groups = ['%s:%s' % (account, user), account]
if admin:
groups.append('.admin')
if reseller_admin:
groups.append('.reseller_admin')
auth_value = self.auth_encoder().encode(key)
resp = make_pre_authed_request(req.environ, 'PUT', path,
json.dumps({'auth': auth_value,
'groups': [{'name': g} for g in groups]}),
headers=headers, agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not create user object: %s %s' %
(path, resp.status))
return HTTPCreated(request=req)
def handle_delete_user(self, req):
"""
Handles the DELETE v2/<account>/<user> call for deleting a user from an
account.
Can only be called by an account .admin.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success.
"""
# Validate path info
account = req.path_info_pop()
user = req.path_info_pop()
if req.path_info or not account or account[0] == '.' or not user or \
user[0] == '.':
return HTTPBadRequest(request=req)
if not self.is_account_admin(req, account):
return HTTPForbidden(request=req)
# Delete the user's existing token, if any.
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(req.environ, 'HEAD', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPNotFound(request=req)
elif resp.status_int // 100 != 2:
raise Exception('Could not obtain user details: %s %s' %
(path, resp.status))
candidate_token = resp.headers.get('x-object-meta-auth-token')
if candidate_token:
path = quote('/v1/%s/.token_%s/%s' %
(self.auth_account, candidate_token[-1], candidate_token))
resp = make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not delete possibly existing token: '
'%s %s' % (path, resp.status))
# Delete the user entry itself.
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2 and resp.status_int != 404:
raise Exception('Could not delete the user object: %s %s' %
(path, resp.status))
return HTTPNoContent(request=req)
def handle_get_token(self, req):
"""
Handles the various `request for token and service end point(s)` calls.
There are various formats to support the various auth servers in the
past. Examples::
GET <auth-prefix>/v1/<act>/auth
X-Auth-User: <act>:<usr> or X-Storage-User: <usr>
X-Auth-Key: <key> or X-Storage-Pass: <key>
GET <auth-prefix>/auth
X-Auth-User: <act>:<usr> or X-Storage-User: <act>:<usr>
X-Auth-Key: <key> or X-Storage-Pass: <key>
GET <auth-prefix>/v1.0
X-Auth-User: <act>:<usr> or X-Storage-User: <act>:<usr>
X-Auth-Key: <key> or X-Storage-Pass: <key>
Values should be url encoded, "act%3Ausr" instead of "act:usr" for
example; however, for backwards compatibility the colon may be included
unencoded.
On successful authentication, the response will have X-Auth-Token and
X-Storage-Token set to the token to use with Swift and X-Storage-URL
set to the URL to the default Swift cluster to use.
The response body will be set to the account's services JSON object as
described here::
{"storage": { # Represents the Swift storage service end points
"default": "cluster1", # Indicates which cluster is the default
"cluster1": "<URL to use with Swift>",
# A Swift cluster that can be used with this account,
# "cluster1" is the name of the cluster which is usually a
# location indicator (like "dfw" for a datacenter region).
"cluster2": "<URL to use with Swift>"
# Another Swift cluster that can be used with this account,
# there will always be at least one Swift cluster to use or
# this whole "storage" dict won't be included at all.
},
"servers": { # Represents the Nova server service end points
# Expected to be similar to the "storage" dict, but not
# implemented yet.
},
# Possibly other service dicts, not implemented yet.
}
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with data set as explained
above.
"""
# Validate the request info
try:
pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3,
rest_with_last=True)
except ValueError:
return HTTPNotFound(request=req)
if pathsegs[0] == 'v1' and pathsegs[2] == 'auth':
account = pathsegs[1]
user = req.headers.get('x-storage-user')
if not user:
user = unquote(req.headers.get('x-auth-user', ''))
if not user or ':' not in user:
return HTTPUnauthorized(request=req)
account2, user = user.split(':', 1)
if account != account2:
return HTTPUnauthorized(request=req)
key = req.headers.get('x-storage-pass')
if not key:
key = unquote(req.headers.get('x-auth-key', ''))
elif pathsegs[0] in ('auth', 'v1.0'):
user = unquote(req.headers.get('x-auth-user', ''))
if not user:
user = req.headers.get('x-storage-user')
if not user or ':' not in user:
return HTTPUnauthorized(request=req)
account, user = user.split(':', 1)
key = unquote(req.headers.get('x-auth-key', ''))
if not key:
key = req.headers.get('x-storage-pass')
else:
return HTTPBadRequest(request=req)
if not all((account, user, key)):
return HTTPUnauthorized(request=req)
if user == '.super_admin' and self.super_admin_key and \
key == self.super_admin_key:
token = self.get_itoken(req.environ)
url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix)
return Response(request=req,
body=json.dumps({'storage': {'default': 'local', 'local': url}}),
headers={'x-auth-token': token, 'x-storage-token': token,
'x-storage-url': url})
# Authenticate user
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return HTTPUnauthorized(request=req)
if resp.status_int // 100 != 2:
raise Exception('Could not obtain user details: %s %s' %
(path, resp.status))
user_detail = json.loads(resp.body)
if not self.credentials_match(user_detail, key):
return HTTPUnauthorized(request=req)
# See if a token already exists and hasn't expired
token = None
candidate_token = resp.headers.get('x-object-meta-auth-token')
if candidate_token:
path = quote('/v1/%s/.token_%s/%s' %
(self.auth_account, candidate_token[-1], candidate_token))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 == 2:
token_detail = json.loads(resp.body)
if token_detail['expires'] > time():
token = candidate_token
else:
make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
elif resp.status_int != 404:
raise Exception('Could not detect whether a token already '
'exists: %s %s' % (path, resp.status))
# Create a new token if one didn't exist
if not token:
# Retrieve account id, we'll save this in the token
path = quote('/v1/%s/%s' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'HEAD', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not retrieve account id value: '
'%s %s' % (path, resp.status))
account_id = \
resp.headers['x-container-meta-account-id']
# Generate new token
token = '%stk%s' % (self.reseller_prefix, uuid4().hex)
# Save token info
path = quote('/v1/%s/.token_%s/%s' %
(self.auth_account, token[-1], token))
resp = make_pre_authed_request(req.environ, 'PUT', path,
json.dumps({'account': account, 'user': user,
'account_id': account_id,
'groups': user_detail['groups'],
'expires': time() + self.token_life}),
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not create new token: %s %s' %
(path, resp.status))
# Record the token with the user info for future use.
path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
resp = make_pre_authed_request(req.environ, 'POST', path,
headers={'X-Object-Meta-Auth-Token': token},
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not save new token: %s %s' %
(path, resp.status))
# Get the services information
path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
raise Exception('Could not obtain services info: %s %s' %
(path, resp.status))
detail = json.loads(resp.body)
url = detail['storage'][detail['storage']['default']]
return Response(request=req, body=resp.body,
headers={'x-auth-token': token, 'x-storage-token': token,
'x-storage-url': url})
def handle_validate_token(self, req):
"""
Handles the GET v2/.token/<token> call for validating a token, usually
called by a service like Swift.
On a successful validation, X-Auth-TTL will be set for how much longer
this token is valid and X-Auth-Groups will contain a comma separated
list of groups the user belongs to.
The first group listed will be a unique identifier for the user the
token represents.
.reseller_admin is a special group that indicates the user should be
allowed to do anything on any account.
:param req: The webob.Request to process.
:returns: webob.Response, 2xx on success with data set as explained
above.
"""
token = req.path_info_pop()
if req.path_info or not token.startswith(self.reseller_prefix):
return HTTPBadRequest(request=req)
expires = groups = None
memcache_client = cache_from_env(req.environ)
if memcache_client:
memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
cached_auth_data = memcache_client.get(memcache_key)
if cached_auth_data:
expires, groups = cached_auth_data
if expires < time():
groups = None
if not groups:
path = quote('/v1/%s/.token_%s/%s' %
(self.auth_account, token[-1], token))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int // 100 != 2:
return HTTPNotFound(request=req)
detail = json.loads(resp.body)
expires = detail['expires']
if expires < time():
make_pre_authed_request(req.environ, 'DELETE', path,
agent=self.agent).get_response(self.app)
return HTTPNotFound(request=req)
groups = [g['name'] for g in detail['groups']]
if '.admin' in groups:
groups.remove('.admin')
groups.append(detail['account_id'])
groups = ','.join(groups)
return HTTPNoContent(headers={'X-Auth-TTL': expires - time(),
'X-Auth-Groups': groups})
def get_conn(self, urlparsed=None):
"""
Returns an HTTPConnection based on the urlparse result given or the
default Swift cluster (internal url) urlparse result.
:param urlparsed: The result from urlparse.urlparse or None to use the
default Swift cluster's value
"""
if not urlparsed:
urlparsed = self.dsc_parsed2
if urlparsed.scheme == 'http':
return HTTPConnection(urlparsed.netloc)
else:
return HTTPSConnection(urlparsed.netloc)
def get_itoken(self, env):
"""
Returns the current internal token to use for the auth system's own
actions with other services. Each process will create its own
itoken and the token will be deleted and recreated based on the
token_life configuration value. The itoken information is stored in
memcache because the auth process that is asked by Swift to validate
the token may not be the same as the auth process that created the
token.
"""
if not self.itoken or self.itoken_expires < time():
self.itoken = '%sitk%s' % (self.reseller_prefix, uuid4().hex)
memcache_key = '%s/auth/%s' % (self.reseller_prefix, self.itoken)
self.itoken_expires = time() + self.token_life - 60
memcache_client = cache_from_env(env)
if not memcache_client:
raise Exception(
'No memcache set up; required for Swauth middleware')
memcache_client.set(memcache_key, (self.itoken_expires,
'.auth,.reseller_admin,%s.auth' % self.reseller_prefix),
timeout=self.token_life)
return self.itoken
def get_admin_detail(self, req):
"""
Returns the dict for the user specified as the admin in the request
with the addition of an `account` key set to the admin user's account.
:param req: The webob request to retrieve X-Auth-Admin-User and
X-Auth-Admin-Key from.
:returns: The dict for the admin user with the addition of the
`account` key.
"""
if ':' not in req.headers.get('x-auth-admin-user', ''):
return None
admin_account, admin_user = \
req.headers.get('x-auth-admin-user').split(':', 1)
path = quote('/v1/%s/%s/%s' % (self.auth_account, admin_account,
admin_user))
resp = make_pre_authed_request(req.environ, 'GET', path,
agent=self.agent).get_response(self.app)
if resp.status_int == 404:
return None
if resp.status_int // 100 != 2:
raise Exception('Could not get admin user object: %s %s' %
(path, resp.status))
admin_detail = json.loads(resp.body)
admin_detail['account'] = admin_account
return admin_detail
def credentials_match(self, user_detail, key):
"""
Returns True if the key is valid for the user_detail.
It will use self.auth_encoder to check for a key match.
:param user_detail: The dict for the user.
:param key: The key to validate for the user.
:returns: True if the key is valid for the user, False if not.
"""
return user_detail and self.auth_encoder().match(
key, user_detail.get('auth'))
def is_super_admin(self, req):
"""
Returns True if the admin specified in the request represents the
.super_admin.
:param req: The webob.Request to check.
:param returns: True if .super_admin.
"""
return req.headers.get('x-auth-admin-user') == '.super_admin' and \
self.super_admin_key and \
req.headers.get('x-auth-admin-key') == self.super_admin_key
def is_reseller_admin(self, req, admin_detail=None):
"""
Returns True if the admin specified in the request represents a
.reseller_admin.
:param req: The webob.Request to check.
:param admin_detail: The previously retrieved dict from
:func:`get_admin_detail` or None for this function
to retrieve the admin_detail itself.
:param returns: True if .reseller_admin.
"""
if self.is_super_admin(req):
return True
if not admin_detail:
admin_detail = self.get_admin_detail(req)
if not self.credentials_match(admin_detail,
req.headers.get('x-auth-admin-key')):
return False
return '.reseller_admin' in (g['name'] for g in admin_detail['groups'])
def is_account_admin(self, req, account):
"""
Returns True if the admin specified in the request represents a .admin
for the account specified.
:param req: The webob.Request to check.
:param account: The account to check for .admin against.
:param returns: True if .admin.
"""
if self.is_super_admin(req):
return True
admin_detail = self.get_admin_detail(req)
if admin_detail:
if self.is_reseller_admin(req, admin_detail=admin_detail):
return True
if not self.credentials_match(admin_detail,
req.headers.get('x-auth-admin-key')):
return False
return admin_detail and admin_detail['account'] == account and \
'.admin' in (g['name'] for g in admin_detail['groups'])
return False
def posthooklogger(self, env, req):
if not req.path.startswith(self.auth_prefix):
return
response = getattr(req, 'response', None)
if not response:
return
trans_time = '%.4f' % (time() - req.start_time)
the_request = quote(unquote(req.path))
if req.query_string:
the_request = the_request + '?' + req.query_string
# remote user for zeus
client = req.headers.get('x-cluster-client-ip')
if not client and 'x-forwarded-for' in req.headers:
# remote user for other lbs
client = req.headers['x-forwarded-for'].split(',')[0].strip()
logged_headers = None
if self.log_headers:
logged_headers = '\n'.join('%s: %s' % (k, v)
for k, v in req.headers.items())
status_int = response.status_int
if getattr(req, 'client_disconnect', False) or \
getattr(response, 'client_disconnect', False):
status_int = 499
self.logger.info(' '.join(quote(str(x)) for x in (client or '-',
req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()),
req.method, the_request, req.environ['SERVER_PROTOCOL'],
status_int, req.referer or '-', req.user_agent or '-',
req.headers.get('x-auth-token',
req.headers.get('x-auth-admin-user', '-')),
getattr(req, 'bytes_transferred', 0) or '-',
getattr(response, 'bytes_transferred', 0) or '-',
req.headers.get('etag', '-'),
req.headers.get('x-trans-id', '-'), logged_headers or '-',
trans_time)))
def filter_factory(global_conf, **local_conf):
"""Returns a WSGI filter app for use with paste.deploy."""
conf = global_conf.copy()
conf.update(local_conf)
def auth_filter(app):
return Swauth(app, conf)
return auth_filter
|