author | Timur Alperovich <timuralp@swiftstack.com> | 2018-04-04 18:09:26 -0700 |
---|---|---|
committer | Timur Alperovich <timuralp@swiftstack.com> | 2018-04-05 10:17:23 -0700 |
commit | 8944e9d8bcf52c1365e6c0e63ff8031a4b7dc5ca (patch) | |
tree | 45aa013397ea1278ca0ffddee5322f632f3ae637 | |
parent | 10eb94b3d840d3831b5a9439335b52e331cb2af3 (diff) | |
download | swift-8944e9d8bcf52c1365e6c0e63ff8031a4b7dc5ca.tar.gz |
Support unicode characters in tempauth user names.
Unicode characters in tempauth user names currently prevent these users
from authenticating. This manifests in two places:
1. the call to get_groups() fails to return a set that matches the user
preventing authentication
2. a new token is generated every time for such users, as the check
against existing memcache entries always fails to match
The patch fixes the existing behavior with respect to unicode users. As
part of it, the FakeMemcache class had to change to decode the strings
passed to it to mimic the actual memcache client behavior.
Darrell Bishop developed the patch and Timur Alperovich added the tests
for it.
Change-Id: I4ecfae2bca6ffa08ad15e584579ebce707f4628d
-rw-r--r-- | swift/common/middleware/tempauth.py | 5 | ||||
-rw-r--r-- | test/unit/common/middleware/test_tempauth.py | 39 |
2 files changed, 43 insertions, 1 deletions
diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py
index 3c64090e9..55fc65272 100644
--- a/swift/common/middleware/tempauth.py
+++ b/swift/common/middleware/tempauth.py
@@ -432,6 +432,8 @@ class TempAuth(object):
 expires, groups = cached_auth_data
 if expires < time():
 groups = None
+ else:
+ groups = groups.encode('utf8')
 s3_auth_details = env.get('swift3.auth_details')
 if s3_auth_details:
@@ -788,7 +790,8 @@ class TempAuth(object):
 cached_auth_data = memcache_client.get(memcache_token_key)
 if cached_auth_data:
 expires, old_groups = cached_auth_data
- old_groups = old_groups.split(',')
+ old_groups = [group.encode('utf8')
+ for group in old_groups.split(',')]
 new_groups = self._get_user_groups(account, account_user, account_id)
diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py
index 03fd84b7f..4a87b8421 100644
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
@@ -37,6 +37,14 @@ class FakeMemcache(object):
 return self.store.get(key)
 def set(self, key, value, time=0):
+ if isinstance(value, (tuple, list)):
+ decoded = []
+ for elem in value:
+ if type(elem) == str:
+ decoded.append(elem.decode('utf8'))
+ else:
+ decoded.append(elem)
+ value = tuple(decoded)
 self.store[key] = value
 return True
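Review bot: The added `groups = groups.encode('utf8')` in the first tempauth.py hunk is unconditional, so it relies on the cache always handing back a text (unicode) object. On Python 2, calling `.encode('utf8')` on a byte string that already holds non-ASCII bytes performs an implicit ASCII decode and raises UnicodeDecodeError, which would turn the cached-token path for exactly these users into a server error if the memcache client ever returns bytes (an assumption; the client is not visible here). Guarding the call, e.g. `if isinstance(groups, six.text_type): groups = groups.encode('utf8')` (assuming `six` is importable in this module), keeps both cases working, and the same applies to `group.encode('utf8')` in the list comprehension of the second hunk. Both enclosing methods start and end outside the hunks.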
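Review bot: `type(elem) == str` in FakeMemcache.set() is an exact-type comparison; `isinstance(elem, str)` is the usual spelling and also covers subclasses. The fake decodes only the top-level elements of a tuple or list and always stores a tuple, so a bare string value or a nested container still comes back as bytes. A short comment such as `# mimic the real memcache client: byte strings stored in a tuple/list come back as unicode` would tell readers which behaviour is being simulated and where it stops.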
@@ -908,6 +916,37 @@ class TestAuth(unittest.TestCase):
 self.assertEqual(resp.headers.get('Www-Authenticate'), 'Swift realm="BLAH_account"')
+ def test_successful_token_unicode_user(self):
+ app = FakeApp(iter(NO_CONTENT_RESP))
+ ath = auth.filter_factory(
+ {u'user_t\u00e9st_t\u00e9ster'.encode('utf8'):
+ u'p\u00e1ss .admin'.encode('utf8')})(app)
+ memcache = FakeMemcache()
+
+ req = self._make_request(
+ '/auth/v1.0',
+ headers={'X-Auth-User': u't\u00e9st:t\u00e9ster',
+ 'X-Auth-Key': u'p\u00e1ss'})
+ req.environ['swift.cache'] = memcache
+ resp = req.get_response(ath)
+ self.assertEqual(resp.status_int, 200)
+ auth_token = resp.headers['X-Auth-Token']
+
+ req = self._make_request(
+ '/auth/v1.0',
+ headers={'X-Auth-User': u't\u00e9st:t\u00e9ster',
+ 'X-Auth-Key': u'p\u00e1ss'})
+ req.environ['swift.cache'] = memcache
+ resp = req.get_response(ath)
+ self.assertEqual(resp.status_int, 200)
+ self.assertEqual(auth_token, resp.headers['X-Auth-Token'])
+
+ req = self._make_request(
+ u'/v1/AUTH_t\u00e9st', headers={'X-Auth-Token': auth_token})
+ req.environ['swift.cache'] = memcache
+ resp = req.get_response(ath)
+ self.assertEqual(204, resp.status_int)
+
 class TestAuthWithMultiplePrefixes(TestAuth):
 """ |
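Review bot: test_successful_token_unicode_user covers only the accepting path (token issued, token reused, request on the user's own account allowed), so a regression that makes the new encode-and-compare logic accept too much would go unnoticed. Because the commit changes how cached groups are compared during authentication, a companion test should assert that a wrong `X-Auth-Key` for the same unicode user is still refused, and ideally that the issued token is not honoured on a different account. A sketch of the first case, built only from helpers already used in this hunk, follows; the expected 401 status should be confirmed against the other rejection tests in this class.

```python
    def test_unicode_user_wrong_key_rejected(self):
        app = FakeApp(iter(NO_CONTENT_RESP))
        ath = auth.filter_factory(
            {u'user_t\u00e9st_t\u00e9ster'.encode('utf8'):
             u'p\u00e1ss .admin'.encode('utf8')})(app)

        req = self._make_request(
            '/auth/v1.0',
            headers={'X-Auth-User': u't\u00e9st:t\u00e9ster',
                     'X-Auth-Key': u'wr\u00f3ng'})
        req.environ['swift.cache'] = FakeMemcache()
        resp = req.get_response(ath)
        # A bad key must not yield a token, unicode user or not.
        self.assertEqual(resp.status_int, 401)
        self.assertNotIn('X-Auth-Token', resp.headers)
```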