Update swift token middleware.

- Update swift middleware which add features:
    - Leaves authententication to token-auth.
    - ACL.
    - Container-Sync
    - Referer.
    - S3.
- address termie comments on reviews.

Change-Id: Iefaa228015d6286e4fb05be2cc24aec01589ef58

3 files changed, 158 insertions, 199 deletions

diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py
index 0dc723b9..4a0d501a 100755
--- a/keystone/middleware/auth_token.py
+++ b/keystone/middleware/auth_token.py
@@ -1,6 +1,5 @@
-#!/usr/bin/env python
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
-#
+
 # Copyright (c) 2010-2011 OpenStack, LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/keystone/middleware/nova_auth_token.py b/keystone/middleware/nova_auth_token.py
index 68ad1d9d..ad6bcbb8 100644
--- a/keystone/middleware/nova_auth_token.py
+++ b/keystone/middleware/nova_auth_token.py
@@ -1,6 +1,5 @@
-#!/usr/bin/env python
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
-#
+
 # Copyright (c) 2010-2011 OpenStack, LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index e83c1366..d12ac162 100755..100644
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -1,7 +1,6 @@
-#!/usr/bin/env python
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
-#
-# Copyright (c) 2010-2011 OpenStack, LLC.
+
+# Copyright (c) 2012 OpenStack, LLC.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,220 +15,183 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import webob
 
-"""
-TOKEN-BASED AUTH MIDDLEWARE FOR SWIFT
+from swift.common import utils as swift_utils
+from swift.common.middleware import acl as swift_acl
 
-Authentication on incoming request
-    * grab token from X-Auth-Token header
-    * TODO: grab the memcache servers from the request env
-    * TODOcheck for auth information in memcache
-    * check for auth information from keystone
-    * return if unauthorized
-    * decorate the request for authorization in swift
-    * forward to the swift proxy app
 
-Authorization via callback
-    * check the path and extract the tenant
-    * get the auth information stored in keystone.identity during
-        authentication
-    * TODO: check if the user is an account admin or a reseller admin
-    * determine what object-type to authorize (account, container, object)
-    * use knowledge of tenant, admin status, and container acls to authorize
+class SwiftAuth(object):
+    """Swift middleware to Keystone authorization system.
 
-"""
+    In Swift's proxy-server.conf add the middleware to your pipeline::
 
-import json
-from urlparse import urlparse
-from webob.exc import HTTPUnauthorized, HTTPNotFound, HTTPExpectationFailed
+        [pipeline:main]
+        pipeline = catch_errors cache tokenauth swiftauth proxy-server
 
-from keystone.common.bufferedhttp import http_connect_raw as http_connect
+    Set account auto creation to true::
 
-from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
-from swift.common.utils import get_logger, split_path
+        [app:proxy-server]
+        account_autocreate = true
 
+    And add a swift authorization filter section, such as::
 
-PROTOCOL_NAME = 'Swift Token Authentication'
+        [filter:swiftauth]
+        use = egg:keystone#swiftauth
+        operator_roles = admin, SwiftOperator
+        is_admin = true
 
+    If Swift memcache is to be used for caching tokens, add the additional
+    property in the tokenauth filter:
 
-class AuthProtocol(object):
-    """Handles authenticating and aurothrizing client calls.
+        [filter:tokenauth]
+        paste.filter_factory = keystone.middleware.auth_token:filter_factory
+        ...
+        cache = swift.cache
 
-    Add to your pipeline in paste config like:
+    This maps tenants to account in Swift.
 
-        [pipeline:main]
-        pipeline = catch_errors healthcheck cache keystone proxy-server
+    The user whose able to give ACL / create Containers permissions
+    will be the one that are inside the operator_roles
+    setting which by default includes the Admin and the SwiftOperator
+    roles.
 
-        [filter:keystone]
-        use = egg:keystone#swiftauth
-        keystone_url = http://127.0.0.1:8080
-        keystone_admin_token = 999888777666
-    """
+    The option is_admin if set to true will allow the
+    username that has the same name as the account name to be the owner.
+
+    Example: If we have the account called hellocorp with a user
+    hellocorp that user will be admin on that account and can give ACL
+    to all other users for hellocorp.
 
+    :param app: The next WSGI app in the pipeline
+    :param conf: The dict of configuration values
+    """
     def __init__(self, app, conf):
-        """Store valuable bits from the conf and set up logging."""
         self.app = app
-        self.keystone_url = urlparse(conf.get('keystone_url'))
-        self.admin_token = conf.get('keystone_admin_token')
-        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH')
-        self.log = get_logger(conf, log_route='keystone')
-        self.log.info('Keystone middleware started')
-
-    def __call__(self, env, start_response):
-        """Authenticate the incoming request.
-
-        If authentication fails return an appropriate http status here,
-        otherwise forward through the rest of the app.
-        """
+        self.conf = conf
+        self.logger = swift_utils.get_logger(conf, log_route='keystoneauth')
+        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
+        self.operator_roles = conf.get('operator_roles',
+                                       'admin, SwiftOperator')
+        config_is_admin = conf.get('is_admin', "false").lower()
+        self.is_admin = config_is_admin in ('true', 't', '1', 'on', 'yes', 'y')
+        cfg_synchosts = conf.get('allowed_sync_hosts', '127.0.0.1')
+        self.allowed_sync_hosts = [h.strip() for h in cfg_synchosts.split(',')
+                                   if h.strip()]
+
+    def __call__(self, environ, start_response):
+        identity = self._keystone_identity(environ)
+
+        if not identity:
+            environ['swift.authorize'] = self.denied_response
+            return self.app(environ, start_response)
+
+        self.logger.debug("Using identity: %r" % (identity))
+        environ['keystone.identity'] = identity
+        environ['REMOTE_USER'] = identity.get('tenant')
+        environ['swift.authorize'] = self.authorize
+        environ['swift.clean_acl'] = swift_acl.clean_acl
+        return self.app(environ, start_response)
+
+    def _keystone_identity(self, environ):
+        """Extract the identity from the Keystone auth component."""
+        if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
+            return
+        roles = []
+        if 'HTTP_X_ROLE' in environ:
+            roles = environ['HTTP_X_ROLE'].split(',')
+        identity = {'user': environ.get('HTTP_X_USER'),
+                    'tenant': (environ.get('HTTP_X_TENANT_ID'),
+                               environ.get('HTTP_X_TENANT_NAME')),
+                    'roles': roles}
+        return identity
 
-        self.log.debug('Keystone middleware called')
-        token = self._get_claims(env)
-        self.log.debug('token: %s', token)
-        if token:
-            identity = self._validate_claims(token)
-            if identity:
-                self.log.debug('request authenticated: %r', identity)
-                return self.perform_authenticated_request(identity, env,
-                                                          start_response)
-            else:
-                self.log.debug('anonymous request')
-                return self.unauthorized_request(env, start_response)
-        self.log.debug('no auth token in request headers')
-        return self.perform_unidentified_request(env, start_response)
-
-    def unauthorized_request(self, env, start_response):
-        """Clinet provided a token that wasn't acceptable, error out."""
-        return HTTPUnauthorized()(env, start_response)
-
-    def unauthorized(self, req):
-        """Return unauthorized given a webob Request object.
-
-        This can be stuffed into the evironment for swift.authorize or
-        called from the authoriztion callback when authorization fails.
-        """
-        return HTTPUnauthorized(request=req)
-
-    def perform_authenticated_request(self, identity, env, start_response):
-        """Client provieded a valid identity, so use it for authorization."""
-        env['keystone.identity'] = identity
-        env['swift.authorize'] = self.authorize
-        env['swift.clean_acl'] = clean_acl
-        self.log.debug('calling app: %s // %r', start_response, env)
-        rv = self.app(env, start_response)
-        self.log.debug('return from app: %r', rv)
-        return rv
-
-    def perform_unidentified_request(self, env, start_response):
-        """Withouth authentication data, use acls for access control."""
-        env['swift.authorize'] = self.authorize_via_acl
-        env['swift.clean_acl'] = self.authorize_via_acl
-        return self.app(env, start_response)
+    def _reseller_check(self, account, tenant_id):
+        """Check reseller prefix."""
+        return account == '%s_%s' % (self.reseller_prefix, tenant_id)
 
     def authorize(self, req):
-        """Used when we have a valid identity from keystone."""
-        self.log.debug('keystone middleware authorization begin')
         env = req.environ
-        tenant = env.get('keystone.identity', {}).get('tenant')
-        if not tenant:
-            self.log.warn('identity info not present in authorize request')
-            return HTTPExpectationFailed('Unable to locate auth claim',
-                                         request=req)
-        # TODO(todd): everyone under a tenant can do anything to that tenant.
-        #             more realistic would be role/group checking to do things
-        #             like deleting the account or creating/deleting containers
-        #             esp. when owned by other users in the same tenant.
-        if req.path.startswith('/v1/%s_%s' % (self.reseller_prefix, tenant)):
-            self.log.debug('AUTHORIZED OKAY')
-            return None
-
-        self.log.debug('tenant mismatch: %r', tenant)
-        return self.unauthorized(req)
-
-    def authorize_via_acl(self, req):
-        """Anon request handling.
-
-        For now this only allows anon read of objects.  Container and account
-        actions are prohibited.
-        """
+        env_identity = env.get('keystone.identity', {})
+        tenant = env_identity.get('tenant')
 
-        self.log.debug('authorizing anonymous request')
         try:
-            version, account, container, obj = split_path(req.path, 1, 4, True)
+            part = swift_utils.split_path(req.path, 1, 4, True)
+            version, account, container, obj = part
         except ValueError:
-            return HTTPNotFound(request=req)
-
-        if obj:
-            return self._authorize_anon_object(req, account, container, obj)
-
-        if container:
-            return self._authorize_anon_container(req, account, container)
-
-        if account:
-            return self._authorize_anon_account(req, account)
-
-        return self._authorize_anon_toplevel(req)
-
-    def _authorize_anon_object(self, req, account, container, obj):
-        referrers, groups = parse_acl(getattr(req, 'acl', None))
-        if referrer_allowed(req.referer, referrers):
-            self.log.debug('anonymous request AUTHORIZED OKAY')
-            return None
-        return self.unauthorized(req)
-
-    def _authorize_anon_container(self, req, account, container):
-        return self.unauthorized(req)
-
-    def _authorize_anon_account(self, req, account):
-        return self.unauthorized(req)
-
-    def _authorize_anon_toplevel(self, req):
-        return self.unauthorized(req)
-
-    def _get_claims(self, env):
-        claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
-        return claims
-
-    def _validate_claims(self, claims):
-        """Ask keystone (as keystone admin) for information for this user."""
-
-        # TODO(todd): cache
-
-        self.log.debug('Asking keystone to validate token')
-        headers = {'Content-type': 'application/json',
-                    'Accept': 'application/json',
-                    'X-Auth-Token': self.admin_token}
-        self.log.debug('headers: %r', headers)
-        self.log.debug('url: %s', self.keystone_url)
-        conn = http_connect(self.keystone_url.hostname, self.keystone_url.port,
-                            'GET', '/v2.0/tokens/%s' % claims, headers=headers)
-        resp = conn.getresponse()
-        data = resp.read()
-        conn.close()
-
-        # Check http status code for the 'OK' family of responses
-        if not str(resp.status).startswith('20'):
-            return False
-
-        identity_info = json.loads(data)
-        roles = []
-        role_refs = identity_info['access']['user']['roles']
-
-        if role_refs is not None:
-            for role_ref in role_refs:
-                roles.append(role_ref['id'])
-
-        try:
-            tenant = identity_info['access']['token']['tenantId']
-        except:
-            tenant = None
-        if not tenant:
-            tenant = identity_info['access']['user']['tenantId']
-        # TODO(Ziad): add groups back in
-        identity = {'user': identity_info['access']['user']['username'],
-                    'tenant': tenant,
-                    'roles': roles}
-
-        return identity
+            return webob.exc.HTTPNotFound(request=req)
+
+        if not self._reseller_check(account, tenant[0]):
+            log_msg = 'tenant mismatch: %s != %s' % (account, tenant[0])
+            self.logger.debug(log_msg)
+            return self.denied_response(req)
+
+        user_groups = env_identity.get('roles', [])
+
+        # Check the groups the user is belonging to. If the user is
+        # part of the group defined in the config variable
+        # operator_roles (like Admin) then it will be
+        # promoted as an Admin of the account/tenant.
+        for group in self.operator_roles.split(','):
+            group = group.strip()
+            if group in user_groups:
+                log_msg = "allow user in group %s as account admin" % group
+                self.logger.debug(log_msg)
+                req.environ['swift_owner'] = True
+                return
+
+        # If user is of the same name of the tenant then make owner of it.
+        user = env_identity.get('user', '')
+        if self.is_admin and user == tenant[1]:
+            req.environ['swift_owner'] = True
+            return
+
+        # Allow container sync.
+        if (req.environ.get('swift_sync_key')
+            and req.environ['swift_sync_key'] ==
+                req.headers.get('x-container-sync-key', None)
+            and 'x-timestamp' in req.headers
+            and (req.remote_addr in self.allowed_sync_hosts
+                 or swift_utils.get_remote_client(req)
+                 in self.allowed_sync_hosts)):
+            log_msg = 'allowing proxy %s for container-sync' % req.remote_addr
+            self.logger.debug(log_msg)
+            return
+
+        # Check if referrer is allowed.
+        referrers, groups = swift_acl.parse_acl(getattr(req, 'acl', None))
+        if swift_acl.referrer_allowed(req.referer, referrers):
+            if obj or '.rlistings' in groups:
+                log_msg = 'authorizing %s via referer ACL' % req.referrer
+                self.logger.debug(log_msg)
+                return
+            return self.denied_response(req)
+
+        # Allow ACL at individual user level (tenant:user format)
+        if '%s:%s' % (tenant[0], user) in groups:
+            log_msg = 'user %s:%s allowed in ACL authorizing'
+            self.logger.debug(log_msg % (tenant[0], user))
+            return
+
+        # Check if we have the group in the usergroups and allow it
+        for user_group in user_groups:
+            if user_group in groups:
+                log_msg = 'user %s:%s allowed in ACL: %s authorizing'
+                self.logger.debug(log_msg % (tenant[0], user, user_group))
+                return
+
+        return self.denied_response(req)
+
+    def denied_response(self, req):
+        """Deny WSGI Response.
+
+        Returns a standard WSGI response callable with the status of 403 or 401
+        depending on whether the REMOTE_USER is set or not.
+        """
+        if req.remote_user:
+            return webob.exc.HTTPForbidden(request=req)
+        else:
+            return webob.exc.HTTPUnauthorized(request=req)
 
 
 def filter_factory(global_conf, **local_conf):
@@ -238,6 +200,5 @@ def filter_factory(global_conf, **local_conf):
     conf.update(local_conf)
 
     def auth_filter(app):
-        return AuthProtocol(app, conf)
-
+        return SwiftAuth(app, conf)
     return auth_filter