From 722fcd8ebef3fe1268ace5c05e014f6a945abfab Mon Sep 17 00:00:00 2001
From: Todd Willey
Date: Tue, 21 Jun 2011 14:26:47 -0400
Subject: Basic authorization for swift.

This first pass only makes sure you don't issue requests against other accounts (regardless of publicity / acls).

TODO:
* configurable reseller prefix (AUTH_)
* groups (.reseller_admin)
* don't let users change account except when admin (containerless DELETE/PUT)
* check container ACLs for object access
* add user groups into REMOTE_USER (?)
* get rid of all the useless HTTP headers jammed into the request
---
 keystone/auth_protocols/auth_token.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/keystone/auth_protocols/auth_token.py b/keystone/auth_protocols/auth_token.py
index 1734dd3c..107d688b 100755
--- a/keystone/auth_protocols/auth_token.py
+++ b/keystone/auth_protocols/auth_token.py
@@ -58,7 +58,7 @@ import json
 import os
 from paste.deploy import loadapp
 from urlparse import urlparse
-from webob.exc import HTTPUnauthorized, HTTPUseProxy
+from webob.exc import HTTPUnauthorized, HTTPUseProxy, HTTPExpectationFailed
 from webob.exc import Request, Response

 from keystone.common.bufferedhttp import http_connect_raw as http_connect
@@ -157,6 +157,10 @@ class AuthProtocol(object):
 #Collect information about valid claims
 if valid:
 claims = self._expound_claims()
+
+ # Store authentication data
+ self.env['keystone.claims'] = claims
+ self.env['swift.authorize'] = self.authorize
 if claims:
 # TODO(Ziad): add additional details we may need,
 # like tenant and group info
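Review bot: `self.env['swift.authorize'] = self.authorize` is installed before the `if claims:` guard, so a request whose claims came back empty still carries the callback and authorize() will then reject every path with the 'Unable to locate auth claim' response; moving both new assignments inside the guard keeps the installed callback and the stored claims consistent. The enclosing method starts outside the hunk; if `self.env` is per-request WSGI state kept on the AuthProtocol instance, and that instance is shared across concurrent requests as middleware usually is, storing claims on it is racy — authorize() itself reads `req.environ`, so the callback is unaffected, but the instance-state dependence is worth confirming.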
@@ -174,11 +178,25 @@ class AuthProtocol(object):
 roles += ','
 roles += role
 self._decorate_request('X_ROLE', roles)
+
+ # NOTE(todd): unused
 self.expanded = True

 #Send request downstream
 return self._forward_request()

+ def authorize(self, req):
+ env = req.environ
+ tenant = env.get('keystone.claims', {}).get('tenant')
+ if not tenant:
+ return HTTPExpectationFailed('Unable to locate auth claim',
+ request=req)
+ if req.path.startswith('/v1/AUTH_%s' % tenant):
+ return None
+ return HTTPUnauthorized(request=req)
+
+
+ # NOTE(todd): unused
 def get_admin_auth_token(self, username, password, tenant):
 """
 This function gets an admin auth token to be used by this service to
-- cgit
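Review bot: The account check in the new `authorize` is a bare prefix match, so a tenant whose id is a prefix of another account's id passes: with tenant `12` (constructed example), `/v1/AUTH_123/container` starts with `/v1/AUTH_12` and is allowed. Require the account segment to end at a path delimiter, `prefix = '/v1/AUTH_%s' % tenant` and `if req.path == prefix or req.path.startswith(prefix + '/'):`, or split the path and compare the account segment for equality. A denied request from a caller whose claims did validate is an authorization failure, so `HTTPForbidden` fits better than `HTTPUnauthorized`, and `HTTPExpectationFailed` (417, tied to the Expect header) is a surprising status for missing claims. `req.path` includes `SCRIPT_NAME`; if this middleware can be mounted under a prefix, `req.path_info` is the component to compare — confirm against the deployment.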