diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py
index 6dde03c77f..b82123999c 100644
--- a/swift/common/middleware/tempauth.py
+++ b/swift/common/middleware/tempauth.py
@@ -152,7 +152,7 @@ class TempAuth(object):
 env['reseller_request'] = True
 else:
 # Unauthorized token
- if self.reseller_prefix:
+ if self.reseller_prefix and not s3:
 # Because I know I'm the definitive auth for this token, I
 # can deny it outright.
 self.logger.increment('unauthorized')
diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py
index 7b240a74dc..25387da773 100644
--- a/test/unit/common/middleware/test_tempauth.py
+++ b/test/unit/common/middleware/test_tempauth.py
@@ -226,6 +226,22 @@ class TestAuth(unittest.TestCase):
 self.assertEquals(req.environ['swift.authorize'],
 local_auth.denied_response)
 
+ def test_auth_reseller_prefix_with_s3_deny(self):
+ # Ensures that when we have a reseller prefix and using a middleware
+ # relying on Http-Authorization (for example swift3), we don't deny a
+ # request outright but set up a denial swift.authorize and pass the
+ # request on down the chain.
+ local_app = FakeApp()
+ local_auth = auth.filter_factory({'reseller_prefix': 'PRE'})(local_app)
+ req = self._make_request('/v1/account',
+ headers={'X-Auth-Token': 't',
+ 'Authorization': 'AWS user:pw'})
+ resp = req.get_response(local_auth)
+ self.assertEquals(resp.status_int, 401)
+ self.assertEquals(local_app.calls, 1)
+ self.assertEquals(req.environ['swift.authorize'],
+ local_auth.denied_response)
+
 def test_auth_no_reseller_prefix_no_token(self):
 # Check that normally we set up a call back to our authorize.
 local_auth = \
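Review bot: The new `and not s3` condition leaves the comment beneath it ("I can deny it outright") with no explanation of why S3-style requests are exempt. The skipped branch is also the one that calls `self.logger.increment('unauthorized')`, so a rejected S3-style credential no longer shows up in that counter. I would add `# S3-style (Authorization header) requests are not denied here; they fall through so swift.authorize is set to the denial callback.` above the `if`, and consider incrementing a counter on the fall-through path too so failed attempts stay visible in metrics. The assignment of `s3` and the fall-through branch are outside this hunk, as are the start and end of the enclosing method. If `s3` only reflects the presence of an Authorization header, it is worth confirming that the fall-through always installs the denial callback, even when `swift.authorize` is already present in `env`.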
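Review bot: The `resp.status_int == 401` assertion in `test_auth_reseller_prefix_with_s3_deny` cannot by itself tell the old outright denial from the new pass-through, because both end in a 401. Only `local_app.calls == 1` and the `swift.authorize` check pin the new behaviour. A short comment above the assertions would make that explicit, for example `# 401 is presumably produced downstream via denied_response; calls == 1 is what proves the request was passed on`. A companion case without the `Authorization` header, using an invalid token that carries the `PRE` prefix and asserting `local_app.calls == 0`, would guard the outright-deny path against regressing, unless a test outside this hunk already covers it.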