Merge "Allow acl with a valid token."

swift/common/middleware/keystoneauth.py

@@ -190,6 +190,12 @@ class KeystoneAuth(object):
                                          tenant_id, user, user))
             return
 
+        acl_authorized = self._authorize_unconfirmed_identity(req, obj,
+                                                              referrers,
+                                                              roles)
+        if acl_authorized:
+            return
+
         # Check if a user tries to access an account that does not match their
         # token
         if not self._reseller_check(account, tenant_id):
@@ -217,11 +223,7 @@ class KeystoneAuth(object):
             req.environ['swift_owner'] = True
             return
 
-        authorized = self._authorize_unconfirmed_identity(req, obj, referrers,
-                                                          roles)
-        if authorized:
-            return
-        elif authorized is not None:
+        if acl_authorized is not None:
             return self.denied_response(req)
 
         # Check if we have the role in the userroles and allow it

test/unit/common/middleware/test_keystoneauth.py

@@ -91,6 +91,12 @@ class SwiftAuth(unittest.TestCase):
         resp = req.get_response(self._get_successful_middleware())
         self.assertEqual(resp.status_int, 200)
 
+    def test_anonymous_with_validtoken_authorized_for_permitted_referrer(self):
+        req = self._make_request(headers={'X_IDENTITY_STATUS': 'Confirmed'})
+        req.acl = '.r:*'
+        resp = req.get_response(self._get_successful_middleware())
+        self.assertEqual(resp.status_int, 200)
+
     def test_anonymous_is_not_authorized_for_unknown_reseller_prefix(self):
         req = self._make_request(path='/v1/BLAH_foo/c/o',
                                  headers={'X_IDENTITY_STATUS': 'Invalid'})