From 30654a65eac7166b0bd0567ef1d3cabb43031fd3 Mon Sep 17 00:00:00 2001
From: Lin Hua Cheng
Date: Mon, 21 May 2012 22:46:38 -0700
Subject: Add ACL check using : format. Fixes bug 999998. Swift auth middleware uses a new format for expressing a container ACL for a user: :. This fix add supports for checking ACL using the old format of :.
Change-Id: I44985b191afb174605c35041741056ae1e78fa77
---
 keystone/middleware/swift_auth.py | 8 +++++---
 tests/test_swift_auth_middleware.py | 6 +++++-
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py
index 19f8cab9..19ef6ab9 100644
--- a/keystone/middleware/swift_auth.py
+++ b/keystone/middleware/swift_auth.py
@@ -196,9 +196,11 @@ class SwiftAuth(object):
 return self.denied_response(req)
 # Allow ACL at individual user level (tenant:user format)
- if '%s:%s' % (tenant_name, user) in roles:
- log_msg = 'user %s:%s allowed in ACL authorizing'
- self.logger.debug(log_msg % (tenant_name, user))
+ # For backward compatibility, check for ACL in tenant_id:user format
+ if ('%s:%s' % (tenant_name, user) in roles
+ or '%s:%s' % (tenant_id, user) in roles):
+ log_msg = 'user %s:%s or %s:%s allowed in ACL authorizing'
+ self.logger.debug(log_msg % (tenant_name, user, tenant_id, user))
 return
 # Check if we have the role in the userroles and allow it
diff --git a/tests/test_swift_auth_middleware.py b/tests/test_swift_auth_middleware.py
index ea585a76..f5f4bdec 100644
--- a/tests/test_swift_auth_middleware.py
+++ b/tests/test_swift_auth_middleware.py
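Review bot: The widened condition in swift_auth.py tests one untyped ACL entry against both `tenant_name:user` and `tenant_id:user`, so an entry a container owner wrote with a tenant ID in mind is also satisfied by a user in a tenant whose name equals that string, and the reverse. Whether tenant names are constrained so they cannot equal another tenant's ID is not visible in this hunk (nor is where `tenant_id` is assigned; the method starts above it), so that should be confirmed and recorded next to the check, e.g. `# NOTE: name and ID forms share one namespace; relies on a tenant name never equalling another tenant's id`. The debug line also prints both forms regardless of which one matched; logging only the matching entry would make the grant easier to audit.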
@@ -212,11 +212,15 @@ class TestAuthorize(unittest.TestCase):
 identity = self._get_identity(roles=[acl])
 self._check_authenticate(identity=identity, acl=acl)
- def test_authorize_succeeds_for_tenant_user_in_roles(self):
+ def test_authorize_succeeds_for_tenant_name_user_in_roles(self):
 identity = self._get_identity()
 acl = '%s:%s' % (identity['tenant'][1], identity['user'])
 self._check_authenticate(identity=identity, acl=acl)
+ def test_authorize_succeeds_for_tenant_id_user_in_roles(self):
+ identity = self._get_identity()
+ acl = '%s:%s' % (identity['tenant'][0], identity['user'])
+ self._check_authenticate(identity=identity, acl=acl)
 if __name__ == '__main__': unittest.main()
-- cgit
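Review bot: The added `test_authorize_succeeds_for_tenant_id_user_in_roles` covers only the allow path; nothing in this hunk asserts that an entry naming a different tenant's ID or name with the same user is refused, which is the behaviour that keeps the widened match from over-granting. A negative case built the same way, e.g. `acl = '%s:%s' % ('other-tenant-id', identity['user'])` (constructed value), expecting a denial would pin that; how this class asserts a denial is outside the hunk. The bare indices `identity['tenant'][0]` and `identity['tenant'][1]` would also read better with a short comment such as `# tenant is (id, name)`, assuming that is the tuple layout `_get_identity` returns.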