Merge "copy over swift.authorize stuff into subrequests"

9 files changed, 35 insertions, 16 deletions

diff --git a/doc/manpages/proxy-server.conf.5 b/doc/manpages/proxy-server.conf.5
index 305a6293a..385b27af4 100644
--- a/doc/manpages/proxy-server.conf.5
+++ b/doc/manpages/proxy-server.conf.5
@@ -394,7 +394,7 @@ Logging level. The default is INFO.
 .IP "\fB[filter:tempurl]\fR"
 .RE
 
-Note: Put tempurl just before your auth filter(s) in the pipeline
+Note: Put tempurl before slo, dlo, and your auth filter(s) in the pipeline
 
 .RS 3
 .IP \fBincoming_remove_headers\fR
diff --git a/doc/saio/swift/proxy-server.conf b/doc/saio/swift/proxy-server.conf
index 0b409c3d4..4ed132197 100644
--- a/doc/saio/swift/proxy-server.conf
+++ b/doc/saio/swift/proxy-server.conf
@@ -8,7 +8,7 @@ eventlet_debug = true
 [pipeline:main]
 # Yes, proxy-logging appears twice. This is so that
 # middleware-originated requests get logged too.
-pipeline = catch_errors gatekeeper healthcheck proxy-logging cache bulk slo dlo ratelimit crossdomain tempurl tempauth staticweb container-quotas account-quotas proxy-logging proxy-server
+pipeline = catch_errors gatekeeper healthcheck proxy-logging cache bulk tempurl slo dlo ratelimit crossdomain tempauth staticweb container-quotas account-quotas proxy-logging proxy-server
 
 [filter:catch_errors]
 use = egg:swift#catch_errors
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index afa24e4cf..07cf68250 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -406,7 +406,7 @@ use = egg:swift#cname_lookup
 [filter:staticweb]
 use = egg:swift#staticweb
 
-# Note: Put tempurl just before your auth filter(s) in the pipeline
+# Note: Put tempurl before dlo, slo and your auth filter(s) in the pipeline
 [filter:tempurl]
 use = egg:swift#tempurl
 # The methods allowed with Temp URLs.
diff --git a/swift/common/middleware/dlo.py b/swift/common/middleware/dlo.py
index a08b81816..69ab7be50 100644
--- a/swift/common/middleware/dlo.py
+++ b/swift/common/middleware/dlo.py
@@ -24,7 +24,7 @@ from swift.common.swob import Request, Response, \
 from swift.common.utils import get_logger, json, \
     RateLimitedIterator, read_conf_dir, quote
 from swift.common.request_helpers import SegmentedIterable
-from swift.common.wsgi import WSGIContext, make_request
+from swift.common.wsgi import WSGIContext, make_subrequest
 from urllib import unquote
 
 
@@ -36,7 +36,7 @@ class GetContext(WSGIContext):
 
     def _get_container_listing(self, req, version, account, container,
                                prefix, marker=''):
-        con_req = make_request(
+        con_req = make_subrequest(
             req.environ, path='/'.join(['', version, account, container]),
             method='GET',
             headers={'x-auth-token': req.headers.get('x-auth-token')},
diff --git a/swift/common/middleware/slo.py b/swift/common/middleware/slo.py
index cf23a25fe..1dcdf07d0 100644
--- a/swift/common/middleware/slo.py
+++ b/swift/common/middleware/slo.py
@@ -151,7 +151,7 @@ from swift.common.request_helpers import SegmentedIterable, \
     closing_if_possible, close_if_possible
 from swift.common.constraints import check_utf8, MAX_BUFFERED_SLO_SEGMENTS
 from swift.common.http import HTTP_NOT_FOUND, HTTP_UNAUTHORIZED, is_success
-from swift.common.wsgi import WSGIContext, make_request
+from swift.common.wsgi import WSGIContext, make_subrequest
 from swift.common.middleware.bulk import get_response_body, \
     ACCEPTABLE_FORMATS, Bulk
 
@@ -216,7 +216,7 @@ class SloGetContext(WSGIContext):
         Fetch the submanifest, parse it, and return it.
         Raise exception on failures.
         """
-        sub_req = make_request(
+        sub_req = make_subrequest(
             req.environ, path='/'.join(['', version, acc, con, obj]),
             method='GET',
             headers={'x-auth-token': req.headers.get('x-auth-token')},
@@ -385,7 +385,7 @@ class SloGetContext(WSGIContext):
             close_if_possible(resp_iter)
             del req.environ['swift.non_client_disconnect']
 
-            get_req = make_request(
+            get_req = make_subrequest(
                 req.environ, method='GET',
                 headers={'x-auth-token': req.headers.get('x-auth-token')},
                 agent=('%(orig)s ' + 'SLO MultipartGET'), swift_source='SLO')
diff --git a/swift/common/request_helpers.py b/swift/common/request_helpers.py
index a75c3452a..a6f0c985e 100644
--- a/swift/common/request_helpers.py
+++ b/swift/common/request_helpers.py
@@ -29,7 +29,7 @@ from swift.common.exceptions import ListingIterError, SegmentError
 from swift.common.http import is_success, HTTP_SERVICE_UNAVAILABLE
 from swift.common.swob import HTTPBadRequest, HTTPNotAcceptable
 from swift.common.utils import split_path, validate_device_partition
-from swift.common.wsgi import make_request
+from swift.common.wsgi import make_subrequest
 
 
 def get_param(req, name, default=None):
@@ -281,7 +281,7 @@ class SegmentedIterable(object):
                         'ERROR: While processing manifest %s, '
                         'max LO GET time of %ds exceeded' %
                         (self.name, self.max_get_time))
-                seg_req = make_request(
+                seg_req = make_subrequest(
                     self.req.environ, path=seg_path, method='GET',
                     headers={'x-auth-token': self.req.headers.get(
                         'x-auth-token')},
diff --git a/swift/common/wsgi.py b/swift/common/wsgi.py
index 041117163..eab0988b1 100644
--- a/swift/common/wsgi.py
+++ b/swift/common/wsgi.py
@@ -575,7 +575,8 @@ def make_env(env, method=None, path=None, agent='Swift', query_string=None,
                  'PATH_INFO', 'QUERY_STRING', 'REMOTE_USER', 'REQUEST_METHOD',
                  'SCRIPT_NAME', 'SERVER_NAME', 'SERVER_PORT', 'HTTP_ORIGIN',
                  'SERVER_PROTOCOL', 'swift.cache', 'swift.source',
-                 'swift.trans_id'):
+                 'swift.trans_id', 'swift.authorize_override',
+                 'swift.authorize'):
         if name in env:
             newenv[name] = env[name]
     if method:
@@ -598,8 +599,8 @@ def make_env(env, method=None, path=None, agent='Swift', query_string=None,
     return newenv
 
 
-def make_request(env, method=None, path=None, body=None, headers=None,
-                 agent='Swift', swift_source=None, make_env=make_env):
+def make_subrequest(env, method=None, path=None, body=None, headers=None,
+                    agent='Swift', swift_source=None, make_env=make_env):
     """
     Makes a new swob.Request based on the current env but with the
     parameters specified.
@@ -623,7 +624,7 @@ def make_request(env, method=None, path=None, body=None, headers=None,
                   have no HTTP_USER_AGENT.
     :param swift_source: Used to mark the request as originating out of
                          middleware. Will be logged in proxy logs.
-    :param make_env: make_request calls this make_env to help build the
+    :param make_env: make_subrequest calls this make_env to help build the
         swob.Request.
     :returns: Fresh swob.Request object.
     """
@@ -655,7 +656,7 @@ def make_pre_authed_env(env, method=None, path=None, agent='Swift',
 
 def make_pre_authed_request(env, method=None, path=None, body=None,
                             headers=None, agent='Swift', swift_source=None):
-    """Same as :py:func:`make_request` but with preauthorization."""
-    return make_request(
+    """Same as :py:func:`make_subrequest` but with preauthorization."""
+    return make_subrequest(
         env, method=method, path=path, body=body, headers=headers, agent=agent,
         swift_source=swift_source, make_env=make_pre_authed_env)
diff --git a/test/unit/common/middleware/helpers.py b/test/unit/common/middleware/helpers.py
index 0ea957b53..52cc624e2 100644
--- a/test/unit/common/middleware/helpers.py
+++ b/test/unit/common/middleware/helpers.py
@@ -42,6 +42,11 @@ class FakeSwift(object):
         if env.get('QUERY_STRING'):
             path += '?' + env['QUERY_STRING']
 
+        if 'swift.authorize' in env:
+            resp = env['swift.authorize']()
+            if resp:
+                return resp(env, start_response)
+
         headers = swob.Request(env).headers
         self._calls.append((method, path, headers))
         self.swift_sources.append(env.get('swift.source'))
diff --git a/test/unit/common/middleware/test_dlo.py b/test/unit/common/middleware/test_dlo.py
index de495f1bc..3f01eecfe 100644
--- a/test/unit/common/middleware/test_dlo.py
+++ b/test/unit/common/middleware/test_dlo.py
@@ -758,6 +758,19 @@ class TestDloGetManifest(DloTestCase):
         self.assertEqual(body, 'aaaaabbbbbcccc')
         self.assertTrue(isinstance(exc, exceptions.SegmentError))
 
+    def test_get_with_auth_overridden(self):
+        auth_got_called = [0]
+
+        def my_auth():
+            auth_got_called[0] += 1
+            return None
+
+        req = swob.Request.blank('/v1/AUTH_test/mancon/manifest',
+                                 environ={'REQUEST_METHOD': 'GET',
+                                          'swift.authorize': my_auth})
+        status, headers, body = self.call_dlo(req)
+        self.assertTrue(auth_got_called[0] > 1)
+
 
 def fake_start_response(*args, **kwargs):
     pass