From c63f89cdcb7cfb148dfb85bb074f15fcdf393ada Mon Sep 17 00:00:00 2001 From: Tim Burke Date: Thu, 23 Feb 2017 20:47:48 +0000 Subject: [PATCH] Clean up how we keystone The docs were recommending a bad config (see related change). Related-Change: I21e38884a2aefbb94b76c76deccd815f01db7362 Change-Id: Idca96a39f552083b55dc5a86d14ee4357777d6fe --- README.md | 1 + etc/proxy-server.conf-sample | 10 ++++++--- .../test/functional/conf/proxy-server.conf.in | 2 +- swift3/test/functional/run_test.sh | 4 ++-- swift3/test/functional/test_bucket.py | 21 ++++++++++++++++++- 5 files changed, 31 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 43f84b4f..65687cbe 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,7 @@ Note: * The authtoken filter requires the keystonemiddleware package. * Swift3 explicitly checks that keystoneauth is in the pipeline. You must use this name in the pipeline statement and in [filter:keystoneauth] section header. + * The authtoken filter is only required if Keystone users will use the native Swift API. 3) Add to your proxy-server.conf the section for the Swift3 WSGI filter:: diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 8979ad07..915764f6 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample 
@@ -5,8 +5,11 @@ # more middleware. # # Keystone pipeline -# Note that s3token and authtoken require the keystonemiddleware package. -pipeline = proxy-logging cache swift3 s3token authtoken keystoneauth bulk slo proxy-logging proxy-server +# Note that authtoken requires the keystonemiddleware package. +pipeline = proxy-logging cache swift3 s3token keystoneauth bulk slo proxy-logging proxy-server +# Keystone pipeline with access via both S3 and native Swift API +# Note that authtoken requires the keystonemiddleware package. +# pipeline = proxy-logging cache authtoken swift3 s3token keystoneauth bulk slo proxy-logging proxy-server # Tempauth pipeline # pipeline = proxy-logging cache swift3 tempauth bulk slo proxy-logging proxy-server @@ -173,13 +176,14 @@ http_timeout = 10.0 [filter:authtoken] # See swift manual for more details. -paste.filter_factory = keystonemiddleware.auth_token:filter_factory +use = egg:keystonemiddleware#auth_token identity_uri = http://keystonehost:35357/ auth_uri = http://keystonehost:5000/ admin_tenant_name = service admin_user = swift admin_password = password cache = swift.cache +delay_auth_decision = True [filter:keystoneauth] # See swift manual for more details. diff --git a/swift3/test/functional/conf/proxy-server.conf.in b/swift3/test/functional/conf/proxy-server.conf.in index 87a89426..856dbde2 100644 --- a/swift3/test/functional/conf/proxy-server.conf.in +++ b/swift3/test/functional/conf/proxy-server.conf.in @@ -9,7 +9,7 @@ account_autocreate = true log_level = DEBUG [pipeline:main] -pipeline = catch_errors gatekeeper proxy-logging cache swift3 %MIDDLEWARE% bulk slo dlo proxy-logging proxy-server +pipeline = catch_errors gatekeeper proxy-logging cache %MIDDLEWARE% bulk slo dlo proxy-logging proxy-server [app:proxy-server] use = egg:swift#proxy diff --git a/swift3/test/functional/run_test.sh b/swift3/test/functional/run_test.sh index 6111a92f..0cf1c9c6 100755 --- a/swift3/test/functional/run_test.sh 
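Review bot: The note kept above the default Keystone pipeline, `# Note that authtoken requires the keystonemiddleware package.`, no longer matches the line it describes, because the new `pipeline = proxy-logging cache swift3 s3token keystoneauth ...` contains no authtoken. An operator who copies this default gets S3 access only for Keystone users, which the README hunk states but the sample does not. I would replace the first note with `# S3 API access only; use the pipeline below if Keystone users also need the native Swift API.` and keep the keystonemiddleware note on the commented-out pipeline, where authtoken actually appears.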
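Review bot: `delay_auth_decision = True` is added to [filter:authtoken] without a comment, although it changes where authentication is enforced. With this option keystonemiddleware stops rejecting requests that lack a valid token and passes them downstream. That is presumably what lets S3-signed requests reach swift3 and s3token when authtoken sits first in the pipeline, and rejection then depends on keystoneauth remaining after it. I would add `# Needed when authtoken precedes swift3/s3token; authtoken then defers rejection, so keystoneauth must stay later in the pipeline.` directly above the option.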
+++ b/swift3/test/functional/run_test.sh @@ -27,9 +27,9 @@ mkdir -p ${TEST_DIR}/certs ${TEST_DIR}/private # create config files if [ "$AUTH" == 'keystone' ]; then - MIDDLEWARE="s3token keystoneauth" + MIDDLEWARE="swift3 s3token keystoneauth" elif [ "$AUTH" == 'tempauth' ]; then - MIDDLEWARE="tempauth" + MIDDLEWARE="swift3 tempauth" else echo "unknown auth: $AUTH" exit 1 diff --git a/swift3/test/functional/test_bucket.py b/swift3/test/functional/test_bucket.py index 8ebb82fd..e8b79552 100644 --- a/swift3/test/functional/test_bucket.py +++ b/swift3/test/functional/test_bucket.py @@ -40,7 +40,26 @@ class TestSwift3Bucket(Swift3FunctionalTestCase): self.assertEqual(status, 200) self.assertCommonResponseHeaders(headers) - self.assertEqual(headers['location'], '/' + bucket) + self.assertIn(headers['location'], ( + '/' + bucket, # swob won't touch it... + # but webob (which we get because of auth_token) *does* + 'http://%s%s/%s' % ( + self.conn.host, + '' if self.conn.port == 80 else ':%d' % self.conn.port, + bucket), + # This is all based on the Host header the client provided, + # and boto will double-up ports for sig v4. See + # - https://github.com/boto/boto/issues/2623 + # - https://github.com/boto/boto/issues/3716 + # with proposed fixes at + # - https://github.com/boto/boto/pull/3513 + # - https://github.com/boto/boto/pull/3676 + 'http://%s%s:%d/%s' % ( + self.conn.host, + '' if self.conn.port == 80 else ':%d' % self.conn.port, + self.conn.port, + bucket), + )) self.assertEqual(headers['content-length'], '0') # GET Bucket(Without Object)
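Review bot: Neither `MIDDLEWARE` value in this if/elif puts authtoken ahead of swift3, so the dual-API pipeline that the sample config now documents does not appear to be exercised by this script. The test_bucket.py hunk in the same patch nevertheless already tolerates the Location rewriting attributed to auth_token. If that ordering is meant to be supported, a further AUTH branch setting `MIDDLEWARE="authtoken swift3 s3token keystoneauth"` would cover it; it would likely also need a [filter:authtoken] section in proxy-server.conf.in, which is not visible here. The if/elif chain continues outside the hunk.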
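Review bot: The two absolute-URL alternatives hard-code `http://` and elide only port 80, so the assertion would fail for a connection made over HTTPS or on port 443; whether the functional suite is ever run that way cannot be seen from this hunk. The doubled-port form is also accepted on every run, although the comment ties it to boto's sig v4 Host handling, so a malformed Location under other signing modes would pass unnoticed. The port suffix is spelled out twice; `port = '' if self.conn.port == 80 else ':%d' % self.conn.port` before the assertion would remove the duplication and leave one place to handle the scheme's default port. The enclosing test method starts before the hunk and continues after it.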