From c92fe396494d12ae72d223e323217d12660c9c23 Mon Sep 17 00:00:00 2001
From: Naoto Nishizono <nishizono.naoto@po.ntts.co.jp>
Date: Fri, 9 Jan 2015 18:52:36 +0900
Subject: [PATCH] Fix canned acl to be effective for s3_acl

If 'HTTP_X_AMZ_ACL' is present in environ when creating the bucket,
handle_acl_header in acl.py is called always.

In the case of the above delete 'HTTP_X_AMZ_ACL' from environ,
and header for s3_acl(x-container-sysmeta-swift3-acl) becomes
impossible to create.

Change-Id: Ic3f260e7f35c55029a59c1dd90869ceee17cf909
Closes-Bug: #1405510
---
 swift3/controllers/acl.py       |  8 ++++++++
 swift3/test/unit/test_acl.py    | 17 +++++++++++++++++
 swift3/test/unit/test_bucket.py | 19 +++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/swift3/controllers/acl.py b/swift3/controllers/acl.py
index 8c8331cf..f12ba8f6 100644
--- a/swift3/controllers/acl.py
+++ b/swift3/controllers/acl.py
@@ -22,6 +22,7 @@ from swift3.response import HTTPOk, S3NotImplemented, MalformedACLError, \
     InvalidArgument, UnexpectedContent
 from swift3.etree import Element, SubElement, fromstring, tostring, \
     XMLSyntaxError, DocumentInvalid
+from swift3.cfg import CONF
 
 XMLNS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
 
@@ -126,6 +127,13 @@ def handle_acl_header(req):
     """
     Handle the x-amz-acl header.
     """
+    # Used this method, delete 'HTTP_X_AMZ_ACL' from environ, and header for
+    # s3_acl(x-container-sysmeta-swift3-acl) becomes impossible to create.
+    # TODO: Modify to be able to use the s3_acl and swift acl
+    # (e.g. X-Container-Read) at the same time, if s3_acl is effective.
+    if CONF.s3_acl:
+        return
+
     amz_acl = req.environ['HTTP_X_AMZ_ACL']
     # Translate the Amazon ACL to something that can be
     # implemented in Swift, 501 otherwise. Swift uses POST
diff --git a/swift3/test/unit/test_acl.py b/swift3/test/unit/test_acl.py
index 8ca77a4e..1807b408 100644
--- a/swift3/test/unit/test_acl.py
+++ b/swift3/test/unit/test_acl.py
@@ -20,6 +20,7 @@ from swift.common.swob import Request, HTTPAccepted
 from swift3.test.unit import Swift3TestCase
 from swift3.etree import fromstring, tostring, Element, SubElement
 from swift3.controllers.acl import handle_acl_header
+from swift3.test.unit.test_s3_acl import s3acl
 
 XMLNS_XSI = 'http://www.w3.org/2001/XMLSchema-instance'
 
@@ -129,6 +130,22 @@ class TestSwift3Acl(Swift3TestCase):
                                    [('X-Container-Read', '.'),
                                     ('X-Container-Write', '.')])
 
+    @s3acl(s3acl_only=True)
+    def test_handle_acl_header_with_s3acl(self):
+        def check_generated_acl_header(acl, targets):
+            req = Request.blank('/bucket',
+                                headers={'X-Amz-Acl': acl})
+            handle_acl_header(req)
+            for target in targets:
+                self.assertTrue(target not in req.headers)
+            self.assertTrue('HTTP_X_AMZ_ACL' in req.environ)
+
+        check_generated_acl_header('public-read',
+                                   ['X-Container-Read'])
+        check_generated_acl_header('public-read-write',
+                                   ['X-Container-Read', 'X-Container-Write'])
+        check_generated_acl_header('private',
+                                   ['X-Container-Read', 'X-Container-Write'])
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/swift3/test/unit/test_bucket.py b/swift3/test/unit/test_bucket.py
index 6d9f0ea2..00a074aa 100644
--- a/swift3/test/unit/test_bucket.py
+++ b/swift3/test/unit/test_bucket.py
@@ -23,6 +23,7 @@ from swift.common.swob import Request
 from swift3.test.unit import Swift3TestCase
 from swift3.etree import Element, SubElement, fromstring, tostring
 from swift3.test.unit.test_s3_acl import s3acl
+from swift3.subresource import Owner, encode_acl, ACLPublicRead
 
 
 class TestSwift3Bucket(Swift3TestCase):
@@ -310,6 +311,24 @@ class TestSwift3Bucket(Swift3TestCase):
         _, _, headers = self.swift.calls_with_headers[-1]
         self.assertTrue('X-Container-Read' in headers)
         self.assertEquals(headers.get('X-Container-Read'), '.r:*,.rlistings')
+        self.assertTrue('X-Container-Sysmeta-Swift3-Acl' not in headers)
+
+    @s3acl(s3acl_only=True)
+    def test_bucket_PUT_with_canned_s3acl(self):
+        account = 'test:tester'
+        acl = \
+            encode_acl('container', ACLPublicRead(Owner(account, account)))
+        req = Request.blank('/bucket',
+                            environ={'REQUEST_METHOD': 'PUT'},
+                            headers={'Authorization': 'AWS test:tester:hmac',
+                                     'X-Amz-Acl': 'public-read'})
+        status, headers, body = self.call_swift3(req)
+        self.assertEquals(status.split()[0], '200')
+        _, _, headers = self.swift.calls_with_headers[-1]
+        self.assertTrue('X-Container-Read' not in headers)
+        self.assertTrue('X-Container-Sysmeta-Swift3-Acl' in headers)
+        self.assertEquals(headers.get('X-Container-Sysmeta-Swift3-Acl'),
+                          acl['x-container-sysmeta-swift3-acl'])
 
     @s3acl
     def test_bucket_PUT_with_location_error(self):