Prevent early auth deny in tempauth when using swift3 middleware.

When tempauth is used together with swift3 and keystone, groups are
empty and tempauth denies the request too early without a chance for
keystone to authenticate the request.

Change-Id: I21d9b22ecbd18a5f1fba901abd94221a332c45ea
Closes-Bug: 1244545

swift/common/middleware/tempauth.py

@@ -152,7 +152,7 @@ class TempAuth(object):
                     env['reseller_request'] = True
             else:
                 # Unauthorized token
-                if self.reseller_prefix:
+                if self.reseller_prefix and not s3:
                     # Because I know I'm the definitive auth for this token, I
                     # can deny it outright.
                     self.logger.increment('unauthorized')

test/unit/common/middleware/test_tempauth.py

@@ -226,6 +226,22 @@ class TestAuth(unittest.TestCase):
         self.assertEquals(req.environ['swift.authorize'],
                           local_auth.denied_response)
 
+    def test_auth_reseller_prefix_with_s3_deny(self):
+        # Ensures that when we have a reseller prefix and using a middleware
+        # relying on Http-Authorization (for example swift3), we don't deny a
+        # request outright but set up a denial swift.authorize and pass the
+        # request on down the chain.
+        local_app = FakeApp()
+        local_auth = auth.filter_factory({'reseller_prefix': 'PRE'})(local_app)
+        req = self._make_request('/v1/account',
+                                 headers={'X-Auth-Token': 't',
+                                          'Authorization': 'AWS user:pw'})
+        resp = req.get_response(local_auth)
+        self.assertEquals(resp.status_int, 401)
+        self.assertEquals(local_app.calls, 1)
+        self.assertEquals(req.environ['swift.authorize'],
+                          local_auth.denied_response)
+
     def test_auth_no_reseller_prefix_no_token(self):
         # Check that normally we set up a call back to our authorize.
         local_auth = \