From 70864396dcbdf4c391fdb5e8e8b8ccea24c8fa4c Mon Sep 17 00:00:00 2001
From: Tim Burke <tim.burke@gmail.com>
Date: Tue, 31 May 2022 10:10:57 -0700
Subject: [PATCH] s3token: Only replace access_key_id in account

Change-Id: Ifccedbe7662925db55d0d8cd9e2e66a03126f661
Closes-Bug: #1816181
---
 swift/common/middleware/s3api/s3token.py          |  4 ++--
 test/unit/common/middleware/s3api/test_s3token.py | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/swift/common/middleware/s3api/s3token.py b/swift/common/middleware/s3api/s3token.py
index c376dac5fa..3693b2f28d 100644
--- a/swift/common/middleware/s3api/s3token.py
+++ b/swift/common/middleware/s3api/s3token.py
@@ -403,8 +403,8 @@ class S3Token(object):
             tenant_to_connect = tenant_to_connect.encode('utf-8')
         self._logger.debug('Connecting with tenant: %s', tenant_to_connect)
         new_tenant_name = '%s%s' % (self._reseller_prefix, tenant_to_connect)
-        environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
-                                                            new_tenant_name)
+        environ['PATH_INFO'] = environ['PATH_INFO'].replace(
+            account, new_tenant_name, 1)
         return self._app(environ, start_response)
 
 
diff --git a/test/unit/common/middleware/s3api/test_s3token.py b/test/unit/common/middleware/s3api/test_s3token.py
index 16df82e3e3..ba9559ab6b 100644
--- a/test/unit/common/middleware/s3api/test_s3token.py
+++ b/test/unit/common/middleware/s3api/test_s3token.py
@@ -956,6 +956,18 @@ class S3TokenMiddlewareTestV3(S3TokenMiddlewareTestBase):
         self._assert_authorized(req, account_path='/v1/')
         self.assertEqual(req.environ['PATH_INFO'], '/v1/AUTH_PROJECT_ID/c/o')
 
+    def test_authorize_with_access_key_in_container(self):
+        req = Request.blank('/v1/accesskey/accesskey.c/o')
+        req.environ['s3api.auth_details'] = {
+            'access_key': u'access',
+            'signature': u'signature',
+            'string_to_sign': u'token',
+        }
+        req.get_response(self.middleware)
+        self._assert_authorized(req, account_path='/v1/')
+        self.assertEqual(req.environ['PATH_INFO'],
+                         '/v1/AUTH_PROJECT_ID/accesskey.c/o')
+
     def test_authorize_with_access_key_and_unquote_chars(self):
         req = Request.blank('/v1/ab%c=/c/o')
         req.environ['s3api.auth_details'] = {