)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Yan Xiao \u003cyanxiao@nvidia.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2026-01-23 12:23:19 -0500"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix token issue for base labels"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: Ibf99b4df9eeaeaee9961f05d11f2f567cf68aef9"},{"line_number":10,"context_line":"Signed-off-by: Yan Xiao \u003cyanxiao@nvidia.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"185cb462_63db6cea","line":7,"updated":"2026-01-29 16:54:03.000000000","message":"The commit message needs to explain what the issue is. Better still, refer to a launchpad bug where anyone can read about what motivated this change in more detail than may be appropriate for a commit message.\n\nIn this case I suggest a launchpad bug describing how we end up seeing \u0027polluted\u0027 account labels (with appropriate redaction of any tokens), then a commit message tag as described here:\n\nhttps://docs.opendev.org/opendev/infra-manual/latest/developers.html#working-on-bugs\n\nThen, explain briefly the strategy for the fix i.e. delegating to auth middlewares.","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Yan Xiao \u003cyanxiao@nvidia.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2026-01-23 12:23:19 -0500"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix token issue for base labels"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: Ibf99b4df9eeaeaee9961f05d11f2f567cf68aef9"},{"line_number":10,"context_line":"Signed-off-by: Yan Xiao \u003cyanxiao@nvidia.com\u003e"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"8eaca035_85821be3","line":7,"in_reply_to":"185cb462_63db6cea","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Fix token issue for base labels"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"The account label emitted in labeled metrics sometimes could be"},{"line_number":10,"context_line":"incorrectly prefixed with a fernet token. The incorrect label is"},{"line_number":11,"context_line":"from PATH_INFO as observed by the rightmost proxy-logging or other"},{"line_number":12,"context_line":"Swift middlewares on the right side of Swift auth middleware on"},{"line_number":13,"context_line":"pipeline, or backend servers."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"20305e2a_ab7d3b5d","line":10,"range":{"start_line":10,"start_character":28,"end_line":10,"end_character":40},"updated":"2026-03-13 16:00:02.000000000","message":"the problem isn\u0027t specific to fernet tokens IIUC. Isn\u0027t it any s3api request?","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"4822365d_3d2ff9d9","updated":"2026-01-29 16:54:03.000000000","message":"This is a good basis for exploring how we want proxy_logging base_labels to evolve. It\u0027s helped me get a better grasp of where we need changes. \n\nI\u0027d like ot think a bit more about whether the auth middlewares should be updating the labels and path or whether they should be communicating that info to s3api for it to fix up the request environ.\n\ntempauth should get some new unit tests","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"3ead5498_f2b0080b","updated":"2026-03-13 16:00:02.000000000","message":"This patch has made me realise a couple of things that may be existing deficiencies:\n\n1. account has no default value in base_labels, this patch makes it an empty string, but that is inconsistent with resource\u0027s default\n2. It seems reasonable to think that other middlewares might add base_labels to the environ (i.e. auth\u0027s!) which breaks an assumption in proxy_logging.\n\nI suggest a helper method, which highlights the concerns, in https://review.opendev.org/c/openstack/swift/+/980485 base_labels: add helper, set if not present\n\nThere should be a new test in test_tempauth.py","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"87668a717fb6e9a4a1f961c7c1b8d4cada2c2cf5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"1edfc1ef_f62b7cd5","updated":"2026-03-12 16:19:59.000000000","message":"recheck","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}],"swift/common/middleware/proxy_logging.py":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":524,"context_line":"            if is_s3_req(req):"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d \u0027\u0027"},{"line_number":526,"context_line":"            else:"},{"line_number":527,"context_line":"                base_labels[\u0027account\u0027] \u003d acc or \u0027\u0027"},{"line_number":528,"context_line":"            if cont:"},{"line_number":529,"context_line":"                base_labels[\u0027container\u0027] \u003d cont"},{"line_number":530,"context_line":"            req.environ[\u0027swift.base_labels\u0027] \u003d base_labels"}],"source_content_type":"text/x-python","patch_set":2,"id":"53f7e7fb_62c620dc","line":527,"updated":"2026-01-29 16:54:03.000000000","message":"can acc be not None and is_s3_req True? I don\u0027t think that can happen, in which case in both cases we can write ``base_labels[\u0027account\u0027] \u003d acc or \u0027\u0027`` i.e the if/else isn\u0027t necessary","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":524,"context_line":"            if is_s3_req(req):"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d \u0027\u0027"},{"line_number":526,"context_line":"            else:"},{"line_number":527,"context_line":"                base_labels[\u0027account\u0027] \u003d acc or \u0027\u0027"},{"line_number":528,"context_line":"            if cont:"},{"line_number":529,"context_line":"                base_labels[\u0027container\u0027] \u003d cont"},{"line_number":530,"context_line":"            req.environ[\u0027swift.base_labels\u0027] \u003d base_labels"}],"source_content_type":"text/x-python","patch_set":2,"id":"f296add2_a9092d9a","line":527,"in_reply_to":"53f7e7fb_62c620dc","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":528,"context_line":"            if cont:"},{"line_number":529,"context_line":"                base_labels[\u0027container\u0027] \u003d cont"},{"line_number":530,"context_line":"            req.environ[\u0027swift.base_labels\u0027] \u003d base_labels"},{"line_number":531,"context_line":"        elif acc:"},{"line_number":532,"context_line":"            # expected in the right-most proxy_logging instance"},{"line_number":533,"context_line":"            resource_type \u003d self.get_resource_type_from_aco("},{"line_number":534,"context_line":"                req, acc, cont, obj)"}],"source_content_type":"text/x-python","patch_set":2,"id":"5666ff45_ff36fa2e","line":531,"updated":"2026-01-29 16:54:03.000000000","message":"ok, so we still require some middleware to re-write the path to look like a valid swift request path (otherwise ``get_aco_from_path`` returns all None\u0027s), but we\u0027re now also expecting auth middleware to populate ``base_labels[\u0027account\u0027]``\n\nI wonder if we could include both expectations in a comment here at line 532 to replace the existing:\n\n```\n# expected in the right-most proxy_logging instance:\n# - base_labels exists\n# - the request has a valid swift v/a/c/o path so that resource_type can\n    be determined, if it wasn\u0027t already known in left-most proxy_logging\n# - an authoritative auth middleware will have populated \n    base_labels[\u0027account\u0027] if it wasn\u0027t known in left-most proxy_logging\n# -  \n```","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":528,"context_line":"            if cont:"},{"line_number":529,"context_line":"                base_labels[\u0027container\u0027] \u003d cont"},{"line_number":530,"context_line":"            req.environ[\u0027swift.base_labels\u0027] \u003d base_labels"},{"line_number":531,"context_line":"        elif acc:"},{"line_number":532,"context_line":"            # expected in the right-most proxy_logging instance"},{"line_number":533,"context_line":"            resource_type \u003d self.get_resource_type_from_aco("},{"line_number":534,"context_line":"                req, acc, cont, obj)"}],"source_content_type":"text/x-python","patch_set":2,"id":"87bec972_95c30370","line":531,"in_reply_to":"5666ff45_ff36fa2e","updated":"2026-02-05 22:19:44.000000000","message":"Good point, thanks for the comment!","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":516,"context_line":"        :return: a dict of labels associated with the request."},{"line_number":517,"context_line":"        \"\"\""},{"line_number":518,"context_line":"        req_labels \u003d {}"},{"line_number":519,"context_line":"        req_labels[\u0027account\u0027] \u003d acc or \u0027\u0027"},{"line_number":520,"context_line":"        if cont:"},{"line_number":521,"context_line":"            req_labels[\u0027container\u0027] \u003d cont"},{"line_number":522,"context_line":"        req_labels[\u0027resource\u0027] \u003d self.get_resource_type_from_aco("}],"source_content_type":"text/x-python","patch_set":4,"id":"fa8e08db_ad59278a","line":519,"updated":"2026-03-13 16:00:02.000000000","message":"this is a subtle but significant additional change: labels will always have an account key","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":570,"context_line":"                if base_labels.get(\u0027resource\u0027) \u003d\u003d \u0027UNKNOWN\u0027:"},{"line_number":571,"context_line":"                    # allow a later middleware to update the resource label"},{"line_number":572,"context_line":"                    # once the full swift path is known."},{"line_number":573,"context_line":"                    base_labels.pop(\u0027resource\u0027)"},{"line_number":574,"context_line":"                base_labels[\u0027api\u0027] \u003d \u0027S3\u0027"},{"line_number":575,"context_line":"            else:"},{"line_number":576,"context_line":"                base_labels[\u0027api\u0027] \u003d \u0027swift\u0027"}],"source_content_type":"text/x-python","patch_set":4,"id":"3a1addd7_0ebbd3a2","line":573,"range":{"start_line":573,"start_character":20,"end_line":573,"end_character":47},"updated":"2026-03-13 16:00:02.000000000","message":"this is now inconsistent with the account being unknown: unknown account -\u003e account\u003d\u0027\u0027, unknown resource -\u003e the key is popped\n\nI think we need to decide on one way in which we represent unknown but desired labels: empty string seems to be the candidate (in general we need the key to be present to know that is was a desired label)","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":589,"context_line":"            for k, v in labels.items():"},{"line_number":590,"context_line":"                # if these base_labels are not already set then this is the"},{"line_number":591,"context_line":"                # best idea we have"},{"line_number":592,"context_line":"                if k \u003d\u003d \u0027resource\u0027:"},{"line_number":593,"context_line":"                    base_labels.setdefault(k, v)"},{"line_number":594,"context_line":"            req_labels \u003d ChainMap(labels, base_labels)"},{"line_number":595,"context_line":"        return req_labels"}],"source_content_type":"text/x-python","patch_set":4,"id":"7951ad3b_391624b9","line":592,"updated":"2026-03-13 16:00:02.000000000","message":"there are going to be auth middlewares that have not yet implemented (and may never implement) the required change to update base_labels so I think we still need the original path-parsed account if there is not one already set in base_labels","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":590,"context_line":"                # if these base_labels are not already set then this is the"},{"line_number":591,"context_line":"                # best idea we have"},{"line_number":592,"context_line":"                if k \u003d\u003d \u0027resource\u0027:"},{"line_number":593,"context_line":"                    base_labels.setdefault(k, v)"},{"line_number":594,"context_line":"            req_labels \u003d ChainMap(labels, base_labels)"},{"line_number":595,"context_line":"        return req_labels"},{"line_number":596,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"e4fad0ea_2603346a","line":593,"updated":"2026-03-13 16:00:02.000000000","message":"here we see that inconsistency again: we CAN use setdefault for resource, but in tempauth we cannot use it for account because account key may be set but with empty string value.","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}],"swift/common/middleware/tempauth.py":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":513,"context_line":"            return None"},{"line_number":514,"context_line":"        user \u003d self.users[account_user]"},{"line_number":515,"context_line":"        account \u003d account_user.split(\u0027:\u0027, 1)[0]"},{"line_number":516,"context_line":"        account_id \u003d user[\u0027url\u0027].rsplit(\u0027/\u0027, 1)[-1]"},{"line_number":517,"context_line":"        if not s3_auth_details[\u0027check_signature\u0027](user[\u0027key\u0027]):"},{"line_number":518,"context_line":"            return None"},{"line_number":519,"context_line":"        env[\u0027PATH_INFO\u0027] \u003d env[\u0027PATH_INFO\u0027].replace("}],"source_content_type":"text/x-python","patch_set":2,"id":"5633fa0c_91100641","line":516,"updated":"2026-01-29 16:54:03.000000000","message":"we could set base_labels[\u0027account\u0027] here before possibly returning None at line 518: tempauth is authoritative\n\nHowever, we might want to consider making the path re-write and base_labels update always happen together, so to keep this patch simpler it could be a follow-on patch to move BOTH to here.","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":513,"context_line":"            return None"},{"line_number":514,"context_line":"        user \u003d self.users[account_user]"},{"line_number":515,"context_line":"        account \u003d account_user.split(\u0027:\u0027, 1)[0]"},{"line_number":516,"context_line":"        account_id \u003d user[\u0027url\u0027].rsplit(\u0027/\u0027, 1)[-1]"},{"line_number":517,"context_line":"        if not s3_auth_details[\u0027check_signature\u0027](user[\u0027key\u0027]):"},{"line_number":518,"context_line":"            return None"},{"line_number":519,"context_line":"        env[\u0027PATH_INFO\u0027] \u003d env[\u0027PATH_INFO\u0027].replace("}],"source_content_type":"text/x-python","patch_set":2,"id":"f62ba4d7_b2ab1123","line":516,"in_reply_to":"5633fa0c_91100641","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":520,"context_line":"            str_to_wsgi(account_user), wsgi_unquote(account_id), 1)"},{"line_number":521,"context_line":"        base_labels \u003d env.get(\u0027swift.base_labels\u0027)"},{"line_number":522,"context_line":"        if base_labels is not None:"},{"line_number":523,"context_line":"            acc \u003d base_labels.get(\u0027account\u0027)"},{"line_number":524,"context_line":"            if not acc:"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d account_id"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"        return self._get_user_groups(account, account_user, account_id)"},{"line_number":528,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"cdbf29f7_304d041b","line":525,"range":{"start_line":523,"start_character":12,"end_line":525,"end_character":51},"updated":"2026-01-29 16:54:03.000000000","message":"this can be written:\n``base_labels.setdefault(\u0027account\u0027, account_id)``","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":520,"context_line":"            str_to_wsgi(account_user), wsgi_unquote(account_id), 1)"},{"line_number":521,"context_line":"        base_labels \u003d env.get(\u0027swift.base_labels\u0027)"},{"line_number":522,"context_line":"        if base_labels is not None:"},{"line_number":523,"context_line":"            acc \u003d base_labels.get(\u0027account\u0027)"},{"line_number":524,"context_line":"            if not acc:"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d account_id"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"        return self._get_user_groups(account, account_user, account_id)"},{"line_number":528,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"8b5e5468_df87e839","line":525,"range":{"start_line":523,"start_character":12,"end_line":525,"end_character":51},"in_reply_to":"cdbf29f7_304d041b","updated":"2026-02-05 22:19:44.000000000","message":"that seems to only work if account is None, not empty string?","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":518,"context_line":"            return None"},{"line_number":519,"context_line":"        env[\u0027PATH_INFO\u0027] \u003d env[\u0027PATH_INFO\u0027].replace("},{"line_number":520,"context_line":"            str_to_wsgi(account_user), wsgi_unquote(account_id), 1)"},{"line_number":521,"context_line":"        base_labels \u003d env.get(\u0027swift.base_labels\u0027)"},{"line_number":522,"context_line":"        if base_labels is not None:"},{"line_number":523,"context_line":"            acc \u003d base_labels.get(\u0027account\u0027)"},{"line_number":524,"context_line":"            if not acc:"}],"source_content_type":"text/x-python","patch_set":4,"id":"59e5941f_6e83f627","line":521,"updated":"2026-03-13 16:00:02.000000000","message":"now that base_labels are becoming visible to other middlewares, I wonder if it would be useful to encapsulate some behaviour in some request_helpers.py helper functions\n\ne.g. \n```\ndef set_base_labels(environ, \u003cdict of labels\u003e):\n    # creates base_labels dict in environ if it does not exist\n    # sets label in dict if it doesn\u0027t already have a truthy value\n```\n\nEvery auth middleware is  going to need to have these 5 lines, or they all use a helper that does the right thing.","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":519,"context_line":"        env[\u0027PATH_INFO\u0027] \u003d env[\u0027PATH_INFO\u0027].replace("},{"line_number":520,"context_line":"            str_to_wsgi(account_user), wsgi_unquote(account_id), 1)"},{"line_number":521,"context_line":"        base_labels \u003d env.get(\u0027swift.base_labels\u0027)"},{"line_number":522,"context_line":"        if base_labels is not None:"},{"line_number":523,"context_line":"            acc \u003d base_labels.get(\u0027account\u0027)"},{"line_number":524,"context_line":"            if not acc:"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d account_id"}],"source_content_type":"text/x-python","patch_set":4,"id":"a2010856_e4abe3a1","line":522,"updated":"2026-03-13 16:00:02.000000000","message":"If base_labels is None why would we not create it? let\u0027s say there is no leftmost proxy_logging: the auth middleware knows the account...why shouldn\u0027t it propagate it to the rightmost proxy logging?","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":522,"context_line":"        if base_labels is not None:"},{"line_number":523,"context_line":"            acc \u003d base_labels.get(\u0027account\u0027)"},{"line_number":524,"context_line":"            if not acc:"},{"line_number":525,"context_line":"                base_labels[\u0027account\u0027] \u003d account_id"},{"line_number":526,"context_line":""},{"line_number":527,"context_line":"        return self._get_user_groups(account, account_user, account_id)"},{"line_number":528,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"56fea64c_78e81d18","line":525,"updated":"2026-03-13 16:00:02.000000000","message":"don\u0027t we want to set this as soon as we know account_id i.e. line 516? Then if check_signature fails the base_labels still has an account.\n\nAs it is currently the path will always have the account before base_labels so there isn\u0027t really anything gained vs rightmost proxy-logging parsing the path.\n\nAlso, you can use ``setdefault(\u0027account\u0027, account_id)``\n\nUPDATE: setdefault may not work because you\u0027ve changed proxy-logging to always set the account key","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}],"test/unit/common/middleware/s3api/__init__.py":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":42,"context_line":"        self.remote_user \u003d \u0027authorized\u0027"},{"line_number":43,"context_line":"        self.app \u003d app"},{"line_number":44,"context_line":"        self.update_s3_path_info \u003d update_s3_path_info"},{"line_number":45,"context_line":"        self.sw_env \u003d sw_env"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"    def _update_s3_path_info(self, env):"},{"line_number":48,"context_line":"        \"\"\""}],"source_content_type":"text/x-python","patch_set":2,"id":"140e9470_717c9595","line":45,"updated":"2026-01-29 16:54:03.000000000","message":"I\u0027m not sure this change is necessary:\n1. we can use FakeSwift to capture the request environs\n2. we can just omit FakeAuthApp from the pipeline to simulate auth not updating the request env","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":42,"context_line":"        self.remote_user \u003d \u0027authorized\u0027"},{"line_number":43,"context_line":"        self.app \u003d app"},{"line_number":44,"context_line":"        self.update_s3_path_info \u003d update_s3_path_info"},{"line_number":45,"context_line":"        self.sw_env \u003d sw_env"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"    def _update_s3_path_info(self, env):"},{"line_number":48,"context_line":"        \"\"\""}],"source_content_type":"text/x-python","patch_set":2,"id":"8fd7a8b8_03d398d6","line":45,"in_reply_to":"140e9470_717c9595","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":54,"context_line":"        tenant_user \u003d swob.str_to_wsgi(env[\u0027s3api.auth_details\u0027][\u0027access_key\u0027])"},{"line_number":55,"context_line":"        tenant, user \u003d tenant_user.rsplit(\u0027:\u0027, 1)"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"        if self.update_s3_path_info:"},{"line_number":58,"context_line":"            acc \u003d \u0027AUTH_\u0027 + tenant"},{"line_number":59,"context_line":"            path \u003d env[\u0027PATH_INFO\u0027]"},{"line_number":60,"context_line":"            # Make sure it\u0027s valid WSGI"}],"source_content_type":"text/x-python","patch_set":2,"id":"172d6a18_67b2ba13","line":57,"updated":"2026-01-29 16:54:03.000000000","message":"At line 80 this method won\u0027t even be called if ``self.update_s3_path_info`` is False.","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":54,"context_line":"        tenant_user \u003d swob.str_to_wsgi(env[\u0027s3api.auth_details\u0027][\u0027access_key\u0027])"},{"line_number":55,"context_line":"        tenant, user \u003d tenant_user.rsplit(\u0027:\u0027, 1)"},{"line_number":56,"context_line":""},{"line_number":57,"context_line":"        if self.update_s3_path_info:"},{"line_number":58,"context_line":"            acc \u003d \u0027AUTH_\u0027 + tenant"},{"line_number":59,"context_line":"            path \u003d env[\u0027PATH_INFO\u0027]"},{"line_number":60,"context_line":"            # Make sure it\u0027s valid WSGI"}],"source_content_type":"text/x-python","patch_set":2,"id":"55b35f2c_6a2de702","line":57,"in_reply_to":"172d6a18_67b2ba13","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":81,"context_line":"            self._update_s3_path_info(env)"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"        if self.sw_env is not None:"},{"line_number":84,"context_line":"            self.sw_env.append(env)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"        if self.remote_user:"},{"line_number":87,"context_line":"            env[\u0027REMOTE_USER\u0027] \u003d self.remote_user"}],"source_content_type":"text/x-python","patch_set":2,"id":"88add444_3671cb0f","line":84,"updated":"2026-01-29 16:54:03.000000000","message":"do we need to capture the request env here? It is already captured in the FakeSwift app - see comment in test_proxy_logging.py","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":81,"context_line":"            self._update_s3_path_info(env)"},{"line_number":82,"context_line":""},{"line_number":83,"context_line":"        if self.sw_env is not None:"},{"line_number":84,"context_line":"            self.sw_env.append(env)"},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"        if self.remote_user:"},{"line_number":87,"context_line":"            env[\u0027REMOTE_USER\u0027] \u003d self.remote_user"}],"source_content_type":"text/x-python","patch_set":2,"id":"07855966_f7097bb1","line":84,"in_reply_to":"88add444_3671cb0f","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":60,"context_line":""},{"line_number":61,"context_line":"        base_labels \u003d env.get(\u0027swift.base_labels\u0027)"},{"line_number":62,"context_line":"        if base_labels is not None:"},{"line_number":63,"context_line":"            base_labels[\u0027account\u0027] \u003d acc"},{"line_number":64,"context_line":""},{"line_number":65,"context_line":"    @staticmethod"},{"line_number":66,"context_line":"    def authorize_cb(req):"}],"source_content_type":"text/x-python","patch_set":4,"id":"daff56b5_9588688c","line":63,"updated":"2026-03-13 16:00:02.000000000","message":"this is different from the tempauth change in that account is set regardless of it having a truthy value already.\n\nAnother reason to consider having a request_helpers function to encapsulate the right behaviour in one place?","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}],"test/unit/common/middleware/test_proxy_logging.py":[{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":1682,"context_line":"            {"},{"line_number":1683,"context_line":"                \u0027resource\u0027: \u0027object\u0027,"},{"line_number":1684,"context_line":"                \u0027method\u0027: \u0027PUT\u0027,"},{"line_number":1685,"context_line":"                \u0027account\u0027: \u0027a\u0027,"},{"line_number":1686,"context_line":"                \u0027container\u0027: \u0027c\u0027,"},{"line_number":1687,"context_line":"            },"},{"line_number":1688,"context_line":"            self._do_test_swift_base_labels("}],"source_content_type":"text/x-python","patch_set":2,"id":"76cc2d33_c8b5583a","side":"PARENT","line":1685,"updated":"2026-01-29 16:54:03.000000000","message":"this change is counter-intuitive: IIUC, with this patch, if ``base_labels`` exists it always has an ``account`` key, correct?","commit_id":"a572a08b3d7fd89d467f7ad92d7c723b78e7b723"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":1682,"context_line":"            {"},{"line_number":1683,"context_line":"                \u0027resource\u0027: \u0027object\u0027,"},{"line_number":1684,"context_line":"                \u0027method\u0027: \u0027PUT\u0027,"},{"line_number":1685,"context_line":"                \u0027account\u0027: \u0027a\u0027,"},{"line_number":1686,"context_line":"                \u0027container\u0027: \u0027c\u0027,"},{"line_number":1687,"context_line":"            },"},{"line_number":1688,"context_line":"            self._do_test_swift_base_labels("}],"source_content_type":"text/x-python","patch_set":2,"id":"eee9899f_0aa0f8d5","side":"PARENT","line":1685,"in_reply_to":"76cc2d33_c8b5583a","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"a572a08b3d7fd89d467f7ad92d7c723b78e7b723"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":1950,"context_line":"    def _do_test_base_labels_end_to_end(self, orig_path, new_path\u003dNone,"},{"line_number":1951,"context_line":"                                        req_hdrs\u003dNone):"},{"line_number":1952,"context_line":"        # if new_path is given then pretend an s3api/auth middleware"},{"line_number":1953,"context_line":"        # combination replaces the request path with new_path"},{"line_number":1954,"context_line":"        mw_conf \u003d {}"},{"line_number":1955,"context_line":"        base_labels \u003d []"},{"line_number":1956,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"1a37faa9_393163df","line":1953,"updated":"2026-01-29 16:54:03.000000000","message":"we could add another option to this helper:\n```\n# if new_account is given then pretend an auth middleware sets the new_account in base_labels\n```","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":1950,"context_line":"    def _do_test_base_labels_end_to_end(self, orig_path, new_path\u003dNone,"},{"line_number":1951,"context_line":"                                        req_hdrs\u003dNone):"},{"line_number":1952,"context_line":"        # if new_path is given then pretend an s3api/auth middleware"},{"line_number":1953,"context_line":"        # combination replaces the request path with new_path"},{"line_number":1954,"context_line":"        mw_conf \u003d {}"},{"line_number":1955,"context_line":"        base_labels \u003d []"},{"line_number":1956,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"82eb4c67_851198a5","line":1953,"in_reply_to":"1a37faa9_393163df","updated":"2026-02-05 22:19:44.000000000","message":"updated unit tests","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2024,"context_line":"            \u0027/\u0027, \u0027/v1/a\u0027, req_hdrs)"},{"line_number":2025,"context_line":"        self.assertEqual("},{"line_number":2026,"context_line":"            [{\u0027account\u0027: \u0027\u0027, \u0027method\u0027: \u0027PUT\u0027, \u0027api\u0027: \u0027S3\u0027},"},{"line_number":2027,"context_line":"             {\u0027account\u0027: \u0027\u0027, \u0027method\u0027: \u0027PUT\u0027, \u0027resource\u0027: \u0027account\u0027,"},{"line_number":2028,"context_line":"              \u0027api\u0027: \u0027S3\u0027}],"},{"line_number":2029,"context_line":"            base_labels)"},{"line_number":2030,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"ba4e9c98_581151b2","line":2027,"updated":"2026-01-29 16:54:03.000000000","message":"ok, before the rightmost would extract account from new_path, now it doesn\u0027t","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2024,"context_line":"            \u0027/\u0027, \u0027/v1/a\u0027, req_hdrs)"},{"line_number":2025,"context_line":"        self.assertEqual("},{"line_number":2026,"context_line":"            [{\u0027account\u0027: \u0027\u0027, \u0027method\u0027: \u0027PUT\u0027, \u0027api\u0027: \u0027S3\u0027},"},{"line_number":2027,"context_line":"             {\u0027account\u0027: \u0027\u0027, \u0027method\u0027: \u0027PUT\u0027, \u0027resource\u0027: \u0027account\u0027,"},{"line_number":2028,"context_line":"              \u0027api\u0027: \u0027S3\u0027}],"},{"line_number":2029,"context_line":"            base_labels)"},{"line_number":2030,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"b9cd3ca3_2db7ea34","line":2027,"in_reply_to":"ba4e9c98_581151b2","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2439,"context_line":"        )"},{"line_number":2440,"context_line":"        status, headers, body \u003d self._do_test_call_app(req, app)"},{"line_number":2441,"context_line":"        self.assertEqual(\u0027404 Not Found\u0027, status)"},{"line_number":2442,"context_line":"        self.assertEqual(sw_env[0][\u0027PATH_INFO\u0027],"},{"line_number":2443,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2444,"context_line":"        self.assertEqual(sw_env[0][\u0027swift.base_labels\u0027], {"},{"line_number":2445,"context_line":"            \u0027resource\u0027: \u0027object\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"138779e7_3038200a","line":2442,"range":{"start_line":2442,"start_character":25,"end_line":2442,"end_character":34},"updated":"2026-01-29 16:54:03.000000000","message":"this could be ``swift.call_list[0].env`` - or is there a subtle difference?\n\nUnless it is necessary I\u0027d much prefer to stick with the existing pattern of capturing requests in FakeSwift. If it does need to be different then please add a comment to justify/explain the deviation from the normal pattern. Thanks.","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2439,"context_line":"        )"},{"line_number":2440,"context_line":"        status, headers, body \u003d self._do_test_call_app(req, app)"},{"line_number":2441,"context_line":"        self.assertEqual(\u0027404 Not Found\u0027, status)"},{"line_number":2442,"context_line":"        self.assertEqual(sw_env[0][\u0027PATH_INFO\u0027],"},{"line_number":2443,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2444,"context_line":"        self.assertEqual(sw_env[0][\u0027swift.base_labels\u0027], {"},{"line_number":2445,"context_line":"            \u0027resource\u0027: \u0027object\u0027,"}],"source_content_type":"text/x-python","patch_set":2,"id":"63e27ccf_4ed319c4","line":2442,"range":{"start_line":2442,"start_character":25,"end_line":2442,"end_character":34},"in_reply_to":"138779e7_3038200a","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2451,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2452,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2453,"context_line":""},{"line_number":2454,"context_line":"    def test_s3_not_update_path_info_base_labels(self):"},{"line_number":2455,"context_line":"        sw_env \u003d []"},{"line_number":2456,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dFalse,"},{"line_number":2457,"context_line":"                                                update_s3_path_info\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":2,"id":"639bd223_79f0a6a1","line":2454,"updated":"2026-01-29 16:54:03.000000000","message":"I think that this test is trying to show that if the auth middleware does not fix the path and populate base_labels then they remain unchanged. That feels like a test for an auth middleware - AFAICT it does not assert any behaviour of proxy_logging.\n\nI can get the same result by just excluding FakeAuthApp from the pipeline (and using FakeSwift to capture the calls)\n\n```\ndiff --git a/test/unit/common/middleware/test_proxy_logging.py b/test/unit/common/middleware/test_proxy_logging.py\nindex 209db5ca2..6b134d55c 100644\n--- a/test/unit/common/middleware/test_proxy_logging.py\n+++ b/test/unit/common/middleware/test_proxy_logging.py\n@@ -2402,8 +2402,8 @@ class TestProxyLogging(BaseTestProxyLogging):\n         }, logger\u003dself.logger)\n         if rewrite_path:\n             app \u003d PathRewritingApp(app, self.logger)\n-        app \u003d FakeAuthApp(app, update_s3_path_info\u003dupdate_s3_path_info,\n-                          sw_env\u003dout_sw_env)\n+        # app \u003d FakeAuthApp(app, update_s3_path_info\u003dupdate_s3_path_info,\n+        #                   sw_env\u003dout_sw_env)\n         app._pipeline_final_app \u003d fake_swift\n         app \u003d s3api_filter_factory({\n             \u0027force_swift_request_proxy_log\u0027: False,\n@@ -2470,9 +2470,9 @@ class TestProxyLogging(BaseTestProxyLogging):\n         )\n         status, headers, body \u003d self._do_test_call_app(req, app)\n         self.assertEqual(\u0027404 Not Found\u0027, status)\n-        self.assertEqual(sw_env[0][\u0027PATH_INFO\u0027],\n+        self.assertEqual(swift.call_list[0].env[\u0027PATH_INFO\u0027],\n                          \u0027/v1/test:tester/bucket/object\u0027)\n-        self.assertEqual(sw_env[0][\u0027swift.base_labels\u0027], {\n+        self.assertEqual(swift.call_list[0].env[\u0027swift.base_labels\u0027], {\n             \u0027resource\u0027: \u0027object\u0027,\n             \u0027method\u0027: \u0027GET\u0027,\n             \u0027account\u0027: \u0027\u0027,\n\n```\n\nWhat I _do_ think would be interesting would be to have the rightmost proxy_logging in the pipeline and assert that IT does not add account to the base_labels in the way that it used to IF the auth middleware doesn\u0027t do its job.\n\nUPDATE: I think my last point is addressed by the end-to-end tests above","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2451,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2452,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2453,"context_line":""},{"line_number":2454,"context_line":"    def test_s3_not_update_path_info_base_labels(self):"},{"line_number":2455,"context_line":"        sw_env \u003d []"},{"line_number":2456,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dFalse,"},{"line_number":2457,"context_line":"                                                update_s3_path_info\u003dFalse,"}],"source_content_type":"text/x-python","patch_set":2,"id":"5d4e6a1d_da2de6d6","line":2454,"in_reply_to":"639bd223_79f0a6a1","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2482,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2483,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2484,"context_line":""},{"line_number":2485,"context_line":"    def _do_test_s3_tempauth(self, check_sig\u003dTrue):"},{"line_number":2486,"context_line":"        # proxy_logging s3api tempauth proxy_logging fake_swift"},{"line_number":2487,"context_line":"        fake_swift \u003d FakeSwift()"},{"line_number":2488,"context_line":"        app \u003d proxy_logging.ProxyLoggingMiddleware(fake_swift, {"}],"source_content_type":"text/x-python","patch_set":2,"id":"0f1849b4_6554ab23","line":2485,"range":{"start_line":2485,"start_character":35,"end_line":2485,"end_character":44},"updated":"2026-01-29 16:54:03.000000000","message":"nit: this is actually the ``check_signature`` result, rather than a boolean controlling if the signature should be checked or not, so maybe better named ``check_sig_result`` ?","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2482,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2483,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2484,"context_line":""},{"line_number":2485,"context_line":"    def _do_test_s3_tempauth(self, check_sig\u003dTrue):"},{"line_number":2486,"context_line":"        # proxy_logging s3api tempauth proxy_logging fake_swift"},{"line_number":2487,"context_line":"        fake_swift \u003d FakeSwift()"},{"line_number":2488,"context_line":"        app \u003d proxy_logging.ProxyLoggingMiddleware(fake_swift, {"}],"source_content_type":"text/x-python","patch_set":2,"id":"21926440_ad0eb1a6","line":2485,"range":{"start_line":2485,"start_character":35,"end_line":2485,"end_character":44},"in_reply_to":"0f1849b4_6554ab23","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2514,"context_line":"            headers\u003d{\u0027Authorization\u0027: \u0027AWS test:tester:sig\u0027,"},{"line_number":2515,"context_line":"                     \u0027Date\u0027: date_header},"},{"line_number":2516,"context_line":"        )"},{"line_number":2517,"context_line":"        with mock.patch(\u0027swift.common.middleware.s3api.s3request.\u0027"},{"line_number":2518,"context_line":"                        \u0027SigCheckerV2.check_signature\u0027,"},{"line_number":2519,"context_line":"                        mock.MagicMock(side_effect\u003d[check_sig])) as mock_cs:"},{"line_number":2520,"context_line":"            status, headers, body \u003d self._do_test_call_app(req, app)"}],"source_content_type":"text/x-python","patch_set":2,"id":"ba862d68_2b437501","line":2517,"updated":"2026-01-29 16:54:03.000000000","message":"could you add a comment to remind us that\n\n```\ncheck_signature is called by tempauth while it first handles the request\n```","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2514,"context_line":"            headers\u003d{\u0027Authorization\u0027: \u0027AWS test:tester:sig\u0027,"},{"line_number":2515,"context_line":"                     \u0027Date\u0027: date_header},"},{"line_number":2516,"context_line":"        )"},{"line_number":2517,"context_line":"        with mock.patch(\u0027swift.common.middleware.s3api.s3request.\u0027"},{"line_number":2518,"context_line":"                        \u0027SigCheckerV2.check_signature\u0027,"},{"line_number":2519,"context_line":"                        mock.MagicMock(side_effect\u003d[check_sig])) as mock_cs:"},{"line_number":2520,"context_line":"            status, headers, body \u003d self._do_test_call_app(req, app)"}],"source_content_type":"text/x-python","patch_set":2,"id":"d9189dca_317a5a06","line":2517,"in_reply_to":"ba862d68_2b437501","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2538,"context_line":"            \u0027api\u0027: \u0027S3\u0027,"},{"line_number":2539,"context_line":"        })"},{"line_number":2540,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2541,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2542,"context_line":""},{"line_number":2543,"context_line":"    def test_tempauth_base_labels_with_s3api_authorization_invalid(self):"},{"line_number":2544,"context_line":"        req, status \u003d self._do_test_s3_tempauth(False)"}],"source_content_type":"text/x-python","patch_set":2,"id":"d6c45224_3983e40a","line":2541,"updated":"2026-01-29 16:54:03.000000000","message":"ok, tempauth is the authz for the request\n\ncan we assert the env[\u0027swift.base_labels\u0027] of the requests reaching fake_swift","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2538,"context_line":"            \u0027api\u0027: \u0027S3\u0027,"},{"line_number":2539,"context_line":"        })"},{"line_number":2540,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2541,"context_line":"                         \u0027/v1/AUTH_test/bucket/object\u0027)"},{"line_number":2542,"context_line":""},{"line_number":2543,"context_line":"    def test_tempauth_base_labels_with_s3api_authorization_invalid(self):"},{"line_number":2544,"context_line":"        req, status \u003d self._do_test_s3_tempauth(False)"}],"source_content_type":"text/x-python","patch_set":2,"id":"1128df2f_5e33a4d8","line":2541,"in_reply_to":"d6c45224_3983e40a","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2551,"context_line":"            \u0027api\u0027: \u0027S3\u0027,"},{"line_number":2552,"context_line":"        })"},{"line_number":2553,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2554,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2555,"context_line":""},{"line_number":2556,"context_line":"    def test_xfer_stats_put_s3api(self):"},{"line_number":2557,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":2,"id":"01bd7867_93bfb80f","line":2554,"updated":"2026-01-29 16:54:03.000000000","message":"IIUC this is an \u0027early\u0027 403, returned before the request reaches the rightmost proxy_logging and the proxy app, and therefore the authorize callback is called.\n\ncan we assert there were no fake swift requests","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2551,"context_line":"            \u0027api\u0027: \u0027S3\u0027,"},{"line_number":2552,"context_line":"        })"},{"line_number":2553,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2554,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2555,"context_line":""},{"line_number":2556,"context_line":"    def test_xfer_stats_put_s3api(self):"},{"line_number":2557,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dTrue)"}],"source_content_type":"text/x-python","patch_set":2,"id":"b650bcca_db389381","line":2554,"in_reply_to":"01bd7867_93bfb80f","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"0abf718489d0bfe2778e20ad94400326792f5235","unresolved":true,"context_lines":[{"line_number":2552,"context_line":"        })"},{"line_number":2553,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2554,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2555,"context_line":""},{"line_number":2556,"context_line":"    def test_xfer_stats_put_s3api(self):"},{"line_number":2557,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dTrue)"},{"line_number":2558,"context_line":"        buffer_str \u003d (b\u0027some stuff\\n\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"0082e6cc_341c3f94","line":2555,"updated":"2026-01-29 16:54:03.000000000","message":"is there a case missing? tempauth succeeds in get_groups but then denies the request in ``authorize``? the path and base_labels *should be updated*","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":36606,"name":"Yan Xiao","display_name":"Yan","email":"yanxiao@nvidia.com","username":"yanxiao"},"change_message_id":"25aed6d674ab06b6df5d415ea6b32f42371a5013","unresolved":false,"context_lines":[{"line_number":2552,"context_line":"        })"},{"line_number":2553,"context_line":"        self.assertEqual(req.environ[\u0027swift.backend_path\u0027],"},{"line_number":2554,"context_line":"                         \u0027/v1/test:tester/bucket/object\u0027)"},{"line_number":2555,"context_line":""},{"line_number":2556,"context_line":"    def test_xfer_stats_put_s3api(self):"},{"line_number":2557,"context_line":"        app, swift \u003d self._make_logged_pipeline(rewrite_path\u003dTrue)"},{"line_number":2558,"context_line":"        buffer_str \u003d (b\u0027some stuff\\n\u0027"}],"source_content_type":"text/x-python","patch_set":2,"id":"62590358_4ac5522c","line":2555,"in_reply_to":"0082e6cc_341c3f94","updated":"2026-02-05 22:19:44.000000000","message":"Acknowledged","commit_id":"2abf0f8e9abc930d525c635ebe98369a9e8a35e6"},{"author":{"_account_id":7847,"name":"Alistair Coles","email":"alistairncoles@gmail.com","username":"acoles"},"change_message_id":"d24d292ffc1f88ce56425366e441c2b11c210cff","unresolved":true,"context_lines":[{"line_number":697,"context_line":"        app.statsd \u003d self.statsd"},{"line_number":698,"context_line":"        exp_labels \u003d {\u0027resource\u0027: \u0027UNKNOWN\u0027,"},{"line_number":699,"context_line":"                      \u0027method\u0027: \u0027GET\u0027,"},{"line_number":700,"context_line":"                      \u0027account\u0027: \u0027\u0027,"},{"line_number":701,"context_line":"                      \u0027api\u0027: \u0027swift\u0027,"},{"line_number":702,"context_line":"                      \u0027status\u0027: 200}"},{"line_number":703,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"86e502aa_574212fc","line":700,"updated":"2026-03-13 16:00:02.000000000","message":"this feels like it is an existing bug that could be fixed a priori","commit_id":"cbca693e9bb5b59fa7ffb80c305c6a153abdb0ec"}]}