Exemple #1
0
    def _unpack_request_attributes(self, req):
        os_instance_id = req.headers.get('X-Instance-ID')
        project_id = req.headers.get('X-Tenant-ID')
        signature = req.headers.get('X-Instance-ID-Signature')
        remote_ip = req.headers.get('X-Forwarded-For')

        if not remote_ip:
            raise exception.EC2MetadataInvalidAddress()

        if os_instance_id is None:
            msg = _('X-Instance-ID header is missing from request.')
        elif project_id is None:
            msg = _('X-Tenant-ID header is missing from request.')
        elif not isinstance(os_instance_id, six.string_types):
            msg = _('Multiple X-Instance-ID headers found within request.')
        elif not isinstance(project_id, six.string_types):
            msg = _('Multiple X-Tenant-ID headers found within request.')
        else:
            msg = None

        if msg:
            raise webob.exc.HTTPBadRequest(explanation=msg)

        expected_signature = hmac.new(
            CONF.metadata.metadata_proxy_shared_secret, os_instance_id,
            hashlib.sha256).hexdigest()

        if not utils.constant_time_compare(expected_signature, signature):
            LOG.warning(
                _LW('X-Instance-ID-Signature: %(signature)s does '
                    'not match the expected value: '
                    '%(expected_signature)s for id: '
                    '%(instance_id)s. Request From: '
                    '%(remote_ip)s'), {
                        'signature': signature,
                        'expected_signature': expected_signature,
                        'instance_id': os_instance_id,
                        'remote_ip': remote_ip
                    })

            msg = _('Invalid proxy request signature.')
            raise webob.exc.HTTPForbidden(explanation=msg)

        return os_instance_id, project_id, remote_ip
Exemple #2
0
    def _unpack_request_attributes(self, req):
        os_instance_id = req.headers.get('X-Instance-ID')
        project_id = req.headers.get('X-Tenant-ID')
        signature = req.headers.get('X-Instance-ID-Signature')
        remote_ip = req.headers.get('X-Forwarded-For')

        if not remote_ip:
            raise exception.EC2MetadataInvalidAddress()

        if os_instance_id is None:
            msg = _('X-Instance-ID header is missing from request.')
        elif project_id is None:
            msg = _('X-Tenant-ID header is missing from request.')
        elif not isinstance(os_instance_id, six.string_types):
            msg = _('Multiple X-Instance-ID headers found within request.')
        elif not isinstance(project_id, six.string_types):
            msg = _('Multiple X-Tenant-ID headers found within request.')
        else:
            msg = None

        if msg:
            raise webob.exc.HTTPBadRequest(explanation=msg)

        expected_signature = hmac.new(
            CONF.metadata.metadata_proxy_shared_secret,
            os_instance_id,
            hashlib.sha256).hexdigest()

        if not utils.constant_time_compare(expected_signature, signature):
            LOG.warning(_LW(
                            'X-Instance-ID-Signature: %(signature)s does '
                            'not match the expected value: '
                            '%(expected_signature)s for id: '
                            '%(instance_id)s. Request From: '
                            '%(remote_ip)s'),
                        {'signature': signature,
                         'expected_signature': expected_signature,
                         'instance_id': os_instance_id,
                         'remote_ip': remote_ip})

            msg = _('Invalid proxy request signature.')
            raise webob.exc.HTTPForbidden(explanation=msg)

        return os_instance_id, project_id, remote_ip
Exemple #3
0
    def _validate_signature(self, signature, requester_id, requester_ip):
        expected_signature = hmac.new(
            CONF.metadata.metadata_proxy_shared_secret.encode("utf-8"),
            requester_id.encode(),
            hashlib.sha256).hexdigest()

        if not (signature and
                utils.constant_time_compare(expected_signature, signature)):
            LOG.warning('X-Instance-ID-Signature: %(signature)s does '
                        'not match the expected value: '
                        '%(expected_signature)s for id: '
                        '%(requester_id)s. Request From: '
                        '%(requester_ip)s',
                        {'signature': signature,
                         'expected_signature': expected_signature,
                         'requester_id': requester_id,
                         'requester_ip': requester_ip})

            msg = _('Invalid proxy request signature.')
            raise webob.exc.HTTPForbidden(explanation=msg)
Exemple #4
0
    def _validate_signature(self, signature, requester_id, requester_ip):
        expected_signature = hmac.new(
            CONF.metadata.metadata_proxy_shared_secret.encode("utf-8"),
            requester_id.encode(), hashlib.sha256).hexdigest()

        if not (signature and utils.constant_time_compare(
                expected_signature, signature)):
            LOG.warning(
                'X-Instance-ID-Signature: %(signature)s does '
                'not match the expected value: '
                '%(expected_signature)s for id: '
                '%(requester_id)s. Request From: '
                '%(requester_ip)s', {
                    'signature': signature,
                    'expected_signature': expected_signature,
                    'requester_id': requester_id,
                    'requester_ip': requester_ip
                })

            msg = _('Invalid proxy request signature.')
            raise webob.exc.HTTPForbidden(explanation=msg)