def _check_signature(creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
# NOTE(davechecn): credentials.get('signature') is not guaranteed to
# exist, we need to check it explicitly.
if credentials.get('signature'):
if utils.auth_str_equal(credentials['signature'], signature):
return True
# NOTE(vish): Some client libraries don't use the port when
# signing requests, so try again without the port.
elif ':' in credentials['host']:
hostname, _port = credentials.split(':')
credentials['host'] = hostname
# NOTE(davechen): we need to reinitialize 'signer' to avoid
# contaminated status of signature, this is similar with
# other programming language libraries, JAVA for example.
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
if utils.auth_str_equal(
credentials['signature'], signature):
return True
raise exception.Unauthorized(_('Invalid EC2 signature.'))
# Raise the exception when credentials.get('signature') is None
else:
raise exception.Unauthorized(
_('EC2 signature not supplied.'))
def check_signature(self, creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref["secret"])
signature = signer.generate(credentials)
# NOTE(davechen): credentials.get('signature') is not guaranteed to
# exist, we need check it explicitly.
if credentials.get("signature"):
if utils.auth_str_equal(credentials["signature"], signature):
return True
# NOTE(vish): Some client libraries don't use the port when signing
# requests, so try again without port.
elif ":" in credentials["host"]:
hostname, _port = credentials["host"].split(":")
credentials["host"] = hostname
# NOTE(davechen): we need reinitialize 'signer' to avoid
# contaminated status of signature, this is similar with
# other programming language libraries, JAVA for example.
signer = ec2_utils.Ec2Signer(creds_ref["secret"])
signature = signer.generate(credentials)
if utils.auth_str_equal(credentials["signature"], signature):
return True
raise exception.Unauthorized(message=_("Invalid EC2 signature."))
else:
raise exception.Unauthorized(message=_("EC2 signature not supplied."))
# Raise the exception when credentials.get('signature') is None
else:
raise exception.Unauthorized(message=_("EC2 signature not supplied."))
def check_signature(self, creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
if utils.auth_str_equal(credentials['signature'], signature):
return
# NOTE(vish): Some libraries don't use the port when signing
# requests, so try again without port.
elif ':' in credentials['signature']:
hostname, _port = credentials['host'].split(':')
credentials['host'] = hostname
signature = signer.generate(credentials)
if not utils.auth_str_equal(credentials.signature, signature):
raise exception.Unauthorized(message='Invalid EC2 signature.')
else:
raise exception.Unauthorized(message='EC2 signature not supplied.')
def check_signature(self, creds_ref, credentials):
msg = base64.urlsafe_b64decode(str(credentials['token']))
key = str(creds_ref['secret'])
signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
if not utils.auth_str_equal(credentials['signature'], signed):
raise exception.Unauthorized()
def check_signature(self, creds_ref, credentials):
msg = base64.urlsafe_b64decode(str(credentials["token"]))
key = str(creds_ref["secret"])
signed = base64.encodestring(hmac.new(key, msg, hashlib.sha1).digest()).strip()
if not utils.auth_str_equal(credentials["signature"], signed):
raise exception.Unauthorized("Credential signature mismatch")
def check_signature(self, creds_ref, credentials):
signer = utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
if utils.auth_str_equal(credentials['signature'], signature):
return
# NOTE(vish): Some libraries don't use the port when signing
# requests, so try again without port.
elif ':' in credentials['signature']:
hostname, _port = credentials['host'].split(':')
credentials['host'] = hostname
signature = signer.generate(credentials)
if not utils.auth_str_equal(credentials.signature, signature):
# TODO(termie): proper exception
msg = 'Invalid signature'
raise webob.exc.HTTPUnauthorized(explanation=msg)
else:
msg = 'Signature not supplied'
raise webob.exc.HTTPUnauthorized(explanation=msg)
def check_signature(self, creds_ref, credentials):
string_to_sign = base64.urlsafe_b64decode(str(credentials["token"]))
if string_to_sign[0:4] != b"AWS4":
signature = self._calculate_signature_v1(string_to_sign, creds_ref["secret"])
else:
signature = self._calculate_signature_v4(string_to_sign, creds_ref["secret"])
if not utils.auth_str_equal(credentials["signature"], signature):
raise exception.Unauthorized(message=_("Credential signature mismatch"))
def check_signature(self, creds_ref, credentials):
string_to_sign = base64.urlsafe_b64decode(str(credentials['token']))
if string_to_sign[0:4] != b'AWS4':
signature = self._calculate_signature_v1(string_to_sign,
creds_ref['secret'])
else:
signature = self._calculate_signature_v4(string_to_sign,
creds_ref['secret'])
if not utils.auth_str_equal(credentials['signature'], signature):
raise exception.Unauthorized(
message=_('Credential signature mismatch'))
def check_signature(self, creds_ref, credentials):
msg = base64.urlsafe_b64decode(str(credentials['token']))
key = str(creds_ref['secret']).encode('utf-8')
if six.PY2:
b64_encode = base64.encodestring
else:
b64_encode = base64.encodebytes
signed = b64_encode(
hmac.new(key, msg, hashlib.sha1).digest()).decode('utf-8').strip()
if not utils.auth_str_equal(credentials['signature'], signed):
raise exception.Unauthorized('Credential signature mismatch')
def test_auth_str_equal(self):
self.assertTrue(common_utils.auth_str_equal('abc123', 'abc123'))
self.assertFalse(common_utils.auth_str_equal('a', 'aaaaa'))
self.assertFalse(common_utils.auth_str_equal('aaaaa', 'a'))
self.assertFalse(common_utils.auth_str_equal('ABC123', 'abc123'))
def test_auth_str_equal(self):
self.assertTrue(common_utils.auth_str_equal("abc123", "abc123"))
self.assertFalse(common_utils.auth_str_equal("a", "aaaaa"))
self.assertFalse(common_utils.auth_str_equal("aaaaa", "a"))
self.assertFalse(common_utils.auth_str_equal("ABC123", "abc123"))
def test_auth_str_equal(self):
self.assertTrue(utils.auth_str_equal('abc123', 'abc123'))
self.assertFalse(utils.auth_str_equal('a', 'aaaaa'))
self.assertFalse(utils.auth_str_equal('aaaaa', 'a'))
self.assertFalse(utils.auth_str_equal('ABC123', 'abc123'))
def __call__(self, environ, start_response):
"""Handle incoming request. authenticate and send downstream."""
req = webob.Request(environ)
self.logger.debug('Calling S3Auth middleware.')
try:
parts = swift_utils.split_path(req.path, 1, 4, True)
version, account, container, obj = parts
except ValueError:
msg = 'Not a path query, skipping.'
self.logger.debug(msg)
return self.app(environ, start_response)
# Read request signature and access id.
if 'Authorization' not in req.headers:
msg = 'No Authorization header. skipping.'
self.logger.debug(msg)
return self.app(environ, start_response)
token = req.headers.get('X-Auth-Token',
req.headers.get('X-Storage-Token'))
if not token:
msg = 'You did not specify a auth or a storage token. skipping.'
self.logger.debug(msg)
return self.app(environ, start_response)
auth_header = req.headers['Authorization']
try:
access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
except ValueError:
msg = 'You have an invalid Authorization header: %s'
self.logger.debug(msg % (auth_header))
return self.deny_request('InvalidURI')(environ, start_response)
# NOTE(chmou): This is to handle the special case with nova
# when we have the option s3_affix_tenant. We will force it to
# connect to another account than the one
# authenticated. Before people start getting worried about
# security, I should point that we are connecting with
# username/token specified by the user but instead of
# connecting to its own account we will force it to go to an
# another account. In a normal scenario if that user don't
# have the reseller right it will just fail but since the
# reseller account can connect to every account it is allowed
# by the swift_auth middleware.
force_tenant = None
if ':' in access:
access, force_tenant = access.split(':')
# Check authentication
msg = base64.urlsafe_b64decode(str(token))
key = str(self.access_secret)
signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
if not keystone_utils.auth_str_equal(signature, signed) or \
not keystone_utils.auth_str_equal(access, self.access_id):
self.logger.debug('Failed to check credentials for %s' % access)
return self.deny_request('AccessDenied')(environ, start_response)
# Fill PATH_INFO and return
self.logger.debug('Connecting with tenant: %s' % (self.tenant_id))
new_tenant_name = '%s%s' % (self.reseller_prefix, self.tenant_id)
environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
new_tenant_name)
return self.app(environ, start_response)
