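def __call__(self, req):
    """Authenticate an EC2-style signed request and attach a RequestContext.

    Reads ``Signature`` and ``AWSAccessKeyId`` from the request parameters,
    verifies them through ``manager.AuthManager`` and, on success, stores a
    ``context.RequestContext`` in ``req.environ['synaps.context']`` before
    handing the request on to the wrapped application.

    :param req: the incoming webob-style request (``params``, ``method``,
                ``host``, ``path``, ``remote_addr``, ``headers``, ``environ``)
    :returns: an EC2 error response (HTTP 400) when the credentials are
              missing or rejected, otherwise ``self.application``
    """
    request_id = context.generate_request_id()

    # Read request signature and access id.  Both must be present.
    try:
        signature = req.params['Signature']
        access = req.params['AWSAccessKeyId']
    except KeyError:
        msg = _("Access key or signature not provided")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)

    # Make a copy of args for authentication and signature verification.
    # The signature itself is not part of the signed material.
    auth_params = dict(req.params)
    auth_params.pop('Signature')

    # Authenticate the request.
    authman = manager.AuthManager()
    try:
        (user, project) = authman.authenticate(access, signature, auth_params,
                                               req.method, req.host, req.path)
    except (exception.ResourceNotFound, exception.NotAuthorized,
            exception.InvalidSignature) as ex:
        # Be explicit about which exceptions mean "auth failed"; anything
        # else bubbles up as a 500.  The detail goes to the audit log only --
        # the client gets a generic message, so it cannot tell an unknown
        # access key apart from a bad signature.
        LOG.audit(_("Authentication Failure: %s"), unicode(ex))
        msg = _("Authentication Failure")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)

    # Authenticated!
    remote_address = req.remote_addr
    if FLAGS.use_forwarded_for:
        # NOTE(review): X-Forwarded-For is client-supplied unless a trusted
        # proxy in front of this service strips or rewrites it, and it may
        # carry a comma-separated chain; the raw header value is what gets
        # recorded here.  Only enable use_forwarded_for behind such a proxy.
        remote_address = req.headers.get('X-Forwarded-For', remote_address)
    roles = authman.get_active_roles(user, project)
    ctxt = context.RequestContext(user_id=user.id,
                                  project_id=project.id,
                                  is_admin=user.is_admin(),
                                  roles=roles,
                                  remote_address=remote_address)
    req.environ['synaps.context'] = ctxt

    # Audit the successful authentication (message previously had an
    # unbalanced closing parenthesis; explicit mapping instead of locals()).
    msg = _('Authenticated Request For %(uname)s:%(pname)s') % {
        'uname': user.name,
        'pname': project.name,
    }
    LOG.audit(msg, context=req.environ['synaps.context'])
    return self.application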
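def __call__(self, req):
    """Validate EC2-style credentials against Keystone and attach a context.

    Reads ``Signature`` and ``AWSAccessKeyId`` from the request parameters,
    POSTs them (together with the request verb, host, path and remaining
    parameters) to ``FLAGS.keystone_ec2_url`` and, on a 200 reply, builds a
    ``context.RequestContext`` from the returned token, storing it in
    ``req.environ['synaps.context']`` before handing the request on to the
    wrapped application.

    :param req: the incoming webob-style request
    :returns: an EC2 error response (HTTP 400) when the credentials are
              missing, Keystone rejects them, Keystone cannot be reached, or
              its reply is malformed; otherwise ``self.application``
    """
    request_id = context.generate_request_id()

    signature = req.params.get('Signature')
    if not signature:
        msg = _("Signature not provided")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)
    access = req.params.get('AWSAccessKeyId')
    if not access:
        msg = _("Access key not provided")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)

    # Make a copy of args for authentication and signature verification.
    # The signature itself is not part of the signed material.
    auth_params = dict(req.params)
    auth_params.pop('Signature')

    cred_dict = {
        'access': access,
        'signature': signature,
        'host': req.host,
        'verb': req.method,
        'path': req.path,
        'params': auth_params,
    }
    # Two request shapes, selected by the configured URL: the dedicated
    # ec2tokens endpoint vs. the OS-KSEC2 extension of the tokens endpoint.
    if "ec2" in FLAGS.keystone_ec2_url:
        creds = {'ec2Credentials': cred_dict}
    else:
        creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}}
    creds_json = jsonutils.dumps(creds)
    headers = {'Content-Type': 'application/json'}

    o = urlparse.urlparse(FLAGS.keystone_ec2_url)
    # NOTE(review): everything in the Keystone reply (user id, tenant id,
    # roles, token) is trusted verbatim.  With httplib on Python < 2.7.9,
    # HTTPSConnection does not verify the server certificate, so a MITM on
    # this link could hand back a forged, fully privileged context -- confirm
    # the runtime / TLS setup.  No timeout is configured either; a hung
    # Keystone blocks this worker for as long as the socket default allows.
    if o.scheme == "http":
        conn = httplib.HTTPConnection(o.netloc)
    else:
        conn = httplib.HTTPSConnection(o.netloc)
    try:
        conn.request('POST', o.path, body=creds_json, headers=headers)
        response = conn.getresponse()
        data = response.read()
    except (IOError, httplib.HTTPException) as e:
        # Transport-level failure (refused, reset, bad status line).
        # socket.error/ssl.SSLError are IOError subclasses on Python 2.6+.
        # Reported the same way as any other non-200 outcome.
        LOG.exception(_("Keystone failure: %s") % e)
        msg = _("Failure communicating with keystone")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)
    finally:
        # Release the socket on every path, not only after a successful
        # decode.
        conn.close()

    if response.status != 200:
        # A 401 surfaces Keystone's own reason phrase; anything else is
        # reported opaquely.
        if response.status == 401:
            msg = response.reason
        else:
            msg = _("Failure communicating with keystone")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)

    try:
        # Assumes jsonutils.loads raises ValueError on an undecodable body,
        # like json.loads.  TypeError covers a document of the wrong shape
        # (a string or list where a dict is expected); previously a
        # malformed body or shape went unhandled and became a 500.
        result = jsonutils.loads(data)
        token_id = result['access']['token']['id']
        user_id = result['access']['user']['id']
        project_id = result['access']['token']['tenant']['id']
        user_name = result['access']['user'].get('name')
        project_name = result['access']['token']['tenant'].get('name')
        roles = [role['name'] for role in result['access']['user']['roles']]
    except (ValueError, TypeError, AttributeError, KeyError) as e:
        LOG.exception(_("Keystone failure: %s") % e)
        msg = _("Failure communicating with keystone")
        return faults.ec2_error_response(request_id, "Unauthorized",
                                         msg, status=400)

    remote_address = req.remote_addr
    if FLAGS.use_forwarded_for:
        # NOTE(review): X-Forwarded-For is client-supplied unless a trusted
        # proxy strips or rewrites it, and may carry a comma-separated chain;
        # the raw header value is recorded.  Only enable use_forwarded_for
        # behind such a proxy.
        remote_address = req.headers.get('X-Forwarded-For', remote_address)

    # The reply also carries a serviceCatalog; the context built here does
    # not take it (nor the user/tenant names).  TODO(review): confirm whether
    # RequestContext accepts user_name/project_name/service_catalog kwargs
    # before wiring them through.  Not looking the catalog up means a reply
    # without one no longer raises an uncaught KeyError (500).
    ctxt = context.RequestContext(user_id, project_id,
                                  roles=roles,
                                  auth_token=token_id,
                                  remote_address=remote_address)
    req.environ['synaps.context'] = ctxt

    # Audit the successful authentication, as the AuthManager-based
    # middleware does.
    msg = _('Authenticated Request For %(uname)s:%(pname)s') % {
        'uname': user_name,
        'pname': project_name,
    }
    LOG.audit(msg, context=ctxt)
    return self.application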