Exemplo n.º 1
0
 def _check_signature(creds_ref, credentials):
     signer = ec2_utils.Ec2Signer(creds_ref['secret'])
     signature = signer.generate(credentials)
     # NOTE(davechecn): credentials.get('signature') is not guaranteed to
     # exist, we need to check it explicitly.
     if credentials.get('signature'):
         if utils.auth_str_equal(credentials['signature'], signature):
             return True
         # NOTE(vish): Some client libraries don't use the port when
         # signing requests, so try again without the port.
         elif ':' in credentials['host']:
             hostname, _port = credentials.split(':')
             credentials['host'] = hostname
             # NOTE(davechen): we need to reinitialize 'signer' to avoid
             # contaminated status of signature, this is similar with
             # other programming language libraries, JAVA for example.
             signer = ec2_utils.Ec2Signer(creds_ref['secret'])
             signature = signer.generate(credentials)
             if utils.auth_str_equal(
                     credentials['signature'], signature):
                 return True
         raise exception.Unauthorized(_('Invalid EC2 signature.'))
     # Raise the exception when credentials.get('signature') is None
     else:
         raise exception.Unauthorized(
             _('EC2 signature not supplied.'))
Exemplo n.º 2
0
 def check_signature(self, creds_ref, credentials):
     signer = ec2_utils.Ec2Signer(creds_ref["secret"])
     signature = signer.generate(credentials)
     # NOTE(davechen): credentials.get('signature') is not guaranteed to
     # exist, we need check it explicitly.
     if credentials.get("signature"):
         if utils.auth_str_equal(credentials["signature"], signature):
             return True
         # NOTE(vish): Some client libraries don't use the port when signing
         #             requests, so try again without port.
         elif ":" in credentials["host"]:
             hostname, _port = credentials["host"].split(":")
             credentials["host"] = hostname
             # NOTE(davechen): we need reinitialize 'signer' to avoid
             # contaminated status of signature, this is similar with
             # other programming language libraries, JAVA for example.
             signer = ec2_utils.Ec2Signer(creds_ref["secret"])
             signature = signer.generate(credentials)
             if utils.auth_str_equal(credentials["signature"], signature):
                 return True
             raise exception.Unauthorized(message=_("Invalid EC2 signature."))
         else:
             raise exception.Unauthorized(message=_("EC2 signature not supplied."))
     # Raise the exception when credentials.get('signature') is None
     else:
         raise exception.Unauthorized(message=_("EC2 signature not supplied."))
Exemplo n.º 3
0
 def check_signature(self, creds_ref, credentials):
     signer = ec2_utils.Ec2Signer(creds_ref['secret'])
     signature = signer.generate(credentials)
     if utils.auth_str_equal(credentials['signature'], signature):
         return
     # NOTE(vish): Some libraries don't use the port when signing
     #             requests, so try again without port.
     elif ':' in credentials['signature']:
         hostname, _port = credentials['host'].split(':')
         credentials['host'] = hostname
         signature = signer.generate(credentials)
         if not utils.auth_str_equal(credentials.signature, signature):
             raise exception.Unauthorized(message='Invalid EC2 signature.')
     else:
         raise exception.Unauthorized(message='EC2 signature not supplied.')
Exemplo n.º 4
0
    def check_signature(self, creds_ref, credentials):
        msg = base64.urlsafe_b64decode(str(credentials['token']))
        key = str(creds_ref['secret'])
        signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()

        if not utils.auth_str_equal(credentials['signature'], signed):
            raise exception.Unauthorized()
Exemplo n.º 5
0
    def check_signature(self, creds_ref, credentials):
        msg = base64.urlsafe_b64decode(str(credentials["token"]))
        key = str(creds_ref["secret"])
        signed = base64.encodestring(hmac.new(key, msg, hashlib.sha1).digest()).strip()

        if not utils.auth_str_equal(credentials["signature"], signed):
            raise exception.Unauthorized("Credential signature mismatch")
Exemplo n.º 6
0
 def check_signature(self, creds_ref, credentials):
     signer = utils.Ec2Signer(creds_ref['secret'])
     signature = signer.generate(credentials)
     if utils.auth_str_equal(credentials['signature'], signature):
         return
     # NOTE(vish): Some libraries don't use the port when signing
     #             requests, so try again without port.
     elif ':' in credentials['signature']:
         hostname, _port = credentials['host'].split(':')
         credentials['host'] = hostname
         signature = signer.generate(credentials)
         if not utils.auth_str_equal(credentials.signature, signature):
             # TODO(termie): proper exception
             msg = 'Invalid signature'
             raise webob.exc.HTTPUnauthorized(explanation=msg)
     else:
         msg = 'Signature not supplied'
         raise webob.exc.HTTPUnauthorized(explanation=msg)
Exemplo n.º 7
0
    def check_signature(self, creds_ref, credentials):
        string_to_sign = base64.urlsafe_b64decode(str(credentials["token"]))

        if string_to_sign[0:4] != b"AWS4":
            signature = self._calculate_signature_v1(string_to_sign, creds_ref["secret"])
        else:
            signature = self._calculate_signature_v4(string_to_sign, creds_ref["secret"])

        if not utils.auth_str_equal(credentials["signature"], signature):
            raise exception.Unauthorized(message=_("Credential signature mismatch"))
Exemplo n.º 8
0
    def check_signature(self, creds_ref, credentials):
        string_to_sign = base64.urlsafe_b64decode(str(credentials['token']))

        if string_to_sign[0:4] != b'AWS4':
            signature = self._calculate_signature_v1(string_to_sign,
                                                     creds_ref['secret'])
        else:
            signature = self._calculate_signature_v4(string_to_sign,
                                                     creds_ref['secret'])

        if not utils.auth_str_equal(credentials['signature'], signature):
            raise exception.Unauthorized(
                message=_('Credential signature mismatch'))
Exemplo n.º 9
0
    def check_signature(self, creds_ref, credentials):
        msg = base64.urlsafe_b64decode(str(credentials['token']))
        key = str(creds_ref['secret']).encode('utf-8')

        if six.PY2:
            b64_encode = base64.encodestring
        else:
            b64_encode = base64.encodebytes

        signed = b64_encode(
            hmac.new(key, msg, hashlib.sha1).digest()).decode('utf-8').strip()

        if not utils.auth_str_equal(credentials['signature'], signed):
            raise exception.Unauthorized('Credential signature mismatch')
Exemplo n.º 10
0
 def test_auth_str_equal(self):
     self.assertTrue(common_utils.auth_str_equal('abc123', 'abc123'))
     self.assertFalse(common_utils.auth_str_equal('a', 'aaaaa'))
     self.assertFalse(common_utils.auth_str_equal('aaaaa', 'a'))
     self.assertFalse(common_utils.auth_str_equal('ABC123', 'abc123'))
Exemplo n.º 11
0
 def test_auth_str_equal(self):
     self.assertTrue(common_utils.auth_str_equal("abc123", "abc123"))
     self.assertFalse(common_utils.auth_str_equal("a", "aaaaa"))
     self.assertFalse(common_utils.auth_str_equal("aaaaa", "a"))
     self.assertFalse(common_utils.auth_str_equal("ABC123", "abc123"))
Exemplo n.º 12
0
 def test_auth_str_equal(self):
     self.assertTrue(utils.auth_str_equal('abc123', 'abc123'))
     self.assertFalse(utils.auth_str_equal('a', 'aaaaa'))
     self.assertFalse(utils.auth_str_equal('aaaaa', 'a'))
     self.assertFalse(utils.auth_str_equal('ABC123', 'abc123'))
Exemplo n.º 13
0
    def __call__(self, environ, start_response):
        """Handle incoming request. authenticate and send downstream."""
        req = webob.Request(environ)
        self.logger.debug('Calling S3Auth middleware.')

        try:
            parts = swift_utils.split_path(req.path, 1, 4, True)
            version, account, container, obj = parts
        except ValueError:
            msg = 'Not a path query, skipping.'
            self.logger.debug(msg)
            return self.app(environ, start_response)

        # Read request signature and access id.
        if 'Authorization' not in req.headers:
            msg = 'No Authorization header. skipping.'
            self.logger.debug(msg)
            return self.app(environ, start_response)

        token = req.headers.get('X-Auth-Token',
                                req.headers.get('X-Storage-Token'))
        if not token:
            msg = 'You did not specify a auth or a storage token. skipping.'
            self.logger.debug(msg)
            return self.app(environ, start_response)

        auth_header = req.headers['Authorization']
        try:
            access, signature = auth_header.split(' ')[-1].rsplit(':', 1)
        except ValueError:
            msg = 'You have an invalid Authorization header: %s'
            self.logger.debug(msg % (auth_header))
            return self.deny_request('InvalidURI')(environ, start_response)

        # NOTE(chmou): This is to handle the special case with nova
        # when we have the option s3_affix_tenant. We will force it to
        # connect to another account than the one
        # authenticated. Before people start getting worried about
        # security, I should point that we are connecting with
        # username/token specified by the user but instead of
        # connecting to its own account we will force it to go to an
        # another account. In a normal scenario if that user don't
        # have the reseller right it will just fail but since the
        # reseller account can connect to every account it is allowed
        # by the swift_auth middleware.
        force_tenant = None
        if ':' in access:
            access, force_tenant = access.split(':')

        # Check authentication
        msg = base64.urlsafe_b64decode(str(token))
        key = str(self.access_secret)
        signed = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()

        if not keystone_utils.auth_str_equal(signature, signed) or \
           not keystone_utils.auth_str_equal(access, self.access_id):
            self.logger.debug('Failed to check credentials for %s' % access)
            return self.deny_request('AccessDenied')(environ, start_response)


        # Fill PATH_INFO and return
        self.logger.debug('Connecting with tenant: %s' % (self.tenant_id))
        new_tenant_name = '%s%s' % (self.reseller_prefix, self.tenant_id)
        environ['PATH_INFO'] = environ['PATH_INFO'].replace(account,
                                                            new_tenant_name)
        return self.app(environ, start_response)