Make ec2 auth actually work

Vishvananda Ishaya 2012-02-06 23:01:10 +00:00 committed by termie
parent 4054253aa5
commit b6a142d840
3 changed files with 27 additions and 19 deletions


@ -2,7 +2,6 @@ from __future__ import absolute_import
import json
import logging
import os
import sys
import StringIO
import textwrap


@ -75,17 +75,17 @@ class Ec2Signer(object):
def generate(self, credentials):
"""Generate auth string according to what SignatureVersion is given."""
if credentials.params['SignatureVersion'] == '0':
return self._calc_signature_0(credentials.params)
if credentials.params['SignatureVersion'] == '1':
return self._calc_signature_1(credentials.params)
if credentials.params['SignatureVersion'] == '2':
return self._calc_signature_2(credentials.params,
credentials.verb,
credentials.host,
credentials.path)
if credentials['params']['SignatureVersion'] == '0':
return self._calc_signature_0(credentials['params'])
if credentials['params']['SignatureVersion'] == '1':
return self._calc_signature_1(credentials['params'])
if credentials['params']['SignatureVersion'] == '2':
return self._calc_signature_2(credentials['params'],
credentials['verb'],
credentials['host'],
credentials['path'])
raise Exception('Unknown Signature Version: %s' %
credentials.params['SignatureVersion'])
credentials['params']['SignatureVersion'])
@staticmethod
def _get_utf8_value(value):
@ -115,7 +115,7 @@ class Ec2Signer(object):
def _calc_signature_2(self, params, verb, server_string, path):
"""Generate AWS signature version 2 string."""
LOG.debug('using _calc_signature_2')
logging.debug('using _calc_signature_2')
string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
if self.hmac_256:
current_hmac = self.hmac_256
@ -131,13 +131,13 @@ class Ec2Signer(object):
val = urllib.quote(val, safe='-_~')
pairs.append(urllib.quote(key, safe='') + '=' + val)
qs = '&'.join(pairs)
LOG.debug('query string: %s', qs)
logging.debug('query string: %s', qs)
string_to_sign += qs
LOG.debug('string_to_sign: %s', string_to_sign)
logging.debug('string_to_sign: %s', string_to_sign)
current_hmac.update(string_to_sign)
b64 = base64.b64encode(current_hmac.digest())
LOG.debug('len(b64)=%d', len(b64))
LOG.debug('base64 encoded digest: %s', b64)
logging.debug('len(b64)=%d', len(b64))
logging.debug('base64 encoded digest: %s', b64)
return b64
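Review bot: The `logging.debug` calls in `_calc_signature_2` write the full string to sign and the base64 digest to the root logger, and that digest is the exact signature the server accepts for the request. With debug logging enabled, the log then holds a valid signature for every request that reaches this function, whether or not the caller's own signature was correct. I would drop `logging.debug('base64 encoded digest: %s', b64)`, keep at most the length line, and send the remaining messages through a module-level logger (`logging.getLogger(__name__)`) so the level can be set for this module alone. The body of `_calc_signature_2` continues between and outside the two hunks shown.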


@ -22,6 +22,8 @@ glance to list images needed to perform the requested task.
import uuid
import webob.exc
from keystone import catalog
from keystone import config
from keystone import identity
@ -86,7 +88,7 @@ class Ec2Controller(wsgi.Application):
super(Ec2Controller, self).__init__()
def check_signature(self, creds_ref, credentials):
signer = utils.Signer(creds_ref['secret'])
signer = utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
if signature == credentials['signature']:
return
@ -98,9 +100,11 @@ class Ec2Controller(wsgi.Application):
signature = signer.generate(credentials)
if signature != credentials.signature:
# TODO(termie): proper exception
raise Exception("Not Authorized")
msg = "Invalid signature"
raise webob.exc.HTTPUnauthorized(explanation=msg)
else:
raise Exception("Not Authorized")
msg = "Signature not supplied"
raise webob.exc.HTTPUnauthorized(explanation=msg)
def authenticate(self, context, credentials=None,
ec2Credentials=None):
@ -129,8 +133,13 @@ class Ec2Controller(wsgi.Application):
# NOTE(termie): backwards compat hack
if not credentials and ec2Credentials:
credentials = ec2Credentials
creds_ref = self.ec2_api.get_credential(context,
credentials['access'])
if not creds_ref:
msg = "Access key not found"
raise webob.exc.HTTPUnauthorized(explanation=msg)
self.check_signature(creds_ref, credentials)
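Review bot: Both comparisons in `check_signature` use plain `==`/`!=` on the HMAC strings, which stops at the first differing byte and so leaks timing information about the expected signature. The second comparison also reads `credentials.signature` while the rest of this commit moved to `credentials['signature']`, so the retry path would likely raise AttributeError on a dict instead of returning 401. Compare with a constant-time function, e.g. `if not hmac.compare_digest(signature, credentials['signature']):` where the interpreter provides it, or an equivalent helper that examines every byte. The `else` branch reports "Signature not supplied", but its condition is outside the visible lines, so confirm it is not reached on an ordinary mismatch. Parts of `check_signature` fall between the two hunks.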