Make ec2 auth actually work

Vishvananda Ishaya 2012-02-06 23:01:10 +00:00 committed by termie
parent 4054253aa5
commit b6a142d840
3 changed files with 27 additions and 19 deletions


@ -2,7 +2,6 @@ from __future__ import absolute_import
import json import json
import logging import logging
import os
import sys import sys
import StringIO import StringIO
import textwrap import textwrap


@ -75,17 +75,17 @@ class Ec2Signer(object):
def generate(self, credentials): def generate(self, credentials):
"""Generate auth string according to what SignatureVersion is given.""" """Generate auth string according to what SignatureVersion is given."""
if credentials.params['SignatureVersion'] == '0': if credentials['params']['SignatureVersion'] == '0':
return self._calc_signature_0(credentials.params) return self._calc_signature_0(credentials['params'])
if credentials.params['SignatureVersion'] == '1': if credentials['params']['SignatureVersion'] == '1':
return self._calc_signature_1(credentials.params) return self._calc_signature_1(credentials['params'])
if credentials.params['SignatureVersion'] == '2': if credentials['params']['SignatureVersion'] == '2':
return self._calc_signature_2(credentials.params, return self._calc_signature_2(credentials['params'],
credentials.verb, credentials['verb'],
credentials.host, credentials['host'],
credentials.path) credentials['path'])
raise Exception('Unknown Signature Version: %s' % raise Exception('Unknown Signature Version: %s' %
credentials.params['SignatureVersion']) credentials['params']['SignatureVersion'])
@staticmethod @staticmethod
def _get_utf8_value(value): def _get_utf8_value(value):
@ -115,7 +115,7 @@ class Ec2Signer(object):
def _calc_signature_2(self, params, verb, server_string, path): def _calc_signature_2(self, params, verb, server_string, path):
"""Generate AWS signature version 2 string.""" """Generate AWS signature version 2 string."""
LOG.debug('using _calc_signature_2') logging.debug('using _calc_signature_2')
string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path) string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
if self.hmac_256: if self.hmac_256:
current_hmac = self.hmac_256 current_hmac = self.hmac_256
@ -131,13 +131,13 @@ class Ec2Signer(object):
val = urllib.quote(val, safe='-_~') val = urllib.quote(val, safe='-_~')
pairs.append(urllib.quote(key, safe='') + '=' + val) pairs.append(urllib.quote(key, safe='') + '=' + val)
qs = '&'.join(pairs) qs = '&'.join(pairs)
LOG.debug('query string: %s', qs) logging.debug('query string: %s', qs)
string_to_sign += qs string_to_sign += qs
LOG.debug('string_to_sign: %s', string_to_sign) logging.debug('string_to_sign: %s', string_to_sign)
current_hmac.update(string_to_sign) current_hmac.update(string_to_sign)
b64 = base64.b64encode(current_hmac.digest()) b64 = base64.b64encode(current_hmac.digest())
LOG.debug('len(b64)=%d', len(b64)) logging.debug('len(b64)=%d', len(b64))
LOG.debug('base64 encoded digest: %s', b64) logging.debug('base64 encoded digest: %s', b64)
return b64 return b64
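Review bot: The debug lines at the end of _calc_signature_2 write the full string to sign and the base64 digest, which is the expected signature for the request, into the log. After this change they also go through the root `logging` module instead of a module logger, so they can no longer be filtered or silenced by logger name. Anyone with read access to debug logs therefore sees the authenticator for a request whose other fields are logged next to it. I would drop `logging.debug('base64 encoded digest: %s', b64)`, keep at most the length line, and define a module logger with `LOG = logging.getLogger(__name__)` rather than calling `logging.debug` directly. Parts of _calc_signature_2 between the hmac selection and the query-string loop are outside the visible hunks.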


@ -22,6 +22,8 @@ glance to list images needed to perform the requested task.
import uuid import uuid
import webob.exc
from keystone import catalog from keystone import catalog
from keystone import config from keystone import config
from keystone import identity from keystone import identity
@ -86,7 +88,7 @@ class Ec2Controller(wsgi.Application):
super(Ec2Controller, self).__init__() super(Ec2Controller, self).__init__()
def check_signature(self, creds_ref, credentials): def check_signature(self, creds_ref, credentials):
signer = utils.Signer(creds_ref['secret']) signer = utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials) signature = signer.generate(credentials)
if signature == credentials['signature']: if signature == credentials['signature']:
return return
@ -98,9 +100,11 @@ class Ec2Controller(wsgi.Application):
signature = signer.generate(credentials) signature = signer.generate(credentials)
if signature != credentials.signature: if signature != credentials.signature:
# TODO(termie): proper exception # TODO(termie): proper exception
raise Exception("Not Authorized") msg = "Invalid signature"
raise webob.exc.HTTPUnauthorized(explanation=msg)
else: else:
raise Exception("Not Authorized") msg = "Signature not supplied"
raise webob.exc.HTTPUnauthorized(explanation=msg)
def authenticate(self, context, credentials=None, def authenticate(self, context, credentials=None,
ec2Credentials=None): ec2Credentials=None):
@ -129,8 +133,13 @@ class Ec2Controller(wsgi.Application):
# NOTE(termie): backwards compat hack # NOTE(termie): backwards compat hack
if not credentials and ec2Credentials: if not credentials and ec2Credentials:
credentials = ec2Credentials credentials = ec2Credentials
creds_ref = self.ec2_api.get_credential(context, creds_ref = self.ec2_api.get_credential(context,
credentials['access']) credentials['access'])
if not creds_ref:
msg = "Access key not found"
raise webob.exc.HTTPUnauthorized(explanation=msg)
self.check_signature(creds_ref, credentials) self.check_signature(creds_ref, credentials)
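Review bot: In check_signature the retry comparison still reads `credentials.signature`, while the first comparison and the rest of this commit use `credentials['signature']`. If credentials is a plain dict, as the other changes suggest, that branch raises AttributeError instead of returning 401, so it should read `if signature != credentials['signature']:`. Both comparisons use `==`/`!=` on the HMAC output, which is not constant-time; a constant-time comparison such as `hmac.compare_digest(signature, credentials['signature'])` is preferable where the runtime provides it. The three new explanations ("Access key not found", "Invalid signature", "Signature not supplied") also let a caller tell a known access key from an unknown one, so consider returning one generic message to the client and keeping the detail in the server log. The lines between the first comparison and the retry are outside the visible hunks.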