Make ec2 auth actually work
parent
4054253aa5
commit
b6a142d840
@ -2,7 +2,6 @@ from __future__ import absolute_import
|
|||||||
|
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
import os
|
|
||||||
import sys
|
import sys
|
||||||
import StringIO
|
import StringIO
|
||||||
import textwrap
|
import textwrap
|
||||||
|
@ -75,17 +75,17 @@ class Ec2Signer(object):
|
|||||||
|
|
||||||
def generate(self, credentials):
|
def generate(self, credentials):
|
||||||
"""Generate auth string according to what SignatureVersion is given."""
|
"""Generate auth string according to what SignatureVersion is given."""
|
||||||
if credentials.params['SignatureVersion'] == '0':
|
if credentials['params']['SignatureVersion'] == '0':
|
||||||
return self._calc_signature_0(credentials.params)
|
return self._calc_signature_0(credentials['params'])
|
||||||
if credentials.params['SignatureVersion'] == '1':
|
if credentials['params']['SignatureVersion'] == '1':
|
||||||
return self._calc_signature_1(credentials.params)
|
return self._calc_signature_1(credentials['params'])
|
||||||
if credentials.params['SignatureVersion'] == '2':
|
if credentials['params']['SignatureVersion'] == '2':
|
||||||
return self._calc_signature_2(credentials.params,
|
return self._calc_signature_2(credentials['params'],
|
||||||
credentials.verb,
|
credentials['verb'],
|
||||||
credentials.host,
|
credentials['host'],
|
||||||
credentials.path)
|
credentials['path'])
|
||||||
raise Exception('Unknown Signature Version: %s' %
|
raise Exception('Unknown Signature Version: %s' %
|
||||||
credentials.params['SignatureVersion'])
|
credentials['params']['SignatureVersion'])
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def _get_utf8_value(value):
|
def _get_utf8_value(value):
|
||||||
@ -115,7 +115,7 @@ class Ec2Signer(object):
|
|||||||
|
|
||||||
def _calc_signature_2(self, params, verb, server_string, path):
|
def _calc_signature_2(self, params, verb, server_string, path):
|
||||||
"""Generate AWS signature version 2 string."""
|
"""Generate AWS signature version 2 string."""
|
||||||
LOG.debug('using _calc_signature_2')
|
logging.debug('using _calc_signature_2')
|
||||||
string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
|
string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
|
||||||
if self.hmac_256:
|
if self.hmac_256:
|
||||||
current_hmac = self.hmac_256
|
current_hmac = self.hmac_256
|
||||||
@ -131,13 +131,13 @@ class Ec2Signer(object):
|
|||||||
val = urllib.quote(val, safe='-_~')
|
val = urllib.quote(val, safe='-_~')
|
||||||
pairs.append(urllib.quote(key, safe='') + '=' + val)
|
pairs.append(urllib.quote(key, safe='') + '=' + val)
|
||||||
qs = '&'.join(pairs)
|
qs = '&'.join(pairs)
|
||||||
LOG.debug('query string: %s', qs)
|
logging.debug('query string: %s', qs)
|
||||||
string_to_sign += qs
|
string_to_sign += qs
|
||||||
LOG.debug('string_to_sign: %s', string_to_sign)
|
logging.debug('string_to_sign: %s', string_to_sign)
|
||||||
current_hmac.update(string_to_sign)
|
current_hmac.update(string_to_sign)
|
||||||
b64 = base64.b64encode(current_hmac.digest())
|
b64 = base64.b64encode(current_hmac.digest())
|
||||||
LOG.debug('len(b64)=%d', len(b64))
|
logging.debug('len(b64)=%d', len(b64))
|
||||||
LOG.debug('base64 encoded digest: %s', b64)
|
logging.debug('base64 encoded digest: %s', b64)
|
||||||
return b64
|
return b64
|
||||||
|
|
||||||
|
|
||||||
|
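Review bot: The new `logging.debug('string_to_sign: %s', string_to_sign)` and `logging.debug('base64 encoded digest: %s', b64)` lines in _calc_signature_2 write the exact signed string and the expected signature for every request to the log. They now go through the root logger instead of what looks like a module-level `LOG`, so they can no longer be filtered per module. Anyone who can read debug logs sees the value a valid request must present, so I would drop the digest line, keep at most `logging.debug('len(b64)=%d', len(b64))`, and stay on the module logger. In generate(), `credentials['params']['SignatureVersion']` is indexed with no presence check, so a request without that parameter presumably fails with a KeyError; reading it once with `credentials['params'].get('SignatureVersion')` would route it to the existing 'Unknown Signature Version' raise. _calc_signature_2 is split across two hunks, so the lines between them are not visible here.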
@ -22,6 +22,8 @@ glance to list images needed to perform the requested task.
|
|||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
|
import webob.exc
|
||||||
|
|
||||||
from keystone import catalog
|
from keystone import catalog
|
||||||
from keystone import config
|
from keystone import config
|
||||||
from keystone import identity
|
from keystone import identity
|
||||||
@ -86,7 +88,7 @@ class Ec2Controller(wsgi.Application):
|
|||||||
super(Ec2Controller, self).__init__()
|
super(Ec2Controller, self).__init__()
|
||||||
|
|
||||||
def check_signature(self, creds_ref, credentials):
|
def check_signature(self, creds_ref, credentials):
|
||||||
signer = utils.Signer(creds_ref['secret'])
|
signer = utils.Ec2Signer(creds_ref['secret'])
|
||||||
signature = signer.generate(credentials)
|
signature = signer.generate(credentials)
|
||||||
if signature == credentials['signature']:
|
if signature == credentials['signature']:
|
||||||
return
|
return
|
||||||
@ -98,9 +100,11 @@ class Ec2Controller(wsgi.Application):
|
|||||||
signature = signer.generate(credentials)
|
signature = signer.generate(credentials)
|
||||||
if signature != credentials.signature:
|
if signature != credentials.signature:
|
||||||
# TODO(termie): proper exception
|
# TODO(termie): proper exception
|
||||||
raise Exception("Not Authorized")
|
msg = "Invalid signature"
|
||||||
|
raise webob.exc.HTTPUnauthorized(explanation=msg)
|
||||||
else:
|
else:
|
||||||
raise Exception("Not Authorized")
|
msg = "Signature not supplied"
|
||||||
|
raise webob.exc.HTTPUnauthorized(explanation=msg)
|
||||||
|
|
||||||
def authenticate(self, context, credentials=None,
|
def authenticate(self, context, credentials=None,
|
||||||
ec2Credentials=None):
|
ec2Credentials=None):
|
||||||
@ -129,8 +133,13 @@ class Ec2Controller(wsgi.Application):
|
|||||||
# NOTE(termie): backwards compat hack
|
# NOTE(termie): backwards compat hack
|
||||||
if not credentials and ec2Credentials:
|
if not credentials and ec2Credentials:
|
||||||
credentials = ec2Credentials
|
credentials = ec2Credentials
|
||||||
|
|
||||||
creds_ref = self.ec2_api.get_credential(context,
|
creds_ref = self.ec2_api.get_credential(context,
|
||||||
credentials['access'])
|
credentials['access'])
|
||||||
|
if not creds_ref:
|
||||||
|
msg = "Access key not found"
|
||||||
|
raise webob.exc.HTTPUnauthorized(explanation=msg)
|
||||||
|
|
||||||
|
|
||||||
self.check_signature(creds_ref, credentials)
|
self.check_signature(creds_ref, credentials)
|
||||||
|
|
||||||
|
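Review bot: In the hunk at -98,9 the retry comparison still reads `if signature != credentials.signature:` although every other access in this commit was converted to dict indexing. With a dict `credentials` that line would raise AttributeError instead of reaching the new HTTPUnauthorized, so it should be `credentials['signature']`. Both that check and `if signature == credentials['signature']:` compare the HMAC with `!=`/`==`, which is not constant-time; `hmac.compare_digest(signature, credentials['signature'])`, where the runtime provides it, avoids leaking how much of the signature matched. The distinct explanations "Access key not found" and "Invalid signature" also let a caller tell existing access keys from unknown ones, so one generic message for both would be safer. check_signature is only partly visible across its two hunks.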