Merge "Fixes Bug #861293 nova.auth.signer.Signer now honors the SignatureMethod parameter for SHA1 when creating signatures"

2011-11-15 21:27:39 +00:00 · 2011-11-15 21:27:39 +00:00 · 097d122609
commit 097d122609
parent 80ffed4f0a 6183586fab
2 changed files with 49 additions and 18 deletions
--- a/nova/auth/signer.py
+++ b/nova/auth/signer.py
@ -53,8 +53,8 @@ import boto
 # NOTE(vish): for old boto
 import boto.utils

+from nova import exception
 from nova import log as logging
-from nova.exception import Error


 LOG = logging.getLogger('nova.signer')
@ -81,8 +81,7 @@ class Signer(object):
    def generate(self, params, verb, server_string, path):
        """Generate auth string according to what SignatureVersion is given.

-        The signature method defaults to SHA256 if available, or falls back to
-        SHA1 if not.
+        The signature method must be SHA1 or SHA256.

        """
        if params['SignatureVersion'] == '0':
@ -91,7 +90,7 @@ class Signer(object):
            return self._calc_signature_1(params)
        if params['SignatureVersion'] == '2':
            return self._calc_signature_2(params, verb, server_string, path)
-        raise Error('Unknown Signature Version: %s' %
+        raise exception.Error('Unknown Signature Version: %s' %
                    params['SignatureVersion'])

    @staticmethod
@ -132,12 +131,20 @@ class Signer(object):
        """Generate AWS signature version 2 string."""
        LOG.debug('using _calc_signature_2')
        string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
-        if self.hmac_256:
+
+        if 'SignatureMethod' not in params:
+            raise exception.Error('No SignatureMethod specified')
+
+        if params['SignatureMethod'] == 'HmacSHA256':
+            if not self.hmac_256:
+                raise exception.Error('SHA256 not supported on this server')
            current_hmac = self.hmac_256
-            params['SignatureMethod'] = 'HmacSHA256'
-        else:
+        elif params['SignatureMethod'] == 'HmacSHA1':
            current_hmac = self.hmac
-            params['SignatureMethod'] = 'HmacSHA1'
+        else:
+            raise exception.Error('SignatureMethod %s not supported'
+                                  % params['SignatureMethod'])
+
        keys = params.keys()
        keys.sort()
        pairs = []
@ -157,5 +164,6 @@ class Signer(object):


 if __name__ == '__main__':
-    print Signer('foo').generate({'SignatureVersion': '2'}, 'get', 'server',
-                                  '/foo')
+    print Signer('foo').generate({'SignatureVersion': '2',
+                                  'SignatureMethod': 'HmacSHA256'},
+                                  'get', 'server', '/foo')
--- a/nova/tests/test_signer.py
+++ b/nova/tests/test_signer.py
@ -54,14 +54,33 @@ class SignerTestCase(test.TestCase):
                                'PUT',
                                '/johnsmith/photos/puppy.jpg'))

-    def test_generate_using_version_2(self):
+    def test_generate_HmacSHA256(self):
        self.assertEquals('clXalhbLZXxEuI32OoX+OeXsN6Mr2q4jzGyIDAr4RZg=',
                          self.signer.generate(
                                {'SignatureMethod': 'HmacSHA256',
                                 'SignatureVersion': '2'},
                                'GET', 'server', '/foo'))

-    def test_generate_force_HmacSHA1(self):
+    def test_generate_HmacSHA1(self):
+        self.assertEquals('uJTByiDIcgB65STrS5i2egQgd+U=',
+                          self.signer.generate({'SignatureVersion': '2',
+                                           'SignatureMethod': 'HmacSHA1'},
+                                           'GET', 'server', '/foo'))
+
+    def test_generate_invalid_signature_method_defined(self):
+        self.assertRaises(exception.Error,
+                          self.signer.generate,
+                          {'SignatureVersion': '2',
+                           'SignatureMethod': 'invalid_method'},
+                          'GET', 'server', '/foo')
+
+    def test_generate_no_signature_method_defined(self):
+        self.assertRaises(exception.Error,
+                          self.signer.generate,
+                          {'SignatureVersion': '2'},
+                          'GET', 'server', '/foo')
+
+    def test_generate_HmacSHA256_missing_hashlib_sha256(self):
        # Stub out haslib.sha256
        import hashlib
        self.stubs.Set(hashlib, 'sha256', None)
@ -69,20 +88,24 @@ class SignerTestCase(test.TestCase):
        # Create Signer again now that hashlib.sha256 is None
        self.signer = signer.Signer(
                        'uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o')
-        self.assertEquals('uJTByiDIcgB65STrS5i2egQgd+U=',
-                          self.signer.generate({'SignatureVersion': '2'},
-                                               'GET', 'server', '/foo'))
+        self.assertRaises(exception.Error,
+                          self.signer.generate,
+                          {'SignatureVersion': '2',
+                           'SignatureMethod': 'HmacSHA256'},
+                          'GET', 'server', '/foo')

    def test_generate_with_unicode_param(self):
        self.assertEquals('clXalhbLZXxEuI32OoX+OeXsN6Mr2q4jzGyIDAr4RZg=',
-                          self.signer.generate({'SignatureVersion': u'2'},
+                          self.signer.generate({'SignatureVersion': u'2',
+                                            'SignatureMethod': 'HmacSHA256'},
                                            'GET', 'server', '/foo'))

    def test_generate_with_non_string_or_unicode_param(self):
        self.assertEquals('99IAgCkhTR2aMTgRobnzKGuNxVFSdb7vlQRvnj3Urqk=',
                          self.signer.generate(
                              {'AnotherParam': ClassWithStrRepr(),
-                               'SignatureVersion': '2'},
+                               'SignatureVersion': '2',
+                               'SignatureMethod': 'HmacSHA256'},
                              'GET', 'server', '/foo'))

    def test_generate_unknown_version(self):