Ec2Signer : Allow signature verification for older boto versions

Since the fix for bug #1197553, verification for older clients (which strip the port when formatting the request) fails. This conditionally reverts to the original behavior, by detecting the boto version via the User-Agent header, the default behavior will be the new behavior (which doesn't strip the port), but this will allow a less painful transition for clients/distros to the new boto version. Fixes bug #1205281 Change-Id: I54ac9c5ba91e697004f1346a8f2d685da488992a
2013-07-26 11:42:29 +01:00
parent 262c17922a
commit fb6792ada7
2 changed files with 92 additions and 0 deletions
--- a/keystoneclient/contrib/ec2/utils.py
+++ b/keystoneclient/contrib/ec2/utils.py
@@ -21,6 +21,7 @@
 import base64
 import hashlib
 import hmac
 import re
 import urllib
@@ -211,11 +212,25 @@ class Ec2Signer(object):
            # - the X-Amz-SignedHeaders query parameter
            headers_lower = dict((k.lower().strip(), v.strip())
                                 for (k, v) in headers.iteritems())
            # Boto versions < 2.9.3 strip the port component of the host:port
            # header, so detect the user-agent via the header and strip the
            # port if we detect an old boto version.  FIXME: remove when all
            # distros package boto >= 2.9.3, this is a transitional workaround
            user_agent = headers_lower.get('user-agent', '')
            strip_port = re.match('Boto/2.[0-9].[0-2]', user_agent)
            header_list = []
            sh_str = auth_param('SignedHeaders')
            for h in sh_str.split(';'):
                if h not in headers_lower:
                    continue
                if h == 'host' and strip_port:
                    header_list.append('%s:%s' %
                                       (h, headers_lower[h].split(':')[0]))
                    continue
                header_list.append('%s:%s' % (h, headers_lower[h]))
            return '\n'.join(header_list) + '\n'
--- a/tests/test_ec2utils.py
+++ b/tests/test_ec2utils.py
@@ -179,3 +179,80 @@ class Ec2SignerTest(testtools.TestCase):
        expected = ('26dd92ea79aaa49f533d13b1055acdc'
                    'd7d7321460d64621f96cc79c4f4d4ab2b')
        self.assertEqual(signature, expected)
    def test_generate_v4_port_strip(self):
        """
        Test v4 generator with host:port format, but for an old
        (<2.9.3) version of boto, where the port should be stripped
        to match boto behavior
        """
        # Create a new signer object with the AWS example key
        secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
        signer = Ec2Signer(secret)
        body_hash = ('b6359072c78d70ebee1e81adcbab4f0'
                     '1bf2c23245fa365ef83fe8f1f955085e2')
        auth_str = ('AWS4-HMAC-SHA256 '
                    'Credential=AKIAIOSFODNN7EXAMPLE/20110909/'
                    'us-east-1/iam/aws4_request,'
                    'SignedHeaders=content-type;host;x-amz-date,')
        headers = {'Content-type':
                   'application/x-www-form-urlencoded; charset=utf-8',
                   'X-Amz-Date': '20110909T233600Z',
                   'Host': 'foo:8000',
                   'Authorization': auth_str,
                   'User-Agent': 'Boto/2.9.2 (linux2)'}
        # Note the example in the AWS docs is inconsistent, previous
        # examples specify no query string, but the final POST example
        # does, apparently incorrectly since an empty parameter list
        # aligns all steps and the final signature with the examples
        params = {}
        credentials = {'host': 'foo:8000',
                       'verb': 'POST',
                       'path': '/',
                       'params': params,
                       'headers': headers,
                       'body_hash': body_hash}
        signature = signer.generate(credentials)
        expected = ('9a4b2276a5039ada3b90f72ea8ec1745'
                    '14b92b909fb106b22ad910c5d75a54f4')
        self.assertEqual(expected, signature)
    def test_generate_v4_port_nostrip(self):
        """
        Test v4 generator with host:port format, but for an new
        (>=2.9.3) version of boto, where the port should not be stripped
        """
        # Create a new signer object with the AWS example key
        secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY'
        signer = Ec2Signer(secret)
        body_hash = ('b6359072c78d70ebee1e81adcbab4f0'
                     '1bf2c23245fa365ef83fe8f1f955085e2')
        auth_str = ('AWS4-HMAC-SHA256 '
                    'Credential=AKIAIOSFODNN7EXAMPLE/20110909/'
                    'us-east-1/iam/aws4_request,'
                    'SignedHeaders=content-type;host;x-amz-date,')
        headers = {'Content-type':
                   'application/x-www-form-urlencoded; charset=utf-8',
                   'X-Amz-Date': '20110909T233600Z',
                   'Host': 'foo:8000',
                   'Authorization': auth_str,
                   'User-Agent': 'Boto/2.9.3 (linux2)'}
        # Note the example in the AWS docs is inconsistent, previous
        # examples specify no query string, but the final POST example
        # does, apparently incorrectly since an empty parameter list
        # aligns all steps and the final signature with the examples
        params = {}
        credentials = {'host': 'foo:8000',
                       'verb': 'POST',
                       'path': '/',
                       'params': params,
                       'headers': headers,
                       'body_hash': body_hash}
        signature = signer.generate(credentials)
        expected = ('26dd92ea79aaa49f533d13b1055acdc'
                    'd7d7321460d64621f96cc79c4f4d4ab2b')
        self.assertEqual(expected, signature)