openstack/swift
Code Issues Proposed changes
0edfb879a7
swift/test/unit/common/middleware/test_tempurl.py

1377 lines
58 KiB
Python
Raw Normal View History

TempURL: Fixed bug with \r or \n in disposition. If an object had a \r or \n in its name, it would end up creating an invalid HTTP Content-Disposition header. Reviewer consensus was to use URL encoding. Fixes bug 1306250 Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d
2014-04-22 15:00:09 +00:00
# Copyright (c) 2011-2014 Greg Holt
# Copyright (c) 2012-2013 Peter Portante
# Copyright (c) 2012 Iryoung Jeong
# Copyright (c) 2012 Michael Barton
# Copyright (c) 2013 Alex Gaynor
# Copyright (c) 2013 Chuck Thier
# Copyright (c) 2013 David Goetz
Add multiple reseller prefixes and composite tokens This change is in support of Composite Tokens and Service Accounts (see http://specs.openstack.org/openstack/swift-specs/specs/in_progress/ service_token.html) During coding, minor changes were made compared to the original specification. See https://review.openstack.org/138771 for these changes. DocImpact Change-Id: I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
2014-11-25 14:42:42 +00:00
# Copyright (c) 2015 Donagh McCabe
TempURL: Fixed bug with \r or \n in disposition. If an object had a \r or \n in its name, it would end up creating an invalid HTTP Content-Disposition header. Reviewer consensus was to use URL encoding. Fixes bug 1306250 Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d
2014-04-22 15:00:09 +00:00
# Copyright (c) 2013 Greg Lange
# Copyright (c) 2013 John Dickinson
# Copyright (c) 2013 Kun Huang
# Copyright (c) 2013 Richard Hawkins
# Copyright (c) 2013 Samuel Merritt
# Copyright (c) 2013 Shri Javadekar
# Copyright (c) 2013 Tong Li
# Copyright (c) 2013 ZhiQiang Fan
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
import base64
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
import hmac
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
import itertools
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
import mock
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
import unittest
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
import hashlib
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
from time import time, strftime, gmtime
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
from swift.common.middleware import tempauth, tempurl
Move HeaderKeyDict to avoid an inline import There was a function in swift.common.utils that was importing swob.HeaderKeyDict at call time. It couldn't import it at compilation time since utils can't import from swob or else it blows up with a circular import error. This commit just moves HeaderKeyDict into swift.common.header_key_dict so that we can remove the inline import. Change-Id: I656fde8cc2e125327c26c589cf1045cb81ffc7e5
2016-03-02 10:28:51 +00:00
from swift.common.header_key_dict import HeaderKeyDict
from swift.common.swob import Request, Response
Expose allowed tempurl methods in /info Clients can construct tempurls for any method, but they only work if they're in this list, so it's helpful for clients to see the list. Change-Id: Id852f457d65b62c4fe79db01b1d7029a5fa5aa09
2013-12-12 16:13:42 -08:00
from swift.common import utils
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
class FakeApp(object):
def __init__(self, status_headers_body_iter=None):
self.calls = 0
self.status_headers_body_iter = status_headers_body_iter
if not self.status_headers_body_iter:
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
self.status_headers_body_iter = iter(
itertools.repeat((
'404 Not Found', {
'x-test-header-one-a': 'value1',
'x-test-header-two-a': 'value2',
'x-test-header-two-b': 'value3'},
'')))
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
self.request = None
def __call__(self, env, start_response):
self.calls += 1
self.request = Request.blank('', environ=env)
if 'swift.authorize' in env:
resp = env['swift.authorize'](self.request)
if resp:
return resp(env, start_response)
Replace it.next() with next(it) for py3 compat The Python 2 next() method of iterators was renamed to __next__() on Python 3. Use the builtin next() function instead which works on Python 2 and Python 3. Change-Id: Ic948bc574b58f1d28c5c58e3985906dee17fa51d
2015-06-15 22:10:45 +05:30
status, headers, body = next(self.status_headers_body_iter)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
return Response(status=status, headers=headers,
body=body)(env, start_response)
class TestTempURL(unittest.TestCase):
def setUp(self):
self.app = FakeApp()
Add multiple reseller prefixes and composite tokens This change is in support of Composite Tokens and Service Accounts (see http://specs.openstack.org/openstack/swift-specs/specs/in_progress/ service_token.html) During coding, minor changes were made compared to the original specification. See https://review.openstack.org/138771 for these changes. DocImpact Change-Id: I6072b4efb3a479a8e0cc2d9c11ffda5764b55e30
2014-11-25 14:42:42 +00:00
self.auth = tempauth.filter_factory({'reseller_prefix': ''})(self.app)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
self.tempurl = tempurl.filter_factory({})(self.auth)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
def _make_request(self, path, environ=None, keys=(), container_keys=None,
**kwargs):
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
if environ is None:
environ = {}
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
_junk, account, _junk, _junk = utils.split_path(path, 2, 4, True)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
self._fake_cache_environ(environ, account, keys,
container_keys=container_keys)
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
req = Request.blank(path, environ=environ, **kwargs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
return req
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
def _fake_cache_environ(self, environ, account, keys, container_keys=None):
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
"""
Fake out the caching layer for get_account_info(). Injects account data
into environ such that keys are the tempurl keys, if set.
"""
meta = {'swash': 'buckle'}
for idx, key in enumerate(keys):
meta_name = 'Temp-URL-key' + (("-%d" % (idx + 1) if idx else ""))
if key:
meta[meta_name] = key
Make info caching work across subrequests Previously, if you called get_account_info, get_container_info, or get_object_info, then the results of that call would be cached in the WSGI environment as top-level keys. This is okay, except that if you, in middleware, copy the WSGI environment and then make a subrequest using the copy, information retrieved in the subrequest is cached only in the copy and not in the original. This can mean lots of extra trips to memcache for, say, SLO validation where the segments are in another container; the object HEAD ends up getting container info for the segment container, but then the next object HEAD gets it again. This commit moves the cache for get_*_info into a dictionary at environ['swift.infocache']; this way, you can shallow-copy the request environment and still get the benefits from the cache. Change-Id: I3481b38b41c33cd1e39e19baab56193c5f9bf6ac
2016-01-21 13:19:30 -08:00
ic = environ.setdefault('swift.infocache', {})
Use the same key for memcache and env['swift.infocache'] When we were caching directly to the WSGI environment, it made sense to have different keys for the different caches. Now that we have a separate data structure for the per-request cache, however, we ought to be consistent. Change-Id: I199cba6e5fc9ab4205bba369e6a2f34fc5ce22d4
2016-04-27 13:31:11 -05:00
ic['account/' + account] = {
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
'status': 204,
'container_count': '0',
'total_object_count': '0',
'bytes': '0',
'meta': meta}
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
meta = {}
for i, key in enumerate(container_keys or []):
meta_name = 'Temp-URL-key' + (("-%d" % (i + 1) if i else ""))
meta[meta_name] = key
Use the same key for memcache and env['swift.infocache'] When we were caching directly to the WSGI environment, it made sense to have different keys for the different caches. Now that we have a separate data structure for the per-request cache, however, we ought to be consistent. Change-Id: I199cba6e5fc9ab4205bba369e6a2f34fc5ce22d4
2016-04-27 13:31:11 -05:00
container_cache_key = 'container/' + account + '/c'
Make info caching work across subrequests Previously, if you called get_account_info, get_container_info, or get_object_info, then the results of that call would be cached in the WSGI environment as top-level keys. This is okay, except that if you, in middleware, copy the WSGI environment and then make a subrequest using the copy, information retrieved in the subrequest is cached only in the copy and not in the original. This can mean lots of extra trips to memcache for, say, SLO validation where the segments are in another container; the object HEAD ends up getting container info for the segment container, but then the next object HEAD gets it again. This commit moves the cache for get_*_info into a dictionary at environ['swift.infocache']; this way, you can shallow-copy the request environment and still get the benefits from the cache. Change-Id: I3481b38b41c33cd1e39e19baab56193c5f9bf6ac
2016-01-21 13:19:30 -08:00
ic.setdefault(container_cache_key, {'meta': meta})
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_passthrough(self):
resp = self._make_request('/v1/a/c/o').get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('Temp URL invalid', resp.body)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
have tempurl allow OPTIONS requests Change-Id: I431cac1e9818a335ff8d20288ab6acf39d6b6d5e
2013-05-07 13:44:14 -07:00
def test_allow_options(self):
self.app.status_headers_body_iter = iter([('200 Ok', {}, '')])
resp = self._make_request(
'/v1/a/c/o?temp_url_sig=abcde&temp_url_expires=12345',
environ={'REQUEST_METHOD': 'OPTIONS'}).get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
have tempurl allow OPTIONS requests Change-Id: I431cac1e9818a335ff8d20288ab6acf39d6b6d5e
2013-05-07 13:44:14 -07:00
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
def assert_valid_sig(self, expires, path, keys, sig, environ=None,
prefix=None):
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
if not environ:
environ = {}
environ['QUERY_STRING'] = 'temp_url_sig=%s&temp_url_expires=%s' % (
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig.replace('+', '%2B'), expires)
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
if prefix is not None:
environ['QUERY_STRING'] += '&temp_url_prefix=%s' % prefix
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
req = self._make_request(path, keys=keys, environ=environ)
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="o"; ' + "filename*=UTF-8''o")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertEqual(resp.headers['expires'],
strftime('%a, %d %b %Y %H:%M:%S GMT',
gmtime(expires)))
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
Move common code into a separate function. test_get_valid and test_get_valid_key2 test tempurl with a single key and two keys respectively. This change moves common code for these tests into a separate function. Change-Id: Ifee211285e27df03d041a4c357b7c1f0c96ed6a8
2013-05-16 22:51:43 -07:00
def test_get_valid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Move common code into a separate function. test_get_valid and test_get_valid_key2 test tempurl with a single key and two keys respectively. This change moves common code for these tests into a separate function. Change-Id: Ifee211285e27df03d041a4c357b7c1f0c96ed6a8
2013-05-16 22:51:43 -07:00
self.assert_valid_sig(expires, path, [key], sig)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha256).hexdigest()
self.assert_valid_sig(expires, path, [key], sig)
sig = base64.b64encode(hmac.new(
key, hmac_body, hashlib.sha256).digest())
self.assert_valid_sig(expires, path, [key], 'sha256:' + sig)
sig = base64.b64encode(hmac.new(
key, hmac_body, hashlib.sha512).digest())
self.assert_valid_sig(expires, path, [key], 'sha512:' + sig)
Allow 2 TempURL keys per account. This allows users to rotate their TempURL keys without invalidating all existing signed URLs. This is handy if you have multiple systems generating signed URLs, but you want to change your keys for some reason (e.g. keys compromised, company policy, general paranoia). Both the first and second keys are optional, so existing accounts' signed URLs will continue to work as before. This commit does change the memcache key used to store the fetched TempURL keys. This is because we were storing the old key as a string in memcached, but the new one is a list of keys. Since the key cache lifetime here is only 60 seconds, it doesn't seem like too big a deal to completely flush the TempURL cache. Also, this commit adds caching of a negative TempURL result. If the account HEAD reveals no TempURL keys at all, that result is now stored for 60 seconds the same way that a positive result would be. Change-Id: I40a02bd607283fbce11aa52a9bb8a5846ab17f5e
2013-05-02 14:53:48 -07:00
def test_get_valid_key2(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key1 = 'abc123'
key2 = 'def456'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig1 = hmac.new(key1, hmac_body, hashlib.sha1).hexdigest()
sig2 = hmac.new(key2, hmac_body, hashlib.sha1).hexdigest()
Allow 2 TempURL keys per account. This allows users to rotate their TempURL keys without invalidating all existing signed URLs. This is handy if you have multiple systems generating signed URLs, but you want to change your keys for some reason (e.g. keys compromised, company policy, general paranoia). Both the first and second keys are optional, so existing accounts' signed URLs will continue to work as before. This commit does change the memcache key used to store the fetched TempURL keys. This is because we were storing the old key as a string in memcached, but the new one is a list of keys. Since the key cache lifetime here is only 60 seconds, it doesn't seem like too big a deal to completely flush the TempURL cache. Also, this commit adds caching of a negative TempURL result. If the account HEAD reveals no TempURL keys at all, that result is now stored for 60 seconds the same way that a positive result would be. Change-Id: I40a02bd607283fbce11aa52a9bb8a5846ab17f5e
2013-05-02 14:53:48 -07:00
for sig in (sig1, sig2):
Move common code into a separate function. test_get_valid and test_get_valid_key2 test tempurl with a single key and two keys respectively. This change moves common code for these tests into a separate function. Change-Id: Ifee211285e27df03d041a4c357b7c1f0c96ed6a8
2013-05-16 22:51:43 -07:00
self.assert_valid_sig(expires, path, [key1, key2], sig)
Allow 2 TempURL keys per account. This allows users to rotate their TempURL keys without invalidating all existing signed URLs. This is handy if you have multiple systems generating signed URLs, but you want to change your keys for some reason (e.g. keys compromised, company policy, general paranoia). Both the first and second keys are optional, so existing accounts' signed URLs will continue to work as before. This commit does change the memcache key used to store the fetched TempURL keys. This is because we were storing the old key as a string in memcached, but the new one is a list of keys. Since the key cache lifetime here is only 60 seconds, it doesn't seem like too big a deal to completely flush the TempURL cache. Also, this commit adds caching of a negative TempURL result. If the account HEAD reveals no TempURL keys at all, that result is now stored for 60 seconds the same way that a positive result would be. Change-Id: I40a02bd607283fbce11aa52a9bb8a5846ab17f5e
2013-05-02 14:53:48 -07:00
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
def test_get_valid_container_keys(self):
Make info caching work across subrequests Previously, if you called get_account_info, get_container_info, or get_object_info, then the results of that call would be cached in the WSGI environment as top-level keys. This is okay, except that if you, in middleware, copy the WSGI environment and then make a subrequest using the copy, information retrieved in the subrequest is cached only in the copy and not in the original. This can mean lots of extra trips to memcache for, say, SLO validation where the segments are in another container; the object HEAD ends up getting container info for the segment container, but then the next object HEAD gets it again. This commit moves the cache for get_*_info into a dictionary at environ['swift.infocache']; this way, you can shallow-copy the request environment and still get the benefits from the cache. Change-Id: I3481b38b41c33cd1e39e19baab56193c5f9bf6ac
2016-01-21 13:19:30 -08:00
ic = {}
environ = {'swift.infocache': ic}
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
# Add two static container keys
container_keys = ['me', 'other']
meta = {}
for idx, key in enumerate(container_keys):
meta_name = 'Temp-URL-key' + (("-%d" % (idx + 1) if idx else ""))
if key:
meta[meta_name] = key
Use the same key for memcache and env['swift.infocache'] When we were caching directly to the WSGI environment, it made sense to have different keys for the different caches. Now that we have a separate data structure for the per-request cache, however, we ought to be consistent. Change-Id: I199cba6e5fc9ab4205bba369e6a2f34fc5ce22d4
2016-04-27 13:31:11 -05:00
ic['container/a/c'] = {'meta': meta}
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key1 = 'me'
key2 = 'other'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig1 = hmac.new(key1, hmac_body, hashlib.sha1).hexdigest()
sig2 = hmac.new(key2, hmac_body, hashlib.sha1).hexdigest()
Add support for container TempURL Keys Change-Id: Ic22b0b84b657e6cac7e0062fa410eefb09bc0f4d Co-Authored-By: Christian Schwede <christian.schwede@enovance.com>
2015-02-09 17:51:01 -06:00
account_keys = []
for sig in (sig1, sig2):
self.assert_valid_sig(expires, path, account_keys, sig, environ)
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
@mock.patch('swift.common.middleware.tempurl.time', return_value=0)
def test_get_valid_with_filename(self, mock_time):
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
method = 'GET'
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
expires = (((24 + 1) * 60 + 1) * 60) + 1
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
req = self._make_request(path, keys=[key], environ={
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=bob%%20%%22killer%%22.txt' % (sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="bob %22killer%22.txt"; ' +
"filename*=UTF-8''bob%20%22killer%22.txt")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
self.assertEqual('Fri, 02 Jan 1970 01:01:01 GMT',
resp.headers['expires'])
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
Add content-disposition header to tempurl request Added content-disposition header to HEAD tempurl request. As per HTTP docs[1] HEAD response must be identical to GET except return message-body response. [1]https://tools.ietf.org/html/rfc2616#section-9.4 Change-Id: Ie60a6fb632613055da5279db5b128ce5ee5172ae Closes-Bug:#1539805
2016-03-17 09:40:23 +00:00
def test_head_valid_with_filename(self):
Fix HEAD tempurls HEAD-only tempurls didn't work; tempurl only allowed a HEAD request if the tempurl was generated for GET or PUT (that is, the method in the HMAC-signed string was "GET" or "PUT"). The intent of the code was to allow a user with a GET or a PUT tempurl to also perform a HEAD request; I think the breaking of HEAD tempurls is just a bug. Change-Id: I621ddaac03e0d058dd9e7c7c374cb5c4b6386d36
2013-11-21 17:39:56 -08:00
method = 'HEAD'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Fix HEAD tempurls HEAD-only tempurls didn't work; tempurl only allowed a HEAD request if the tempurl was generated for GET or PUT (that is, the method in the HMAC-signed string was "GET" or "PUT"). The intent of the code was to allow a user with a GET or a PUT tempurl to also perform a HEAD request; I think the breaking of HEAD tempurls is just a bug. Change-Id: I621ddaac03e0d058dd9e7c7c374cb5c4b6386d36
2013-11-21 17:39:56 -08:00
req = self._make_request(path, keys=[key], environ={
'REQUEST_METHOD': 'HEAD',
Add content-disposition header to tempurl request Added content-disposition header to HEAD tempurl request. As per HTTP docs[1] HEAD response must be identical to GET except return message-body response. [1]https://tools.ietf.org/html/rfc2616#section-9.4 Change-Id: Ie60a6fb632613055da5279db5b128ce5ee5172ae Closes-Bug:#1539805
2016-03-17 09:40:23 +00:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=bob_killer.txt' % (sig, expires)})
Fix HEAD tempurls HEAD-only tempurls didn't work; tempurl only allowed a HEAD request if the tempurl was generated for GET or PUT (that is, the method in the HMAC-signed string was "GET" or "PUT"). The intent of the code was to allow a user with a GET or a PUT tempurl to also perform a HEAD request; I think the breaking of HEAD tempurls is just a bug. Change-Id: I621ddaac03e0d058dd9e7c7c374cb5c4b6386d36
2013-11-21 17:39:56 -08:00
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
Add content-disposition header to tempurl request Added content-disposition header to HEAD tempurl request. As per HTTP docs[1] HEAD response must be identical to GET except return message-body response. [1]https://tools.ietf.org/html/rfc2616#section-9.4 Change-Id: Ie60a6fb632613055da5279db5b128ce5ee5172ae Closes-Bug:#1539805
2016-03-17 09:40:23 +00:00
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="bob_killer.txt"; ' +
"filename*=UTF-8''bob_killer.txt")
Fix HEAD tempurls HEAD-only tempurls didn't work; tempurl only allowed a HEAD request if the tempurl was generated for GET or PUT (that is, the method in the HMAC-signed string was "GET" or "PUT"). The intent of the code was to allow a user with a GET or a PUT tempurl to also perform a HEAD request; I think the breaking of HEAD tempurls is just a bug. Change-Id: I621ddaac03e0d058dd9e7c7c374cb5c4b6386d36
2013-11-21 17:39:56 -08:00
Handle tempurl Content-Disposition header missing from HEAD Content-Disposition headers should make no difference between GET and HEAD according to HTTP rfc. Closes-Bug: #1539805 Change-Id: Ifa41a7cda2f321eb8e36420ede7912ed0a549712
2016-03-24 16:08:19 +08:00
def test_head_and_get_headers_match(self):
method = 'HEAD'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Handle tempurl Content-Disposition header missing from HEAD Content-Disposition headers should make no difference between GET and HEAD according to HTTP rfc. Closes-Bug: #1539805 Change-Id: Ifa41a7cda2f321eb8e36420ede7912ed0a549712
2016-03-24 16:08:19 +08:00
req = self._make_request(path, keys=[key], environ={
'REQUEST_METHOD': 'HEAD',
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s'
% (sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
get_method = 'GET'
get_hmac_body = '%s\n%s\n%s' % (get_method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
get_sig = hmac.new(key, get_hmac_body, hashlib.sha1).hexdigest()
Handle tempurl Content-Disposition header missing from HEAD Content-Disposition headers should make no difference between GET and HEAD according to HTTP rfc. Closes-Bug: #1539805 Change-Id: Ifa41a7cda2f321eb8e36420ede7912ed0a549712
2016-03-24 16:08:19 +08:00
get_req = self._make_request(path, keys=[key], environ={
'REQUEST_METHOD': 'GET',
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s'
% (get_sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
get_resp = get_req.get_response(self.tempurl)
self.assertEqual(resp.headers, get_resp.headers)
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
@mock.patch('swift.common.middleware.tempurl.time', return_value=0)
def test_get_valid_with_filename_and_inline(self, mock_time):
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
method = 'GET'
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
expires = 1
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
req = self._make_request(path, keys=[key], environ={
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=bob%%20%%22killer%%22.txt&inline=' % (sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
Make Content-Disposition support `inline; filename=...` format. A client can process a object contents immediately when it has knowledge, if it doesn't, it stores the content to local with the filename that assigned in `Content-Disposition`. According to https://tools.ietf.org/html/rfc2183, `filename` can be use whatever `inline` or `attachment` (disposition-type) in the disposition string. Change-Id: Iba94aedfad06c1dc8bd7be5eb3c73b33fb8d5198
2016-10-12 18:02:16 +08:00
self.assertEqual(resp.headers['content-disposition'],
'inline; filename="bob %22killer%22.txt"; ' +
"filename*=UTF-8''bob%20%22killer%22.txt")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
self.assertEqual('Thu, 01 Jan 1970 00:00:01 GMT',
resp.headers['expires'])
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
def test_get_valid_with_inline(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
req = self._make_request(path, keys=[key], environ={
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'inline=' % (sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'], 'inline')
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
add an "inline" query parameter to tempurl Giving the inline query parameter will cause the tempurl response to be given a "Content-Disposition: inline" header, regardless of other query parameters or metadata. This allows easy in-line viewing, eg in browsers. DocImpact Change-Id: Icd5c544d6a749d4f58e8a921968f4e432a2185db
2013-11-22 09:44:36 -08:00
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
def test_get_valid_with_prefix(self):
method = 'GET'
expires = int(time() + 86400)
prefix = 'p1/p2/'
sig_path = 'prefix:/v1/a/c/' + prefix
query_path = '/v1/a/c/' + prefix + 'o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, sig_path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
self.assert_valid_sig(expires, query_path, [key], sig, prefix=prefix)
query_path = query_path[:-1] + 'p3/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, sig_path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
self.assert_valid_sig(expires, query_path, [key], sig, prefix=prefix)
def test_get_valid_with_prefix_empty(self):
method = 'GET'
expires = int(time() + 86400)
sig_path = 'prefix:/v1/a/c/'
query_path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, sig_path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
self.assert_valid_sig(expires, query_path, [key], sig, prefix='')
TempURL: Fixed bug with \r or \n in disposition. If an object had a \r or \n in its name, it would end up creating an invalid HTTP Content-Disposition header. Reviewer consensus was to use URL encoding. Fixes bug 1306250 Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d
2014-04-22 15:00:09 +00:00
def test_obj_odd_chars(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/a\r\nb'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
TempURL: Fixed bug with \r or \n in disposition. If an object had a \r or \n in its name, it would end up creating an invalid HTTP Content-Disposition header. Reviewer consensus was to use URL encoding. Fixes bug 1306250 Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d
2014-04-22 15:00:09 +00:00
req = self._make_request(path, keys=[key], environ={
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="a%0D%0Ab"; ' +
"filename*=UTF-8''a%0D%0Ab")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Add filename*= support to tempurl Content-Disposition When working with unicode or unsafe characters most browsers can do better with a fully quoted filename*=, and will prefer it to filename=. Old style filename= left in for backwards compat Change-Id: Ic54b0c376139bc8688d9124930689285a3b384fb
2014-05-02 21:11:49 -07:00
def test_obj_odd_chars_in_content_disposition_metadata(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Add filename*= support to tempurl Content-Disposition When working with unicode or unsafe characters most browsers can do better with a fully quoted filename*=, and will prefer it to filename=. Old style filename= left in for backwards compat Change-Id: Ic54b0c376139bc8688d9124930689285a3b384fb
2014-05-02 21:11:49 -07:00
req = self._make_request(path, keys=[key], environ={
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
headers = [('Content-Disposition', 'attachment; filename="fu\nbar"')]
self.tempurl.app = FakeApp(iter([('200 Ok', headers, '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="fu%0Abar"')
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
TempURL: Fixed bug with \r or \n in disposition. If an object had a \r or \n in its name, it would end up creating an invalid HTTP Content-Disposition header. Reviewer consensus was to use URL encoding. Fixes bug 1306250 Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d
2014-04-22 15:00:09 +00:00
Subtle change to tempurl content-disposition names If an object name ends with a /, the content-disposition filename for a tempurl ended up as an empty string. This fix just strips any trailing slashes before calling basename. Also, I added a test to verify that if the filename is passed as an overriding query parameter, that it is used in full, no rstripping, no basenaming. Change-Id: I37725b6ded04ed3b91cdb21132490fd857276e2f
2013-05-29 15:02:06 +00:00
def test_obj_trailing_slash(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o/'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
req = self._make_request(path, keys=[key], environ={
Subtle change to tempurl content-disposition names If an object name ends with a /, the content-disposition filename for a tempurl ended up as an empty string. This fix just strips any trailing slashes before calling basename. Also, I added a test to verify that if the filename is passed as an overriding query parameter, that it is used in full, no rstripping, no basenaming. Change-Id: I37725b6ded04ed3b91cdb21132490fd857276e2f
2013-05-29 15:02:06 +00:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(resp.headers['content-disposition'],
'attachment; filename="o"; ' +
"filename*=UTF-8''o")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Subtle change to tempurl content-disposition names If an object name ends with a /, the content-disposition filename for a tempurl ended up as an empty string. This fix just strips any trailing slashes before calling basename. Also, I added a test to verify that if the filename is passed as an overriding query parameter, that it is used in full, no rstripping, no basenaming. Change-Id: I37725b6ded04ed3b91cdb21132490fd857276e2f
2013-05-29 15:02:06 +00:00
def test_filename_trailing_slash(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
req = self._make_request(path, keys=[key], environ={
Subtle change to tempurl content-disposition names If an object name ends with a /, the content-disposition filename for a tempurl ended up as an empty string. This fix just strips any trailing slashes before calling basename. Also, I added a test to verify that if the filename is passed as an overriding query parameter, that it is used in full, no rstripping, no basenaming. Change-Id: I37725b6ded04ed3b91cdb21132490fd857276e2f
2013-05-29 15:02:06 +00:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=/i/want/this/just/as/it/is/' % (sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', (), '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
self.assertEqual(
Add filename*= support to tempurl Content-Disposition When working with unicode or unsafe characters most browsers can do better with a fully quoted filename*=, and will prefer it to filename=. Old style filename= left in for backwards compat Change-Id: Ic54b0c376139bc8688d9124930689285a3b384fb
2014-05-02 21:11:49 -07:00
resp.headers['content-disposition'],
'attachment; filename="/i/want/this/just/as/it/is/"; ' +
"filename*=UTF-8''/i/want/this/just/as/it/is/")
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Subtle change to tempurl content-disposition names If an object name ends with a /, the content-disposition filename for a tempurl ended up as an empty string. This fix just strips any trailing slashes before calling basename. Also, I added a test to verify that if the filename is passed as an overriding query parameter, that it is used in full, no rstripping, no basenaming. Change-Id: I37725b6ded04ed3b91cdb21132490fd857276e2f
2013-05-29 15:02:06 +00:00
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
def test_get_valid_but_404(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
TempURL filename options; bug fixes - Prior to this commit, a Content-Disposition header was always set on responses to GET requests, with the filename based on the object name. Now, the header will only be set for 2xx responses and the filename can be overridden with a filename query parameter on the request. - Fixed a bug where all query parameters on the request were being passed down the WSGI pipeline. Now, just the query parameters useful in log-based debugging are included. This becomes important with things like the Bulk middleware that act upon query parameters. - Fixed bug where the Content-Disposition header wasn't following RFC spec. DocImpact Change-Id: I66ad809321dcdd03444324973c8b76869e3b0c8e
2013-02-25 02:25:58 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
Add Expires header for successful GETs using tempurls This allows caches to actually use the expiration time that's already embedded in the URL. From RFC 2616 [1]: > [S]ince some applications have traditionally used GETs and HEADs with > query URLs (those containing a "?" in the rel_path part) to perform > operations with significant side effects, caches MUST NOT treat > responses to such URIs as fresh unless the server provides an explicit > expiration time. However, RFC 7234 notes that this hasn't played out in practice [2]: > Note: Section 13.9 of [RFC2616] prohibited caches from calculating > heuristic freshness for URIs with query components (i.e., those > containing '?'). In practice, this has not been widely implemented. > Therefore, origin servers are encouraged to send explicit directives > (e.g., Cache-Control: no-cache) if they wish to preclude caching. [1] http://tools.ietf.org/html/rfc2616#section-13.9 [2] http://tools.ietf.org/html/rfc7234#section-4.2.2 Change-Id: Ie8f26b97a124ea220a20800e35e040e4463d82bc Closes-Bug: 1502159
2016-02-12 10:15:31 -08:00
self.assertNotIn('content-disposition', resp.headers)
self.assertNotIn('expires', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_put_not_allowed_by_get(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'PUT',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_put_valid(self):
method = 'PUT'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'PUT',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_get_not_allowed_by_put(self):
method = 'PUT'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_missing_sig(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'QUERY_STRING': 'temp_url_expires=%s' % expires})
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_missing_expires(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'QUERY_STRING': 'temp_url_sig=%s' % sig})
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_bad_path(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_no_key(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_head_allowed_by_get(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'HEAD',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_head_allowed_by_put(self):
method = 'PUT'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Allow HEAD for POST tempurls HEAD requests are already allowed for GET and PUT tempurls; this commit adds that for POST tempurls. Since POST replaces all the object's metadata, it's quite useful to be able to HEAD the object in order to fetch the old metadata and do a client-side merge of the new metadata (like with normal, token-authenticated POST requests). Change-Id: I603c7822cd27f0e304fd27024f83f95114eb0aef
2014-07-11 12:03:30 -07:00
req = self._make_request(
path, keys=[key],
environ={'REQUEST_METHOD': 'HEAD',
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Allow HEAD for POST tempurls HEAD requests are already allowed for GET and PUT tempurls; this commit adds that for POST tempurls. Since POST replaces all the object's metadata, it's quite useful to be able to HEAD the object in order to fetch the old metadata and do a client-side merge of the new metadata (like with normal, token-authenticated POST requests). Change-Id: I603c7822cd27f0e304fd27024f83f95114eb0aef
2014-07-11 12:03:30 -07:00
def test_head_allowed_by_post(self):
method = 'POST'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'HEAD',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
self.assertEqual(req.environ['swift.authorize_override'], True)
self.assertEqual(req.environ['REMOTE_USER'], '.wsgi.tempurl')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_head_otherwise_not_allowed(self):
method = 'PUT'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
# Deliberately fudge expires to show HEADs aren't just automatically
# allowed.
expires += 1
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'HEAD',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Add POST and DELETE to tempurl default methods The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs. Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
2014-07-11 11:27:11 -07:00
def test_post_when_forbidden_by_config(self):
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
self.tempurl.conf['methods'].remove('POST')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
method = 'POST'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'POST',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Add POST and DELETE to tempurl default methods The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs. Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
2014-07-11 11:27:11 -07:00
def test_delete_when_forbidden_by_config(self):
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
self.tempurl.conf['methods'].remove('DELETE')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
method = 'DELETE'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'DELETE',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Add POST and DELETE to tempurl default methods The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs. Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
2014-07-11 11:27:11 -07:00
def test_delete_allowed(self):
Allow a configurable set of TempURL methods Folks have actually been asking for this. I think they're sending a DELETE TempURL to someone way ahead of time and the someone issues it when they're ready. Honestly, I'm not entirely sure of the use case, but having the set of methods configurable wouldn't hurt. Change-Id: Ibdb48f8a72077b045eeedddfae4c0a1f56098d7a
2013-04-04 16:44:22 +00:00
method = 'DELETE'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Allow a configurable set of TempURL methods Folks have actually been asking for this. I think they're sending a DELETE TempURL to someone way ahead of time and the someone issues it when they're ready. Honestly, I'm not entirely sure of the use case, but having the set of methods configurable wouldn't hurt. Change-Id: Ibdb48f8a72077b045eeedddfae4c0a1f56098d7a
2013-04-04 16:44:22 +00:00
environ={'REQUEST_METHOD': 'DELETE',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Allow a configurable set of TempURL methods Folks have actually been asking for this. I think they're sending a DELETE TempURL to someone way ahead of time and the someone issues it when they're ready. Honestly, I'm not entirely sure of the use case, but having the set of methods configurable wouldn't hurt. Change-Id: Ibdb48f8a72077b045eeedddfae4c0a1f56098d7a
2013-04-04 16:44:22 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
Allow a configurable set of TempURL methods Folks have actually been asking for this. I think they're sending a DELETE TempURL to someone way ahead of time and the someone issues it when they're ready. Honestly, I'm not entirely sure of the use case, but having the set of methods configurable wouldn't hurt. Change-Id: Ibdb48f8a72077b045eeedddfae4c0a1f56098d7a
2013-04-04 16:44:22 +00:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_unknown_not_allowed(self):
method = 'UNKNOWN'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
environ={'REQUEST_METHOD': 'UNKNOWN',
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
def test_authorize_limits_scope(self):
req_other_object = Request.blank("/v1/a/c/o2")
req_other_container = Request.blank("/v1/a/c2/o2")
req_other_account = Request.blank("/v1/a2/c2/o2")
key_kwargs = {
'keys': ['account-key', 'shared-key'],
'container_keys': ['container-key', 'shared-key'],
}
# A request with the account key limits the pre-authed scope to the
# account level.
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new('account-key', hmac_body, hashlib.sha1).hexdigest()
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
qs = '?temp_url_sig=%s&temp_url_expires=%s' % (sig, expires)
# make request will setup the environ cache for us
req = self._make_request(path + qs, **key_kwargs)
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404) # sanity check
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
authorize = req.environ['swift.authorize']
# Requests for other objects happen if, for example, you're
# downloading a large object or creating a large-object manifest.
oo_resp = authorize(req_other_object)
Using assertIsNone() instead of assertEqual(None) Following OpenStack Style Guidelines: [1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises [H203] Unit test assertions tend to give better messages for more specific assertions. As a result, assertIsNone(...) is preferred over assertEqual(None, ...) and assertIs(..., None) Change-Id: If4db8872c4f5705c1fff017c4891626e9ce4d1e4
2017-06-07 11:37:01 +08:00
self.assertIsNone(oo_resp)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
oc_resp = authorize(req_other_container)
Using assertIsNone() instead of assertEqual(None) Following OpenStack Style Guidelines: [1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises [H203] Unit test assertions tend to give better messages for more specific assertions. As a result, assertIsNone(...) is preferred over assertEqual(None, ...) and assertIs(..., None) Change-Id: If4db8872c4f5705c1fff017c4891626e9ce4d1e4
2017-06-07 11:37:01 +08:00
self.assertIsNone(oc_resp)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
oa_resp = authorize(req_other_account)
self.assertEqual(oa_resp.status_int, 401)
# A request with the container key limits the pre-authed scope to
# the container level; a different container in the same account is
# out of scope and thus forbidden.
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new('container-key', hmac_body, hashlib.sha1).hexdigest()
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
qs = '?temp_url_sig=%s&temp_url_expires=%s' % (sig, expires)
req = self._make_request(path + qs, **key_kwargs)
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404) # sanity check
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
authorize = req.environ['swift.authorize']
oo_resp = authorize(req_other_object)
Using assertIsNone() instead of assertEqual(None) Following OpenStack Style Guidelines: [1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises [H203] Unit test assertions tend to give better messages for more specific assertions. As a result, assertIsNone(...) is preferred over assertEqual(None, ...) and assertIs(..., None) Change-Id: If4db8872c4f5705c1fff017c4891626e9ce4d1e4
2017-06-07 11:37:01 +08:00
self.assertIsNone(oo_resp)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
oc_resp = authorize(req_other_container)
self.assertEqual(oc_resp.status_int, 401)
oa_resp = authorize(req_other_account)
self.assertEqual(oa_resp.status_int, 401)
# If account and container share a key (users set these, so this can
# happen by accident, stupidity, *or* malice!), limit the scope to
# account level. This prevents someone from shrinking the scope of
# account-level tempurls by reusing one of the account's keys on a
# container.
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new('shared-key', hmac_body, hashlib.sha1).hexdigest()
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
qs = '?temp_url_sig=%s&temp_url_expires=%s' % (sig, expires)
req = self._make_request(path + qs, **key_kwargs)
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404) # sanity check
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
authorize = req.environ['swift.authorize']
oo_resp = authorize(req_other_object)
Using assertIsNone() instead of assertEqual(None) Following OpenStack Style Guidelines: [1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises [H203] Unit test assertions tend to give better messages for more specific assertions. As a result, assertIsNone(...) is preferred over assertEqual(None, ...) and assertIs(..., None) Change-Id: If4db8872c4f5705c1fff017c4891626e9ce4d1e4
2017-06-07 11:37:01 +08:00
self.assertIsNone(oo_resp)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
oc_resp = authorize(req_other_container)
Using assertIsNone() instead of assertEqual(None) Following OpenStack Style Guidelines: [1] http://docs.openstack.org/developer/hacking/#unit-tests-and-assertraises [H203] Unit test assertions tend to give better messages for more specific assertions. As a result, assertIsNone(...) is preferred over assertEqual(None, ...) and assertIs(..., None) Change-Id: If4db8872c4f5705c1fff017c4891626e9ce4d1e4
2017-06-07 11:37:01 +08:00
self.assertIsNone(oc_resp)
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
oa_resp = authorize(req_other_account)
self.assertEqual(oa_resp.status_int, 401)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_changed_path_invalid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path + '2', keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_changed_sig_invalid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
if sig[-1] != '0':
sig = sig[:-1] + '0'
else:
sig = sig[:-1] + '1'
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_changed_expires_invalid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires + 1)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_different_key_invalid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key + '2'],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
self.assertTrue('Temp URL invalid' in resp.body)
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
self.assertTrue('Www-Authenticate' in resp.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
def test_no_prefix_match_invalid(self):
method = 'GET'
expires = int(time() + 86400)
sig_path = 'prefix:/v1/a/c/p1/p2/'
query_path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, sig_path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
req = self._make_request(
query_path, keys=[key],
environ={'QUERY_STRING':
'temp_url_sig=%s&temp_url_expires=%s&temp_url_prefix=%s' %
(sig, expires, 'p1/p2/')})
resp = req.get_response(self.tempurl)
self.assertEqual(resp.status_int, 401)
self.assertTrue('Temp URL invalid' in resp.body)
self.assertTrue('Www-Authenticate' in resp.headers)
def test_object_url_with_prefix_invalid(self):
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING':
'temp_url_sig=%s&temp_url_expires=%s&temp_url_prefix=o' %
(sig, expires)})
resp = req.get_response(self.tempurl)
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
Disallow unsafe tempurl operations to point to unauthorized data Do not allow PUT tempurls to create pointers to other data. Specifically disallow the creation of DLO object manifests by returning an error if a non-safe tempurl request includes an X-Object-Manifest header regardless of the value of the header. This prevents discoverability attacks which can use any PUT tempurl to probe for private data by creating a DLO object manifest and then using the PUT tempurl to head the object which would 404 if the prefix does not match any object data or form a valid DLO HEAD response if it does. This also prevents a tricky and potentially unexpected consequence of PUT tempurls which would make it unsafe to allow a user to download objects created by tempurl (even if they just created them) because the result of reading the object created via tempurl may not be the data which was uploaded. [CVE-2015-5223] Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp> Change-Id: I11e68830009d3f6bff44ae4011a41b67139146f6 Closes-Bug: 1453948
2015-07-23 22:36:21 -07:00
def test_disallowed_header_object_manifest(self):
self.tempurl = tempurl.filter_factory({})(self.auth)
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
Add test that a tempurl POST cannot set a DLO manifest header Follow up to [1] to add tests for tempurl POSTs not being allowed to set a DLO manifest header. [1] I11e68830009d3f6bff44ae4011a41b67139146f6 Change-Id: I7c0ad5a936f71e56c599b8495a586913d3334422 Related-Bug: 1453948
2015-08-26 16:30:23 +01:00
for method in ('PUT', 'POST'):
Symlink implementation. Add a symbolic link ("symlink") object support to Swift. This object will reference another object. GET and HEAD requests for a symlink object will operate on the referenced object. DELETE and PUT requests for a symlink object will operate on the symlink object, not the referenced object, and will delete or overwrite it, respectively. POST requests are *not* forwarded to the referenced object and should be sent directly. POST requests sent to a symlink object will result in a 307 Error. Historical information on symlink design can be found here: https://github.com/openstack/swift-specs/blob/master/specs/in_progress/symlinks.rst. https://etherpad.openstack.org/p/swift_symlinks Co-Authored-By: Thiago da Silva <thiago@redhat.com> Co-Authored-By: Janie Richling <jrichli@us.ibm.com> Co-Authored-By: Kazuhiro MIYAHARA <miyahara.kazuhiro@lab.ntt.co.jp> Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp> Change-Id: I838ed71bacb3e33916db8dd42c7880d5bb9f8e18 Signed-off-by: Thiago da Silva <thiago@redhat.com>
2015-10-07 15:14:58 -04:00
for hdr, value in [('X-Object-Manifest', 'private/secret'),
('X-Symlink-Target', 'cont/symlink')]:
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Symlink implementation. Add a symbolic link ("symlink") object support to Swift. This object will reference another object. GET and HEAD requests for a symlink object will operate on the referenced object. DELETE and PUT requests for a symlink object will operate on the symlink object, not the referenced object, and will delete or overwrite it, respectively. POST requests are *not* forwarded to the referenced object and should be sent directly. POST requests sent to a symlink object will result in a 307 Error. Historical information on symlink design can be found here: https://github.com/openstack/swift-specs/blob/master/specs/in_progress/symlinks.rst. https://etherpad.openstack.org/p/swift_symlinks Co-Authored-By: Thiago da Silva <thiago@redhat.com> Co-Authored-By: Janie Richling <jrichli@us.ibm.com> Co-Authored-By: Kazuhiro MIYAHARA <miyahara.kazuhiro@lab.ntt.co.jp> Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp> Change-Id: I838ed71bacb3e33916db8dd42c7880d5bb9f8e18 Signed-off-by: Thiago da Silva <thiago@redhat.com>
2015-10-07 15:14:58 -04:00
req = self._make_request(
path, method=method, keys=[key],
headers={hdr: value},
environ={'QUERY_STRING':
'temp_url_sig=%s&temp_url_expires=%s'
% (sig, expires)})
resp = req.get_response(self.tempurl)
self.assertEqual(resp.status_int, 400)
self.assertTrue('header' in resp.body)
self.assertTrue('not allowed' in resp.body)
self.assertTrue(hdr in resp.body)
Disallow unsafe tempurl operations to point to unauthorized data Do not allow PUT tempurls to create pointers to other data. Specifically disallow the creation of DLO object manifests by returning an error if a non-safe tempurl request includes an X-Object-Manifest header regardless of the value of the header. This prevents discoverability attacks which can use any PUT tempurl to probe for private data by creating a DLO object manifest and then using the PUT tempurl to head the object which would 404 if the prefix does not match any object data or form a valid DLO HEAD response if it does. This also prevents a tricky and potentially unexpected consequence of PUT tempurls which would make it unsafe to allow a user to download objects created by tempurl (even if they just created them) because the result of reading the object created via tempurl may not be the data which was uploaded. [CVE-2015-5223] Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp> Change-Id: I11e68830009d3f6bff44ae4011a41b67139146f6 Closes-Bug: 1453948
2015-07-23 22:36:21 -07:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_removed_incoming_header(self):
self.tempurl = tempurl.filter_factory({
'incoming_remove_headers': 'x-remove-this'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Make TempURL more cache-efficient. So, there's two cases here. In one case, we have memcache enabled; account info gets cached in the usual place, and tempurl keys get cached separately. In the other case, we have no cache. In neither case is anything gained by having TempURL cache keys separately from the account info. This commit removes TempURL's custom caching logic and makes it rely on get_account_info() instead. Benefits include: * immediate visibility of new keys on account POST * less data in the cache per account --> more stuff fits in cache * less code for bugs to hide in Change-Id: Idb0b6c165da14196b4c79149c546f0159b54edcb
2013-06-18 10:32:40 -07:00
headers={'x-remove-this': 'value'},
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('x-remove-this', self.app.request.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_removed_incoming_headers_match(self):
self.tempurl = tempurl.filter_factory({
'incoming_remove_headers': 'x-remove-this-*',
'incoming_allow_headers': 'x-remove-this-except-this'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
headers={'x-remove-this-one': 'value1',
'x-remove-this-except-this': 'value2'},
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('x-remove-this-one', self.app.request.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
self.app.request.headers['x-remove-this-except-this'], 'value2')
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
def test_allow_trumps_incoming_header_conflict(self):
self.tempurl = tempurl.filter_factory({
'incoming_remove_headers': 'x-conflict-header',
'incoming_allow_headers': 'x-conflict-header'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
req = self._make_request(
path, keys=[key],
headers={'x-conflict-header': 'value'},
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
self.assertTrue('x-conflict-header' in self.app.request.headers)
def test_allow_trumps_incoming_header_startswith_conflict(self):
self.tempurl = tempurl.filter_factory({
'incoming_remove_headers': 'x-conflict-header-*',
'incoming_allow_headers': 'x-conflict-header-*'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
req = self._make_request(
path, keys=[key],
headers={'x-conflict-header-test': 'value'},
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
self.assertTrue('x-conflict-header-test' in self.app.request.headers)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_removed_outgoing_header(self):
self.tempurl = tempurl.filter_factory({
'outgoing_remove_headers': 'x-test-header-one-a'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('x-test-header-one-a', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.headers['x-test-header-two-a'], 'value2')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_removed_outgoing_headers_match(self):
self.tempurl = tempurl.filter_factory({
'outgoing_remove_headers': 'x-test-header-two-*',
'outgoing_allow_headers': 'x-test-header-two-b'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
req = self._make_request(
path, keys=[key],
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 404)
self.assertEqual(resp.headers['x-test-header-one-a'], 'value1')
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('x-test-header-two-a', resp.headers)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.headers['x-test-header-two-b'], 'value3')
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
def test_allow_trumps_outgoing_header_conflict(self):
self.tempurl = tempurl.filter_factory({
'outgoing_remove_headers': 'x-conflict-header',
'outgoing_allow_headers': 'x-conflict-header'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
req = self._make_request(
path, keys=[key],
headers={},
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', {
'X-Conflict-Header': 'value'}, '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
self.assertTrue('x-conflict-header' in resp.headers)
self.assertEqual(resp.headers['x-conflict-header'], 'value')
def test_allow_trumps_outgoing_header_startswith_conflict(self):
self.tempurl = tempurl.filter_factory({
'outgoing_remove_headers': 'x-conflict-header-*',
'outgoing_allow_headers': 'x-conflict-header-*'})(self.auth)
method = 'GET'
expires = int(time() + 86400)
path = '/v1/a/c/o'
key = 'abc'
hmac_body = '%s\n%s\n%s' % (method, expires, path)
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
sig = hmac.new(key, hmac_body, hashlib.sha1).hexdigest()
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
req = self._make_request(
path, keys=[key],
headers={},
environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
sig, expires)})
self.tempurl.app = FakeApp(iter([('200 Ok', {
'X-Conflict-Header-Test': 'value'}, '123')]))
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 200)
test tempurl header sanitization priority Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
2014-09-08 12:25:54 -07:00
self.assertTrue('x-conflict-header-test' in resp.headers)
self.assertEqual(resp.headers['x-conflict-header-test'], 'value')
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
def test_get_path_parts(self):
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'HEAD', 'PATH_INFO': '/v1/a/c/o'}),
('a', 'c', 'o'))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a/c/o'}),
('a', 'c', 'o'))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'PUT', 'PATH_INFO': '/v1/a/c/o'}),
('a', 'c', 'o'))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'POST', 'PATH_INFO': '/v1/a/c/o'}),
('a', 'c', 'o'))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'DELETE', 'PATH_INFO': '/v1/a/c/o'}),
('a', 'c', 'o'))
self.assertEqual(self.tempurl._get_path_parts({
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
'REQUEST_METHOD': 'UNKNOWN', 'PATH_INFO': '/v1/a/c/o'}),
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a/c/'}),
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a/c//////'}),
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a/c///o///'}),
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
('a', 'c', '//o///'))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a/c'}),
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1/a//o'}),
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1//c/o'}),
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '//a/c/o'}),
(None, None, None))
self.assertEqual(self.tempurl._get_path_parts({
'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v2/a/c/o'}),
(None, None, None))
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_get_temp_url_info(self):
s = 'f5d5051bddf5df7e27c628818738334f'
ISO 8601 timestamps for tempurl With this commit, the tempurl middleware accepts (besides the traditional unix timestamps) also timestamps according to the format '%Y-%m-%dT%H:%M:%SZ' (one acceptable form of ISO 8601). The idea is to make the tempurls more user-friendly, and has been formulated here: Change-Id: I346a0241060a9559d178b30e60c957792bbeb9f0 Implements: blueprint human-readable-tempurl-timestamp
2017-01-19 16:07:09 +01:00
e_ts = int(time() + 86400)
e_8601 = strftime(tempurl.EXPIRES_ISO8601_FORMAT, gmtime(e_ts))
for e in (e_ts, e_8601):
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
s, e)}),
(s, e_ts, None, None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING':
'temp_url_sig=%s&temp_url_expires=%s&temp_url_prefix=%s'
% (s, e, 'prefix')}),
(s, e_ts, 'prefix', None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=bobisyouruncle' % (s, e)}),
(s, e_ts, None, 'bobisyouruncle', None))
self.assertEqual(
self.tempurl._get_temp_url_info({}),
(None, None, None, None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_expires=%s' % e}),
(None, e_ts, None, None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s' % s}),
(s, None, None, None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=bad' % (
s)}),
(s, 0, None, None, None))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'inline=' % (s, e)}),
(s, e_ts, None, None, True))
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s&'
'filename=bobisyouruncle&inline=' % (s, e)}),
(s, e_ts, None, 'bobisyouruncle', True))
e_ts = int(time() - 1)
e_8601 = strftime(tempurl.EXPIRES_ISO8601_FORMAT, gmtime(e_ts))
for e in (e_ts, e_8601):
self.assertEqual(
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
s, e)}),
(s, 0, None, None, None))
# Offsets not supported (yet?).
e_8601 = strftime('%Y-%m-%dT%H:%M:%S+0000', gmtime(e_ts))
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
self.tempurl._get_temp_url_info(
{'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
ISO 8601 timestamps for tempurl With this commit, the tempurl middleware accepts (besides the traditional unix timestamps) also timestamps according to the format '%Y-%m-%dT%H:%M:%SZ' (one acceptable form of ISO 8601). The idea is to make the tempurls more user-friendly, and has been formulated here: Change-Id: I346a0241060a9559d178b30e60c957792bbeb9f0 Implements: blueprint human-readable-tempurl-timestamp
2017-01-19 16:07:09 +01:00
s, e_8601)}),
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
(s, 0, None, None, None))
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Added discoverable capabilities. Swift can now optionally be configured to allow requests to '/info', providing information about the swift cluster. Additionally a HMAC signed requests to '/info?swiftinfo_sig=<sign>&swiftinfo_expires=<expires>' can be configured allowing privileged access to more sensitive information not meant to be public. DocImpact Change-Id: I2379360fbfe3d9e9e8b25f1dc34517d199574495 Implements: blueprint capabilities Closes-Bug: #1245694
2013-10-16 19:28:37 -05:00
def test_get_hmacs(self):
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(
Added discoverable capabilities. Swift can now optionally be configured to allow requests to '/info', providing information about the swift cluster. Additionally a HMAC signed requests to '/info?swiftinfo_sig=<sign>&swiftinfo_expires=<expires>' can be configured allowing privileged access to more sensitive information not meant to be public. DocImpact Change-Id: I2379360fbfe3d9e9e8b25f1dc34517d199574495 Implements: blueprint capabilities Closes-Bug: #1245694
2013-10-16 19:28:37 -05:00
self.tempurl._get_hmacs(
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
{'REQUEST_METHOD': 'GET'}, 1, '/v1/a/c/o',
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
[('abc', 'account')], 'sha1'),
Better scoping for tempurls, especially container tempurls It used to be that a GET of a tempurl referencing a large object would let you download that large object regardless of where its segments lived. However, this led to some violated user expectations around container tempurls. (Note on shorthand: all tempurls reference objects. However, "account tempurl" and "container tempurl" are shorthand meaning tempurls generated using a key on the account or container, respectively.) Let's say an application is given tempurl keys to a particular container, and it does all its work therein using those keys. The user expects that, if the application is compromised, then the attacker only gains access to the "compromised-container". However, with the old behavior, the attacker could read data from *any* container like so: 1) Choose a "victim-container" to download 2) Create PUT and GET tempurl for any object name within the "compromised-container". The object doesn't need to exist; we'll create it. 3) Using the PUT tempurl, upload a DLO manifest with "X-Object-Manifest: /victim-container/" 4) Using the GET tempurl, download the object created in step 3. The result will be the concatenation of all objects in the "victim-container". Step 3 need not be for all objects in the "victim-container"; for example, a value "X-Object-Manifest: /victim-container/abc" would only be the concatenation of all objects whose names begin with "abc". By probing for object names in this way, individual objects may be found and extracted. A similar bug would exist for manifests referencing other accounts except that neither the X-Object-Manifest (DLO) nor the JSON manifest document (SLO) have a way of specifying a different account. This change makes it so that a container tempurl only grants access to objects within its container, *including* large-object segments. This breaks backward compatibility for container tempurls that may have pointed to cross container *LO's, but (a) there are security implications, and (b) container tempurls are a relatively new feature. This works by having the tempurl middleware install an authorization callback ('swift.authorize' in the WSGI environment) that limits the scope of any requests to the account or container from which the key came. This requires swift.authorize to persist for both the manifest request and all segment requests; this is done by having the proxy server restore it to the WSGI environment prior to returning from __call__. [CVE-2015-5223] Co-Authored-By: Clay Gerrard <clayg@swiftstack.com> Co-Authored-By: Alistair Coles <alistair.coles@hp.com> Co-Authored-By: Christian Schwede <cschwede@redhat.com> Co-Authored-By: Matthew Oliver <matt@oliver.net.au> Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c Closes-Bug: 1449212
2015-08-11 09:10:13 -05:00
[('026d7f7cc25256450423c7ad03fc9f5ffc1dab6d', 'account')])
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(
Added discoverable capabilities. Swift can now optionally be configured to allow requests to '/info', providing information about the swift cluster. Additionally a HMAC signed requests to '/info?swiftinfo_sig=<sign>&swiftinfo_expires=<expires>' can be configured allowing privileged access to more sensitive information not meant to be public. DocImpact Change-Id: I2379360fbfe3d9e9e8b25f1dc34517d199574495 Implements: blueprint capabilities Closes-Bug: #1245694
2013-10-16 19:28:37 -05:00
self.tempurl._get_hmacs(
tempurls with a prefix-based scope The middleware now allows the usage of signatures with a prefix-based scope. A prefix-based signature grants access to all objects which share the same prefix. This avoids the creation of a large amount of signatures, when a whole container or pseudofolder is shared. Please see spec: https://review.openstack.org/#/c/199607/ Change-Id: I03b68eb74dae6196b5e63e711ef642ff7d2cfdc9
2016-01-29 13:29:31 +01:00
{'REQUEST_METHOD': 'HEAD'}, 1, '/v1/a/c/o',
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
[('abc', 'account')], 'sha512', request_method='GET'),
[('240866478d94bbe683ab1d25fba52c7d0df21a60951'
'4fe6a493dc30f951d2748abc51da0cbc633cd1e0acf'
'6fadd3af3aedff00ee3d3434dc6a4c423e74adfc4a', 'account')])
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_invalid(self):
def _start_response(status, headers, exc_info=None):
self.assertTrue(status, '401 Unauthorized')
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
self.assertTrue('Temp URL invalid' in ''.join(
self.tempurl._invalid({'REQUEST_METHOD': 'GET'},
_start_response)))
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual('', ''.join(
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
self.tempurl._invalid({'REQUEST_METHOD': 'HEAD'},
_start_response)))
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
def test_auth_scheme_value(self):
# Passthrough
environ = {}
resp = self._make_request('/v1/a/c/o', environ=environ).get_response(
self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('Temp URL invalid', resp.body)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Www-Authenticate', resp.headers)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('swift.auth_scheme', environ)
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
# Rejected by TempURL
Fix warning pep8 E128 warning of hacking 0.10 Fix the warning E128: "continuation line under-indented for visual indent" of pep8. Change-Id: Ie6c6ae341fe3d6281f2095c1d756d552fa5937f9
2015-07-30 00:28:44 +02:00
environ = {'REQUEST_METHOD': 'PUT',
'QUERY_STRING':
'temp_url_sig=dummy&temp_url_expires=1234'}
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
req = self._make_request('/v1/a/c/o', keys=['abc'],
Fix warning pep8 E128 warning of hacking 0.10 Fix the warning E128: "continuation line under-indented for visual indent" of pep8. Change-Id: Ie6c6ae341fe3d6281f2095c1d756d552fa5937f9
2015-07-30 00:28:44 +02:00
environ=environ)
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
resp = req.get_response(self.tempurl)
pep8 fix: assertEquals -> assertEqual assertEquals is deprecated in py3, replacing it. Change-Id: Ida206abbb13c320095bb9e3b25a2b66cc31bfba8 Co-Authored-By: Ondřej Nový <ondrej.novy@firma.seznam.cz>
2015-08-05 23:58:14 +05:30
self.assertEqual(resp.status_int, 401)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('Temp URL invalid', resp.body)
self.assertIn('Www-Authenticate', resp.headers)
Add WWW-Authenticate to 401 responses Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the Www-Authenticate response header MUST also be returned. The format is described in http://www.ietf.org/rfc/rfc2617.txt. Swift supports and/or implements a number of authentication schemes including tempauth, Keystone, tempurl, formpost and container sync. In this fix, we use a catch-all, "Swift". The realm is the account (where known) or "unknown" (bad path or where the 401 is returned from code that does not have the request). Examples: Www-Authenticate: Swift realm="AUTH_1234567889" Www-Authenticate: Swift realm="unknown" Fixes bug #1215491 Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4
2013-08-23 15:03:08 +01:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_clean_incoming_headers(self):
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
irh = []
iah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
env = {'HTTP_TEST_HEADER': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
tempurl.TempURL(
None, {'incoming_remove_headers': irh,
'incoming_allow_headers': iah}
)._clean_incoming_headers(env)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('HTTP_TEST_HEADER', env)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
irh = ['test-header']
iah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
env = {'HTTP_TEST_HEADER': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
tempurl.TempURL(
None, {'incoming_remove_headers': irh,
'incoming_allow_headers': iah}
)._clean_incoming_headers(env)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('HTTP_TEST_HEADER', env)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
irh = ['test-header-*']
iah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
env = {'HTTP_TEST_HEADER_ONE': 'value',
'HTTP_TEST_HEADER_TWO': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
tempurl.TempURL(
None, {'incoming_remove_headers': irh,
'incoming_allow_headers': iah}
)._clean_incoming_headers(env)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('HTTP_TEST_HEADER_ONE', env)
self.assertNotIn('HTTP_TEST_HEADER_TWO', env)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
irh = ['test-header-*']
iah = ['test-header-two']
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
env = {'HTTP_TEST_HEADER_ONE': 'value',
'HTTP_TEST_HEADER_TWO': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
tempurl.TempURL(
None, {'incoming_remove_headers': irh,
'incoming_allow_headers': iah}
)._clean_incoming_headers(env)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('HTTP_TEST_HEADER_ONE', env)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('HTTP_TEST_HEADER_TWO', env)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
irh = ['test-header-*', 'test-other-header']
iah = ['test-header-two', 'test-header-yes-*']
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
env = {'HTTP_TEST_HEADER_ONE': 'value',
'HTTP_TEST_HEADER_TWO': 'value',
'HTTP_TEST_OTHER_HEADER': 'value',
'HTTP_TEST_HEADER_YES': 'value',
'HTTP_TEST_HEADER_YES_THIS': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
tempurl.TempURL(
None, {'incoming_remove_headers': irh,
'incoming_allow_headers': iah}
)._clean_incoming_headers(env)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('HTTP_TEST_HEADER_ONE', env)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('HTTP_TEST_HEADER_TWO', env)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('HTTP_TEST_OTHER_HEADER', env)
self.assertNotIn('HTTP_TEST_HEADER_YES', env)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('HTTP_TEST_HEADER_YES_THIS', env)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
def test_clean_outgoing_headers(self):
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
orh = []
oah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
hdrs = {'test-header': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
hdrs = HeaderKeyDict(tempurl.TempURL(
None,
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
{'outgoing_remove_headers': orh, 'outgoing_allow_headers': oah}
Replace dict.iteritems() with dict.items() The iteritems() of Python 2 dictionaries has been renamed to items() on Python 3. According to a discussion on the openstack-dev mailing list, the overhead of creating a temporary list using dict.items() on Python 2 is very low because most dictionaries are small: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html Patch generated by the following command: sed -i 's,iteritems,items,g' \ $(find swift -name "*.py") \ $(find test -name "*.py") Change-Id: I6070bb6c684be76e8e77222a7d280ec6edd43496
2015-06-24 09:36:37 +02:00
)._clean_outgoing_headers(hdrs.items()))
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('test-header', hdrs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
orh = ['test-header']
oah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
hdrs = {'test-header': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
hdrs = HeaderKeyDict(tempurl.TempURL(
None,
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
{'outgoing_remove_headers': orh, 'outgoing_allow_headers': oah}
Replace dict.iteritems() with dict.items() The iteritems() of Python 2 dictionaries has been renamed to items() on Python 3. According to a discussion on the openstack-dev mailing list, the overhead of creating a temporary list using dict.items() on Python 2 is very low because most dictionaries are small: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html Patch generated by the following command: sed -i 's,iteritems,items,g' \ $(find swift -name "*.py") \ $(find test -name "*.py") Change-Id: I6070bb6c684be76e8e77222a7d280ec6edd43496
2015-06-24 09:36:37 +02:00
)._clean_outgoing_headers(hdrs.items()))
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('test-header', hdrs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
orh = ['test-header-*']
oah = []
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
hdrs = {'test-header-one': 'value',
'test-header-two': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
hdrs = HeaderKeyDict(tempurl.TempURL(
None,
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
{'outgoing_remove_headers': orh, 'outgoing_allow_headers': oah}
Replace dict.iteritems() with dict.items() The iteritems() of Python 2 dictionaries has been renamed to items() on Python 3. According to a discussion on the openstack-dev mailing list, the overhead of creating a temporary list using dict.items() on Python 2 is very low because most dictionaries are small: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html Patch generated by the following command: sed -i 's,iteritems,items,g' \ $(find swift -name "*.py") \ $(find test -name "*.py") Change-Id: I6070bb6c684be76e8e77222a7d280ec6edd43496
2015-06-24 09:36:37 +02:00
)._clean_outgoing_headers(hdrs.items()))
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('test-header-one', hdrs)
self.assertNotIn('test-header-two', hdrs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
orh = ['test-header-*']
oah = ['test-header-two']
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
hdrs = {'test-header-one': 'value',
'test-header-two': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
hdrs = HeaderKeyDict(tempurl.TempURL(
None,
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
{'outgoing_remove_headers': orh, 'outgoing_allow_headers': oah}
Replace dict.iteritems() with dict.items() The iteritems() of Python 2 dictionaries has been renamed to items() on Python 3. According to a discussion on the openstack-dev mailing list, the overhead of creating a temporary list using dict.items() on Python 2 is very low because most dictionaries are small: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html Patch generated by the following command: sed -i 's,iteritems,items,g' \ $(find swift -name "*.py") \ $(find test -name "*.py") Change-Id: I6070bb6c684be76e8e77222a7d280ec6edd43496
2015-06-24 09:36:37 +02:00
)._clean_outgoing_headers(hdrs.items()))
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('test-header-one', hdrs)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('test-header-two', hdrs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
orh = ['test-header-*', 'test-other-header']
oah = ['test-header-two', 'test-header-yes-*']
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
hdrs = {'test-header-one': 'value',
'test-header-two': 'value',
'test-other-header': 'value',
'test-header-yes': 'value',
'test-header-yes-this': 'value'}
Pep8 unit tests in middleware > 20 violations (7 of 12) Change-Id: I9dfae1a473a8212ef25dcc01e338d8bdade7ef4e Signed-off-by: Peter Portante <peter.portante@redhat.com>
2013-09-01 00:35:53 -04:00
hdrs = HeaderKeyDict(tempurl.TempURL(
None,
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
{'outgoing_remove_headers': orh, 'outgoing_allow_headers': oah}
Replace dict.iteritems() with dict.items() The iteritems() of Python 2 dictionaries has been renamed to items() on Python 3. According to a discussion on the openstack-dev mailing list, the overhead of creating a temporary list using dict.items() on Python 2 is very low because most dictionaries are small: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html Patch generated by the following command: sed -i 's,iteritems,items,g' \ $(find swift -name "*.py") \ $(find test -name "*.py") Change-Id: I6070bb6c684be76e8e77222a7d280ec6edd43496
2015-06-24 09:36:37 +02:00
)._clean_outgoing_headers(hdrs.items()))
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('test-header-one', hdrs)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('test-header-two', hdrs)
Replace 'assertTrue(a not in b)' with 'assertNotIn(a, b)' trivialfix Change-Id: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 15:18:52 +07:00
self.assertNotIn('test-other-header', hdrs)
self.assertNotIn('test-header-yes', hdrs)
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('test-header-yes-this', hdrs)
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
utf8 encode tempurl key In tempurl middleware, hmac uses the value of account metadata to generate HMAC-SHA1 signature and hmac must accept a str-type string, not a unicode string. The meta dict returned from get_info stroges special chars as unicode however. So just encode it for tempurl using. Closes-Bug: #1242644 Change-Id: I4be62eea014a573efc4748470de57dccf00e431d
2013-10-23 21:19:01 +08:00
def test_unicode_metadata_value(self):
meta = {"temp-url-key": "test", "temp-url-key-2": u"test2"}
results = tempurl.get_tempurl_keys_from_metadata(meta)
for str_value in results:
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIsInstance(str_value, str)
utf8 encode tempurl key In tempurl middleware, hmac uses the value of account metadata to generate HMAC-SHA1 signature and hmac must accept a str-type string, not a unicode string. The meta dict returned from get_info stroges special chars as unicode however. So just encode it for tempurl using. Closes-Bug: #1242644 Change-Id: I4be62eea014a573efc4748470de57dccf00e431d
2013-10-23 21:19:01 +08:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
Expose allowed tempurl methods in /info Clients can construct tempurls for any method, but they only work if they're in this list, so it's helpful for clients to see the list. Change-Id: Id852f457d65b62c4fe79db01b1d7029a5fa5aa09
2013-12-12 16:13:42 -08:00
class TestSwiftInfo(unittest.TestCase):
def setUp(self):
utils._swift_info = {}
utils._swift_admin_info = {}
def test_registered_defaults(self):
tempurl.filter_factory({})
swift_info = utils.get_swift_info()
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('tempurl', swift_info)
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
info = swift_info['tempurl']
self.assertEqual(set(info['methods']),
Add POST and DELETE to tempurl default methods The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs. Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
2014-07-11 11:27:11 -07:00
set(('GET', 'HEAD', 'PUT', 'POST', 'DELETE')))
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
self.assertEqual(set(info['incoming_remove_headers']),
set(('x-timestamp',)))
self.assertEqual(set(info['incoming_allow_headers']), set())
self.assertEqual(set(info['outgoing_remove_headers']),
set(('x-object-meta-*',)))
self.assertEqual(set(info['outgoing_allow_headers']),
set(('x-object-meta-public-*',)))
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
self.assertEqual(info['allowed_digests'], ['sha1', 'sha256', 'sha512'])
Expose allowed tempurl methods in /info Clients can construct tempurls for any method, but they only work if they're in this list, so it's helpful for clients to see the list. Change-Id: Id852f457d65b62c4fe79db01b1d7029a5fa5aa09
2013-12-12 16:13:42 -08:00
def test_non_default_methods(self):
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
tempurl.filter_factory({
'methods': 'GET HEAD PUT DELETE BREW',
'incoming_remove_headers': '',
'incoming_allow_headers': 'x-timestamp x-versions-location',
'outgoing_remove_headers': 'x-*',
'outgoing_allow_headers': 'x-object-meta-* content-type',
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
'allowed_digests': 'sha512 md5 not-a-valid-digest',
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
})
Expose allowed tempurl methods in /info Clients can construct tempurls for any method, but they only work if they're in this list, so it's helpful for clients to see the list. Change-Id: Id852f457d65b62c4fe79db01b1d7029a5fa5aa09
2013-12-12 16:13:42 -08:00
swift_info = utils.get_swift_info()
More assertion cleanup Change-Id: Id88af19c5bfd0bcbbeabcf4eeb23beef4c50b1cb Related-Change: I416831c8ad92f8445bc8d9560040a5ebf5c90702
2016-12-12 11:58:01 -08:00
self.assertIn('tempurl', swift_info)
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
info = swift_info['tempurl']
self.assertEqual(set(info['methods']),
Add POST and DELETE to tempurl default methods The tempurl middleware supports any configured HTTP methods, but the default set was only GET, PUT, and HEAD, so cluster operators had to take action to enable POST and DELETE. This commit changes the defaults to include POST and DELETE. Note that this doesn't affect any existing temporary URLs at all; the method is baked into the signature (temp_url_sig query param), so no new access is granted to a holder of a temporary URL by this change. It simply gives more flexibility to creators of temporary URLs. Change-Id: I5bc15bbd2968ab7bedcd7c0df10f2ec825537191
2014-07-11 11:27:11 -07:00
set(('GET', 'HEAD', 'PUT', 'DELETE', 'BREW')))
Expose tempurl's header restrictions via /info Also, clean up the module documentation a bit. Change-Id: Iaeb5eb264b118b78738187db9242540275e77444
2015-10-07 16:47:11 -07:00
self.assertEqual(set(info['incoming_remove_headers']), set())
self.assertEqual(set(info['incoming_allow_headers']),
set(('x-timestamp', 'x-versions-location')))
self.assertEqual(set(info['outgoing_remove_headers']), set(('x-*', )))
self.assertEqual(set(info['outgoing_allow_headers']),
set(('x-object-meta-*', 'content-type')))
tempurl: Make the digest algorithm configurable ... and add support for SHA-256 and SHA-512 by default. This allows us to start moving toward replacing SHA-1-based signatures. We've known this would eventually be necessary for a while [1], and earlier this year we've seen SHA-1 collisions [2]. Additionally, allow signatures to be base64-encoded, provided they start with a digest name followed by a colon. Trailing padding is optional for base64-encoded signatures, and both normal and "url-safe" modes are supported. For example, all of the following SHA-1 signatures are equivalent: da39a3ee5e6b4b0d3255bfef95601890afd80709 sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk= sha1:2jmj7l5rSw0yVb/vlWAYkK/YBwk sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk= sha1:2jmj7l5rSw0yVb_vlWAYkK_YBwk (Note that "normal" base64 encodings will require that you url encode all "+" characters as "%2B" so they aren't misinterpretted as spaces.) This was done for two reasons: 1. A hex-encoded SHA-512 is rather lengthy at 128 characters -- 88 isn't *that* much better, but it's something. 2. This will allow us to more-easily add support for different digests with the same bit length in the future. Base64-encoding is required for SHA-512 signatures; hex-encoding is supported for SHA-256 signatures so we aren't needlessly breaking from what Rackspace is doing. [1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html [2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Change-Id: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046 Related-Bug: #1733634
2017-12-05 20:19:37 +00:00
self.assertEqual(info['allowed_digests'], ['sha512'])
def test_bad_config(self):
with self.assertRaises(ValueError):
tempurl.filter_factory({
'allowed_digests': 'md4',
})
Expose allowed tempurl methods in /info Clients can construct tempurls for any method, but they only work if they're in this list, so it's helpful for clients to see the list. Change-Id: Id852f457d65b62c4fe79db01b1d7029a5fa5aa09
2013-12-12 16:13:42 -08:00
Reverted the pulling out of various middleware: RateLimit StaticWeb TempURL/FormPOST Change-Id: I988e93e6f4aacb817a2e354d43a04e47516fdf88
2012-05-16 21:08:34 +00:00
if __name__ == '__main__':
unittest.main()
Copy Permalink