6c6af7e2bc
nova.auth.signer.Signer now honors the SignatureMethod parameter for SHA1 when creating signatures Change-Id: I4050407d374d18427f9a955ea98242f7325a5d54
170 lines
6.3 KiB
Python
170 lines
6.3 KiB
Python
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
|
|
|
# Copyright 2010 United States Government as represented by the
|
|
# Administrator of the National Aeronautics and Space Administration.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# PORTIONS OF THIS FILE ARE FROM:
|
|
# http://code.google.com/p/boto
|
|
# Copyright (c) 2006-2009 Mitch Garnaat http://garnaat.org/
|
|
#
|
|
# Permission is hereby granted, free of charge, to any person obtaining a
|
|
# copy of this software and associated documentation files (the
|
|
# "Software"), to deal in the Software without restriction, including
|
|
# without limitation the rights to use, copy, modify, merge, publish, dis-
|
|
# tribute, sublicense, and/or sell copies of the Software, and to permit
|
|
# persons to whom the Software is furnished to do so, subject to the fol-
|
|
# lowing conditions:
|
|
#
|
|
# The above copyright notice and this permission notice shall be included
|
|
# in all copies or substantial portions of the Software.
|
|
#
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
|
|
# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
|
|
# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
|
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
|
|
# IN THE SOFTWARE.
|
|
|
|
"""
|
|
Utility class for parsing signed AMI manifests.
|
|
"""
|
|
|
|
import base64
|
|
import hashlib
|
|
import hmac
|
|
import urllib
|
|
|
|
# NOTE(vish): for new boto
|
|
import boto
|
|
# NOTE(vish): for old boto
|
|
import boto.utils
|
|
|
|
from nova import exception
|
|
from nova import log as logging
|
|
|
|
|
|
LOG = logging.getLogger('nova.signer')
|
|
|
|
|
|
class Signer(object):
|
|
"""Hacked up code from boto/connection.py"""
|
|
|
|
def __init__(self, secret_key):
|
|
self.hmac = hmac.new(secret_key, digestmod=hashlib.sha1)
|
|
if hashlib.sha256:
|
|
self.hmac_256 = hmac.new(secret_key, digestmod=hashlib.sha256)
|
|
else:
|
|
self.hmac_256 = None
|
|
|
|
def s3_authorization(self, headers, verb, path):
|
|
"""Generate S3 authorization string."""
|
|
c_string = boto.utils.canonical_string(verb, path, headers)
|
|
hmac_copy = self.hmac.copy()
|
|
hmac_copy.update(c_string)
|
|
b64_hmac = base64.encodestring(hmac_copy.digest()).strip()
|
|
return b64_hmac
|
|
|
|
def generate(self, params, verb, server_string, path):
|
|
"""Generate auth string according to what SignatureVersion is given.
|
|
|
|
The signature method must be SHA1 or SHA256.
|
|
|
|
"""
|
|
if params['SignatureVersion'] == '0':
|
|
return self._calc_signature_0(params)
|
|
if params['SignatureVersion'] == '1':
|
|
return self._calc_signature_1(params)
|
|
if params['SignatureVersion'] == '2':
|
|
return self._calc_signature_2(params, verb, server_string, path)
|
|
raise exception.Error('Unknown Signature Version: %s' %
|
|
params['SignatureVersion'])
|
|
|
|
@staticmethod
|
|
def _get_utf8_value(value):
|
|
"""Get the UTF8-encoded version of a value."""
|
|
if not isinstance(value, str) and not isinstance(value, unicode):
|
|
value = str(value)
|
|
if isinstance(value, unicode):
|
|
return value.encode('utf-8')
|
|
else:
|
|
return value
|
|
|
|
def _calc_signature_0(self, params):
|
|
"""Generate AWS signature version 0 string."""
|
|
s = params['Action'] + params['Timestamp']
|
|
self.hmac.update(s)
|
|
keys = params.keys()
|
|
keys.sort(cmp=lambda x, y: cmp(x.lower(), y.lower()))
|
|
pairs = []
|
|
for key in keys:
|
|
val = self._get_utf8_value(params[key])
|
|
pairs.append(key + '=' + urllib.quote(val))
|
|
return base64.b64encode(self.hmac.digest())
|
|
|
|
def _calc_signature_1(self, params):
|
|
"""Generate AWS signature version 1 string."""
|
|
keys = params.keys()
|
|
keys.sort(cmp=lambda x, y: cmp(x.lower(), y.lower()))
|
|
pairs = []
|
|
for key in keys:
|
|
self.hmac.update(key)
|
|
val = self._get_utf8_value(params[key])
|
|
self.hmac.update(val)
|
|
pairs.append(key + '=' + urllib.quote(val))
|
|
return base64.b64encode(self.hmac.digest())
|
|
|
|
def _calc_signature_2(self, params, verb, server_string, path):
|
|
"""Generate AWS signature version 2 string."""
|
|
LOG.debug('using _calc_signature_2')
|
|
string_to_sign = '%s\n%s\n%s\n' % (verb, server_string, path)
|
|
|
|
if 'SignatureMethod' not in params:
|
|
raise exception.Error('No SignatureMethod specified')
|
|
|
|
if params['SignatureMethod'] == 'HmacSHA256':
|
|
if not self.hmac_256:
|
|
raise exception.Error('SHA256 not supported on this server')
|
|
current_hmac = self.hmac_256
|
|
elif params['SignatureMethod'] == 'HmacSHA1':
|
|
current_hmac = self.hmac
|
|
else:
|
|
raise exception.Error('SignatureMethod %s not supported'
|
|
% params['SignatureMethod'])
|
|
|
|
keys = params.keys()
|
|
keys.sort()
|
|
pairs = []
|
|
for key in keys:
|
|
val = self._get_utf8_value(params[key])
|
|
val = urllib.quote(val, safe='-_~')
|
|
pairs.append(urllib.quote(key, safe='') + '=' + val)
|
|
qs = '&'.join(pairs)
|
|
LOG.debug('query string: %s', qs)
|
|
string_to_sign += qs
|
|
LOG.debug('string_to_sign: %s', string_to_sign)
|
|
current_hmac.update(string_to_sign)
|
|
b64 = base64.b64encode(current_hmac.digest())
|
|
LOG.debug('len(b64)=%d', len(b64))
|
|
LOG.debug('base64 encoded digest: %s', b64)
|
|
return b64
|
|
|
|
|
|
if __name__ == '__main__':
|
|
print Signer('foo').generate({'SignatureVersion': '2',
|
|
'SignatureMethod': 'HmacSHA256'},
|
|
'get', 'server', '/foo')
|