Merge "Use swift3's check_signature function"
This commit is contained in:
commit
b06b88debe
@ -177,8 +177,6 @@ from __future__ import print_function
|
||||
from time import time
|
||||
from traceback import format_exc
|
||||
from uuid import uuid4
|
||||
from hashlib import sha1
|
||||
import hmac
|
||||
import base64
|
||||
|
||||
from eventlet import Timeout
|
||||
@ -437,20 +435,21 @@ class TempAuth(object):
|
||||
|
||||
s3_auth_details = env.get('swift3.auth_details')
|
||||
if s3_auth_details:
|
||||
if 'check_signature' not in s3_auth_details:
|
||||
self.logger.warning(
|
||||
'Swift3 did not provide a check_signature function; '
|
||||
'upgrade Swift3 if you want to use it with tempauth')
|
||||
return None
|
||||
account_user = s3_auth_details['access_key']
|
||||
signature_from_user = s3_auth_details['signature']
|
||||
if account_user not in self.users:
|
||||
return None
|
||||
account, user = account_user.split(':', 1)
|
||||
account_id = self.users[account_user]['url'].rsplit('/', 1)[-1]
|
||||
path = env['PATH_INFO']
|
||||
env['PATH_INFO'] = path.replace(account_user, account_id, 1)
|
||||
valid_signature = base64.encodestring(hmac.new(
|
||||
self.users[account_user]['key'],
|
||||
s3_auth_details['string_to_sign'],
|
||||
sha1).digest()).strip()
|
||||
if signature_from_user != valid_signature:
|
||||
user = self.users[account_user]
|
||||
account = account_user.split(':', 1)[0]
|
||||
account_id = user['url'].rsplit('/', 1)[-1]
|
||||
if not s3_auth_details['check_signature'](user['key']):
|
||||
return None
|
||||
env['PATH_INFO'] = env['PATH_INFO'].replace(
|
||||
account_user, account_id, 1)
|
||||
groups = self._get_user_groups(account, account_user, account_id)
|
||||
|
||||
return groups
|
||||
|
@ -19,7 +19,6 @@ import unittest
|
||||
from contextlib import contextmanager
|
||||
from base64 import b64encode
|
||||
from time import time
|
||||
import mock
|
||||
|
||||
from swift.common.middleware import tempauth as auth
|
||||
from swift.common.middleware.acl import format_acl
|
||||
@ -265,27 +264,58 @@ class TestAuth(unittest.TestCase):
|
||||
self.assertEqual(req.environ['swift.authorize'],
|
||||
local_auth.denied_response)
|
||||
|
||||
def test_auth_with_s3_authorization(self):
|
||||
def test_auth_with_s3_authorization_good(self):
|
||||
local_app = FakeApp()
|
||||
local_auth = auth.filter_factory(
|
||||
{'user_s3_s3': 'secret .admin'})(local_app)
|
||||
req = self._make_request('/v1/AUTH_s3', environ={
|
||||
req = self._make_request('/v1/s3:s3', environ={
|
||||
'swift3.auth_details': {
|
||||
'access_key': 's3:s3',
|
||||
'signature': b64encode('sig'),
|
||||
'string_to_sign': 't',
|
||||
'check_signature': lambda secret: True}})
|
||||
resp = req.get_response(local_auth)
|
||||
|
||||
self.assertEqual(resp.status_int, 404)
|
||||
self.assertEqual(local_app.calls, 1)
|
||||
self.assertEqual(req.environ['PATH_INFO'], '/v1/AUTH_s3')
|
||||
self.assertEqual(req.environ['swift.authorize'],
|
||||
local_auth.authorize)
|
||||
|
||||
def test_auth_with_s3_authorization_invalid(self):
|
||||
local_app = FakeApp()
|
||||
local_auth = auth.filter_factory(
|
||||
{'user_s3_s3': 'secret .admin'})(local_app)
|
||||
req = self._make_request('/v1/s3:s3', environ={
|
||||
'swift3.auth_details': {
|
||||
'access_key': 's3:s3',
|
||||
'signature': b64encode('sig'),
|
||||
'string_to_sign': 't',
|
||||
'check_signature': lambda secret: False}})
|
||||
resp = req.get_response(local_auth)
|
||||
|
||||
self.assertEqual(resp.status_int, 401)
|
||||
self.assertEqual(local_app.calls, 1)
|
||||
self.assertEqual(req.environ['PATH_INFO'], '/v1/s3:s3')
|
||||
self.assertEqual(req.environ['swift.authorize'],
|
||||
local_auth.denied_response)
|
||||
|
||||
def test_auth_with_old_s3_details(self):
|
||||
local_app = FakeApp()
|
||||
local_auth = auth.filter_factory(
|
||||
{'user_s3_s3': 'secret .admin'})(local_app)
|
||||
req = self._make_request('/v1/s3:s3', environ={
|
||||
'swift3.auth_details': {
|
||||
'access_key': 's3:s3',
|
||||
'signature': b64encode('sig'),
|
||||
'string_to_sign': 't'}})
|
||||
|
||||
with mock.patch('hmac.new') as hmac:
|
||||
hmac.return_value.digest.return_value = 'sig'
|
||||
resp = req.get_response(local_auth)
|
||||
self.assertEqual(hmac.mock_calls, [
|
||||
mock.call('secret', 't', mock.ANY),
|
||||
mock.call().digest()])
|
||||
|
||||
self.assertEqual(resp.status_int, 404)
|
||||
self.assertEqual(resp.status_int, 401)
|
||||
self.assertEqual(local_app.calls, 1)
|
||||
self.assertEqual(req.environ['PATH_INFO'], '/v1/s3:s3')
|
||||
self.assertEqual(req.environ['swift.authorize'],
|
||||
local_auth.authorize)
|
||||
local_auth.denied_response)
|
||||
|
||||
def test_auth_no_reseller_prefix_no_token(self):
|
||||
# Check that normally we set up a call back to our authorize.
|
||||
|
Loading…
Reference in New Issue
Block a user