summaryrefslogtreecommitdiffstats
path: root/keystone-moon/keystone/contrib/ec2/controllers.py
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/keystone/contrib/ec2/controllers.py')
-rw-r--r--keystone-moon/keystone/contrib/ec2/controllers.py72
1 files changed, 45 insertions, 27 deletions
diff --git a/keystone-moon/keystone/contrib/ec2/controllers.py b/keystone-moon/keystone/contrib/ec2/controllers.py
index 6e6d3268..78172ec9 100644
--- a/keystone-moon/keystone/contrib/ec2/controllers.py
+++ b/keystone-moon/keystone/contrib/ec2/controllers.py
@@ -46,7 +46,6 @@ from keystone.common import utils
from keystone.common import wsgi
from keystone import exception
from keystone.i18n import _
-from keystone.models import token_model
@dependency.requires('assignment_api', 'catalog_api', 'credential_api',
@@ -57,16 +56,30 @@ class Ec2ControllerCommon(object):
def check_signature(self, creds_ref, credentials):
signer = ec2_utils.Ec2Signer(creds_ref['secret'])
signature = signer.generate(credentials)
- if utils.auth_str_equal(credentials['signature'], signature):
- return
- # NOTE(vish): Some libraries don't use the port when signing
- # requests, so try again without port.
- elif ':' in credentials['signature']:
- hostname, _port = credentials['host'].split(':')
- credentials['host'] = hostname
- signature = signer.generate(credentials)
- if not utils.auth_str_equal(credentials.signature, signature):
- raise exception.Unauthorized(message='Invalid EC2 signature.')
+ # NOTE(davechen): credentials.get('signature') is not guaranteed to
+ # exist, we need check it explicitly.
+ if credentials.get('signature'):
+ if utils.auth_str_equal(credentials['signature'], signature):
+ return True
+ # NOTE(vish): Some client libraries don't use the port when signing
+ # requests, so try again without port.
+ elif ':' in credentials['host']:
+ hostname, _port = credentials['host'].split(':')
+ credentials['host'] = hostname
+ # NOTE(davechen): we need reinitialize 'signer' to avoid
+ # contaminated status of signature, this is similar with
+ # other programming language libraries, JAVA for example.
+ signer = ec2_utils.Ec2Signer(creds_ref['secret'])
+ signature = signer.generate(credentials)
+ if utils.auth_str_equal(credentials['signature'],
+ signature):
+ return True
+ raise exception.Unauthorized(
+ message='Invalid EC2 signature.')
+ else:
+ raise exception.Unauthorized(
+ message='EC2 signature not supplied.')
+ # Raise the exception when credentials.get('signature') is None
else:
raise exception.Unauthorized(message='EC2 signature not supplied.')
@@ -305,14 +318,7 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller):
:raises exception.Forbidden: when token is invalid
"""
- try:
- token_data = self.token_provider_api.validate_token(
- context['token_id'])
- except exception.TokenNotFound as e:
- raise exception.Unauthorized(e)
-
- token_ref = token_model.KeystoneToken(token_id=context['token_id'],
- token_data=token_data)
+ token_ref = utils.get_token_ref(context)
if token_ref.user_id != user_id:
raise exception.Forbidden(_('Token belongs to another user'))
@@ -329,7 +335,7 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller):
# to properly perform policy enforcement.
self.assert_admin(context)
return True
- except exception.Forbidden:
+ except (exception.Forbidden, exception.Unauthorized):
return False
def _assert_owner(self, user_id, credential_id):
@@ -349,11 +355,11 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller):
@dependency.requires('policy_api', 'token_provider_api')
class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
- member_name = 'project'
+ collection_name = 'credentials'
+ member_name = 'credential'
def __init__(self):
super(Ec2ControllerV3, self).__init__()
- self.get_member_from_driver = self.credential_api.get_credential
def _check_credential_owner_and_user_id_match(self, context, prep_info,
user_id, credential_id):
@@ -385,23 +391,35 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller):
@controller.protected(callback=_check_credential_owner_and_user_id_match)
def ec2_get_credential(self, context, user_id, credential_id):
- return super(Ec2ControllerV3, self).get_credential(user_id,
- credential_id)
+ ref = super(Ec2ControllerV3, self).get_credential(user_id,
+ credential_id)
+ return Ec2ControllerV3.wrap_member(context, ref['credential'])
@controller.protected()
def ec2_list_credentials(self, context, user_id):
- return super(Ec2ControllerV3, self).get_credentials(user_id)
+ refs = super(Ec2ControllerV3, self).get_credentials(user_id)
+ return Ec2ControllerV3.wrap_collection(context, refs['credentials'])
@controller.protected()
def ec2_create_credential(self, context, user_id, tenant_id):
- return super(Ec2ControllerV3, self).create_credential(context, user_id,
- tenant_id)
+ ref = super(Ec2ControllerV3, self).create_credential(context, user_id,
+ tenant_id)
+ return Ec2ControllerV3.wrap_member(context, ref['credential'])
@controller.protected(callback=_check_credential_owner_and_user_id_match)
def ec2_delete_credential(self, context, user_id, credential_id):
return super(Ec2ControllerV3, self).delete_credential(user_id,
credential_id)
+ @classmethod
+ def _add_self_referential_link(cls, context, ref):
+ path = '/users/%(user_id)s/credentials/OS-EC2/%(credential_id)s'
+ url = cls.base_url(context, path) % {
+ 'user_id': ref['user_id'],
+ 'credential_id': ref['access']}
+ ref.setdefault('links', {})
+ ref['links']['self'] = url
+
def render_token_data_response(token_id, token_data):
"""Render token data HTTP response.