diff options
Diffstat (limited to 'keystone-moon/keystone/contrib/ec2')
-rw-r--r-- | keystone-moon/keystone/contrib/ec2/controllers.py | 72 |
1 files changed, 45 insertions, 27 deletions
diff --git a/keystone-moon/keystone/contrib/ec2/controllers.py b/keystone-moon/keystone/contrib/ec2/controllers.py index 6e6d3268..78172ec9 100644 --- a/keystone-moon/keystone/contrib/ec2/controllers.py +++ b/keystone-moon/keystone/contrib/ec2/controllers.py @@ -46,7 +46,6 @@ from keystone.common import utils from keystone.common import wsgi from keystone import exception from keystone.i18n import _ -from keystone.models import token_model @dependency.requires('assignment_api', 'catalog_api', 'credential_api', @@ -57,16 +56,30 @@ class Ec2ControllerCommon(object): def check_signature(self, creds_ref, credentials): signer = ec2_utils.Ec2Signer(creds_ref['secret']) signature = signer.generate(credentials) - if utils.auth_str_equal(credentials['signature'], signature): - return - # NOTE(vish): Some libraries don't use the port when signing - # requests, so try again without port. - elif ':' in credentials['signature']: - hostname, _port = credentials['host'].split(':') - credentials['host'] = hostname - signature = signer.generate(credentials) - if not utils.auth_str_equal(credentials.signature, signature): - raise exception.Unauthorized(message='Invalid EC2 signature.') + # NOTE(davechen): credentials.get('signature') is not guaranteed to + # exist, we need check it explicitly. + if credentials.get('signature'): + if utils.auth_str_equal(credentials['signature'], signature): + return True + # NOTE(vish): Some client libraries don't use the port when signing + # requests, so try again without port. + elif ':' in credentials['host']: + hostname, _port = credentials['host'].split(':') + credentials['host'] = hostname + # NOTE(davechen): we need reinitialize 'signer' to avoid + # contaminated status of signature, this is similar with + # other programming language libraries, JAVA for example. + signer = ec2_utils.Ec2Signer(creds_ref['secret']) + signature = signer.generate(credentials) + if utils.auth_str_equal(credentials['signature'], + signature): + return True + raise exception.Unauthorized( + message='Invalid EC2 signature.') + else: + raise exception.Unauthorized( + message='EC2 signature not supplied.') + # Raise the exception when credentials.get('signature') is None else: raise exception.Unauthorized(message='EC2 signature not supplied.') @@ -305,14 +318,7 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller): :raises exception.Forbidden: when token is invalid """ - try: - token_data = self.token_provider_api.validate_token( - context['token_id']) - except exception.TokenNotFound as e: - raise exception.Unauthorized(e) - - token_ref = token_model.KeystoneToken(token_id=context['token_id'], - token_data=token_data) + token_ref = utils.get_token_ref(context) if token_ref.user_id != user_id: raise exception.Forbidden(_('Token belongs to another user')) @@ -329,7 +335,7 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller): # to properly perform policy enforcement. self.assert_admin(context) return True - except exception.Forbidden: + except (exception.Forbidden, exception.Unauthorized): return False def _assert_owner(self, user_id, credential_id): @@ -349,11 +355,11 @@ class Ec2Controller(Ec2ControllerCommon, controller.V2Controller): @dependency.requires('policy_api', 'token_provider_api') class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller): - member_name = 'project' + collection_name = 'credentials' + member_name = 'credential' def __init__(self): super(Ec2ControllerV3, self).__init__() - self.get_member_from_driver = self.credential_api.get_credential def _check_credential_owner_and_user_id_match(self, context, prep_info, user_id, credential_id): @@ -385,23 +391,35 @@ class Ec2ControllerV3(Ec2ControllerCommon, controller.V3Controller): @controller.protected(callback=_check_credential_owner_and_user_id_match) def ec2_get_credential(self, context, user_id, credential_id): - return super(Ec2ControllerV3, self).get_credential(user_id, - credential_id) + ref = super(Ec2ControllerV3, self).get_credential(user_id, + credential_id) + return Ec2ControllerV3.wrap_member(context, ref['credential']) @controller.protected() def ec2_list_credentials(self, context, user_id): - return super(Ec2ControllerV3, self).get_credentials(user_id) + refs = super(Ec2ControllerV3, self).get_credentials(user_id) + return Ec2ControllerV3.wrap_collection(context, refs['credentials']) @controller.protected() def ec2_create_credential(self, context, user_id, tenant_id): - return super(Ec2ControllerV3, self).create_credential(context, user_id, - tenant_id) + ref = super(Ec2ControllerV3, self).create_credential(context, user_id, + tenant_id) + return Ec2ControllerV3.wrap_member(context, ref['credential']) @controller.protected(callback=_check_credential_owner_and_user_id_match) def ec2_delete_credential(self, context, user_id, credential_id): return super(Ec2ControllerV3, self).delete_credential(user_id, credential_id) + @classmethod + def _add_self_referential_link(cls, context, ref): + path = '/users/%(user_id)s/credentials/OS-EC2/%(credential_id)s' + url = cls.base_url(context, path) % { + 'user_id': ref['user_id'], + 'credential_id': ref['access']} + ref.setdefault('links', {}) + ref['links']['self'] = url + def render_token_data_response(token_id, token_data): """Render token data HTTP response. |