From 8b9980b4970dfc85cc63b5de1f4be064caeca176 Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Tue, 12 Feb 2019 15:43:59 +0100
Subject: [PATCH] Normalize endpoint path in oauth client

oauthlib uses the request URI as input for generating an oauth signature and matching it against the incoming oauth_signature request attribute. tempest also uses the URI to generate this signature, which means the URIs must match exactly. If the keystone catalog contains an endpoint with a trailing slash, such as https://keystone.example.org/v3/, then the URI that tempest uses for the signature generation will be https://keystone.example.org/v3//OS-OAUTH1/request_token. The incoming request URI that oauthlib sees will not have the duplicate slash and so the resulting signature will differ, and the auth request will be rejected due to mismatching HMAC-SHA1 signatures. This patch corrects the issue for deployments that use a trailing slash in their keystone catalogs (which is valid) by normalizing the path before generating the signature.

Change-Id: Ie827b1af7b23c6d6eaf2c2894cc2629d0e252108
---
 tempest/lib/services/identity/v3/oauth_token_client.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tempest/lib/services/identity/v3/oauth_token_client.py b/tempest/lib/services/identity/v3/oauth_token_client.py
index b1d298b8fc..94da0438b3 100644
--- a/tempest/lib/services/identity/v3/oauth_token_client.py
+++ b/tempest/lib/services/identity/v3/oauth_token_client.py
@@ -74,6 +74,7 @@ class OAUTHTokenClient(rest_client.RestClient):
 scheme, netloc, path, params, query, fragment = urlparse.urlparse(uri)
 scheme = scheme.lower()
 netloc = netloc.lower()
+ path = path.replace('//', '/')
 normalized_uri = urlparse.urlunparse((scheme, netloc, path, params, '', ''))
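Review bot: `path.replace('//', '/')` makes a single non-overlapping pass, so a run of three or more slashes (for example a catalog endpoint that ends in `//`) still leaves `//` in the path and the HMAC-SHA1 mismatch described in the commit message would remain; `path = re.sub(r'/{2,}', '/', path)` collapses a run of any length, provided `re` is imported in this module (the import block is outside the hunk). The added line also changes only the URI that is signed, not the one that is sent, so the signatures agree only while the server side collapses slashes in the same way; stripping the trailing slash where the endpoint and the relative path are joined would keep the signed and the transmitted URI identical. A short comment such as `# collapse duplicate slashes so the signed URI matches the one oauthlib sees` would explain the line, and the patch adds no test for an endpoint with a trailing slash. The enclosing method starts and ends outside the hunk.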