Adding parse of protocol v4 of AWS auth to ec2_token

This patch adds parsing of protocol v4 of AWS auth to ec2_token. This code 'copy-pasted' from nova where it works well. Also this patch adds unit tests for ec2_token middleware. Chunks of the code proposed can be seen here: https://github.com/openstack/ec2-api/blob/master/ec2api/api/__init__.py#L166 and here: https://github.com/openstack/ec2-api/blob/master/ec2api/api/faults.py We copy and paste the code since pulling in ec2api would bring in a lot of dependencies and probably create a circular one https://github.com/openstack/ec2-api/blob/master/requirements.txt Change-Id: Id03a7c78152bda35879550f2aaf94483b82f381e Closes-Bug: 1473039 Closes-Bug: 1333951
2015-08-03 08:19:15 +03:00 · 2015-08-03 08:19:15 +03:00 · 9390329f07
parent e0e1df5ef3
commit 9390329f07
2 changed files with 301 additions and 30 deletions
--- a/keystonemiddleware/ec2_token.py
+++ b/keystonemiddleware/ec2_token.py
@ -20,11 +20,17 @@ Starting point for routing EC2 requests.

 """

+import hashlib
+import logging
+
 from oslo_config import cfg
 from oslo_serialization import jsonutils
 import requests
+import six
 import webob.dec
-import webob.exc
+
+from keystonemiddleware.i18n import _
+

 keystone_ec2_opts = [
    cfg.StrOpt('url',
@ -47,45 +53,118 @@ CONF = cfg.CONF
 CONF.register_opts(keystone_ec2_opts, group='keystone_ec2_token')


+PROTOCOL_NAME = 'EC2 Token Authentication'
+
+
 class EC2Token(object):
    """Authenticate an EC2 request with keystone and convert to token."""

-    def __init__(self, application):
+    def __init__(self, application, conf):
        super(EC2Token, self).__init__()
        self._application = application
+        self._logger = logging.getLogger(conf.get('log_name', __name__))
+        self._logger.debug('Starting the %s component', PROTOCOL_NAME)
+
+    def _ec2_error_response(self, code, message):
+        """Helper to construct an EC2 compatible error message."""
+        self._logger.debug('EC2 error response: %(code)s: %(message)s',
+                           {'code': code, 'message': message})
+        resp = webob.Response()
+        resp.status = 400
+        resp.headers['Content-Type'] = 'text/xml'
+        error_msg = str('<?xml version="1.0"?>\n'
+                        '<Response><Errors><Error><Code>%s</Code>'
+                        '<Message>%s</Message></Error></Errors></Response>' %
+                        (code, message))
+        if six.PY3:
+            error_msg = error_msg.encode()
+        resp.body = error_msg
+        return resp
+
+    def _get_signature(self, req):
+        """Extract the signature from the request.
+
+        This can be a get/post variable or for version 4 also in a header
+        called 'Authorization'.
+        - params['Signature'] == version 0,1,2,3
+        - params['X-Amz-Signature'] == version 4
+        - header 'Authorization' == version 4
+        """
+        sig = req.params.get('Signature') or req.params.get('X-Amz-Signature')
+        if sig is None and 'Authorization' in req.headers:
+            auth_str = req.headers['Authorization']
+            sig = auth_str.partition("Signature=")[2].split(',')[0]
+
+        return sig
+
+    def _get_access(self, req):
+        """Extract the access key identifier.
+
+        For version 0/1/2/3 this is passed as the AccessKeyId parameter, for
+        version 4 it is either an X-Amz-Credential parameter or a Credential=
+        field in the 'Authorization' header string.
+        """
+        access = req.params.get('AWSAccessKeyId')
+        if access is None:
+            cred_param = req.params.get('X-Amz-Credential')
+            if cred_param:
+                access = cred_param.split("/")[0]
+
+        if access is None and 'Authorization' in req.headers:
+            auth_str = req.headers['Authorization']
+            cred_str = auth_str.partition("Credential=")[2].split(',')[0]
+            access = cred_str.split("/")[0]
+
+        return access

    @webob.dec.wsgify()
    def __call__(self, req):
-        # Read request signature and access id.
-        try:
-            signature = req.params['Signature']
-            access = req.params['AWSAccessKeyId']
-        except KeyError:
-            raise webob.exc.HTTPBadRequest()
+        # NOTE(alevine): We need to calculate the hash here because
+        # subsequent access to request modifies the req.body so the hash
+        # calculation will yield invalid results.
+        body_hash = hashlib.sha256(req.body).hexdigest()

-        # Make a copy of args for authentication and signature verification.
-        auth_params = dict(req.params)
-        # Not part of authentication args
-        auth_params.pop('Signature')
+        signature = self._get_signature(req)
+        if not signature:
+            msg = _("Signature not provided")
+            return self._ec2_error_response("AuthFailure", msg)
+        access = self._get_access(req)
+        if not access:
+            msg = _("Access key not provided")
+            return self._ec2_error_response("AuthFailure", msg)

-        # Authenticate the request.
-        creds = {
-            'ec2Credentials': {
-                'access': access,
-                'signature': signature,
-                'host': req.host,
-                'verb': req.method,
-                'path': req.path,
-                'params': auth_params,
-            }
+        if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
+            auth_params = {}
+        else:
+            # Make a copy of args for authentication and signature verification
+            auth_params = dict(req.params)
+            # Not part of authentication args
+            auth_params.pop('Signature', None)
+
+        headers = req.headers
+        if six.PY3:
+            # NOTE(andrey-mp): jsonutils dumps it as list of keys without
+            # conversion instead real dict
+            headers = {k: headers[k] for k in headers}
+        cred_dict = {
+            'access': access,
+            'signature': signature,
+            'host': req.host,
+            'verb': req.method,
+            'path': req.path,
+            'params': auth_params,
+            'headers': headers,
+            'body_hash': body_hash
        }
+        if "ec2" in CONF.keystone_ec2_token.url:
+            creds = {'ec2Credentials': cred_dict}
+        else:
+            creds = {'auth': {'OS-KSEC2:ec2Credentials': cred_dict}}
        creds_json = jsonutils.dumps(creds)
        headers = {'Content-Type': 'application/json'}

-        verify = True
-        if CONF.keystone_ec2_token.insecure:
-            verify = False
-        elif CONF.keystone_ec2_token.cafile:
+        verify = not CONF.keystone_ec2_token.insecure
+        if verify and CONF.keystone_ec2_token.cafile:
            verify = CONF.keystone_ec2_token.cafile

        cert = None
@ -96,18 +175,30 @@ class EC2Token(object):
        elif CONF.keystone_ec2_token.certfile:
            cert = CONF.keystone_ec2_token.certfile

-        response = requests.post(CONF.keystone_ec2_token.url, data=creds_json,
-                                 headers=headers, verify=verify, cert=cert)
+        response = requests.request('POST', CONF.keystone_ec2_token.url,
+                                    data=creds_json, headers=headers,
+                                    verify=verify, cert=cert)

        # NOTE(vish): We could save a call to keystone by
        #             having keystone return token, tenant,
        #             user, and roles from this call.

+        status_code = response.status_code
+        if status_code != 200:
+            msg = _('Error response from keystone: %s') % response.reason
+            self._logger.debug(msg)
+            return self._ec2_error_response("AuthFailure", msg)
        result = response.json()
        try:
-            token_id = result['access']['token']['id']
+            if 'token' in result:
+                # NOTE(andrey-mp): response from keystone v3
+                token_id = response.headers['x-subject-token']
+            else:
+                token_id = result['access']['token']['id']
        except (AttributeError, KeyError):
-            raise webob.exc.HTTPBadRequest()
+            msg = _("Failure parsing response from keystone")
+            self._logger.exception(msg)
+            return self._ec2_error_response("AuthFailure", msg)

        # Authenticated!
        req.headers['X-Auth-Token'] = token_id
--- a/keystonemiddleware/tests/unit/test_ec2_token_middleware.py
+++ b/keystonemiddleware/tests/unit/test_ec2_token_middleware.py
@ -0,0 +1,180 @@
+# Copyright 2012 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import mock
+from oslo_serialization import jsonutils
+import requests
+import six
+import webob
+
+from keystonemiddleware import ec2_token
+from keystonemiddleware.tests.unit import utils
+
+
+TOKEN_ID = 'fake-token-id'
+GOOD_RESPONSE = {'access': {'token': {'id': TOKEN_ID,
+                                      'tenant': {'id': 'TENANT_ID'}}}}
+EMPTY_RESPONSE = {}
+
+
+class FakeResponse(object):
+    reason = "Test Reason"
+
+    def __init__(self, json, status_code=400):
+        self._json = json
+        self.status_code = status_code
+
+    def json(self):
+        return self._json
+
+
+class FakeApp(object):
+    """This represents a WSGI app protected by the auth_token middleware."""
+    def __call__(self, env, start_response):
+        resp = webob.Response()
+        resp.environ = env
+        return resp(env, start_response)
+
+
+class EC2TokenMiddlewareTestBase(utils.TestCase):
+
+    TEST_PROTOCOL = 'https'
+    TEST_HOST = 'fakehost'
+    TEST_PORT = 35357
+    TEST_URL = '%s://%s:%d/v2.0/ec2tokens' % (TEST_PROTOCOL,
+                                              TEST_HOST,
+                                              TEST_PORT)
+
+    def setUp(self):
+        super(EC2TokenMiddlewareTestBase, self).setUp()
+        self.middleware = ec2_token.EC2Token(FakeApp(), {})
+
+    def _validate_ec2_error(self, response, http_status, ec2_code):
+        self.assertEqual(http_status, response.status_code,
+                         'Expected HTTP status %s' % http_status)
+        error_msg = '<Code>%s</Code>' % ec2_code
+        if six.PY3:
+            # encode error message like main code
+            error_msg = error_msg.encode()
+        self.assertIn(error_msg, response.body)
+
+
+class EC2TokenMiddlewareTestGood(EC2TokenMiddlewareTestBase):
+    @mock.patch.object(
+        requests, 'request',
+        return_value=FakeResponse(GOOD_RESPONSE, status_code=200))
+    def test_protocol_old_versions(self, mock_request):
+        req = webob.Request.blank('/test')
+        req.GET['Signature'] = 'test-signature'
+        req.GET['AWSAccessKeyId'] = 'test-key-id'
+        req.body = b'Action=ListUsers&Version=2010-05-08'
+        resp = req.get_response(self.middleware)
+        self.assertEqual(200, resp.status_code)
+        self.assertEqual(TOKEN_ID, req.headers['X-Auth-Token'])
+
+        mock_request.assert_called_with(
+            'POST', 'http://localhost:5000/v2.0/ec2tokens',
+            data=mock.ANY, headers={'Content-Type': 'application/json'},
+            verify=True, cert=None)
+
+        data = jsonutils.loads(mock_request.call_args[1]['data'])
+        expected_data = {
+            'ec2Credentials': {
+                'access': 'test-key-id',
+                'headers': {'Host': 'localhost:80', 'Content-Length': '35'},
+                'host': 'localhost:80',
+                'verb': 'GET',
+                'params': {'AWSAccessKeyId': 'test-key-id'},
+                'signature': 'test-signature',
+                'path': '/test',
+                'body_hash': 'b6359072c78d70ebee1e81adcbab4f01'
+                             'bf2c23245fa365ef83fe8f1f955085e2'}}
+        self.assertDictEqual(expected_data, data)
+
+    @mock.patch.object(
+        requests, 'request',
+        return_value=FakeResponse(GOOD_RESPONSE, status_code=200))
+    def test_protocol_v4(self, mock_request):
+        req = webob.Request.blank('/test')
+        auth_str = (
+            'AWS4-HMAC-SHA256'
+            ' Credential=test-key-id/20110909/us-east-1/iam/aws4_request,'
+            ' SignedHeaders=content-type;host;x-amz-date,'
+            ' Signature=test-signature')
+        req.headers['Authorization'] = auth_str
+        req.body = b'Action=ListUsers&Version=2010-05-08'
+        resp = req.get_response(self.middleware)
+        self.assertEqual(200, resp.status_code)
+        self.assertEqual(TOKEN_ID, req.headers['X-Auth-Token'])
+
+        mock_request.assert_called_with(
+            'POST', 'http://localhost:5000/v2.0/ec2tokens',
+            data=mock.ANY, headers={'Content-Type': 'application/json'},
+            verify=True, cert=None)
+
+        data = jsonutils.loads(mock_request.call_args[1]['data'])
+        expected_data = {
+            'ec2Credentials': {
+                'access': 'test-key-id',
+                'headers': {'Host': 'localhost:80',
+                            'Content-Length': '35',
+                            'Authorization': auth_str},
+                'host': 'localhost:80',
+                'verb': 'GET',
+                'params': {},
+                'signature': 'test-signature',
+                'path': '/test',
+                'body_hash': 'b6359072c78d70ebee1e81adcbab4f01'
+                             'bf2c23245fa365ef83fe8f1f955085e2'}}
+        self.assertDictEqual(expected_data, data)
+
+
+class EC2TokenMiddlewareTestBad(EC2TokenMiddlewareTestBase):
+
+    def test_no_signature(self):
+        req = webob.Request.blank('/test')
+        resp = req.get_response(self.middleware)
+        self._validate_ec2_error(resp, 400, 'AuthFailure')
+
+    def test_no_key_id(self):
+        req = webob.Request.blank('/test')
+        req.GET['Signature'] = 'test-signature'
+        resp = req.get_response(self.middleware)
+        self._validate_ec2_error(resp, 400, 'AuthFailure')
+
+    @mock.patch.object(requests,
+                       'request',
+                       return_value=FakeResponse(EMPTY_RESPONSE))
+    def test_communication_failure(self, mock_request):
+        req = webob.Request.blank('/test')
+        req.GET['Signature'] = 'test-signature'
+        req.GET['AWSAccessKeyId'] = 'test-key-id'
+        resp = req.get_response(self.middleware)
+        self._validate_ec2_error(resp, 400, 'AuthFailure')
+        mock_request.assert_called_with('POST', mock.ANY,
+                                        data=mock.ANY, headers=mock.ANY,
+                                        verify=mock.ANY, cert=mock.ANY)
+
+    @mock.patch.object(requests,
+                       'request',
+                       return_value=FakeResponse(EMPTY_RESPONSE))
+    def test_no_result_data(self, mock_request):
+        req = webob.Request.blank('/test')
+        req.GET['Signature'] = 'test-signature'
+        req.GET['AWSAccessKeyId'] = 'test-key-id'
+        resp = req.get_response(self.middleware)
+        self._validate_ec2_error(resp, 400, 'AuthFailure')
+        mock_request.assert_called_with('POST', mock.ANY,
+                                        data=mock.ANY, headers=mock.ANY,
+                                        verify=mock.ANY, cert=mock.ANY)