Make code compatible with v4 auth and workaround webob bug.

Webob library has a bug https://github.com/Pylons/webob/issues/149 which causes modification of req.body after first access. So it's critical to calculate the body hash before any other access is made. auth_params should be empty for v4 auth algorythm. Related-Bug: #1410622 Change-Id: I06d798a125b700d9b4670448804d6be27f978d75
2015-02-02 16:32:24 +03:00 · 2015-02-02 16:32:24 +03:00 · fb588f87db
parent 0eee9cbfa7
commit fb588f87db
1 changed files with 12 additions and 5 deletions
--- a/nova/api/ec2/init.py
+++ b/nova/api/ec2/init.py
@ -224,6 +224,11 @@ class EC2KeystoneAuth(wsgi.Middleware):

    @webob.dec.wsgify(RequestClass=wsgi.Request)
    def __call__(self, req):
+        # NOTE(alevine) We need to calculate the hash here because
+        # subsequent access to request modifies the req.body so the hash
+        # calculation will yield invalid results.
+        body_hash = hashlib.sha256(req.body).hexdigest()
+
        request_id = common_context.generate_request_id()
        signature = self._get_signature(req)
        if not signature:
@ -236,12 +241,14 @@ class EC2KeystoneAuth(wsgi.Middleware):
            return faults.ec2_error_response(request_id, "AuthFailure", msg,
                                             status=400)

-        # Make a copy of args for authentication and signature verification.
-        auth_params = dict(req.params)
-        # Not part of authentication args
-        auth_params.pop('Signature', None)
+        if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
+            auth_params = {}
+        else:
+            # Make a copy of args for authentication and signature verification
+            auth_params = dict(req.params)
+            # Not part of authentication args
+            auth_params.pop('Signature', None)

-        body_hash = hashlib.sha256(req.body).hexdigest()
        cred_dict = {
            'access': access,
            'signature': signature,