From 6096457d7400c280f9ee07a9c5b9760e74ecee4b Mon Sep 17 00:00:00 2001 From: Tobias Urdin Date: Mon, 12 Feb 2024 08:36:53 +0000 Subject: [PATCH] Dont enforce when HTTP GET on s3tokens and ec2tokens When calling the s3tokens or ec2tokens API with a HTTP GET we should get a 405 Method Not Allowed but we get a 500 Internal Server Error because we enforce that method. Closes-Bug: #2052916 Change-Id: I5f60d10dc25551175cc73ca8f3f28b0b95ec9f99 Signed-off-by: Tobias Urdin --- keystone/api/_shared/EC2_S3_Resource.py | 1 + keystone/tests/unit/test_contrib_ec2_core.py | 7 +++++++ keystone/tests/unit/test_contrib_s3_core.py | 7 +++++++ ...nt-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml | 6 ++++++ 4 files changed, 21 insertions(+) create mode 100644 releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml diff --git a/keystone/api/_shared/EC2_S3_Resource.py b/keystone/api/_shared/EC2_S3_Resource.py index ff94286b6e..7b2fc21b29 100644 --- a/keystone/api/_shared/EC2_S3_Resource.py +++ b/keystone/api/_shared/EC2_S3_Resource.py @@ -31,6 +31,7 @@ CRED_TYPE_EC2 = 'ec2' class ResourceBase(ks_flask.ResourceBase): + @ks_flask.unenforced_api def get(self): # SPECIAL CASE: GET is not allowed, raise METHOD_NOT_ALLOWED raise exceptions.MethodNotAllowed(valid_methods=['POST']) diff --git a/keystone/tests/unit/test_contrib_ec2_core.py b/keystone/tests/unit/test_contrib_ec2_core.py index 4b514f8985..8da5bbaa65 100644 --- a/keystone/tests/unit/test_contrib_ec2_core.py +++ b/keystone/tests/unit/test_contrib_ec2_core.py @@ -37,6 +37,13 @@ class EC2ContribCoreV3(test_v3.RestfulTestCase): PROVIDERS.credential_api.create_credential( self.credential['id'], self.credential) + def test_http_get_method_not_allowed(self): + resp = self.get('/ec2tokens', + expected_status=http.client.METHOD_NOT_ALLOWED, + convert=False) + self.assertEqual(http.client.METHOD_NOT_ALLOWED, + resp.status_code) + def test_valid_authentication_response_with_proper_secret(self): signer = ec2_utils.Ec2Signer(self.cred_blob['secret']) timestamp = utils.isotime(timeutils.utcnow()) diff --git a/keystone/tests/unit/test_contrib_s3_core.py b/keystone/tests/unit/test_contrib_s3_core.py index a9c8acd7ce..b109e8cdf2 100644 --- a/keystone/tests/unit/test_contrib_s3_core.py +++ b/keystone/tests/unit/test_contrib_s3_core.py @@ -39,6 +39,13 @@ class S3ContribCore(test_v3.RestfulTestCase): PROVIDERS.credential_api.create_credential( self.credential['id'], self.credential) + def test_http_get_method_not_allowed(self): + resp = self.get('/s3tokens', + expected_status=http.client.METHOD_NOT_ALLOWED, + convert=False) + self.assertEqual(http.client.METHOD_NOT_ALLOWED, + resp.status_code) + def test_good_response(self): sts = 'string to sign' # opaque string from swift3 sig = hmac.new(self.cred_blob['secret'].encode('ascii'), diff --git a/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml b/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml new file mode 100644 index 0000000000..fcdd030fbf --- /dev/null +++ b/releasenotes/notes/dont-enforce-get-s3tokens-ec2tokens-62b90b199e8075d8.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + [`bug 2052916 `_] + Fixed a bug where a HTTP GET request against ``/v3/s3tokens`` or + ``/v3/ec2tokens`` would return HTTP 500 instead of HTTP 405.