From fb588f87db65f28823f9e07a9900c34c7b3576a2 Mon Sep 17 00:00:00 2001
From: Andrey Pavlov
Date: Mon, 2 Feb 2015 16:32:24 +0300
Subject: [PATCH] Make code compatible with v4 auth and workaround webob bug.
Webob library has a bug https://github.com/Pylons/webob/issues/149 which causes modification of req.body after first access. So it's critical to calculate the body hash before any other access is made. auth_params should be empty for v4 auth algorythm.
Related-Bug: #1410622
Change-Id: I06d798a125b700d9b4670448804d6be27f978d75
---
 nova/api/ec2/__init__.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index 669c83694b1e..5b88a2dc01fc 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -224,6 +224,11 @@ class EC2KeystoneAuth(wsgi.Middleware):
 @webob.dec.wsgify(RequestClass=wsgi.Request)
 def __call__(self, req):
+ # NOTE(alevine) We need to calculate the hash here because
+ # subsequent access to request modifies the req.body so the hash
+ # calculation will yield invalid results.
+ body_hash = hashlib.sha256(req.body).hexdigest()
+
 request_id = common_context.generate_request_id()
 signature = self._get_signature(req)
 if not signature:
@@ -236,12 +241,14 @@ class EC2KeystoneAuth(wsgi.Middleware):
 return faults.ec2_error_response(request_id, "AuthFailure", msg,
 status=400)
- # Make a copy of args for authentication and signature verification.
- auth_params = dict(req.params)
- # Not part of authentication args
- auth_params.pop('Signature', None)
+ if 'X-Amz-Signature' in req.params or 'Authorization' in req.headers:
+ auth_params = {}
+ else:
+ # Make a copy of args for authentication and signature verification
+ auth_params = dict(req.params)
+ # Not part of authentication args
+ auth_params.pop('Signature', None)
- body_hash = hashlib.sha256(req.body).hexdigest()
 cred_dict = {
 'access': access,
 'signature': signature,
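Review bot: Hashing `req.body` as the first statement of `__call__` means the whole body is read and SHA-256'd before the `if not signature:` check, so requests that are about to be rejected as unauthenticated still pay that cost. Whether anything earlier in the WSGI pipeline caps the body size is not visible in this hunk; it is worth confirming that a size limit runs ahead of this middleware. The NOTE should also name the upstream issue from the commit message so the line is not moved back down later, e.g. `# See https://github.com/Pylons/webob/issues/149: must run before any other access to req.` The body of `__call__` continues outside the hunk.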
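Review bot: The v4 branch in the second hunk is selected by the mere presence of an `Authorization` header (`'Authorization' in req.headers`), not by the scheme that header carries or by which scheme `_get_signature` actually matched. A v2 request that has `Signature` in the query string but arrives with any `Authorization` header would be sent for verification with `auth_params = {}`; that presumably fails closed, but it should be pinned by a test, and the condition could check the value instead, e.g. `req.headers.get('Authorization', '').startswith('AWS4-HMAC-SHA256')`. It is also worth confirming that, with empty params, the verifier still covers query-string parameters on non-POST v4 requests, since that code is outside this hunk.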