diff --git a/swift/common/middleware/tempauth.py b/swift/common/middleware/tempauth.py index f6207ada99..9b774111e6 100644 --- a/swift/common/middleware/tempauth.py +++ b/swift/common/middleware/tempauth.py @@ -18,8 +18,6 @@ from __future__ import print_function from time import time from traceback import format_exc from uuid import uuid4 -from hashlib import sha1 -import hmac import base64 from eventlet import Timeout @@ -395,20 +393,21 @@ class TempAuth(object): s3_auth_details = env.get('swift3.auth_details') if s3_auth_details: + if 'check_signature' not in s3_auth_details: + self.logger.warning( + 'Swift3 did not provide a check_signature function; ' + 'upgrade Swift3 if you want to use it with tempauth') + return None account_user = s3_auth_details['access_key'] - signature_from_user = s3_auth_details['signature'] if account_user not in self.users: return None - account, user = account_user.split(':', 1) - account_id = self.users[account_user]['url'].rsplit('/', 1)[-1] - path = env['PATH_INFO'] - env['PATH_INFO'] = path.replace(account_user, account_id, 1) - valid_signature = base64.encodestring(hmac.new( - self.users[account_user]['key'], - s3_auth_details['string_to_sign'], - sha1).digest()).strip() - if signature_from_user != valid_signature: + user = self.users[account_user] + account = account_user.split(':', 1)[0] + account_id = user['url'].rsplit('/', 1)[-1] + if not s3_auth_details['check_signature'](user['key']): return None + env['PATH_INFO'] = env['PATH_INFO'].replace( + account_user, account_id, 1) groups = self._get_user_groups(account, account_user, account_id) return groups diff --git a/test/unit/common/middleware/test_tempauth.py b/test/unit/common/middleware/test_tempauth.py index 0f94c86125..62aa1568f5 100644 --- a/test/unit/common/middleware/test_tempauth.py +++ b/test/unit/common/middleware/test_tempauth.py @@ -19,7 +19,6 @@ import unittest from contextlib import contextmanager from base64 import b64encode from time import time -import mock from swift.common.middleware import tempauth as auth from swift.common.middleware.acl import format_acl @@ -265,27 +264,58 @@ class TestAuth(unittest.TestCase): self.assertEqual(req.environ['swift.authorize'], local_auth.denied_response) - def test_auth_with_s3_authorization(self): + def test_auth_with_s3_authorization_good(self): local_app = FakeApp() local_auth = auth.filter_factory( {'user_s3_s3': 'secret .admin'})(local_app) - req = self._make_request('/v1/AUTH_s3', environ={ + req = self._make_request('/v1/s3:s3', environ={ + 'swift3.auth_details': { + 'access_key': 's3:s3', + 'signature': b64encode('sig'), + 'string_to_sign': 't', + 'check_signature': lambda secret: True}}) + resp = req.get_response(local_auth) + + self.assertEqual(resp.status_int, 404) + self.assertEqual(local_app.calls, 1) + self.assertEqual(req.environ['PATH_INFO'], '/v1/AUTH_s3') + self.assertEqual(req.environ['swift.authorize'], + local_auth.authorize) + + def test_auth_with_s3_authorization_invalid(self): + local_app = FakeApp() + local_auth = auth.filter_factory( + {'user_s3_s3': 'secret .admin'})(local_app) + req = self._make_request('/v1/s3:s3', environ={ + 'swift3.auth_details': { + 'access_key': 's3:s3', + 'signature': b64encode('sig'), + 'string_to_sign': 't', + 'check_signature': lambda secret: False}}) + resp = req.get_response(local_auth) + + self.assertEqual(resp.status_int, 401) + self.assertEqual(local_app.calls, 1) + self.assertEqual(req.environ['PATH_INFO'], '/v1/s3:s3') + self.assertEqual(req.environ['swift.authorize'], + local_auth.denied_response) + + def test_auth_with_old_s3_details(self): + local_app = FakeApp() + local_auth = auth.filter_factory( + {'user_s3_s3': 'secret .admin'})(local_app) + req = self._make_request('/v1/s3:s3', environ={ 'swift3.auth_details': { 'access_key': 's3:s3', 'signature': b64encode('sig'), 'string_to_sign': 't'}}) + resp = req.get_response(local_auth) - with mock.patch('hmac.new') as hmac: - hmac.return_value.digest.return_value = 'sig' - resp = req.get_response(local_auth) - self.assertEqual(hmac.mock_calls, [ - mock.call('secret', 't', mock.ANY), - mock.call().digest()]) - - self.assertEqual(resp.status_int, 404) + self.assertEqual(resp.status_int, 401) self.assertEqual(local_app.calls, 1) + self.assertEqual(req.environ['PATH_INFO'], '/v1/s3:s3') self.assertEqual(req.environ['swift.authorize'], - local_auth.authorize) + local_auth.denied_response) def test_auth_no_reseller_prefix_no_token(self): # Check that normally we set up a call back to our authorize.