-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/middleware.py | 6 | ||||
-rw-r--r-- | test/unit/common/middleware/gswauth/swauth/test_middleware.py | 25 |
2 files changed, 30 insertions, 1 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 745c6f1..48f1d71 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -318,7 +318,7 @@ class Swauth(object):
 account_id, 1)
 detail = json.loads(resp.body)
- password = detail['auth'].split(':')[-1]
+ password_type, password = detail['auth'].split(':')
 msg = base64.urlsafe_b64decode(unquote(token))
 # https://bugs.python.org/issue5285
@@ -327,6 +327,10 @@ class Swauth(object):
 if isinstance(msg, unicode):
 msg = msg.encode('utf-8')
+ if password_type != 'plaintext':
+ # Password isn't plaintext, contains salt string
+ password = password.split('$')[-1]
+
 s = base64.encodestring(hmac.new(password, msg, sha1).digest()).strip()
 if s != sign:
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
index 2d30082..e8c2001 100644
--- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py
+++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
@@ -17,6 +17,7 @@ try:
 import simplejson as json
 except ImportError:
 import json
+import hashlib
 import unittest
 from contextlib import contextmanager
 import mock
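Review bot: The new unpacking `password_type, password = detail['auth'].split(':')` raises ValueError whenever the stored auth string does not contain exactly one colon — for instance a plaintext password that itself contains ':' — which the old `[-1]` indexing tolerated, so such a record now surfaces as an unhandled exception on the request path instead of a failed authentication. Use `password_type, _, password = detail['auth'].partition(':')`, which keeps everything after the first colon as the secret and never raises. The enclosing method begins and ends outside the hunk, so any surrounding exception handling is not visible here.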
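Review bot: The comment on the added branch, `# Password isn't plaintext, contains salt string`, understates the security-relevant consequence: for every non-plaintext entry the hex digest stored after `$` becomes the HMAC key, so the stored hash itself is the S3 secret and must be protected accordingly. Say so explicitly, e.g. `# Hashed entries are "<type>:<salt>$<hexdigest>"; the hexdigest alone is the S3 secret key, so treat the stored record as a credential`. Note also that `password.split('$')[-1]` silently returns the whole value when no '$' is present, so an entry in an unexpected format is still fed to hmac.new rather than rejected; if the stored formats are known to always carry a salt, returning None when the split does not yield two parts would be the safer failure. The later comparison against `sign` belongs to the same method, whose body extends past the hunk.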
@@ -4857,6 +4858,30 @@ class TestAuth(unittest.TestCase):
 'ozNCArMDAwMAovY29udGFpbmVyMw=='
 self.assertEqual(self.test_auth.get_groups(env, token), None)
+ def test_s3_only_hash_passed_to_hmac(self):
+ key = 'dadada'
+ salt = 'zuck'
+ key_hash = hashlib.sha1('%s%s' % (salt, key)).hexdigest()
+ auth_stored = "sha1:%s$%s" % (salt, key_hash)
+ self.test_auth.app = FakeApp(iter([
+ ('200 Ok', {},
+ json.dumps({"auth": auth_stored,
+ "groups": [{'name': "act:usr"}, {'name': "act"},
+ {'name': ".admin"}]})),
+ ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_act'}, '')]))
+ env = \
+ {'HTTP_AUTHORIZATION': 'AWS act:user:whatever',
+ 'PATH_INFO': '/v1/AUTH_act/c1'}
+ token = 'UFVUCgoKRnJpLCAyNiBGZWIgMjAxNiAwNjo0NT'\
+ 'ozNCArMDAwMAovY29udGFpbmVyMw=='
+ mock_hmac_new = mock.MagicMock()
+ with mock.patch('hmac.new', mock_hmac_new):
+ self.test_auth.get_groups(env, token)
+ self.assertTrue(mock_hmac_new.called)
+ # Assert that string passed to hmac.new is only the hash
+ self.assertEqual(mock_hmac_new.call_args[0][0], key_hash)
+
+
 if __name__ == '__main__':
 unittest.main()
|
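Review bot: The new test replaces `hmac.new` with a MagicMock and asserts only on `call_args[0][0]`, so it never verifies that a signature computed with the stored digest is actually accepted — the return value of `get_groups` is discarded and the mocked digest flows into the comparison unchecked. A companion assertion using the real `hmac` would pin the behaviour end to end: compute the expected signature over the same decoded token with `key_hash` as the key, put it in the Authorization header in place of `whatever`, and assert that `get_groups` returns the configured groups rather than None. The test also relies on the middleware passing the key positionally; that matches the visible call `hmac.new(password, msg, sha1)`, but a note such as `# relies on hmac.new(key, msg, digestmod) being called positionally` would make the coupling explicit. The TestAuth class starts outside the hunk.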