Merge pull request #897 from andrewgaul/hpcloud-x-auth-token

Remove X-Auth-Token from HP temporary signing
2012-10-15 13:18:08 -07:00 · 2012-10-15 13:18:08 -07:00 · 141834a14d
parent 238fbceaaa 2b5173f617
commit 141834a14d
2 changed files with 6 additions and 3 deletions
--- a/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
+++ b/providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
@ -21,6 +21,7 @@ package org.jclouds.hpcloud.objectstorage.blobstore;
 import static com.google.common.base.Preconditions.checkArgument;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Predicates.instanceOf;
+import static com.google.common.base.Predicates.not;
 import static com.google.common.collect.Iterables.filter;
 import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest;

@ -142,7 +143,9 @@ public class HPCloudObjectStorageBlobRequestSigner implements BlobRequestSigner

   private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) {
      HttpRequest.Builder builder = request.toBuilder();
-      builder.filters(filter(request.getFilters(), instanceOf(AuthenticateRequest.class)));
+      // HP Cloud does not use X-Auth-Token for temporary signed URLs and
+      // leaking this allows clients arbitrary privileges until token timeout.
+      builder.filters(filter(request.getFilters(), not(instanceOf(AuthenticateRequest.class))));

      long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds;
      String signature = createSignature(secretKey, createStringToSign(
--- a/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
+++ b/providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
@ -61,7 +61,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
   protected HttpRequest getBlobWithTime() {
      return HttpRequest.builder().method("GET")
            .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792")
-            .addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
+            .build();
   }

   @Override
@ -82,7 +82,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
   protected HttpRequest putBlobWithTime() {
      return HttpRequest.builder().method("PUT")
            .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792")
-            .addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
+            .build();
   }

   @Override