Remove X-Auth-Token from HP temporary signing

HP Cloud does not use X-Auth-Token for temporary signed URLs and
leaking this allows clients arbitrary privileges until token timeout.
This commit is contained in:
Andrew Gaul 2012-10-15 11:42:28 -07:00
parent 238fbceaaa
commit 2b5173f617
2 changed files with 6 additions and 3 deletions

View File

@ -21,6 +21,7 @@ package org.jclouds.hpcloud.objectstorage.blobstore;
import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Predicates.instanceOf;
import static com.google.common.base.Predicates.not;
import static com.google.common.collect.Iterables.filter;
import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest;
@ -142,7 +143,9 @@ public class HPCloudObjectStorageBlobRequestSigner implements BlobRequestSigner
private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) {
HttpRequest.Builder builder = request.toBuilder();
builder.filters(filter(request.getFilters(), instanceOf(AuthenticateRequest.class)));
// HP Cloud does not use X-Auth-Token for temporary signed URLs and
// leaking this allows clients arbitrary privileges until token timeout.
builder.filters(filter(request.getFilters(), not(instanceOf(AuthenticateRequest.class))));
long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds;
String signature = createSignature(secretKey, createStringToSign(

View File

@ -61,7 +61,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
protected HttpRequest getBlobWithTime() {
return HttpRequest.builder().method("GET")
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792")
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
.build();
}
@Override
@ -82,7 +82,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
protected HttpRequest putBlobWithTime() {
return HttpRequest.builder().method("PUT")
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792")
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
.build();
}
@Override