Apache
/
jclouds
mirror of https://github.com/apache/jclouds.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove X-Auth-Token from HP temporary signing 

HP Cloud does not use X-Auth-Token for temporary signed URLs and
leaking this allows clients arbitrary privileges until token timeout.
This commit is contained in:
Andrew Gaul 2012-10-15 11:42:28 -07:00
parent 238fbceaaa
commit 2b5173f617
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
providers/hpcloud-objectstorage/src/main/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobRequestSigner.java
View File

@ -21,6 +21,7 @@ package org.jclouds.hpcloud.objectstorage.blobstore;
import static com.google.common.base.Preconditions.checkArgument; import static com.google.common.base.Preconditions.checkArgument;
import static com.google.common.base.Preconditions.checkNotNull; import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Predicates.instanceOf; import static com.google.common.base.Predicates.instanceOf;
import static com.google.common.base.Predicates.not;
import static com.google.common.collect.Iterables.filter; import static com.google.common.collect.Iterables.filter;
import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest; import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest;
@ -142,7 +143,9 @@ public class HPCloudObjectStorageBlobRequestSigner implements BlobRequestSigner
private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) { private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) {
HttpRequest.Builder builder = request.toBuilder(); HttpRequest.Builder builder = request.toBuilder();
builder.filters(filter(request.getFilters(), instanceOf(AuthenticateRequest.class))); // HP Cloud does not use X-Auth-Token for temporary signed URLs and
// leaking this allows clients arbitrary privileges until token timeout.
builder.filters(filter(request.getFilters(), not(instanceOf(AuthenticateRequest.class))));
long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds; long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds;
String signature = createSignature(secretKey, createStringToSign( String signature = createSignature(secretKey, createStringToSign(

4
providers/hpcloud-objectstorage/src/test/java/org/jclouds/hpcloud/objectstorage/blobstore/HPCloudObjectStorageBlobSignerExpectTest.java
View File

@ -61,7 +61,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
protected HttpRequest getBlobWithTime() { protected HttpRequest getBlobWithTime() {
return HttpRequest.builder().method("GET") return HttpRequest.builder().method("GET")
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792") .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792")
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build(); .build();
} }
@Override @Override
@ -82,7 +82,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
protected HttpRequest putBlobWithTime() { protected HttpRequest putBlobWithTime() {
return HttpRequest.builder().method("PUT") return HttpRequest.builder().method("PUT")
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792") .endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792")
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build(); .build();
} }
@Override @Override