mirror of https://github.com/apache/jclouds.git
Remove X-Auth-Token from HP temporary signing
HP Cloud does not use X-Auth-Token for temporary signed URLs, and leaking the token gives clients arbitrary privileges until it times out.
parent
238fbceaaa
commit
2b5173f617
|
@ -21,6 +21,7 @@ package org.jclouds.hpcloud.objectstorage.blobstore;
|
|||
import static com.google.common.base.Preconditions.checkArgument;
|
||||
import static com.google.common.base.Preconditions.checkNotNull;
|
||||
import static com.google.common.base.Predicates.instanceOf;
|
||||
import static com.google.common.base.Predicates.not;
|
||||
import static com.google.common.collect.Iterables.filter;
|
||||
import static org.jclouds.blobstore.util.BlobStoreUtils.cleanRequest;
|
||||
|
||||
|
@ -142,7 +143,9 @@ public class HPCloudObjectStorageBlobRequestSigner implements BlobRequestSigner
|
|||
|
||||
private HttpRequest signForTemporaryAccess(HttpRequest request, long timeInSeconds) {
|
||||
HttpRequest.Builder builder = request.toBuilder();
|
||||
builder.filters(filter(request.getFilters(), instanceOf(AuthenticateRequest.class)));
|
||||
// HP Cloud does not use X-Auth-Token for temporary signed URLs and
|
||||
// leaking this allows clients arbitrary privileges until token timeout.
|
||||
builder.filters(filter(request.getFilters(), not(instanceOf(AuthenticateRequest.class))));
|
||||
|
||||
long expiresInSeconds = unixEpochTimestampProvider.get() + timeInSeconds;
|
||||
String signature = createSignature(secretKey, createStringToSign(
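Review bot: Dropping the `AuthenticateRequest` filter in `signForTemporaryAccess` only stops the token from being added later; it does not strip an `X-Auth-Token` header that the incoming `request` may already carry. Whether callers pass a request that has already been through its filters is not visible from this hunk. Because a leaked token grants full account privileges until it expires, I would make the guarantee explicit and also remove the header on the builder, for example `builder.removeHeader("X-Auth-Token");` directly after the `builder.filters(...)` line, using the project's own header-name constant if one is in scope. The method body continues past the end of the hunk.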
|
||||
|
|
|
@ -61,7 +61,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
|
|||
protected HttpRequest getBlobWithTime() {
|
||||
return HttpRequest.builder().method("GET")
|
||||
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ada88bc31122f0d0806b1c7bf71cd3af5c5d5b94c&temp_url_expires=123456792")
|
||||
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
|
||||
.build();
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -82,7 +82,7 @@ public class HPCloudObjectStorageBlobSignerExpectTest extends BaseBlobSignerExpe
|
|||
protected HttpRequest putBlobWithTime() {
|
||||
return HttpRequest.builder().method("PUT")
|
||||
.endpoint("https://objects.jclouds.org/v1.0/40806637803162/container/name?temp_url_sig=40806637803162%3Aidentity%3Ac90269245ab0a316d5ea5e654d4c2a975fb4bf77&temp_url_expires=123456792")
|
||||
.addHeader("X-Auth-Token", "Auth_4f173437e4b013bee56d1007").build();
|
||||
.build();
|
||||
}
|
||||
|
||||
@Override
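Review bot: The expected requests in `getBlobWithTime()` and `putBlobWithTime()` no longer carry the header, but nothing in the test says why, so a later edit could add `X-Auth-Token` back without anyone recognising it as a credential leak. I would put a comment above each `.build()`, such as `// Temporary URLs must never carry X-Auth-Token; temp_url_sig in the query string is the only credential.` If the base class compares the signed request to these expectations by equality (not visible here), a regression is already caught; otherwise an explicit check that the signed request has no `X-Auth-Token` header would be worth adding.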
|
||||
|
|