Keystone V3: Support S3 tokens signature validation #1906
jtopjian merged 2 commits into gophercloud:master from
jtopjian left a comment
@kayrus Thanks for working on this. I see what you mean about it being hacky. It's been a long week for me and I can't think of a better way to do this, either. I'm okay with the implementation - it can be revisited later if someone is inclined.
I have a few comments - let me know if you have any questions.
| Timestamp *time.Time `json:"-"` | ||
| // Token is a []byte string (encoded to base64 automatically) which was signed | ||
| // by an EC2 secret key. Used by S3 tokens for validation only. | ||
| Token []byte `json:"token,omitempty"` |
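Review bot: the doc comment on `Token` does not say who sets it. It states the bytes were "signed by an EC2 secret key" and are "used by S3 tokens for validation only", but not whether the caller supplies the pre-signed string or the library fills it in before the request; spell that out, and mention that a nil `Token` is omitted from the request body (which is what the `json:"token,omitempty"` tag already does).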
Just so I understand: this field is for someone to supply a pre-generated signed string?
| c["signature"]) | ||
| h["Authorization"] = EC2CredentialsBuildAuthorizationHeaderV4(*opts, signedHeaders, c["signature"].(string), date) | ||
| c["token"] = stringToSign |
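Review bot: `c["token"] = stringToSign` assigns unconditionally, so a token the caller supplied through the options is clobbered; either guard the assignment (`if _, set := c["token"]; !set { c["token"] = stringToSign }`) or add a comment above the line saying the value is always regenerated here and only consumed by the S3 path. In the same hunk, `c["signature"].(string)` is a single-value type assertion and will panic if the key is absent or holds a non-string; use the two-value form `sig, ok := c["signature"].(string)` and return an error when `!ok` rather than panicking inside the auth flow.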
If my previous comment is true, should there be some kind of check to make sure this isn't already set so it's not clobbered?
Additionally, let's add a comment above this line to say that while token is being set, it is only used for S3 and will be removed when using EC2 validation.
Token must be set with a signature. If a signature was not provided, the token will be generated as well.
| // ValidateS3Token authenticates an S3 request using EC2 credentials. Doesn't | ||
| // generate a new token ID, but returns a tokens.CreateResult. | ||
| func ValidateS3Token(c *gophercloud.ServiceClient, opts tokens.AuthOptionsBuilder) (r tokens.CreateResult) { |
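Review bot: the doc comment on `ValidateS3Token` should tell callers what they can and cannot read from the returned `tokens.CreateResult`. Per the thread, the response body carries the usual user/project/domain data but no token ID, so extracting an ID from this result is not meaningful; say so in the comment. If the function is only meant as a validity check, a `(bool, error)` return like `tokens.Validate` would make that contract explicit instead of handing back a result whose ID field is always empty.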
How about doing something similar to tokens.Validate where (bool, error) is returned: https://github.com/gophercloud/gophercloud/blob/master/openstack/identity/v3/tokens/requests.go#L145
What if we need to fetch user/project/domain info from the token response?
Are you sure that's included? The debug output doesn't show it.
It returns the same token body as usual, when keystone auths a user. The only difference is it doesn't return a token ID.
Oh, right - the output is being redacted/removed in the acceptance tests. OK, I don't want to bike shed this one. Perhaps the Validate function I linked to should be renamed to IsValid at some point in the future.
Indeed, debug doesn't show the JSON response, but the content length is big and it should include the token data:
2020/03/27 13:58:13 [DEBUG] OpenStack Response Code: 200
2020/03/27 13:58:13 [DEBUG] OpenStack Response Headers:
Content-Length: 6751
Content-Type: application/json
Date: Fri, 27 Mar 2020 13:58:13 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: X-Auth-Token
X-Openstack-Request-Id: req-07cf74fe-a252-4cbb-8107-0d263dc54b3e
Resolves #1905
@jtopjian this PR is a bit hacky, because if I put s3tokens into a separate package, I need to duplicate a lot of logic.