authorPrashanth Pai <ppai@redhat.com>2016-08-05 11:25:42 +0530
committerThiago da Silva <thiago@redhat.com>2016-09-13 07:00:49 -0700
commit83c50ae4ebd4d72988a781ec4183f1c62f6a63a4 (patch)
tree468bbedb80a48f3c52dc52487b030a4e9b318b1e /gluster/swift/common/middleware/gswauth/swauth/middleware.py
parenta324c6e5cdfad77e8f91ec9869deb6b78425807e (diff)
Don't include salt in HMAC computation
Currently, the input to the HMAC function is the entire stored credential in the format '<salt>$<hash>' but it should rather be only the hashed key/password. This is a minimal manual backport of this upstream swauth change: https://review.openstack.org/#/c/292529/ Change-Id: Ib119522d36359f87579ff8e4ada7331643695634 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/15097 Reviewed-by: Thiago da Silva <thiago@redhat.com> Tested-by: Thiago da Silva <thiago@redhat.com>
Diffstat (limited to 'gluster/swift/common/middleware/gswauth/swauth/middleware.py')
-rw-r--r--gluster/swift/common/middleware/gswauth/swauth/middleware.py6
1 files changed, 5 insertions, 1 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 745c6f1..48f1d71 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -318,7 +318,7 @@ class Swauth(object):
account_id, 1)
detail = json.loads(resp.body)
- password = detail['auth'].split(':')[-1]
+ password_type, password = detail['auth'].split(':')
msg = base64.urlsafe_b64decode(unquote(token))
# https://bugs.python.org/issue5285
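Review bot: The two-name unpacking on the added line `password_type, password = detail['auth'].split(':')` raises ValueError whenever the stored auth value contains no colon or more than one, so a plaintext secret that itself contains ':' would presumably surface as an unhandled error rather than a clean denial. The removed line did not raise in that case, although it kept only the last segment. Splitting once preserves the type prefix and leaves the rest of the credential intact: `password_type, password = detail['auth'].split(':', 1)`. How auth values are written is not visible here, so whether colons are rejected at user creation should be confirmed. The enclosing method starts and ends outside the hunk.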
@@ -327,6 +327,10 @@ class Swauth(object):
if isinstance(msg, unicode):
msg = msg.encode('utf-8')
+ if password_type != 'plaintext':
+ # Password isn't plaintext, contains salt string
+ password = password.split('$')[-1]
+
s = base64.encodestring(hmac.new(password,
msg, sha1).digest()).strip()
if s != sign:
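Review bot: The check `if s != sign:` after the added block compares the computed HMAC with the client-supplied signature using an ordinary string comparison, which is not constant-time. Where the supported interpreter provides it (Python 2.7.7 or later) and both operands are the same string type, `if not hmac.compare_digest(s, sign):` is the safer form. Separately, the added branch makes the stored hash itself the HMAC key, so anyone who can read the stored credential can compute valid signatures without knowing the original password. A comment above `password = password.split('$')[-1]` such as `# NOTE: the stored hash is the signing key; read access to the auth record is equivalent to holding the secret` would record that for maintainers. The enclosing method starts and ends outside the hunk.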