From 83c50ae4ebd4d72988a781ec4183f1c62f6a63a4 Mon Sep 17 00:00:00 2001
From: Prashanth Pai <ppai@redhat.com>
Date: Fri, 5 Aug 2016 11:25:42 +0530
Subject: Don't include salt in HMAC computation

Currently, the input to HMAC function is the entire stored credential
in the format '<salt>$<hash>` but it should rather be only the hashed
key/password.

This is a minimal manual backport of this upstream swauth change:
https://review.openstack.org/#/c/292529/

Change-Id: Ib119522d36359f87579ff8e4ada7331643695634
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/15097
Reviewed-by: Thiago da Silva <thiago@redhat.com>
Tested-by: Thiago da Silva <thiago@redhat.com>
---
 .../common/middleware/gswauth/swauth/middleware.py |  6 +++++-
 .../middleware/gswauth/swauth/test_middleware.py   | 25 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 745c6f1..48f1d71 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -318,7 +318,7 @@ class Swauth(object):
                                             account_id, 1)
             detail = json.loads(resp.body)
 
-            password = detail['auth'].split(':')[-1]
+            password_type, password = detail['auth'].split(':')
             msg = base64.urlsafe_b64decode(unquote(token))
 
             # https://bugs.python.org/issue5285
@@ -327,6 +327,10 @@ class Swauth(object):
             if isinstance(msg, unicode):
                 msg = msg.encode('utf-8')
 
+            if password_type != 'plaintext':
+                # Password isn't plaintext, contains salt string
+                password = password.split('$')[-1]
+
             s = base64.encodestring(hmac.new(password,
                                              msg, sha1).digest()).strip()
             if s != sign:
diff --git a/test/unit/common/middleware/gswauth/swauth/test_middleware.py b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
index 2d30082..e8c2001 100644
--- a/test/unit/common/middleware/gswauth/swauth/test_middleware.py
+++ b/test/unit/common/middleware/gswauth/swauth/test_middleware.py
@@ -17,6 +17,7 @@ try:
     import simplejson as json
 except ImportError:
     import json
+import hashlib
 import unittest
 from contextlib import contextmanager
 import mock
@@ -4857,6 +4858,30 @@ class TestAuth(unittest.TestCase):
                 'ozNCArMDAwMAovY29udGFpbmVyMw=='
         self.assertEqual(self.test_auth.get_groups(env, token), None)
 
+    def test_s3_only_hash_passed_to_hmac(self):
+        key = 'dadada'
+        salt = 'zuck'
+        key_hash = hashlib.sha1('%s%s' % (salt, key)).hexdigest()
+        auth_stored = "sha1:%s$%s" % (salt, key_hash)
+        self.test_auth.app = FakeApp(iter([
+            ('200 Ok', {},
+             json.dumps({"auth": auth_stored,
+                         "groups": [{'name': "act:usr"}, {'name': "act"},
+                                    {'name': ".admin"}]})),
+            ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_act'}, '')]))
+        env = \
+            {'HTTP_AUTHORIZATION': 'AWS act:user:whatever',
+             'PATH_INFO': '/v1/AUTH_act/c1'}
+        token = 'UFVUCgoKRnJpLCAyNiBGZWIgMjAxNiAwNjo0NT'\
+                'ozNCArMDAwMAovY29udGFpbmVyMw=='
+        mock_hmac_new = mock.MagicMock()
+        with mock.patch('hmac.new', mock_hmac_new):
+            self.test_auth.get_groups(env, token)
+        self.assertTrue(mock_hmac_new.called)
+        # Assert that string passed to hmac.new is only the hash
+        self.assertEqual(mock_hmac_new.call_args[0][0], key_hash)
+
+
 
 if __name__ == '__main__':
     unittest.main()
-- 
cgit