
Joss tempUrl generation broken, signed plainText mistakenly includes protocol and hostname #102

@avi8tr

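https://github.com/openstack/swift/blob/master/swift/common/middleware/tempurl.py explains how to construct TempURLs in Python:

```python
import hmac
from hashlib import sha1
from time import time

method = 'GET'
expires = int(time() + 60)  # expiry as a Unix timestamp, 60 seconds from now
path = '/v1/AUTH_account/container/object'  # path only: no scheme, no host
key = 'mykey'
# Signed body is "<method>\n<expires>\n<path>"
hmac_body = '%s\n%s\n%s' % (method, expires, path)
# hmac.new() needs bytes on Python 3, so encode both key and body explicitly
sig = hmac.new(key.encode('utf-8'), hmac_body.encode('utf-8'), sha1).hexdigest()
```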
    

It adds "Be certain to use the full path, from the /v1/ onward."

Here are TempURL-related issues with Joss 0.9.11 that I found so far:
1) Joss 0.9.11 is signing a plaintext that includes https://the.storage.url, i.e. the Joss signature will not match what the server-side middleware calculates for comparison, and the Joss tempURLs always fail. This may also apply to formPostUrls.
2) Python uses Unicode, and it seems risky that Joss relies on the client's default charset to match for java.lang.String.getBytes() to return the same bytes as on the server side (for both key and plainText); I'm not an expert here but getBytes("ISO-8859-1") or "UTF-8" should do; I chose UTF-8.
3) When I went about constructing a path string to encode, to match what the server would use upon receiving my tempURL, I expected account.getPath() to return the "path to append to the host", i.e. something like "/v1/AUTH_account", but for me it returned null. object.getPath() returned the expected "/container/object".
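
The two signature mismatches reported in items 1 and 2, reproduced as an added example that is not part of the original issue and is not Joss or Swift code. `server_accepts` is a simplified, hypothetical model of the server-side comparison (HMAC-SHA1 recomputed over the request path only, UTF-8 bytes assumed); the key, timestamp and non-ASCII key are constructed sample values.

```python
import hmac
from hashlib import sha1
from urllib.parse import urlsplit

def tempurl_sig(key, method, expires, signed_path, charset="utf-8"):
    """HMAC-SHA1 over 'METHOD\\nEXPIRES\\nPATH', as in the snippet quoted above."""
    body = "%s\n%s\n%s" % (method, expires, signed_path)
    return hmac.new(key.encode(charset), body.encode(charset), sha1).hexdigest()

def server_accepts(key, method, request_url, expires, sig):
    """Hypothetical model of the server check: it only sees the request path,
    so it recomputes the signature over that and compares in constant time."""
    path = urlsplit(request_url).path
    expected = tempurl_sig(key, method, expires, path)
    return hmac.compare_digest(expected, sig)

# Constructed sample values (not taken from a real deployment)
KEY = "mykey"
EXPIRES = 1700000000
HOST = "https://the.storage.url"
PATH = "/v1/AUTH_account/container/object"

def demo():
    url = HOST + PATH
    # Correct client: signs the path from /v1/ onward
    path_sig = tempurl_sig(KEY, "GET", EXPIRES, PATH)
    # Item 1: client signs a plaintext that includes protocol and hostname
    full_url_sig = tempurl_sig(KEY, "GET", EXPIRES, url)
    # Item 2: the same non-ASCII key turned into bytes under two charsets
    accented_key = "cl\u00e9-secr\u00e8te"
    utf8_sig = tempurl_sig(accented_key, "GET", EXPIRES, PATH, "utf-8")
    latin1_sig = tempurl_sig(accented_key, "GET", EXPIRES, PATH, "iso-8859-1")
    return {
        "path_only_accepted": server_accepts(KEY, "GET", url, EXPIRES, path_sig),
        "full_url_accepted": server_accepts(KEY, "GET", url, EXPIRES, full_url_sig),
        "charsets_agree": utf8_sig == latin1_sig,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A pure-ASCII key such as `mykey` encodes to the same bytes under both charsets, which is why the charset dependency in item 2 can go unnoticed until a key or object path contains a non-ASCII character.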
