From 0c2ac22846b57f23bf9178dcea99eb4e2db7d62f Mon Sep 17 00:00:00 2001 From: James Saryerwinnie Date: Sat, 8 Nov 2014 17:26:06 -0800 Subject: [PATCH] Allow idempotent request signing This fixes a bug where request signing is not idempotent. This is because setting a header value does not replace the old value, it actually appends the new value to a list of values associated with the header name. This causes issue when the same request is retried, particularly with S3 retries. --- botocore/auth.py | 10 +++++++++- tests/unit/auth/test_signers.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/botocore/auth.py b/botocore/auth.py index bc04e82f2b..5066614b94 100644 --- a/botocore/auth.py +++ b/botocore/auth.py @@ -535,7 +535,7 @@ def canonical_string(self, method, split, headers, expires=None, def get_signature(self, method, split, headers, expires=None, auth_path=None): - if self.credentials.token: + if self.credentials.token and 'x-amz-security-token' not in headers: headers['x-amz-security-token'] = self.credentials.token string_to_sign = self.canonical_string(method, split, @@ -553,6 +553,14 @@ def add_auth(self, request): signature = self.get_signature(request.method, split, request.headers, auth_path=request.auth_path) + if 'Authorization' in request.headers: + # We have to do this because request.headers is not + # normal dictionary. It has the (unintuitive) behavior + # of aggregating repeated setattr calls for the same + # key value. For example: + # headers['foo'] = 'a'; headers['foo'] = 'b' + # list(headers) will print ['foo', 'foo']. + del request.headers['Authorization'] request.headers['Authorization'] = ( "AWS %s:%s" % (self.credentials.access_key, signature)) diff --git a/tests/unit/auth/test_signers.py b/tests/unit/auth/test_signers.py index 53ba839d2a..4aa5203781 100644 --- a/tests/unit/auth/test_signers.py +++ b/tests/unit/auth/test_signers.py @@ -85,6 +85,39 @@ def test_bucket_operations(self): cr = self.hmacv1.canonical_resource(split) self.assertEqual(cr, '/quotes?%s' % operation) + def test_sign_with_token(self): + credentials = botocore.credentials.Credentials( + access_key='foo', secret_key='bar', token='baz') + auth = botocore.auth.HmacV1Auth(credentials) + request = AWSRequest() + request.headers['Date'] = 'Thu, 17 Nov 2005 18:49:58 GMT' + request.headers['Content-Type'] = 'text/html' + request.method = 'PUT' + request.url = 'https://s3.amazonaws.com/bucket/key' + auth.add_auth(request) + self.assertIn('Authorization', request.headers) + # We're not actually checking the signature here, we're + # just making sure the auth header has the right format. + self.assertTrue(request.headers['Authorization'].startswith('AWS ')) + + def test_resign_with_token(self): + credentials = botocore.credentials.Credentials( + access_key='foo', secret_key='bar', token='baz') + auth = botocore.auth.HmacV1Auth(credentials) + request = AWSRequest() + request.headers['Date'] = 'Thu, 17 Nov 2005 18:49:58 GMT' + request.headers['Content-Type'] = 'text/html' + request.method = 'PUT' + request.url = 'https://s3.amazonaws.com/bucket/key' + + auth.add_auth(request) + original_auth = request.headers['Authorization'] + # Resigning the request shouldn't change the authorization + # header. + auth.add_auth(request) + self.assertEqual(request.headers.get_all('Authorization'), + [original_auth]) + class TestSigV2(unittest.TestCase):