Permalink
Browse files

Switch SQS to signature version 4

There were a few structural changes needed to support this
change.

To keep compatilibity with python < 2.7.3, we use the
queue.amazonaws.com endpoint because < 2.7.3 we can't
validate the subjectAltName of the SSL certs.

However, for sigv4, the service name needs to be 'sqs' and not
'queue'.  Ideally, the service name and region name are derived
from the endpoint, but we can't use the sqs.us-east-1.amazonaws.com
because this is the subjectAltName of the SSL cert.

This fix offers two mechanisms:

* The auth_service_name/auth_region_name properties on the connection
  class, which allows you to set these values:

    sqs = connect_sqs()
    sqs.auth_service_name = 'sqs'
    sqs.auth_region_name = 'us-east-1'

* An 'AuthServiceName' class attribute that will be used to set the
  auth_service_name value when the connection class is initialized.

This allows us to use 'sqs' for the credential scope required for
signature version 4, and allows us to use the queue.*.com endpoints
to ensure proper SSL cert validation for older pythons.

Also, the auth_region_name is automatically set to
self.region.name when the SQS client is initialized.  This allows
SQS to work properly with sigv4 in non us-east-1 regions.

Unittests pass, SQS integration tests pass.
  • Loading branch information...
jamesls committed Nov 21, 2012
1 parent da6d381 commit f725244241d871b04e5c35a5cfdf4b25a6a0eef3
View
@@ -546,13 +546,32 @@ def __init__(self, host, aws_access_key_id=None,
self._last_rs = None
self._auth_handler = auth.get_auth_handler(
host, config, self.provider, self._required_auth_capability())
+ if getattr(self, 'AuthServiceName', None) is not None:
+ self.auth_service_name = self.AuthServiceName
def __repr__(self):
return '%s:%s' % (self.__class__.__name__, self.host)
def _required_auth_capability(self):
return []
+ def _get_auth_service_name(self):
+ return getattr(self._auth_handler, 'service_name')
+
+ # For Sigv4, the auth_service_name/auth_region_name properties allow
+ # the service_name/region_name to be explicitly set instead of being
+ # derived from the endpoint url.
+ def _set_auth_service_name(self, value):
+ self._auth_handler.service_name = value
+ auth_service_name = property(_get_auth_service_name, _set_auth_service_name)
+
+ def _get_auth_region_name(self):
+ return getattr(self._auth_handler, 'region_name')
+
+ def _set_auth_region_name(self, value):
+ self._auth_handler.region_name = value
+ auth_region_name = property(_get_auth_service_name, _set_auth_region_name)
+
def connection(self):
return self.get_http_connection(*self._connection)
connection = property(connection)
View
@@ -37,6 +37,7 @@ class SQSConnection(AWSQueryConnection):
APIVersion = '2012-11-05'
DefaultContentType = 'text/plain'
ResponseError = SQSError
+ AuthServiceName = 'sqs'
def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
is_secure=True, port=None, proxy=None, proxy_port=None,
@@ -56,9 +57,10 @@ def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
https_connection_factory, path,
security_token=security_token,
validate_certs=validate_certs)
+ self.auth_region_name = self.region.name
def _required_auth_capability(self):
- return ['sqs']
+ return ['hmac-v4']
def create_queue(self, queue_name, visibility_timeout=None):
"""
View
@@ -22,6 +22,9 @@ def setUp(self):
https_connection_factory=self.https_connection_factory,
aws_access_key_id='aws_access_key_id',
aws_secret_access_key='aws_secret_access_key')
+ self.initialize_service_connection()
+
+ def initialize_service_connection(self):
self.actual_request = None
self.original_mexe = self.service_connection._mexe
self.service_connection._mexe = self._mexe_spy
@@ -52,7 +55,7 @@ def overwrite_header(arg, default=None):
else:
return default
response.getheader.side_effect = overwrite_header
-
+
return response
def assert_request_parameters(self, params, ignore_params_values=None):
No changes.
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+# Copyright (c) 2012 Amazon.com, Inc. or its affiliates. All Rights Reserved
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish, dis-
+# tribute, sublicense, and/or sell copies of the Software, and to permit
+# persons to whom the Software is furnished to do so, subject to the fol-
+# lowing conditions:
+#
+# The above copyright notice and this permission notice shall be included
+# in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
+# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+#
+
+from tests.unit import unittest
+from tests.unit import AWSMockServiceTestCase
+
+from boto.sqs.connection import SQSConnection
+from boto.sqs.regioninfo import SQSRegionInfo
+
+
+class SQSAuthParams(AWSMockServiceTestCase):
+ connection_class = SQSConnection
+
+ def setUp(self):
+ super(SQSAuthParams, self).setUp()
+
+ def default_body(self):
+ return """<?xml version="1.0"?>
+ <CreateQueueResponse>
+ <CreateQueueResult>
+ <QueueUrl>
+ https://queue.amazonaws.com/599169622985/myqueue1
+ </QueueUrl>
+ </CreateQueueResult>
+ <ResponseMetadata>
+ <RequestId>54d4c94d-2307-54a8-bb27-806a682a5abd</RequestId>
+ </ResponseMetadata>
+ </CreateQueueResponse>"""
+
+ def test_auth_service_name_override(self):
+ self.set_http_response(status_code=200)
+ # We can use the auth_service_name to change what service
+ # name to use for the credential scope for sigv4.
+ self.service_connection.auth_service_name = 'service_override'
+
+ self.service_connection.create_queue('my_queue')
+ # Note the service_override value instead.
+ self.assertIn('us-east-1/service_override/aws4_request',
+ self.actual_request.headers['Authorization'])
+
+ def test_class_attribute_can_set_service_name(self):
+ self.set_http_response(status_code=200)
+ # The SQS class has an 'AuthServiceName' param of 'sqs':
+ self.assertEqual(self.service_connection.AuthServiceName, 'sqs')
+
+ self.service_connection.create_queue('my_queue')
+ # And because of this, the value of 'sqs' will be used instead of
+ # 'queue' for the credential scope:
+ self.assertIn('us-east-1/sqs/aws4_request',
+ self.actual_request.headers['Authorization'])
+
+ def test_auth_region_name_is_automatically_updated(self):
+ region = SQSRegionInfo(name='us-west-2',
+ endpoint='us-west-2.queue.amazonaws.com')
+ self.service_connection = SQSConnection(
+ https_connection_factory=self.https_connection_factory,
+ aws_access_key_id='aws_access_key_id',
+ aws_secret_access_key='aws_secret_access_key',
+ region=region)
+ self.initialize_service_connection()
+ self.set_http_response(status_code=200)
+
+ self.service_connection.create_queue('my_queue')
+ # Note the region name below is 'us-west-2'.
+ self.assertIn('us-west-2/sqs/aws4_request',
+ self.actual_request.headers['Authorization'])
+
+
+if __name__ == '__main__':
+ unittest.main()

0 comments on commit f725244

Please sign in to comment.