LIBCLOUD-627

service account auth fails with gce driver on python3

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Implemented
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Compute
    • Labels:

      Description

      Fails due to string/binary confusion in GoogleServiceAcctAuthConnection.

        Activity

        jira-bot ASF subversion and git services added a comment -

        Commit ab7d07bd4e7197c275a926de8d9639de9bc234a6 in libcloud's branch refs/heads/trunk from Eric Johnson
        [ https://git-wip-us.apache.org/repos/asf?p=libcloud.git;h=ab7d07b ]

        [google compute] Add support for JSON private key format

        Closes #438
        Closes LIBCLOUD-627
        Closes LIBCLOUD-657

        Signed-off-by: Eric Johnson <erjohnso@google.com>

        erjohnso Eric Johnson added a comment -

        Hi Siim,

        In case you didn't catch the github notice, I included your fix in https://github.com/apache/libcloud/pull/438 since I needed to update the driver for the new JSON private key format.

        Hope you don't mind! If you do, please let me know and I'll pull that part out so you can submit the patch.

        Cheers, Eric

        erjohnso Eric Johnson added a comment -

        Hi Siim,

        Any progress on approvals and a patch to fix this? If you'd prefer, I can take what you've started and see about getting it added. Happy to go either way here.

        Thanks!
        Eric

        siimphh Siim Põder added a comment -

        I'll need to get approval (which is not a problem but takes a few days) to properly submit patches. I also have not tried this with python2 nor looked at any contributing guidelines.

        kami Tomaz Muraus added a comment -

        /cc Eric Johnson

        kami Tomaz Muraus added a comment -

        First of all, good catch.

        Second, can you please open a pull request with your changes? It will be easier to comment on the diff.

        In general, I think the changes look OK, but they need some tests and testing. I need to double check if SHA256 takes bytes or string. If it takes a string, we will also need to call ".decode('utf-8')" on the header_enc variable, etc.

        siimphh Siim Põder added a comment - - edited

        I had fixed this locally and noticed the patch:

        diff --git a/libcloud/common/google.py b/libcloud/common/google.py
        index 52692e6..5583334 100644
        --- a/libcloud/common/google.py
        +++ b/libcloud/common/google.py
        @@ -78,7 +78,7 @@ import os
         import socket
         import sys
         
        -from libcloud.utils.py3 import httplib, urlencode, urlparse, PY3
        +from libcloud.utils.py3 import b, httplib, urlencode, urlparse, PY3
         from libcloud.common.base import (ConnectionUserAndKey, JsonResponse,
                                           PollingConnection)
         from libcloud.common.types import (ProviderError,
        @@ -425,7 +425,7 @@ class GoogleServiceAcctAuthConnection(GoogleBaseAuthConnection):
                 """
                 # The header is always the same
                 header = {'alg': 'RS256', 'typ': 'JWT'}
        -        header_enc = base64.urlsafe_b64encode(json.dumps(header))
        +        header_enc = base64.urlsafe_b64encode(b(json.dumps(header)))
         
                 # Construct a claim set
                 claim_set = {'iss': self.user_id,
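        Review bot: header_enc keeps whatever '=' padding base64.urlsafe_b64encode emits, and the same holds for claim_set_enc and signature further down, while JWS compact serialization (RFC 7515) uses base64url with trailing '=' removed. This predates the change, but since the line is being rewritten, consider stripping it here, e.g. .rstrip(b'='), or confirming that the token endpoint tolerates padded segments.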
        @@ -433,10 +433,10 @@ class GoogleServiceAcctAuthConnection(GoogleBaseAuthConnection):
                              'aud': 'https://accounts.google.com/o/oauth2/token',
                              'exp': int(time.time()) + 3600,
                              'iat': int(time.time())}
        -        claim_set_enc = base64.urlsafe_b64encode(json.dumps(claim_set))
        +        claim_set_enc = base64.urlsafe_b64encode(b(json.dumps(claim_set)))
         
                 # The message contains both the header and claim set
        -        message = '%s.%s' % (header_enc, claim_set_enc)
        +        message = b'.'.join((header_enc, claim_set_enc))
                 # Then the message is signed using the key supplied
                 key = RSA.importKey(self.key)
                 hash_func = SHA256.new(message)
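        Review bot: message becomes bytes at b'.'.join((header_enc, claim_set_enc)) and is passed straight to SHA256.new(message), but nothing in the change exercises that path; add a unit test that runs this method under both Python 2 and Python 3 and asserts that message is bytes before it is hashed and signed. If interpreters older than 2.6 are still supported, note that the b'.' literal is not available there.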
        @@ -444,7 +444,7 @@ class GoogleServiceAcctAuthConnection(GoogleBaseAuthConnection):
                 signature = base64.urlsafe_b64encode(signer.sign(hash_func))
         
                 # Finally the message and signature are sent to get a token
        -        jwt = '%s.%s' % (message, signature)
        +        jwt = b'.'.join((message, signature))
                 request = {'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                            'assertion': jwt}
         
        
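        Review bot: jwt is now a bytes object when it is stored at 'assertion': jwt, and the code that serializes request is outside this hunk. Confirm that it accepts bytes on Python 3, or decode once here, e.g. jwt.decode('ascii'), so the assertion cannot end up rendered as a b'...' repr in the form body.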
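The string/bytes confusion discussed in this thread, reproduced as an added example that is not part of the Libcloud patch or of any comment above. It uses only the standard library: hashlib.sha256 stands in for the PyCrypto SHA256 call, RSA signing is left out, and the issuer, timestamps and signature bytes are constructed placeholders.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

# Constructed sample values; the issuer is a placeholder, not a real account.
HEADER = {"alg": "RS256", "typ": "JWT"}
CLAIMS = {"iss": "svc-account@example.invalid",
          "aud": "https://accounts.google.com/o/oauth2/token",
          "iat": 1400000000, "exp": 1400003600}


def signing_input(header, claims):
    """Build b'<header>.<claims>' entirely in bytes, as the patch does."""
    parts = [base64.urlsafe_b64encode(json.dumps(p).encode("utf-8"))
             for p in (header, claims)]
    return b".".join(parts)


def legacy_failure_modes(header):
    """Run the pre-patch str-based steps on Python 3 and record the outcome."""
    seen = {}
    try:
        base64.urlsafe_b64encode(json.dumps(header))  # str where bytes needed
    except TypeError:
        seen["b64encode_str"] = "TypeError"
    enc = base64.urlsafe_b64encode(json.dumps(header).encode("utf-8"))
    # Formatting bytes with %s embeds their repr, so no exception is raised
    # but the token text is silently corrupted.
    seen["percent_format"] = "%s.%s" % (enc, enc)
    try:
        hashlib.sha256(seen["percent_format"])  # digests accept bytes only
    except TypeError:
        seen["hash_str"] = "TypeError"
    return seen


def token_request_body(message, signature):
    """Append the encoded signature and decode once, at the form boundary."""
    jwt = b".".join((message, base64.urlsafe_b64encode(signature)))
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": jwt.decode("ascii"),
    })


if __name__ == "__main__":
    msg = signing_input(HEADER, CLAIMS)
    print(legacy_failure_modes(HEADER))
    print(token_request_body(msg, b"\x01\x02\x03"))  # placeholder signature
```

Keeping every segment as bytes until the request is serialized means the signed message and the transmitted message are byte-for-byte identical, which is what the signature check on the receiving side depends on.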

          People

          • Assignee:
            erjohnso Eric Johnson
            Reporter:
            siimphh Siim Põder