Merge "Validates Timestamp or Expiry time in EC2 requests"

2 files changed, 46 insertions, 0 deletions

diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index 2ae685cec..d1145420e 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -66,6 +66,9 @@ ec2_opts = [
                 default=True,
                 help='Validate security group names'
                      ' according to EC2 specification'),
+    cfg.IntOpt('ec2_timestamp_expiry',
+               default=300,
+               help='Time in seconds before ec2 timestamp expires'),
     ]
 
 FLAGS = flags.FLAGS
@@ -311,6 +314,13 @@ class Requestify(wsgi.Middleware):
                     'SignatureVersion', 'Version', 'Timestamp']
         args = dict(req.params)
         try:
+            expired = ec2utils.is_ec2_timestamp_expired(req.params,
+                            expires=FLAGS.ec2_timestamp_expiry)
+            if expired:
+                msg = _("Timestamp failed validation.")
+                LOG.exception(msg)
+                raise webob.exc.HTTPForbidden(detail=msg)
+
             # Raise KeyError if omitted
             action = req.params['Action']
             # Fix bug lp:720157 for older (version 1) clients
@@ -324,6 +334,8 @@ class Requestify(wsgi.Middleware):
                 args.pop(non_arg)
         except KeyError, e:
             raise webob.exc.HTTPBadRequest()
+        except exception.InvalidRequest as err:
+            raise webob.exc.HTTPBadRequest(explanation=unicode(err))
 
         LOG.debug(_('action: %s'), action)
         for key, value in args.items():
diff --git a/nova/api/ec2/ec2utils.py b/nova/api/ec2/ec2utils.py
index fdff3d9f4..4d0a926df 100644
--- a/nova/api/ec2/ec2utils.py
+++ b/nova/api/ec2/ec2utils.py
@@ -24,6 +24,7 @@ from nova import exception
 from nova import flags
 from nova.network import model as network_model
 from nova.openstack.common import log as logging
+from nova.openstack.common import timeutils
 from nova import utils
 
 
@@ -176,6 +177,39 @@ def ec2_vol_id_to_uuid(ec2_id):
     return get_volume_uuid_from_int_id(ctxt, int_id)
 
 
+def is_ec2_timestamp_expired(request, expires=None):
+    """Checks the timestamp or expiry time included in a EC2 request
+    and returns true if the request is expired
+    """
+    query_time = None
+    timestamp = request.get('Timestamp')
+    expiry_time = request.get('Expires')
+    try:
+        if timestamp and expiry_time:
+            msg = _("Request must include either Timestamp or Expires,"
+                    " but cannot contain both")
+            LOG.error(msg)
+            raise exception.InvalidRequest(msg)
+        elif expiry_time:
+            query_time = timeutils.parse_strtime(expiry_time,
+                                        "%Y-%m-%dT%H:%M:%SZ")
+            return timeutils.is_older_than(query_time, -1)
+        elif timestamp:
+            query_time = timeutils.parse_strtime(timestamp,
+                                        "%Y-%m-%dT%H:%M:%SZ")
+
+            # Check if the difference between the timestamp in the request
+            # and the time on our servers is larger than 5 minutes, the
+            # request is too old (or too new).
+            if query_time and expires:
+                return timeutils.is_older_than(query_time, expires) or \
+                       timeutils.is_newer_than(query_time, expires)
+        return False
+    except ValueError:
+        LOG.audit(_("Timestamp is invalid."))
+        return True
+
+
 def get_int_id_from_instance_uuid(context, instance_uuid):
     if instance_uuid is None:
         return