MAAS

Merge lp:~lutostag/maas/1.5+nonce-generation-fix into lp:maas/1.5

  1. 1.5+nonce-generation-fix
  2. Merge into 1.5
Proposed by Greg Lutostanski
Status: Merged
Merge reported by: Julian Edwards
Merged at revision: not available
Proposed branch: lp:~lutostag/maas/1.5+nonce-generation-fix
Merge into: lp:maas/1.5
Diff against target: 42 lines (+5/-2)
2 files modified
etc/maas/templates/commissioning-user-data/snippets/maas_api_helper.py (+2/-1)
src/apiclient/maas_client.py (+3/-1)
To merge this branch: bzr merge lp:~lutostag/maas/1.5+nonce-generation-fix
Reviewer Review Type Date Requested Status
Julian Edwards (community) Approve
Review via email: mp+226407@code.launchpad.net

Commit message

Fix nonce generation to use uuid.uuid4() rather than random [0-9]{8} string; makes nonce collisions WAY less likely.

Description of the change

Fix nonce generation to use uuid.uuid4() rather than random [0-9]{8} string; makes nonce collisions WAY less likely.

To post a comment you must log in.
Revision history for this message
Julian Edwards (julian-edwards) wrote :

I think this is ok with my changes suggested in the diff comments, but please wait for a second opinion before landing.

review: Approve
Revision history for this message
Julian Edwards (julian-edwards) wrote :

Also, can you set a commit message and don't worry about the other branches for 1.6 and trunk, we'll migrate the revision directly.

Revision history for this message
Raphaël Badin (rvb) :
Revision history for this message
Julian Edwards (julian-edwards) wrote :

On 11/07/14 16:50, Raphaël Badin wrote:
> Although the term nonce means "number used once", I don't see anything in the code that prevents us from using the canonical form of a UUID (i.e. with the dashes); The oauth specification explicitly says "A nonce is a random string, uniquely generated for each request."

Yes, but what I was driving at is that it's a lot nicer than using
string formatting.

lp:~lutostag/maas/1.5+nonce-generation-fix updated
2293. By Greg Lutostanski

use get_hex rather than string formatting to coerce nonce into a string

Revision history for this message
Julian Edwards (julian-edwards) wrote :

I'm going to merge this to trunk and then backport to release branches.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'etc/maas/templates/commissioning-user-data/snippets/maas_api_helper.py'
2--- etc/maas/templates/commissioning-user-data/snippets/maas_api_helper.py 2013-10-22 23:45:39 +0000
3+++ etc/maas/templates/commissioning-user-data/snippets/maas_api_helper.py 2014-07-11 14:30:38 +0000
4@@ -12,6 +12,7 @@
5 import sys
6 import time
7 import urllib2
8+import uuid
9
10 import oauth.oauth as oauth
11 import yaml
12@@ -60,7 +61,7 @@
13
14 params = {
15 'oauth_version': "1.0",
16- 'oauth_nonce': oauth.generate_nonce(),
17+ 'oauth_nonce': uuid.uuid4().get_hex(),
18 'oauth_timestamp': timestamp,
19 'oauth_token': token.key,
20 'oauth_consumer_key': consumer.key,
21
22=== modified file 'src/apiclient/maas_client.py'
23--- src/apiclient/maas_client.py 2014-04-29 06:57:26 +0000
24+++ src/apiclient/maas_client.py 2014-07-11 14:30:38 +0000
25@@ -21,6 +21,7 @@
26 import gzip
27 from io import BytesIO
28 import urllib2
29+import uuid
30
31 from apiclient.encode_json import encode_json_data
32 from apiclient.multipart import encode_multipart_data
33@@ -45,7 +46,8 @@
34 with the signature.
35 """
36 oauth_request = oauth.OAuthRequest.from_consumer_and_token(
37- self.consumer_token, token=self.resource_token, http_url=url)
38+ self.consumer_token, token=self.resource_token, http_url=url,
39+ parameters={'oauth_nonce': uuid.uuid4().get_hex()})
40 oauth_request.sign_request(
41 oauth.OAuthSignatureMethod_PLAINTEXT(), self.consumer_token,
42 self.resource_token)

Subscribers

People subscribed via source and target branches

to all changes: