1 files changed, 24 insertions, 10 deletions

diff --git a/keystone/contrib/ec2/controllers.py b/keystone/contrib/ec2/controllers.py
index 70d13901e..1f35e5644 100644
--- a/keystone/contrib/ec2/controllers.py
+++ b/keystone/contrib/ec2/controllers.py
@@ -57,16 +57,30 @@ class Ec2ControllerCommon(object):
     def check_signature(self, creds_ref, credentials):
         signer = ec2_utils.Ec2Signer(creds_ref['secret'])
         signature = signer.generate(credentials)
-        if utils.auth_str_equal(credentials['signature'], signature):
-            return
-        # NOTE(vish): Some libraries don't use the port when signing
-        #             requests, so try again without port.
-        elif ':' in credentials['signature']:
-            hostname, _port = credentials['host'].split(':')
-            credentials['host'] = hostname
-            signature = signer.generate(credentials)
-            if not utils.auth_str_equal(credentials.signature, signature):
-                raise exception.Unauthorized(message='Invalid EC2 signature.')
+        # NOTE(davechen): credentials.get('signature') is not guaranteed to
+        # exist, we need check it explicitly.
+        if credentials.get('signature'):
+            if utils.auth_str_equal(credentials['signature'], signature):
+                return True
+            # NOTE(vish): Some client libraries don't use the port when signing
+            #             requests, so try again without port.
+            elif ':' in credentials['host']:
+                hostname, _port = credentials['host'].split(':')
+                credentials['host'] = hostname
+                # NOTE(davechen): we need reinitialize 'signer' to avoid
+                # contaminated status of signature, this is similar with
+                # other programming language libraries, JAVA for example.
+                signer = ec2_utils.Ec2Signer(creds_ref['secret'])
+                signature = signer.generate(credentials)
+                if utils.auth_str_equal(credentials['signature'],
+                                        signature):
+                    return True
+                raise exception.Unauthorized(
+                    message='Invalid EC2 signature.')
+            else:
+                raise exception.Unauthorized(
+                    message='EC2 signature not supplied.')
+        # Raise the exception when credentials.get('signature') is None
         else:
             raise exception.Unauthorized(message='EC2 signature not supplied.')