From 49d72e19e97391d1da6404d83360779e25152f3c Mon Sep 17 00:00:00 2001
From: Mark Wutzke
Date: Mon, 29 Jan 2018 09:43:04 +1100
Subject: [PATCH 1/1] ec2token: Use query arguments for signature calculation

Webob exposes a synthesized req.params field - of both the query string and request body (POST) variables. Any 'POST'ed request body variables (e.g. from heat-config-notify) will interfere negatively with the signature calculation, so the signature should only be calculated on the query string variables.
---
 heat/api/aws/ec2token.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/heat/api/aws/ec2token.py b/heat/api/aws/ec2token.py
index 39b240f..fbeca61 100644
--- a/heat/api/aws/ec2token.py
+++ b/heat/api/aws/ec2token.py
@@ -184,8 +184,8 @@ class EC2Token(wsgi.Middleware):
 "specified in config file")
 raise exception.HeatInternalFailureError(_('Service '
 'misconfigured'))
- # Make a copy of args for authentication and signature verification.
- auth_params = dict(req.params)
+ # Make a copy of query args for authentication and signature verification.
+ auth_params = dict(req.GET)
 # 'Signature' param Not part of authentication args
 auth_params.pop('Signature', None)
-- 
2.7.4
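Review bot: With `auth_params = dict(req.GET)` the signature now covers only the query string, so any form field in a POST body is unauthenticated from this point on, and the comment above the assignment does not say so. If code outside this hunk still reads `req.params` (for the `Signature` or access-key lookup, or for the request arguments), it would be mixing signed and unsigned values; those lookups should read `req.GET` as well, which cannot be confirmed from the lines shown. I would extend the comment to `# Only query-string args are signed; POST body fields are not covered by the signature and must not be trusted.` and add a unit test that sends a signed query string together with extra body variables. The enclosing method starts and ends outside the hunk.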