rgw: remove the old AWS v4 streaming mode's implementation.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>

diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index 94b2d5c2da878d53689538894d65b80e8c057f2e..f5b5277b25f64d9128d0fae8b974a17880e23e61 100644 (file)
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -1029,21 +1029,7 @@ size_t AWSv4Completer::recv_body(char* const buf, const size_t max)
 
 void AWSv4Completer::modify_request_state(req_state* const s_rw)
 {
-  /* TODO(rzarzynski): switch to the dedicated filter over RestfulClient. */
-  //s_rw->aws4_auth_streaming_mode = aws4_auth_streaming_mode;
-
-  s_rw->aws4_auth = std::unique_ptr<rgw_aws4_auth>(new rgw_aws4_auth);
-
-  s_rw->aws4_auth->date = date;
-  s_rw->aws4_auth->credential_scope = credential_scope;
-
-  /* If we're here, the provided signature has been successfully validated
-   * earlier. */
-  s_rw->aws4_auth->seed_signature = seed_signature;
-
-  if (signing_key) {
-    s_rw->aws4_auth->signing_key = std::move(*signing_key);
-  } else if (aws4_auth_streaming_mode) {
+  if (!signing_key && aws4_auth_streaming_mode) {
     /* Some external authorizers (like Keystone) aren't fully compliant with
      * AWSv4. They do not provide the secret_key which is necessary to handle
      * the streamed upload. */

diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
index 2a625336bdc9621d7ecc29c861b461b535adf00f..4e61a6be5fde232b3bc6c1757bc56adc908d1671 100644 (file)
--- a/src/rgw/rgw_auth_s3.h
+++ b/src/rgw/rgw_auth_s3.h
@@ -203,7 +203,6 @@ private:
   std::string seed_signature;
   boost::optional<std::array<unsigned char,
                   CEPH_CRYPTO_HMACSHA256_DIGESTSIZE>> signing_key;
-  ceph::bufferlist bl;
 
   /* TODO(rzarzynski): this won't be necessary after moving to filter-over-
    * rgw::io::RestfulClient. */

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 46f9bdbc3f24f70035761ec860a7a54df4b77999..7874fd1f2e6ae8452452c2da1852549aeb3993f8 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -264,7 +264,6 @@ req_state::req_state(CephContext* _cct, RGWEnv* e, RGWUserInfo* u)
   bucket_acl = NULL;
   object_acl = NULL;
   expect_cont = false;
-  aws4_auth_streaming_mode = false;
 
   header_ended = false;
   obj_size = 0;

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index bd62e834be89afd0e6c100a2948a7b2efdaf83e7..f476a0ea481d8aa71ae2be72e2662762670e119e 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1694,15 +1694,6 @@ inline ostream& operator<<(ostream& out, const rgw_obj_index_key &o) {
   }
 }
 
-struct rgw_aws4_auth {
-  string date;
-  string credential_scope;
-  string seed_signature;
-  std::array<unsigned char,
-             CEPH_CRYPTO_HMACSHA256_DIGESTSIZE> signing_key;
-  bufferlist bl;
-};
-
 struct req_init_state {
   /* Keeps [[tenant]:]bucket until we parse the token. */
   string url_bucket;
@@ -1805,10 +1796,6 @@ struct req_state {
    * Being system user means we also have the admin status. */
   bool system_request;
 
-  /* aws4 auth support */
-  bool aws4_auth_streaming_mode;
-  unique_ptr<rgw_aws4_auth> aws4_auth;
-
   string canned_acl;
   bool has_acl_header;
   bool local_source; /* source is local */

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 4a004755646c291c2ba80064b26c0fd934a993f8..0a2a565dd931514b3c787460f1df625f7f699641 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -3174,17 +3174,17 @@ void RGWPutObj::execute()
   }
 
   do {
-    bufferlist data_in;
+    bufferlist data;
     if (fst > lst)
       break;
     if (!copy_source) {
-      len = get_data(data_in);
+      len = get_data(data);
     } else {
       uint64_t cur_lst = min(fst + s->cct->_conf->rgw_max_chunk_size - 1, lst);
-      op_ret = get_data(fst, cur_lst, data_in);
+      op_ret = get_data(fst, cur_lst, data);
       if (op_ret < 0)
         goto done;
-      len = data_in.length();
+      len = data.length();
       s->content_length += len;
       fst += len;
     }
@@ -3193,19 +3193,12 @@ void RGWPutObj::execute()
       goto done;
     }
 
-    bufferlist &data = data_in;
-    if (len && s->aws4_auth_streaming_mode) {
-      /* use unwrapped data */
-      data = s->aws4_auth->bl;
-      len = data.length();
-    }
-
     if (need_calc_md5) {
       hash.Update((const byte *)data.c_str(), data.length());
     }
 
     /* update torrrent */
-    torrent.update(data_in);
+    torrent.update(data);
 
     /* do we need this operation to be synchronous? if we're dealing with an object with immutable
      * head, e.g., multipart object we need to make sure we're the first one writing to this object

diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index f3d3d2b55c97d1326aba0ed56b03de767eaa36c1..4eb45aeb2d77d2a2ee7c2494819cf3663c65636e 100644 (file)
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1125,49 +1125,6 @@ int RGWPutObj_ObjStore::get_params()
   return 0;
 }
 
-int RGWPutObj_ObjStore::get_padding_last_aws4_chunk_encoded(bufferlist &bl, uint64_t chunk_size) {
-
-  const int chunk_str_min_len = 1 + 17 + 64 + 2; /* len('0') = 1 */
-
-  char *chunk_str = bl.c_str();
-  int budget = bl.length();
-
-  unsigned int chunk_data_size;
-  unsigned int chunk_offset = 0;
-
-  while (1) {
-
-    /* check available metadata */
-    if (budget < chunk_str_min_len) {
-      return -ERR_SIGNATURE_NO_MATCH;
-    }
-
-    chunk_offset = 0;
-
-    /* grab chunk size */
-    while ((*(chunk_str+chunk_offset) != ';') && (chunk_offset < chunk_str_min_len))
-      chunk_offset++;
-    string str = string(chunk_str, chunk_offset);
-    stringstream ss;
-    ss << std::hex << str;
-    ss >> chunk_data_size;
-
-    /* next chunk */
-    chunk_offset += 17 + 64 + 2 + chunk_data_size;
-
-    /* last chunk? */
-    budget -= chunk_offset;
-    if (budget < 0) {
-      budget *= -1;
-      break;
-    }
-
-    chunk_str += chunk_offset;
-  }
-
-  return budget;
-}
-
 int RGWPutObj_ObjStore::get_data(bufferlist& bl)
 {
   size_t cl;
@@ -1193,26 +1150,6 @@ int RGWPutObj_ObjStore::get_data(bufferlist& bl)
     len = read_len;
     bl.append(bp, 0, len);
 
-    /* read last aws4 chunk padding */
-    if (s->aws4_auth_streaming_mode && len == (int)chunk_size) {
-      int ret_auth = get_padding_last_aws4_chunk_encoded(bl, chunk_size);
-      if (ret_auth < 0) {
-        return ret_auth;
-      }
-      int len_padding = ret_auth;
-      if (len_padding) {
-        bufferptr bp_extra(len_padding);
-        const auto read_len = recv_body(s, bp_extra.c_str(), len_padding);
-        if (read_len < 0) {
-          return read_len;
-        }
-        if (read_len != len_padding) {
-          return -ERR_SIGNATURE_NO_MATCH;
-        }
-        bl.append(bp_extra.c_str(), len_padding);
-        bl.rebuild();
-      }
-    }
     ACCOUNTING_IO(s)->set_account(false);
   }
 

diff --git a/src/rgw/rgw_rest.h b/src/rgw/rgw_rest.h
index 41597a2d476b16e1e30d51b34a19db16a6726956..2d24eed9475a992d96d876096a9fc748e19b6a13 100644 (file)
--- a/src/rgw/rgw_rest.h
+++ b/src/rgw/rgw_rest.h
@@ -212,8 +212,6 @@ public:
   int verify_params() override;
   int get_params() override;
   int get_data(bufferlist& bl) override;
-
-  int get_padding_last_aws4_chunk_encoded(bufferlist &bl, uint64_t chunk_size);
 };
 
 class RGWPostObj_ObjStore : public RGWPostObj

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 65959ba4372db94a9789c6d57a8ab50cffd0ef66..47a96c215ff653dc96f423649c41c19b667bfd77 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -1188,149 +1188,11 @@ int RGWPutObj_ObjStore_S3::get_params()
   return RGWPutObj_ObjStore::get_params();
 }
 
-int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str,
-                                                      char *chunk_data_str,
-                                                      unsigned int chunk_data_size,
-                                                      string chunk_signature)
-{
-
-  /* string to sign */
-
-  const std::string hash_empty_str = rgw::auth::s3::hash_string_sha256("", 0);
-
-  const std::string hash_chunk_data = \
-    rgw::auth::s3::hash_string_sha256(chunk_data_str, chunk_data_size);
-
-  string string_to_sign = "AWS4-HMAC-SHA256-PAYLOAD\n";
-  string_to_sign.append(s->aws4_auth->date + "\n");
-  string_to_sign.append(s->aws4_auth->credential_scope + "\n");
-  string_to_sign.append(s->aws4_auth->seed_signature + "\n");
-  string_to_sign.append(hash_empty_str + "\n");
-  string_to_sign.append(hash_chunk_data);
-
-  /* new chunk signature */
-  const auto sighex = buf_to_hex(calc_hmac_sha256(s->aws4_auth->signing_key,
-                                                  string_to_sign));
-  /* FIXME(rzarzynski): std::string here is really unnecessary. */
-  std::string new_chunk_signature = std::string(sighex.data(), sighex.size());
-
-  ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl;
-  ldout(s->cct, 20) << "chunk_signature     = " << chunk_signature << dendl;
-  ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl;
-  ldout(s->cct, 20) << "aws4 chunk signing_key    = "
-                    << buf_to_hex(s->aws4_auth->signing_key).data()
-                    << dendl;
-  ldout(s->cct, 20) << "aws4 chunk string_to_sign = "
-                    << rgw::crypt_sanitize::log_content{string_to_sign.c_str()}
-                    << dendl;
-
-  /* chunk auth ok? */
-
-  if (new_chunk_signature != chunk_signature) {
-    ldout(s->cct, 20) << "ERROR: AWS4 chunk signature does NOT match (new_chunk_signature != chunk_signature)" << dendl;
-    return -ERR_SIGNATURE_NO_MATCH;
-  }
-
-  /* update seed signature */
-
-  s->aws4_auth->seed_signature = new_chunk_signature;
-
-  return 0;
-}
-
-int RGWPutObj_ObjStore_S3::validate_and_unwrap_available_aws4_chunked_data(bufferlist& bl_in,
-                                                                           bufferlist& bl_out)
-{
-
-  /* string(IntHexBase(chunk-size)) + ";chunk-signature=" + signature + \r\n + chunk-data + \r\n */
-
-  const unsigned int chunk_str_min_len = 1 + 17 + 64 + 2; /* len('0') = 1 */
-
-  char *chunk_str = bl_in.c_str();
-  unsigned int budget = bl_in.length();
-
-  bl_out.clear();
-
-  while (true) {
-
-    /* check available metadata */
-
-    if (budget < chunk_str_min_len) {
-      return -ERR_SIGNATURE_NO_MATCH;
-    }
-
-    unsigned int chunk_offset = 0;
-
-    /* grab chunk size */
-
-    while ((chunk_offset < chunk_str_min_len) && (chunk_str[chunk_offset] != ';'))
-      chunk_offset++;
-    string str = string(chunk_str, chunk_offset);
-    unsigned int chunk_data_size;
-    stringstream ss;
-    ss << std::hex << str;
-    ss >> chunk_data_size;
-    if (ss.fail()) {
-      return -ERR_SIGNATURE_NO_MATCH;
-    }
-
-    /* grab chunk signature */
-
-    chunk_offset += 17;
-    string chunk_signature = string(chunk_str, chunk_offset, 64);
-
-    /* get chunk data */
-
-    chunk_offset += 64 + 2;
-    char *chunk_data_str = chunk_str + chunk_offset;
-
-    /* handle budget */
-
-    budget -= chunk_offset;
-    if (budget < chunk_data_size) {
-      return -ERR_SIGNATURE_NO_MATCH;
-    } else {
-      budget -= chunk_data_size;
-    }
-
-    /* auth single chunk */
-
-    if (validate_aws4_single_chunk(chunk_str, chunk_data_str, chunk_data_size, chunk_signature) < 0) {
-      ldout(s->cct, 20) << "ERROR AWS4 single chunk validation" << dendl;
-      return -ERR_SIGNATURE_NO_MATCH;
-    }
-
-    /* aggregate single chunk */
-
-    bl_out.append(chunk_data_str, chunk_data_size);
-
-    /* last chunk or no more budget? */
-
-    if ((chunk_data_size == 0) || (budget == 0))
-      break;
-
-    /* next chunk */
-
-    chunk_offset += chunk_data_size;
-    chunk_str += chunk_offset;
-  }
-
-  /* authorization ok */
-
-  return 0;
-
-}
-
 int RGWPutObj_ObjStore_S3::get_data(bufferlist& bl)
 {
-  int ret = RGWPutObj_ObjStore::get_data(bl);
-  if (ret > 0 && s->aws4_auth_streaming_mode) {
-    int ret_auth = validate_and_unwrap_available_aws4_chunked_data(bl, s->aws4_auth->bl);
-    if (ret_auth < 0) {
-      return ret_auth;
-    }
-  } else if (ret == 0) {
-    int ret_auth = do_aws4_auth_completion();
+  const int ret = RGWPutObj_ObjStore::get_data(bl);
+  if (ret == 0) {
+    const int ret_auth = do_aws4_auth_completion();
     if (ret_auth < 0) {
       return ret_auth;
     }
@@ -1714,16 +1576,19 @@ int RGWPostObj_ObjStore_S3::get_policy()
 
         /* AWS4 */
 
+#if 0
         try {
           s->aws4_auth = std::unique_ptr<rgw_aws4_auth>(new rgw_aws4_auth);
         } catch (std::bad_alloc&) {
           return -ENOMEM;
         }
+#endif
 
         /* FIXME(rzarzynski): clean this up! */
         std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(),
                                        s->auth.s3_postobj_creds.encoded_policy.length());
 
+#if 0
         s->aws4_auth->signing_key = \
           rgw::auth::s3::get_v4_signing_key(s->cct, cs_aux, s3_secret_key);
 
@@ -1740,6 +1605,9 @@ int RGWPostObj_ObjStore_S3::get_policy()
         if (received_signature_str != new_signature_str) {
           return -ERR_SIGNATURE_NO_MATCH;
         }
+#else
+        return -ERR_SIGNATURE_NO_MATCH;
+#endif
       }
 
       /* Deep copy. */

diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h
index edaf306a69b9b1200b862e80bff5fc9288296f11..f521d52d3102781c78748475fae1c8fa03cfc105 100644 (file)
--- a/src/rgw/rgw_rest_s3.h
+++ b/src/rgw/rgw_rest_s3.h
@@ -185,13 +185,6 @@ public:
   int get_data(bufferlist& bl) override;
   void send_response() override;
 
-  int validate_aws4_single_chunk(char *chunk_str,
-                                 char *chunk_data_str,
-                                 unsigned int chunk_data_size,
-                                 string chunk_signature);
-  int validate_and_unwrap_available_aws4_chunked_data(bufferlist& bl_in,
-                                                      bufferlist& bl_out);
-
   int get_encrypt_filter(std::unique_ptr<RGWPutObjDataProcessor>* filter,
                          RGWPutObjDataProcessor* cb) override;
   int get_decrypt_filter(std::unique_ptr<RGWGetDataCB>* filter,