rgw: add aws4 auth grace period
authorJavier M. Mellid <jmunhoz@igalia.com>
Mon, 18 Jan 2016 20:08:45 +0000 (21:08 +0100)
committerJavier M. Mellid <jmunhoz@igalia.com>
Sat, 13 Feb 2016 12:53:05 +0000 (12:53 +0000)
Protect against reuse of the signed portions of the request. In AWS, the signed
portions (using AWS Signatures) of requests are valid within 15 minutes of the
timestamp in the request.

Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>
src/rgw/rgw_rest_s3.cc

index 975d1d0d7acbcc52cf848648df7e4948bd233995..75c543c4832a94dd1b4e2707b1b388997e65fe0e 100644 (file)
@@ -2946,6 +2946,14 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
         return -EPERM;
       }
     }
+
+    if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
+         (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
+      dout(10) << "NOTICE: request time skew too big." << dendl;
+      dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
+      return -ERR_REQUEST_TIME_SKEWED;
+    }
+
     s->aws4_auth->signedheaders = s->info.args.get("X-Amz-SignedHeaders");
     if (s->aws4_auth->signedheaders.size() == 0) {
       return -EPERM;
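Review bot: The new skew check `if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) || ...` appears to sit in the query-string path, since the next statement reads `X-Amz-SignedHeaders` from `s->info.args`. If so, a presigned URL whose expiry is longer than the grace window would start failing with `-ERR_REQUEST_TIME_SKEWED` once it is older than `RGW_AUTH_GRACE_MINS`, while header-signed requests get the replay window only if a matching check exists outside this hunk. `authorize_v4` starts and ends outside the hunk, so confirm against its surrounding branches that the window covers header-signed requests and that the presigned case is bounded by its own expiry instead. The rejection is logged only at `dout(10)`, so a burst of replayed or skewed requests would likely not show at typical production log levels; a lower level for the NOTICE line would make it usable for detection. A short comment above the check, such as `/* replay protection: X-Amz-Date must be within +/- RGW_AUTH_GRACE_MINS of server time */`, would record the intent.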