rgw: cors rules num limit

According to AWS S3, an cors rules can
have up to 100 rules.

Signed-off-by: yuliyang <yuliyang@cmss.chinamobile.com>
(cherry picked from commit c97ee932f380a673b52ffcb1986b015e06246844)

Conflicts:
	src/common/options.cc
- luminous lacks some options that are present in master

diff --git a/src/common/legacy_config_opts.h b/src/common/legacy_config_opts.h
index 2b4361103f32b9fde86e3c18b03652f00ea0c302..eaaab1fe62e0eddf7c40b5e8dd001619917593e4 100644 (file)
--- a/src/common/legacy_config_opts.h
+++ b/src/common/legacy_config_opts.h
@@ -1584,3 +1584,4 @@ OPTION(rgw_max_objs_per_shard, OPT_INT)
 OPTION(rgw_reshard_thread_interval, OPT_U32) // maximum time between rounds of reshard thread processing
 
 OPTION(rgw_acl_grants_max_num, OPT_INT) // According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html), An ACL can have up to 100 grants.
+OPTION(rgw_cors_rules_max_num, OPT_INT) // According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html), An cors can have up to 100 rules.

diff --git a/src/common/options.cc b/src/common/options.cc
index 3434c799d5aa1e67d30a5cef0210d5a3e56e78e5..d72e1ddf5df357abf083bae4eede8d1710cb70ce 100644 (file)
--- a/src/common/options.cc
+++ b/src/common/options.cc
@@ -4444,6 +4444,10 @@ std::vector<Option> get_rgw_options() {
     .set_default(100)
     .set_description("Max number of ACL grants in a single request"),
 
+    Option("rgw_cors_rules_max_num", Option::TYPE_INT, Option::LEVEL_ADVANCED)
+    .set_default(100)
+    .set_description("Max number of cors rules in a single request"),
+
     Option("rgw_max_chunk_size", Option::TYPE_INT, Option::LEVEL_ADVANCED)
     .set_default(4_M)
     .set_description("Set RGW max chunk size")

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 5a2ed322142f791ad197397ff08e9c14d9064f6e..0a31d5d34141d53a6cf6113b558a61f11124fcbf 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -74,6 +74,7 @@ rgw_http_errors rgw_http_s3_errors({
     { ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
     { ERR_INVALID_TAG, {400, "InvalidTag"}},
     { ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
+    { ERR_INVALID_CORS_RULES_ERROR, {400, "InvalidRequest" }},
     { ERR_INVALID_ENCRYPTION_ALGORITHM, {400, "InvalidEncryptionAlgorithmError" }},
     { ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
     { EACCES, {403, "AccessDenied" }},

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 3854d5b4a8fd34e69c44d39c0e5399d0de167ad4..72f42c53f1b22686a6f3fcb144e2ace4192358f9 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -219,6 +219,7 @@ using ceph::crypto::MD5;
 #define ERR_MALFORMED_ACL_ERROR  2212
 #define ERR_ZONEGROUP_DEFAULT_PLACEMENT_MISCONFIGURATION 2213
 #define ERR_INVALID_ENCRYPTION_ALGORITHM                 2214
+#define ERR_INVALID_CORS_RULES_ERROR                     2215
 
 #define ERR_BUSY_RESHARDING      2300
 

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 8042a0d4b874f19ee9c3d6a1c416391ed9d5f6b1..6cd1ae6b76d1d7af28357644d70c531ca9b308de 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2362,6 +2362,23 @@ int RGWPutCORS_ObjStore_S3::get_params()
     return -EINVAL;
   }
 
+#define CORS_RULES_MAX_NUM      100
+  int max_num = s->cct->_conf->rgw_cors_rules_max_num;
+  if (max_num < 0) {
+    max_num = CORS_RULES_MAX_NUM;
+  }
+  int cors_rules_num = cors_config->get_rules().size();
+  if (cors_rules_num > max_num) {
+    ldout(s->cct, 4) << "An cors config can have up to "
+                     << max_num
+                     << " rules, request cors rules num: "
+                     << cors_rules_num << dendl;
+    op_ret = -ERR_INVALID_CORS_RULES_ERROR;
+    s->err.message = "The number of CORS rules should not exceed allowed limit of "
+                     + std::to_string(max_num) + " rules.";
+    return -ERR_INVALID_REQUEST;
+  }
+
   // forward bucket cors requests to meta master zone
   if (!store->is_meta_master()) {
     /* only need to keep this data around if we're not meta master */