rgw: UNSIGNED-PAYLOAD support in AWS4 auth
authorJavier M. Mellid <jmunhoz@igalia.com>
Mon, 14 Sep 2015 20:12:04 +0000 (22:12 +0200)
committerJavier M. Mellid <jmunhoz@igalia.com>
Sat, 13 Feb 2016 12:25:55 +0000 (12:25 +0000)
Fixes: #10333
Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>
src/rgw/rgw_auth_s3.cc
src/rgw/rgw_auth_s3.h
src/rgw/rgw_rest_s3.cc

index 700695b149614d055a78471499a0ae61fc8c16c5..cd3adc41683efc3f9a77ecdb9d55d5951a8bc0ef 100644 (file)
@@ -262,14 +262,14 @@ void rgw_assemble_s3_v4_canonical_request(const char *method, const char *canoni
  */
 void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canonical_uri, const string& canonical_qs,
                                         const string& canonical_hdrs, const string& signed_hdrs, const string& request_payload,
-                                        string& canonical_req, string& canonical_req_hash)
+                                        bool unsigned_payload, string& canonical_req, string& canonical_req_hash)
 {
   string request_payload_hash;
 
-  if (len < 0) {
+  if (unsigned_payload) {
     request_payload_hash = "UNSIGNED-PAYLOAD";
   } else {
-    rgw_hash_s3_string_sha256(data, len, request_payload_hash);
+    rgw_hash_s3_string_sha256(request_payload.c_str(), request_payload.size(), request_payload_hash);
   }
 
   dout(10) << "payload request hash = " << request_payload_hash << dendl;
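Review bot: The new `unsigned_payload` parameter is undocumented. When it is true, the `if (unsigned_payload)` branch puts the literal `UNSIGNED-PAYLOAD` into the canonical request and never reads `request_payload`, so the V4 signature does not cover the request body. The function's header comment, which starts above this hunk, should say this, for example `unsigned_payload: when true, skip hashing and use "UNSIGNED-PAYLOAD"; the body is then not authenticated by the signature`. In the authorize_v4 hunk of this commit the flag is set only when `using_qs` is true, and the comment should also record that callers derive it from the request type rather than from an unchecked client-supplied value. The function body continues past the end of the hunk, so how the hash is used afterwards is not visible here.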
index b08fb560a1a51d627eb768b3e9c2f6d493e75a08..cb56a181d2039679a8a4b66f874afbb23ad934a5 100644 (file)
@@ -15,7 +15,7 @@ int rgw_get_s3_header_digest(const string& auth_hdr, const string& key, string&
 void rgw_hash_s3_string_sha256(const string& str, string& dest);
 void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canonical_uri, const string& canonical_qs,
                                         const string& canonical_hdrs, const string& signed_hdrs, const string& request_payload,
-                                        string& canonical_req, string& canonical_req_hash);
+                                        bool unsigned_payload, string& canonical_req, string& canonical_req_hash);
 void rgw_create_s3_v4_string_to_sign(const string& algorithm, const string& request_date, const string& credential_scope, const string& hashed_qr, string& string_to_sign);
 int rgw_calculate_s3_v4_aws_signature(struct req_state *s, const string& access_key_id, const string &date, const string& region, const string& service, const string& string_to_sign, string& signature);
 
index 9b4c26a225e3618a939cbb347f85773d15a6282c..5cdd2df490f44e35543dc70bc14fae782d5b26fb 100644 (file)
@@ -2963,11 +2963,23 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
 
   string request_payload;
 
+  bool unsigned_payload = false;
   if (using_qs) {
-    len = -1;
+    unsigned_payload = true;
   }
 
-  if (!using_qs && ((s->content_length > 0) || s->info.env->get("HTTP_TRANSFER_ENCODING"))) {
+  if (using_qs || ((s->content_length == 0) && s->info.env->get("HTTP_TRANSFER_ENCODING") == NULL)) {
+
+    /* requests lacking of body are authenticated now */
+
+    /* craft canonical request */
+
+    string canonical_req;
+    string canonical_req_hash;
+
+    rgw_create_s3_v4_canonical_request(s, canonical_uri, canonical_qs,
+        canonical_hdrs, signed_hdrs, request_payload, unsigned_payload,
+        canonical_req, canonical_req_hash);
 
     /* TODO: read body in request_payload */