rgw_ldap: two bug fixes

1. only attempt auth on tokens which pass valid() check
2. ignore false positive search result (and fix result in that case)

Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>

diff --git a/src/rgw/rgw_file.h b/src/rgw/rgw_file.h
index 51e4829a4e6fa0252b53eb9c44288a04b3190076..a6e06ded0499d3dffd55a10cd672f92bcb2d8d2b 100644 (file)
--- a/src/rgw/rgw_file.h
+++ b/src/rgw/rgw_file.h
@@ -676,7 +676,7 @@ namespace rgw {
        /* try external authenticators (ldap for now) */
        rgw::LDAPHelper* ldh = rgwlib.get_ldh(); /* !nullptr */
        RGWToken token{from_base64(key.id)};
-       if (ldh->auth(token.id, token.key) == 0) {
+       if (token.valid() && (ldh->auth(token.id, token.key) == 0)) {
          /* try to store user if it doesn't already exist */
          if (rgw_get_user_info_by_uid(store, token.id, user) < 0) {
            int ret = rgw_store_user_info(store, user, NULL, NULL, real_time(),

diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h
index 62c901a9bf5fe8740e688df36c53170ecf3cf276..46b05fff658b1543109e6b88e89bc6b9771b5dfb 100644 (file)
--- a/src/rgw/rgw_ldap.h
+++ b/src/rgw/rgw_ldap.h
@@ -64,14 +64,18 @@ namespace rgw {
       filter += uid;
       filter += ")";
       char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
-      LDAPMessage *answer, *entry;
+      LDAPMessage *answer = nullptr, *entry = nullptr;
       ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
                          filter.c_str(), attrs, 0, &answer);
       if (ret == LDAP_SUCCESS) {
        entry = ldap_first_entry(ldap, answer);
-       char *dn = ldap_get_dn(ldap, entry);
-       ret = simple_bind(dn, pwd);
-       ldap_memfree(dn);
+       if (entry) {
+         char *dn = ldap_get_dn(ldap, entry);
+         ret = simple_bind(dn, pwd);
+         ldap_memfree(dn);
+       } else {
+         ret = LDAP_NO_SUCH_ATTRIBUTE; // fixup result
+       }
        ldap_msgfree(answer);
       }
       return (ret == LDAP_SUCCESS) ? ret : -EACCES;

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index a31b95b0b63e5671f0593b3fee864a5addde05f8..fc7458f5f473ad5094d7c8a7800b5731ed4a8ebe 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -1584,7 +1584,7 @@ int RGWPostObj_ObjStore_S3::get_policy()
                store->ctx()->_conf->rgw_ldap_uri.empty()) {
        RGWToken token{from_base64(s3_access_key)};
        rgw::LDAPHelper *ldh = RGW_Auth_S3::get_ldap_ctx(store);
-       if (ldh->auth(token.id, token.key) != 0)
+       if ((! token.valid()) || ldh->auth(token.id, token.key) != 0)
          return -EACCES;
 
        /* ok, succeeded, try to create shadow */
@@ -3700,7 +3700,7 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
     RGW_Auth_S3::init(store);
 
     RGWToken token{from_base64(auth_id)};
-    if (ldh->auth(token.id, token.key) != 0)
+    if ((! token.valid()) || ldh->auth(token.id, token.key) != 0)
       external_auth_result = -EACCES;
     else {
       /* ok, succeeded */
@@ -3708,9 +3708,10 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
       /* create local account, if none exists */
       s->user->user_id = token.id;
       s->user->display_name = token.id; // cn?
-      if (rgw_get_user_info_by_uid(store, s->user->user_id,
-                                  *(s->user)) < 0) {
-       int ret = rgw_store_user_info(store, *(s->user), NULL, NULL, real_time(), true);
+      int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user));
+      if (ret < 0) {
+       ret = rgw_store_user_info(store, *(s->user), NULL, NULL, real_time(),
+                                 true);
        if (ret < 0) {
          dout(10) << "NOTICE: failed to store new user's info: ret=" << ret
                   << dendl;