rgw: add x-amz-expires support

Provides the time period, in seconds, for which the generated presigned URL is
valid. For example, 86400 (24 hours). This value is an integer. The minimum
value you can set is 1, and the maximum is 604800 (seven days).

Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 36e28d118d2c731184165b6c02098a27e39380e0..6f28bb1660275450673cdb32bf77f18de66de113 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1102,6 +1102,7 @@ inline ostream& operator<<(ostream& out, const rgw_obj_key &o) {
 
 struct rgw_aws4_auth {
   string date;
+  string expires;
   string credential;
   string signedheaders;
   string signed_hdrs;

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index ab927b7b0e6ce5ba0195509137fd4e09f5d88bff..975d1d0d7acbcc52cf848648df7e4948bd233995 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2900,6 +2900,9 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
   string::size_type pos;
   bool using_qs;
 
+  time_t now, now_req=0;
+  time(&now);
+
   /* v4 requires rados auth */
   if (!store->ctx()->_conf->rgw_s3_auth_use_rados) {
     return -EPERM;
@@ -2920,9 +2923,28 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
     if (s->aws4_auth->credential.size() == 0) {
       return -EPERM;
     }
+
     s->aws4_auth->date = s->info.args.get("X-Amz-Date");
-    if (s->aws4_auth->date.size() == 0) {
+    struct tm date_t;
+    if (!parse_iso8601(s->aws4_auth->date.c_str(), &date_t, false))
       return -EPERM;
+
+    s->aws4_auth->expires = s->info.args.get("X-Amz-Expires");
+    if (s->aws4_auth->expires.size() != 0) {
+      /* X-Amz-Expires provides the time period, in seconds, for which
+         the generated presigned URL is valid. The minimum value
+         you can set is 1, and the maximum is 604800 (seven days) */
+      time_t exp = atoll(s->aws4_auth->expires.c_str());
+      if ((exp < 1) || (exp > 604800)) {
+        dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
+        return -EPERM;
+      }
+      /* handle expiration in epoch time */
+      now_req = mktime(&date_t);
+      if (now >= now_req + exp) {
+        dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl;
+        return -EPERM;
+      }
     }
     s->aws4_auth->signedheaders = s->info.args.get("X-Amz-SignedHeaders");
     if (s->aws4_auth->signedheaders.size() == 0) {