rgw_file: use correct secret key to check auth

Currently, the authorize function in rgw_file only use the secret key of
first key pair to compare, add a function which get secret key by user's
access key and check the result is match with user's secret key.

Fixes: https://tracker.ceph.com/issues/37855
Signed-off-by: MinSheng Lin <minsheng.l@inwinstack.com>
(cherry picked from commit e92755c60325475342afcafcd5293a20e3e5216a)

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index cf00f29704b8914759f71c1ce2df83c9a202504f..820085233758b3954617ea0ae8d77b797fcd954c 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -656,11 +656,15 @@ struct RGWUserInfo
       type(TYPE_NONE) {
   }
 
-  RGWAccessKey* get_key0() {
+  RGWAccessKey* get_key(const string& access_key) {
     if (access_keys.empty())
       return nullptr;
+
+    auto k = access_keys.find(access_key);
+    if (k == access_keys.end())
+      return nullptr;
     else
-      return &(access_keys.begin()->second);
+      return &(k->second);
   }
 
   void encode(bufferlist& bl) const {

diff --git a/src/rgw/rgw_file.h b/src/rgw/rgw_file.h
index 3bdcf03d0ceb5396e87a962c24212bf8c8de29d1..63b5b9e2427783b166703746907fde69e916c1ac 100644 (file)
--- a/src/rgw/rgw_file.h
+++ b/src/rgw/rgw_file.h
@@ -920,9 +920,8 @@ namespace rgw {
     int authorize(RGWRados* store) {
       int ret = rgw_get_user_info_by_access_key(store, key.id, user);
       if (ret == 0) {
-       RGWAccessKey* key0 = user.get_key0();
-       if (!key0 ||
-           (key0->key != key.key))
+       RGWAccessKey* k = user.get_key(key.id);
+       if (!k || (k->key != key.key))
          return -EINVAL;
        if (user.suspended)
          return -ERR_USER_SUSPENDED;