sts: Fixes get_cert_url improper url path concatenation
authorMathew <mat@hazmat.dev>
Mon, 6 Mar 2023 19:13:00 +0000 (14:13 -0500)
committerCasey Bodley <cbodley@redhat.com>
Tue, 11 Apr 2023 13:33:35 +0000 (09:33 -0400)
Invalid URL concatenation prevents some OpenIDConnect providers from working
with RGW and the AssumeRoleWithWebIdentity API. Invalid URLs contain a double
slash `//`. This fix ensures that an ISS is properly joined to the .well-known
path.

Fixes: https://tracker.ceph.com/issues/58890
Signed-off-by: Mathew Utter <mat@hazmat.dev>
(cherry picked from commit c71818a586f2e29fb76310cb6477f0ccee7f19bd)

src/rgw/rgw_rest_sts.cc

index 8e70faa99f4e1db735f2287ce8c5008c224384c6..09f77f61d5f6134d4f9fdb7afd795e007bf22138 100644 (file)
@@ -309,8 +309,14 @@ std::string
 WebTokenEngine::get_cert_url(const string& iss, const DoutPrefixProvider *dpp, optional_yield y) const
 {
   string cert_url;
-  string openidc_wellknown_url = iss + "/.well-known/openid-configuration";
+  string openidc_wellknown_url = iss;
   bufferlist openidc_resp;
+
+  if (openidc_wellknown_url.back() == '/') {
+    openidc_wellknown_url.pop_back();
+  }
+  openidc_wellknown_url.append("/.well-known/openid-configuration");
+
   RGWHTTPTransceiver openidc_req(cct, "GET", openidc_wellknown_url, &openidc_resp);
 
   //Headers
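Review bot: `openidc_wellknown_url.back()` is called without first checking that the string is non-empty, and `std::string::back()` on an empty string is undefined behaviour. If `iss` can reach get_cert_url empty (it appears to come from the token's issuer claim, but the caller is outside this hunk), the guard should read `if (!openidc_wellknown_url.empty() && openidc_wellknown_url.back() == '/') {`. Only a single trailing slash is stripped, so an issuer ending in `//` would still produce a double slash in the discovery URL. Because this URL is fetched by the gateway, a short comment stating that `iss` has already been matched against a registered OIDC provider would help, if that is the case. The body of get_cert_url continues past the end of the hunk.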
@@ -761,7 +767,7 @@ static const std::unordered_map<std::string_view, op_generator> op_generators =
   {"AssumeRoleWithWebIdentity", []() -> RGWOp* {return new RGWSTSAssumeRoleWithWebIdentity;}}
 };
 
-bool RGWHandler_REST_STS::action_exists(const req_state* s) 
+bool RGWHandler_REST_STS::action_exists(const req_state* s)
 {
   if (s->info.args.exists("Action")) {
     const std::string action_name = s->info.args.get("Action");