rgw/auth: a forwarded CreateBucket request in case of multisite has an empty

payload hash computed for UNSIGNED-PAYLOAD. use that hash for the header
'x-amz-content-sha256' in AWSSignerV4::prepare()

Signed-off-by: Shilpa Jagannath <smanjara@redhat.com>

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 7aef4284ce9cae937b1f1882c90ca7f7bf88f2c4..909246c221f86004065629a5c6cb7d563f0e7a7a 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6341,10 +6341,17 @@ AWSSignerV4::prepare(const DoutPrefixProvider *dpp,
     content_hash = rgw::auth::s3::calc_v4_payload_hash(opt_content->to_str());
     extra_headers["x-amz-content-sha256"] = content_hash;
   } else {
+    // check if the header was already set (e.g. from a forwarded request)
+    const char* existing_hash = info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+    if (existing_hash) {
+      // use existing header value
+      extra_headers["x-amz-content-sha256"] = existing_hash;
+    } else {
     /* Some S3-compatible services require x-amz-content-sha256 header to always
      * be present and included in the signature, even for unsigned payload.
      * AWS S3 specification states that this header is required for all requests. */
     extra_headers["x-amz-content-sha256"] = AWS4_UNSIGNED_PAYLOAD_HASH;
+    }
   }
 
   /* craft canonical headers */