From: Radoslaw Zarzynski Date: Fri, 28 Apr 2017 18:34:08 +0000 (+0200) Subject: rgw: remove the old AWS v4 streaming mode's implementation. X-Git-Tag: v12.1.0~155^2~25 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0845d9c874d3b00f2b00b57019a112d782c1f7c6;p=ceph.git rgw: remove the old AWS v4 streaming mode's implementation. Signed-off-by: Radoslaw Zarzynski --- diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index 94b2d5c2da87..f5b5277b25f6 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -1029,21 +1029,7 @@ size_t AWSv4Completer::recv_body(char* const buf, const size_t max) void AWSv4Completer::modify_request_state(req_state* const s_rw) { - /* TODO(rzarzynski): switch to the dedicated filter over RestfulClient. */ - //s_rw->aws4_auth_streaming_mode = aws4_auth_streaming_mode; - - s_rw->aws4_auth = std::unique_ptr(new rgw_aws4_auth); - - s_rw->aws4_auth->date = date; - s_rw->aws4_auth->credential_scope = credential_scope; - - /* If we're here, the provided signature has been successfully validated - * earlier. */ - s_rw->aws4_auth->seed_signature = seed_signature; - - if (signing_key) { - s_rw->aws4_auth->signing_key = std::move(*signing_key); - } else if (aws4_auth_streaming_mode) { + if (!signing_key && aws4_auth_streaming_mode) { /* Some external authorizers (like Keystone) aren't fully compliant with * AWSv4. They do not provide the secret_key which is necessary to handle * the streamed upload. */ diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index 2a625336bdc9..4e61a6be5fde 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -203,7 +203,6 @@ private: std::string seed_signature; boost::optional> signing_key; - ceph::bufferlist bl; /* TODO(rzarzynski): this won't be necessary after moving to filter-over- * rgw::io::RestfulClient. */ diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 46f9bdbc3f24..7874fd1f2e6a 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -264,7 +264,6 @@ req_state::req_state(CephContext* _cct, RGWEnv* e, RGWUserInfo* u) bucket_acl = NULL; object_acl = NULL; expect_cont = false; - aws4_auth_streaming_mode = false; header_ended = false; obj_size = 0; diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index bd62e834be89..f476a0ea481d 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1694,15 +1694,6 @@ inline ostream& operator<<(ostream& out, const rgw_obj_index_key &o) { } } -struct rgw_aws4_auth { - string date; - string credential_scope; - string seed_signature; - std::array signing_key; - bufferlist bl; -}; - struct req_init_state { /* Keeps [[tenant]:]bucket until we parse the token. */ string url_bucket; @@ -1805,10 +1796,6 @@ struct req_state { * Being system user means we also have the admin status. */ bool system_request; - /* aws4 auth support */ - bool aws4_auth_streaming_mode; - unique_ptr aws4_auth; - string canned_acl; bool has_acl_header; bool local_source; /* source is local */ diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 4a004755646c..0a2a565dd931 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -3174,17 +3174,17 @@ void RGWPutObj::execute() } do { - bufferlist data_in; + bufferlist data; if (fst > lst) break; if (!copy_source) { - len = get_data(data_in); + len = get_data(data); } else { uint64_t cur_lst = min(fst + s->cct->_conf->rgw_max_chunk_size - 1, lst); - op_ret = get_data(fst, cur_lst, data_in); + op_ret = get_data(fst, cur_lst, data); if (op_ret < 0) goto done; - len = data_in.length(); + len = data.length(); s->content_length += len; fst += len; } @@ -3193,19 +3193,12 @@ void RGWPutObj::execute() goto done; } - bufferlist &data = data_in; - if (len && s->aws4_auth_streaming_mode) { - /* use unwrapped data */ - data = s->aws4_auth->bl; - len = data.length(); - } - if (need_calc_md5) { hash.Update((const byte *)data.c_str(), data.length()); } /* update torrrent */ - torrent.update(data_in); + torrent.update(data); /* do we need this operation to be synchronous? if we're dealing with an object with immutable * head, e.g., multipart object we need to make sure we're the first one writing to this object diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc index f3d3d2b55c97..4eb45aeb2d77 100644 --- a/src/rgw/rgw_rest.cc +++ b/src/rgw/rgw_rest.cc @@ -1125,49 +1125,6 @@ int RGWPutObj_ObjStore::get_params() return 0; } -int RGWPutObj_ObjStore::get_padding_last_aws4_chunk_encoded(bufferlist &bl, uint64_t chunk_size) { - - const int chunk_str_min_len = 1 + 17 + 64 + 2; /* len('0') = 1 */ - - char *chunk_str = bl.c_str(); - int budget = bl.length(); - - unsigned int chunk_data_size; - unsigned int chunk_offset = 0; - - while (1) { - - /* check available metadata */ - if (budget < chunk_str_min_len) { - return -ERR_SIGNATURE_NO_MATCH; - } - - chunk_offset = 0; - - /* grab chunk size */ - while ((*(chunk_str+chunk_offset) != ';') && (chunk_offset < chunk_str_min_len)) - chunk_offset++; - string str = string(chunk_str, chunk_offset); - stringstream ss; - ss << std::hex << str; - ss >> chunk_data_size; - - /* next chunk */ - chunk_offset += 17 + 64 + 2 + chunk_data_size; - - /* last chunk? */ - budget -= chunk_offset; - if (budget < 0) { - budget *= -1; - break; - } - - chunk_str += chunk_offset; - } - - return budget; -} - int RGWPutObj_ObjStore::get_data(bufferlist& bl) { size_t cl; @@ -1193,26 +1150,6 @@ int RGWPutObj_ObjStore::get_data(bufferlist& bl) len = read_len; bl.append(bp, 0, len); - /* read last aws4 chunk padding */ - if (s->aws4_auth_streaming_mode && len == (int)chunk_size) { - int ret_auth = get_padding_last_aws4_chunk_encoded(bl, chunk_size); - if (ret_auth < 0) { - return ret_auth; - } - int len_padding = ret_auth; - if (len_padding) { - bufferptr bp_extra(len_padding); - const auto read_len = recv_body(s, bp_extra.c_str(), len_padding); - if (read_len < 0) { - return read_len; - } - if (read_len != len_padding) { - return -ERR_SIGNATURE_NO_MATCH; - } - bl.append(bp_extra.c_str(), len_padding); - bl.rebuild(); - } - } ACCOUNTING_IO(s)->set_account(false); } diff --git a/src/rgw/rgw_rest.h b/src/rgw/rgw_rest.h index 41597a2d476b..2d24eed9475a 100644 --- a/src/rgw/rgw_rest.h +++ b/src/rgw/rgw_rest.h @@ -212,8 +212,6 @@ public: int verify_params() override; int get_params() override; int get_data(bufferlist& bl) override; - - int get_padding_last_aws4_chunk_encoded(bufferlist &bl, uint64_t chunk_size); }; class RGWPostObj_ObjStore : public RGWPostObj diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 65959ba4372d..47a96c215ff6 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1188,149 +1188,11 @@ int RGWPutObj_ObjStore_S3::get_params() return RGWPutObj_ObjStore::get_params(); } -int RGWPutObj_ObjStore_S3::validate_aws4_single_chunk(char *chunk_str, - char *chunk_data_str, - unsigned int chunk_data_size, - string chunk_signature) -{ - - /* string to sign */ - - const std::string hash_empty_str = rgw::auth::s3::hash_string_sha256("", 0); - - const std::string hash_chunk_data = \ - rgw::auth::s3::hash_string_sha256(chunk_data_str, chunk_data_size); - - string string_to_sign = "AWS4-HMAC-SHA256-PAYLOAD\n"; - string_to_sign.append(s->aws4_auth->date + "\n"); - string_to_sign.append(s->aws4_auth->credential_scope + "\n"); - string_to_sign.append(s->aws4_auth->seed_signature + "\n"); - string_to_sign.append(hash_empty_str + "\n"); - string_to_sign.append(hash_chunk_data); - - /* new chunk signature */ - const auto sighex = buf_to_hex(calc_hmac_sha256(s->aws4_auth->signing_key, - string_to_sign)); - /* FIXME(rzarzynski): std::string here is really unnecessary. */ - std::string new_chunk_signature = std::string(sighex.data(), sighex.size()); - - ldout(s->cct, 20) << "--------------- aws4 chunk validation" << dendl; - ldout(s->cct, 20) << "chunk_signature = " << chunk_signature << dendl; - ldout(s->cct, 20) << "new_chunk_signature = " << new_chunk_signature << dendl; - ldout(s->cct, 20) << "aws4 chunk signing_key = " - << buf_to_hex(s->aws4_auth->signing_key).data() - << dendl; - ldout(s->cct, 20) << "aws4 chunk string_to_sign = " - << rgw::crypt_sanitize::log_content{string_to_sign.c_str()} - << dendl; - - /* chunk auth ok? */ - - if (new_chunk_signature != chunk_signature) { - ldout(s->cct, 20) << "ERROR: AWS4 chunk signature does NOT match (new_chunk_signature != chunk_signature)" << dendl; - return -ERR_SIGNATURE_NO_MATCH; - } - - /* update seed signature */ - - s->aws4_auth->seed_signature = new_chunk_signature; - - return 0; -} - -int RGWPutObj_ObjStore_S3::validate_and_unwrap_available_aws4_chunked_data(bufferlist& bl_in, - bufferlist& bl_out) -{ - - /* string(IntHexBase(chunk-size)) + ";chunk-signature=" + signature + \r\n + chunk-data + \r\n */ - - const unsigned int chunk_str_min_len = 1 + 17 + 64 + 2; /* len('0') = 1 */ - - char *chunk_str = bl_in.c_str(); - unsigned int budget = bl_in.length(); - - bl_out.clear(); - - while (true) { - - /* check available metadata */ - - if (budget < chunk_str_min_len) { - return -ERR_SIGNATURE_NO_MATCH; - } - - unsigned int chunk_offset = 0; - - /* grab chunk size */ - - while ((chunk_offset < chunk_str_min_len) && (chunk_str[chunk_offset] != ';')) - chunk_offset++; - string str = string(chunk_str, chunk_offset); - unsigned int chunk_data_size; - stringstream ss; - ss << std::hex << str; - ss >> chunk_data_size; - if (ss.fail()) { - return -ERR_SIGNATURE_NO_MATCH; - } - - /* grab chunk signature */ - - chunk_offset += 17; - string chunk_signature = string(chunk_str, chunk_offset, 64); - - /* get chunk data */ - - chunk_offset += 64 + 2; - char *chunk_data_str = chunk_str + chunk_offset; - - /* handle budget */ - - budget -= chunk_offset; - if (budget < chunk_data_size) { - return -ERR_SIGNATURE_NO_MATCH; - } else { - budget -= chunk_data_size; - } - - /* auth single chunk */ - - if (validate_aws4_single_chunk(chunk_str, chunk_data_str, chunk_data_size, chunk_signature) < 0) { - ldout(s->cct, 20) << "ERROR AWS4 single chunk validation" << dendl; - return -ERR_SIGNATURE_NO_MATCH; - } - - /* aggregate single chunk */ - - bl_out.append(chunk_data_str, chunk_data_size); - - /* last chunk or no more budget? */ - - if ((chunk_data_size == 0) || (budget == 0)) - break; - - /* next chunk */ - - chunk_offset += chunk_data_size; - chunk_str += chunk_offset; - } - - /* authorization ok */ - - return 0; - -} - int RGWPutObj_ObjStore_S3::get_data(bufferlist& bl) { - int ret = RGWPutObj_ObjStore::get_data(bl); - if (ret > 0 && s->aws4_auth_streaming_mode) { - int ret_auth = validate_and_unwrap_available_aws4_chunked_data(bl, s->aws4_auth->bl); - if (ret_auth < 0) { - return ret_auth; - } - } else if (ret == 0) { - int ret_auth = do_aws4_auth_completion(); + const int ret = RGWPutObj_ObjStore::get_data(bl); + if (ret == 0) { + const int ret_auth = do_aws4_auth_completion(); if (ret_auth < 0) { return ret_auth; } @@ -1714,16 +1576,19 @@ int RGWPostObj_ObjStore_S3::get_policy() /* AWS4 */ +#if 0 try { s->aws4_auth = std::unique_ptr(new rgw_aws4_auth); } catch (std::bad_alloc&) { return -ENOMEM; } +#endif /* FIXME(rzarzynski): clean this up! */ std::string encoded_policy_str(s->auth.s3_postobj_creds.encoded_policy.c_str(), s->auth.s3_postobj_creds.encoded_policy.length()); +#if 0 s->aws4_auth->signing_key = \ rgw::auth::s3::get_v4_signing_key(s->cct, cs_aux, s3_secret_key); @@ -1740,6 +1605,9 @@ int RGWPostObj_ObjStore_S3::get_policy() if (received_signature_str != new_signature_str) { return -ERR_SIGNATURE_NO_MATCH; } +#else + return -ERR_SIGNATURE_NO_MATCH; +#endif } /* Deep copy. */ diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index edaf306a69b9..f521d52d3102 100644 --- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h @@ -185,13 +185,6 @@ public: int get_data(bufferlist& bl) override; void send_response() override; - int validate_aws4_single_chunk(char *chunk_str, - char *chunk_data_str, - unsigned int chunk_data_size, - string chunk_signature); - int validate_and_unwrap_available_aws4_chunked_data(bufferlist& bl_in, - bufferlist& bl_out); - int get_encrypt_filter(std::unique_ptr* filter, RGWPutObjDataProcessor* cb) override; int get_decrypt_filter(std::unique_ptr* filter,