From: Javier M. Mellid Date: Mon, 18 Jan 2016 20:08:45 +0000 (+0100) Subject: rgw: add aws4 auth grace period X-Git-Tag: v10.1.0~351^2^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=16646c3be626154d223f22266bac40a8809b3e2c;p=ceph.git rgw: add aws4 auth grace period Protect against reuse of the signed portions of the request. In AWS, the signed portions (using AWS Signatures) of requests are valid within 15 minutes of the timestamp in the request. Signed-off-by: Javier M. Mellid
---
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 975d1d0d7acb..75c543c4832a 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2946,6 +2946,14 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
 return -EPERM;
 }
 }
+
+ if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) ||
+ (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) {
+ dout(10) << "NOTICE: request time skew too big." << dendl;
+ dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
+ return -ERR_REQUEST_TIME_SKEWED;
+ }
+
 s->aws4_auth->signedheaders = s->info.args.get("X-Amz-SignedHeaders");
 if (s->aws4_auth->signedheaders.size() == 0) {
 return -EPERM;
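Review bot: The new skew check appears to sit on the query-string (presigned URL) path, since the very next statement reads `X-Amz-SignedHeaders` from `s->info.args`. If so, a presigned URL would be rejected once RGW_AUTH_GRACE_MINS has passed, even when its own expiry allows longer. authorize_v4 starts and ends outside the hunk, so confirm which branch encloses this block; if it is reached for presigned requests, apply the grace window only to header-signed requests, for example only when the request carries no `X-Amz-Expires`, and let the expiry check bound the rest. The check runs on `now_req` before the signature is verified, which is safe only if that timestamp is part of what is signed further down; a short comment saying so would help the next reader. The second `dout(10)` labels its values `now - RGW_AUTH_GRACE_MINS=` and `now + RGW_AUTH_GRACE_MINS=` but prints the bounds in seconds, so `"; now - RGW_AUTH_GRACE_MINS*60="` and `"; now + RGW_AUTH_GRACE_MINS*60="` would match what is logged.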