From: Pritha Srivastava
Date: Fri, 23 Oct 2020 08:06:18 +0000 (+0530)
Subject: rgw/sts: fix for validating path in role arn in assume role api.
X-Git-Tag: v17.0.0~660^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=1d2b95541978f343f6369b45f8a6b78a63fb46b2;p=ceph-ci.git
rgw/sts: fix for validating path in role arn in assume role api.
Fixes: https://tracker.ceph.com/issues/47871
Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc
index 40c0fb7ea9a..04c61c523f2 100644
--- a/src/rgw/rgw_sts.cc
+++ b/src/rgw/rgw_sts.cc
@@ -287,6 +287,18 @@ std::tuple STSService::getRoleInfo(const string& arn)
 }
 return make_tuple(ret, this->role);
 } else {
+ auto path_pos = r_arn->resource.find('/');
+ string path;
+ if (path_pos == pos) {
+ path = "/";
+ } else {
+ path = r_arn->resource.substr(path_pos, ((pos - path_pos) + 1));
+ }
+ string r_path = role.get_path();
+ if (path != r_path) {
+ ldout(cct, 0) << "Invalid Role ARN: Path in ARN does not match with the role path: " << path << " " << r_path << dendl;
+ return make_tuple(-EACCES, this->role);
+ }
 this->role = std::move(role);
 return make_tuple(0, this->role);
 }
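Review bot: `path_pos` from `r_arn->resource.find('/')` is never compared with `string::npos` before it reaches `substr`, so the new path check depends entirely on `pos`, which is assigned outside this hunk and is presumably the last '/' of the same resource. If `pos` is also `npos` for a resource with no '/', that ARN is given `path = "/"` and passes whenever the stored role path is "/", although it is not a well-formed role ARN. Because this comparison is what binds the caller-supplied ARN to the stored role, an explicit reject before the `if (path_pos == pos)` branch would be safer: `if (path_pos == string::npos) { return make_tuple(-EACCES, this->role); }`. The `(pos - path_pos) + 1` length would also benefit from a comment such as `// path = first '/' through last '/', inclusive`, once confirmed against where `pos` is computed. getRoleInfo's body starts and ends outside the hunk.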