From: Marc Singer Date: Thu, 7 Mar 2024 17:46:21 +0000 (+0100) Subject: rgw: allow user disabling presigned urls in rgw configuration X-Git-Tag: v19.1.0~133^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=2d6efcc6623692fd2759190d3417861c1dca7495;p=ceph.git rgw: allow user disabling presigned urls in rgw configuration Fixes: https://tracker.ceph.com/issues/64797 Signed-off-by: Marc Singer (cherry picked from commit 5e7a78cd900891611fd5463523d8bb22b62831db)
---
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index a7af43ae05f5..d6f7a56aba07 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -892,6 +892,14 @@ options:
 services:
 - rgw
 with_legacy: true
+- name: rgw_s3_auth_disable_signature_url
+ type: bool
+ level: advanced
+ desc: Should authentification with presigned URLs be disabled
+ long_desc: 'If enabled, any request that is presigned with either V2 or V4 signature will be denied'
+ default: false
+ services:
+ - rgw
 - name: rgw_barbican_url
 type: str
 level: advanced
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 4b3f33e9c70e..5d98933063c8 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -299,11 +299,16 @@ rgw::auth::Strategy::apply(const DoutPrefixProvider *dpp, const rgw::auth::Strat
 * nullptr inside. */
 ldpp_dout(dpp, 5) << "Failed the auth strategy, reason=" << result.get_reason() << dendl;
- //Special handling for expired pre-signed URL
+ // Special handling for expired pre-signed URL
 if (result.get_reason() == ERR_PRESIGNED_URL_EXPIRED) {
 result = result_t::deny(-EPERM);
 set_req_state_err(s, -EPERM, "The pre-signed URL has expired");
 }
+ // Special handling for disabled presigned URL
+ if (result.get_reason() == ERR_PRESIGNED_URL_DISABLED) {
+ result = result_t::deny(-EPERM);
+ set_req_state_err(s, -EPERM, "Presigned URLs are disabled by admin");
+ }
 return result.get_reason();
 }
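Review bot: The `desc` of the new `rgw_s3_auth_disable_signature_url` entry misspells "authentication" as "authentification", and this is the text operators read in the option help. Suggested line: `desc: Should authentication with presigned URLs be disabled`. The `long_desc` could also state that a denied request gets a permission error and that header-signed requests are meant to stay unaffected, so the operator knows exactly what the switch covers.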
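Review bot: The added branch compares `result.get_reason()` with the positive `ERR_PRESIGNED_URL_DISABLED`, while the throw site this commit adds in rgw_rest_s3.cc raises `-ERR_PRESIGNED_URL_DISABLED`. The code that carries the thrown value into `result` is not part of this diff, so the sign convention should be confirmed; if the reason arrives negated, this branch never runs and the client never receives the "disabled by admin" message. The expired-URL check just above has the same shape, so a single comment could cover both, for example `// NOTE(review): confirm get_reason() holds the positive ERR_* code here`. Because the first block overwrites `result` with `deny(-EPERM)`, the new check could also be written as `} else if (result.get_reason() == ERR_PRESIGNED_URL_DISABLED) {` to show that the two cases are exclusive. The enclosing `Strategy::apply` starts before this hunk.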
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index e76e552a9385..6f405235b193 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -308,6 +308,7 @@ static inline const char* to_mime_type(const RGWFormat f)
 #define ERR_INVALID_BUCKET_STATE 2221
 #define ERR_INVALID_OBJECT_STATE 2222
 #define ERR_PRESIGNED_URL_EXPIRED 2223
+#define ERR_PRESIGNED_URL_DISABLED 2224
 #define ERR_BUSY_RESHARDING 2300
 #define ERR_NO_SUCH_ENTITY 2301
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 1b964742a685..df582dd811d2 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -5551,13 +5551,18 @@ AWSGeneralAbstractor::get_auth_data(const req_state* const s) const
 AwsRoute route;
 std::tie(version, route) = discover_aws_flavour(s->info);
- if (version == AwsVersion::V2) {
- return get_auth_data_v2(s);
- } else if (version == AwsVersion::V4) {
- return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+ if (! s->cct->_conf->rgw_s3_auth_disable_signature_url) {
+ if (version == AwsVersion::V2) {
+ return get_auth_data_v2(s);
+ } else if (version == AwsVersion::V4) {
+ return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+ } else {
+ /* FIXME(rzarzynski): handle anon user. */
+ throw -EINVAL;
+ }
 } else {
- /* FIXME(rzarzynski): handle anon user. */
- throw -EINVAL;
+ ldpp_dout(s, 0) << "Presigned URLs are disabled by admin" << dendl;
+ throw -ERR_PRESIGNED_URL_DISABLED;
 }
 }
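Review bot: The new guard in `get_auth_data` tests only `rgw_s3_auth_disable_signature_url` and never consults `route`, so with the option set every request reaching this function takes the `else` branch and throws `-ERR_PRESIGNED_URL_DISABLED`, header-signed V2/V4 requests included, not only the presigned ones the option text describes. Assuming `route` is `QUERY_STRING` for presigned V2 as well as V4 requests, the condition should be narrowed to `if (!(s->cct->_conf->rgw_s3_auth_disable_signature_url && route == AwsRoute::QUERY_STRING)) {`. Requests with an unrecognized flavour that do not use the query-string route would then keep the previous `-EINVAL` instead of the misleading "disabled" error. The rejection is also logged at level 0 for a condition any client can trigger repeatedly; a higher level such as `ldpp_dout(s, 10)` would keep the log from being flooded. The start of the function lies outside the hunk.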