From: David.Hall <mcfadden7586@gmail.com>
Date: Fri, 8 Sep 2023 20:12:49 +0000 (-0500)
Subject: SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth
X-Git-Tag: v19.0.0~49^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3758f6e7433c58b9e62ae35184659cffabdbd133;p=ceph.git

SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth

https://tracker.ceph.com/issues/62105
Change from std::map<> to std::multimap<> to allow for duplicates
rgwadmin submits duplicates in a very few cases, so we need to handle them.

Signed-off-by: David.Hall <mcfadden7586@gmail.com>
---

diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index a2def87040e..ccbdfff0c42 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -574,7 +574,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs)
 
   /* Handle case when query string exists. Step 3 described in: http://docs.
    * aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html */
-  std::map<std::string, std::string> canonical_qs_map;
+  std::multimap<std::string, std::string> canonical_qs_map;
   for (const auto& s : get_str_vec<5>(*params, "&")) {
     std::string_view key, val;
     const auto parsed_pair = parse_key_value(s);
@@ -595,7 +595,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs)
     // while awsv4 specs ask for all slashes to be encoded, s3 itself is relaxed
     // in its implementation allowing non-url-encoded slashes to be present in
     // presigned urls for instance
-    canonical_qs_map[aws4_uri_recode(key, true)] = aws4_uri_recode(val, true);
+    canonical_qs_map.insert({{aws4_uri_recode(key, true), aws4_uri_recode(val, true)}});
   }
 
   /* Thanks to the early exist we have the guarantee that canonical_qs_map has