From: Tobias Urdin
Date: Thu, 17 Aug 2023 11:45:06 +0000 (+0000)
Subject: rgw/auth: move http options v4 logic to get_v4_canonical_method()
X-Git-Tag: v17.2.7~56^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=4369112c55312257fe49fd64f7b4539e3812bdd4;p=ceph.git
rgw/auth: move http options v4 logic to get_v4_canonical_method()
Signed-off-by: Tobias Urdin
(cherry picked from commit dbc0a4ed2dd6a92d06e585dda25b1325464efefb)
---
diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index be2c430286199..bd23b20a24d81 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -653,6 +653,35 @@ std::string gen_v4_canonical_qs(const req_info& info, bool is_non_s3_op)
 return canonical_qs;
 }
+std::string get_v4_canonical_method(const req_state* s)
+{
+ /* If this is a OPTIONS request we need to compute the v4 signature for the
+ * intended HTTP method and not the OPTIONS request itself. */
+ if (s->op_type == RGW_OP_OPTIONS_CORS) {
+ const char *cors_method = s->info.env->get("HTTP_ACCESS_CONTROL_REQUEST_METHOD");
+
+ if (cors_method) {
+ /* Validate request method passed in access-control-request-method is valid. */
+ auto cors_flags = get_cors_method_flags(cors_method);
+ if (!cors_flags) {
+ ldpp_dout(s, 1) << "invalid access-control-request-method header = "
+ << cors_method << dendl;
+ throw -EINVAL;
+ }
+
+ ldpp_dout(s, 10) << "canonical req method = " << cors_method
+ << ", due to access-control-request-method header" << dendl;
+ return cors_method;
+ } else {
+ ldpp_dout(s, 1) << "invalid http options req missing "
+ << "access-control-request-method header" << dendl;
+ throw -EINVAL;
+ }
+ }
+
+ return s->info.method;
+}
+
 boost::optional
 get_v4_canonical_headers(const req_info& info,
 const std::string_view& signedheaders,
diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
index 00eddc46f30b0..411f8aa805eae 100644
--- a/src/rgw/rgw_auth_s3.h
+++ b/src/rgw/rgw_auth_s3.h
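Review bot: get_v4_canonical_method() in rgw_auth_s3.cc signals a missing or unrecognised access-control-request-method with `throw -EINVAL`, and neither the definition nor the declaration added to rgw_auth_s3.h says so. Since the move makes the helper callable from elsewhere, a header comment such as `/* Returns the HTTP method to sign; for a CORS OPTIONS request this is the access-control-request-method value. Throws -EINVAL (int) if that header is absent or not a known CORS method. */` would state the contract. The rejected header value is written to the log verbatim at level 1, and it is client-supplied input read before the signature has been verified, so it is worth bounding or escaping before it is logged. `return s->info.method;` builds a std::string from a `const char*`, which is undefined if that pointer can be null; the hunk does not show whether it can.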
@@ -603,6 +603,8 @@ std::string get_v4_canonical_qs(const req_info& info, bool using_qs);
 std::string gen_v4_canonical_qs(const req_info& info, bool is_non_s3_op);
+std::string get_v4_canonical_method(const req_state* s);
+
 boost::optional
 get_v4_canonical_headers(const req_info& info,
 const std::string_view& signedheaders,
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index bd86f4ea663f9..5110d69a36e92 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -5609,37 +5609,13 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s,
 /* Craft canonical query string. std::moving later so non-const here. */
 auto canonical_qs = rgw::auth::s3::get_v4_canonical_qs(s->info, using_qs);
- const char *req_meth = s->info.method;
-
- /* If this is a OPTIONS request we need to compute the v4 signature for the
- * intended HTTP method and not the OPTIONS request itself. */
- if (s->op_type == RGW_OP_OPTIONS_CORS) {
- /* Validate signature for CORS header if set otherwise use HTTP request method. */
- const char *cors_method = s->info.env->get("HTTP_ACCESS_CONTROL_REQUEST_METHOD");
-
- if (cors_method) {
- /* Validate request method passed in access-control-request-method is valid. */
- auto cors_flags = get_cors_method_flags(cors_method);
- if (!cors_flags) {
- ldpp_dout(s, 1) << "invalid access-control-request-method header = "
- << cors_method << dendl;
- throw -EINVAL;
- }
-
- req_meth = cors_method;
- ldpp_dout(s, 10) << "setting canonical req method = " << cors_method
- << ", due to access-control-request-method header" << dendl;
- } else {
- ldpp_dout(s, 1) << "invalid http options req missing "
- << "access-control-request-method header" << dendl;
- throw -EINVAL;
- }
- }
+ /* Craft canonical method. */
+ auto canonical_method = rgw::auth::s3::get_v4_canonical_method(s);
 /* Craft canonical request. */
 auto canonical_req_hash = \
 rgw::auth::s3::get_v4_canon_req_hash(s->cct,
- req_meth,
+ std::move(canonical_method),
 std::move(canonical_uri),
 std::move(canonical_qs),
 std::move(*canonical_headers),
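Review bot: The replacement comment `/* Craft canonical method. */` drops the explanation of why the signed method can differ from the request method, which is what someone auditing the signature's coverage needs at this call site. Something like `/* Craft canonical method. For a CORS preflight this is the access-control-request-method value rather than OPTIONS; throws -EINVAL if that header is missing or unknown. */` keeps it visible. get_auth_data_v4 starts and ends outside the hunk, so whether the thrown int is caught here or further up cannot be checked from this diff.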