From: Yehuda Sadeh Date: Wed, 28 Oct 2015 21:03:00 +0000 (-0700) Subject: rgw: multiple fixes and adjustments following aws4 code review X-Git-Tag: v10.1.0~351^2^2~15 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=52e601b34730c5d67472851e202f5850cea4bada;p=ceph.git rgw: multiple fixes and adjustments following aws4 code review Signed-off-by: Yehuda Sadeh --- diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index e370eee2b09c..7befb85304d9 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -270,16 +270,16 @@ void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canon if (unsigned_payload) { request_payload_hash = "UNSIGNED-PAYLOAD"; } else { - if (s->aws4_auth_complete) { + if (s->aws4_auth_needs_complete) { request_payload_hash = s->cio->grab_aws4_sha256_hash(); } else { rgw_hash_s3_string_sha256(request_payload.c_str(), request_payload.size(), request_payload_hash); } } - s->aws4_auth_payload_hash = request_payload_hash; + s->aws4_auth->payload_hash = request_payload_hash; - dout(10) << "payload request hash = " << request_payload_hash << dendl; + ldout(s->cct, 10) << "payload request hash = " << request_payload_hash << dendl; rgw_assemble_s3_v4_canonical_request(s->info.method, canonical_uri.c_str(), canonical_qs.c_str(), canonical_hdrs.c_str(), signed_hdrs.c_str(), @@ -287,8 +287,8 @@ void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canon rgw_hash_s3_string_sha256(canonical_req.c_str(), canonical_req.size(), canonical_req_hash); - dout(10) << "canonical request = " << canonical_req << dendl; - dout(10) << "canonical request hash = " << canonical_req_hash << dendl; + ldout(s->cct, 10) << "canonical request = " << canonical_req << dendl; + ldout(s->cct, 10) << "canonical request hash = " << canonical_req_hash << dendl; } /* 
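Review bot: `s->aws4_auth->payload_hash = request_payload_hash;` dereferences the new `aws4_auth` pointer without a check, and the req_state constructor in this same commit initializes that pointer to NULL with only authorize_v4 allocating it, so reaching this function on any path that skipped authorize_v4 would crash. The visible caller is authorize_v4_complete, which presumably runs only after authorize_v4, but the precondition deserves to be stated in code: `assert(s->aws4_auth);` at the top of the function. The `grab_aws4_sha256_hash()` branch also consumes the stream (close_stream deletes it and resets the pointer), so this function must run at most once per request when `aws4_auth_needs_complete` is set; a comment on that line, `// consumes cio's hash stream: a second call would return the empty-message digest`, would record that. rgw_create_s3_v4_canonical_request begins outside the hunk.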
@@ -320,14 +320,14 @@ void rgw_assemble_s3_v4_string_to_sign(const char *algorithm, const char *reques /* * create string to sign for signature version 4 */ -void rgw_create_s3_v4_string_to_sign(const string& algorithm, const string& request_date, +void rgw_create_s3_v4_string_to_sign(CephContext *cct, const string& algorithm, const string& request_date, const string& credential_scope, const string& hashed_qr, string& string_to_sign) { rgw_assemble_s3_v4_string_to_sign(algorithm.c_str(), request_date.c_str(), credential_scope.c_str(), hashed_qr.c_str(), string_to_sign); - dout(10) << "string to sign = " << string_to_sign << dendl; + ldout(cct, 10) << "string to sign = " << string_to_sign << dendl; } /* @@ -339,7 +339,7 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, map::iterator iter = s->user.access_keys.find(access_key_id); if (iter == s->user.access_keys.end()) { - dout(10) << "ERROR: access key not encoded in user info" << dendl; + ldout(s->cct, 10) << "ERROR: access key not encoded in user info" << dendl; return -EPERM; } @@ -366,7 +366,7 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, char aux[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE * 2 + 1]; buf_to_hex((unsigned char *) date_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - dout(10) << "date_k = " << string(aux) << dendl; + ldout(s->cct, 10) << "date_k = " << string(aux) << dendl; /* region */ @@ -375,7 +375,7 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, buf_to_hex((unsigned char *) region_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - dout(10) << "region_k = " << string(aux) << dendl; + ldout(s->cct, 10) << "region_k = " << string(aux) << dendl; /* service */ @@ -384,7 +384,7 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, buf_to_hex((unsigned char *) service_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - dout(10) << "service_k = " << string(aux) << dendl; + ldout(s->cct, 10) << "service_k = " << string(aux) << dendl; /* aws4_request */ 
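Review bot: The intermediate HMAC keys `date_k`, `region_k`, `service_k` and `signing_k` are written to the log in hex at debug level 10 in the -366 hunk and again in the -375, -384, -393 and -402 hunks; `signing_k` is the key from which the signature of every request in that date/region/service scope is computed, so anyone who can read a level-10 log can produce valid signatures for that user until the scope changes. The commit only switches these lines from dout to ldout and leaves the key dumps in place. I would remove the four key-material lines entirely and keep only `ldout(s->cct, 10) << "new signature = " << signature << dendl;`, or at minimum move them behind a far higher debug level with a comment such as `// NOTE: this is HMAC key material derived from the user's secret key, never leave enabled in production logs`. rgw_calculate_s3_v4_aws_signature begins before this hunk and ends in the -402 hunk.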
@@ -393,7 +393,7 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, buf_to_hex((unsigned char *) signing_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - dout(10) << "signing_k = " << string(aux) << dendl; + ldout(s->cct, 10) << "signing_k = " << string(aux) << dendl; /* new signature */ @@ -402,11 +402,11 @@ int rgw_calculate_s3_v4_aws_signature(struct req_state *s, buf_to_hex((unsigned char *) signature_k, CEPH_CRYPTO_HMACSHA256_DIGESTSIZE, aux); - dout(10) << "signature_k = " << string(aux) << dendl; + ldout(s->cct, 10) << "signature_k = " << string(aux) << dendl; signature = string(aux); - dout(10) << "new signature = " << signature << dendl; + ldout(s->cct, 10) << "new signature = " << signature << dendl; return 0; } diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index ed4aa010f6db..b5b49429475a 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -16,7 +16,7 @@ void rgw_hash_s3_string_sha256(const char *data, int len, string& dest); void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canonical_uri, const string& canonical_qs, const string& canonical_hdrs, const string& signed_hdrs, const string& request_payload, bool unsigned_payload, string& canonical_req, string& canonical_req_hash); -void rgw_create_s3_v4_string_to_sign(const string& algorithm, const string& request_date, const string& credential_scope, const string& hashed_qr, string& string_to_sign); +void rgw_create_s3_v4_string_to_sign(CephContext *cct, const string& algorithm, const string& request_date, const string& credential_scope, const string& hashed_qr, string& string_to_sign); int rgw_calculate_s3_v4_aws_signature(struct req_state *s, const string& access_key_id, const string &date, const string& region, const string& service, const string& string_to_sign, string& signature); #endif diff --git a/src/rgw/rgw_client_io.cc b/src/rgw/rgw_client_io.cc index c280b4209e7a..d13dce877dcf 100644 --- a/src/rgw/rgw_client_io.cc 
+++ b/src/rgw/rgw_client_io.cc @@ -82,6 +82,9 @@ int RGWClientIO::read(char *buf, int max, int *actual, bool hash /* = false */) bytes_received += *actual; if (hash) { + if (!sha256_hash) { + sha256_hash = calc_hash_sha256_open_stream(); + } calc_hash_sha256_update_stream(sha256_hash, buf, *actual); } @@ -91,5 +94,5 @@ int RGWClientIO::read(char *buf, int max, int *actual, bool hash /* = false */) string RGWClientIO::grab_aws4_sha256_hash() { - return calc_hash_sha256_close_stream(sha256_hash); + return calc_hash_sha256_close_stream(&sha256_hash); } diff --git a/src/rgw/rgw_client_io.h b/src/rgw/rgw_client_io.h index 07c11c777f48..d8dc803a0752 100644 --- a/src/rgw/rgw_client_io.h +++ b/src/rgw/rgw_client_io.h @@ -29,9 +29,7 @@ protected: public: virtual ~RGWClientIO() {} - RGWClientIO() : account(false), bytes_sent(0), bytes_received(0) { - sha256_hash = calc_hash_sha256_open_stream(); - } + RGWClientIO() : account(false), bytes_sent(0), bytes_received(0), sha256_hash(NULL) {} void init(CephContext *cct); int print(const char *format, ...); diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index a427bde8ac71..ea2b2803c5bf 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -157,7 +157,7 @@ req_state::req_state(CephContext *_cct, class RGWEnv *e) : cct(_cct), cio(NULL), bucket_acl = NULL; object_acl = NULL; expect_cont = false; - aws4_auth_complete = false; + aws4_auth_needs_complete = false; header_ended = false; obj_size = 0; @@ -175,6 +175,8 @@ req_state::req_state(CephContext *_cct, class RGWEnv *e) : cct(_cct), cio(NULL), http_auth = NULL; local_source = false; + aws4_auth = NULL; + obj_ctx = NULL; } @@ -182,6 +184,7 @@ req_state::~req_state() { delete formatter; delete bucket_acl; delete object_acl; + delete aws4_auth; } struct str_len { 
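Review bot: `RGWClientIO` now starts with `sha256_hash(NULL)` and opens the stream lazily in `read()`, but the destructor `virtual ~RGWClientIO() {}` directly above is unchanged, so a request that performs hashed reads and then fails before `grab_aws4_sha256_hash()` is called leaks the SHA256 object (`calc_hash_sha256_close_stream` is the only visible place that deletes it). I would change the destructor to `virtual ~RGWClientIO() { delete sha256_hash; }`, which is a no-op for the NULL default and safe after close_stream because that function resets the pointer. A comment on the member declaration, which is outside this hunk, would document the ownership: `// lazily opened by read(hash=true); consumed and reset to NULL by grab_aws4_sha256_hash()`.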
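Review bot: `delete aws4_auth;` in req_state::~req_state makes req_state the owner of a raw pointer, but nothing in this hunk or the constructor hunk above suppresses copying of req_state, so any copy of the struct would delete the same object twice. I cannot see from the diff whether req_state is ever copied; if the codebase allows it, holding the member as `std::unique_ptr<rgw_aws4_auth> aws4_auth;` in rgw_common.h removes both the `aws4_auth = NULL;` and the `delete` lines and makes the ownership explicit. Otherwise a comment on the member, `/* owned; allocated by RGW_Auth_S3::authorize_v4, freed here */`, would at least tell the next reader. req_state::~req_state starts before this hunk.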
@@ -464,8 +467,12 @@ void calc_hash_sha256_update_stream(SHA256 *hash, const char *msg, int len) hash->Update((const unsigned char *)msg, len); } -string calc_hash_sha256_close_stream(SHA256* hash) +string calc_hash_sha256_close_stream(SHA256 **phash) { + SHA256 *hash = *phash; + if (!hash) { + hash = calc_hash_sha256_open_stream(); + } char hash_sha256[CEPH_CRYPTO_HMACSHA256_DIGESTSIZE]; hash->Final((unsigned char *)hash_sha256); @@ -474,7 +481,8 @@ string calc_hash_sha256_close_stream(SHA256* hash) buf_to_hex((unsigned char *)hash_sha256, CEPH_CRYPTO_SHA256_DIGESTSIZE, hex_str); delete hash; - + *phash = NULL; + return std::string(hex_str); } diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index e540934fec48..deb361da8284 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1063,6 +1063,21 @@ inline ostream& operator<<(ostream& out, const rgw_obj_key &o) { } } +struct rgw_aws4_auth { + string date; + string credential; + string signedheaders; + string signed_hdrs; + string access_key_id; + string credential_scope; + string canonical_uri; + string canonical_qs; + string canonical_hdrs; + string signature; + string new_signature; + string payload_hash; +}; + struct req_init_state { /* Keeps [[tenant]:]bucket until we parse the token. */ string url_bucket; @@ -1133,19 +1148,9 @@ struct req_state { string swift_groups; /* aws4 auth support */ - bool aws4_auth_complete; - string aws4_auth_date; - string aws4_auth_credential; - string aws4_auth_signedheaders; - string aws4_auth_signed_hdrs; - string aws4_auth_access_key_id; - string aws4_auth_credential_scope; - string aws4_auth_canonical_uri; - string aws4_auth_canonical_qs; - string aws4_auth_canonical_hdrs; - string aws4_auth_signature; - string aws4_auth_new_signature; - string aws4_auth_payload_hash; + bool aws4_auth_needs_complete; + + rgw_aws4_auth *aws4_auth; utime_t time; 
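Review bot: When `*phash` is NULL, `calc_hash_sha256_close_stream` silently opens a fresh stream and returns the SHA256 of an empty message instead of signalling that no bytes were ever fed in, which turns a caller mistake (a request where `read()` was never called with hash=true) into a plausible-looking digest that is then compared against x-amz-content-sha256. If that fallback is deliberate for zero-length bodies, say so in code: `/* no open stream means no bytes were hashed: return the digest of the empty message */` above the `if (!hash)` check. The new `*phash = NULL;` after `delete hash;` is the right fix for the dangling pointer; the declaration in rgw_common.h would benefit from a matching comment that the stream is consumed and the caller's pointer reset.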
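Review bot: `struct rgw_aws4_auth` introduces twelve undocumented string fields, and two of them, `signedheaders` and `signed_hdrs`, end up holding the same value (authorize_v4 does `s->aws4_auth->signed_hdrs = s->aws4_auth->signedheaders;`), so a reader cannot tell which one is authoritative. I would add a header comment, `/* per-request AWS Signature Version 4 state; allocated by RGW_Auth_S3::authorize_v4 and owned (deleted) by req_state */`, plus a one-line comment per field stating where it comes from (query string, Authorization header, or computed), and consider folding the duplicate pair into a single field.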
@@ -1739,7 +1744,7 @@ extern void calc_hash_sha256(const string& msg, string& dest); using ceph::crypto::SHA256; extern SHA256* calc_hash_sha256_open_stream(); extern void calc_hash_sha256_update_stream(SHA256 *hash, const char *msg, int len); -extern string calc_hash_sha256_close_stream(SHA256* hash); +extern string calc_hash_sha256_close_stream(SHA256 **hash); extern int rgw_parse_op_type_list(const string& str, uint32_t *perm); diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index b5983b257075..288a8d2f4dd4 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -2324,7 +2324,7 @@ void RGWPutObj::execute() perfcounter->inc(l_rgw_put_b, s->obj_size); - if (s->aws4_auth_complete) { + if (s->aws4_auth_needs_complete) { /* complete aws4 auth */ @@ -2333,7 +2333,7 @@ void RGWPutObj::execute() goto done; } - s->aws4_auth_complete = false; + s->aws4_auth_needs_complete = false; /* verify signature */ diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index b12cf7c1047f..75342e2a6b65 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -2703,7 +2703,7 @@ int RGW_Auth_S3::authorize_aws4_auth_complete(RGWRados *store, struct req_state return authorize_v4_complete(store, s, "", false); } -int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, string request_payload, bool unsigned_payload) +int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, const string& request_payload, bool unsigned_payload) { size_t pos; 
@@ -2712,17 +2712,17 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, str string canonical_req; string canonical_req_hash; - rgw_create_s3_v4_canonical_request(s, s->aws4_auth_canonical_uri, s->aws4_auth_canonical_qs, - s->aws4_auth_canonical_hdrs, s->aws4_auth_signed_hdrs, request_payload, unsigned_payload, + rgw_create_s3_v4_canonical_request(s, s->aws4_auth->canonical_uri, s->aws4_auth->canonical_qs, + s->aws4_auth->canonical_hdrs, s->aws4_auth->signed_hdrs, request_payload, unsigned_payload, canonical_req, canonical_req_hash); /* Validate x-amz-sha256 */ - if (s->aws4_auth_complete) { + if (s->aws4_auth_needs_complete) { const char *expected_request_payload_hash = s->info.env->get("HTTP_X_AMZ_CONTENT_SHA256"); if (expected_request_payload_hash && - s->aws4_auth_payload_hash.compare(expected_request_payload_hash) != 0) { - dout(10) << "ERROR: x-amz-content-sha256 does not match" << dendl; + s->aws4_auth->payload_hash.compare(expected_request_payload_hash) != 0) { + ldout(s->cct, 10) << "ERROR: x-amz-content-sha256 does not match" << dendl; return -ERR_AMZ_CONTENT_SHA256_MISMATCH; } } @@ -2735,7 +2735,7 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, str string string_to_sign; - rgw_create_s3_v4_string_to_sign("AWS4-HMAC-SHA256", s->aws4_auth_date, s->aws4_auth_credential_scope, + rgw_create_s3_v4_string_to_sign(s->cct, "AWS4-HMAC-SHA256", s->aws4_auth->date, s->aws4_auth->credential_scope, canonical_req_hash, string_to_sign); /* @@ -2744,7 +2744,7 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, str * http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html */ - string cs_aux = s->aws4_auth_credential_scope; + string cs_aux = s->aws4_auth->credential_scope; string date_cs = cs_aux; pos = date_cs.find("/"); 
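Review bot: In the x-amz-content-sha256 block the mismatch test runs only when the header is present (`if (expected_request_payload_hash && ...)`), so a delayed-auth request that omits the header is accepted with whatever payload hash was computed and nothing is logged about the check being skipped. Unless an earlier stage already rejects header-based v4 requests without x-amz-content-sha256, I would reject here too: `if (!expected_request_payload_hash) { ldout(s->cct, 10) << "ERROR: missing x-amz-content-sha256" << dendl; return -ERR_AMZ_CONTENT_SHA256_MISMATCH; }`, and in either case add a comment stating why an absent header is tolerated. authorize_v4_complete begins before this hunk.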
@@ -2760,13 +2760,13 @@ int RGW_Auth_S3::authorize_v4_complete(RGWRados *store, struct req_state *s, str pos = service_cs.find("/"); service_cs = service_cs.substr(0, pos); - int err = rgw_calculate_s3_v4_aws_signature(s, s->aws4_auth_access_key_id, date_cs, - region_cs, service_cs, string_to_sign, s->aws4_auth_new_signature); + int err = rgw_calculate_s3_v4_aws_signature(s, s->aws4_auth->access_key_id, date_cs, + region_cs, service_cs, string_to_sign, s->aws4_auth->new_signature); - dout(10) << "----------------------------- Verifying signatures" << dendl; - dout(10) << "Signature = " << s->aws4_auth_signature << dendl; - dout(10) << "New Signature = " << s->aws4_auth_new_signature << dendl; - dout(10) << "-----------------------------" << dendl; + ldout(s->cct, 10) << "----------------------------- Verifying signatures" << dendl; + ldout(s->cct, 10) << "Signature = " << s->aws4_auth->signature << dendl; + ldout(s->cct, 10) << "New Signature = " << s->aws4_auth->new_signature << dendl; + ldout(s->cct, 10) << "-----------------------------" << dendl; if (err) { return err; @@ -2795,6 +2795,8 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) string algorithm = "AWS4-HMAC-SHA256"; + s->aws4_auth = new rgw_aws4_auth; + if ((!s->http_auth) || !(*s->http_auth)) { /* auth ships with req params ... */ 
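Review bot: `s->aws4_auth = new rgw_aws4_auth;` overwrites the pointer unconditionally, so if authorize_v4 is entered more than once for the same req_state the earlier object leaks, since the destructor only frees the last one. Whether re-entry happens I cannot tell from the hunk, but `if (!s->aws4_auth) s->aws4_auth = new rgw_aws4_auth;` (or a `delete s->aws4_auth;` before the assignment) costs nothing and removes the question. authorize_v4 begins before this hunk.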
@@ -2802,21 +2804,21 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) /* look for required params */ using_qs = true; - s->aws4_auth_credential = s->info.args.get("X-Amz-Credential"); - if (s->aws4_auth_credential.size() == 0) { + s->aws4_auth->credential = s->info.args.get("X-Amz-Credential"); + if (s->aws4_auth->credential.size() == 0) { return -EPERM; } - s->aws4_auth_date = s->info.args.get("X-Amz-Date"); - if (s->aws4_auth_date.size() == 0) { + s->aws4_auth->date = s->info.args.get("X-Amz-Date"); + if (s->aws4_auth->date.size() == 0) { return -EPERM; } - s->aws4_auth_signedheaders = s->info.args.get("X-Amz-SignedHeaders"); - if (s->aws4_auth_signedheaders.size() == 0) { + s->aws4_auth->signedheaders = s->info.args.get("X-Amz-SignedHeaders"); + if (s->aws4_auth->signedheaders.size() == 0) { return -EPERM; } - s->aws4_auth_signature = s->info.args.get("X-Amz-Signature"); - if (s->aws4_auth_signature.size() == 0) { + s->aws4_auth->signature = s->info.args.get("X-Amz-Signature"); + if (s->aws4_auth->signature.size() == 0) { return -EPERM; } 
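Review bot: The four required-parameter checks use `s->aws4_auth->credential.size() == 0` where `.empty()` states the intent directly; the same pattern repeats for `date`, `signedheaders` and `signature`. Style only, since the new lines are a mechanical rename of the old ones. authorize_v4 begins and ends outside this hunk.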
@@ -2827,83 +2829,83 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) /* ------------------------- handle Credential header */ using_qs = false; - s->aws4_auth_credential = s->http_auth; + s->aws4_auth->credential = s->http_auth; - s->aws4_auth_credential = s->aws4_auth_credential.substr(17, s->aws4_auth_credential.length()); + s->aws4_auth->credential = s->aws4_auth->credential.substr(17, s->aws4_auth->credential.length()); - pos = s->aws4_auth_credential.find("Credential"); + pos = s->aws4_auth->credential.find("Credential"); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_credential = s->aws4_auth_credential.substr(pos, s->aws4_auth_credential.find(",")); + s->aws4_auth->credential = s->aws4_auth->credential.substr(pos, s->aws4_auth->credential.find(",")); - s->aws4_auth_credential = s->aws4_auth_credential.substr(pos + 1, s->aws4_auth_credential.length()); + s->aws4_auth->credential = s->aws4_auth->credential.substr(pos + 1, s->aws4_auth->credential.length()); - pos = s->aws4_auth_credential.find("="); + pos = s->aws4_auth->credential.find("="); - s->aws4_auth_credential = s->aws4_auth_credential.substr(pos + 1, s->aws4_auth_credential.length()); + s->aws4_auth->credential = s->aws4_auth->credential.substr(pos + 1, s->aws4_auth->credential.length()); /* ------------------------- handle SignedHeaders header */ - s->aws4_auth_signedheaders = s->http_auth; + s->aws4_auth->signedheaders = s->http_auth; - s->aws4_auth_signedheaders = s->aws4_auth_signedheaders.substr(17, s->aws4_auth_signedheaders.length()); + s->aws4_auth->signedheaders = s->aws4_auth->signedheaders.substr(17, s->aws4_auth->signedheaders.length()); - pos = s->aws4_auth_signedheaders.find("SignedHeaders"); + pos = s->aws4_auth->signedheaders.find("SignedHeaders"); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_signedheaders = s->aws4_auth_signedheaders.substr(pos, s->aws4_auth_signedheaders.length()); + s->aws4_auth->signedheaders = 
s->aws4_auth->signedheaders.substr(pos, s->aws4_auth->signedheaders.length()); - pos = s->aws4_auth_signedheaders.find(","); + pos = s->aws4_auth->signedheaders.find(","); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_signedheaders = s->aws4_auth_signedheaders.substr(0, pos); + s->aws4_auth->signedheaders = s->aws4_auth->signedheaders.substr(0, pos); - pos = s->aws4_auth_signedheaders.find("="); + pos = s->aws4_auth->signedheaders.find("="); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_signedheaders = s->aws4_auth_signedheaders.substr(pos + 1, s->aws4_auth_signedheaders.length()); + s->aws4_auth->signedheaders = s->aws4_auth->signedheaders.substr(pos + 1, s->aws4_auth->signedheaders.length()); /* host;user-agent;x-amz-content-sha256;x-amz-date */ - dout(10) << "v4 signedheaders format = " << s->aws4_auth_signedheaders << dendl; + dout(10) << "v4 signedheaders format = " << s->aws4_auth->signedheaders << dendl; /* ------------------------- handle Signature header */ - s->aws4_auth_signature = s->http_auth; + s->aws4_auth->signature = s->http_auth; - s->aws4_auth_signature = s->aws4_auth_signature.substr(17, s->aws4_auth_signature.length()); + s->aws4_auth->signature = s->aws4_auth->signature.substr(17, s->aws4_auth->signature.length()); - pos = s->aws4_auth_signature.find("Signature"); + pos = s->aws4_auth->signature.find("Signature"); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_signature = s->aws4_auth_signature.substr(pos, s->aws4_auth_signature.length()); + s->aws4_auth->signature = s->aws4_auth->signature.substr(pos, s->aws4_auth->signature.length()); - pos = s->aws4_auth_signature.find("="); + pos = s->aws4_auth->signature.find("="); if (pos == std::string::npos) { return -EINVAL; } - s->aws4_auth_signature = s->aws4_auth_signature.substr(pos + 1, s->aws4_auth_signature.length()); + s->aws4_auth->signature = s->aws4_auth->signature.substr(pos + 1, s->aws4_auth->signature.length()); /* sig hex str */ - 
dout(10) << "v4 signature format = " << s->aws4_auth_signature << dendl; + dout(10) << "v4 signature format = " << s->aws4_auth->signature << dendl; /* ------------------------- handle x-amz-date header */ /* grab date */ const char *d = s->info.env->get("HTTP_X_AMZ_DATE"); - s->aws4_auth_date = d ? d : ""; - if (s->aws4_auth_date.empty()) { + s->aws4_auth->date = d ? d : ""; + if (s->aws4_auth->date.empty()) { dout(10) << "error reading date via http_x_amz_date" << dendl; return -EINVAL; } 
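Review bot: Every `substr(17, ...)` call in the header-parsing branch assumes `s->http_auth` is at least 17 bytes long; `std::string::substr` throws std::out_of_range when the position exceeds the size and nothing here catches it, so unless the dispatcher already guarantees the header is longer than the `AWS4-HMAC-SHA256 ` prefix, a truncated Authorization header would propagate an exception out of authorize_v4. A single check before the first substr, `if (strlen(s->http_auth) <= 17) return -EINVAL;` (or an explicit prefix comparison), closes that. The line `s->aws4_auth->credential.substr(pos, s->aws4_auth->credential.find(","))` also passes the comma's absolute position where substr expects a count, which is only correct when `pos` is 0; using `comma - pos` or a comment explaining the assumption would make it clear. authorize_v4 begins and ends outside this hunk.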
@@ -2911,34 +2913,34 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) } /* AKIAIVKTAZLOCF43WNQD/AAAAMMDD/region/host/aws4_request */ - dout(10) << "v4 credential format = " << s->aws4_auth_credential << dendl; + dout(10) << "v4 credential format = " << s->aws4_auth->credential << dendl; - if (std::count(s->aws4_auth_credential.begin(), s->aws4_auth_credential.end(), '/') != 4) { + if (std::count(s->aws4_auth->credential.begin(), s->aws4_auth->credential.end(), '/') != 4) { return -EINVAL; } /* credential must end with 'aws4_request' */ - if (s->aws4_auth_credential.find("aws4_request") == std::string::npos) { + if (s->aws4_auth->credential.find("aws4_request") == std::string::npos) { return -EINVAL; } /* grab access key id */ - pos = s->aws4_auth_credential.find("/"); - s->aws4_auth_access_key_id = s->aws4_auth_credential.substr(0, pos); + pos = s->aws4_auth->credential.find("/"); + s->aws4_auth->access_key_id = s->aws4_auth->credential.substr(0, pos); - dout(10) << "access key id = " << s->aws4_auth_access_key_id << dendl; + dout(10) << "access key id = " << s->aws4_auth->access_key_id << dendl; /* grab credential scope */ - s->aws4_auth_credential_scope = s->aws4_auth_credential.substr(pos + 1, s->aws4_auth_credential.length()); + s->aws4_auth->credential_scope = s->aws4_auth->credential.substr(pos + 1, s->aws4_auth->credential.length()); - dout(10) << "credential scope = " << s->aws4_auth_credential_scope << dendl; + dout(10) << "credential scope = " << s->aws4_auth->credential_scope << dendl; /* grab user information */ - if (rgw_get_user_info_by_access_key(store, s->aws4_auth_access_key_id, s->user) < 0) { - dout(10) << "error reading user info, uid=" << s->aws4_auth_access_key_id + if (rgw_get_user_info_by_access_key(store, s->aws4_auth->access_key_id, s->user) < 0) { + dout(10) << "error reading user info, uid=" << s->aws4_auth->access_key_id << " can't authenticate" << dendl; return -ERR_INVALID_ACCESS_KEY; } 
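Review bot: The comment says the credential must end with 'aws4_request', but the check `s->aws4_auth->credential.find("aws4_request") == std::string::npos` accepts the token anywhere in the string, so the credential scope handed to the key derivation may carry a different final component than the comment promises. I would compare the tail explicitly: `const string& cred = s->aws4_auth->credential;` then `if (cred.size() < 12 || cred.compare(cred.size() - 12, 12, "aws4_request") != 0) return -EINVAL;`. The later signature comparison still fails for a wrong scope, so this is defence in depth and a clearer rejection rather than a bypass. authorize_v4 begins and ends outside this hunk.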
@@ -2955,23 +2957,23 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) * that SigV4 typically does. this code follows the same approach that boto library * see auth.py:canonical_uri(...) */ - s->aws4_auth_canonical_uri = s->info.request_uri; + s->aws4_auth->canonical_uri = s->info.request_uri; - if (s->aws4_auth_canonical_uri.empty()) { - s->aws4_auth_canonical_uri = "/"; + if (s->aws4_auth->canonical_uri.empty()) { + s->aws4_auth->canonical_uri = "/"; } /* craft canonical query string */ - s->aws4_auth_canonical_qs = s->info.request_params; + s->aws4_auth->canonical_qs = s->info.request_params; - if (!s->aws4_auth_canonical_qs.empty()) { + if (!s->aws4_auth->canonical_qs.empty()) { /* handle case when query string exists. Step 3 in * http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html */ map canonical_qs_map; - istringstream cqs(s->aws4_auth_canonical_qs); + istringstream cqs(s->aws4_auth->canonical_qs); string keyval; while (getline(cqs, keyval, '&')) { @@ -2987,16 +2989,16 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) } } - s->aws4_auth_canonical_qs = ""; + s->aws4_auth->canonical_qs = ""; map::iterator last = canonical_qs_map.end(); --last; for (map::iterator it = canonical_qs_map.begin(); it != canonical_qs_map.end(); ++it) { - s->aws4_auth_canonical_qs.append(it->first + "=" + it->second); + s->aws4_auth->canonical_qs.append(it->first + "=" + it->second); if (it != last) { - s->aws4_auth_canonical_qs.append("&"); + s->aws4_auth->canonical_qs.append("&"); } } @@ -3005,7 +3007,7 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) /* craft canonical headers */ map canonical_hdrs_map; - istringstream sh(s->aws4_auth_signedheaders); + istringstream sh(s->aws4_auth->signedheaders); string token; while (getline(sh, token, ';')) { 
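Review bot: `map::iterator last = canonical_qs_map.end(); --last;` is undefined behaviour when the map is empty, and the map is filled by the getline loop in the preceding hunk whose body is not fully visible, so I cannot rule out a non-empty `request_params` that produces no entries (for instance a bare `&`). Dropping `last` avoids the question: inside the loop write `if (it != canonical_qs_map.begin()) s->aws4_auth->canonical_qs.append("&");` before the `append(it->first + "=" + it->second)` line, which yields the same string for every non-empty map. authorize_v4 begins and ends outside this hunk.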
@@ -3037,14 +3039,14 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) for (map::iterator it = canonical_hdrs_map.begin(); it != canonical_hdrs_map.end(); ++it) { - s->aws4_auth_canonical_hdrs.append(it->first + ":" + it->second + "\n"); + s->aws4_auth->canonical_hdrs.append(it->first + ":" + it->second + "\n"); } - dout(10) << "canonical headers format = " << s->aws4_auth_canonical_hdrs << dendl; + dout(10) << "canonical headers format = " << s->aws4_auth->canonical_hdrs << dendl; /* craft signed headers */ - s->aws4_auth_signed_hdrs = s->aws4_auth_signedheaders; + s->aws4_auth->signed_hdrs = s->aws4_auth->signedheaders; /* handle request payload */ @@ -3054,7 +3056,7 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) * Content-Length or Transfer-Encoding header field in the request's message-headers." */ - s->aws4_auth_payload_hash = ""; + s->aws4_auth->payload_hash = ""; string request_payload; @@ -3076,7 +3078,7 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) /* verify signature */ - if (s->aws4_auth_signature != s->aws4_auth_new_signature) { + if (s->aws4_auth->signature != s->aws4_auth->new_signature) { return -ERR_SIGNATURE_NO_MATCH; } @@ -3086,19 +3088,19 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s) /* aws4 auth completed */ - s->aws4_auth_complete = false; + s->aws4_auth_needs_complete = false; } else { /* aws4 auth not completed... delay aws4 auth */ - s->aws4_auth_complete = true; + s->aws4_auth_needs_complete = true; dout(10) << "body content detected... delaying v4 auth" << dendl; } - map::iterator iter = s->user.access_keys.find(s->aws4_auth_access_key_id); + map::iterator iter = s->user.access_keys.find(s->aws4_auth->access_key_id); if (iter == s->user.access_keys.end()) { dout(0) << "ERROR: access key not encoded in user info" << dendl; return -EPERM; diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index 24b75a0eb37f..606986afc8fe 100644 
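Review bot: `if (s->aws4_auth->signature != s->aws4_auth->new_signature)` compares the client-supplied signature with the computed one using std::string's early-exit comparison, which is the usual place a review asks for a fixed-time compare of authentication tags; both are hex digests of the same expected length. Whether the timing difference is measurable over this code path I cannot tell from the diff, but either a constant-time comparison helper or a comment stating why it is unnecessary would settle it. The enclosing authorize_v4 begins and ends outside this hunk.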
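Review bot: `dout(0) << "ERROR: access key not encoded in user info" << dendl;` logs this condition at level 0, while the identical message in rgw_calculate_s3_v4_aws_signature is converted to `ldout(s->cct, 10)` in the -339 hunk of this commit; the two sites should agree. Since `rgw_get_user_info_by_access_key` already located the user record by this key a few lines earlier, the branch indicates an internal inconsistency rather than a client error, so either level is defensible, but pick one and use `ldout(s->cct, ...)` in both for consistency with the rest of the commit. The remaining `dout(10)` lines in authorize_v4 (`"body content detected... delaying v4 auth"` and those in the earlier hunks) could get the same ldout treatment.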
--- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h @@ -391,7 +391,7 @@ private: static int authorize_v2(RGWRados *store, struct req_state *s); static int authorize_v4(RGWRados *store, struct req_state *s); static int authorize_v4_complete(RGWRados *store, struct req_state *s, - string request_payload, bool unsigned_payload); + const string& request_payload, bool unsigned_payload); };