From: John Gibson Date: Sun, 24 Dec 2017 20:49:50 +0000 (-0500) Subject: rgw: Bucket IP address policy evaluation now uses rgw_remote_addr_param. X-Git-Tag: v12.2.3~207^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=65b515b9d0c119dde57f57d1d7c75d81e175113b;p=ceph.git rgw: Bucket IP address policy evaluation now uses rgw_remote_addr_param. Previously bucket policy ip address restrictions were only being evaluated against the REMOTE_ADDR environment variable and ignoring the header specified by the rgw_remote_addr_param configuration option. This rendered ip-based bucket policies worthless when running behind a reverse proxy. Signed-off-by: John Gibson (cherry picked from commit c4c24ca986f17c68b75f76fc48ad489002fcf87e)
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 3738dbd074f5..4127d3254d4e 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -603,7 +603,12 @@ rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store,
 e.emplace("aws:SecureTransport", "true");
 }
- i = m.find("REMOTE_ADDR");
+ const auto remote_addr_param = s->cct->_conf->rgw_remote_addr_param;
+ if (remote_addr_param.length()) {
+ i = m.find(remote_addr_param);
+ } else {
+ i = m.find("REMOTE_ADDR");
+ }
 if (i != m.end()) {
 e.emplace("aws:SourceIp", i->second);
 }
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 9c5af51bbe12..98e2f97d0ae3 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -25,6 +25,7 @@
 #include "global/global_init.h"
 #include "rgw/rgw_auth.h"
 #include "rgw/rgw_iam_policy.h"
+#include "rgw/rgw_op.h"
 using std::string;
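Review bot: The value read from the configured header is placed into `aws:SourceIp` verbatim by `e.emplace("aws:SourceIp", i->second)`, which is only meaningful when that header carries a single address; the option's expected value, `HTTP_X_FORWARDED_FOR` (the name the new test uses), conventionally holds a comma-separated chain once more than one proxy is in the path, and the whole chain would then be handed to the policy's IP condition matching, whose behaviour on such a string is outside this hunk. That assumption, and the precondition that the named header is one the fronting proxy overwrites rather than passes through from the client (otherwise `aws:SourceIp` is client-controlled), deserve a comment at the `i = m.find(remote_addr_param);` line and in the option's documentation; the IPEnvironment test in test_rgw_iam_policy.cc only exercises single-address values, so it would not catch either case. The branch is also deliberately asymmetric — with `rgw_remote_addr_param` set but the header absent there is no fallback to REMOTE_ADDR and `aws:SourceIp` stays unset, which the new test pins — so a comment such as `// No REMOTE_ADDR fallback: a configured but missing proxy header must leave aws:SourceIp unset so IP conditions cannot match` would stop a later maintainer from "fixing" it. rgw_build_iam_environment begins outside the hunk.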
@@ -581,6 +582,39 @@ TEST_F(IPPolicyTest, asNetworkInvalid) {
 EXPECT_FALSE(rgw::IAM::Condition::as_network("1.2.3.10000"));
 }
+TEST_F(IPPolicyTest, IPEnvironment) {
+ // Unfortunately RGWCivetWeb is too tightly tied to civetweb to test RGWCivetWeb::init_env.
+ RGWEnv rgw_env;
+ RGWUserInfo user;
+ RGWRados rgw_rados;
+ rgw_env.set("REMOTE_ADDR", "192.168.1.1");
+ rgw_env.set("HTTP_HOST", "1.2.3.4");
+ req_state rgw_req_state(cct.get(), &rgw_env, &user);
+ Environment iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
+ auto ip = iam_env.find("aws:SourceIp");
+ ASSERT_NE(ip, iam_env.end());
+ EXPECT_EQ(ip->second, "192.168.1.1");
+
+ ASSERT_EQ(cct.get()->_conf->set_val("rgw_remote_addr_param", "SOME_VAR"), 0);
+ EXPECT_EQ(cct.get()->_conf->rgw_remote_addr_param, "SOME_VAR");
+ iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
+ ip = iam_env.find("aws:SourceIp");
+ EXPECT_EQ(ip, iam_env.end());
+
+ rgw_env.set("SOME_VAR", "192.168.1.2");
+ iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
+ ip = iam_env.find("aws:SourceIp");
+ ASSERT_NE(ip, iam_env.end());
+ EXPECT_EQ(ip->second, "192.168.1.2");
+
+ ASSERT_EQ(cct.get()->_conf->set_val("rgw_remote_addr_param", "HTTP_X_FORWARDED_FOR"), 0);
+ rgw_env.set("HTTP_X_FORWARDED_FOR", "192.168.1.3");
+ iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
+ ip = iam_env.find("aws:SourceIp");
+ ASSERT_NE(ip, iam_env.end());
+ EXPECT_EQ(ip->second, "192.168.1.3");
+}
+
 TEST_F(IPPolicyTest, ParseIPAddress) {
 optional p;