From: Matt Benjamin
Date: Mon, 21 Mar 2016 17:07:49 +0000 (-0400)
Subject: rgw_ldap: two bug fixes
X-Git-Tag: v10.1.0~9^2~1
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=6ffa9c755954a82f9100ce0afff14ef89a35822c;p=ceph.git

rgw_ldap: two bug fixes

1. only attempt auth on tokens which pass valid() check
2. ignore false positive search result (and fix result in that case)

Signed-off-by: Matt Benjamin
---
diff --git a/src/rgw/rgw_file.h b/src/rgw/rgw_file.h
index 51e4829a4e6fa..a6e06ded0499d 100644
--- a/src/rgw/rgw_file.h
+++ b/src/rgw/rgw_file.h
@@ -676,7 +676,7 @@ namespace rgw {
 /* try external authenticators (ldap for now) */
 rgw::LDAPHelper* ldh = rgwlib.get_ldh(); /* !nullptr */
 RGWToken token{from_base64(key.id)};
- if (ldh->auth(token.id, token.key) == 0) {
+ if (token.valid() && (ldh->auth(token.id, token.key) == 0)) {
 /* try to store user if it doesn't already exist */
 if (rgw_get_user_info_by_uid(store, token.id, user) < 0) {
 int ret = rgw_store_user_info(store, user, NULL, NULL, real_time(),
diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h
index 62c901a9bf5fe..46b05fff658b1 100644
--- a/src/rgw/rgw_ldap.h
+++ b/src/rgw/rgw_ldap.h
@@ -64,14 +64,18 @@ namespace rgw {
 filter += uid;
 filter += ")";
 char *attrs[] = { const_cast(dnattr.c_str()), nullptr };
- LDAPMessage *answer, *entry;
+ LDAPMessage *answer = nullptr, *entry = nullptr;
 ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
 filter.c_str(), attrs, 0, &answer);
 if (ret == LDAP_SUCCESS) {
 entry = ldap_first_entry(ldap, answer);
- char *dn = ldap_get_dn(ldap, entry);
- ret = simple_bind(dn, pwd);
- ldap_memfree(dn);
+ if (entry) {
+ char *dn = ldap_get_dn(ldap, entry);
+ ret = simple_bind(dn, pwd);
+ ldap_memfree(dn);
+ } else {
+ ret = LDAP_NO_SUCH_ATTRIBUTE; // fixup result
+ }
 ldap_msgfree(answer);
 }
 return (ret == LDAP_SUCCESS) ? ret : -EACCES;
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index a31b95b0b63e5..fc7458f5f473a 100644
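Review bot: The lookup right after the new guard, `if (rgw_get_user_info_by_uid(store, token.id, user) < 0) {`, treats every negative return as "user does not exist" and proceeds to `rgw_store_user_info`, so a transient store error during the lookup is answered by trying to create the account; the same `if (ret < 0)` pattern remains in rgw_rest_s3.cc @@ -3708. Distinguish the not-found code (presumably -ENOENT) from other failures, e.g. `int ret = rgw_get_user_info_by_uid(store, token.id, user);` followed by `if (ret == -ENOENT) {`, and log or return the remaining errors instead of masking them. Style: this guard is written `token.valid() && (... == 0)` while the two rgw_rest_s3.cc hunks write the inverse `(! token.valid()) || ... != 0`; one spelling across the three call sites would make the check easier to audit. The enclosing function starts and ends outside the hunk.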
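Review bot: Inside the new `if (entry)` branch, `ldap_get_dn` can return a null pointer on failure and `dn` is passed straight to `simple_bind`; if `simple_bind` forwards it to `ldap_simple_bind_s`, a null DN is no longer a bind as the looked-up user and, depending on server policy, may be treated as an anonymous bind attempt rather than an error, so the function could report success for the wrong reason. Guard it the same way the entry is guarded: `char *dn = ldap_get_dn(ldap, entry);` / `ret = dn ? simple_bind(dn, pwd) : LDAP_OPERATIONS_ERROR;` / `if (dn) ldap_memfree(dn);`. For the same reason an empty `pwd` should be rejected before the bind unless `RGWToken::valid()` already guarantees a non-empty key, because RFC 4513 lets a server treat a DN with an empty password as an unauthenticated bind that also returns success. Two pre-existing points in the context lines deserve a follow-up: `filter += uid;` inserts the caller-supplied uid into the search filter without escaping the RFC 4515 special characters, and `ldap_first_entry` silently picks the first of possibly several matches where `ldap_count_entries(ldap, answer) == 1` would be the safer precondition. `LDAP_NO_SUCH_OBJECT` also reads closer to the "no entry" case than the `LDAP_NO_SUCH_ATTRIBUTE` chosen as the fixup result; the enclosing method begins outside the hunk.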
--- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1584,7 +1584,7 @@ int RGWPostObj_ObjStore_S3::get_policy() store->ctx()->_conf->rgw_ldap_uri.empty()) { RGWToken token{from_base64(s3_access_key)}; rgw::LDAPHelper *ldh = RGW_Auth_S3::get_ldap_ctx(store); - if (ldh->auth(token.id, token.key) != 0) + if ((! token.valid()) || ldh->auth(token.id, token.key) != 0) return -EACCES; /* ok, succeeded, try to create shadow */ @@ -3700,7 +3700,7 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s) RGW_Auth_S3::init(store); RGWToken token{from_base64(auth_id)}; - if (ldh->auth(token.id, token.key) != 0) + if ((! token.valid()) || ldh->auth(token.id, token.key) != 0) external_auth_result = -EACCES; else { /* ok, succeeded */ @@ -3708,9 +3708,10 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s) /* create local account, if none exists */ s->user->user_id = token.id; s->user->display_name = token.id; // cn? - if (rgw_get_user_info_by_uid(store, s->user->user_id, - *(s->user)) < 0) { - int ret = rgw_store_user_info(store, *(s->user), NULL, NULL, real_time(), true); + int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user)); + if (ret < 0) { + ret = rgw_store_user_info(store, *(s->user), NULL, NULL, real_time(), + true); if (ret < 0) { dout(10) << "NOTICE: failed to store new user's info: ret=" << ret << dendl;
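Review bot: At @@ -1584 and @@ -3700 the new guards fold "token failed `valid()`" and "LDAP rejected the bind" into the same unlogged -EACCES, while this file already reports the account-creation failure at @@ -3708 with `dout(10) << "NOTICE: ..."`; an operator looking at a burst of external-auth failures cannot tell a malformed access key from a rejected bind. Split the condition and log each branch at the same debug level, e.g. at @@ -3700: `if (! token.valid()) { dout(10) << "NOTICE: external auth: malformed token" << dendl; external_auth_result = -EACCES; }` with a matching line for the bind failure, keeping `token.key` out of any message. The same guard expression now appears three times (twice here and once in rgw_file.h), which is how a later caller ends up without the `valid()` check; an `LDAPHelper::auth(const RGWToken&)` overload that performs the check internally would make it non-optional. Both `get_policy` and `authorize_v2` begin and end outside their hunks.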