From: yuliyang Date: Tue, 26 Nov 2019 09:59:11 +0000 (+0800) Subject: rgw: use STSEngine::authenticate when post upload with x_amz_security_token X-Git-Tag: v15.1.0~12^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=81dbefd15efbe17636656a06ebf80fb489591fc7;p=ceph.git rgw: use STSEngine::authenticate when post upload with x_amz_security_token Signed-off-by: yuliyang
---
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index cdc85016318cb..b1470cd340a69 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1648,6 +1648,7 @@ namespace rgw { namespace auth { namespace s3 { class AWSBrowserUploadAbstractor;
+ class STSEngine;
 } class Completer; }
@@ -2056,6 +2057,7 @@ struct req_state : DoutPrefixProvider { friend class RGWPostObj_ObjStore_S3; /* Reader. */ friend class rgw::auth::s3::AWSBrowserUploadAbstractor;
+ friend class rgw::auth::s3::STSEngine;
 std::string access_key; std::string signature;
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index e9dca22ae8b72..37d7cb95b1457 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2308,7 +2308,12 @@ int RGWPostObj_ObjStore_S3::get_policy() } }
- part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token);
+ if (part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token)) {
+ if (s->auth.s3_postobj_creds.x_amz_security_token.size() == 0) {
+ err_msg = "Invalid token";
+ return -EINVAL;
+ }
+ }
 /* FIXME: this is a makeshift solution. The browser upload authentication will be * handled by an instance of rgw::auth::Completer spawned in Handler's authorize()
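Review bot: The `friend class rgw::auth::s3::STSEngine;` line in rgw_common.h opens every private field of the POST credentials holder to the engine (`access_key` and `signature` are visible in the context lines), while the only use this commit adds, in STSEngine::authenticate, is an `.empty()` test on `x_amz_security_token`. If no wider read is planned, a narrow const accessor, for example `bool has_security_token() const` (a name constructed here, not taken from the tree), would keep the other credential fields out of the engine's reach. At the least the existing `/* Reader. */` label should say that it now covers two classes, e.g. `/* Readers. */`. The enclosing declaration starts and ends outside the hunk, so the exact scope of the friendship cannot be confirmed from here.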
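Review bot: The empty-token rejection added to get_policy() carries no comment saying why an empty `x-amz-security-token` form part is an error rather than ignored, and the reason is only visible in the STSEngine::authenticate hunk, where an empty form token counts as absent. A comment such as `/* reject an explicitly empty token: STSEngine treats an empty value as "no STS token" and would decline instead of failing the request */` would keep the two checks in step; whether another engine then gets to handle the request is an inference from that hunk and should be confirmed. The nested `if` pair can be a single condition using the same test as the other hunk: `if (part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token) && s->auth.s3_postobj_creds.x_amz_security_token.empty()) {`. get_policy() begins and ends outside the hunk.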
@@ -5099,7 +5104,8 @@ rgw::auth::s3::STSEngine::authenticate( const req_state* const s) const { if (! s->info.args.exists("X-Amz-Security-Token") &&
- ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
+ ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
+ s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
 return result_t::deny(); }
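Review bot: The widened guard in STSEngine::authenticate lets a request through when only the POST form field carries a token, but the hunk does not show which value the rest of the function goes on to validate. If the code below still takes the token from the query-string or header path, a form-only upload would pass this check with a token that is never the one verified; the function continues outside the hunk, so that needs confirming there. With three possible carriers (the `X-Amz-Security-Token` argument, `HTTP_X_AMZ_SECURITY_TOKEN`, and the form field), the precedence deserves a comment above the condition, e.g. `/* STS token may arrive as query arg, header or POST form field; decline only when none is present */`. A regression test in which two carriers hold different values would pin down which one is authoritative.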