From: Casey Bodley Date: Mon, 2 Oct 2023 14:35:47 +0000 (+0100) Subject: Merge pull request #53680 from cbodley/wip-62989 X-Git-Tag: v19.0.0~370 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=98cdc0960866fd2cfeca03a1cc77810f6911032f;p=ceph.git Merge pull request #53680 from cbodley/wip-62989 rgw/keystone: EC2Engine uses reject() for ERR_SIGNATURE_NO_MATCH Reviewed-by: Daniel Gryniewicz --- 98cdc0960866fd2cfeca03a1cc77810f6911032f diff --cc src/rgw/rgw_auth_keystone.cc index 0e411f7ca4e5,1d810ca6856f..c414e3627e41 --- a/src/rgw/rgw_auth_keystone.cc +++ b/src/rgw/rgw_auth_keystone.cc @@@ -679,9 -671,14 +679,15 @@@ rgw::auth::Engine::result_t EC2Engine:: } accepted_roles(cct); auto [t, secret_key, failure_reason] = - get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory); + get_access_token(dpp, access_key_id, string_to_sign, + signature, signature_factory, y); if (! t) { + if (failure_reason == -ERR_SIGNATURE_NO_MATCH) { + // we looked up a secret but it didn't generate the same signature as + // the client. since we found this access key in keystone, we should + // reject the request instead of trying other engines + return result_t::reject(failure_reason); + } return result_t::deny(failure_reason); }
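Review bot: The new `return result_t::reject(failure_reason);` branch under `if (! t)` ends authentication without logging anything in this hunk, although a signature mismatch on an access key that Keystone recognises is the event an operator needs to see when investigating credential guessing or a stale secret. Unless `get_access_token()` already logs it (not visible here), I would add a line before the return such as `ldpp_dout(dpp, 4) << "EC2Engine: signature mismatch for keystone access key " << access_key_id << dendl;`, logging only the key id and never the signature or `secret_key`. The branch also depends on `get_access_token()` returning exactly `-ERR_SIGNATURE_NO_MATCH` on every path that compares signatures; any path that reports a mismatch with another code would still fall through to `deny()` and let other engines run, so the comment should state that contract. The enclosing `EC2Engine` method starts and continues outside this hunk.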