From: Pritha Srivastava
Date: Tue, 30 Jun 2020 16:40:07 +0000 (+0530)
Subject: rgw: Normalizing X-Amz- headers for case in RGWHTTPArgs
X-Git-Tag: v17.0.0~1818^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=cc9d402181ece4de38632026ac9f164347b0d235;p=ceph.git
rgw: Normalizing X-Amz- headers for case in RGWHTTPArgs in req_info, which are used to parse credentials in query strings.
Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index cd1239ce0aaa5..0eefc19f98875 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -18,6 +18,7 @@
 #include "rgw_crypt_sanitize.h"
 #include
+#include
 #include
 #define dout_context g_ceph_context
@@ -267,18 +268,18 @@ static inline int parse_v4_query_string(const req_info& info, /* in
 /* auth ships with req params ... */
 /* look for required params */
- credential = info.args.get("X-Amz-Credential");
+ credential = info.args.get("x-amz-credential");
 if (credential.size() == 0) {
 return -EPERM;
 }
- date = info.args.get("X-Amz-Date");
+ date = info.args.get("x-amz-date");
 struct tm date_t;
 if (!parse_iso8601(sview2cstr(date).data(), &date_t, nullptr, false)) {
 return -EPERM;
 }
- std::string_view expires = info.args.get("X-Amz-Expires");
+ std::string_view expires = info.args.get("x-amz-expires");
 if (expires.empty()) {
 return -EPERM;
 }
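Review bot: In parse_v4_query_string() the lowercase keys (`x-amz-credential`, `x-amz-date`, `x-amz-expires`) are only correct because RGWHTTPArgs::parse() in rgw_common.cc now rewrites the stored names, and nothing at the lookup sites records that dependency. A comment above the first lookup, e.g. `/* RGWHTTPArgs::parse() lowercases X-Amz-* names; look them up in lowercase */`, would stop a later edit from restoring the documented AWS casing and breaking query-string authentication. The same applies to the second hunk of this function and to the three hunks in rgw_rest_s3.cc. Any `args.get("X-Amz-...")` or `exists("X-Amz-...")` call in files this diff does not touch would now return empty; whether any remain is not visible here, so a tree-wide search for the mixed-case literals is worth doing before merge. The function body starts and ends outside the hunk.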
@@ -298,18 +299,18 @@ static inline int parse_v4_query_string(const req_info& info, /* in
 return -EPERM;
 }
- signedheaders = info.args.get("X-Amz-SignedHeaders");
+ signedheaders = info.args.get("x-amz-signedheaders");
 if (signedheaders.size() == 0) {
 return -EPERM;
 }
- signature = info.args.get("X-Amz-Signature");
+ signature = info.args.get("x-amz-signature");
 if (signature.size() == 0) {
 return -EPERM;
 }
- if (info.args.exists("X-Amz-Security-Token")) {
- sessiontoken = info.args.get("X-Amz-Security-Token");
+ if (info.args.exists("x-amz-security-token")) {
+ sessiontoken = info.args.get("x-amz-security-token");
 if (sessiontoken.size() == 0) {
 return -EPERM;
 }
@@ -516,7 +517,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs)
 key = s;
 }
- if (using_qs && key == "X-Amz-Signature") {
+ if (using_qs && boost::iequals(key, "X-Amz-Signature")) {
 /* Preserving the original behaviour of get_v4_canonical_qs() here. */
 continue;
 }
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 3b368916c3e53..9f62edb2bb4f7 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -812,8 +812,17 @@ int RGWHTTPArgs::parse()
 int ret = nv.parse();
 if (ret >= 0) {
 string& name = nv.get_name();
+ if (name.find("X-Amz-") != string::npos) {
+ std::for_each(name.begin(),
+ name.end(),
+ [](char &c){
+ if (c != '-') {
+ c = ::tolower(static_cast(c));
+ }
+ });
+ }
 string& val = nv.get_val();
-
+ dout(10) << "name: " << name << " val: " << val << dendl;
 append(name, val);
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 47be196e59607..98eadd8134ace 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
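Review bot: `boost::iequals(key, "X-Amz-Signature")` in get_v4_canonical_qs() accepts any casing of the signature key, while the normalization added to RGWHTTPArgs::parse() in rgw_common.cc only fires when the name contains the exact substring `X-Amz-`. A key spelled `X-AMZ-Signature` or `x-Amz-Signature` would therefore be skipped here but never stored under `x-amz-signature`; from the visible hunks this appears to fail closed with -EPERM in parse_v4_query_string(), but the two ends of the change should agree on what they accept. Making the test in parse() case-insensitive and anchored to the prefix, e.g. `if (boost::istarts_with(name, "x-amz-")) { boost::to_lower(name); }`, would do that (it needs the Boost string-algorithm header in rgw_common.cc). The loop around this condition starts outside the hunk.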
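Review bot: The added `dout(10)` line in RGWHTTPArgs::parse() writes every query parameter value to the debug log, and for query-string-authenticated requests that includes `x-amz-signature`, `x-amz-security-token` and `x-amz-credential`, the same values parse_v4_query_string() reads to authenticate the request. Anyone who can read logs at debug level 10 or above would see still-valid presigned-URL signatures and session tokens. Drop the line, or log only the parameter name: `dout(20) << "name: " << name << dendl;`. If values are needed for debugging, redact the authentication parameters before logging. parse() starts and ends outside the hunk.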
@@ -4815,7 +4815,7 @@ discover_aws_flavour(const req_info& info)
 } else {
 route = AwsRoute::QUERY_STRING;
- if (info.args.get("X-Amz-Algorithm") == AWS4_HMAC_SHA256_STR) {
+ if (info.args.get("x-amz-algorithm") == AWS4_HMAC_SHA256_STR) {
 /* AWS v4 */
 version = AwsVersion::V4;
 } else if (!info.args.get("AWSAccessKeyId").empty()) {
@@ -5465,8 +5465,8 @@ AWSGeneralAbstractor::get_auth_data_v2(const req_state* const s) const
 if (now >= exp) {
 throw -EPERM;
 }
- if (s->info.args.exists("X-Amz-Security-Token")) {
- session_token = s->info.args.get("X-Amz-Security-Token");
+ if (s->info.args.exists("x-amz-security-token")) {
+ session_token = s->info.args.get("x-amz-security-token");
 if (session_token.size() == 0) {
 throw -EPERM;
 }
@@ -5838,7 +5838,7 @@ rgw::auth::s3::STSEngine::authenticate(
 const completer_factory_t& completer_factory,
 const req_state* const s) const
 {
- if (! s->info.args.exists("X-Amz-Security-Token") &&
+ if (! s->info.args.exists("x-amz-security-token") &&
 ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
 s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
 return result_t::deny();