From: Mathew <mat@hazmat.dev>
Date: Mon, 6 Mar 2023 19:13:00 +0000 (-0500)
Subject: sts: Fixes get_cert_url improper url path concatenation
X-Git-Tag: v18.1.0~154^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e5aaa57235b9f890e970675406297d43a5ac0455;p=ceph-ci.git

sts: Fixes get_cert_url improper url path concatenation

Invalid URL concatenation prevents some OpenIDConnect providers from working
with RGW and the AssumeRoleWithWebIdentity API. Invalid URLs contain a double
slash `//`. This fix ensures that an ISS is properly joined to the .well-known
path.

Fixes: https://tracker.ceph.com/issues/58890
Signed-off-by: Mathew Utter <mat@hazmat.dev>
(cherry picked from commit c71818a586f2e29fb76310cb6477f0ccee7f19bd)
---

diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index 8e70faa99f4..09f77f61d5f 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -309,8 +309,14 @@ std::string
 WebTokenEngine::get_cert_url(const string& iss, const DoutPrefixProvider *dpp, optional_yield y) const
 {
   string cert_url;
-  string openidc_wellknown_url = iss + "/.well-known/openid-configuration";
+  string openidc_wellknown_url = iss;
   bufferlist openidc_resp;
+
+  if (openidc_wellknown_url.back() == '/') {
+    openidc_wellknown_url.pop_back();
+  }
+  openidc_wellknown_url.append("/.well-known/openid-configuration");
+
   RGWHTTPTransceiver openidc_req(cct, "GET", openidc_wellknown_url, &openidc_resp);
 
   //Headers
@@ -761,7 +767,7 @@ static const std::unordered_map<std::string_view, op_generator> op_generators =
   {"AssumeRoleWithWebIdentity", []() -> RGWOp* {return new RGWSTSAssumeRoleWithWebIdentity;}}
 };
 
-bool RGWHandler_REST_STS::action_exists(const req_state* s) 
+bool RGWHandler_REST_STS::action_exists(const req_state* s)
 {
   if (s->info.args.exists("Action")) {
     const std::string action_name = s->info.args.get("Action");