From: Casey Bodley <cbodley@redhat.com>
Date: Tue, 26 Sep 2023 16:16:52 +0000 (-0400)
Subject: rgw/keystone: EC2Engine uses reject() for ERR_SIGNATURE_NO_MATCH
X-Git-Tag: v19.0.0~370^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F53680%2Fhead;p=ceph.git

rgw/keystone: EC2Engine uses reject() for ERR_SIGNATURE_NO_MATCH

ERR_SIGNATURE_NO_MATCH means that we found the given access key in
keystone, so we should use reject() instead of deny() to prevent
other engines like LocalEngine from looking up the access key again

this change causes us to return the SignatureDoesNotMatch error expected
by s3test case test_list_buckets_bad_auth()

Fixes: https://tracker.ceph.com/issues/62989

Signed-off-by: Casey Bodley <cbodley@redhat.com>
---

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 123d94e6e550..1d810ca6856f 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -673,6 +673,12 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(
   auto [t, secret_key, failure_reason] =
     get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory);
   if (! t) {
+    if (failure_reason == -ERR_SIGNATURE_NO_MATCH) {
+      // we looked up a secret but it didn't generate the same signature as
+      // the client. since we found this access key in keystone, we should
+      // reject the request instead of trying other engines
+      return result_t::reject(failure_reason);
+    }
     return result_t::deny(failure_reason);
   }