From 12f9175be1e1d37cc033788d7027c277a7fd0e17 Mon Sep 17 00:00:00 2001 From: Radoslaw Zarzynski Date: Mon, 23 May 2016 14:49:33 +0200 Subject: [PATCH] rgw: improve error checking in Keystone-related code. Signed-off-by: Radoslaw Zarzynski --- src/rgw/rgw_auth.cc | 19 +++++++++++++++++-- src/rgw/rgw_http_client.h | 1 + src/rgw/rgw_keystone.cc | 7 +++++++ 3 files changed, 25 insertions(+), 2 deletions(-) diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index b96795d665a48..192f14e34daa2 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -363,9 +363,24 @@ KeystoneToken RGWKeystoneAuthEngine::get_from_keystone(const std::string& token) if (ret < 0) { throw ret; } - token_body_bl.append((char)0); // NULL terminate for debug output - ldout(cct, 20) << "received response: " << token_body_bl.c_str() << dendl; + /* NULL terminate for debug output. */ + token_body_bl.append(static_cast(0)); + ldout(cct, 20) << "received response status=" << validate.get_http_status() + << ", body=" << token_body_bl.c_str() << dendl; + + /* Detect Keystone rejection earlier than during the token parsing. + * Although failure at the parsing phase doesn't impose a threat, + * this allows to return proper error code (EACCESS instead of EINVAL + * or similar) and thus improves logging. */ + if (validate.get_http_status() == + /* Most likely: wrong admin credentials or admin token. */ + RGWValidateKeystoneToken::HTTP_STATUS_UNAUTHORIZED || + validate.get_http_status() == + /* Most likely: non-existent token supplied by the client. */ + RGWValidateKeystoneToken::HTTP_STATUS_NOTFOUND) { + throw -EACCES; + } KeystoneToken token_body; ret = token_body.parse(cct, token, token_body_bl); diff --git a/src/rgw/rgw_http_client.h b/src/rgw/rgw_http_client.h index 4a96be6caf0dc..683db7ba0d56f 100644 --- a/src/rgw/rgw_http_client.h +++ b/src/rgw/rgw_http_client.h @@ -83,6 +83,7 @@ protected: public: static const long HTTP_STATUS_NOSTATUS = 0; static const long HTTP_STATUS_UNAUTHORIZED = 401; + static const long HTTP_STATUS_NOTFOUND = 404; virtual ~RGWHTTPClient(); explicit RGWHTTPClient(CephContext *cct) diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc index 538a2cbc847d4..3fa96d2e4038e 100644 --- a/src/rgw/rgw_keystone.cc +++ b/src/rgw/rgw_keystone.cc @@ -224,6 +224,13 @@ int KeystoneService::get_keystone_admin_token(CephContext * const cct, if (ret < 0) { return ret; } + + /* Detect rejection earlier than during the token parsing step. */ + if (token_req.get_http_status() == + RGWGetKeystoneAdminToken::HTTP_STATUS_UNAUTHORIZED) { + return -EACCES; + } + if (t.parse(cct, token_req.get_subject_token(), token_bl) != 0) { return -EINVAL; } -- 2.39.5