From 135b6fc20e8ad094ed94e05bfb1975578abbbdab Mon Sep 17 00:00:00 2001
From: Tobias Urdin <tobias.urdin@binero.se>
Date: Thu, 27 Jul 2023 14:59:45 +0000
Subject: [PATCH] rgw/auth: check auth for http options requests

If we get a HTTP OPTIONS request we previously always
allowed the anonymous engine to handle the request even
if other auth was given in the request.

Fixes: https://tracker.ceph.com/issues/62033
Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
---
 src/rgw/rgw_rest_s3.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 21f0a4754517f..123bcbab7335e 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6461,14 +6461,16 @@ rgw::auth::s3::STSEngine::authenticate(
 bool rgw::auth::s3::S3AnonymousEngine::is_applicable(
   const req_state* s
 ) const noexcept {
-  if (s->op == OP_OPTIONS) {
-    return true;
-  }
-
   AwsVersion version;
   AwsRoute route;
   std::tie(version, route) = discover_aws_flavour(s->info);
 
+  /* If HTTP OPTIONS and no authentication provided using the
+   * anonymous engine is applicable */
+  if (s->op == OP_OPTIONS && version == AwsVersion::UNKNOWN) {
+    return true;
+  }
+
   return route == AwsRoute::QUERY_STRING && version == AwsVersion::UNKNOWN;
 }
 
-- 
2.39.5