From 466cb81cfc286208cb0e68f556a76e2795ed590c Mon Sep 17 00:00:00 2001
From: "Javier M. Mellid"
Date: Mon, 14 Sep 2015 22:12:04 +0200
Subject: [PATCH] rgw: UNSIGNED-PAYLOAD support in AWS4 auth

Fixes: #10333
Signed-off-by: Javier M. Mellid
---
 src/rgw/rgw_auth_s3.cc | 6 +++---
 src/rgw/rgw_auth_s3.h | 2 +-
 src/rgw/rgw_rest_s3.cc | 16 ++++++++++++++--
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index 700695b1496..cd3adc41683 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -262,14 +262,14 @@ void rgw_assemble_s3_v4_canonical_request(const char *method, const char *canoni
 */
 void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canonical_uri, const string& canonical_qs, const string& canonical_hdrs, const string& signed_hdrs, const string& request_payload,
- string& canonical_req, string& canonical_req_hash)
+ bool unsigned_payload, string& canonical_req, string& canonical_req_hash)
 {
 string request_payload_hash;
- if (len < 0) {
+ if (unsigned_payload) {
 request_payload_hash = "UNSIGNED-PAYLOAD";
 } else {
- rgw_hash_s3_string_sha256(data, len, request_payload_hash);
+ rgw_hash_s3_string_sha256(request_payload.c_str(), request_payload.size(), request_payload_hash);
 }
 dout(10) << "payload request hash = " << request_payload_hash << dendl;
diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
index b08fb560a1a..cb56a181d20 100644
--- a/src/rgw/rgw_auth_s3.h
+++ b/src/rgw/rgw_auth_s3.h
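Review bot: The new `unsigned_payload` parameter of rgw_create_s3_v4_canonical_request (src/rgw/rgw_auth_s3.cc) has no documented contract. When it is true, the literal `UNSIGNED-PAYLOAD` goes into the canonical request in place of a body digest, so the resulting signature does not cover the request body and that decision rests entirely with the caller. I would add a comment above the definition along the lines of `/* unsigned_payload: use "UNSIGNED-PAYLOAD" instead of SHA-256(request_payload); set it only for requests whose signature is not meant to cover the body */`. In the else branch, the `const string&` overload visible in rgw_auth_s3.h reads more directly than the pointer/length pair, assuming it hashes the full string contents: `rgw_hash_s3_string_sha256(request_payload, request_payload_hash);`. The function body continues outside the hunk.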
@@ -15,7 +15,7 @@ int rgw_get_s3_header_digest(const string& auth_hdr, const string& key, string&
 void rgw_hash_s3_string_sha256(const string& str, string& dest);
 void rgw_create_s3_v4_canonical_request(struct req_state *s, const string& canonical_uri, const string& canonical_qs, const string& canonical_hdrs, const string& signed_hdrs, const string& request_payload,
- string& canonical_req, string& canonical_req_hash);
+ bool unsigned_payload, string& canonical_req, string& canonical_req_hash);
 void rgw_create_s3_v4_string_to_sign(const string& algorithm, const string& request_date, const string& credential_scope, const string& hashed_qr, string& string_to_sign);
 int rgw_calculate_s3_v4_aws_signature(struct req_state *s, const string& access_key_id, const string &date, const string& region, const string& service, const string& string_to_sign, string& signature);
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 9b4c26a225e..5cdd2df490f 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2963,11 +2963,23 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
 string request_payload;
+ bool unsigned_payload = false;
 if (using_qs) {
- len = -1;
+ unsigned_payload = true;
 }
- if (!using_qs && ((s->content_length > 0) || s->info.env->get("HTTP_TRANSFER_ENCODING"))) {
+ if (using_qs || ((s->content_length == 0) && s->info.env->get("HTTP_TRANSFER_ENCODING") == NULL)) {
+
+ /* requests lacking of body are authenticated now */
+
+ /* craft canonical request */
+
+ string canonical_req;
+ string canonical_req_hash;
+
+ rgw_create_s3_v4_canonical_request(s, canonical_uri, canonical_qs,
+ canonical_hdrs, signed_hdrs, request_payload, unsigned_payload,
+ canonical_req, canonical_req_hash);
 /* TODO: read body in request_payload */
-- 
2.47.3
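Review bot: In authorize_v4 (src/rgw/rgw_rest_s3.cc) the new guard `(s->content_length == 0) && s->info.env->get("HTTP_TRANSFER_ENCODING") == NULL` is not the complement of the removed `(s->content_length > 0) || ...` test, so a header-authenticated request with a negative `content_length` and no Transfer-Encoding no longer takes the "authenticated now" branch. Whether `content_length` can be negative at this point, and what the other branch does, is outside the hunk; if it can, `s->content_length <= 0` keeps the old partition, and either way the path that skips this block should reject the request rather than continue without a verified signature. The block also builds the canonical request from the hash of an empty `request_payload` without, as far as the hunk shows, comparing it against any payload digest the client supplied, and body-bearing requests are still covered only by the `/* TODO: read body in request_payload */`. A comment stating what is and is not verified for those requests until the TODO lands would help. authorize_v4's body starts and ends outside the hunk.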