From 5f1eea2ccf1ee4296530fc754bfd5dfc1571cd62 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson" <robbat2@gentoo.org>
Date: Sat, 18 Jan 2014 18:01:20 -0800
Subject: [PATCH] rgw: Use correct secret key for POST authn

The POST authentication by signature validation looked up a user based
on the access key, then used the first secret key for the user. If the
access key used was not the first access key, then the expected
signature would be wrong, and the POST would be rejected.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
(cherry picked from commit 586ad1f69e6260ef298805647911b3b49f8be7cf)
---
 src/rgw/rgw_rest_s3.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index ba6b4e7f34c3..e8a10c1335d7 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -964,7 +964,14 @@ int RGWPostObj_ObjStore_S3::get_policy()
 
     map<string, RGWAccessKey> access_keys  = user_info.access_keys;
 
-    map<string, RGWAccessKey>::const_iterator iter = access_keys.begin();
+    map<string, RGWAccessKey>::const_iterator iter = access_keys.find(s3_access_key);
+    // We know the key must exist, since the user was returned by
+    // rgw_get_user_info_by_access_key, but it doesn't hurt to check!
+    if (iter == access_keys.end()) {
+      ldout(s->cct, 0) << "Secret key lookup failed!" << dendl;
+      err_msg = "No secret key for matching access key";
+      return -EACCES;
+    }
     string s3_secret_key = (iter->second).key;
 
     char calc_signature[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE];
-- 
2.47.3