From 6ad0251c5b7b4083b320d2a212b34c16ca4199e6 Mon Sep 17 00:00:00 2001 From: "David.Hall" Date: Fri, 8 Sep 2023 15:12:49 -0500 Subject: [PATCH] SignatureDoesNotMatch for certain RGW Admin Ops endpoints when using v4 auth https://tracker.ceph.com/issues/62105 Change from std::map<> to std::multimap<> to allow for duplicates rgwadmin submits duplicates in a very few cases, so we need to handle them. Signed-off-by: David.Hall (cherry picked from commit 3758f6e7433c58b9e62ae35184659cffabdbd133) --- src/rgw/rgw_auth_s3.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index 0797f8184aa..dcd29bfca2b 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -574,7 +574,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs) /* Handle case when query string exists. Step 3 described in: http://docs. * aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html */ - std::map canonical_qs_map; + std::multimap canonical_qs_map; for (const auto& s : get_str_vec<5>(*params, "&")) { std::string_view key, val; const auto parsed_pair = parse_key_value(s); @@ -595,7 +595,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs) // while awsv4 specs ask for all slashes to be encoded, s3 itself is relaxed // in its implementation allowing non-url-encoded slashes to be present in // presigned urls for instance - canonical_qs_map[aws4_uri_recode(key, true)] = aws4_uri_recode(val, true); + canonical_qs_map.insert({{aws4_uri_recode(key, true), aws4_uri_recode(val, true)}}); } /* Thanks to the early exist we have the guarantee that canonical_qs_map has -- 2.39.5