From 6ee4416d80d17f57460ebe044bd9cc8d43dc26e8 Mon Sep 17 00:00:00 2001
From: Pritha Srivastava <prsrivas@redhat.com>
Date: Tue, 30 Jan 2024 16:48:42 +0530
Subject: [PATCH] rgw/auth: correcting the error message to indicate clearly
 that a pre-signed URL has expired.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
---
 src/rgw/rgw_auth.cc    | 5 +++++
 src/rgw/rgw_auth_s3.cc | 6 +++---
 src/rgw/rgw_common.h   | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 7be6518514e85..4b3f33e9c70e8 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -299,6 +299,11 @@ rgw::auth::Strategy::apply(const DoutPrefixProvider *dpp, const rgw::auth::Strat
        * nullptr inside. */
       ldpp_dout(dpp, 5) << "Failed the auth strategy, reason="
                        << result.get_reason() << dendl;
+      //Special handling for expired pre-signed URL
+      if (result.get_reason() == ERR_PRESIGNED_URL_EXPIRED) {
+        result = result_t::deny(-EPERM);
+        set_req_state_err(s, -EPERM, "The pre-signed URL has expired");
+      }
       return result.get_reason();
     }
 
diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index 519060f93fb27..6f0141ef94158 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -298,15 +298,15 @@ static inline int parse_v4_query_string(const req_info& info,              /* in
      you can set is 1, and the maximum is 604800 (seven days) */
   time_t exp = atoll(expires.data());
   if ((exp < 1) || (exp > 7*24*60*60)) {
-    dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl;
+    dout(10) << "ERROR: exp out of range, exp = " << exp << dendl;
     return -EPERM;
   }
   /* handle expiration in epoch time */
   uint64_t req_sec = (uint64_t)internal_timegm(&date_t);
   uint64_t now = ceph_clock_now();
   if (now >= req_sec + exp) {
-    dout(10) << "NOTICE: now = " << now << ", req_sec = " << req_sec << ", exp = " << exp << dendl;
-    return -EPERM;
+    dout(10) << "ERROR: presigned URL has expired, now = " << now << ", req_sec = " << req_sec << ", exp = " << exp << dendl;
+    return -ERR_PRESIGNED_URL_EXPIRED;
   }
 
   signedheaders = info.args.get("x-amz-signedheaders");
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index ef9aa54205582..3bf6c4dfac8e9 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -306,6 +306,7 @@ static inline const char* to_mime_type(const RGWFormat f)
 #define ERR_OBJECT_NOT_APPENDABLE                        2220
 #define ERR_INVALID_BUCKET_STATE                         2221
 #define ERR_INVALID_OBJECT_STATE			 2222
+#define ERR_PRESIGNED_URL_EXPIRED			 2223
 
 #define ERR_BUSY_RESHARDING      2300
 #define ERR_NO_SUCH_ENTITY       2301
-- 
2.39.5