From 81dbefd15efbe17636656a06ebf80fb489591fc7 Mon Sep 17 00:00:00 2001
From: yuliyang
Date: Tue, 26 Nov 2019 17:59:11 +0800
Subject: [PATCH] rgw: use STSEngine::authenticate when post upload with x_amz_security_token

Signed-off-by: yuliyang
---
 src/rgw/rgw_common.h | 2 ++
 src/rgw/rgw_rest_s3.cc | 10 ++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index cdc85016318cb..b1470cd340a69 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1648,6 +1648,7 @@ namespace rgw {
 namespace auth {
 namespace s3 {
 class AWSBrowserUploadAbstractor;
+ class STSEngine;
 }
 class Completer;
 }
@@ -2056,6 +2057,7 @@ struct req_state : DoutPrefixProvider {
 friend class RGWPostObj_ObjStore_S3;
 /* Reader. */
 friend class rgw::auth::s3::AWSBrowserUploadAbstractor;
+ friend class rgw::auth::s3::STSEngine;
 
 std::string access_key;
 std::string signature;
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index e9dca22ae8b72..37d7cb95b1457 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2308,7 +2308,12 @@ int RGWPostObj_ObjStore_S3::get_policy()
 }
 }
 
- part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token);
+ if (part_str(parts, "x-amz-security-token", &s->auth.s3_postobj_creds.x_amz_security_token)) {
+ if (s->auth.s3_postobj_creds.x_amz_security_token.size() == 0) {
+ err_msg = "Invalid token";
+ return -EINVAL;
+ }
+ }
 
 /* FIXME: this is a makeshift solution. The browser upload authentication will be
 * handled by an instance of rgw::auth::Completer spawned in Handler's authorize()
@@ -5099,7 +5104,8 @@ rgw::auth::s3::STSEngine::authenticate(
 const req_state* const s) const
 {
 if (! s->info.args.exists("X-Amz-Security-Token") &&
- ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
+ ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
+ s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
 return result_t::deny();
 }
 
--
2.39.5
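Review bot: The new `friend class rgw::auth::s3::STSEngine;` in src/rgw/rgw_common.h gives STSEngine access to every private member of the struct holding the POST credentials (the hunk shows `access_key` and `signature` next to it), while the only use visible in this patch is an emptiness test on `x_amz_security_token`. A narrow const accessor, for example `bool has_security_token() const { return !x_amz_security_token.empty(); }`, would let the engine ask that question without being able to read the other credentials. The struct's opening and closing lines are outside the hunk, so whether a public accessor already exists cannot be seen here.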
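Review bot: The block added to RGWPostObj_ObjStore_S3::get_policy() rejects a present-but-empty `x-amz-security-token` field without saying why, and the reason sits in another function. The guard in STSEngine::authenticate() (last hunk of this patch) reads an empty form token as "no STS token", so an explicitly empty field would otherwise be indistinguishable from an absent one. A comment above the inner `if`, such as `/* empty means "absent" to STSEngine::authenticate(), so refuse an explicitly empty field */`, would record that coupling. The test is written `size() == 0` here and `.empty()` in the STSEngine hunk; `.empty()` in both places would be consistent. get_policy() begins and ends outside the hunk.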
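Review bot: The guard at the top of STSEngine::authenticate() now passes when any of three places carries a token (query argument, header, or POST form field), but the code that decodes and validates the token is outside the hunk. It therefore cannot be confirmed here that the value validated is the one whose presence was just tested. If a request can carry a token in more than one place, the precedence deserves an explicit statement, and a comment above the condition such as `/* STS applies when a session token arrives via query string, header, or browser-upload form field */` would document the three sources. The new clause also relies on get_policy() having filled `s->auth.s3_postobj_creds` before this engine runs, which is worth confirming for every POST upload path.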