From a7a5cf2b919dbdee79307d7cb4a0fc597bf9da76 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski <rzarzynski@mirantis.com>
Date: Wed, 10 Feb 2016 15:33:25 +0100
Subject: [PATCH] rgw: return proper error codes in S3/Keystone auth.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
---
 src/rgw/rgw_rest_s3.cc | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index d59123bc174b2..81ccc1db201fe 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2802,6 +2802,11 @@ int RGW_Auth_S3_Keystone_ValidateToken::validate_s3token(
     return -EPERM;
   }
 
+  /* if the supplied signature is wrong, we will get 401 from Keystone */
+  if (get_http_status() == HTTP_STATUS_UNAUTHORIZED) {
+    return -ERR_SIGNATURE_NO_MATCH;
+  }
+
   /* now parse response */
   if (response.parse(cct, rx_buffer) < 0) {
     dout(2) << "s3 keystone: token parsing failed" << dendl;
@@ -2820,7 +2825,7 @@ int RGW_Auth_S3_Keystone_ValidateToken::validate_s3token(
     ldout(cct, 5) << "s3 keystone: user does not hold a matching role;"
                      " required roles: "
                   << cct->_conf->rgw_keystone_accepted_roles << dendl;
-    return -EPERM;
+    return -ERR_INVALID_ACCESS_KEY;
   }
 
   /* everything seems fine, continue with this user */
@@ -3462,7 +3467,7 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
   }
 
   /* try keystone auth first */
-  int keystone_result = -EINVAL;
+  int keystone_result = -ERR_INVALID_ACCESS_KEY;;
   if (store->ctx()->_conf->rgw_s3_auth_use_keystone
       && !store->ctx()->_conf->rgw_keystone_url.empty()) {
     dout(20) << "s3 keystone: trying keystone auth" << dendl;
@@ -3471,8 +3476,9 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
     string token;
 
     if (!rgw_create_s3_canonical_header(s->info,
-					&s->header_time, token, qsr)) {
+                                        &s->header_time, token, qsr)) {
       dout(10) << "failed to create auth header\n" << token << dendl;
+      keystone_result = -EPERM;
     } else {
       keystone_result = keystone_validator.validate_s3token(auth_id, token,
 							    auth_sign);
@@ -3514,18 +3520,17 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
     }
   }
 
-  /* keystone failed (or not enabled); check if we want to use rados backend */
-  if (!store->ctx()->_conf->rgw_s3_auth_use_rados
-      && keystone_result < 0)
-    return keystone_result;
-
-  /* now try rados backend, but only if keystone did not succeed */
   if (keystone_result < 0) {
+    if (!store->ctx()->_conf->rgw_s3_auth_use_rados) {
+      /* No other auth option possible. Terminate request. */
+      return keystone_result;
+    }
+
     /* get the user info */
     if (rgw_get_user_info_by_access_key(store, auth_id, *(s->user)) < 0) {
       dout(5) << "error reading user info, uid=" << auth_id
               << " can't authenticate" << dendl;
-      return -ERR_INVALID_ACCESS_KEY;
+      return keystone_result;
     }
 
     /* now verify signature */
-- 
2.39.5