From cc9d402181ece4de38632026ac9f164347b0d235 Mon Sep 17 00:00:00 2001 From: Pritha Srivastava Date: Tue, 30 Jun 2020 22:10:07 +0530 Subject: [PATCH] rgw: Normalizing X-Amz- headers for case in RGWHTTPArgs in req_info, which are used to parse credentials in query strings. Signed-off-by: Pritha Srivastava --- src/rgw/rgw_auth_s3.cc | 17 +++++++++-------- src/rgw/rgw_common.cc | 11 ++++++++++- src/rgw/rgw_rest_s3.cc | 8 ++++---- 3 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc
index cd1239ce0aa..0eefc19f988 100644
--- a/src/rgw/rgw_auth_s3.cc
+++ b/src/rgw/rgw_auth_s3.cc
@@ -18,6 +18,7 @@
 #include "rgw_crypt_sanitize.h"
 #include
+#include
 #include
 #define dout_context g_ceph_context
@@ -267,18 +268,18 @@ static inline int parse_v4_query_string(const req_info& info, /* in
 /* auth ships with req params ... */
 /* look for required params */
- credential = info.args.get("X-Amz-Credential");
+ credential = info.args.get("x-amz-credential");
 if (credential.size() == 0) {
 return -EPERM;
 }
- date = info.args.get("X-Amz-Date");
+ date = info.args.get("x-amz-date");
 struct tm date_t;
 if (!parse_iso8601(sview2cstr(date).data(), &date_t, nullptr, false)) {
 return -EPERM;
 }
- std::string_view expires = info.args.get("X-Amz-Expires");
+ std::string_view expires = info.args.get("x-amz-expires");
 if (expires.empty()) {
 return -EPERM;
 }
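Review bot: The lower-case keys in parse_v4_query_string() only resolve because RGWHTTPArgs::parse() rewrites matching parameter names (the rgw_common.cc hunk of this patch), and nothing at the call site records that dependency. A short comment above the first lookup, e.g. `/* RGWHTTPArgs::parse() lower-cases X-Amz-* names; look them up in lower case */`, would keep a later edit from reintroducing a mixed-case key that never matches and quietly becomes -EPERM. The same applies to the continuation hunk at -298 and to the three rgw_rest_s3.cc hunks; `"x-amz-security-token"` is now spelled out in three functions, so a shared constant would keep them in step. The function starts and ends outside this hunk.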
@@ -298,18 +299,18 @@ static inline int parse_v4_query_string(const req_info& info, /* in
 return -EPERM;
 }
- signedheaders = info.args.get("X-Amz-SignedHeaders");
+ signedheaders = info.args.get("x-amz-signedheaders");
 if (signedheaders.size() == 0) {
 return -EPERM;
 }
- signature = info.args.get("X-Amz-Signature");
+ signature = info.args.get("x-amz-signature");
 if (signature.size() == 0) {
 return -EPERM;
 }
- if (info.args.exists("X-Amz-Security-Token")) {
- sessiontoken = info.args.get("X-Amz-Security-Token");
+ if (info.args.exists("x-amz-security-token")) {
+ sessiontoken = info.args.get("x-amz-security-token");
 if (sessiontoken.size() == 0) {
 return -EPERM;
 }
@@ -516,7 +517,7 @@ std::string get_v4_canonical_qs(const req_info& info, const bool using_qs)
 key = s;
 }
- if (using_qs && key == "X-Amz-Signature") {
+ if (using_qs && boost::iequals(key, "X-Amz-Signature")) {
 /* Preserving the original behaviour of get_v4_canonical_qs() here. */
 continue;
 }
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 3b368916c3e..9f62edb2bb4 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -812,8 +812,17 @@ int RGWHTTPArgs::parse()
 int ret = nv.parse();
 if (ret >= 0) {
 string& name = nv.get_name();
+ if (name.find("X-Amz-") != string::npos) {
+ std::for_each(name.begin(),
+ name.end(),
+ [](char &c){
+ if (c != '-') {
+ c = ::tolower(static_cast(c));
+ }
+ });
+ }
 string& val = nv.get_val();
-
+ dout(10) << "name: " << name << " val: " << val << dendl;
 append(name, val);
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 47be196e596..98eadd8134a 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
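Review bot: The comment kept under the rewritten condition in get_v4_canonical_qs() still reads "Preserving the original behaviour", but the skip is now case-insensitive, which is a deliberate change rather than preservation. I would replace it with something like `/* The signature is never part of the string to sign; skip it whatever case the client used. */` so the reason for `boost::iequals` stays visible. The loop that builds `key` begins outside this hunk.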
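Review bot: The `dout(10)` line this hunk appears to add after `nv.get_val()` (the markers are collapsed on this page) logs every query-string value, which for presigned requests includes `x-amz-signature`, `x-amz-credential` and `x-amz-security-token`, so replayable credentials end up in any level-10 log. Log the name alone, `dout(10) << "name: " << name << dendl;`, or mask the value for credential-bearing names. The guard `name.find("X-Amz-") != string::npos` is also case-sensitive and unanchored: `X-AMZ-Date` is left as sent and the new lower-case lookups then miss it, while any name that merely contains `X-Amz-` is rewritten. A case-insensitive prefix test such as `boost::istarts_with(name, "x-amz-")` would match the commit's stated intent, provided the Boost string-algorithm header is included in rgw_common.cc, which this hunk does not show.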
@@ -4815,7 +4815,7 @@ discover_aws_flavour(const req_info& info)
 } else {
 route = AwsRoute::QUERY_STRING;
- if (info.args.get("X-Amz-Algorithm") == AWS4_HMAC_SHA256_STR) {
+ if (info.args.get("x-amz-algorithm") == AWS4_HMAC_SHA256_STR) {
 /* AWS v4 */
 version = AwsVersion::V4;
 } else if (!info.args.get("AWSAccessKeyId").empty()) {
@@ -5465,8 +5465,8 @@ AWSGeneralAbstractor::get_auth_data_v2(const req_state* const s) const
 if (now >= exp) {
 throw -EPERM;
 }
- if (s->info.args.exists("X-Amz-Security-Token")) {
- session_token = s->info.args.get("X-Amz-Security-Token");
+ if (s->info.args.exists("x-amz-security-token")) {
+ session_token = s->info.args.get("x-amz-security-token");
 if (session_token.size() == 0) {
 throw -EPERM;
 }
@@ -5838,7 +5838,7 @@ rgw::auth::s3::STSEngine::authenticate(
 const completer_factory_t& completer_factory,
 const req_state* const s) const
 {
- if (! s->info.args.exists("X-Amz-Security-Token") &&
+ if (! s->info.args.exists("x-amz-security-token") &&
 ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
 s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
 return result_t::deny();
-- 2.39.5