From e5aaa57235b9f890e970675406297d43a5ac0455 Mon Sep 17 00:00:00 2001
From: Mathew
Date: Mon, 6 Mar 2023 14:13:00 -0500
Subject: [PATCH] sts: Fixes get_cert_url improper url path concatenation

Invalid URL concatenation prevents some OpenIDConnect providers from working with RGW and the AssumeRoleWithWebIdentity API. Invalid URLs contain a double slash `//`. This fix ensures that an ISS is properly joined to the .well-known path.
Fixes: https://tracker.ceph.com/issues/58890
Signed-off-by: Mathew Utter
(cherry picked from commit c71818a586f2e29fb76310cb6477f0ccee7f19bd)
---
 src/rgw/rgw_rest_sts.cc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index 8e70faa99f4..09f77f61d5f 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -309,8 +309,14 @@ std::string WebTokenEngine::get_cert_url(const string& iss, const DoutPrefixProvider *dpp, optional_yield y) const
 {
 string cert_url;
- string openidc_wellknown_url = iss + "/.well-known/openid-configuration";
+ string openidc_wellknown_url = iss;
 bufferlist openidc_resp;
+
+ if (openidc_wellknown_url.back() == '/') {
+ openidc_wellknown_url.pop_back();
+ }
+ openidc_wellknown_url.append("/.well-known/openid-configuration");
+
 RGWHTTPTransceiver openidc_req(cct, "GET", openidc_wellknown_url, &openidc_resp);
 //Headers
@@ -761,7 +767,7 @@ static const std::unordered_map op_generators = {"AssumeRoleWithWebIdentity", []() -> RGWOp* {return new RGWSTSAssumeRoleWithWebIdentity;}}
 };
-bool RGWHandler_REST_STS::action_exists(const req_state* s)
+bool RGWHandler_REST_STS::action_exists(const req_state* s)
 {
 if (s->info.args.exists("Action")) {
 const std::string action_name = s->info.args.get("Action");
-- 
2.47.3
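Review bot: `openidc_wellknown_url.back()` in the first hunk is called without checking that the string is non-empty, and `back()` on an empty `std::string` is undefined behaviour; nothing visible here shows that an empty `iss` is rejected before get_cert_url runs. Since the issuer presumably originates from the presented web identity token, the guard should read `if (!openidc_wellknown_url.empty() && openidc_wellknown_url.back() == '/') {`. Only one trailing slash is removed, so an issuer ending in `//` still produces the double-slash URL the commit sets out to avoid. The body of get_cert_url continues past the end of the hunk, so whether the issuer is matched against a configured provider before this outbound GET is built cannot be confirmed from here.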