From 9a7a73edf1f432df98984ab7ad60306aa6aca6e3 Mon Sep 17 00:00:00 2001 From: liuchang0812 Date: Fri, 10 Feb 2017 18:02:03 +0800 Subject: [PATCH] rgw: don't return skew time in pre-signed url Fixes: http://tracker.ceph.com/issues/18828 Signed-off-by: liuchang0812 (cherry picked from commit dd8b348f4aad0124e8a4457117bf3f5f76af7bdb) --- src/rgw/rgw_rest_s3.cc | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index a745b95f5a2ef..c6b8b6015a67a 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -3416,6 +3416,7 @@ int RGW_Auth_S3::authorize(RGWRados *store, struct req_state *s) return 0; } else { + /* Authorization in Header */ /* AWS4 */ @@ -3558,6 +3559,9 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_b { string::size_type pos; bool using_qs; + /* used for pre-signatured url, We shouldn't return -ERR_REQUEST_TIME_SKEWED when + current time <= X-Amz-Expires */ + bool qsr = false; uint64_t now_req = 0; uint64_t now = ceph_clock_now(); @@ -3593,12 +3597,12 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_b return -EPERM; s->aws4_auth->expires = s->info.args.get("X-Amz-Expires"); - if (s->aws4_auth->expires.size() != 0) { + if (!s->aws4_auth->expires.empty()) { /* X-Amz-Expires provides the time period, in seconds, for which the generated presigned URL is valid. The minimum value you can set is 1, and the maximum is 604800 (seven days) */ time_t exp = atoll(s->aws4_auth->expires.c_str()); - if ((exp < 1) || (exp > 604800)) { + if ((exp < 1) || (exp > 7*24*60*60)) { dout(10) << "NOTICE: exp out of range, exp = " << exp << dendl; return -EPERM; } 
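Review bot: The comment added above `bool qsr = false;` in authorize_v4 compares the current time with X-Amz-Expires, but the comment further down in the same function describes X-Amz-Expires as a period in seconds, so the bound that matters is the request date plus that period. The name `qsr` also does not say what the flag gates. I would reword the comment to `/* true once a pre-signed URL carrying X-Amz-Expires has passed its expiry check; such a request is exempt from the clock-skew test below */` and give the flag a descriptive name such as `presigned_expiry_checked`. The function body continues outside this hunk.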
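Review bot: The range check on `exp` is only as reliable as the parse that feeds it, and `time_t exp = atoll(s->aws4_auth->expires.c_str());` is left unchanged by this commit. `atoll` stops at the first non-digit, so a constructed value such as `60abc` is accepted as 60, and it reports no error for empty or unrepresentable input. Since this value now decides whether the skew test is skipped, a strict parse is preferable: `char *end; errno = 0; long long exp = strtoll(s->aws4_auth->expires.c_str(), &end, 10);` followed by `if (errno || end == s->aws4_auth->expires.c_str() || *end) return -EPERM;`. A named constant for `7*24*60*60` would also keep the limit and the comment above it from drifting apart.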
@@ -3608,12 +3612,17 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s, bool force_b dout(10) << "NOTICE: now = " << now << ", now_req = " << now_req << ", exp = " << exp << dendl; return -EPERM; } + qsr = true; } - if ( (now_req < now - RGW_AUTH_GRACE_MINS * 60) || - (now_req > now + RGW_AUTH_GRACE_MINS * 60) ) { + if ((now_req < now - RGW_AUTH_GRACE_MINS * 60 || + now_req > now + RGW_AUTH_GRACE_MINS * 60) && !qsr) { dout(10) << "NOTICE: request time skew too big." << dendl; - dout(10) << "now_req = " << now_req << " now = " << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl; + dout(10) << "now_req = " << now_req << " now = " << now + << "; now - RGW_AUTH_GRACE_MINS=" + << now - RGW_AUTH_GRACE_MINS * 60 + << "; now + RGW_AUTH_GRACE_MINS=" + << now + RGW_AUTH_GRACE_MINS * 60 << dendl; return -ERR_REQUEST_TIME_SKEWED; } -- 2.39.5
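Review bot: The `&& !qsr` term switches off both halves of the skew test for a pre-signed URL, including `now_req > now + RGW_AUTH_GRACE_MINS * 60`, although only the "too old" half conflicts with a long-lived URL. The expiry condition that precedes `qsr = true;` starts above this hunk; if it only checks that now is before the request date plus `exp`, nothing is left to reject an X-Amz-Date well in the future. Such a URL would stay usable until that date plus `exp`, which defeats the seven-day limit enforced just above. I would keep the future-side bound unconditional: `if (now_req > now + RGW_AUTH_GRACE_MINS * 60 ||` / `(!qsr && now_req < now - RGW_AUTH_GRACE_MINS * 60)) {`. A test with a pre-signed request dated beyond the grace window would pin this down.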