From 04c5a6f0339ad4ad8eead5260b415f4e1584dfbf Mon Sep 17 00:00:00 2001
From: MinSheng Lin
Date: Fri, 25 Jan 2019 03:20:17 +0000
Subject: [PATCH] rgw_file: use correct secret key to check auth

Currently, the authorize function in rgw_file only use the secret key of first key pair to compare, add a function which get secret key by user's access key and check the result is match with user's secret key.

Fixes: https://tracker.ceph.com/issues/37855
Signed-off-by: MinSheng Lin
(cherry picked from commit e92755c60325475342afcafcd5293a20e3e5216a)
---
 src/rgw/rgw_common.h | 8 ++++++--
 src/rgw/rgw_file.h | 5 ++---
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 563fe7a79d16..3854d5b4a8fd 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -646,11 +646,15 @@ struct RGWUserInfo
 type(TYPE_NONE) {
 }
 
- RGWAccessKey* get_key0() {
+ RGWAccessKey* get_key(const string& access_key) {
 if (access_keys.empty())
 return nullptr;
+
+ auto k = access_keys.find(access_key);
+ if (k == access_keys.end())
+ return nullptr;
 else
- return &(access_keys.begin()->second);
+ return &(k->second);
 }
 
 void encode(bufferlist& bl) const {
diff --git a/src/rgw/rgw_file.h b/src/rgw/rgw_file.h
index b91bde189064..59559a2901ad 100644
--- a/src/rgw/rgw_file.h
+++ b/src/rgw/rgw_file.h
@@ -918,9 +918,8 @@ namespace rgw {
 int authorize(RGWRados* store) {
 int ret = rgw_get_user_info_by_access_key(store, key.id, user);
 if (ret == 0) {
- RGWAccessKey* key0 = user.get_key0();
- if (!key0 ||
- (key0->key != key.key))
+ RGWAccessKey* k = user.get_key(key.id);
+ if (!k || (k->key != key.key))
 return -EINVAL;
 if (user.suspended)
 return -ERR_USER_SUSPENDED;
-- 
2.47.3
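Review bot: In `get_key`, the `access_keys.empty()` early return is redundant now that the lookup goes through `find`, which already yields `end()` on an empty container, and the trailing `else` after a `return` adds nothing. The body could be just `auto k = access_keys.find(access_key);` followed by `return k == access_keys.end() ? nullptr : &k->second;`. I would also put a comment above it, such as `// Returns the key pair stored under access_key, or nullptr if this user has no such key; the pointer aliases access_keys.`, so callers know not to hold the result across a modification of the map.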
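Review bot: The secret comparison `k->key != key.key` in `authorize` is an ordinary string inequality, which stops at the first differing byte, so its duration depends on how much of the supplied secret is correct. For a credential check a constant-time comparison is the safer default, for example a length check followed by OpenSSL's `CRYPTO_memcmp(k->key.data(), key.key.data(), key.key.size()) != 0` if that library is available to this header; this assumes both fields are `std::string`, which the hunk does not show. Separately, `get_key(key.id)` can now return a key pair other than the user's first one, and nothing visible here checks whether that pair is restricted in some way (for instance tied to a subuser), so it is worth confirming that the rest of `authorize`, which continues past the hunk, does not grant more than the matched key allows.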