From 9074eb7c46589aa1e5d10a2b9a8534f22dff2154 Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Mon, 17 Nov 2014 17:37:00 +0530
Subject: [PATCH] rgw: check for timestamp for s3 keystone auth

This commit ensures that we check for timestamp of s3 request is within acceptable grace time of radosgw Addresses some failures in #10062
Fixes: #10062
Signed-off-by: Abhishek Lekshmanan
(cherry picked from commit 4b35ae067fef9f97b886afe112d662c61c564365)
---
 src/rgw/rgw_rest_s3.cc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 6fcecf7ac54..aaff84cf189 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -2115,7 +2115,18 @@ int RGW_Auth_S3::authorize(RGWRados *store, struct req_state *s)
 } else {
 keystone_result = keystone_validator.validate_s3token(auth_id, token, auth_sign);
 if (keystone_result == 0) {
- s->user.user_id = keystone_validator.response.token.tenant.id;
+ // Check for time skew first
+ time_t req_sec = s->header_time.sec();
+
+ if ((req_sec < now - RGW_AUTH_GRACE_MINS * 60 ||
+ req_sec > now + RGW_AUTH_GRACE_MINS * 60) && !qsr) {
+ dout(10) << "req_sec=" << req_sec << " now=" << now << "; now - RGW_AUTH_GRACE_MINS=" << now - RGW_AUTH_GRACE_MINS * 60 << "; now + RGW_AUTH_GRACE_MINS=" << now + RGW_AUTH_GRACE_MINS * 60 << dendl;
+ dout(0) << "NOTICE: request time skew too big now=" << utime_t(now, 0) << " req_time=" << s->header_time << dendl;
+ return -ERR_REQUEST_TIME_SKEWED;
+ }
+
+
+ s->user.user_id = keystone_validator.response.token.tenant.id;
 s->user.display_name = keystone_validator.response.token.tenant.name; // wow.
 /* try to store user if it not already exists */
--
2.47.3
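Review bot: The time-skew check in the `keystone_result == 0` branch runs only after `keystone_validator.validate_s3token(...)` has already succeeded, so a request with a stale or future timestamp still costs a Keystone round trip before it is rejected with `-ERR_REQUEST_TIME_SKEWED`. The check reads only `s->header_time`, `now` and `qsr`, none of which come from the Keystone response, so it could sit ahead of the `validate_s3token` call, or in a small helper shared with any equivalent check elsewhere in `authorize()`, whose body starts and ends outside this hunk. Requests with `qsr` set bypass the window entirely; a comment such as `// qsr requests are exempt here; their expiry must be enforced separately` would make that dependency explicit. The removed and re-added `s->user.user_id` line has identical text, which suggests a whitespace-only change, and two blank `+` lines precede it; both could be dropped from the patch.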