Merge pull request #8601 from jmunhoz/fix-aws4-unsigned-payload

rgw: aws4: handle UNSIGNED-PAYLOAD under header auth Reviewed-by: Yehuda Sadeh <yehuda@redhat.com>
ceph · Apr 17, 2016 · 0859625 · 0859625
2 parents f0e3b61 + ecf4572
commit 0859625
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -3523,24 +3523,33 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
 
   /* handle request payload */
 
-  /* from rfc2616 - 4.3 Message Body
-   *
-   * "The presence of a message-body in a request is signaled by the inclusion of a
-   *  Content-Length or Transfer-Encoding header field in the request's message-headers."
-   */
-
   s->aws4_auth->payload_hash = "";
 
   string request_payload;
 
   bool unsigned_payload = false;
+
   if (using_qs) {
+    /* query parameters auth */
     unsigned_payload = true;
+  } else {
+    /* header auth */
+    const char *request_payload_hash = s->info.env->get("HTTP_X_AMZ_CONTENT_SHA256");
+    if (request_payload_hash && string("UNSIGNED-PAYLOAD").compare(request_payload_hash) == 0) {
+      unsigned_payload = true;
+    }
   }
 
-  if (using_qs || ((s->content_length == 0) && s->info.env->get("HTTP_TRANSFER_ENCODING") == NULL)) {
+  /* from rfc2616 - 4.3 Message Body
+   *
+   * "The presence of a message-body in a request is signaled by the inclusion of a
+   *  Content-Length or Transfer-Encoding header field in the request's message-headers."
+   */
+  bool body_available = s->content_length != 0 || s->info.env->get("HTTP_TRANSFER_ENCODING") != NULL;
+
+  if (unsigned_payload || !body_available) {
 
-    /* requests lacking of body are authenticated now */
+    /* requests lacking of body or shipping with 'UNSIGNED-PAYLOAD' are authenticated now */
 
     /* complete aws4 auth */