rgw: aws4: add presigned url bugfix in runtime

Runtime bugfix to handle presigned urls computed with canonical requests using the port number once. Boto2 computes canonical requests using the port number twice although it should be used once only. This behaviour is a bug supported by AWS S3. Boto2 is used in RGW S3 as reference implementation. The client-side tools not supporting this boto2 bug will fail although they should work too. In order to support both presigned url implementations this patch adds a config option to compute a second signature. With this option enabled, the code will compute two signatures when the first signature is not valid. The aws4 auth succeed if some of the two signatures is valid. The config option rgw_s3_auth_aws4_presigned_url_bugfix is disabled by default so one signature, working with boto2, is computed only. Fixes: http://tracker.ceph.com/issues/16463 Signed-off-by: Javier M. Mellid <jmunhoz@igalia.com>
ceph · Jul 6, 2016 · 8f915e0 · 8f915e0
1 parent 2daf3ef
commit 8f915e0
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
@@ -1310,6 +1310,7 @@ OPTION(rgw_keystone_verify_ssl, OPT_BOOL, true) // should we try to verify keyst
 OPTION(rgw_keystone_implicit_tenants, OPT_BOOL, false)  // create new users in their own tenants of the same name
 OPTION(rgw_s3_auth_use_rados, OPT_BOOL, true)  // should we try to use the internal credentials for s3?
 OPTION(rgw_s3_auth_use_keystone, OPT_BOOL, false)  // should we try to use keystone for s3?
+OPTION(rgw_s3_auth_aws4_presigned_url_bugfix, OPT_BOOL, false) // aws4 auth presigned url client-side bug support?
 
 /* OpenLDAP-style LDAP parameter strings */
 /* rgw_ldap_uri  space-separated list of LDAP servers in URI format */

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -1297,6 +1297,7 @@ struct req_state {
   /* aws4 auth support */
   bool aws4_auth_needs_complete;
   bool aws4_auth_streaming_mode;
+  bool aws4_auth_presigned_url_bugfix;
   unique_ptr<rgw_aws4_auth> aws4_auth;
 
   string canned_acl;

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -3229,6 +3229,8 @@ int RGW_Auth_S3::authorize(RGWRados *store, struct req_state *s)
     return 0;
   }
 
+  s->aws4_auth_presigned_url_bugfix = false;
+
   if (!s->http_auth || !(*s->http_auth)) {
 
     /* AWS4 */
@@ -3238,7 +3240,14 @@ int RGW_Auth_S3::authorize(RGWRados *store, struct req_state *s)
       if (algorithm != "AWS4-HMAC-SHA256") {
         return -EPERM;
       }
-      return authorize_v4(store, s);
+      /* compute first aws4 signature (stick to the boto2 implementation) */
+      int err = authorize_v4(store, s);
+      if (err && store->ctx()->_conf->rgw_s3_auth_aws4_presigned_url_bugfix) {
+        /* compute second aws4 signature (no bugs supported) */
+        s->aws4_auth_presigned_url_bugfix = true;
+        return authorize_v4(store, s);
+      }
+      return err;
     }
 
     /* AWS2 */
@@ -3667,7 +3676,7 @@ int RGW_Auth_S3::authorize_v4(RGWRados *store, struct req_state *s)
       }
     }
     string token_value = string(t);
-    if (using_qs && (token == "host")) {
+    if (!s->aws4_auth_presigned_url_bugfix && using_qs && (token == "host")) {
       if (!port.empty() && port != "80" && port != "0") {
         token_value = token_value + ":" + port;
       } else if (!secure_port.empty() && secure_port != "443") {