RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2024-12-19 09:57:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

rgw: Bucket IP address policy evaluation now uses rgw_remote_addr_param.

Browse Source 
Previously bucket policy ip address restrictions were only being evaluated
against the REMOTE_ADDR environment variable and ignoring the header
specified by the rgw_remote_addr_param configuration option. This rendered
ip-based bucket policies worthless when running behind a reverse proxy.

Signed-off-by: John Gibson <jgibson@mitre.org>
This commit is contained in:
John Gibson 2017-12-24 15:49:50 -05:00
parent 557bdb617e
commit c4c24ca986
No known key found for this signature in database
GPG Key ID: 3C1AA9D440584354
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/rgw/rgw_op.cc
View File

@ -600,7 +600,12 @@ rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store,
e.emplace("aws:SecureTransport", "true");
}
i = m.find("REMOTE_ADDR");
const auto remote_addr_param = s->cct->_conf->rgw_remote_addr_param;
if (remote_addr_param.length()) {
i = m.find(remote_addr_param);
} else {
i = m.find("REMOTE_ADDR");
}
if (i != m.end()) {
e.emplace("aws:SourceIp", i->second);
}

34
src/test/rgw/test_rgw_iam_policy.cc
View File

@ -25,6 +25,7 @@
#include "global/global_init.h"
#include "rgw/rgw_auth.h"
#include "rgw/rgw_iam_policy.h"
#include "rgw/rgw_op.h"
using std::string;
@ -581,6 +582,39 @@ TEST_F(IPPolicyTest, asNetworkInvalid) {
EXPECT_FALSE(rgw::IAM::Condition::as_network("1.2.3.10000"));
}
TEST_F(IPPolicyTest, IPEnvironment) {
// Unfortunately RGWCivetWeb is too tightly tied to civetweb to test RGWCivetWeb::init_env.
RGWEnv rgw_env;
RGWUserInfo user;
RGWRados rgw_rados;
rgw_env.set("REMOTE_ADDR", "192.168.1.1");
rgw_env.set("HTTP_HOST", "1.2.3.4");
req_state rgw_req_state(cct.get(), &rgw_env, &user);
Environment iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
auto ip = iam_env.find("aws:SourceIp");
ASSERT_NE(ip, iam_env.end());
EXPECT_EQ(ip->second, "192.168.1.1");
ASSERT_EQ(cct.get()->_conf->set_val("rgw_remote_addr_param", "SOME_VAR"), 0);
EXPECT_EQ(cct.get()->_conf->rgw_remote_addr_param, "SOME_VAR");
iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
ip = iam_env.find("aws:SourceIp");
EXPECT_EQ(ip, iam_env.end());
rgw_env.set("SOME_VAR", "192.168.1.2");
iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
ip = iam_env.find("aws:SourceIp");
ASSERT_NE(ip, iam_env.end());
EXPECT_EQ(ip->second, "192.168.1.2");
ASSERT_EQ(cct.get()->_conf->set_val("rgw_remote_addr_param", "HTTP_X_FORWARDED_FOR"), 0);
rgw_env.set("HTTP_X_FORWARDED_FOR", "192.168.1.3");
iam_env = rgw_build_iam_environment(&rgw_rados, &rgw_req_state);
ip = iam_env.find("aws:SourceIp");
ASSERT_NE(ip, iam_env.end());
EXPECT_EQ(ip->second, "192.168.1.3");
}
TEST_F(IPPolicyTest, ParseIPAddress) {
optional<Policy> p;