1 files changed, 18 insertions, 0 deletions

diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 48f1d71..7a6d713 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -148,6 +148,18 @@ class Swauth(object):
                 'Invalid auth_type in config file: %s'
                 % self.auth_type)
         self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')
+
+        # Due to security concerns, S3 support is disabled by default.
+        self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES
+        if self.s3_support and self.auth_type != 'Plaintext' \
+                and not self.auth_encoder.salt:
+            # In future, we may want to randomize salt generation rather than
+            # use a statically set salt as done today.
+            msg = _('S3 support requires salt to be manually set in conf '
+                    'file using auth_type_salt config option.')
+            self.logger.warning(msg)
+            self.s3_support = False
+
         self.allow_overrides = \
             conf.get('allow_overrides', 't').lower() in TRUE_VALUES
         self.agent = '%(orig)s Swauth'
@@ -205,6 +217,9 @@ class Swauth(object):
             elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
                 return self.handle(env, start_response)
         s3 = env.get('HTTP_AUTHORIZATION')
+        if s3 and not self.s3_support:
+            msg = 'S3 support is disabled in gswauth.'
+            return HTTPBadRequest(body=msg)(env, start_response)
         token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
         if token and len(token) > authtypes.MAX_TOKEN_LENGTH:
             return HTTPBadRequest(body='Token exceeds maximum length.')(
@@ -284,6 +299,9 @@ class Swauth(object):
                     groups = None
 
         if env.get('HTTP_AUTHORIZATION'):
+            if not self.s3_support:
+                self.logger.warning('S3 support is disabled in gswauth.')
+                return None
             if self.swauth_remote:
                 # TODO: Support S3-style authorization with swauth_remote mode
                 self.logger.warn('S3-style authorization not supported yet '