From 2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0 Mon Sep 17 00:00:00 2001 From: Prashanth Pai Date: Fri, 5 Aug 2016 14:25:08 +0530 Subject: s3: Make s3 support configurable Amazon S3 compatibility: This change makes S3 support tunable using a config option and is turned off by default. This is a manual backport of this upstream swauth change: https://review.openstack.org/#/c/326336/ Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17 Signed-off-by: Prashanth Pai Reviewed-on: http://review.gluster.org/15098 Reviewed-by: Thiago da Silva Tested-by: Thiago da Silva --- .../common/middleware/gswauth/swauth/middleware.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'gluster') diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py index 48f1d71..7a6d713 100644 --- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py +++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py @@ -148,6 +148,18 @@ class Swauth(object): 'Invalid auth_type in config file: %s' % self.auth_type) self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt') + + # Due to security concerns, S3 support is disabled by default. + self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES + if self.s3_support and self.auth_type != 'Plaintext' \ + and not self.auth_encoder.salt: + # In future, we may want to randomize salt generation rather than + # use a statically set salt as done today. + msg = _('S3 support requires salt to be manually set in conf ' + 'file using auth_type_salt config option.') + self.logger.warning(msg) + self.s3_support = False + self.allow_overrides = \ conf.get('allow_overrides', 't').lower() in TRUE_VALUES self.agent = '%(orig)s Swauth' 
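Review bot: The salt guard in the new block cannot fire in the common case, because the context line just above it sets `self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')`, so `not self.auth_encoder.salt` is only true when an operator explicitly sets `auth_type_salt` to an empty string; a deployment that never set the option keeps the well-known default salt and still gets S3 support enabled, which is exactly what the warning text ("requires salt to be manually set") says should not happen. Test for the option having been supplied rather than for an empty value, e.g. replace `and not self.auth_encoder.salt:` with `and 'auth_type_salt' not in conf:`, so the static-default case the in-code comment worries about is the one that disables S3. The `__init__` method holding this block starts and ends outside the hunk, and the hunk's first context line appears to be missing from this rendering, so I cannot see whether the salt is validated earlier.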
@@ -205,6 +217,9 @@ class Swauth(object):
 elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
 return self.handle(env, start_response)
 s3 = env.get('HTTP_AUTHORIZATION')
+ if s3 and not self.s3_support:
+ msg = 'S3 support is disabled in gswauth.'
+ return HTTPBadRequest(body=msg)(env, start_response)
 token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
 if token and len(token) > authtypes.MAX_TOKEN_LENGTH:
 return HTTPBadRequest(body='Token exceeds maximum length.')(
@@ -284,6 +299,9 @@ class Swauth(object):
 groups = None
 if env.get('HTTP_AUTHORIZATION'):
+ if not self.s3_support:
+ self.logger.warning('S3 support is disabled in gswauth.')
+ return None
 if self.swauth_remote:
 # TODO: Support S3-style authorization with swauth_remote mode
 self.logger.warn('S3-style authorization not supported yet '
-- cgit
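Review bot: The two new guards are inconsistent: here a request carrying an `Authorization` header while S3 is off gets an `HTTPBadRequest` with no log entry, while the same condition in the third hunk (`@@ -284,6 +299,9 @@`, inside `get_groups`) logs a warning and returns None, which presumably ends as an unauthorized response rather than a 400. Because this check in `__call__` runs first, the `get_groups` branch is only reachable through some other caller, so pick one outcome and one message: hoist `'S3 support is disabled in gswauth.'` into a module-level constant used by both places, and either log here as well or drop the warning there. A comment explaining why both checks exist would help the next reader, e.g. `# Defensive: __call__ already rejects these; kept for direct callers of get_groups.` `__call__` starts and ends outside this hunk.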
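Review bot: The warning on the new `get_groups` branch fires once per request that carries an `Authorization` header while S3 is off, and it carries no request context, so an operator seeing it cannot tell which client or path produced it; given the `__call__` guard in the second hunk, reaching this branch is itself unexpected and worth the detail. If the logger does not already attach the client address, include it, e.g. `self.logger.warning('S3 support is disabled in gswauth; rejecting request from %s', env.get('REMOTE_ADDR'))`. `get_groups` starts and ends outside the hunk, and the hunk's first context line appears to be missing from this rendering.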