validate.set_url(url);
int ret = validate.process(null_yield);
- if (ret < 0) {
- throw ret;
- }
/* NULL terminate for debug output. */
token_body_bl.append(static_cast<char>(0));
<< validate.get_http_status() << dendl;
return boost::none;
}
+ // throw any other http or connection errors
+ if (ret < 0) {
+ throw ret;
+ }
ldpp_dout(dpp, 20) << "received response status=" << validate.get_http_status()
<< ", body=" << token_body_bl.c_str() << dendl;
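Review bot: The comment added directly before the moved `if (ret < 0)` check, `// throw any other http or connection errors`, uses `//` while every comment around it in this function is a `/* ... */` block (`/* NULL terminate for debug output. */`, `/* send request */`), and the same applies to the comments added in the two following hunks (`// throw any other http or connection errors`, `// return any other http or connection errors`). Prefer the file's form here, e.g. `/* throw any other http or connection errors */`, so the function keeps a single comment style. The enclosing function starts before this hunk and continues after it.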
/* send request */
ret = validate.process(null_yield);
- if (ret < 0) {
- ldpp_dout(dpp, 2) << "s3 keystone: token validation ERROR: "
- << token_body_bl.c_str() << dendl;
- throw ret;
- }
/* if the supplied signature is wrong, we will get 401 from Keystone */
if (validate.get_http_status() ==
decltype(validate)::HTTP_STATUS_NOTFOUND) {
return std::make_pair(boost::none, -ERR_INVALID_ACCESS_KEY);
}
+ // throw any other http or connection errors
+ if (ret < 0) {
+ ldpp_dout(dpp, 2) << "s3 keystone: token validation ERROR: "
+ << token_body_bl.c_str() << dendl;
+ throw ret;
+ }
/* now parse response */
rgw::keystone::TokenEnvelope token_envelope;
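Review bot: The comment directly above the `HTTP_STATUS_NOTFOUND` check, `/* if the supplied signature is wrong, we will get 401 from Keystone */`, no longer matches the code it documents: the check is for a 404 (not found) and, with the generic `ret < 0` path moved below it by this hunk, it is now the branch that turns an unknown access key into `-ERR_INVALID_ACCESS_KEY`. The parallel hunk in the secret-fetching path adds the accurate wording, `/* if the supplied access key isn't found, we will get 404 from Keystone */`; use the same wording here. Note that this branch now returns before the level-2 `s3 keystone: token validation ERROR` log, so an unknown key in this path is no longer logged at that level — presumably intended since it is a normal outcome, but worth confirming. The enclosing function begins and ends outside this hunk.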
/* send request */
ret = secret.process(null_yield);
+
+ /* if the supplied access key isn't found, we will get 404 from Keystone */
+ if (secret.get_http_status() ==
+ decltype(secret)::HTTP_STATUS_NOTFOUND) {
+ return make_pair(boost::none, -ERR_INVALID_ACCESS_KEY);
+ }
+ // return any other http or connection errors
if (ret < 0) {
ldpp_dout(dpp, 2) << "s3 keystone: secret fetching error: "
<< token_body_bl.c_str() << dendl;
return make_pair(boost::none, ret);
}
- /* if the supplied signature is wrong, we will get 401 from Keystone */
- if (secret.get_http_status() ==
- decltype(secret)::HTTP_STATUS_NOTFOUND) {
- return make_pair(boost::none, -EINVAL);
- }
-
/* now parse response */
JSONParser parser;
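Review bot: The new 404 branch returns `-ERR_INVALID_ACCESS_KEY` before the `ret < 0` branch, so an unknown access key no longer reaches the level-2 `s3 keystone: secret fetching error` log and leaves no trace at any debug level; a line such as `ldpp_dout(dpp, 20) << "s3 keystone: access key not found in keystone" << dendl;` before the `return` keeps the outcome visible to operators without reporting it as an error. The change from `-EINVAL` to `-ERR_INVALID_ACCESS_KEY` matches the token-validation path earlier in the file, which is a welcome consistency. The enclosing function starts before this hunk and continues after it.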
auto [t, secret_key, failure_reason] =
get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory);
if (! t) {
+ if (failure_reason == -ERR_SIGNATURE_NO_MATCH) {
+ // we looked up a secret but it didn't generate the same signature as
+ // the client. since we found this access key in keystone, we should
+ // reject the request instead of trying other engines
+ return result_t::reject(failure_reason);
+ }
return result_t::deny(failure_reason);
}
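Review bot: `result_t::reject(failure_reason)` ends the engine chain for this request, which is the stated intent, but nothing in the hunk records that the key was found in Keystone and the request was rejected rather than denied, so a failure that previously fell through to another engine now looks identical to a deny in the logs; a line such as `ldpp_dout(dpp, 20) << "s3 keystone: signature mismatch for access key known to keystone, rejecting" << dendl;` before the `return` would make the new path traceable. The branch presumably relies on `get_access_token` returning `-ERR_SIGNATURE_NO_MATCH` only when a secret was actually fetched and compared, which is outside this hunk; an unknown key (`-ERR_INVALID_ACCESS_KEY`) still takes the `deny` path so other engines can be tried. The enclosing function starts before this hunk and continues after it.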