frostfs-s3-gw/legacy/signature-v4-parser.go

/*
 * MinIO Cloud Storage, (C) 2015 MinIO, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package legacy

import (
	"net/http"
	"net/url"
	"strings"
	"time"

	"github.com/minio/minio/pkg/auth"
)

// credentialHeader data type represents structured form of Credential
// string from authorization header.
type credentialHeader struct {
	accessKey string
	scope     struct {
		date    time.Time
		region  string
		service string
		request string
	}
}

// Return scope string.
func (c credentialHeader) getScope() string {
	return strings.Join([]string{
		c.scope.date.Format(yyyymmdd),
		c.scope.region,
		c.scope.service,
		c.scope.request,
	}, SlashSeparator)
}

func getReqAccessKeyV4(r *http.Request, region string, stype serviceType) (auth.Credentials, bool, APIErrorCode) {
	ch, err := parseCredentialHeader("Credential="+r.URL.Query().Get("X-Amz-Credential"), region, stype)
	if err != ErrNone {
		// Strip off the Algorithm prefix.
		v4Auth := strings.TrimPrefix(r.Header.Get("Authorization"), signV4Algorithm)
		authFields := strings.Split(strings.TrimSpace(v4Auth), ",")
		if len(authFields) != 3 {
			return auth.Credentials{}, false, ErrMissingFields
		}
		ch, err = parseCredentialHeader(authFields[0], region, stype)
		if err != ErrNone {
			return auth.Credentials{}, false, err
		}
	}
	return checkKeyValid(ch.accessKey)
}

// parse credentialHeader string into its structured form.
func parseCredentialHeader(credElement string, region string, stype serviceType) (ch credentialHeader, aec APIErrorCode) {
	creds := strings.SplitN(strings.TrimSpace(credElement), "=", 2)
	if len(creds) != 2 {
		return ch, ErrMissingFields
	}
	if creds[0] != "Credential" {
		return ch, ErrMissingCredTag
	}
	credElements := strings.Split(strings.TrimSpace(creds[1]), SlashSeparator)
	if len(credElements) < 5 {
		return ch, ErrCredMalformed
	}
	accessKey := strings.Join(credElements[:len(credElements)-4], SlashSeparator) // The access key may contain one or more `/`
	if !auth.IsAccessKeyValid(accessKey) {
		return ch, ErrInvalidAccessKeyID
	}
	// Save access key id.
	cred := credentialHeader{
		accessKey: accessKey,
	}
	credElements = credElements[len(credElements)-4:]
	var e error
	cred.scope.date, e = time.Parse(yyyymmdd, credElements[0])
	if e != nil {
		return ch, ErrMalformedCredentialDate
	}

	cred.scope.region = credElements[1]
	// Verify if region is valid.
	sRegion := cred.scope.region
	// Region is set to be empty, we use whatever was sent by the
	// request and proceed further. This is a work-around to address
	// an important problem for ListBuckets() getting signed with
	// different regions.
	if region == "" {
		region = sRegion
	}
	// Should validate region, only if region is set.
	if !isValidRegion(sRegion, region) {
		return ch, ErrAuthorizationHeaderMalformed

	}
	if credElements[2] != string(stype) {
		switch stype {
		case serviceSTS:
			return ch, ErrInvalidServiceSTS
		}
		return ch, ErrInvalidServiceS3
	}
	cred.scope.service = credElements[2]
	if credElements[3] != "aws4_request" {
		return ch, ErrInvalidRequestVersion
	}
	cred.scope.request = credElements[3]
	return cred, ErrNone
}

// Parse signature from signature tag.
func parseSignature(signElement string) (string, APIErrorCode) {
	signFields := strings.Split(strings.TrimSpace(signElement), "=")
	if len(signFields) != 2 {
		return "", ErrMissingFields
	}
	if signFields[0] != "Signature" {
		return "", ErrMissingSignTag
	}
	if signFields[1] == "" {
		return "", ErrMissingFields
	}
	signature := signFields[1]
	return signature, ErrNone
}

// Parse slice of signed headers from signed headers tag.
func parseSignedHeader(signedHdrElement string) ([]string, APIErrorCode) {
	signedHdrFields := strings.Split(strings.TrimSpace(signedHdrElement), "=")
	if len(signedHdrFields) != 2 {
		return nil, ErrMissingFields
	}
	if signedHdrFields[0] != "SignedHeaders" {
		return nil, ErrMissingSignHeadersTag
	}
	if signedHdrFields[1] == "" {
		return nil, ErrMissingFields
	}
	signedHeaders := strings.Split(signedHdrFields[1], ";")
	return signedHeaders, ErrNone
}

// signValues data type represents structured form of AWS Signature V4 header.
type signValues struct {
	Credential    credentialHeader
	SignedHeaders []string
	Signature     string
}

// preSignValues data type represents structued form of AWS Signature V4 query string.
type preSignValues struct {
	signValues
	Date    time.Time
	Expires time.Duration
}

// Parses signature version '4' query string of the following form.
//
//   querystring = X-Amz-Algorithm=algorithm
//   querystring += &X-Amz-Credential= urlencode(accessKey + '/' + credential_scope)
//   querystring += &X-Amz-Date=date
//   querystring += &X-Amz-Expires=timeout interval
//   querystring += &X-Amz-SignedHeaders=signed_headers
//   querystring += &X-Amz-Signature=signature
//
// verifies if any of the necessary query params are missing in the presigned request.
func doesV4PresignParamsExist(query url.Values) APIErrorCode {
	v4PresignQueryParams := []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature", "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Expires"}
	for _, v4PresignQueryParam := range v4PresignQueryParams {
		if _, ok := query[v4PresignQueryParam]; !ok {
			return ErrInvalidQueryParams
		}
	}
	return ErrNone
}

// Parses all the presigned signature values into separate elements.
func parsePreSignV4(query url.Values, region string, stype serviceType) (psv preSignValues, aec APIErrorCode) {
	// verify whether the required query params exist.
	err := doesV4PresignParamsExist(query)
	if err != ErrNone {
		return psv, err
	}

	// Verify if the query algorithm is supported or not.
	if query.Get("X-Amz-Algorithm") != signV4Algorithm {
		return psv, ErrInvalidQuerySignatureAlgo
	}

	// Initialize signature version '4' structured header.
	preSignV4Values := preSignValues{}

	// Save credential.
	preSignV4Values.Credential, err = parseCredentialHeader("Credential="+query.Get("X-Amz-Credential"), region, stype)
	if err != ErrNone {
		return psv, err
	}

	var e error
	// Save date in native time.Time.
	preSignV4Values.Date, e = time.Parse(iso8601Format, query.Get("X-Amz-Date"))
	if e != nil {
		return psv, ErrMalformedPresignedDate
	}

	// Save expires in native time.Duration.
	preSignV4Values.Expires, e = time.ParseDuration(query.Get("X-Amz-Expires") + "s")
	if e != nil {
		return psv, ErrMalformedExpires
	}

	if preSignV4Values.Expires < 0 {
		return psv, ErrNegativeExpires
	}

	// Check if Expiry time is less than 7 days (value in seconds).
	if preSignV4Values.Expires.Seconds() > 604800 {
		return psv, ErrMaximumExpires
	}

	// Save signed headers.
	preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
	if err != ErrNone {
		return psv, err
	}

	// Save signature.
	preSignV4Values.Signature, err = parseSignature("Signature=" + query.Get("X-Amz-Signature"))
	if err != ErrNone {
		return psv, err
	}

	// Return structed form of signature query string.
	return preSignV4Values, ErrNone
}

// Parses signature version '4' header of the following form.
//
//    Authorization: algorithm Credential=accessKeyID/credScope, \
//            SignedHeaders=signedHeaders, Signature=signature
//
func parseSignV4(v4Auth string, region string, stype serviceType) (sv signValues, aec APIErrorCode) {
	// credElement is fetched first to skip replacing the space in access key.
	credElement := strings.TrimPrefix(strings.Split(strings.TrimSpace(v4Auth), ",")[0], signV4Algorithm)
	// Replace all spaced strings, some clients can send spaced
	// parameters and some won't. So we pro-actively remove any spaces
	// to make parsing easier.
	v4Auth = strings.Replace(v4Auth, " ", "", -1)
	if v4Auth == "" {
		return sv, ErrAuthHeaderEmpty
	}

	// Verify if the header algorithm is supported or not.
	if !strings.HasPrefix(v4Auth, signV4Algorithm) {
		return sv, ErrSignatureVersionNotSupported
	}

	// Strip off the Algorithm prefix.
	v4Auth = strings.TrimPrefix(v4Auth, signV4Algorithm)
	authFields := strings.Split(strings.TrimSpace(v4Auth), ",")
	if len(authFields) != 3 {
		return sv, ErrMissingFields
	}

	// Initialize signature version '4' structured header.
	signV4Values := signValues{}

	var err APIErrorCode
	// Save credentail values.
	signV4Values.Credential, err = parseCredentialHeader(strings.TrimSpace(credElement), region, stype)
	if err != ErrNone {
		return sv, err
	}

	// Save signed headers.
	signV4Values.SignedHeaders, err = parseSignedHeader(authFields[1])
	if err != ErrNone {
		return sv, err
	}

	// Save signature.
	signV4Values.Signature, err = parseSignature(authFields[2])
	if err != ErrNone {
		return sv, err
	}

	// Return the structure here.
	return signV4Values, ErrNone
}
Initial commit based on https://github.com/minio/minio/releases/tag/RELEASE.2020-07-02T00-15-09Z 2020-07-03 12:03:06 +00:00			`/*`
			`* MinIO Cloud Storage, (C) 2015 MinIO, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

Refactoring cmd package 2020-07-09 09:21:15 +00:00			`package legacy`
Initial commit based on https://github.com/minio/minio/releases/tag/RELEASE.2020-07-02T00-15-09Z 2020-07-03 12:03:06 +00:00
			`import (`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`"time"`

			`"github.com/minio/minio/pkg/auth"`
			`)`

			`// credentialHeader data type represents structured form of Credential`
			`// string from authorization header.`
			`type credentialHeader struct {`
			`accessKey string`
			`scope struct {`
			`date time.Time`
			`region string`
			`service string`
			`request string`
			`}`
			`}`

			`// Return scope string.`
			`func (c credentialHeader) getScope() string {`
			`return strings.Join([]string{`
			`c.scope.date.Format(yyyymmdd),`
			`c.scope.region,`
			`c.scope.service,`
			`c.scope.request,`
			`}, SlashSeparator)`
			`}`

			`func getReqAccessKeyV4(r *http.Request, region string, stype serviceType) (auth.Credentials, bool, APIErrorCode) {`
			`ch, err := parseCredentialHeader("Credential="+r.URL.Query().Get("X-Amz-Credential"), region, stype)`
			`if err != ErrNone {`
			`// Strip off the Algorithm prefix.`
			`v4Auth := strings.TrimPrefix(r.Header.Get("Authorization"), signV4Algorithm)`
			`authFields := strings.Split(strings.TrimSpace(v4Auth), ",")`
			`if len(authFields) != 3 {`
			`return auth.Credentials{}, false, ErrMissingFields`
			`}`
			`ch, err = parseCredentialHeader(authFields[0], region, stype)`
			`if err != ErrNone {`
			`return auth.Credentials{}, false, err`
			`}`
			`}`
			`return checkKeyValid(ch.accessKey)`
			`}`

			`// parse credentialHeader string into its structured form.`
			`func parseCredentialHeader(credElement string, region string, stype serviceType) (ch credentialHeader, aec APIErrorCode) {`
			`creds := strings.SplitN(strings.TrimSpace(credElement), "=", 2)`
			`if len(creds) != 2 {`
			`return ch, ErrMissingFields`
			`}`
			`if creds[0] != "Credential" {`
			`return ch, ErrMissingCredTag`
			`}`
			`credElements := strings.Split(strings.TrimSpace(creds[1]), SlashSeparator)`
			`if len(credElements) < 5 {`
			`return ch, ErrCredMalformed`
			`}`
			accessKey := strings.Join(credElements[:len(credElements)-4], SlashSeparator) // The access key may contain one or more `/`
			`if !auth.IsAccessKeyValid(accessKey) {`
			`return ch, ErrInvalidAccessKeyID`
			`}`
			`// Save access key id.`
			`cred := credentialHeader{`
			`accessKey: accessKey,`
			`}`
			`credElements = credElements[len(credElements)-4:]`
			`var e error`
			`cred.scope.date, e = time.Parse(yyyymmdd, credElements[0])`
			`if e != nil {`
			`return ch, ErrMalformedCredentialDate`
			`}`

			`cred.scope.region = credElements[1]`
			`// Verify if region is valid.`
			`sRegion := cred.scope.region`
			`// Region is set to be empty, we use whatever was sent by the`
			`// request and proceed further. This is a work-around to address`
			`// an important problem for ListBuckets() getting signed with`
			`// different regions.`
			`if region == "" {`
			`region = sRegion`
			`}`
			`// Should validate region, only if region is set.`
			`if !isValidRegion(sRegion, region) {`
			`return ch, ErrAuthorizationHeaderMalformed`

			`}`
			`if credElements[2] != string(stype) {`
			`switch stype {`
			`case serviceSTS:`
			`return ch, ErrInvalidServiceSTS`
			`}`
			`return ch, ErrInvalidServiceS3`
			`}`
			`cred.scope.service = credElements[2]`
			`if credElements[3] != "aws4_request" {`
			`return ch, ErrInvalidRequestVersion`
			`}`
			`cred.scope.request = credElements[3]`
			`return cred, ErrNone`
			`}`

			`// Parse signature from signature tag.`
			`func parseSignature(signElement string) (string, APIErrorCode) {`
			`signFields := strings.Split(strings.TrimSpace(signElement), "=")`
			`if len(signFields) != 2 {`
			`return "", ErrMissingFields`
			`}`
			`if signFields[0] != "Signature" {`
			`return "", ErrMissingSignTag`
			`}`
			`if signFields[1] == "" {`
			`return "", ErrMissingFields`
			`}`
			`signature := signFields[1]`
			`return signature, ErrNone`
			`}`

			`// Parse slice of signed headers from signed headers tag.`
			`func parseSignedHeader(signedHdrElement string) ([]string, APIErrorCode) {`
			`signedHdrFields := strings.Split(strings.TrimSpace(signedHdrElement), "=")`
			`if len(signedHdrFields) != 2 {`
			`return nil, ErrMissingFields`
			`}`
			`if signedHdrFields[0] != "SignedHeaders" {`
			`return nil, ErrMissingSignHeadersTag`
			`}`
			`if signedHdrFields[1] == "" {`
			`return nil, ErrMissingFields`
			`}`
			`signedHeaders := strings.Split(signedHdrFields[1], ";")`
			`return signedHeaders, ErrNone`
			`}`

			`// signValues data type represents structured form of AWS Signature V4 header.`
			`type signValues struct {`
			`Credential credentialHeader`
			`SignedHeaders []string`
			`Signature string`
			`}`

			`// preSignValues data type represents structued form of AWS Signature V4 query string.`
			`type preSignValues struct {`
			`signValues`
			`Date time.Time`
			`Expires time.Duration`
			`}`

			`// Parses signature version '4' query string of the following form.`
			`//`
			`// querystring = X-Amz-Algorithm=algorithm`
			`// querystring += &X-Amz-Credential= urlencode(accessKey + '/' + credential_scope)`
			`// querystring += &X-Amz-Date=date`
			`// querystring += &X-Amz-Expires=timeout interval`
			`// querystring += &X-Amz-SignedHeaders=signed_headers`
			`// querystring += &X-Amz-Signature=signature`
			`//`
			`// verifies if any of the necessary query params are missing in the presigned request.`
			`func doesV4PresignParamsExist(query url.Values) APIErrorCode {`
			`v4PresignQueryParams := []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature", "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Expires"}`
			`for _, v4PresignQueryParam := range v4PresignQueryParams {`
			`if _, ok := query[v4PresignQueryParam]; !ok {`
			`return ErrInvalidQueryParams`
			`}`
			`}`
			`return ErrNone`
			`}`

			`// Parses all the presigned signature values into separate elements.`
			`func parsePreSignV4(query url.Values, region string, stype serviceType) (psv preSignValues, aec APIErrorCode) {`
			`// verify whether the required query params exist.`
			`err := doesV4PresignParamsExist(query)`
			`if err != ErrNone {`
			`return psv, err`
			`}`

			`// Verify if the query algorithm is supported or not.`
			`if query.Get("X-Amz-Algorithm") != signV4Algorithm {`
			`return psv, ErrInvalidQuerySignatureAlgo`
			`}`

			`// Initialize signature version '4' structured header.`
			`preSignV4Values := preSignValues{}`

			`// Save credential.`
			`preSignV4Values.Credential, err = parseCredentialHeader("Credential="+query.Get("X-Amz-Credential"), region, stype)`
			`if err != ErrNone {`
			`return psv, err`
			`}`

			`var e error`
			`// Save date in native time.Time.`
			`preSignV4Values.Date, e = time.Parse(iso8601Format, query.Get("X-Amz-Date"))`
			`if e != nil {`
			`return psv, ErrMalformedPresignedDate`
			`}`

			`// Save expires in native time.Duration.`
			`preSignV4Values.Expires, e = time.ParseDuration(query.Get("X-Amz-Expires") + "s")`
			`if e != nil {`
			`return psv, ErrMalformedExpires`
			`}`

			`if preSignV4Values.Expires < 0 {`
			`return psv, ErrNegativeExpires`
			`}`

			`// Check if Expiry time is less than 7 days (value in seconds).`
			`if preSignV4Values.Expires.Seconds() > 604800 {`
			`return psv, ErrMaximumExpires`
			`}`

			`// Save signed headers.`
			`preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))`
			`if err != ErrNone {`
			`return psv, err`
			`}`

			`// Save signature.`
			`preSignV4Values.Signature, err = parseSignature("Signature=" + query.Get("X-Amz-Signature"))`
			`if err != ErrNone {`
			`return psv, err`
			`}`

			`// Return structed form of signature query string.`
			`return preSignV4Values, ErrNone`
			`}`

			`// Parses signature version '4' header of the following form.`
			`//`
			`// Authorization: algorithm Credential=accessKeyID/credScope, \`
			`// SignedHeaders=signedHeaders, Signature=signature`
			`//`
			`func parseSignV4(v4Auth string, region string, stype serviceType) (sv signValues, aec APIErrorCode) {`
			`// credElement is fetched first to skip replacing the space in access key.`
			`credElement := strings.TrimPrefix(strings.Split(strings.TrimSpace(v4Auth), ",")[0], signV4Algorithm)`
			`// Replace all spaced strings, some clients can send spaced`
			`// parameters and some won't. So we pro-actively remove any spaces`
			`// to make parsing easier.`
			`v4Auth = strings.Replace(v4Auth, " ", "", -1)`
			`if v4Auth == "" {`
			`return sv, ErrAuthHeaderEmpty`
			`}`

			`// Verify if the header algorithm is supported or not.`
			`if !strings.HasPrefix(v4Auth, signV4Algorithm) {`
			`return sv, ErrSignatureVersionNotSupported`
			`}`

			`// Strip off the Algorithm prefix.`
			`v4Auth = strings.TrimPrefix(v4Auth, signV4Algorithm)`
			`authFields := strings.Split(strings.TrimSpace(v4Auth), ",")`
			`if len(authFields) != 3 {`
			`return sv, ErrMissingFields`
			`}`

			`// Initialize signature version '4' structured header.`
			`signV4Values := signValues{}`

			`var err APIErrorCode`
			`// Save credentail values.`
			`signV4Values.Credential, err = parseCredentialHeader(strings.TrimSpace(credElement), region, stype)`
			`if err != ErrNone {`
			`return sv, err`
			`}`

			`// Save signed headers.`
			`signV4Values.SignedHeaders, err = parseSignedHeader(authFields[1])`
			`if err != ErrNone {`
			`return sv, err`
			`}`

			`// Save signature.`
			`signV4Values.Signature, err = parseSignature(authFields[2])`
			`if err != ErrNone {`
			`return sv, err`
			`}`

			`// Return the structure here.`
			`return signV4Values, ErrNone`
			`}`