TrueCloudLab/frostfs-s3-gw
17
3
Fork 20
Code Issues 29 Pull requests 9 Projects Releases 33 Packages 1 Activity Actions

[#Issue] presign
Some checks failed
/ DCO (pull_request) Failing after 1m24s
Details
/ Builds (1.20) (pull_request) Successful in 2m29s
Details
/ Builds (1.21) (pull_request) Successful in 2m15s
Details
/ Vulncheck (pull_request) Successful in 2m0s
Details
/ Lint (pull_request) Failing after 2m31s
Details
/ Tests (1.20) (pull_request) Successful in 2m18s
Details
/ Tests (1.21) (pull_request) Failing after 11s
Details

Browse source 
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-04-23 14:49:34 +03:00
parent 4d8db3b38a
commit 978679f380
5 changed files with 40 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
api/auth/center.go
View file

@ -9,7 +9,6 @@ import (
"io" "io"
"mime/multipart" "mime/multipart"
"net/http" "net/http"
"os"
"regexp" "regexp"
"strings" "strings"
"time" "time"
@ -23,7 +22,6 @@ import (
oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id" oid "git.frostfs.info/TrueCloudLab/frostfs-sdk-go/object/id"
credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials" credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/smithy-go/logging"
) )
var ( var (
@ -410,8 +408,6 @@ func (c *Center) checkSign(authHeader *AuthHeader, box *accessbox.Box, request *
case signaturePreambleSigV4A: case signaturePreambleSigV4A:
signer := v4a.NewSigner(func(options *v4a.SignerOptions) { signer := v4a.NewSigner(func(options *v4a.SignerOptions) {
options.DisableURIPathEscaping = true options.DisableURIPathEscaping = true
options.LogSigning = true
options.Logger = logging.NewStandardLogger(os.Stdout)
}) })
credAdapter := v4a.SymmetricCredentialAdaptor{ credAdapter := v4a.SymmetricCredentialAdaptor{
@ -423,13 +419,16 @@ func (c *Center) checkSign(authHeader *AuthHeader, box *accessbox.Box, request *
return fmt.Errorf("failed to derive assymetric key from credentials: %w", err) return fmt.Errorf("failed to derive assymetric key from credentials: %w", err)
} }
if authHeader.IsPresigned { if !authHeader.IsPresigned {
if err = checkPresignedDate(authHeader, signatureDateTime); err != nil { return signer.VerifySignature(creds, request, authHeader.PayloadHash, authHeader.Service,
return err strings.Split(authHeader.Region, ","), signatureDateTime, authHeader.Signature)
}
} }
return signer.VerifySignature(creds, request, authHeader.PayloadHash, authHeader.Service, if err = checkPresignedDate(authHeader, signatureDateTime); err != nil {
return err
}
return signer.VerifyPresigned(creds, request, authHeader.PayloadHash, authHeader.Service,
strings.Split(authHeader.Region, ","), signatureDateTime, authHeader.Signature) strings.Split(authHeader.Region, ","), signatureDateTime, authHeader.Signature)
default: default:
return fmt.Errorf("invalid preamble: %s", authHeader.Preamble) return fmt.Errorf("invalid preamble: %s", authHeader.Preamble)

1
api/auth/center_test.go
View file

@ -35,6 +35,7 @@ func TestAuthHeaderParse(t *testing.T) {
Signature: "2811ccb9e242f41426738fb1f", Signature: "2811ccb9e242f41426738fb1f",
SignedFields: []string{"host", "x-amz-content-sha256", "x-amz-date"}, SignedFields: []string{"host", "x-amz-content-sha256", "x-amz-date"},
Date: "20210809", Date: "20210809",
Preamble: signaturePreambleSigV4,
}, },
}, },
{ {

10
api/auth/presign.go
View file

@ -28,6 +28,7 @@ type PresignData struct {
Region string Region string
Lifetime time.Duration Lifetime time.Duration
SignTime time.Time SignTime time.Time
Headers map[string]string
} }
// PresignRequest forms pre-signed request to access objects without aws credentials. // PresignRequest forms pre-signed request to access objects without aws credentials.
@ -38,8 +39,10 @@ func PresignRequest(creds *credentials.Credentials, reqData RequestData, presign
return nil, fmt.Errorf("failed to create new request: %w", err) return nil, fmt.Errorf("failed to create new request: %w", err)
} }
for k, v := range presignData.Headers {
req.Header.Set(k, v) // maybe we should filter system header (or keep responsibility on caller)
}
req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z")) req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))
req.Header.Set(ContentTypeHdr, "text/plain")
signer := v4.NewSigner(creds) signer := v4.NewSigner(creds)
signer.DisableURIPathEscaping = true signer.DisableURIPathEscaping = true
@ -59,8 +62,11 @@ func PresignRequestV4a(credProvider credentialsv2.StaticCredentialsProvider, req
return nil, fmt.Errorf("failed to create new request: %w", err) return nil, fmt.Errorf("failed to create new request: %w", err)
} }
for k, v := range presignData.Headers {
req.Header.Set(k, v) // maybe we should filter system header (or keep responsibility on caller)
}
req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z")) req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))
req.Header.Set(ContentTypeHdr, "text/plain")
req.Header.Set(AmzExpires, strconv.Itoa(int(presignData.Lifetime.Seconds()))) req.Header.Set(AmzExpires, strconv.Itoa(int(presignData.Lifetime.Seconds())))
signer := v4a.NewSigner(func(options *v4a.SignerOptions) { signer := v4a.NewSigner(func(options *v4a.SignerOptions) {

17
api/auth/presign_test.go
View file

@ -75,6 +75,9 @@ func TestCheckSign(t *testing.T) {
Region: "spb", Region: "spb",
Lifetime: 10 * time.Minute, Lifetime: 10 * time.Minute,
SignTime: time.Now().UTC(), SignTime: time.Now().UTC(),
Headers: map[string]string{
ContentTypeHdr: "text/plain",
},
} }
req, err := PresignRequest(awsCreds, reqData, presignData) req, err := PresignRequest(awsCreds, reqData, presignData)
@ -119,11 +122,16 @@ func TestCheckSignV4a(t *testing.T) {
Region: "spb", Region: "spb",
Lifetime: 10 * time.Minute, Lifetime: 10 * time.Minute,
SignTime: time.Now().UTC(), SignTime: time.Now().UTC(),
Headers: map[string]string{
ContentTypeHdr: "text/plain",
},
} }
req, err := PresignRequestV4a(awsCreds, reqData, presignData) req, err := PresignRequestV4a(awsCreds, reqData, presignData)
require.NoError(t, err) require.NoError(t, err)
req.Header.Set(ContentTypeHdr, "text/plain")
expBox := &accessbox.Box{ expBox := &accessbox.Box{
Gate: &accessbox.GateData{ Gate: &accessbox.GateData{
SecretKey: secretKey, SecretKey: secretKey,
@ -170,9 +178,7 @@ func TestPresignRequestV4a(t *testing.T) {
req, err := http.NewRequest("GET", "http://localhost:8084/bucket/object", nil) req, err := http.NewRequest("GET", "http://localhost:8084/bucket/object", nil)
require.NoError(t, err) require.NoError(t, err)
//req.Header.Set(AmzRegionSet, strings.Join(regionSet, ",")) req.Header.Set(AmzExpires, "600")
//req.Header.Set(AmzDate, signingTime.Format("20060102T150405Z"))
//req.Header.Set(AmzAlgorithm, signaturePreambleSigV4A)
presignedURL, hdr, err := signer.PresignHTTP(req.Context(), creds, req, "", service, regionSet, signingTime) presignedURL, hdr, err := signer.PresignHTTP(req.Context(), creds, req, "", service, regionSet, signingTime)
require.NoError(t, err) require.NoError(t, err)
@ -184,7 +190,10 @@ func TestPresignRequestV4a(t *testing.T) {
r, err := http.NewRequest("GET", presignedURL, nil) r, err := http.NewRequest("GET", presignedURL, nil)
require.NoError(t, err) require.NoError(t, err)
query := r.URL.Query()
query.Del(AmzSignature)
r.URL.RawQuery = query.Encode()
err = signer.VerifySignature(creds, r, "", service, regionSet, signingTime, signature) err = signer.VerifyPresigned(creds, r, "", service, regionSet, signingTime, signature)
require.NoError(t, err) require.NoError(t, err)
} }

15
api/auth/signer/v4asdk2/v4a.go
View file

@ -202,6 +202,15 @@ func (s *Signer) SignHTTP(ctx context.Context, credentials Credentials, r *http.
// VerifySignature checks sigv4a. // VerifySignature checks sigv4a.
func (s *Signer) VerifySignature(credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, signature string, optFns ...func(*SignerOptions)) error { func (s *Signer) VerifySignature(credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, signature string, optFns ...func(*SignerOptions)) error {
return s.verifySignature(credentials, r, payloadHash, service, regionSet, signingTime, signature, false, optFns...)
}
// VerifyPresigned checks sigv4a.
func (s *Signer) VerifyPresigned(credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, signature string, optFns ...func(*SignerOptions)) error {
return s.verifySignature(credentials, r, payloadHash, service, regionSet, signingTime, signature, true, optFns...)
}
func (s *Signer) verifySignature(credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, signature string, isPresigned bool, optFns ...func(*SignerOptions)) error {
options := s.options options := s.options
for _, fn := range optFns { for _, fn := range optFns {
fn(&options) fn(&options)
@ -214,6 +223,7 @@ func (s *Signer) VerifySignature(credentials Credentials, r *http.Request, paylo
RegionSet: regionSet, RegionSet: regionSet,
Credentials: credentials, Credentials: credentials,
Time: signingTime.UTC(), Time: signingTime.UTC(),
IsPreSign: isPresigned,
DisableHeaderHoisting: options.DisableHeaderHoisting, DisableHeaderHoisting: options.DisableHeaderHoisting,
DisableURIPathEscaping: options.DisableURIPathEscaping, DisableURIPathEscaping: options.DisableURIPathEscaping,
} }
@ -465,11 +475,6 @@ func (s *httpSigner) buildCanonicalHeaders(host string, rule v4Internal.Rule, he
continue // ignored header continue // ignored header
} }
if strings.EqualFold(k, contentLengthHeader) {
// prevent signing already handled content-length header.
continue
}
lowerCaseKey := strings.ToLower(k) lowerCaseKey := strings.ToLower(k)
if _, ok := signed[lowerCaseKey]; ok { if _, ok := signed[lowerCaseKey]; ok {
// include additional values // include additional values