[#8] Active validation of AWS V4 signature

Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
This commit is contained in:
Pavel Korotkov 2020-08-06 18:23:01 +03:00
parent fdc6d7acbd
commit d70fe6410b

View file

@ -2,12 +2,16 @@ package auth
import ( import (
"bytes" "bytes"
"context"
"crypto/ecdsa" "crypto/ecdsa"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"regexp" "regexp"
"strings" "strings"
"time"
aws_credentials "github.com/aws/aws-sdk-go/aws/credentials"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/nspcc-dev/neofs-api-go/refs" "github.com/nspcc-dev/neofs-api-go/refs"
"github.com/nspcc-dev/neofs-api-go/service" "github.com/nspcc-dev/neofs-api-go/service"
"github.com/nspcc-dev/neofs-authmate/accessbox/hcs" "github.com/nspcc-dev/neofs-authmate/accessbox/hcs"
@ -87,43 +91,38 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
if len(signedHeaderFieldsNames) == 0 { if len(signedHeaderFieldsNames) == 0 {
return nil, errors.New("wrong format of signed headers part") return nil, errors.New("wrong format of signed headers part")
} }
// signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date")) signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date"))
// if err != nil { if err != nil {
// return nil, errors.Wrap(err, "failed to parse x-amz-date header field") return nil, errors.Wrap(err, "failed to parse x-amz-date header field")
// } }
accessKeyID := sms1["access_key_id"] accessKeyID := sms1["access_key_id"]
bearerToken, _, err := center.fetchBearerToken(accessKeyID) bearerToken, secretAccessKey, err := center.fetchBearerToken(accessKeyID)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to fetch bearer token") return nil, errors.Wrap(err, "failed to fetch bearer token")
} }
otherRequest := request.Clone(context.TODO())
// Disable verification of S3 signature for arrival of the new auth scheme. otherRequest.Header = map[string][]string{}
/* for hfn, hfvs := range request.Header {
otherRequest := request.Clone(context.TODO()) for _, shfn := range signedHeaderFieldsNames {
otherRequest.Header = map[string][]string{} if strings.EqualFold(hfn, shfn) {
for hfn, hfvs := range request.Header { otherRequest.Header[hfn] = hfvs
for _, shfn := range signedHeaderFieldsNames {
if strings.EqualFold(hfn, shfn) {
otherRequest.Header[hfn] = hfvs
}
} }
} }
awsCreds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "") }
signer := v4.NewSigner(awsCreds) awsCreds := aws_credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
body, err := readAndKeepBody(request) signer := v4.NewSigner(awsCreds)
if err != nil { body, err := readAndKeepBody(request)
return nil, errors.Wrap(err, "failed to read out request body") if err != nil {
} return nil, errors.Wrap(err, "failed to read out request body")
_, err = signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime) }
if err != nil { _, err = signer.Sign(otherRequest, body, sms1["service"], sms1["region"], signatureDateTime)
return nil, errors.Wrap(err, "failed to sign temporary HTTP request") if err != nil {
} return nil, errors.Wrap(err, "failed to sign temporary HTTP request")
sms2 := center.submatcher.getSubmatches(otherRequest.Header.Get("Authorization")) }
if sms1["v4_signature"] != sms2["v4_signature"] { sms2 := center.submatcher.getSubmatches(otherRequest.Header.Get("Authorization"))
return nil, errors.Wrap(err, "failed to pass authentication procedure") if sms1["v4_signature"] != sms2["v4_signature"] {
} return nil, errors.Wrap(err, "failed to pass authentication procedure")
*/ }
return bearerToken, nil return bearerToken, nil
} }