forked from TrueCloudLab/frostfs-s3-gw
[#339] Presign fix aws sdk
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
7b0a9e9573
commit
1844cdb0d2
1 changed files with 35 additions and 31 deletions
|
@ -1,48 +1,41 @@
|
||||||
// Package v4 implements signing for AWS V4 signer
|
// Package v4 implements the AWS signature version 4 algorithm (commonly known
|
||||||
|
// as SigV4).
|
||||||
//
|
//
|
||||||
// Provides request signing for request that need to be signed with
|
// For more information about SigV4, see [Signing AWS API requests] in the IAM
|
||||||
// AWS V4 Signatures.
|
// user guide.
|
||||||
//
|
//
|
||||||
// # Standalone Signer
|
// While this implementation CAN work in an external context, it is developed
|
||||||
|
// primarily for SDK use and you may encounter fringe behaviors around header
|
||||||
|
// canonicalization.
|
||||||
//
|
//
|
||||||
// Generally using the signer outside of the SDK should not require any additional
|
// # Pre-escaping a request URI
|
||||||
//
|
//
|
||||||
// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires
|
// AWS v4 signature validation requires that the canonical string's URI path
|
||||||
|
// component must be the escaped form of the HTTP request's path.
|
||||||
//
|
//
|
||||||
// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent
|
// The Go HTTP client will perform escaping automatically on the HTTP request.
|
||||||
// to the service as.
|
// This may cause signature validation errors because the request differs from
|
||||||
|
// the URI path or query from which the signature was generated.
|
||||||
//
|
//
|
||||||
// The signer will first check the URL.Opaque field, and use its value if set.
|
// Because of this, we recommend that you explicitly escape the request when
|
||||||
// The signer does require the URL.Opaque field to be set in the form of:
|
// using this signer outside of the SDK to prevent possible signature mismatch.
|
||||||
|
// This can be done by setting URL.Opaque on the request. The signer will
|
||||||
|
// prefer that value, falling back to the return of URL.EscapedPath if unset.
|
||||||
|
//
|
||||||
|
// When setting URL.Opaque you must do so in the form of:
|
||||||
//
|
//
|
||||||
// "//<hostname>/<path>"
|
// "//<hostname>/<path>"
|
||||||
//
|
//
|
||||||
// // e.g.
|
// // e.g.
|
||||||
// "//example.com/some/path"
|
// "//example.com/some/path"
|
||||||
//
|
//
|
||||||
// The leading "//" and hostname are required or the URL.Opaque escaping will
|
// The leading "//" and hostname are required or the escaping will not work
|
||||||
// not work correctly.
|
// correctly.
|
||||||
//
|
//
|
||||||
// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath()
|
// The TestStandaloneSign unit test provides a complete example of using the
|
||||||
// method and using the returned value.
|
// signer outside of the SDK and pre-escaping the URI path.
|
||||||
//
|
//
|
||||||
// AWS v4 signature validation requires that the canonical string's URI path
|
// [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
|
||||||
// element must be the URI escaped form of the HTTP request's path.
|
|
||||||
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
|
|
||||||
//
|
|
||||||
// The Go HTTP client will perform escaping automatically on the request. Some
|
|
||||||
// of these escaping may cause signature validation errors because the HTTP
|
|
||||||
// request differs from the URI path or query that the signature was generated.
|
|
||||||
// https://golang.org/pkg/net/url/#URL.EscapedPath
|
|
||||||
//
|
|
||||||
// Because of this, it is recommended that when using the signer outside of the
|
|
||||||
// SDK that explicitly escaping the request prior to being signed is preferable,
|
|
||||||
// and will help prevent signature validation errors. This can be done by setting
|
|
||||||
// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
|
|
||||||
// call URL.EscapedPath() if Opaque is not set.
|
|
||||||
//
|
|
||||||
// Test `TestStandaloneSign` provides a complete example of using the signer
|
|
||||||
// outside of the SDK and pre-escaping the URI path.
|
|
||||||
package v4
|
package v4
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
@ -411,7 +404,18 @@ func (s *httpSigner) buildCredentialScope() string {
|
||||||
func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) {
|
func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) {
|
||||||
query := url.Values{}
|
query := url.Values{}
|
||||||
unsignedHeaders := http.Header{}
|
unsignedHeaders := http.Header{}
|
||||||
|
|
||||||
|
// A list of headers to be converted to lower case to mitigate a limitation from S3
|
||||||
|
lowerCaseHeaders := map[string]string{
|
||||||
|
"X-Amz-Expected-Bucket-Owner": "x-amz-expected-bucket-owner", // see #2508
|
||||||
|
"X-Amz-Request-Payer": "x-amz-request-payer", // see #2764
|
||||||
|
}
|
||||||
|
|
||||||
for k, h := range header {
|
for k, h := range header {
|
||||||
|
if newKey, ok := lowerCaseHeaders[k]; ok {
|
||||||
|
k = newKey
|
||||||
|
}
|
||||||
|
|
||||||
if r.IsValid(k) {
|
if r.IsValid(k) {
|
||||||
query[k] = h
|
query[k] = h
|
||||||
} else {
|
} else {
|
||||||
|
|
Loading…
Reference in a new issue