dkirillov/frostfs-s3-gw
1
0
Fork 0
forked from TrueCloudLab/frostfs-s3-gw
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#339] Presign fix aws sdk

Browse source 
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
Denis Kirillov 2024-09-05 15:11:00 +03:00
parent 0397bf83e7
commit be2109bfc9
1 changed files with 35 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
api/auth/signer/v4sdk2/signer/v4/v4.go
View file

@ -1,48 +1,41 @@
// Package v4 implements signing for AWS V4 signer // Package v4 implements the AWS signature version 4 algorithm (commonly known
// as SigV4).
// //
// Provides request signing for request that need to be signed with // For more information about SigV4, see [Signing AWS API requests] in the IAM
// AWS V4 Signatures. // user guide.
// //
// # Standalone Signer // While this implementation CAN work in an external context, it is developed
// primarily for SDK use and you may encounter fringe behaviors around header
// canonicalization.
// //
// Generally using the signer outside of the SDK should not require any additional // # Pre-escaping a request URI
// //
// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires // AWS v4 signature validation requires that the canonical string's URI path
// component must be the escaped form of the HTTP request's path.
// //
// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent // The Go HTTP client will perform escaping automatically on the HTTP request.
// to the service as. // This may cause signature validation errors because the request differs from
// the URI path or query from which the signature was generated.
// //
// The signer will first check the URL.Opaque field, and use its value if set. // Because of this, we recommend that you explicitly escape the request when
// The signer does require the URL.Opaque field to be set in the form of: // using this signer outside of the SDK to prevent possible signature mismatch.
// This can be done by setting URL.Opaque on the request. The signer will
// prefer that value, falling back to the return of URL.EscapedPath if unset.
//
// When setting URL.Opaque you must do so in the form of:
// //
// "//<hostname>/<path>" // "//<hostname>/<path>"
// //
// // e.g. // // e.g.
// "//example.com/some/path" // "//example.com/some/path"
// //
// The leading "//" and hostname are required or the URL.Opaque escaping will // The leading "//" and hostname are required or the escaping will not work
// not work correctly. // correctly.
// //
// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath() // The TestStandaloneSign unit test provides a complete example of using the
// method and using the returned value. // signer outside of the SDK and pre-escaping the URI path.
// //
// AWS v4 signature validation requires that the canonical string's URI path // [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
// element must be the URI escaped form of the HTTP request's path.
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
//
// The Go HTTP client will perform escaping automatically on the request. Some
// of these escaping may cause signature validation errors because the HTTP
// request differs from the URI path or query that the signature was generated.
// https://golang.org/pkg/net/url/#URL.EscapedPath
//
// Because of this, it is recommended that when using the signer outside of the
// SDK that explicitly escaping the request prior to being signed is preferable,
// and will help prevent signature validation errors. This can be done by setting
// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
// call URL.EscapedPath() if Opaque is not set.
//
// Test `TestStandaloneSign` provides a complete example of using the signer
// outside of the SDK and pre-escaping the URI path.
package v4 package v4
import ( import (
@ -411,7 +404,18 @@ func (s *httpSigner) buildCredentialScope() string {
func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) { func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) {
query := url.Values{} query := url.Values{}
unsignedHeaders := http.Header{} unsignedHeaders := http.Header{}
// A list of headers to be converted to lower case to mitigate a limitation from S3
lowerCaseHeaders := map[string]string{
"X-Amz-Expected-Bucket-Owner": "x-amz-expected-bucket-owner", // see #2508
"X-Amz-Request-Payer": "x-amz-request-payer", // see #2764
}
for k, h := range header { for k, h := range header {
if newKey, ok := lowerCaseHeaders[k]; ok {
k = newKey
}
if r.IsValid(k) { if r.IsValid(k) {
query[k] = h query[k] = h
} else { } else {