[#8] Active validation of AWS V4 signature

Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
Pavel Korotkov 2020-08-06 18:23:01 +03:00
parent fdc6d7acbd
commit d70fe6410b


@ -2,12 +2,16 @@ package auth
import ( import (
"bytes" "bytes"
"context"
"crypto/ecdsa" "crypto/ecdsa"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"regexp" "regexp"
"strings" "strings"
"time"
aws_credentials "github.com/aws/aws-sdk-go/aws/credentials"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/nspcc-dev/neofs-api-go/refs" "github.com/nspcc-dev/neofs-api-go/refs"
"github.com/nspcc-dev/neofs-api-go/service" "github.com/nspcc-dev/neofs-api-go/service"
"github.com/nspcc-dev/neofs-authmate/accessbox/hcs" "github.com/nspcc-dev/neofs-authmate/accessbox/hcs"
@ -87,19 +91,15 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
if len(signedHeaderFieldsNames) == 0 { if len(signedHeaderFieldsNames) == 0 {
return nil, errors.New("wrong format of signed headers part") return nil, errors.New("wrong format of signed headers part")
} }
// signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date")) signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date"))
// if err != nil { if err != nil {
// return nil, errors.Wrap(err, "failed to parse x-amz-date header field") return nil, errors.Wrap(err, "failed to parse x-amz-date header field")
// } }
accessKeyID := sms1["access_key_id"] accessKeyID := sms1["access_key_id"]
bearerToken, _, err := center.fetchBearerToken(accessKeyID) bearerToken, secretAccessKey, err := center.fetchBearerToken(accessKeyID)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to fetch bearer token") return nil, errors.Wrap(err, "failed to fetch bearer token")
} }
// Disable verification of S3 signature for arrival of the new auth scheme.
/*
otherRequest := request.Clone(context.TODO()) otherRequest := request.Clone(context.TODO())
otherRequest.Header = map[string][]string{} otherRequest.Header = map[string][]string{}
for hfn, hfvs := range request.Header { for hfn, hfvs := range request.Header {
@ -109,7 +109,7 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
} }
} }
} }
awsCreds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "") awsCreds := aws_credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
signer := v4.NewSigner(awsCreds) signer := v4.NewSigner(awsCreds)
body, err := readAndKeepBody(request) body, err := readAndKeepBody(request)
if err != nil { if err != nil {
@ -123,7 +123,6 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
if sms1["v4_signature"] != sms2["v4_signature"] { if sms1["v4_signature"] != sms2["v4_signature"] {
return nil, errors.Wrap(err, "failed to pass authentication procedure") return nil, errors.Wrap(err, "failed to pass authentication procedure")
} }
*/
return bearerToken, nil return bearerToken, nil
} }
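Review bot: In the last hunk (`@ -123,7 +123,6`), the signature-mismatch branch `if sms1["v4_signature"] != sms2["v4_signature"]` returns `errors.Wrap(err, "failed to pass authentication procedure")`, yet every earlier error path visible in the hunks has already returned, so `err` is most likely nil at that point; with `github.com/pkg/errors` (the only package that provides `errors.Wrap` here), `Wrap(nil, msg)` yields nil, so a mismatched signature would make the function return `(nil, nil)` and a caller that checks only the error would treat the request as authenticated. Unless a statement outside the hunk leaves `err` non-nil there, the rejection should not depend on a prior error: `return nil, errors.New("failed to pass authentication procedure")`. Separately, the hunk `@ -87,19 +91,15` re-enables parsing of `X-Amz-Date` into `signatureDateTime`, but no visible line compares it against the server clock; if it is only handed to the signer, rejecting requests whose timestamp lies outside a bounded skew window would limit replay of captured signed requests. AuthenticationPassed begins, and part of its body between the hunks lies, outside the visible lines.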