[#8] Active validation of AWS V4 signature

Signed-off-by: Pavel Korotkov <pkorotkov@gmail.com>
Pavel Korotkov 2020-08-06 18:23:01 +03:00
parent fdc6d7acbd
commit d70fe6410b


@ -2,12 +2,16 @@ package auth
import (
"bytes"
"context"
"crypto/ecdsa"
"io/ioutil"
"net/http"
"regexp"
"strings"
"time"
aws_credentials "github.com/aws/aws-sdk-go/aws/credentials"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/nspcc-dev/neofs-api-go/refs"
"github.com/nspcc-dev/neofs-api-go/service"
"github.com/nspcc-dev/neofs-authmate/accessbox/hcs"
@ -87,19 +91,15 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
if len(signedHeaderFieldsNames) == 0 {
return nil, errors.New("wrong format of signed headers part")
}
// signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date"))
// if err != nil {
// return nil, errors.Wrap(err, "failed to parse x-amz-date header field")
// }
signatureDateTime, err := time.Parse("20060102T150405Z", request.Header.Get("X-Amz-Date"))
if err != nil {
return nil, errors.Wrap(err, "failed to parse x-amz-date header field")
}
accessKeyID := sms1["access_key_id"]
bearerToken, _, err := center.fetchBearerToken(accessKeyID)
bearerToken, secretAccessKey, err := center.fetchBearerToken(accessKeyID)
if err != nil {
return nil, errors.Wrap(err, "failed to fetch bearer token")
}
// Disable verification of S3 signature for arrival of the new auth scheme.
/*
otherRequest := request.Clone(context.TODO())
otherRequest.Header = map[string][]string{}
for hfn, hfvs := range request.Header {
@ -109,7 +109,7 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
}
}
}
awsCreds := credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
awsCreds := aws_credentials.NewStaticCredentials(accessKeyID, secretAccessKey, "")
signer := v4.NewSigner(awsCreds)
body, err := readAndKeepBody(request)
if err != nil {
@ -123,7 +123,6 @@ func (center *Center) AuthenticationPassed(request *http.Request) (*service.Bear
if sms1["v4_signature"] != sms2["v4_signature"] {
return nil, errors.Wrap(err, "failed to pass authentication procedure")
}
*/
return bearerToken, nil
}
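Review bot: In the last hunk the now-active mismatch branch builds its error with `errors.Wrap(err, "failed to pass authentication procedure")`, and `err` looks nil at that point (each earlier assignment to it is followed by an `if err != nil { return ... }`), so if this is github.com/pkg/errors its `Wrap` returns nil and a bad signature falls through to `return nil, nil`, indistinguishable for the caller from success; it should be `return nil, errors.New("failed to pass authentication procedure")`. The plain `!=` on the two signature strings is also not constant-time; `if subtle.ConstantTimeCompare([]byte(sms1["v4_signature"]), []byte(sms2["v4_signature"])) != 1 {` avoids that and needs `"crypto/subtle"` added to the import block in the first hunk. `signatureDateTime` is now parsed in the second hunk, but nothing in this diff checks it against the current time with a skew bound; if that check lives elsewhere, a short comment pointing to it would help. The `aws_credentials` alias uses an underscore, which Go naming conventions discourage (`awscreds` would be conventional). `AuthenticationPassed` begins before the first hunk shown.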