forked from TrueCloudLab/frostfs-s3-gw
[#615] Use UNSIGNED_PAYLOAD to check sign
Use `UNSIGNED_PAYLOAD` to check signature if x-amz-content-sha256 isn't provided as signed header https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html " You include the literal string UNSIGNED-PAYLOAD when constructing a canonical request, and set the same value as the x-amz-content-sha256 header value when sending the request to Amazon S3" Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
510b0a1005
commit
3d3dd00211
6 changed files with 142 additions and 23 deletions
|
|
@ -13,6 +13,7 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
|
|
@ -396,6 +397,10 @@ func cloneRequest(r *http.Request, authHeader *AuthHeader) *http.Request {
|
|||
func (c *Center) checkSign(ctx context.Context, authHeader *AuthHeader, box *accessbox.Box, request *http.Request, signatureDateTime time.Time) error {
|
||||
var signature string
|
||||
|
||||
if !slices.Contains(authHeader.SignedFields, "x-amz-content-sha256") && authHeader.PayloadHash == "" {
|
||||
authHeader.PayloadHash = UnsignedPayload
|
||||
}
|
||||
|
||||
switch authHeader.Preamble {
|
||||
case signaturePreambleSigV4:
|
||||
creds := aws.Credentials{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue