[#339] v4: Don't duplicate content-length as signed header

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
2024-12-10 15:04:31 +03:00 · 2024-12-10 15:04:31 +03:00 · 9395b5f39d
commit 9395b5f39d
parent 11c1a86404
3 changed files with 54 additions and 10 deletions
--- a/api/auth/center_test.go
+++ b/api/auth/center_test.go
@ -139,6 +139,45 @@ Testing with the {sdk-java}
 	require.NoError(t, err)
 }

+func TestSignatureV4(t *testing.T) {
+	signer := v4.NewSigner(func(options *v4.SignerOptions) {
+		options.DisableURIPathEscaping = true
+		options.Logger = zaptest.NewLogger(t)
+		options.LogSigning = true
+	})
+
+	creds := aws.Credentials{
+		AccessKeyID:     "9CBEGH8T9XfLin2pg7LG8ZxBH1PnZc1yoioViKngrUnu0CbC2mcjpcw9t4Y7AS6zsF5cJGkDhXAx5hxFDKwfZzgj7",
+		SecretAccessKey: "8742218da7f905de24f633f44efe02f82c6d2a317ed6f99592627215d17816e3",
+	}
+
+	bodyStr := `tmp2
+`
+	body := bytes.NewBufferString(bodyStr)
+
+	req, err := http.NewRequest("PUT", "http://localhost:8084/main/tmp2", body)
+	require.NoError(t, err)
+	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=9CBEGH8T9XfLin2pg7LG8ZxBH1PnZc1yoioViKngrUnu0CbC2mcjpcw9t4Y7AS6zsF5cJGkDhXAx5hxFDKwfZzgj7/20241210/ru/s3/aws4_request, SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date, Signature=945664a5bccfd37a1167ca5e718e2b883f68a7ccf7f1044768e7fe58b737b7ed")
+	req.Header.Set("Content-Length", "5")
+	req.Header.Set("User-Agent", "aws-cli/2.13.2 Python/3.11.4 Linux/6.4.5-x64v1-xanmod1 exe/x86_64.debian.11 prompt/off command/s3api.put-object")
+	req.Header.Set("Content-MD5", "DstU4KxdzBj5jTGltfyqgA==")
+	req.Header.Set("Expect", "101-continue")
+	req.Header.Set("X-Amz-Content-Sha256", "1f9b7417ee5445c41dbe904c3651eb0ba1c12fecff16c1bccd8df3db6e390b5f")
+	req.Header.Set("X-Amz-Date", "20241210T114611Z")
+
+	service := "s3"
+	region := "ru"
+	signature := "945664a5bccfd37a1167ca5e718e2b883f68a7ccf7f1044768e7fe58b737b7ed"
+	signingTime, err := time.Parse("20060102T150405Z", "20241210T114611Z")
+	require.NoError(t, err)
+	cloned := cloneRequest(req, &AuthHeader{SignedFields: []string{"content-md5", "host", "x-amz-content-sha256", "x-amz-date"}})
+
+	err = signer.SignHTTP(cloned.Context(), creds, cloned, "1f9b7417ee5445c41dbe904c3651eb0ba1c12fecff16c1bccd8df3db6e390b5f", service, region, signingTime)
+	require.NoError(t, err)
+	signatureComputed := NewRegexpMatcher(AuthorizationFieldRegexp).GetSubmatches(cloned.Header.Get(AuthorizationHdr))["v4_signature"]
+	require.Equal(t, signature, signatureComputed, "signature mismatched")
+}
+
 func TestCheckFormatContentSHA256(t *testing.T) {
 	defaultErr := errors.GetAPIError(errors.ErrContentSHA256Mismatch)