forked from TrueCloudLab/frostfs-s3-gw
[#607] Support sigV4a streaming with trailers
Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>
This commit is contained in:
parent
5e9c562683
commit
a53e50b324
3 changed files with 217 additions and 69 deletions
|
|
@ -7,6 +7,8 @@ import (
|
|||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
v4a "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth/signer/v4asdk2"
|
||||
|
|
@ -20,10 +22,12 @@ type (
|
|||
reader *bufio.Reader
|
||||
streamSigner *v4a.StreamSigner
|
||||
|
||||
requestTime time.Time
|
||||
buffer []byte
|
||||
offset int
|
||||
err error
|
||||
trailerHeaders []string
|
||||
trailers map[string]string
|
||||
requestTime time.Time
|
||||
buffer []byte
|
||||
offset int
|
||||
err error
|
||||
}
|
||||
)
|
||||
|
||||
|
|
@ -87,21 +91,9 @@ func (c *s3v4aChunkReader) Read(buf []byte) (num int, err error) {
|
|||
c.err = errMalformedChunkedEncoding
|
||||
return num, c.err
|
||||
}
|
||||
b, err := c.reader.ReadByte()
|
||||
if err != nil {
|
||||
return c.handleErr(num, err)
|
||||
}
|
||||
if b != '\r' {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return num, c.err
|
||||
}
|
||||
b, err = c.reader.ReadByte()
|
||||
if err != nil {
|
||||
return c.handleErr(num, err)
|
||||
}
|
||||
if b != '\n' {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return num, c.err
|
||||
|
||||
if err = c.readCRLF(); err != nil {
|
||||
return num, err
|
||||
}
|
||||
|
||||
if cap(c.buffer) < size {
|
||||
|
|
@ -119,19 +111,6 @@ func (c *s3v4aChunkReader) Read(buf []byte) (num int, err error) {
|
|||
c.err = err
|
||||
return num, c.err
|
||||
}
|
||||
b, err = c.reader.ReadByte()
|
||||
if b != '\r' || err != nil {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return num, c.err
|
||||
}
|
||||
b, err = c.reader.ReadByte()
|
||||
if err != nil {
|
||||
return c.handleErr(num, err)
|
||||
}
|
||||
if b != '\n' {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return num, c.err
|
||||
}
|
||||
|
||||
// Once we have read the entire chunk successfully, we verify
|
||||
// that the received signature is valid.
|
||||
|
|
@ -150,10 +129,23 @@ func (c *s3v4aChunkReader) Read(buf []byte) (num int, err error) {
|
|||
// If the chunk size is zero we return io.EOF. As specified by AWS,
|
||||
// only the last chunk is zero-sized.
|
||||
if size == 0 {
|
||||
if len(c.trailerHeaders) != 0 {
|
||||
if err = c.readTrailers(); err != nil {
|
||||
c.err = err
|
||||
return num, c.err
|
||||
}
|
||||
} else if err = c.readCRLF(); err != nil {
|
||||
return num, err
|
||||
}
|
||||
|
||||
c.err = io.EOF
|
||||
return num, c.err
|
||||
}
|
||||
|
||||
if err = c.readCRLF(); err != nil {
|
||||
return num, err
|
||||
}
|
||||
|
||||
c.offset = copy(buf, c.buffer)
|
||||
num += c.offset
|
||||
return num, err
|
||||
|
|
@ -168,10 +160,77 @@ func (c *s3v4aChunkReader) handleErr(num int, err error) (int, error) {
|
|||
return num, c.err
|
||||
}
|
||||
|
||||
func (c *s3v4aChunkReader) TrailerHeaders() map[string]string {
|
||||
func (c *s3v4aChunkReader) readCRLF() error {
|
||||
for _, ch := range [2]byte{'\r', '\n'} {
|
||||
b, err := c.reader.ReadByte()
|
||||
if err == io.EOF {
|
||||
err = io.ErrUnexpectedEOF
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
c.err = err
|
||||
return c.err
|
||||
}
|
||||
if b != ch {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return c.err
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *s3v4aChunkReader) readTrailers() error {
|
||||
var k, v []byte
|
||||
var err error
|
||||
for err == nil {
|
||||
k, err = c.reader.ReadBytes(':')
|
||||
if err != nil {
|
||||
if err == io.EOF {
|
||||
break
|
||||
}
|
||||
c.err = errMalformedTrailerHeaders
|
||||
return c.err
|
||||
}
|
||||
v, err = c.reader.ReadBytes('\n')
|
||||
if err != nil && err != io.EOF {
|
||||
c.err = errMalformedTrailerHeaders
|
||||
return c.err
|
||||
}
|
||||
if len(v) >= 2 && v[len(v)-2] == '\r' {
|
||||
v[len(v)-2] = '\n'
|
||||
v = v[:len(v)-1]
|
||||
}
|
||||
|
||||
switch {
|
||||
case slices.Contains(c.trailerHeaders, string(k[:len(k)-1])):
|
||||
c.buffer = append(append(c.buffer, k...), v...) // todo use copy
|
||||
case string(k) == "x-amz-trailer-signature:":
|
||||
n, err := hex.Decode(v[:], bytes.TrimRight(v[:], "*\n"))
|
||||
if err != nil {
|
||||
c.err = errMalformedChunkedEncoding
|
||||
return c.err
|
||||
}
|
||||
|
||||
if err = c.streamSigner.VerifyTrailerSignature(c.buffer, c.requestTime, v[:n]); err != nil {
|
||||
c.err = fmt.Errorf("%w: %s", errs.GetAPIError(errs.ErrSignatureDoesNotMatch), err.Error())
|
||||
return c.err
|
||||
}
|
||||
default:
|
||||
c.err = errMalformedTrailerHeaders
|
||||
return c.err
|
||||
}
|
||||
|
||||
c.trailers[string(k[:len(k)-1])] = string(v[:len(v)-1])
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *s3v4aChunkReader) TrailerHeaders() map[string]string {
|
||||
return c.trailers
|
||||
}
|
||||
|
||||
func newSignV4aChunkedReader(req *http.Request) (*s3v4aChunkReader, error) {
|
||||
box, err := middleware.GetBoxData(req.Context())
|
||||
if err != nil {
|
||||
|
|
@ -204,10 +263,18 @@ func newSignV4aChunkedReader(req *http.Request) (*s3v4aChunkReader, error) {
|
|||
|
||||
newStreamSigner := v4a.NewStreamSigner(creds, "s3", seed)
|
||||
|
||||
var trailerHeaders []string
|
||||
trailer := req.Header.Get("x-amz-trailer")
|
||||
if trailer != "" {
|
||||
trailerHeaders = strings.Split(trailer, ";")
|
||||
}
|
||||
|
||||
return &s3v4aChunkReader{
|
||||
reader: bufio.NewReader(req.Body),
|
||||
streamSigner: newStreamSigner,
|
||||
requestTime: reqTime,
|
||||
buffer: make([]byte, 64*1024),
|
||||
reader: bufio.NewReader(req.Body),
|
||||
streamSigner: newStreamSigner,
|
||||
requestTime: reqTime,
|
||||
buffer: make([]byte, 64*1024),
|
||||
trailerHeaders: trailerHeaders,
|
||||
trailers: make(map[string]string, len(trailerHeaders)),
|
||||
}, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue