From 002c427e7d4f722d24672d2ebbd8dfd4318996e5 Mon Sep 17 00:00:00 2001 From: Ben McClelland Date: Wed, 7 Jun 2023 08:37:14 -0700 Subject: [PATCH] fix signature check when content length not included --- cmd/versitygw/main.go | 10 ++++++++++ go.mod | 2 +- s3api/middlewares/authentication.go | 10 +++++++--- s3api/server.go | 8 +++++++- s3api/utils/utils.go | 6 ++++++ 5 files changed, 31 insertions(+), 5 deletions(-) diff --git a/cmd/versitygw/main.go b/cmd/versitygw/main.go index 3f7b6b4..28ef013 100644 --- a/cmd/versitygw/main.go +++ b/cmd/versitygw/main.go @@ -34,6 +34,7 @@ var ( adminSecret string region string certFile, keyFile string + debug bool ) var ( @@ -119,6 +120,11 @@ func initFlags() []cli.Flag { Usage: "TLS key file", Destination: &keyFile, }, + &cli.BoolFlag{ + Name: "debug", + Usage: "enable debug output", + Destination: &debug, + }, } } @@ -145,6 +151,10 @@ func runGateway(be backend.Backend) error { opts = append(opts, s3api.WithTLS(cert)) } + if debug { + opts = append(opts, s3api.WithDebug()) + } + srv, err := s3api.New(app, be, port, middlewares.AdminConfig{ AdminAccess: adminAccess, diff --git a/go.mod b/go.mod index d79b4f2..137e872 100644 --- a/go.mod +++ b/go.mod @@ -5,6 +5,7 @@ go 1.20 require ( github.com/aws/aws-sdk-go-v2 v1.18.0 github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1 + github.com/aws/smithy-go v1.13.5 github.com/gofiber/fiber/v2 v2.46.0 github.com/google/uuid v1.3.0 github.com/pkg/xattr v0.4.9 @@ -23,7 +24,6 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect - github.com/aws/smithy-go v1.13.5 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/klauspost/compress v1.16.5 // indirect github.com/mattn/go-colorable v0.1.13 // indirect diff --git a/s3api/middlewares/authentication.go b/s3api/middlewares/authentication.go index 186b524..10ede7f 100644 --- a/s3api/middlewares/authentication.go +++ b/s3api/middlewares/authentication.go @@ -17,11 +17,13 @@ package middlewares import ( "crypto/sha256" "encoding/hex" + "os" "strings" "time" "github.com/aws/aws-sdk-go-v2/aws" v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/smithy-go/logging" "github.com/gofiber/fiber/v2" "github.com/versity/versitygw/backend/auth" "github.com/versity/versitygw/s3api/controllers" @@ -39,7 +41,7 @@ type AdminConfig struct { Region string } -func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler { +func VerifyV4Signature(config AdminConfig, iam auth.IAMService, debug bool) fiber.Handler { acct := accounts{ admin: config, iam: iam, @@ -115,8 +117,10 @@ func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler { AccessKeyID: creds[0], SecretAccessKey: secret, }, req, hexPayload, creds[3], config.Region, tdate, func(options *v4.SignerOptions) { - //options.LogSigning = true - //options.Logger = logging.NewStandardLogger(os.Stdout) + if debug { + options.LogSigning = true + options.Logger = logging.NewStandardLogger(os.Stderr) + } }) if signErr != nil { return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrInternalError)) diff --git a/s3api/server.go b/s3api/server.go index adfcc79..d1dcbfb 100644 --- a/s3api/server.go +++ b/s3api/server.go @@ -30,6 +30,7 @@ type S3ApiServer struct { router *S3ApiRouter port string cert *tls.Certificate + debug bool } func New(app *fiber.App, be backend.Backend, port string, adminUser middlewares.AdminConfig, iam auth.IAMService, opts ...Option) (*S3ApiServer, error) { @@ -44,7 +45,7 @@ func New(app *fiber.App, be backend.Backend, port string, adminUser middlewares. opt(server) } - app.Use(middlewares.VerifyV4Signature(adminUser, iam)) + app.Use(middlewares.VerifyV4Signature(adminUser, iam, server.debug)) app.Use(logger.New()) app.Use(middlewares.VerifyMD5Body()) server.router.Init(app, be) @@ -59,6 +60,11 @@ func WithTLS(cert tls.Certificate) Option { return func(s *S3ApiServer) { s.cert = &cert } } +// WithDebug sets debug output +func WithDebug() Option { + return func(s *S3ApiServer) { s.debug = true } +} + func (sa *S3ApiServer) Serve() (err error) { if sa.cert != nil { return sa.app.ListenTLSWithCertificate(sa.port, *sa.cert) diff --git a/s3api/utils/utils.go b/s3api/utils/utils.go index 8112ad4..8e2ff35 100644 --- a/s3api/utils/utils.go +++ b/s3api/utils/utils.go @@ -54,6 +54,12 @@ func CreateHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string) (*http.Reques } }) + // Check if Content-Length in signed headers + // If content length is non 0, then the header will be included + if !includeHeader("Content-Length", signedHdrs) { + httpReq.ContentLength = 0 + } + // Set the Host header httpReq.Host = string(req.Header.Host())