diff --git a/s3api/admin-router.go b/s3api/admin-router.go
index fde1902..5704220 100644
--- a/s3api/admin-router.go
+++ b/s3api/admin-router.go
@@ -35,42 +35,42 @@ func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMSe // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(ctrl.CreateUser, metrics.ActionAdminCreateUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(ctrl.DeleteUser, metrics.ActionAdminDeleteUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(ctrl.UpdateUser, metrics.ActionAdminUpdateUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(ctrl.ListUsers, metrics.ActionAdminListUsers, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(ctrl.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(ctrl.ListBuckets, metrics.ActionAdminListBuckets, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), 
middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } diff --git a/s3api/controllers/bucket-put.go b/s3api/controllers/bucket-put.go index 3ca0765..6c4d30e 100644 --- a/s3api/controllers/bucket-put.go +++ b/s3api/controllers/bucket-put.go @@ -15,7 +15,6 @@ package controllers import ( - "bytes" "encoding/xml" "errors" "fmt" @@ -271,37 +270,6 @@ func (c S3ApiController) PutBucketCors(ctx *fiber.Ctx) (*Response, error) { }, err } - algo, checksusms, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx) - if err != nil { - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - - if algo != "" { - rdr, err := utils.NewHashReader(bytes.NewReader(body), checksusms[algo], utils.HashType(strings.ToLower(string(algo)))) - if err != nil { - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - - // Pass the same body to avoid data duplication - _, err = rdr.Read(body) - if err != nil { - debuglogger.Logf("failed to read hash calculation data: %v", err) - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - } - err = c.be.PutBucketCors(ctx.Context(), bucket, body) return &Response{ MetaOpts: &MetaOptions{ diff --git a/s3api/controllers/bucket-put_test.go b/s3api/controllers/bucket-put_test.go index 9555bd2..1d37ecb 100644 --- a/s3api/controllers/bucket-put_test.go +++ b/s3api/controllers/bucket-put_test.go @@ -528,22 +528,6 @@ func TestS3ApiController_PutBucketCors(t *testing.T) { err: s3err.GetUnsopportedCORSMethodErr("invalid_method"), }, }, - { - name: "invalid checksum algo", - input: testInput{ - locals: defaultLocals, - body: validBody, - headers: map[string]string{ - "X-Amz-Sdk-Checksum-Algorithm": "invalid_algo", - }, - }, - output: testOutput{ - response: &Response{ - MetaOpts: &MetaOptions{BucketOwner: "root"}, - }, - err: s3err.GetAPIError(s3err.ErrInvalidChecksumAlgorithm), - }, - }, { name: "backend error", input: testInput{ 
diff --git a/s3api/middlewares/authentication.go b/s3api/middlewares/authentication.go
index 1c2fb55..321e40a 100644
--- a/s3api/middlewares/authentication.go
+++ b/s3api/middlewares/authentication.go
@@ -37,7 +37,7 @@ type RootUserConfig struct {
 Secret string
 }
 
-func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool) fiber.Handler {
+func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool, requireContentSha256 bool) fiber.Handler {
 acct := accounts{root: root, iam: iam}
 
 return func(ctx *fiber.Ctx) error {
@@ -109,6 +109,9 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string,
 }
 
 hashPayload := ctx.Get("X-Amz-Content-Sha256")
+ if requireContentSha256 && hashPayload == "" {
+ return s3err.GetAPIError(s3err.ErrMissingContentSha256)
+ }
 if !utils.IsValidSh256PayloadHeader(hashPayload) {
 return s3err.GetAPIError(s3err.ErrInvalidSHA256Paylod)
 }
diff --git a/s3api/middlewares/checksum.go b/s3api/middlewares/checksum.go
new file mode 100644
index 0000000..9ca1253
--- /dev/null
+++ b/s3api/middlewares/checksum.go
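Review bot: `VerifyV4Signature` gains a fifth positional boolean with no doc comment, and every call site in router.go and admin-router.go now reads `VerifyV4Signature(root, iam, region, false, true)`, where neither literal says what it controls. Add a comment above the signature such as `// VerifyV4Signature authenticates SigV4-signed requests. When requireContentSha256 is set, a request without an X-Amz-Content-Sha256 header is rejected with ErrMissingContentSha256 before the payload-hash header is validated.` A named option or a small options struct at the call sites would make the `false, true` pairs self-describing. When requireContentSha256 is false the empty header still flows into `utils.IsValidSh256PayloadHeader`; whether that helper accepts an empty string is not visible here, so confirm the HeadBucket route, the only caller passing `false`, is not rejected by it. The function body continues outside both hunks.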
@@ -0,0 +1,121 @@
+// Copyright 2023 Versity Software
+// This file is licensed under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package middlewares
+
+import (
+ "bytes"
+ "encoding/base64"
+ "io"
+ "strings"
+
+ "github.com/gofiber/fiber/v2"
+ "github.com/versity/versitygw/s3api/utils"
+ "github.com/versity/versitygw/s3err"
+)
+
+// VerifyChecksums parses, validates, and calculates the
+// Content-MD5 and x-amz-checksum-* headers.
+// Additionally, it ensures that the request body is not empty
+// for actions that require a non-empty body. For large data actions(PutObject, UploadPart),
+// it wraps the body reader to handle Content-MD5:
+// the x-amz-checksum-* headers are explicitly processed by the backend.
+func VerifyChecksums(streamBody bool, requireBody bool, requireChecksum bool) fiber.Handler {
+ return func(ctx *fiber.Ctx) error {
+ md5sum := ctx.Get("Content-Md5")
+
+ if streamBody {
+ // for large data actions(PutObject, UploadPart)
+ // only stack the md5 reader,as x-amz-checksum-*
+ // calculation is explicitly handled in back-end
+ if md5sum == "" {
+ return nil
+ }
+
+ if !isValidMD5(md5sum) {
+ return s3err.GetAPIError(s3err.ErrInvalidDigest)
+ }
+
+ var err error
+ wrapBodyReader(ctx, func(r io.Reader) io.Reader {
+ r, err = utils.NewHashReader(r, md5sum, utils.HashTypeMd5)
+ return r
+ })
+ if err != nil {
+ return err
+ }
+ return nil
+ }
+
+ body := ctx.Body()
+ if requireBody && len(body) == 0 {
+ return s3err.GetAPIError(s3err.ErrMissingRequestBody)
+ }
+
+ var rdr io.Reader
+ var err error
+ if md5sum != "" {
+ if !isValidMD5(md5sum) {
+ return s3err.GetAPIError(s3err.ErrInvalidDigest)
+ }
+
+ rdr, err = utils.NewHashReader(bytes.NewReader(body), md5sum, utils.HashTypeMd5)
+ if err != nil {
+ return err
+ }
+ }
+
+ // parse and validate checksum headers
+ algo, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx)
+ if err != nil {
+ return err
+ }
+
+ if algo != "" {
+ r, err := utils.NewHashReader(bytes.NewReader(body), checksums[algo], utils.HashType(strings.ToLower(string(algo))))
+ if err != nil {
+ return err
+ }
+
+ if rdr != nil {
+ // combine both md5 and the checksum readers
+ rdr = io.MultiReader(rdr, r)
+ } else {
+ rdr = r
+ }
+ }
+
+ if rdr == nil && requireChecksum {
+ return s3err.GetAPIError(s3err.ErrChecksumRequired)
+ }
+
+ if rdr != nil {
+ _, err = io.Copy(io.Discard, rdr)
+ if err != nil {
+ return err
+ }
+ }
+
+ return nil
+ }
+}
+
+func isValidMD5(s string) bool {
+ decoded, err := base64.StdEncoding.DecodeString(s)
+ if err != nil {
+ return false
+ }
+
+ return len(decoded) == 16
+}
diff --git a/s3api/middlewares/md5.go b/s3api/middlewares/md5.go
deleted file mode 100644
index b967560..0000000
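Review bot: In `VerifyChecksums` the `streamBody` branch returns before `requireBody` and `requireChecksum` are ever consulted, so both arguments are silently ignored on streaming routes, and the inline comment explains only the x-amz-checksum-* half of that. Either say so in the doc comment, e.g. `// requireBody and requireChecksum are ignored when streamBody is true: the body is not buffered, so neither can be checked here.`, or reject that argument combination explicitly. The `invalid checksum algo` case deleted from bucket-put_test.go has no replacement in this diff, so the non-streaming path (`ParseChecksumHeadersAndSdkAlgo`, the `io.MultiReader` combination, `ErrChecksumRequired`) appears untested unless a checksum_test.go exists outside it. Whether `utils.NewHashReader` compares the digest on EOF so that `io.Copy(io.Discard, rdr)` surfaces a mismatch as an error is not visible here; if it does not, the drain verifies nothing, so a unit test with a deliberately wrong Content-MD5 would settle it.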
--- a/s3api/middlewares/md5.go
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright 2023 Versity Software
-// This file is licensed under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package middlewares
-
-import (
- "crypto/md5"
- "encoding/base64"
- "io"
-
- "github.com/gofiber/fiber/v2"
- "github.com/versity/versitygw/s3api/utils"
- "github.com/versity/versitygw/s3err"
-)
-
-func VerifyMD5Body(streamBody bool) fiber.Handler {
- return func(ctx *fiber.Ctx) error {
- incomingSum := ctx.Get("Content-Md5")
- if incomingSum == "" {
- return nil
- }
-
- if !isValidMD5(incomingSum) {
- return s3err.GetAPIError(s3err.ErrInvalidDigest)
- }
-
- if streamBody {
- var err error
- wrapBodyReader(ctx, func(r io.Reader) io.Reader {
- r, err = utils.NewHashReader(r, incomingSum, utils.HashTypeMd5)
- return r
- })
- if err != nil {
- return err
- }
- return nil
- }
-
- sum := md5.Sum(ctx.Body())
- calculatedSum := utils.Base64SumString(sum[:])
-
- if incomingSum != calculatedSum {
- return s3err.GetAPIError(s3err.ErrBadDigest)
- }
-
- return nil
- }
-}
-
-func isValidMD5(s string) bool {
- decoded, err := base64.StdEncoding.DecodeString(s)
- if err != nil {
- return false
- }
-
- return len(decoded) == 16
-}
diff --git a/s3api/middlewares/public-bucket.go b/s3api/middlewares/public-bucket.go
index b3adcea..0e58066 100644
--- a/s3api/middlewares/public-bucket.go
+++ b/s3api/middlewares/public-bucket.go
@@ -103,13 +103,15 @@ func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPerm
 }
 }
 
- // Calculate the hash of the request payload
- hashedPayload := sha256.Sum256(ctx.Body())
- hexPayload := hex.EncodeToString(hashedPayload[:])
+ if payloadHash != "" {
+ // Calculate the hash of the request payload
+ hashedPayload := sha256.Sum256(ctx.Body())
+ hexPayload := hex.EncodeToString(hashedPayload[:])
 
- // Compare the calculated hash with the hash provided
- if payloadHash != hexPayload {
- return s3err.GetAPIError(s3err.ErrContentSHA256Mismatch)
+ // Compare the calculated hash with the hash provided
+ if payloadHash != hexPayload {
+ return s3err.GetAPIError(s3err.ErrContentSHA256Mismatch)
+ }
 }
 
 return nil
diff --git a/s3api/router.go b/s3api/router.go
index 27fd50a..814a3ac 100644
--- a/s3api/router.go
+++ b/s3api/router.go
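Review bot: The new `if payloadHash != ""` guard means a request that omits X-Amz-Content-Sha256 no longer has its body hashed at all in `AuthorizePublicBucketAccess`, and nothing at the guard records why that is acceptable; the function starts outside the hunk and where `payloadHash` is read is not visible. Put the rationale on the guard, e.g. `// No X-Amz-Content-Sha256 supplied: there is nothing to compare the body against. Signed requests are required to send it by VerifyV4Signature(requireContentSha256).` For unsigned callers nothing binds the header to the body, so this comparison was only an integrity check rather than authentication, which is presumably why an absent header can be tolerated; that reasoning belongs in the comment so a later reader does not treat the skip as a bypass.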
@@ -42,42 +42,42 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(adminController.CreateUser, metrics.ActionAdminCreateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(adminController.DeleteUser, metrics.ActionAdminDeleteUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(adminController.UpdateUser, metrics.ActionAdminUpdateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(adminController.ListUsers, metrics.ActionAdminListUsers, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(adminController.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(adminController.ListBuckets, metrics.ActionAdminListBuckets, adminServices, - middlewares.VerifyV4Signature(root, iam, 
region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } @@ -96,7 +96,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ services, middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListAllMyBuckets, "", auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), )) bucketRouter := app.Group("/:bucket") @@ -112,8 +112,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ParseAcl(be), middlewares.ApplyBucketCORS(be), )) @@ -126,8 +126,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -140,8 +140,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketVersioning, auth.PutBucketVersioningAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -154,8 +154,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLockConfiguration, auth.PutBucketObjectLockConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -168,8 +168,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -182,8 +182,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -196,8 +196,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAcl, auth.PutBucketAclAction, auth.PermissionWriteAcp, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -210,8 +210,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
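Review bot: From the `PutBucketAnalyticsConfiguration` route in this hunk onward, and in the following hunks for encryption, intelligent tiering, inventory, lifecycle, logging, request payment, metrics, replication, public access block, notification, accelerate and website, `VerifyMD5Body(false)` is removed with no `VerifyChecksums` replacement, so a Content-MD5 header sent on those requests is no longer validated at all. If those handlers are not-implemented stubs the loss is harmless, but that is not visible here; otherwise add `middlewares.VerifyChecksums(false, false, false),` after the `VerifyV4Signature` line on each so a supplied digest is still checked and a malformed one still yields `ErrInvalidDigest`. PutBucketPolicy and PutBucketAcl in this same line get `VerifyChecksums(false, false, false)`, which lets an empty body through to the controller; for PutBucketPolicy confirm the handler rejects an empty document, and a one-line comment beside each literal saying why no body or checksum is required would spare the next reader that check.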
@@ -224,8 +223,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -238,8 +236,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -252,8 +249,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -266,8 +262,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLifecycleConfiguration, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -280,8 +275,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLogging, auth.PutBucketLoggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -294,8 +288,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketRequestPayment, auth.PutBucketRequestPaymentAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -308,8 +301,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -322,8 +314,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -336,8 +327,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutPublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -350,8 +340,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketNotificationConfiguration, auth.PutBucketNotificationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -364,8 +353,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAccelerateConfiguration, auth.PutAccelerateConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -378,8 +366,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -391,8 +378,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateBucket, auth.CreateBucketAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), )) @@ -406,7 +393,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadBucket, auth.ListBucketAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -421,7 +408,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
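Review bot: HeadBucket is the only route wired with `VerifyV4Signature(root, iam, region, false, false)`, and nothing at the call site records why it is exempt from the X-Amz-Content-Sha256 requirement every other route in this file now enforces. Put the reason beside the literal, e.g. `// HEAD carries no payload: X-Amz-Content-Sha256 is optional here`, so the next route added with `false` has a documented precedent to compare against.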
@@ -434,7 +421,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -447,7 +434,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -460,7 +447,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -473,7 +460,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -486,7 +473,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -499,7 +486,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -512,7 +499,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -525,7 +512,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketLifecycle, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -538,7 +525,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -551,7 +538,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -564,7 +551,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeletePublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -577,7 +564,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) 
@@ -589,7 +576,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucket, auth.DeleteBucketAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -604,7 +591,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLocation, auth.GetBucketLocationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ),
@@ -618,7 +605,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketTagging, auth.GetBucketTaggingAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -631,7 +618,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketOwnershipControls, auth.GetBucketOwnershipControlsAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -644,7 +631,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketVersioning, auth.GetBucketVersioningAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -657,7 +644,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicy, auth.GetBucketPolicyAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -670,7 +657,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketCors, auth.GetBucketCorsAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -683,7 +670,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLockConfiguration, auth.GetBucketObjectLockConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -696,7 +683,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAcl, auth.GetBucketAclAction, auth.PermissionReadAcp, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
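Review bot: The fifth argument to VerifyV4Signature is `false` for GetBucketAcl in hunk `@@ -696,7 +683,7 @@` and for HeadObject in hunk `@@ -1011,7 +998,7 @@`, while every other route in this file — including GetObjectAcl in hunk `@@ -1065,7 +1052,7 @@` — passes `true`, and nothing on the visible lines explains why bucket ACL and object ACL reads are verified differently. The parameter is defined outside this diff; the new ErrMissingContentSha256 error in s3err.go suggests it toggles rejection of a missing x-amz-content-sha256 header, but that is inferred, not shown. Each `false` call site deserves a one-line comment giving the reason for the exception (the flag's name is not visible here, so I cannot quote it), and replacing the two trailing positional bools with named options would stop the boolean-trap pattern from spreading across the router. The enclosing Init method starts and ends outside the hunk.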
@@ -709,7 +696,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListMultipartUploads, auth.ListBucketMultipartUploadsAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -722,7 +709,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectVersions, auth.ListBucketVersionsAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -735,7 +722,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicyStatus, auth.GetBucketPolicyStatusAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -748,7 +735,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -761,7 +748,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -774,7 +761,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -787,7 +774,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketIntelligentTieringConfiguration, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -800,7 +787,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketIntelligentTieringConfigurations, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -813,7 +800,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketInventoryConfiguration, auth.GetInventoryConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -826,7 +813,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketInventoryConfigurations, auth.GetInventoryConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -839,7 +826,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLifecycleConfiguration, auth.GetLifecycleConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -852,7 +839,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLogging, auth.GetBucketLoggingAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -865,7 +852,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketRequestPayment, auth.GetBucketRequestPaymentAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -878,7 +865,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketMetricsConfiguration, auth.GetMetricsConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -891,7 +878,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketMetricsConfigurations, auth.GetMetricsConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -904,7 +891,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketReplication, auth.GetReplicationConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -917,7 +904,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetPublicAccessBlock, auth.GetBucketPublicAccessBlockAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -930,7 +917,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketNotificationConfiguration, auth.GetBucketNotificationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -943,7 +930,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAccelerateConfiguration, auth.GetAccelerateConfigurationAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -956,7 +943,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketWebsite, auth.GetBucketWebsiteAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ParseAcl(be),
 ),
 )
@@ -969,7 +956,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectsV2, auth.ListBucketAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -981,7 +968,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjects, auth.ListBucketAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -996,8 +983,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjects, auth.DeleteObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, true, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1011,7 +998,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadObject, auth.GetObjectAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
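Review bot: `middlewares.VerifyChecksums(false, true, true)` in hunk `@@ -996,8 +983,8 @@` replaces the single-flag `VerifyMD5Body(false)` with three positional booleans, and the other call sites use four different combinations — `(false, false, false)` in hunks `@@ -1157`, `@@ -1172` and `@@ -1256`, `(false, false, true)` in `@@ -1228` and `@@ -1242`, `(true, false, false)` in `@@ -1284` and `@@ -1322` — so which routes require a Content-MD5 or x-amz-checksum-* header can no longer be read from the router itself. This matters because the router is where the per-route checksum policy is set, and the new ErrChecksumRequired error in s3err.go suggests that some of these combinations now reject requests that previously passed. The signature is outside this diff, so I cannot quote the parameter names, but each call site should either use named options or carry a comment naming the flags in order, along the lines of this constructed example: `middlewares.VerifyChecksums(false /* <flag 1> */, true /* <flag 2> */, true /* <flag 3> */),`. The enclosing Init method starts and ends outside the hunk.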
@@ -1026,7 +1013,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectTagging, auth.GetObjectTaggingAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1039,7 +1026,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectRetention, auth.GetObjectRetentionAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1052,7 +1039,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLegalHold, auth.GetObjectLegalHoldAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1065,7 +1052,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAcl, auth.GetObjectAclAction, auth.PermissionReadAcp, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1078,7 +1065,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAttributes, auth.GetObjectAttributesAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1091,7 +1078,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListParts, auth.ListMultipartUploadPartsAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1103,7 +1090,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObject, auth.GetObjectAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1118,7 +1105,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjectTagging, auth.DeleteObjectTaggingAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1131,7 +1118,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionAbortMultipartUpload, auth.AbortMultipartUploadAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1143,7 +1130,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObject, auth.DeleteObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1157,8 +1144,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionRestoreObject, auth.RestoreObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1172,8 +1159,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionSelectObjectContent, auth.GetObjectAction, auth.PermissionRead, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1186,7 +1173,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCompleteMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1199,7 +1186,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1214,8 +1201,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectTagging, auth.PutObjectTaggingAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, true, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1228,8 +1215,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectRetention, auth.PutObjectRetentionAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1242,8 +1229,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLegalHold, auth.PutObjectLegalHoldAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1256,8 +1243,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectAcl, auth.PutObjectAclAction, auth.PermissionWriteAcp, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
- middlewares.VerifyMD5Body(false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
+ middlewares.VerifyChecksums(false, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1271,7 +1258,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPartCopy, auth.PutObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1284,8 +1271,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPart, auth.PutObjectAction, auth.PermissionWrite, true),
 middlewares.VerifyPresignedV4Signature(root, iam, region, true),
- middlewares.VerifyV4Signature(root, iam, region, true),
- middlewares.VerifyMD5Body(true),
+ middlewares.VerifyV4Signature(root, iam, region, true, true),
+ middlewares.VerifyChecksums(true, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1310,7 +1297,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCopyObject, auth.PutObjectAction, auth.PermissionWrite, false),
 middlewares.VerifyPresignedV4Signature(root, iam, region, false),
- middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false, true),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1322,8 +1309,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 middlewares.BucketObjectNameValidator(),
 middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObject, auth.PutObjectAction, auth.PermissionWrite, true),
 middlewares.VerifyPresignedV4Signature(root, iam, region, true),
- middlewares.VerifyV4Signature(root, iam, region, true),
- middlewares.VerifyMD5Body(true),
+ middlewares.VerifyV4Signature(root, iam, region, true, true),
+ middlewares.VerifyChecksums(true, false, false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
diff --git a/s3api/utils/utils.go b/s3api/utils/utils.go
index 3e0022e..80d2a86 100644
--- a/s3api/utils/utils.go
+++ b/s3api/utils/utils.go
@@ -496,24 +496,6 @@ func ParseCompleteMpChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) {
 return checksums, nil
 }
 
-// ParseChecksumHeaders parses/validates x-amz-checksum-x headers key/values
-func ParseChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) {
- // first parse/validate 'x-amz-checksum-x' headers
- checksums, err := ParseCalculatedChecksumHeaders(ctx)
- if err != nil {
- return checksums, err
- }
-
- // check if the values are valid
- for al, val := range checksums {
- if !IsValidChecksum(val, al) {
- return checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al))))
- }
- }
-
- return checksums, nil
-}
-
 // ParseChecksumHeadersAndSdkAlgo parses/validates 'x-amz-sdk-checksum-algorithm' and
 // 'x-amz-checksum-x' precalculated request headers
 func ParseChecksumHeadersAndSdkAlgo(ctx *fiber.Ctx) (types.ChecksumAlgorithm, ChecksumValues, error) {
@@ -529,14 +511,25 @@ func ParseChecksumHeadersAndSdkAlgo(ctx *fiber.Ctx) (types.ChecksumAlgorithm, Ch
 return sdkAlgorithm, checksums, err
 }
 
- for al, val := range checksums {
- if !IsValidChecksum(val, al) {
- return sdkAlgorithm, checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al))))
+ if len(checksums) == 0 && sdkAlgorithm != "" {
+ if ctx.Get("X-Amz-Trailer") == "" {
+ // This is a special case when x-amz-trailer is there
+ // it means the upload is done with chunked encoding
+ // where the checksum verification is handled in the chunk reader
+ debuglogger.Logf("'x-amz-sdk-checksum-algorithm : %s' is used without corresponding x-amz-checksum-* header", sdkAlgorithm)
+ return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrChecksumSDKAlgoMismatch)
 }
+ }
+
+ for al, val := range checksums {
 // If any other checksum value is provided,
 // rather than x-amz-sdk-checksum-algorithm
 if sdkAlgorithm != "" && sdkAlgorithm != al {
- return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders)
+ return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrChecksumSDKAlgoMismatch)
+ }
+
+ if !IsValidChecksum(val, al) {
+ return sdkAlgorithm, checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al))))
 }
 sdkAlgorithm = al
 }
diff --git a/s3err/s3err.go b/s3err/s3err.go
index 7a1e34c..bc5f999 100644
--- a/s3err/s3err.go
+++ b/s3err/s3err.go
@@ -156,7 +156,11 @@ const (
 ErrInvalidVersionId
 ErrNoSuchVersion
 ErrSuspendedVersioningNotAllowed
+ ErrMissingRequestBody
 ErrMultipleChecksumHeaders
+ ErrChecksumSDKAlgoMismatch
+ ErrChecksumRequired
+ ErrMissingContentSha256
 ErrInvalidChecksumAlgorithm
 ErrInvalidChecksumPart
 ErrChecksumTypeWithAlgo
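Review bot: When the client sends no x-amz-sdk-checksum-algorithm header but two x-amz-checksum-* headers, the rewritten loop in `@@ -529,14 +511,25 @@` now returns ErrChecksumSDKAlgoMismatch instead of the previous ErrMultipleChecksumHeaders: the first iteration executes `sdkAlgorithm = al`, so the second trips `sdkAlgorithm != al` and the client is told "x-amz-sdk-checksum-algorithm specified, but no corresponding ... headers were found" for a header it never sent — unless ParseCalculatedChecksumHeaders, which is outside the diff, already rejects multiple headers. Remembering whether the value came from the request, e.g. `fromHeader := sdkAlgorithm != ""` before the loop and returning ErrMultipleChecksumHeaders in that branch when `!fromHeader`, keeps the old error for the multi-header case. Because `checksums` is a map, which algorithm is reported by that branch and by the `GetInvalidChecksumHeaderErr` call also varies from request to request, so a test asserting the header name will be flaky. The three-line comment sits inside the `ctx.Get("X-Amz-Trailer") == ""` branch but describes the opposite case; moving it above the `if` and rewording it to `// No x-amz-checksum-* header and no x-amz-trailer: nothing can satisfy the requested algorithm. With a trailer the checksum is verified by the chunk reader instead.` would say what the code actually checks, and the trailer's value is not compared against sdkAlgorithm here, which is fine only if the chunk reader does so. ParseChecksumHeadersAndSdkAlgo starts and ends outside the hunk.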
@@ -673,6 +677,26 @@ var errorCodeResponse = map[ErrorCode]APIError{
 		Description: "An Object Lock configuration is present on this bucket, so the versioning state cannot be changed.",
 		HTTPStatusCode: http.StatusBadRequest,
 	},
+	ErrMissingRequestBody: {
+		Code: "MissingRequestBodyError",
+		Description: "Request Body is empty",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrChecksumSDKAlgoMismatch: {
+		Code: "InvalidRequest",
+		Description: "x-amz-sdk-checksum-algorithm specified, but no corresponding x-amz-checksum-* or x-amz-trailer headers were found.",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrChecksumRequired: {
+		Code: "InvalidRequest",
+		Description: "Missing required header for this request: Content-MD5 OR x-amz-checksum-*",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
+	ErrMissingContentSha256: {
+		Code: "InvalidRequest",
+		Description: "Missing required header for this request: x-amz-content-sha256",
+		HTTPStatusCode: http.StatusBadRequest,
+	},
 	ErrMultipleChecksumHeaders: {
 		Code: "InvalidRequest",
 		Description: "Expecting a single x-amz-checksum- header. Multiple checksum Types are not allowed.",
diff --git a/tests/integration/group-tests.go b/tests/integration/group-tests.go
index bfd6ee6..3a9e709 100644
--- a/tests/integration/group-tests.go
+++ b/tests/integration/group-tests.go
@@ -384,7 +384,6 @@ func TestUploadPart(ts *TestState) {
 	ts.Run(UploadPart_non_existing_mp_upload)
 	//TODO: remove the condition after implementing checksums in azure
 	if !ts.conf.azureTests {
-		ts.Run(UploadPart_checksum_algorithm_and_header_mismatch)
 		ts.Run(UploadPart_multiple_checksum_headers)
 		ts.Run(UploadPart_invalid_checksum_header)
 		ts.Run(UploadPart_checksum_algorithm_mistmatch_on_initialization)
@@ -606,7 +605,8 @@ func TestCORSMiddleware(ts *TestState) {
 
 func TestPutObjectLockConfiguration(ts *TestState) {
 	ts.Run(PutObjectLockConfiguration_non_existing_bucket)
-	ts.Run(PutObjectLockConfiguration_empty_config)
+	ts.Run(PutObjectLockConfiguration_empty_request_body)
+	ts.Run(PutObjectLockConfiguration_malformed_body)
 	if !ts.conf.versioningEnabled {
 		ts.Run(PutObjectLockConfiguration_not_enabled_on_bucket_creation)
 	}
@@ -1311,7 +1311,6 @@ func GetIntTests() IntTests {
 		"UploadPart_invalid_part_number": UploadPart_invalid_part_number,
 		"UploadPart_non_existing_key": UploadPart_non_existing_key,
 		"UploadPart_non_existing_mp_upload": UploadPart_non_existing_mp_upload,
-		"UploadPart_checksum_algorithm_and_header_mismatch": UploadPart_checksum_algorithm_and_header_mismatch,
 		"UploadPart_multiple_checksum_headers": UploadPart_multiple_checksum_headers,
 		"UploadPart_invalid_checksum_header": UploadPart_invalid_checksum_header,
 		"UploadPart_checksum_algorithm_mistmatch_on_initialization": UploadPart_checksum_algorithm_mistmatch_on_initialization,
@@ -1465,7 +1464,8 @@ func GetIntTests() IntTests {
 		"CORSMiddleware_access_forbidden": CORSMiddleware_access_forbidden,
 		"CORSMiddleware_access_granted": CORSMiddleware_access_granted,
 		"PutObjectLockConfiguration_non_existing_bucket": PutObjectLockConfiguration_non_existing_bucket,
-		"PutObjectLockConfiguration_empty_config": PutObjectLockConfiguration_empty_config,
+		"PutObjectLockConfiguration_empty_request_body": PutObjectLockConfiguration_empty_request_body,
+		"PutObjectLockConfiguration_malformed_body": PutObjectLockConfiguration_malformed_body,
 		"PutObjectLockConfiguration_not_enabled_on_bucket_creation": PutObjectLockConfiguration_not_enabled_on_bucket_creation,
 		"PutObjectLockConfiguration_invalid_status": PutObjectLockConfiguration_invalid_status,
 		"PutObjectLockConfiguration_invalid_mode": PutObjectLockConfiguration_invalid_mode,
diff --git a/tests/integration/tests.go b/tests/integration/tests.go
index dca5ebf..c277b8a 100644
--- a/tests/integration/tests.go
+++ b/tests/integration/tests.go
@@ -17,6 +17,7 @@ package integration
 import (
 	"bytes"
 	"context"
+	"crypto/md5"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
@@ -2709,7 +2710,18 @@ func PutBucketTagging_success_status(s *S3Conf) error {
 			return fmt.Errorf("err parsing tagging: %w", err)
 		}
 
-		req, err := createSignedReq(http.MethodPut, s.endpoint, fmt.Sprintf("%v?tagging=", bucket), s.awsID, s.awsSecret, "s3", s.awsRegion, taggingParsed, time.Now(), nil)
+		hasher := md5.New()
+		_, err = hasher.Write(taggingParsed)
+		if err != nil {
+			return err
+		}
+
+		sum := hasher.Sum(nil)
+		md5Sum := base64.StdEncoding.EncodeToString(sum)
+
+		req, err := createSignedReq(http.MethodPut, s.endpoint, fmt.Sprintf("%v?tagging=", bucket), s.awsID, s.awsSecret, "s3", s.awsRegion, taggingParsed, time.Now(), map[string]string{
+			"Content-Md5": md5Sum,
+		})
 		if err != nil {
 			return fmt.Errorf("err signing the request: %w", err)
 		}
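Review bot: `hasher.Write` on a hash.Hash never returns an error (the hash package documents that Write never fails), so the `md5.New()`/`Write`/`Sum` sequence with its error check collapses to `sum := md5.Sum(taggingParsed)` followed by `md5Sum := base64.StdEncoding.EncodeToString(sum[:])`. The same nine-line block is repeated verbatim in PutObjectLockConfiguration_malformed_body in the last hunk of this file; a small helper such as `func contentMD5(body []byte) string` would keep the two in sync as more tests gain a Content-MD5 header under the new checksum-required rule. PutBucketTagging_success_status starts and ends outside the hunk.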
@@ -9836,36 +9848,6 @@ func UploadPart_non_existing_mp_upload(s *S3Conf) error {
 	})
 }
 
-func UploadPart_checksum_algorithm_and_header_mismatch(s *S3Conf) error {
-	testName := "UploadPart_checksum_algorithm_and_header_mismatch"
-	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
-		obj := "my-obj"
-
-		mp, err := createMp(s3client, bucket, obj, withChecksum(types.ChecksumAlgorithmCrc32))
-		if err != nil {
-			return err
-		}
-
-		partNumber := int32(1)
-
-		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
-		_, err = s3client.UploadPart(ctx, &s3.UploadPartInput{
-			Bucket: &bucket,
-			Key: &obj,
-			ChecksumAlgorithm: types.ChecksumAlgorithmCrc32,
-			ChecksumCRC32C: getPtr("m0cB1Q=="),
-			PartNumber: &partNumber,
-			UploadId: mp.UploadId,
-		})
-		cancel()
-		if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders)); err != nil {
-			return err
-		}
-
-		return nil
-	})
-}
-
 func UploadPart_multiple_checksum_headers(s *S3Conf) error {
 	testName := "UploadPart_multiple_checksum_headers"
 	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
@@ -16387,6 +16369,15 @@ func PutObjectLockConfiguration_non_existing_bucket(s *S3Conf) error {
 		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
 		_, err := s3client.PutObjectLockConfiguration(ctx, &s3.PutObjectLockConfigurationInput{
 			Bucket: getPtr(getBucketName()),
+			ObjectLockConfiguration: &types.ObjectLockConfiguration{
+				ObjectLockEnabled: types.ObjectLockEnabledEnabled,
+				Rule: &types.ObjectLockRule{
+					DefaultRetention: &types.DefaultRetention{
+						Mode: types.ObjectLockRetentionModeCompliance,
+						Days: getPtr(int32(10)),
+					},
+				},
+			},
 		})
 		cancel()
 		if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrNoSuchBucket)); err != nil {
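Review bot: The new `ObjectLockConfiguration` literal in PutObjectLockConfiguration_non_existing_bucket carries no comment saying why a non-existing-bucket test now needs a complete, valid body; from this hunk alone the addition looks incidental and a later cleanup could remove it. If the reason is that the request body is now checked before the bucket lookup (the sibling test in this commit expects ErrMissingRequestBody for an empty body), say so with a line such as `// a valid body is required so the request reaches the bucket lookup instead of failing with MissingRequestBody` above the literal. The enclosing function starts and ends outside the hunk.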
@@ -16397,21 +16388,63 @@ func PutObjectLockConfiguration_non_existing_bucket(s *S3Conf) error {
 	})
 }
 
-func PutObjectLockConfiguration_empty_config(s *S3Conf) error {
-	testName := "PutObjectLockConfiguration_empty_config"
+func PutObjectLockConfiguration_empty_request_body(s *S3Conf) error {
+	testName := "PutObjectLockConfiguration_empty_request_body"
 	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
 		ctx, cancel := context.WithTimeout(context.Background(), shortTimeout)
 		_, err := s3client.PutObjectLockConfiguration(ctx, &s3.PutObjectLockConfigurationInput{
 			Bucket: &bucket,
 		})
 		cancel()
-		if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMalformedXML)); err != nil {
+		if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMissingRequestBody)); err != nil {
 			return err
 		}
 
 		return nil
 	})
 }
 
+func PutObjectLockConfiguration_malformed_body(s *S3Conf) error {
+	testName := "PutObjectLockConfiguration_malformed_body"
+	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
+		body := []byte("malformed_body")
+		hasher := md5.New()
+		_, err := hasher.Write(body)
+		if err != nil {
+			return err
+		}
+
+		sum := hasher.Sum(nil)
+		md5Sum := base64.StdEncoding.EncodeToString(sum)
+
+		req, err := createSignedReq(
+			http.MethodPut,
+			s.endpoint,
+			fmt.Sprintf("%s?object-lock", bucket),
+			s.awsID,
+			s.awsSecret,
+			"s3",
+			s.awsRegion,
+			body,
+			time.Now(),
+			map[string]string{"Content-Md5": md5Sum},
+		)
+		if err != nil {
+			return err
+		}
+
+		resp, err := s.httpClient.Do(req)
+		if err != nil {
+			return fmt.Errorf("err sending request: %w", err)
+		}
+
+		if err := checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrMalformedXML)); err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
 func PutObjectLockConfiguration_not_enabled_on_bucket_creation(s *S3Conf) error {
 	testName := "PutObjectLockConfiguration_not_enabled_on_bucket_creation"
 	return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
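Review bot: `resp` returned by `s.httpClient.Do(req)` in PutObjectLockConfiguration_malformed_body is never closed in this function; unless checkHTTPResponseApiErr (not visible here) drains and closes the body, add `defer resp.Body.Close()` immediately after the error check so the connection is returned to the pool across a long integration run. The MD5 preparation repeats the block added to PutBucketTagging_success_status earlier in this file and can be reduced to `sum := md5.Sum(body)` plus `base64.StdEncoding.EncodeToString(sum[:])`, since hash.Hash writes never fail. Sending the malformed body with a correct Content-MD5 is the right shape for this test: it isolates the MalformedXML path from the new checksum-required path, and a short comment saying so would stop a future reader from dropping the header as unnecessary.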