From 12f4920c8dd107cd31fd196b0c426c2ce53db904 Mon Sep 17 00:00:00 2001 From: niksis02 Date: Sat, 25 Oct 2025 01:33:27 +0400 Subject: [PATCH] feat: implements checksum calculation for all actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #1549 Fixes #1593 Fixes #1521 Fixes #1427 Fixes #1311 Fixes #1301 Fixes #1040 This PR primarily focuses on checksum calculation within the gateway, but it also includes several related fixes and improvements. It introduces a middleware responsible for handling and calculating checksums for the `x-amz-checksum-*` headers and `Content-MD5`. The middleware is applied only to actions that expect a request body or checksum headers. It also enforces validation for actions that require a non-empty request body, returning an error if the body is missing. Similarly, it returns an error for actions where at least one checksum header (`Content-MD5` or `x-amz-checksum-*`) is required but none is provided. The implementation is based on [https://gist.github.com/niksis02/eec3198f03e561a0998d67af75c648d7](the reference table), tested directly against S3: It also fixes the error case where the `x-amz-sdk-checksum-algorithm` header is present but no corresponding `x-amz-checksum-*` or `x-amz-trailer` header is included. Additionally, the PR improves validation for the `x-amz-content-sha256` header. For actions that require this header, an error is now returned when it’s missing. For actions that don’t require it, the middleware no longer enforces its presence. Following the common S3 pattern, the header remains mandatory for admin routes. Finally, the `x-amz-content-sha256` header is now optional for anonymous requests, as it is not required in that case. --- s3api/admin-router.go | 12 +- s3api/controllers/bucket-put.go | 32 ---- s3api/controllers/bucket-put_test.go | 16 -- s3api/middlewares/authentication.go | 5 +- s3api/middlewares/checksum.go | 121 ++++++++++++++ s3api/middlewares/md5.go | 68 -------- s3api/middlewares/public-bucket.go | 14 +- s3api/router.go | 241 +++++++++++++-------------- s3api/utils/utils.go | 37 ++-- s3err/s3err.go | 24 +++ tests/integration/group-tests.go | 8 +- tests/integration/tests.go | 101 +++++++---- 12 files changed, 363 insertions(+), 316 deletions(-) create mode 100644 s3api/middlewares/checksum.go delete mode 100644 s3api/middlewares/md5.go diff --git a/s3api/admin-router.go b/s3api/admin-router.go index fde1902..5704220 100644 --- a/s3api/admin-router.go +++ b/s3api/admin-router.go @@ -35,42 +35,42 @@ func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMSe // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(ctrl.CreateUser, metrics.ActionAdminCreateUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(ctrl.DeleteUser, metrics.ActionAdminDeleteUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(ctrl.UpdateUser, metrics.ActionAdminUpdateUser, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(ctrl.ListUsers, metrics.ActionAdminListUsers, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(ctrl.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(ctrl.ListBuckets, metrics.ActionAdminListBuckets, services, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } diff --git a/s3api/controllers/bucket-put.go b/s3api/controllers/bucket-put.go index 3ca0765..6c4d30e 100644 --- a/s3api/controllers/bucket-put.go +++ b/s3api/controllers/bucket-put.go @@ -15,7 +15,6 @@ package controllers import ( - "bytes" "encoding/xml" "errors" "fmt" @@ -271,37 +270,6 @@ func (c S3ApiController) PutBucketCors(ctx *fiber.Ctx) (*Response, error) { }, err } - algo, checksusms, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx) - if err != nil { - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - - if algo != "" { - rdr, err := utils.NewHashReader(bytes.NewReader(body), checksusms[algo], utils.HashType(strings.ToLower(string(algo)))) - if err != nil { - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - - // Pass the same body to avoid data duplication - _, err = rdr.Read(body) - if err != nil { - debuglogger.Logf("failed to read hash calculation data: %v", err) - return &Response{ - MetaOpts: &MetaOptions{ - BucketOwner: parsedAcl.Owner, - }, - }, err - } - } - err = c.be.PutBucketCors(ctx.Context(), bucket, body) return &Response{ MetaOpts: &MetaOptions{ diff --git a/s3api/controllers/bucket-put_test.go b/s3api/controllers/bucket-put_test.go index 9555bd2..1d37ecb 100644 --- a/s3api/controllers/bucket-put_test.go +++ b/s3api/controllers/bucket-put_test.go @@ -528,22 +528,6 @@ func TestS3ApiController_PutBucketCors(t *testing.T) { err: s3err.GetUnsopportedCORSMethodErr("invalid_method"), }, }, - { - name: "invalid checksum algo", - input: testInput{ - locals: defaultLocals, - body: validBody, - headers: map[string]string{ - "X-Amz-Sdk-Checksum-Algorithm": "invalid_algo", - }, - }, - output: testOutput{ - response: &Response{ - MetaOpts: &MetaOptions{BucketOwner: "root"}, - }, - err: s3err.GetAPIError(s3err.ErrInvalidChecksumAlgorithm), - }, - }, { name: "backend error", input: testInput{ diff --git a/s3api/middlewares/authentication.go b/s3api/middlewares/authentication.go index 1c2fb55..321e40a 100644 --- a/s3api/middlewares/authentication.go +++ b/s3api/middlewares/authentication.go @@ -37,7 +37,7 @@ type RootUserConfig struct { Secret string } -func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool) fiber.Handler { +func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool, requireContentSha256 bool) fiber.Handler { acct := accounts{root: root, iam: iam} return func(ctx *fiber.Ctx) error { @@ -109,6 +109,9 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, } hashPayload := ctx.Get("X-Amz-Content-Sha256") + if requireContentSha256 && hashPayload == "" { + return s3err.GetAPIError(s3err.ErrMissingContentSha256) + } if !utils.IsValidSh256PayloadHeader(hashPayload) { return s3err.GetAPIError(s3err.ErrInvalidSHA256Paylod) } diff --git a/s3api/middlewares/checksum.go b/s3api/middlewares/checksum.go new file mode 100644 index 0000000..9ca1253 --- /dev/null +++ b/s3api/middlewares/checksum.go @@ -0,0 +1,121 @@ +// Copyright 2023 Versity Software +// This file is licensed under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package middlewares + +import ( + "bytes" + "encoding/base64" + "io" + "strings" + + "github.com/gofiber/fiber/v2" + "github.com/versity/versitygw/s3api/utils" + "github.com/versity/versitygw/s3err" +) + +// VerifyChecksums parses, validates, and calculates the +// Content-MD5 and x-amz-checksum-* headers. +// Additionally, it ensures that the request body is not empty +// for actions that require a non-empty body. For large data actions(PutObject, UploadPart), +// it wraps the body reader to handle Content-MD5: +// the x-amz-checksum-* headers are explicitly processed by the backend. +func VerifyChecksums(streamBody bool, requireBody bool, requireChecksum bool) fiber.Handler { + return func(ctx *fiber.Ctx) error { + md5sum := ctx.Get("Content-Md5") + + if streamBody { + // for large data actions(PutObject, UploadPart) + // only stack the md5 reader,as x-amz-checksum-* + // calculation is explicitly handled in back-end + if md5sum == "" { + return nil + } + + if !isValidMD5(md5sum) { + return s3err.GetAPIError(s3err.ErrInvalidDigest) + } + + var err error + wrapBodyReader(ctx, func(r io.Reader) io.Reader { + r, err = utils.NewHashReader(r, md5sum, utils.HashTypeMd5) + return r + }) + if err != nil { + return err + } + return nil + } + + body := ctx.Body() + if requireBody && len(body) == 0 { + return s3err.GetAPIError(s3err.ErrMissingRequestBody) + } + + var rdr io.Reader + var err error + if md5sum != "" { + if !isValidMD5(md5sum) { + return s3err.GetAPIError(s3err.ErrInvalidDigest) + } + + rdr, err = utils.NewHashReader(bytes.NewReader(body), md5sum, utils.HashTypeMd5) + if err != nil { + return err + } + } + + // parse and validate checksum headers + algo, checksums, err := utils.ParseChecksumHeadersAndSdkAlgo(ctx) + if err != nil { + return err + } + + if algo != "" { + r, err := utils.NewHashReader(bytes.NewReader(body), checksums[algo], utils.HashType(strings.ToLower(string(algo)))) + if err != nil { + return err + } + + if rdr != nil { + // combine both md5 and the checksum readers + rdr = io.MultiReader(rdr, r) + } else { + rdr = r + } + } + + if rdr == nil && requireChecksum { + return s3err.GetAPIError(s3err.ErrChecksumRequired) + } + + if rdr != nil { + _, err = io.Copy(io.Discard, rdr) + if err != nil { + return err + } + } + + return nil + } +} + +func isValidMD5(s string) bool { + decoded, err := base64.StdEncoding.DecodeString(s) + if err != nil { + return false + } + + return len(decoded) == 16 +} diff --git a/s3api/middlewares/md5.go b/s3api/middlewares/md5.go deleted file mode 100644 index b967560..0000000 --- a/s3api/middlewares/md5.go +++ /dev/null @@ -1,68 +0,0 @@ -// Copyright 2023 Versity Software -// This file is licensed under the Apache License, Version 2.0 -// (the "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package middlewares - -import ( - "crypto/md5" - "encoding/base64" - "io" - - "github.com/gofiber/fiber/v2" - "github.com/versity/versitygw/s3api/utils" - "github.com/versity/versitygw/s3err" -) - -func VerifyMD5Body(streamBody bool) fiber.Handler { - return func(ctx *fiber.Ctx) error { - incomingSum := ctx.Get("Content-Md5") - if incomingSum == "" { - return nil - } - - if !isValidMD5(incomingSum) { - return s3err.GetAPIError(s3err.ErrInvalidDigest) - } - - if streamBody { - var err error - wrapBodyReader(ctx, func(r io.Reader) io.Reader { - r, err = utils.NewHashReader(r, incomingSum, utils.HashTypeMd5) - return r - }) - if err != nil { - return err - } - return nil - } - - sum := md5.Sum(ctx.Body()) - calculatedSum := utils.Base64SumString(sum[:]) - - if incomingSum != calculatedSum { - return s3err.GetAPIError(s3err.ErrBadDigest) - } - - return nil - } -} - -func isValidMD5(s string) bool { - decoded, err := base64.StdEncoding.DecodeString(s) - if err != nil { - return false - } - - return len(decoded) == 16 -} diff --git a/s3api/middlewares/public-bucket.go b/s3api/middlewares/public-bucket.go index b3adcea..0e58066 100644 --- a/s3api/middlewares/public-bucket.go +++ b/s3api/middlewares/public-bucket.go @@ -103,13 +103,15 @@ func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPerm } } - // Calculate the hash of the request payload - hashedPayload := sha256.Sum256(ctx.Body()) - hexPayload := hex.EncodeToString(hashedPayload[:]) + if payloadHash != "" { + // Calculate the hash of the request payload + hashedPayload := sha256.Sum256(ctx.Body()) + hexPayload := hex.EncodeToString(hashedPayload[:]) - // Compare the calculated hash with the hash provided - if payloadHash != hexPayload { - return s3err.GetAPIError(s3err.ErrContentSHA256Mismatch) + // Compare the calculated hash with the hash provided + if payloadHash != hexPayload { + return s3err.GetAPIError(s3err.ErrContentSHA256Mismatch) + } } return nil diff --git a/s3api/router.go b/s3api/router.go index 27fd50a..814a3ac 100644 --- a/s3api/router.go +++ b/s3api/router.go @@ -42,42 +42,42 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(adminController.CreateUser, metrics.ActionAdminCreateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(adminController.DeleteUser, metrics.ActionAdminDeleteUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(adminController.UpdateUser, metrics.ActionAdminUpdateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(adminController.ListUsers, metrics.ActionAdminListUsers, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(adminController.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(adminController.ListBuckets, metrics.ActionAdminListBuckets, adminServices, - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } @@ -96,7 +96,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ services, middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListAllMyBuckets, "", auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), )) bucketRouter := app.Group("/:bucket") @@ -112,8 +112,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ParseAcl(be), middlewares.ApplyBucketCORS(be), )) @@ -126,8 +126,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -140,8 +140,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketVersioning, auth.PutBucketVersioningAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -154,8 +154,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLockConfiguration, auth.PutBucketObjectLockConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -168,8 +168,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -182,8 +182,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -196,8 +196,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAcl, auth.PutBucketAclAction, auth.PermissionWriteAcp, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -210,8 +210,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -224,8 +223,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -238,8 +236,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -252,8 +249,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -266,8 +262,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLifecycleConfiguration, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -280,8 +275,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLogging, auth.PutBucketLoggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -294,8 +288,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketRequestPayment, auth.PutBucketRequestPaymentAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -308,8 +301,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -322,8 +314,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -336,8 +327,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutPublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -350,8 +340,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketNotificationConfiguration, auth.PutBucketNotificationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -364,8 +353,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAccelerateConfiguration, auth.PutAccelerateConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -378,8 +366,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -391,8 +378,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateBucket, auth.CreateBucketAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), )) @@ -406,7 +393,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadBucket, auth.ListBucketAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -421,7 +408,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -434,7 +421,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -447,7 +434,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -460,7 +447,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -473,7 +460,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -486,7 +473,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -499,7 +486,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -512,7 +499,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -525,7 +512,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketLifecycle, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -538,7 +525,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -551,7 +538,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -564,7 +551,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeletePublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -577,7 +564,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -589,7 +576,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucket, auth.DeleteBucketAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -604,7 +591,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLocation, auth.GetBucketLocationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), ), @@ -618,7 +605,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketTagging, auth.GetBucketTaggingAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -631,7 +618,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketOwnershipControls, auth.GetBucketOwnershipControlsAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -644,7 +631,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketVersioning, auth.GetBucketVersioningAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -657,7 +644,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicy, auth.GetBucketPolicyAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -670,7 +657,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketCors, auth.GetBucketCorsAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -683,7 +670,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLockConfiguration, auth.GetBucketObjectLockConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -696,7 +683,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAcl, auth.GetBucketAclAction, auth.PermissionReadAcp, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -709,7 +696,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListMultipartUploads, auth.ListBucketMultipartUploadsAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -722,7 +709,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectVersions, auth.ListBucketVersionsAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -735,7 +722,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicyStatus, auth.GetBucketPolicyStatusAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -748,7 +735,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -761,7 +748,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -774,7 +761,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -787,7 +774,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketIntelligentTieringConfiguration, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -800,7 +787,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketIntelligentTieringConfigurations, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -813,7 +800,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketInventoryConfiguration, auth.GetInventoryConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -826,7 +813,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketInventoryConfigurations, auth.GetInventoryConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -839,7 +826,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLifecycleConfiguration, auth.GetLifecycleConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -852,7 +839,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLogging, auth.GetBucketLoggingAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -865,7 +852,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketRequestPayment, auth.GetBucketRequestPaymentAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -878,7 +865,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketMetricsConfiguration, auth.GetMetricsConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -891,7 +878,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketMetricsConfigurations, auth.GetMetricsConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -904,7 +891,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketReplication, auth.GetReplicationConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -917,7 +904,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetPublicAccessBlock, auth.GetBucketPublicAccessBlockAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -930,7 +917,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketNotificationConfiguration, auth.GetBucketNotificationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -943,7 +930,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAccelerateConfiguration, auth.GetAccelerateConfigurationAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -956,7 +943,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketWebsite, auth.GetBucketWebsiteAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ParseAcl(be), ), ) @@ -969,7 +956,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectsV2, auth.ListBucketAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -981,7 +968,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjects, auth.ListBucketAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -996,8 +983,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjects, auth.DeleteObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1011,7 +998,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadObject, auth.GetObjectAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1026,7 +1013,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectTagging, auth.GetObjectTaggingAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1039,7 +1026,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectRetention, auth.GetObjectRetentionAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1052,7 +1039,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLegalHold, auth.GetObjectLegalHoldAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1065,7 +1052,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAcl, auth.GetObjectAclAction, auth.PermissionReadAcp, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1078,7 +1065,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAttributes, auth.GetObjectAttributesAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1091,7 +1078,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListParts, auth.ListMultipartUploadPartsAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1103,7 +1090,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObject, auth.GetObjectAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1118,7 +1105,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjectTagging, auth.DeleteObjectTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1131,7 +1118,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionAbortMultipartUpload, auth.AbortMultipartUploadAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1143,7 +1130,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObject, auth.DeleteObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1157,8 +1144,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionRestoreObject, auth.RestoreObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1172,8 +1159,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionSelectObjectContent, auth.GetObjectAction, auth.PermissionRead, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1186,7 +1173,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCompleteMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1199,7 +1186,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1214,8 +1201,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectTagging, auth.PutObjectTaggingAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, true, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1228,8 +1215,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectRetention, auth.PutObjectRetentionAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1242,8 +1229,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLegalHold, auth.PutObjectLegalHoldAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1256,8 +1243,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectAcl, auth.PutObjectAclAction, auth.PermissionWriteAcp, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), - middlewares.VerifyMD5Body(false), + middlewares.VerifyV4Signature(root, iam, region, false, true), + middlewares.VerifyChecksums(false, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1271,7 +1258,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPartCopy, auth.PutObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1284,8 +1271,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPart, auth.PutObjectAction, auth.PermissionWrite, true), middlewares.VerifyPresignedV4Signature(root, iam, region, true), - middlewares.VerifyV4Signature(root, iam, region, true), - middlewares.VerifyMD5Body(true), + middlewares.VerifyV4Signature(root, iam, region, true, true), + middlewares.VerifyChecksums(true, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1310,7 +1297,7 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCopyObject, auth.PutObjectAction, auth.PermissionWrite, false), middlewares.VerifyPresignedV4Signature(root, iam, region, false), - middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false, true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1322,8 +1309,8 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ middlewares.BucketObjectNameValidator(), middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObject, auth.PutObjectAction, auth.PermissionWrite, true), middlewares.VerifyPresignedV4Signature(root, iam, region, true), - middlewares.VerifyV4Signature(root, iam, region, true), - middlewares.VerifyMD5Body(true), + middlewares.VerifyV4Signature(root, iam, region, true, true), + middlewares.VerifyChecksums(true, false, false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) diff --git a/s3api/utils/utils.go b/s3api/utils/utils.go index 3e0022e..80d2a86 100644 --- a/s3api/utils/utils.go +++ b/s3api/utils/utils.go @@ -496,24 +496,6 @@ func ParseCompleteMpChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) { return checksums, nil } -// ParseChecksumHeaders parses/validates x-amz-checksum-x headers key/values -func ParseChecksumHeaders(ctx *fiber.Ctx) (ChecksumValues, error) { - // first parse/validate 'x-amz-checksum-x' headers - checksums, err := ParseCalculatedChecksumHeaders(ctx) - if err != nil { - return checksums, err - } - - // check if the values are valid - for al, val := range checksums { - if !IsValidChecksum(val, al) { - return checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al)))) - } - } - - return checksums, nil -} - // ParseChecksumHeadersAndSdkAlgo parses/validates 'x-amz-sdk-checksum-algorithm' and // 'x-amz-checksum-x' precalculated request headers func ParseChecksumHeadersAndSdkAlgo(ctx *fiber.Ctx) (types.ChecksumAlgorithm, ChecksumValues, error) { @@ -529,14 +511,25 @@ func ParseChecksumHeadersAndSdkAlgo(ctx *fiber.Ctx) (types.ChecksumAlgorithm, Ch return sdkAlgorithm, checksums, err } - for al, val := range checksums { - if !IsValidChecksum(val, al) { - return sdkAlgorithm, checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al)))) + if len(checksums) == 0 && sdkAlgorithm != "" { + if ctx.Get("X-Amz-Trailer") == "" { + // This is a special case when x-amz-trailer is there + // it means the upload is done with chunked encoding + // where the checksum verification is handled in the chunk reader + debuglogger.Logf("'x-amz-sdk-checksum-algorithm : %s' is used without corresponding x-amz-checksum-* header", sdkAlgorithm) + return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrChecksumSDKAlgoMismatch) } + } + + for al, val := range checksums { // If any other checksum value is provided, // rather than x-amz-sdk-checksum-algorithm if sdkAlgorithm != "" && sdkAlgorithm != al { - return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders) + return sdkAlgorithm, checksums, s3err.GetAPIError(s3err.ErrChecksumSDKAlgoMismatch) + } + + if !IsValidChecksum(val, al) { + return sdkAlgorithm, checksums, s3err.GetInvalidChecksumHeaderErr(fmt.Sprintf("x-amz-checksum-%v", strings.ToLower(string(al)))) } sdkAlgorithm = al } diff --git a/s3err/s3err.go b/s3err/s3err.go index 7a1e34c..bc5f999 100644 --- a/s3err/s3err.go +++ b/s3err/s3err.go @@ -156,7 +156,11 @@ const ( ErrInvalidVersionId ErrNoSuchVersion ErrSuspendedVersioningNotAllowed + ErrMissingRequestBody ErrMultipleChecksumHeaders + ErrChecksumSDKAlgoMismatch + ErrChecksumRequired + ErrMissingContentSha256 ErrInvalidChecksumAlgorithm ErrInvalidChecksumPart ErrChecksumTypeWithAlgo @@ -673,6 +677,26 @@ var errorCodeResponse = map[ErrorCode]APIError{ Description: "An Object Lock configuration is present on this bucket, so the versioning state cannot be changed.", HTTPStatusCode: http.StatusBadRequest, }, + ErrMissingRequestBody: { + Code: "MissingRequestBodyError", + Description: "Request Body is empty", + HTTPStatusCode: http.StatusBadRequest, + }, + ErrChecksumSDKAlgoMismatch: { + Code: "InvalidRequest", + Description: "x-amz-sdk-checksum-algorithm specified, but no corresponding x-amz-checksum-* or x-amz-trailer headers were found.", + HTTPStatusCode: http.StatusBadRequest, + }, + ErrChecksumRequired: { + Code: "InvalidRequest", + Description: "Missing required header for this request: Content-MD5 OR x-amz-checksum-*", + HTTPStatusCode: http.StatusBadRequest, + }, + ErrMissingContentSha256: { + Code: "InvalidRequest", + Description: "Missing required header for this request: x-amz-content-sha256", + HTTPStatusCode: http.StatusBadRequest, + }, ErrMultipleChecksumHeaders: { Code: "InvalidRequest", Description: "Expecting a single x-amz-checksum- header. Multiple checksum Types are not allowed.", diff --git a/tests/integration/group-tests.go b/tests/integration/group-tests.go index bfd6ee6..3a9e709 100644 --- a/tests/integration/group-tests.go +++ b/tests/integration/group-tests.go @@ -384,7 +384,6 @@ func TestUploadPart(ts *TestState) { ts.Run(UploadPart_non_existing_mp_upload) //TODO: remove the condition after implementing checksums in azure if !ts.conf.azureTests { - ts.Run(UploadPart_checksum_algorithm_and_header_mismatch) ts.Run(UploadPart_multiple_checksum_headers) ts.Run(UploadPart_invalid_checksum_header) ts.Run(UploadPart_checksum_algorithm_mistmatch_on_initialization) @@ -606,7 +605,8 @@ func TestCORSMiddleware(ts *TestState) { func TestPutObjectLockConfiguration(ts *TestState) { ts.Run(PutObjectLockConfiguration_non_existing_bucket) - ts.Run(PutObjectLockConfiguration_empty_config) + ts.Run(PutObjectLockConfiguration_empty_request_body) + ts.Run(PutObjectLockConfiguration_malformed_body) if !ts.conf.versioningEnabled { ts.Run(PutObjectLockConfiguration_not_enabled_on_bucket_creation) } @@ -1311,7 +1311,6 @@ func GetIntTests() IntTests { "UploadPart_invalid_part_number": UploadPart_invalid_part_number, "UploadPart_non_existing_key": UploadPart_non_existing_key, "UploadPart_non_existing_mp_upload": UploadPart_non_existing_mp_upload, - "UploadPart_checksum_algorithm_and_header_mismatch": UploadPart_checksum_algorithm_and_header_mismatch, "UploadPart_multiple_checksum_headers": UploadPart_multiple_checksum_headers, "UploadPart_invalid_checksum_header": UploadPart_invalid_checksum_header, "UploadPart_checksum_algorithm_mistmatch_on_initialization": UploadPart_checksum_algorithm_mistmatch_on_initialization, @@ -1465,7 +1464,8 @@ func GetIntTests() IntTests { "CORSMiddleware_access_forbidden": CORSMiddleware_access_forbidden, "CORSMiddleware_access_granted": CORSMiddleware_access_granted, "PutObjectLockConfiguration_non_existing_bucket": PutObjectLockConfiguration_non_existing_bucket, - "PutObjectLockConfiguration_empty_config": PutObjectLockConfiguration_empty_config, + "PutObjectLockConfiguration_empty_request_body": PutObjectLockConfiguration_empty_request_body, + "PutObjectLockConfiguration_malformed_body": PutObjectLockConfiguration_malformed_body, "PutObjectLockConfiguration_not_enabled_on_bucket_creation": PutObjectLockConfiguration_not_enabled_on_bucket_creation, "PutObjectLockConfiguration_invalid_status": PutObjectLockConfiguration_invalid_status, "PutObjectLockConfiguration_invalid_mode": PutObjectLockConfiguration_invalid_mode, diff --git a/tests/integration/tests.go b/tests/integration/tests.go index dca5ebf..c277b8a 100644 --- a/tests/integration/tests.go +++ b/tests/integration/tests.go @@ -17,6 +17,7 @@ package integration import ( "bytes" "context" + "crypto/md5" "crypto/rand" "crypto/sha256" "encoding/base64" @@ -2709,7 +2710,18 @@ func PutBucketTagging_success_status(s *S3Conf) error { return fmt.Errorf("err parsing tagging: %w", err) } - req, err := createSignedReq(http.MethodPut, s.endpoint, fmt.Sprintf("%v?tagging=", bucket), s.awsID, s.awsSecret, "s3", s.awsRegion, taggingParsed, time.Now(), nil) + hasher := md5.New() + _, err = hasher.Write(taggingParsed) + if err != nil { + return err + } + + sum := hasher.Sum(nil) + md5Sum := base64.StdEncoding.EncodeToString(sum) + + req, err := createSignedReq(http.MethodPut, s.endpoint, fmt.Sprintf("%v?tagging=", bucket), s.awsID, s.awsSecret, "s3", s.awsRegion, taggingParsed, time.Now(), map[string]string{ + "Content-Md5": md5Sum, + }) if err != nil { return fmt.Errorf("err signing the request: %w", err) } @@ -9836,36 +9848,6 @@ func UploadPart_non_existing_mp_upload(s *S3Conf) error { }) } -func UploadPart_checksum_algorithm_and_header_mismatch(s *S3Conf) error { - testName := "UploadPart_checksum_algorithm_and_header_mismatch" - return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { - obj := "my-obj" - - mp, err := createMp(s3client, bucket, obj, withChecksum(types.ChecksumAlgorithmCrc32)) - if err != nil { - return err - } - - partNumber := int32(1) - - ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) - _, err = s3client.UploadPart(ctx, &s3.UploadPartInput{ - Bucket: &bucket, - Key: &obj, - ChecksumAlgorithm: types.ChecksumAlgorithmCrc32, - ChecksumCRC32C: getPtr("m0cB1Q=="), - PartNumber: &partNumber, - UploadId: mp.UploadId, - }) - cancel() - if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMultipleChecksumHeaders)); err != nil { - return err - } - - return nil - }) -} - func UploadPart_multiple_checksum_headers(s *S3Conf) error { testName := "UploadPart_multiple_checksum_headers" return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { @@ -16387,6 +16369,15 @@ func PutObjectLockConfiguration_non_existing_bucket(s *S3Conf) error { ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) _, err := s3client.PutObjectLockConfiguration(ctx, &s3.PutObjectLockConfigurationInput{ Bucket: getPtr(getBucketName()), + ObjectLockConfiguration: &types.ObjectLockConfiguration{ + ObjectLockEnabled: types.ObjectLockEnabledEnabled, + Rule: &types.ObjectLockRule{ + DefaultRetention: &types.DefaultRetention{ + Mode: types.ObjectLockRetentionModeCompliance, + Days: getPtr(int32(10)), + }, + }, + }, }) cancel() if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrNoSuchBucket)); err != nil { @@ -16397,21 +16388,63 @@ func PutObjectLockConfiguration_non_existing_bucket(s *S3Conf) error { }) } -func PutObjectLockConfiguration_empty_config(s *S3Conf) error { - testName := "PutObjectLockConfiguration_empty_config" +func PutObjectLockConfiguration_empty_request_body(s *S3Conf) error { + testName := "PutObjectLockConfiguration_empty_request_body" return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { ctx, cancel := context.WithTimeout(context.Background(), shortTimeout) _, err := s3client.PutObjectLockConfiguration(ctx, &s3.PutObjectLockConfigurationInput{ Bucket: &bucket, }) cancel() - if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMalformedXML)); err != nil { + if err := checkApiErr(err, s3err.GetAPIError(s3err.ErrMissingRequestBody)); err != nil { return err } return nil }) } +func PutObjectLockConfiguration_malformed_body(s *S3Conf) error { + testName := "PutObjectLockConfiguration_malformed_body" + return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error { + body := []byte("malformed_body") + hasher := md5.New() + _, err := hasher.Write(body) + if err != nil { + return err + } + + sum := hasher.Sum(nil) + md5Sum := base64.StdEncoding.EncodeToString(sum) + + req, err := createSignedReq( + http.MethodPut, + s.endpoint, + fmt.Sprintf("%s?object-lock", bucket), + s.awsID, + s.awsSecret, + "s3", + s.awsRegion, + body, + time.Now(), + map[string]string{"Content-Md5": md5Sum}, + ) + if err != nil { + return err + } + + resp, err := s.httpClient.Do(req) + if err != nil { + return fmt.Errorf("err sending request: %w", err) + } + + if err := checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrMalformedXML)); err != nil { + return err + } + + return nil + }) +} + func PutObjectLockConfiguration_not_enabled_on_bucket_creation(s *S3Conf) error { testName := "PutObjectLockConfiguration_not_enabled_on_bucket_creation" return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {