Merge pull request #63 from versity/ben/fix_sig_again

fix: v4 auth signature to only use specified signed headers
2026-01-05 11:24:52 +00:00 · 2023-06-07 08:17:19 -07:00
parent 8f27e88198 1717d45664
commit 20b6c1c266
5 changed files with 31 additions and 107 deletions
--- a/s3api/controllers/base.go
+++ b/s3api/controllers/base.go
@@ -79,7 +79,10 @@ func (c S3ApiController) GetActions(ctx *fiber.Ctx) error {
 	}

 	res, err := c.be.GetObject(bucket, key, acceptRange, ctx.Response().BodyWriter())
-	return Responce(ctx, res, err)
+	if err != nil {
+		return Responce(ctx, res, err)
+	}
+	return nil
 }

 func (c S3ApiController) ListActions(ctx *fiber.Ctx) error {
--- a/s3api/controllers/base_test.go
+++ b/s3api/controllers/base_test.go
@@ -199,22 +199,13 @@ func TestS3ApiController_GetActions(t *testing.T) {
 			statusCode: 200,
 		},
 		{
-			name: "Get-actions-invalid-range-header",
-			app:  app,
-			args: args{
-				req: getObjectReq,
-			},
-			wantErr:    false,
-			statusCode: 500,
-		},
-		{
-			name: "Get-actions-get-object-error",
+			name: "Get-actions-get-object-success",
 			app:  app,
 			args: args{
 				req: getObjectSuccessReq,
 			},
 			wantErr:    false,
-			statusCode: 500,
+			statusCode: 200,
 		},
 	}
 	for _, tt := range tests {
--- a/s3api/middlewares/authentication.go
+++ b/s3api/middlewares/authentication.go
@@ -60,11 +60,21 @@ func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported))
 		}

-		creds := strings.Split(strings.Split(authParts[1], "=")[1], "/")
+		credKv := strings.Split(authParts[1], "=")
+		if len(credKv) != 2 {
+			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrCredMalformed))
+		}
+		creds := strings.Split(credKv[1], "/")
 		if len(creds) < 4 {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrCredMalformed))
 		}

+		signHdrKv := strings.Split(authParts[2], "=")
+		if len(signHdrKv) != 2 {
+			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrCredMalformed))
+		}
+		signedHdrs := strings.Split(signHdrKv[1], ";")
+
 		secret, ok := acct.getAcctSecret(creds[0])
 		if !ok {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID))
@@ -94,7 +104,7 @@ func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler {
 		}

 		// Create a new http request instance from fasthttp request
-		req, err := utils.CreateHttpRequestFromCtx(ctx)
+		req, err := utils.CreateHttpRequestFromCtx(ctx, signedHdrs)
 		if err != nil {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrInternalError))
 		}
@@ -104,7 +114,10 @@ func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler {
 		signErr := signer.SignHTTP(req.Context(), aws.Credentials{
 			AccessKeyID:     creds[0],
 			SecretAccessKey: secret,
-		}, req, hexPayload, creds[3], config.Region, tdate)
+		}, req, hexPayload, creds[3], config.Region, tdate, func(options *v4.SignerOptions) {
+			//options.LogSigning = true
+			//options.Logger = logging.NewStandardLogger(os.Stdout)
+		})
 		if signErr != nil {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrInternalError))
 		}
--- a/s3api/utils/utils.go
+++ b/s3api/utils/utils.go
@@ -38,7 +38,7 @@ func GetUserMetaData(headers *fasthttp.RequestHeader) (metadata map[string]strin
 	return
 }

-func CreateHttpRequestFromCtx(ctx *fiber.Ctx) (*http.Request, error) {
+func CreateHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string) (*http.Request, error) {
 	req := ctx.Request()

 	httpReq, err := http.NewRequest(string(req.Header.Method()), req.URI().String(), bytes.NewReader(req.Body()))
@@ -49,14 +49,11 @@ func CreateHttpRequestFromCtx(ctx *fiber.Ctx) (*http.Request, error) {
 	// Set the request headers
 	req.Header.VisitAll(func(key, value []byte) {
 		keyStr := string(key)
-		if includeHeader(keyStr) {
+		if includeHeader(keyStr, signedHdrs) {
 			httpReq.Header.Add(keyStr, string(value))
 		}
 	})

-	// Content-Length header ignored for signing
-	httpReq.ContentLength = 0
-
 	// Set the Host header
 	httpReq.Host = string(req.Header.Host())

@@ -80,91 +77,11 @@ func SetResponseHeaders(ctx *fiber.Ctx, headers []CustomHeader) {
 	}
 }

-func includeHeader(hdr string) bool {
-	switch {
-	case strings.EqualFold(hdr, "Cache-Control"):
-		return true
-	case strings.EqualFold(hdr, "Content-Disposition"):
-		return true
-	case strings.EqualFold(hdr, "Content-Encoding"):
-		return true
-	case strings.EqualFold(hdr, "Content-Language"):
-		return true
-	case strings.EqualFold(hdr, "Content-Md5"):
-		return true
-	case strings.EqualFold(hdr, "Content-Type"):
-		return true
-	case strings.EqualFold(hdr, "Expires"):
-		return true
-	case strings.EqualFold(hdr, "If-Match"):
-		return true
-	case strings.EqualFold(hdr, "If-Modified-Since"):
-		return true
-	case strings.EqualFold(hdr, "If-None-Match"):
-		return true
-	case strings.EqualFold(hdr, "If-Unmodified-Since"):
-		return true
-	case strings.EqualFold(hdr, "Range"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Acl"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-If-Match"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-If-Modified-Since"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-If-None-Match"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-If-Unmodified-Since"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-Range"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Grant-Full-control"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Grant-Read"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Grant-Read-Acp"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Grant-Write"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Grant-Write-Acp"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Metadata-Directive"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Mfa"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Request-Payer"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Server-Side-Encryption"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Server-Side-Encryption-Customer-Algorithm"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Server-Side-Encryption-Customer-Key"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Server-Side-Encryption-Customer-Key-Md5"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Storage-Class"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Website-Redirect-Location"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Content-Sha256"):
-		return true
-	case strings.EqualFold(hdr, "X-Amz-Tagging"):
-		return true
-	case strings.HasPrefix(hdr, "X-Amz-Object-Lock-"):
-		return true
-	case strings.HasPrefix(hdr, "X-Amz-Meta-"):
-		return true
-	default:
-		return false
+func includeHeader(hdr string, signedHdrs []string) bool {
+	for _, shdr := range signedHdrs {
+		if strings.EqualFold(hdr, shdr) {
+			return true
+		}
 	}
+	return false
 }
--- a/s3api/utils/utils_test.go
+++ b/s3api/utils/utils_test.go
@@ -56,7 +56,7 @@ func TestCreateHttpRequestFromCtx(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := CreateHttpRequestFromCtx(tt.args.ctx)
+			got, err := CreateHttpRequestFromCtx(tt.args.ctx, []string{"X-Amz-Mfa"})
 			if (err != nil) != tt.wantErr {
 				t.Errorf("CreateHttpRequestFromCtx() error = %v, wantErr %v", err, tt.wantErr)
 				return