fix: adds checks for x-amz-content-sha256 in anonymous requests

Fixes #1554 Fixes #1423 The gateway previously ignored the `x-amz-content-sha256` header for anonymous unsigned requests to public buckets. This PR adds hash calculation for this header and correctly handles special payload types. It also fixes the case where a signed streaming payload (`STREAMING-AWS4-HMAC-SHA256-PAYLOAD...`) is used with anonymous requests. In this scenario, the gateway now returns a specific "not supported" error, consistent with S3 behavior.
2025-12-23 05:05:16 +00:00 · 2025-09-23 00:44:14 +04:00
parent 6a34f3a848
commit df74e7fde6
6 changed files with 118 additions and 11 deletions
--- a/s3api/utils/chunk-reader.go
+++ b/s3api/utils/chunk-reader.go
@@ -133,6 +133,25 @@ func IsUnsignedStreamingPayload(str string) bool {
 	return payloadType(str) == payloadTypeStreamingUnsignedTrailer
 }

+// IsAnonymousPayloadHashSupported returns error if payload hash
+// is streaming signed.
+// e.g.
+// "STREAMING-AWS4-HMAC-SHA256-PAYLOAD", "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD" ...
+func IsAnonymousPayloadHashSupported(hash string) error {
+	switch payloadType(hash) {
+	case payloadTypeStreamingEcdsa, payloadTypeStreamingEcdsaTrailer, payloadTypeStreamingSigned, payloadTypeStreamingSignedTrailer:
+		return s3err.GetAPIError(s3err.ErrUnsupportedAnonymousSignedStreaming)
+	}
+
+	return nil
+}
+
+// IsUnsignedPaylod checks if the provided payload hash type
+// is "UNSIGNED-PAYLOAD"
+func IsUnsignedPaylod(hash string) bool {
+	return hash == string(payloadTypeUnsigned)
+}
+
 // IsChunkEncoding checks for streaming/unsigned authorization types
 func IsStreamingPayload(str string) bool {
 	pt := payloadType(str)