From ebdda06633b610ec1b336a033195dff12e3ba17f Mon Sep 17 00:00:00 2001 From: niksis02 Date: Thu, 18 Sep 2025 19:51:30 +0400 Subject: [PATCH] fix: adds BadDigest error for incorrect Content-Md5 s Closes #1525 * Adds validation for the `Content-MD5` header. * If the header value is invalid, the gateway now returns an `InvalidDigest` error. * If the value is valid but does not match the payload, it returns a `BadDigest` error. * Adds integration test cases for `PutBucketCors` with `Content-MD5`. --- s3api/admin-router.go | 12 +- s3api/middlewares/authentication.go | 6 +- s3api/middlewares/md5.go | 20 +- s3api/middlewares/md5_test.go | 41 ++ s3api/middlewares/presign-auth.go | 6 +- s3api/middlewares/public-bucket.go | 4 +- s3api/router.go | 740 ++++++++++++++-------------- s3api/utils/auth-reader.go | 6 +- s3api/utils/auth_test.go | 2 +- s3api/utils/csum-reader.go | 2 +- s3api/utils/presign-auth-reader.go | 6 +- s3api/utils/utils.go | 17 +- s3api/utils/utils_test.go | 2 +- s3err/s3err.go | 6 + tests/integration/group-tests.go | 10 +- tests/integration/tests.go | 136 +++-- tests/integration/utils.go | 2 + 17 files changed, 566 insertions(+), 452 deletions(-) create mode 100644 s3api/middlewares/md5_test.go diff --git a/s3api/admin-router.go b/s3api/admin-router.go index c6aeaa0..fde1902 100644 --- a/s3api/admin-router.go +++ b/s3api/admin-router.go 
@@ -35,42 +35,42 @@ func (ar *S3AdminRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMSe // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(ctrl.CreateUser, metrics.ActionAdminCreateUser, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(ctrl.DeleteUser, metrics.ActionAdminDeleteUser, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(ctrl.UpdateUser, metrics.ActionAdminUpdateUser, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(ctrl.ListUsers, metrics.ActionAdminListUsers, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(ctrl.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(ctrl.ListBuckets, metrics.ActionAdminListBuckets, services, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } 
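Review bot: The bare `false` appended to each `middlewares.VerifyV4Signature(root, iam, region, false)` call in this hunk gives a reader no hint that it selects when the request signature is verified. The same literal is repeated across the router.go hunks for `AuthorizePublicBucketAccess`, `VerifyPresignedV4Signature` and `VerifyMD5Body`, and a trailing `false` is also passed to `utils.CheckValidSignature` in authentication.go, so one wrong value on a route would be hard to spot in review. Named constants at the call sites would make the intent visible, for example `const bufferedBody, streamedBody = false, true` and `middlewares.VerifyV4Signature(root, iam, region, bufferedBody)`.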
diff --git a/s3api/middlewares/authentication.go b/s3api/middlewares/authentication.go index f9e377f..1c2fb55 100644 --- a/s3api/middlewares/authentication.go +++ b/s3api/middlewares/authentication.go @@ -37,7 +37,7 @@ type RootUserConfig struct { Secret string } -func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string) fiber.Handler { +func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool) fiber.Handler { acct := accounts{root: root, iam: iam} return func(ctx *fiber.Ctx) error { @@ -112,7 +112,7 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string) if !utils.IsValidSh256PayloadHeader(hashPayload) { return s3err.GetAPIError(s3err.ErrInvalidSHA256Paylod) } - if utils.IsBigDataAction(ctx) { + if streamBody { // for streaming PUT actions, authorization is deferred // until end of stream due to need to get length and // checksum of the stream to validate authorization @@ -160,7 +160,7 @@ func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, region string) } } - err = utils.CheckValidSignature(ctx, authData, account.Secret, hashPayload, tdate, contentLength) + err = utils.CheckValidSignature(ctx, authData, account.Secret, hashPayload, tdate, contentLength, false) if err != nil { return err } diff --git a/s3api/middlewares/md5.go b/s3api/middlewares/md5.go index 5cd70b7..b967560 100644 --- a/s3api/middlewares/md5.go +++ b/s3api/middlewares/md5.go @@ -16,6 +16,7 @@ package middlewares import ( "crypto/md5" + "encoding/base64" "io" "github.com/gofiber/fiber/v2" 
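Review bot: Replacing `utils.IsBigDataAction(ctx)` with `if streamBody {` moves the decision to defer signature verification from the request to a flag fixed at route registration, and nothing in this hunk documents what a caller must guarantee when passing `true`. The comment inside the branch says authorization is deferred until the end of the stream, so a route registered with `true` whose handler does not read the body to EOF would presumably never complete the check. presign-auth.go and public-bucket.go make the same switch. I would state the contract on the parameter, `// streamBody must be true only for handlers that read the request body to EOF; signature verification is deferred to the body reader.`, and cover the route-to-flag mapping with a test. The function body starts and ends outside the hunk.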
@@ -23,14 +24,18 @@ import ( "github.com/versity/versitygw/s3err" ) -func VerifyMD5Body() fiber.Handler { +func VerifyMD5Body(streamBody bool) fiber.Handler { return func(ctx *fiber.Ctx) error { incomingSum := ctx.Get("Content-Md5") if incomingSum == "" { return nil } - if utils.IsBigDataAction(ctx) { + if !isValidMD5(incomingSum) { + return s3err.GetAPIError(s3err.ErrInvalidDigest) + } + + if streamBody { var err error wrapBodyReader(ctx, func(r io.Reader) io.Reader { r, err = utils.NewHashReader(r, incomingSum, utils.HashTypeMd5) @@ -46,9 +51,18 @@ func VerifyMD5Body() fiber.Handler { calculatedSum := utils.Base64SumString(sum[:]) if incomingSum != calculatedSum { - return s3err.GetAPIError(s3err.ErrInvalidDigest) + return s3err.GetAPIError(s3err.ErrBadDigest) } return nil } } + +func isValidMD5(s string) bool { + decoded, err := base64.StdEncoding.DecodeString(s) + if err != nil { + return false + } + + return len(decoded) == 16 +} diff --git a/s3api/middlewares/md5_test.go b/s3api/middlewares/md5_test.go new file mode 100644 index 0000000..475b5d3 --- /dev/null +++ b/s3api/middlewares/md5_test.go 
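Review bot: `VerifyMD5Body` is exported and now has three outcomes plus a `streamBody` mode, but it still has no doc comment. Suggested: `// VerifyMD5Body validates the Content-Md5 request header. A missing header skips the check, a value that is not base64 of 16 bytes returns InvalidDigest, and a well-formed value that differs from the body digest returns BadDigest.` How a mismatch is reported on the `streamBody` path is decided by `utils.NewHashReader`, which is not visible here, so the comment should cover that path once confirmed. The function continues past the end of this hunk.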
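Review bot: `isValidMD5` accepts encodings that the `incomingSum != calculatedSum` string comparison can never match, because `base64.StdEncoding.DecodeString` tolerates non-zero trailing bits in the last character (this assumes `utils.Base64SumString` emits canonical base64, which is not visible here). Such a header passes the format check and is then always reported as `ErrBadDigest`, although it is malformed rather than mismatched. Decoding strictly keeps the two checks in agreement: `decoded, err := base64.StdEncoding.Strict().DecodeString(s)`. The `valid 2` case in md5_test.go (`uU0nuZNNPgilLlLX2n2r+s==`) is one of these encodings and would then expect `false`.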
@@ -0,0 +1,41 @@ +// Copyright 2023 Versity Software +// This file is licensed under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package middlewares + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func Test_isValidMD5(t *testing.T) { + tests := []struct { + name string + s string + want bool + }{ + {"invalid", "hello world", false}, + {"valid base64", "aGVsbCBzLGRham5mamFuc2Zhc2RmZHNhZmRzYWY=", false}, + {"valid 1", "CY9rzUYh03PK3k6DJie09g==", true}, + {"valid 2", "uU0nuZNNPgilLlLX2n2r+s==", true}, + {"valid 3", "7Qdih1MuhjZehB6Sv8UNjA==", true}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := isValidMD5(tt.s) + assert.Equal(t, tt.want, got) + }) + } +} diff --git a/s3api/middlewares/presign-auth.go b/s3api/middlewares/presign-auth.go index dd6eacd..6bebafd 100644 --- a/s3api/middlewares/presign-auth.go +++ b/s3api/middlewares/presign-auth.go @@ -24,7 +24,7 @@ import ( "github.com/versity/versitygw/s3err" ) -func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, region string) fiber.Handler { +func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, region string, streamBody bool) fiber.Handler { acct := accounts{root: root, iam: iam} return func(ctx *fiber.Ctx) error { 
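Review bot: The case named `valid base64` expects `false`, and `valid 2` (`uU0nuZNNPgilLlLX2n2r+s==`) has non-zero trailing bits in its last character, so the table pins lenient decoding without saying so. Renaming them after what they exercise, e.g. `{"valid base64, not 16 bytes", …}` and `{"non-canonical trailing bits", …}`, makes the intended contract reviewable. The table also lacks rejected-format cases such as an unpadded value, for example the constructed entry `{"unpadded", "CY9rzUYh03PK3k6DJie09g", false}`.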
@@ -71,7 +71,7 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, region } } - if utils.IsBigDataAction(ctx) { + if streamBody { // Content-Length has to be set for data uploads: PutObject, UploadPart if contentLengthStr == "" { return s3err.GetAPIError(s3err.ErrMissingContentLength) @@ -88,7 +88,7 @@ func VerifyPresignedV4Signature(root RootUserConfig, iam auth.IAMService, region return nil } - err = utils.CheckPresignedSignature(ctx, authData, account.Secret) + err = utils.CheckPresignedSignature(ctx, authData, account.Secret, streamBody) if err != nil { return err } diff --git a/s3api/middlewares/public-bucket.go b/s3api/middlewares/public-bucket.go index 94fe608..4b3634f 100644 --- a/s3api/middlewares/public-bucket.go +++ b/s3api/middlewares/public-bucket.go @@ -28,7 +28,7 @@ import ( // AuthorizePublicBucketAccess checks if the bucket grants public // access to anonymous requesters -func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPermission auth.Action, permission auth.Permission) fiber.Handler { +func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPermission auth.Action, permission auth.Permission, streamBody bool) fiber.Handler { return func(ctx *fiber.Ctx) error { // skip for authenticated requests if utils.IsPresignedURLAuth(ctx) || ctx.Get("Authorization") != "" { @@ -60,7 +60,7 @@ func AuthorizePublicBucketAccess(be backend.Backend, s3action string, policyPerm return err } - if utils.IsBigDataAction(ctx) { + if streamBody { payloadType := ctx.Get("X-Amz-Content-Sha256") if utils.IsUnsignedStreamingPayload(payloadType) { checksumType, err := utils.ExtractChecksumType(ctx) diff --git a/s3api/router.go b/s3api/router.go index b84769d..f7b5b5a 100644 --- a/s3api/router.go +++ b/s3api/router.go 
@@ -42,42 +42,42 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ // CreateUser admin api app.Patch("/create-user", controllers.ProcessHandlers(adminController.CreateUser, metrics.ActionAdminCreateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminCreateUser), )) // DeleteUsers admin api app.Patch("/delete-user", controllers.ProcessHandlers(adminController.DeleteUser, metrics.ActionAdminDeleteUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminDeleteUser), )) // UpdateUser admin api app.Patch("/update-user", controllers.ProcessHandlers(adminController.UpdateUser, metrics.ActionAdminUpdateUser, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminUpdateUser), )) // ListUsers admin api app.Patch("/list-users", controllers.ProcessHandlers(adminController.ListUsers, metrics.ActionAdminListUsers, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminListUsers), )) // ChangeBucketOwner admin api app.Patch("/change-bucket-owner", controllers.ProcessHandlers(adminController.ChangeBucketOwner, metrics.ActionAdminChangeBucketOwner, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), middlewares.IsAdmin(metrics.ActionAdminChangeBucketOwner), )) // ListBucketsAndOwners admin api app.Patch("/list-buckets", controllers.ProcessHandlers(adminController.ListBuckets, metrics.ActionAdminListBuckets, adminServices, - middlewares.VerifyV4Signature(root, iam, region), + middlewares.VerifyV4Signature(root, iam, region, false), 
middlewares.IsAdmin(metrics.ActionAdminListBuckets), )) } @@ -94,10 +94,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ ctrl.ListBuckets, metrics.ActionListAllMyBuckets, services, - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListAllMyBuckets, "", auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListAllMyBuckets, "", auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), )) bucketRouter := app.Group("/:bucket") @@ -111,10 +111,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketTagging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), middlewares.ApplyBucketCORS(be), )) 
@@ -125,10 +125,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketOwnershipControls, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -139,10 +139,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketVersioning, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketVersioning, auth.PutBucketVersioningAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketVersioning, auth.PutBucketVersioningAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -153,10 +153,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObjectLockConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLockConfiguration, auth.PutBucketObjectLockConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLockConfiguration, auth.PutBucketObjectLockConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -167,10 +167,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketCors, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -181,10 +181,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketPolicy, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -195,10 +195,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketAcl, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAcl, auth.PutBucketAclAction, auth.PermissionWriteAcp), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAcl, auth.PutBucketAclAction, auth.PermissionWriteAcp, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -209,10 +209,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketAnalyticsConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -223,10 +223,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketEncryption, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -237,10 +237,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketIntelligentTieringConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -251,10 +251,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketInventoryConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -265,10 +265,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketLifecycleConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLifecycleConfiguration, auth.PutLifecycleConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLifecycleConfiguration, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -279,10 +279,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketLogging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLogging, auth.PutBucketLoggingAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketLogging, auth.PutBucketLoggingAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -293,10 +293,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketRequestPayment, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketRequestPayment, auth.PutBucketRequestPaymentAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketRequestPayment, auth.PutBucketRequestPaymentAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -307,10 +307,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketMetricsConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -321,10 +321,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketReplication, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -335,10 +335,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutPublicAccessBlock, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutPublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutPublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -349,10 +349,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketNotificationConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketNotificationConfiguration, auth.PutBucketNotificationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketNotificationConfiguration, auth.PutBucketNotificationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -363,10 +363,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketAccelerateConfiguration, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAccelerateConfiguration, auth.PutAccelerateConfigurationAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketAccelerateConfiguration, auth.PutAccelerateConfigurationAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) 
@@ -377,10 +377,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutBucketWebsite, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ParseAcl(be), ), ) @@ -390,10 +390,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionCreateBucket, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateBucket, auth.CreateBucketAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateBucket, auth.CreateBucketAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), )) 
@@ -405,10 +405,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ services, middlewares.ApplyBucketCORS(be), middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadBucket, auth.ListBucketAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadBucket, auth.ListBucketAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -421,10 +421,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteBucketTagging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketTagging, auth.PutBucketTaggingAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -435,10 +435,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteBucketOwnershipControls, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketOwnershipControls, auth.PutBucketOwnershipControlsAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -449,10 +449,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteBucketPolicy, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketPolicy, auth.PutBucketPolicyAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -463,10 +463,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketCors,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketCors, auth.PutBucketCorsAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -477,10 +477,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketAnalyticsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketAnalyticsConfiguration, auth.PutAnalyticsConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -491,10 +491,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketEncryption,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketEncryption, auth.PutEncryptionConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -505,10 +505,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketIntelligentTieringConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketIntelligentTieringConfiguration, auth.PutIntelligentTieringConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -519,10 +519,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketInventoryConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketInventoryConfiguration, auth.PutInventoryConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -533,10 +533,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketLifecycle,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketLifecycle, auth.PutLifecycleConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketLifecycle, auth.PutLifecycleConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -547,10 +547,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketMetricsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketMetricsConfiguration, auth.PutMetricsConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -561,10 +561,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketReplication,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketReplication, auth.PutReplicationConfigurationAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -575,10 +575,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeletePublicAccessBlock,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeletePublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeletePublicAccessBlock, auth.PutBucketPublicAccessBlockAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -589,10 +589,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucketWebsite,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucketWebsite, auth.PutBucketWebsiteAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -602,10 +602,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionDeleteBucket,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucket, auth.DeleteBucketAction, auth.PermissionWrite),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteBucket, auth.DeleteBucketAction, auth.PermissionWrite, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -618,10 +618,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketLocation,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLocation, auth.GetBucketLocationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLocation, auth.GetBucketLocationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ),
@@ -633,10 +633,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketTagging,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketTagging, auth.GetBucketTaggingAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketTagging, auth.GetBucketTaggingAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -647,10 +647,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketOwnershipControls,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketOwnershipControls, auth.GetBucketOwnershipControlsAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketOwnershipControls, auth.GetBucketOwnershipControlsAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -661,10 +661,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketVersioning,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketVersioning, auth.GetBucketVersioningAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketVersioning, auth.GetBucketVersioningAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -675,10 +675,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketPolicy,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicy, auth.GetBucketPolicyAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicy, auth.GetBucketPolicyAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -689,10 +689,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketCors,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketCors, auth.GetBucketCorsAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketCors, auth.GetBucketCorsAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -703,10 +703,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetObjectLockConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLockConfiguration, auth.GetBucketObjectLockConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLockConfiguration, auth.GetBucketObjectLockConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -717,10 +717,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketAcl,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAcl, auth.GetBucketAclAction, auth.PermissionReadAcp),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAcl, auth.GetBucketAclAction, auth.PermissionReadAcp, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -731,10 +731,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListMultipartUploads,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListMultipartUploads, auth.ListBucketMultipartUploadsAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListMultipartUploads, auth.ListBucketMultipartUploadsAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -745,10 +745,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListObjectVersions,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectVersions, auth.ListBucketVersionsAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectVersions, auth.ListBucketVersionsAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -759,10 +759,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketPolicyStatus,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicyStatus, auth.GetBucketPolicyStatusAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketPolicyStatus, auth.GetBucketPolicyStatusAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -773,10 +773,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketAnalyticsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAnalyticsConfiguration, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -787,10 +787,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListBucketAnalyticsConfigurations,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketAnalyticsConfigurations, auth.GetAnalyticsConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -801,10 +801,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketEncryption,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketEncryption, auth.GetEncryptionConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -815,10 +815,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketIntelligentTieringConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketIntelligentTieringConfiguration, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketIntelligentTieringConfiguration, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -829,10 +829,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListBucketIntelligentTieringConfigurations,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketIntelligentTieringConfigurations, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketIntelligentTieringConfigurations, auth.GetIntelligentTieringConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -843,10 +843,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketInventoryConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketInventoryConfiguration, auth.GetInventoryConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketInventoryConfiguration, auth.GetInventoryConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -857,10 +857,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListBucketInventoryConfigurations,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketInventoryConfigurations, auth.GetInventoryConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketInventoryConfigurations, auth.GetInventoryConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -871,10 +871,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketLifecycleConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLifecycleConfiguration, auth.GetLifecycleConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLifecycleConfiguration, auth.GetLifecycleConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -885,10 +885,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketLogging,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLogging, auth.GetBucketLoggingAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketLogging, auth.GetBucketLoggingAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -899,10 +899,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketRequestPayment,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketRequestPayment, auth.GetBucketRequestPaymentAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketRequestPayment, auth.GetBucketRequestPaymentAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -913,10 +913,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketMetricsConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketMetricsConfiguration, auth.GetMetricsConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketMetricsConfiguration, auth.GetMetricsConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -927,10 +927,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListBucketMetricsConfigurations,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketMetricsConfigurations, auth.GetMetricsConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListBucketMetricsConfigurations, auth.GetMetricsConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -941,10 +941,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketReplication,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketReplication, auth.GetReplicationConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketReplication, auth.GetReplicationConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -955,10 +955,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetPublicAccessBlock,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetPublicAccessBlock, auth.GetBucketPublicAccessBlockAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetPublicAccessBlock, auth.GetBucketPublicAccessBlockAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -969,10 +969,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketNotificationConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketNotificationConfiguration, auth.GetBucketNotificationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketNotificationConfiguration, auth.GetBucketNotificationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -983,10 +983,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketAccelerateConfiguration,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAccelerateConfiguration, auth.GetAccelerateConfigurationAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketAccelerateConfiguration, auth.GetAccelerateConfigurationAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -997,10 +997,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionGetBucketWebsite,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketWebsite, auth.GetBucketWebsiteAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetBucketWebsite, auth.GetBucketWebsiteAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ParseAcl(be),
 ),
 )
@@ -1011,10 +1011,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ
 metrics.ActionListObjectsV2,
 services,
 middlewares.BucketObjectNameValidator(),
- middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectsV2, auth.ListBucketAction, auth.PermissionRead),
- middlewares.VerifyPresignedV4Signature(root, iam, region),
- middlewares.VerifyV4Signature(root, iam, region),
- middlewares.VerifyMD5Body(),
+ middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjectsV2, auth.ListBucketAction, auth.PermissionRead, false),
+ middlewares.VerifyPresignedV4Signature(root, iam, region, false),
+ middlewares.VerifyV4Signature(root, iam, region, false),
+ middlewares.VerifyMD5Body(false),
 middlewares.ApplyBucketCORS(be),
 middlewares.ParseAcl(be),
 ))
@@ -1024,10 +1024,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionListObjects, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjects, auth.ListBucketAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListObjects, auth.ListBucketAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1040,10 +1040,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteObjects, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjects, auth.DeleteObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjects, auth.DeleteObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1055,10 +1055,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionHeadObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadObject, auth.GetObjectAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionHeadObject, auth.GetObjectAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1071,10 +1071,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObjectTagging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectTagging, auth.GetObjectTaggingAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectTagging, auth.GetObjectTaggingAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1085,10 +1085,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObjectRetention, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectRetention, auth.GetObjectRetentionAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectRetention, auth.GetObjectRetentionAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1099,10 +1099,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObjectLegalHold, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLegalHold, auth.GetObjectLegalHoldAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectLegalHold, auth.GetObjectLegalHoldAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1113,10 +1113,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObjectAcl, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAcl, auth.GetObjectAclAction, auth.PermissionReadAcp), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAcl, auth.GetObjectAclAction, auth.PermissionReadAcp, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1127,10 +1127,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObjectAttributes, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAttributes, auth.GetObjectAttributesAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObjectAttributes, auth.GetObjectAttributesAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1141,10 +1141,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionListParts, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListParts, auth.ListMultipartUploadPartsAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionListParts, auth.ListMultipartUploadPartsAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1154,10 +1154,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionGetObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObject, auth.GetObjectAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionGetObject, auth.GetObjectAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1170,10 +1170,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteObjectTagging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjectTagging, auth.DeleteObjectTaggingAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObjectTagging, auth.DeleteObjectTaggingAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1184,10 +1184,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionAbortMultipartUpload, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionAbortMultipartUpload, auth.AbortMultipartUploadAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionAbortMultipartUpload, auth.AbortMultipartUploadAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1197,10 +1197,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionDeleteObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObject, auth.DeleteObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionDeleteObject, auth.DeleteObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1212,10 +1212,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionRestoreObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionRestoreObject, auth.RestoreObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionRestoreObject, auth.RestoreObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1227,10 +1227,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionSelectObjectContent, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionSelectObjectContent, auth.GetObjectAction, auth.PermissionRead), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionSelectObjectContent, auth.GetObjectAction, auth.PermissionRead, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1241,10 +1241,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionCompleteMultipartUpload, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCompleteMultipartUpload, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCompleteMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1255,10 +1255,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionCreateMultipartUpload, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateMultipartUpload, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCreateMultipartUpload, auth.PutObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1271,10 +1271,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObjectTagging, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectTagging, auth.PutObjectTaggingAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectTagging, auth.PutObjectTaggingAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1285,10 +1285,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObjectRetention, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectRetention, auth.PutObjectRetentionAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectRetention, auth.PutObjectRetentionAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1299,10 +1299,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObjectLegalHold, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLegalHold, auth.PutObjectLegalHoldAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectLegalHold, auth.PutObjectLegalHoldAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1313,10 +1313,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObjectAcl, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectAcl, auth.PutObjectAclAction, auth.PermissionWriteAcp), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObjectAcl, auth.PutObjectAclAction, auth.PermissionWriteAcp, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1328,10 +1328,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionUploadPartCopy, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPartCopy, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPartCopy, auth.PutObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1342,10 +1342,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionUploadPart, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPart, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionUploadPart, auth.PutObjectAction, auth.PermissionWrite, true), + middlewares.VerifyPresignedV4Signature(root, iam, region, true), + middlewares.VerifyV4Signature(root, iam, region, true), + middlewares.VerifyMD5Body(true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) @@ -1368,10 +1368,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionCopyObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCopyObject, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionCopyObject, auth.PutObjectAction, auth.PermissionWrite, false), + middlewares.VerifyPresignedV4Signature(root, iam, region, false), + middlewares.VerifyV4Signature(root, iam, region, false), + middlewares.VerifyMD5Body(false), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) 
@@ -1381,10 +1381,10 @@ func (sa *S3ApiRouter) Init(app *fiber.App, be backend.Backend, iam auth.IAMServ metrics.ActionPutObject, services, middlewares.BucketObjectNameValidator(), - middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObject, auth.PutObjectAction, auth.PermissionWrite), - middlewares.VerifyPresignedV4Signature(root, iam, region), - middlewares.VerifyV4Signature(root, iam, region), - middlewares.VerifyMD5Body(), + middlewares.AuthorizePublicBucketAccess(be, metrics.ActionPutObject, auth.PutObjectAction, auth.PermissionWrite, true), + middlewares.VerifyPresignedV4Signature(root, iam, region, true), + middlewares.VerifyV4Signature(root, iam, region, true), + middlewares.VerifyMD5Body(true), middlewares.ApplyBucketCORS(be), middlewares.ParseAcl(be), )) diff --git a/s3api/utils/auth-reader.go b/s3api/utils/auth-reader.go index 9b2cff0..6c7e5b4 100644 --- a/s3api/utils/auth-reader.go +++ b/s3api/utils/auth-reader.go @@ -106,7 +106,7 @@ func (ar *AuthReader) validateSignature() error { return s3err.GetAPIError(s3err.ErrMissingDateHeader) } - return CheckValidSignature(ar.ctx, ar.auth, ar.secret, hashPayload, tdate, int64(ar.size)) + return CheckValidSignature(ar.ctx, ar.auth, ar.secret, hashPayload, tdate, int64(ar.size), true) } const ( @@ -114,11 +114,11 @@ const ( ) // CheckValidSignature validates the ctx v4 auth signature -func CheckValidSignature(ctx *fiber.Ctx, auth AuthData, secret, checksum string, tdate time.Time, contentLen int64) error { +func CheckValidSignature(ctx *fiber.Ctx, auth AuthData, secret, checksum string, tdate time.Time, contentLen int64, streamBody bool) error { signedHdrs := strings.Split(auth.SignedHeaders, ";") // Create a new http request instance from fasthttp request - req, err := createHttpRequestFromCtx(ctx, signedHdrs, contentLen) + req, err := createHttpRequestFromCtx(ctx, signedHdrs, contentLen, streamBody) if err != nil { return fmt.Errorf("create http request from context: %w", err) } 
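Review bot: `CheckValidSignature` is exported and gains a `streamBody` parameter, but its doc comment still reads only `// CheckValidSignature validates the ctx v4 auth signature`, so a caller cannot tell which value to pass. I would extend it with `// streamBody selects the body of the rebuilt request: true uses ctx.Request().BodyStream(), false uses the buffered ctx.Request().Body().`, which is what `createHttpRequestFromCtx` does with the flag in this commit. `CheckPresignedSignature` in presign-auth-reader.go has the same gap. The function body continues past the end of the hunk.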
diff --git a/s3api/utils/auth_test.go b/s3api/utils/auth_test.go index 38876e7..995243d 100644 --- a/s3api/utils/auth_test.go +++ b/s3api/utils/auth_test.go @@ -92,7 +92,7 @@ func Test_Client_UserAgent(t *testing.T) { } app.Get("/", func(c *fiber.Ctx) error { - req, err := createHttpRequestFromCtx(c, signedHdrs, int64(c.Request().Header.ContentLength())) + req, err := createHttpRequestFromCtx(c, signedHdrs, int64(c.Request().Header.ContentLength()), true) if err != nil { t.Fatal(err) } diff --git a/s3api/utils/csum-reader.go b/s3api/utils/csum-reader.go index d8fe62d..2c5233c 100644 --- a/s3api/utils/csum-reader.go +++ b/s3api/utils/csum-reader.go @@ -115,7 +115,7 @@ func (hr *HashReader) Read(p []byte) (int, error) { case HashTypeMd5: sum := hr.Sum() if sum != hr.sum { - return n, s3err.GetAPIError(s3err.ErrInvalidDigest) + return n, s3err.GetAPIError(s3err.ErrBadDigest) } case HashTypeSha256Hex: sum := hr.Sum() diff --git a/s3api/utils/presign-auth-reader.go b/s3api/utils/presign-auth-reader.go index 083b9a4..e4328cf 100644 --- a/s3api/utils/presign-auth-reader.go +++ b/s3api/utils/presign-auth-reader.go @@ -64,7 +64,7 @@ func (pr *PresignedAuthReader) Read(p []byte) (int, error) { n, err := pr.r.Read(p) if errors.Is(err, io.EOF) { - cerr := CheckPresignedSignature(pr.ctx, pr.auth, pr.secret) + cerr := CheckPresignedSignature(pr.ctx, pr.auth, pr.secret, true) if cerr != nil { return n, cerr } @@ -74,7 +74,7 @@ func (pr *PresignedAuthReader) Read(p []byte) (int, error) { } // CheckPresignedSignature validates presigned request signature -func CheckPresignedSignature(ctx *fiber.Ctx, auth AuthData, secret string) error { +func CheckPresignedSignature(ctx *fiber.Ctx, auth AuthData, secret string, streamBody bool) error { signedHdrs := strings.Split(auth.SignedHeaders, ";") var contentLength int64 
@@ -88,7 +88,7 @@ func CheckPresignedSignature(ctx *fiber.Ctx, auth AuthData, secret string) error } // Create a new http request instance from fasthttp request - req, err := createPresignedHttpRequestFromCtx(ctx, signedHdrs, contentLength) + req, err := createPresignedHttpRequestFromCtx(ctx, signedHdrs, contentLength, streamBody) if err != nil { return fmt.Errorf("create http request from context: %w", err) } diff --git a/s3api/utils/utils.go b/s3api/utils/utils.go index 5c7c2a2..8d28de9 100644 --- a/s3api/utils/utils.go +++ b/s3api/utils/utils.go @@ -57,10 +57,10 @@ func GetUserMetaData(headers *fasthttp.RequestHeader) (metadata map[string]strin return } -func createHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength int64) (*http.Request, error) { +func createHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength int64, streamBody bool) (*http.Request, error) { req := ctx.Request() var body io.Reader - if IsBigDataAction(ctx) { + if streamBody { body = req.BodyStream() } else { body = bytes.NewReader(req.Body()) @@ -112,10 +112,10 @@ var ( } ) -func createPresignedHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength int64) (*http.Request, error) { +func createPresignedHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength int64, streamBody bool) (*http.Request, error) { req := ctx.Request() var body io.Reader - if IsBigDataAction(ctx) { + if streamBody { body = req.BodyStream() } else { body = bytes.NewReader(req.Body()) 
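Review bot: `createHttpRequestFromCtx` and `createPresignedHttpRequestFromCtx` now carry the same `if streamBody { … } else { … }` body selection, so the rule for which body a signature check reads lives in two places that can drift apart. A small unexported helper that both call keeps it in one spot and gives the flag a single documented meaning. Both function bodies continue outside their hunks.

```go
// requestBody returns the body reader for the rebuilt http.Request:
// the fasthttp body stream when streamBody is set, otherwise a reader
// over the already buffered body.
func requestBody(req *fasthttp.Request, streamBody bool) io.Reader {
	if streamBody {
		return req.BodyStream()
	}
	return bytes.NewReader(req.Body())
}

func createHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string, contentLength int64, streamBody bool) (*http.Request, error) {
	req := ctx.Request()
	body := requestBody(req, streamBody)
	// … unchanged: rest of createHttpRequestFromCtx; createPresignedHttpRequestFromCtx calls requestBody the same way …
```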
@@ -236,15 +236,6 @@ func includeHeader(hdr string, signedHdrs []string) bool { return false } -func IsBigDataAction(ctx *fiber.Ctx) bool { - if ctx.Method() == http.MethodPut && len(strings.Split(ctx.Path(), "/")) >= 3 { - if !ctx.Request().URI().QueryArgs().Has("tagging") && ctx.Get("X-Amz-Copy-Source") == "" && !ctx.Request().URI().QueryArgs().Has("acl") { - return true - } - } - return false -} - // expiration time window // https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html#RESTAuthenticationTimeStamp const timeExpirationSec = 15 * 60 diff --git a/s3api/utils/utils_test.go b/s3api/utils/utils_test.go index 6870a86..2bf32e4 100644 --- a/s3api/utils/utils_test.go +++ b/s3api/utils/utils_test.go @@ -81,7 +81,7 @@ func TestCreateHttpRequestFromCtx(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - got, err := createHttpRequestFromCtx(tt.args.ctx, tt.hdrs, 0) + got, err := createHttpRequestFromCtx(tt.args.ctx, tt.hdrs, 0, true) if (err != nil) != tt.wantErr { t.Errorf("CreateHttpRequestFromCtx() error = %v, wantErr %v", err, tt.wantErr) return diff --git a/s3err/s3err.go b/s3err/s3err.go index 85fb111..483c529 100644 --- a/s3err/s3err.go +++ b/s3err/s3err.go @@ -75,6 +75,7 @@ const ( ErrNoSuchUpload ErrInvalidBucketName ErrInvalidDigest + ErrBadDigest ErrInvalidMaxKeys ErrInvalidMaxBuckets ErrInvalidMaxUploads @@ -256,6 +257,11 @@ var errorCodeResponse = map[ErrorCode]APIError{ Description: "The Content-Md5 you specified is not valid.", HTTPStatusCode: http.StatusBadRequest, }, + ErrBadDigest: { + Code: "BadDigest", + Description: "The Content-MD5 you specified did not match what we received.", + HTTPStatusCode: http.StatusBadRequest, + }, ErrInvalidMaxBuckets: { Code: "InvalidArgument", Description: "Argument max-buckets must be an integer between 1 and 10000.", diff --git a/tests/integration/group-tests.go b/tests/integration/group-tests.go index d2cb685..a1aae18 100644 
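Review bot: The table in `TestCreateHttpRequestFromCtx` now always passes `true`, so only the `req.BodyStream()` branch of `createHttpRequestFromCtx` is exercised, while the buffered branch is the one nearly every route in router.go selects after this commit. Adding a `streamBody bool` field to the test cases and calling `createHttpRequestFromCtx(tt.args.ctx, tt.hdrs, 0, tt.streamBody)` would cover both. The test function starts and ends outside this hunk.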
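Review bot: `ErrBadDigest` is inserted between `ErrInvalidDigest` and `ErrInvalidMaxKeys` rather than appended to the const block. If the block is iota-based, which the bare names suggest but the start of the block is outside the hunk, every `ErrorCode` declared after it changes its numeric value. That is harmless in-process but matters if a value is ever logged, persisted or compared numerically elsewhere. Appending new codes at the end, or a comment on the block such as `// ErrorCode values are positional and must not be persisted.`, would settle it.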
--- a/tests/integration/group-tests.go +++ b/tests/integration/group-tests.go @@ -36,7 +36,7 @@ func TestAuthentication(s *S3Conf) { Authentication_date_mismatch(s) Authentication_incorrect_payload_hash(s) Authentication_invalid_sha256_payload_hash(s) - Authentication_incorrect_md5(s) + Authentication_md5(s) Authentication_signature_error_incorrect_secret_key(s) } @@ -562,8 +562,7 @@ func TestPutBucketCors(s *S3Conf) { PutBucketCors_empty_cors_rules(s) PutBucketCors_invalid_method(s) PutBucketCors_invalid_header(s) - PutBucketCors_invalid_content_md5(s) - PutBucketCors_incorrect_content_md5(s) + PutBucketCors_md5(s) PutBucketCors_success(s) } @@ -1045,7 +1044,7 @@ func GetIntTests() IntTests { "Authentication_date_mismatch": Authentication_date_mismatch, "Authentication_incorrect_payload_hash": Authentication_incorrect_payload_hash, "Authentication_invalid_sha256_payload_hash": Authentication_invalid_sha256_payload_hash, - "Authentication_incorrect_md5": Authentication_incorrect_md5, + "Authentication_md5": Authentication_md5, "Authentication_signature_error_incorrect_secret_key": Authentication_signature_error_incorrect_secret_key, "PresignedAuth_security_token_not_supported": PresignedAuth_security_token_not_supported, "PresignedAuth_unsupported_algorithm": PresignedAuth_unsupported_algorithm, @@ -1403,8 +1402,7 @@ func GetIntTests() IntTests { "PutBucketCors_empty_cors_rules": PutBucketCors_empty_cors_rules, "PutBucketCors_invalid_method": PutBucketCors_invalid_method, "PutBucketCors_invalid_header": PutBucketCors_invalid_header, - "PutBucketCors_invalid_content_md5": PutBucketCors_invalid_content_md5, - "PutBucketCors_incorrect_content_md5": PutBucketCors_incorrect_content_md5, + "PutBucketCors_md5": PutBucketCors_md5, "GetBucketCors_non_existing_bucket": GetBucketCors_non_existing_bucket, "GetBucketCors_no_such_bucket_cors": GetBucketCors_no_such_bucket_cors, "GetBucketCors_success": GetBucketCors_success, 
diff --git a/tests/integration/tests.go b/tests/integration/tests.go index 9c7e9aa..87f2c9b 100644 --- a/tests/integration/tests.go +++ b/tests/integration/tests.go @@ -67,7 +67,7 @@ func Authentication_invalid_auth_header(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrInvalidAuthHeader)) }) } @@ -89,7 +89,7 @@ func Authentication_unsupported_signature_version(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrUnsupportedAuthorizationType)) }) } @@ -110,7 +110,7 @@ func Authentication_missing_components(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MissingComponents()) }) } @@ -131,7 +131,7 @@ func Authentication_malformed_component(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MalformedComponent("SignedHeaders-Content-Length")) }) } @@ -152,7 +152,7 @@ func Authentication_missing_credentials(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MissingCredential()) }) } @@ -173,7 +173,7 @@ func Authentication_missing_signedheaders(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MissingSignedHeaders()) }) } @@ -194,7 +194,7 @@ func Authentication_missing_signature(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MissingSignature()) }) } @@ -217,7 +217,7 @@ func Authentication_malformed_credential(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.MalformedCredential()) }) } 
@@ -240,7 +240,7 @@ func Authentication_credentials_invalid_terminal(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.InvalidTerminal("aws_request")) }) } @@ -263,7 +263,7 @@ func Authentication_credentials_incorrect_service(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.IncorrectService("ec2")) }) } @@ -287,7 +287,7 @@ func Authentication_credentials_incorrect_region(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.IncorrectRegion(s.awsRegion, cfg.awsRegion)) }) } @@ -310,7 +310,7 @@ func Authentication_credentials_invalid_date(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.InvalidDateFormat("3223423234")) }) } @@ -407,7 +407,7 @@ func Authentication_credentials_non_existing_access_key(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID)) }) } @@ -427,7 +427,7 @@ func Authentication_missing_date_header(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrMissingDateHeader)) }) } @@ -447,7 +447,7 @@ func Authentication_invalid_date_header(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrMissingDateHeader)) }) } @@ -475,7 +475,7 @@ func Authentication_date_mismatch(s *S3Conf) error { if err != nil { return err } - defer resp.Body.Close() + return checkHTTPResponseApiErr(resp, s3err.MalformedAuth.DateMismatch()) }) } 
@@ -495,7 +495,7 @@ func Authentication_invalid_sha256_payload_hash(s *S3Conf) error {
 if err != nil {
 return err
 }
- defer resp.Body.Close()
+
 return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrInvalidSHA256Paylod))
 })
 }
@@ -516,29 +516,55 @@ func Authentication_incorrect_payload_hash(s *S3Conf) error {
 if err != nil {
 return err
 }
- defer resp.Body.Close()
+
 return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch))
 })
 }
 
-func Authentication_incorrect_md5(s *S3Conf) error {
- testName := "Authentication_incorrect_md5"
+func Authentication_md5(s *S3Conf) error {
+ testName := "Authentication_md5"
+ bucket := getBucketName()
 return authHandler(s, &authConfig{
 testName: testName,
- method: http.MethodGet,
+ method: http.MethodPut,
 body: nil,
 service: "s3",
 date: time.Now(),
+ path: fmt.Sprintf("%s/obj", bucket),
 }, func(req *http.Request) error {
-
- req.Header.Set("Content-Md5", "sadfasdf87sad6f87==")
-
- resp, err := s.httpClient.Do(req)
+ err := setup(s, bucket)
 if err != nil {
 return err
 }
- defer resp.Body.Close()
- return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrInvalidDigest))
+
+ for i, test := range []struct {
+ md5 string
+ err s3err.APIError
+ }{
+ {"invalid_md5", s3err.GetAPIError(s3err.ErrInvalidDigest)},
+ // valid base64, but invalid md5
+ {"aGVsbCBzLGRham5mamFuc2Y=", s3err.GetAPIError(s3err.ErrInvalidDigest)},
+ // valid md5, but incorrect
+ {"XrY7u+Ae7tCTyyK7j1rNww==", s3err.GetAPIError(s3err.ErrBadDigest)},
+ } {
+ req.Header.Set("Content-Md5", test.md5)
+
+ resp, err := s.httpClient.Do(req)
+ if err != nil {
+ return err
+ }
+
+ if err := checkHTTPResponseApiErr(resp, test.err); err != nil {
+ return fmt.Errorf("test %v failed: %v", i+1, err)
+ }
+ }
+
+ err = teardown(s, bucket)
+ if err != nil {
+ return err
+ }
+
+ return nil
 })
 }
 
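Review bot: The `ErrBadDigest` case in Authentication_md5 is only exercised against an empty payload, because the request is built with `body: nil`, and nothing checks that `obj` is absent after the rejected PUT. A mismatch on a non-empty body is the case that matters for integrity, so I would send a payload, e.g. `body: []byte("md5 test payload"),` (assuming authConfig.body accepts a byte slice; its declaration is not in this hunk), and follow the loop with a HEAD on the same path that expects not-found. Separately, every early `return` inside the loop skips `teardown(s, bucket)`, so a failing case leaves the bucket behind.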
@@ -558,7 +584,7 @@ func Authentication_signature_error_incorrect_secret_key(s *S3Conf) error {
 if err != nil {
 return err
 }
- defer resp.Body.Close()
+
 return checkHTTPResponseApiErr(resp, s3err.GetAPIError(s3err.ErrSignatureDoesNotMatch))
 })
 }
@@ -15212,17 +15238,53 @@ func PutBucketCors_invalid_header(s *S3Conf) error {
 })
 }
 
-// TODO: report a bug for this case
-func PutBucketCors_invalid_content_md5(s *S3Conf) error {
- testName := "PutBucketCors_invalid_content_md5"
+func PutBucketCors_md5(s *S3Conf) error {
+ testName := "PutBucketCors_md5"
 return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
- return nil
- })
-}
+ cfg := &types.CORSConfiguration{
+ CORSRules: []types.CORSRule{
+ {
+ AllowedOrigins: []string{"http://origin.com", "something.net"},
+ AllowedMethods: []string{http.MethodPost, http.MethodPut, http.MethodHead},
+ AllowedHeaders: []string{"X-Amz-Date", "X-Amz-Meta-Something", "Content-Type"},
+ ExposeHeaders: []string{"Authorization", "Content-Disposition"},
+ MaxAgeSeconds: getPtr(int32(125)),
+ ID: getPtr("my-id"),
+ },
+ },
+ }
+
+ for i, test := range []struct {
+ md5 string
+ err error
+ }{
+ // invalid content-md5
+ {"invalid", s3err.GetAPIError(s3err.ErrInvalidDigest)},
+ // incorrect content-md5
+ {"uU0nuZNNPgilLlLX2n2r+s==", s3err.GetAPIError(s3err.ErrBadDigest)},
+ // correct content-md5
+ {"liZChnDYdpG46exsGGaBhg==", nil},
+ } {
+ err := putBucketCors(s3client, &s3.PutBucketCorsInput{
+ Bucket: &bucket,
+ CORSConfiguration: cfg,
+ ContentMD5: &test.md5,
+ })
+ if test.err == nil && err != nil {
+ return fmt.Errorf("test %v failed: expected no error but got %v", i+1, err)
+ }
+ if test.err != nil {
+ apiErr, ok := test.err.(s3err.APIError)
+ if !ok {
+ return fmt.Errorf("test %v failed: expected s3err.APIError", i+1)
+ }
+
+ if err := checkApiErr(err, apiErr); err != nil {
+ return fmt.Errorf("test %v failed: %v", i+1, err)
+ }
+ }
+ }
 
-func PutBucketCors_incorrect_content_md5(s *S3Conf) error {
- testName := "PutBucketCors_incorrect_content_md5"
- return actionHandler(s, testName, func(s3client *s3.Client, bucket string) error {
 return nil
 })
 }
diff --git a/tests/integration/utils.go b/tests/integration/utils.go
index 3ca0aa7..5ee4d5d 100644
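Review bot: The "incorrect content-md5" vector `uU0nuZNNPgilLlLX2n2r+s==` in PutBucketCors_md5 is not canonical base64: the last character before the padding carries non-zero trailing bits, so the expected `ErrBadDigest` holds only while the server decodes leniently, and a strict decoder would report `ErrInvalidDigest` instead. Unless pinning the lenient behaviour is intended, use the canonical spelling of the same 16 bytes, `{"uU0nuZNNPgilLlLX2n2r+g==", s3err.GetAPIError(s3err.ErrBadDigest)},`. A comment on the `liZChnDYdpG46exsGGaBhg==` case would also help, stating that it is presumably the MD5 of the XML the SDK serialises for `cfg` and has to be regenerated whenever `cfg` changes.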
--- a/tests/integration/utils.go
+++ b/tests/integration/utils.go
@@ -371,6 +371,8 @@ func checkHTTPResponseApiErr(resp *http.Response, apiErr s3err.APIError) error {
 return err
 }
 
+ resp.Body.Close()
+
 var errResp s3err.APIErrorResponse
 err = xml.Unmarshal(body, &errResp)
 if err != nil {
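Review bot: The added `resp.Body.Close()` sits after an early `return err`, so that error path returns with the response body still open. With this commit the callers in tests.go no longer run `defer resp.Body.Close()` themselves (the hunks from -67 through -558), so nothing else closes it on that path. Making `defer resp.Body.Close()` the first statement of checkHTTPResponseApiErr would cover every return path. The start of the function is outside this hunk, so the statement that produces that error is presumably the body read, but that is not visible here.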