mirror of
https://github.com/versity/versitygw.git
synced 2026-01-11 05:40:10 +00:00
9eaaeedd28
Fixes #1683 Fixes #1684 Fixes #1685 Fixes #1690 Fixes #1691 Fixes #1692 Fixes #1694 Fixes #1695 This PR primarily focuses on error handling and checksum calculation for signed streaming requests of type `STREAMING-AWS4-HMAC-SHA256-PAYLOAD` and `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER`. It fixes the error type returned when the payload encoding is incorrect: the correct `IncompleteBody` error is now returned. Chunk size validation has been added, enforcing the rule that only the final chunk may be smaller than 8192 bytes. The `x-amz-trailer` header value is now validated against the checksum trailer present in the payload. For `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` requests, if no checksum trailer is provided in the payload, the gateway now returns an `IncompleteBody` error. If there is a mismatch between the `x-amz-trailer` header and the checksum trailer in the payload, or if the checksum header key in the payload is invalid, a `MalformedTrailer` error is returned. The `x-amz-decoded-content-length` header value is now compared against the actual decoded payload length, and an `IncompleteBody` error is returned if there is a mismatch. Finally, the double checksum calculation issue has been fixed. For `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` requests, the trailing checksum is now parsed from the request payload and stored in the backend, instead of being recalculated by the backend.
218 lines
7.0 KiB
Go
218 lines
7.0 KiB
Go
// Copyright 2024 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/versity/versitygw/debuglogger"
|
|
"github.com/versity/versitygw/s3err"
|
|
)
|
|
|
|
const (
|
|
maxObjSizeLimit = 5 * 1024 * 1024 * 1024 // 5gb
|
|
)
|
|
|
|
type payloadType string
|
|
|
|
const (
|
|
payloadTypeUnsigned payloadType = "UNSIGNED-PAYLOAD"
|
|
payloadTypeStreamingUnsignedTrailer payloadType = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
|
|
payloadTypeStreamingSigned payloadType = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
|
|
payloadTypeStreamingSignedTrailer payloadType = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"
|
|
payloadTypeStreamingEcdsa payloadType = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD"
|
|
payloadTypeStreamingEcdsaTrailer payloadType = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER"
|
|
)
|
|
|
|
func getPayloadTypeNotSupportedErr(p payloadType) error {
|
|
return s3err.APIError{
|
|
HTTPStatusCode: http.StatusNotImplemented,
|
|
Code: "NotImplemented",
|
|
Description: fmt.Sprintf("The chunk encoding algorithm %v is not supported.", p),
|
|
}
|
|
}
|
|
|
|
var (
|
|
specialValues = map[payloadType]bool{
|
|
payloadTypeUnsigned: true,
|
|
payloadTypeStreamingUnsignedTrailer: true,
|
|
payloadTypeStreamingSigned: true,
|
|
payloadTypeStreamingSignedTrailer: true,
|
|
payloadTypeStreamingEcdsa: true,
|
|
payloadTypeStreamingEcdsaTrailer: true,
|
|
}
|
|
)
|
|
|
|
func (pt payloadType) isValid() bool {
|
|
return pt == payloadTypeUnsigned ||
|
|
pt == payloadTypeStreamingUnsignedTrailer ||
|
|
pt == payloadTypeStreamingSigned ||
|
|
pt == payloadTypeStreamingSignedTrailer ||
|
|
pt == payloadTypeStreamingEcdsa ||
|
|
pt == payloadTypeStreamingEcdsaTrailer
|
|
}
|
|
|
|
type checksumType string
|
|
|
|
const (
|
|
checksumTypeCrc32 checksumType = "x-amz-checksum-crc32"
|
|
checksumTypeCrc32c checksumType = "x-amz-checksum-crc32c"
|
|
checksumTypeSha1 checksumType = "x-amz-checksum-sha1"
|
|
checksumTypeSha256 checksumType = "x-amz-checksum-sha256"
|
|
checksumTypeCrc64nvme checksumType = "x-amz-checksum-crc64nvme"
|
|
)
|
|
|
|
func (c checksumType) isValid() bool {
|
|
return c == checksumTypeCrc32 ||
|
|
c == checksumTypeCrc32c ||
|
|
c == checksumTypeSha1 ||
|
|
c == checksumTypeSha256 ||
|
|
c == checksumTypeCrc64nvme
|
|
}
|
|
|
|
// Extracts and validates the checksum type from the 'X-Amz-Trailer' header
|
|
func ExtractChecksumType(ctx *fiber.Ctx) (checksumType, error) {
|
|
trailer := ctx.Get("X-Amz-Trailer")
|
|
chType := checksumType(strings.ToLower(trailer))
|
|
if chType != "" && !chType.isValid() {
|
|
debuglogger.Logf("invalid value for 'X-Amz-Trailer': %v", chType)
|
|
return "", s3err.GetAPIError(s3err.ErrTrailerHeaderNotSupported)
|
|
}
|
|
|
|
return chType, nil
|
|
}
|
|
|
|
// IsSpecialPayload checks for special authorization types
|
|
func IsSpecialPayload(str string) bool {
|
|
return specialValues[payloadType(str)]
|
|
}
|
|
|
|
// IsValidSh256PayloadHeader checks if the provided x-amz-content-sha256
|
|
// paylod header is valid special paylod type or a valid sh256 hash
|
|
func IsValidSh256PayloadHeader(value string) bool {
|
|
// empty header is valid
|
|
if value == "" {
|
|
return true
|
|
}
|
|
// special values are valid
|
|
if specialValues[payloadType(value)] {
|
|
return true
|
|
}
|
|
|
|
// check to be a valid sha256
|
|
if len(value) != 64 {
|
|
return false
|
|
}
|
|
|
|
// decode the string as hex
|
|
_, err := hex.DecodeString(value)
|
|
return err == nil
|
|
}
|
|
|
|
// Checks if the provided string is unsigned payload trailer type
|
|
func IsUnsignedStreamingPayload(str string) bool {
|
|
return payloadType(str) == payloadTypeStreamingUnsignedTrailer
|
|
}
|
|
|
|
// IsAnonymousPayloadHashSupported returns error if payload hash
|
|
// is streaming signed.
|
|
// e.g.
|
|
// "STREAMING-AWS4-HMAC-SHA256-PAYLOAD", "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD" ...
|
|
func IsAnonymousPayloadHashSupported(hash string) error {
|
|
switch payloadType(hash) {
|
|
case payloadTypeStreamingEcdsa, payloadTypeStreamingEcdsaTrailer, payloadTypeStreamingSigned, payloadTypeStreamingSignedTrailer:
|
|
return s3err.GetAPIError(s3err.ErrUnsupportedAnonymousSignedStreaming)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// IsUnsignedPaylod checks if the provided payload hash type
|
|
// is "UNSIGNED-PAYLOAD"
|
|
func IsUnsignedPaylod(hash string) bool {
|
|
return hash == string(payloadTypeUnsigned)
|
|
}
|
|
|
|
// IsChunkEncoding checks for streaming/unsigned authorization types
|
|
func IsStreamingPayload(str string) bool {
|
|
pt := payloadType(str)
|
|
return pt == payloadTypeStreamingUnsignedTrailer ||
|
|
pt == payloadTypeStreamingSigned ||
|
|
pt == payloadTypeStreamingSignedTrailer
|
|
}
|
|
|
|
// ParseDecodedContentLength extracts and validates the
|
|
// 'x-amz-decoded-content-length' from fiber context
|
|
func ParseDecodedContentLength(ctx *fiber.Ctx) (int64, error) {
|
|
decContLengthStr := ctx.Get("X-Amz-Decoded-Content-Length")
|
|
if decContLengthStr == "" {
|
|
debuglogger.Logf("missing required header 'X-Amz-Decoded-Content-Length'")
|
|
return 0, s3err.GetAPIError(s3err.ErrMissingContentLength)
|
|
}
|
|
decContLength, err := strconv.ParseInt(decContLengthStr, 10, 64)
|
|
if err != nil {
|
|
debuglogger.Logf("invalid value for 'X-Amz-Decoded-Content-Length': %v", decContLengthStr)
|
|
return 0, s3err.GetAPIError(s3err.ErrMissingContentLength)
|
|
}
|
|
|
|
if decContLength > maxObjSizeLimit {
|
|
debuglogger.Logf("the object size exceeds the allowed limit: (size): %v, (limit): %v", decContLength, int64(maxObjSizeLimit))
|
|
return 0, s3err.GetAPIError(s3err.ErrEntityTooLarge)
|
|
}
|
|
|
|
return decContLength, nil
|
|
}
|
|
|
|
func NewChunkReader(ctx *fiber.Ctx, r io.Reader, authdata AuthData, secret string, date time.Time) (io.Reader, error) {
|
|
cLength, err := ParseDecodedContentLength(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
contentSha256 := payloadType(ctx.Get("X-Amz-Content-Sha256"))
|
|
if !contentSha256.isValid() {
|
|
//TODO: Add proper APIError
|
|
debuglogger.Logf("invalid value for 'X-Amz-Content-Sha256': %v", contentSha256)
|
|
return nil, fmt.Errorf("invalid x-amz-content-sha256: %v", string(contentSha256))
|
|
}
|
|
|
|
checksumType, err := ExtractChecksumType(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
switch contentSha256 {
|
|
case payloadTypeStreamingUnsignedTrailer:
|
|
return NewUnsignedChunkReader(r, checksumType, cLength)
|
|
case payloadTypeStreamingSignedTrailer:
|
|
return NewSignedChunkReader(r, authdata, secret, date, checksumType, true, cLength)
|
|
case payloadTypeStreamingSigned:
|
|
return NewSignedChunkReader(r, authdata, secret, date, "", false, cLength)
|
|
// return not supported for:
|
|
// - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD
|
|
// - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER
|
|
default:
|
|
debuglogger.Logf("unsupported chunk reader algorithm: %v", contentSha256)
|
|
return nil, getPayloadTypeNotSupportedErr(contentSha256)
|
|
}
|
|
}
|