mirror of
https://github.com/versity/versitygw.git
synced 2026-03-27 18:05:00 +00:00
d507673c1b
Closes #1648 Fixes #1980 Fixes #1981 This PR implements browser-based POST object uploads for S3-compatible form uploads. It adds support for handling `multipart/form-data` object uploads submitted from browsers, including streaming multipart parsing so file content is not buffered in memory, POST policy decoding and evaluation, SigV4-based form authorization, and integration with the existing `PutObject` backend flow. The implementation covers the full browser POST upload path, including validation of required form fields, credential scope and request date checks, signature verification, metadata extraction from `x-amz-meta-*` fields, checksum field parsing, object tagging conversion from XML into the query-string format expected by `PutObject`, and browser-compatible success handling through `success_action_status` and `success_action_redirect`. It also wires the new flow into the router and metrics layer and adds POST-specific error handling and debug logging across policy parsing, multipart parsing, and POST authorization. AWS S3 also accepts the `redirect` form field alongside `success_action_redirect`, but since AWS has marked `redirect` as deprecated and is planning to remove it, this gateway intentionally does not support it.
270 lines
7.0 KiB
Go
270 lines
7.0 KiB
Go
// Copyright 2023 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/url"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
|
|
"github.com/aws/smithy-go/logging"
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/versity/versitygw/debuglogger"
|
|
"github.com/versity/versitygw/s3err"
|
|
)
|
|
|
|
const (
|
|
unsignedPayload string = "UNSIGNED-PAYLOAD"
|
|
|
|
algoHMAC string = "AWS4-HMAC-SHA256"
|
|
algoECDSA string = "AWS4-ECDSA-P256-SHA256"
|
|
)
|
|
|
|
// PresignedAuthReader is an io.Reader that validates presigned request authorization
|
|
// once the underlying reader returns io.EOF. This is needed for streaming
|
|
// data requests where the data size is not known until
|
|
// the data is completely read.
|
|
type PresignedAuthReader struct {
|
|
ctx *fiber.Ctx
|
|
auth AuthData
|
|
secret string
|
|
r io.Reader
|
|
}
|
|
|
|
func NewPresignedAuthReader(ctx *fiber.Ctx, r io.Reader, auth AuthData, secret string) *PresignedAuthReader {
|
|
return &PresignedAuthReader{
|
|
ctx: ctx,
|
|
r: r,
|
|
auth: auth,
|
|
secret: secret,
|
|
}
|
|
}
|
|
|
|
// Read allows *PresignedAuthReader to be used as an io.Reader
|
|
func (pr *PresignedAuthReader) Read(p []byte) (int, error) {
|
|
n, err := pr.r.Read(p)
|
|
|
|
if errors.Is(err, io.EOF) {
|
|
cerr := CheckPresignedSignature(pr.ctx, pr.auth, pr.secret, true)
|
|
if cerr != nil {
|
|
return n, cerr
|
|
}
|
|
}
|
|
|
|
return n, err
|
|
}
|
|
|
|
// CheckPresignedSignature validates presigned request signature
|
|
func CheckPresignedSignature(ctx *fiber.Ctx, auth AuthData, secret string, streamBody bool) error {
|
|
signedHdrs := strings.Split(auth.SignedHeaders, ";")
|
|
|
|
var contentLength int64
|
|
var err error
|
|
contentLengthStr := ctx.Get("Content-Length")
|
|
if contentLengthStr != "" {
|
|
contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
|
|
if err != nil {
|
|
return s3err.GetAPIError(s3err.ErrInvalidRequest)
|
|
}
|
|
}
|
|
|
|
// Create a new http request instance from fasthttp request
|
|
req, err := createPresignedHttpRequestFromCtx(ctx, signedHdrs, contentLength, streamBody)
|
|
if err != nil {
|
|
return fmt.Errorf("create http request from context: %w", err)
|
|
}
|
|
|
|
date, _ := time.Parse(iso8601Format, auth.Date)
|
|
|
|
signer := v4.NewSigner()
|
|
uri, _, signErr := signer.PresignHTTP(ctx.Context(), aws.Credentials{
|
|
AccessKeyID: auth.Access,
|
|
SecretAccessKey: secret,
|
|
}, req, unsignedPayload, service, auth.Region, date, func(options *v4.SignerOptions) {
|
|
options.DisableURIPathEscaping = true
|
|
if debuglogger.IsDebugEnabled() {
|
|
options.LogSigning = true
|
|
options.Logger = logging.NewStandardLogger(os.Stderr)
|
|
}
|
|
})
|
|
if signErr != nil {
|
|
return fmt.Errorf("presign generated http request: %w", err)
|
|
}
|
|
|
|
urlParts, err := url.Parse(uri)
|
|
if err != nil {
|
|
return fmt.Errorf("parse presigned url: %w", err)
|
|
}
|
|
|
|
signature := urlParts.Query().Get("X-Amz-Signature")
|
|
if signature != auth.Signature {
|
|
return s3err.GetAPIError(s3err.ErrSignatureDoesNotMatch)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
|
|
//
|
|
// # ParsePresignedURIParts parses and validates request URL query parameters
|
|
//
|
|
// ?X-Amz-Algorithm=AWS4-HMAC-SHA256
|
|
// &X-Amz-Credential=access-key-id/20130721/us-east-1/s3/aws4_request
|
|
// &X-Amz-Date=20130721T201207Z
|
|
// &X-Amz-Expires=86400
|
|
// &X-Amz-SignedHeaders=host
|
|
// &X-Amz-Signature=1e68ad45c1db540284a4a1eca3884c293ba1a0ff63ab9db9a15b5b29dfa02cd8
|
|
func ParsePresignedURIParts(ctx *fiber.Ctx, region string) (AuthData, error) {
|
|
a := AuthData{}
|
|
|
|
// Get and verify algorithm query parameter
|
|
algo := ctx.Query("X-Amz-Algorithm")
|
|
err := validateAlgorithm(algo)
|
|
if err != nil {
|
|
return a, err
|
|
}
|
|
|
|
// Parse and validate credentials query parameter
|
|
credsQuery := ctx.Query("X-Amz-Credential")
|
|
if credsQuery == "" {
|
|
return a, s3err.QueryAuthErrors.MissingRequiredParams()
|
|
}
|
|
|
|
creds, err := ParseCredentials(credsQuery, s3err.QueryAuthErrors)
|
|
if err != nil {
|
|
return a, err
|
|
}
|
|
|
|
// validate the region
|
|
if creds.Region != region {
|
|
return a, s3err.QueryAuthErrors.IncorrectRegion(region, creds.Region)
|
|
}
|
|
|
|
// Parse and validate Date query param
|
|
date := ctx.Query("X-Amz-Date")
|
|
if date == "" {
|
|
return a, s3err.QueryAuthErrors.MissingRequiredParams()
|
|
}
|
|
|
|
tdate, err := time.Parse(iso8601Format, date)
|
|
if err != nil {
|
|
return a, s3err.QueryAuthErrors.InvalidXAmzDateFormat()
|
|
}
|
|
|
|
if date[:8] != creds.Date {
|
|
return a, s3err.QueryAuthErrors.DateMismatch(creds.Date, date[:8])
|
|
}
|
|
|
|
signature := ctx.Query("X-Amz-Signature")
|
|
if signature == "" {
|
|
return a, s3err.QueryAuthErrors.MissingRequiredParams()
|
|
}
|
|
|
|
signedHdrs := ctx.Query("X-Amz-SignedHeaders")
|
|
if signedHdrs == "" {
|
|
return a, s3err.QueryAuthErrors.MissingRequiredParams()
|
|
}
|
|
|
|
// Validate X-Amz-Expires query param and check if request is expired
|
|
err = validateExpiration(ctx.Query("X-Amz-Expires"), tdate)
|
|
if err != nil {
|
|
return a, err
|
|
}
|
|
|
|
a.Signature = signature
|
|
a.Access = creds.Access
|
|
a.Algorithm = algo
|
|
a.Region = creds.Region
|
|
a.SignedHeaders = signedHdrs
|
|
a.Date = date
|
|
|
|
return a, nil
|
|
}
|
|
|
|
func validateExpiration(str string, date time.Time) error {
|
|
if str == "" {
|
|
return s3err.QueryAuthErrors.MissingRequiredParams()
|
|
}
|
|
|
|
exp, err := strconv.Atoi(str)
|
|
if err != nil {
|
|
return s3err.QueryAuthErrors.ExpiresNumber()
|
|
}
|
|
|
|
if exp < 0 {
|
|
return s3err.QueryAuthErrors.ExpiresNegative()
|
|
}
|
|
|
|
if exp > 604800 {
|
|
return s3err.QueryAuthErrors.ExpiresTooLarge()
|
|
}
|
|
|
|
now := time.Now()
|
|
passed := int(now.Sub(date).Seconds())
|
|
|
|
if passed > exp {
|
|
return s3err.GetAPIError(s3err.ErrExpiredPresignRequest)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// validateAlgorithm validates the algorithm
|
|
// for AWS4-ECDSA-P256-SHA256 it returns a custom non AWS error
|
|
// currently only AWS4-HMAC-SHA256 algorithm is supported
|
|
func validateAlgorithm(algo string) error {
|
|
switch algo {
|
|
case "":
|
|
return s3err.QueryAuthErrors.MissingRequiredParams()
|
|
case algoHMAC:
|
|
return nil
|
|
case algoECDSA:
|
|
return s3err.QueryAuthErrors.OnlyHMACSupported()
|
|
default:
|
|
// all other algorithms are considerd as invalid
|
|
return s3err.QueryAuthErrors.UnsupportedAlgorithm()
|
|
}
|
|
}
|
|
|
|
// IsPresignedURLAuth determines if the request is presigned:
|
|
// which is authorization with query params
|
|
func IsPresignedURLAuth(ctx *fiber.Ctx) bool {
|
|
algo := ctx.Query("X-Amz-Algorithm")
|
|
creds := ctx.Query("X-Amz-Credential")
|
|
signature := ctx.Query("X-Amz-Signature")
|
|
signedHeaders := ctx.Query("X-Amz-SignedHeaders")
|
|
expires := ctx.Query("X-Amz-Expires")
|
|
|
|
return !isEmpty(algo, creds, signature, signedHeaders, expires)
|
|
}
|
|
|
|
// isEmpty checks if all the given strings are empty
|
|
func isEmpty(args ...string) bool {
|
|
for _, a := range args {
|
|
if a != "" {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|