mirror of
https://github.com/versity/versitygw.git
synced 2026-01-10 13:27:21 +00:00
d861dc8e30
Fixes #1600 Fixes #1603 Fixes #1607 Fixes #1626 Fixes #1632 Fixes #1652 Fixes #1653 Fixes #1656 Fixes #1657 Fixes #1659 This PR focuses mainly on unsigned streaming payload **trailer request payload parsing** and **checksum calculation**. For streaming uploads, there are essentially two ways to specify checksums: 1. via `x-amz-checksum-*` headers, 2. via `x-amz-trailer`, or none — in which case the checksum should default to **crc64nvme**. Previously, the implementation calculated the checksum only from `x-amz-checksum-*` headers. Now, `x-amz-trailer` is also treated as a checksum-related header and indicates the checksum algorithm for streaming requests. If `x-amz-trailer` is present, the payload must include a trailing checksum; otherwise, an error is returned. `x-amz-trailer` and any `x-amz-checksum-*` header **cannot** be used together — doing so results in an error. If `x-amz-sdk-checksum-algorithm` is specified, then either `x-amz-trailer` or one of the `x-amz-checksum-*` headers must also be present, and the algorithms must match. If they don’t, an error is returned. The old implementation used to return an internal error when no `x-amz-trailer` was received in streaming requests or when the payload didn’t contain a trailer. This is now fixed. Checksum calculation used to happen twice in the gateway (once in the chunk reader and once in the backend). A new `ChecksumReader` is introduced to prevent double computation, and the trailing checksum is now read by the backend from the chunk reader. The logic for stacking `io.Reader`s in the Fiber context is preserved, but extended: once a `ChecksumReader` is stacked, all following `io.Reader`s are wrapped with `MockChecksumReader`, which simply delegates to the underlying checksum reader. In the backend, a simple type assertion on `io.Reader` provides the necessary checksum metadata (algorithm, value, etc.).
208 lines
6.8 KiB
Go
208 lines
6.8 KiB
Go
// Copyright 2024 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/versity/versitygw/debuglogger"
|
|
"github.com/versity/versitygw/s3err"
|
|
)
|
|
|
|
const (
|
|
maxObjSizeLimit = 5 * 1024 * 1024 * 1024 // 5gb
|
|
)
|
|
|
|
type payloadType string
|
|
|
|
const (
|
|
payloadTypeUnsigned payloadType = "UNSIGNED-PAYLOAD"
|
|
payloadTypeStreamingUnsignedTrailer payloadType = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
|
|
payloadTypeStreamingSigned payloadType = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
|
|
payloadTypeStreamingSignedTrailer payloadType = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"
|
|
payloadTypeStreamingEcdsa payloadType = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD"
|
|
payloadTypeStreamingEcdsaTrailer payloadType = "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER"
|
|
)
|
|
|
|
func getPayloadTypeNotSupportedErr(p payloadType) error {
|
|
return s3err.APIError{
|
|
HTTPStatusCode: http.StatusNotImplemented,
|
|
Code: "NotImplemented",
|
|
Description: fmt.Sprintf("The chunk encoding algorithm %v is not supported.", p),
|
|
}
|
|
}
|
|
|
|
var (
|
|
specialValues = map[payloadType]bool{
|
|
payloadTypeUnsigned: true,
|
|
payloadTypeStreamingUnsignedTrailer: true,
|
|
payloadTypeStreamingSigned: true,
|
|
payloadTypeStreamingSignedTrailer: true,
|
|
payloadTypeStreamingEcdsa: true,
|
|
payloadTypeStreamingEcdsaTrailer: true,
|
|
}
|
|
)
|
|
|
|
func (pt payloadType) isValid() bool {
|
|
return pt == payloadTypeUnsigned ||
|
|
pt == payloadTypeStreamingUnsignedTrailer ||
|
|
pt == payloadTypeStreamingSigned ||
|
|
pt == payloadTypeStreamingSignedTrailer ||
|
|
pt == payloadTypeStreamingEcdsa ||
|
|
pt == payloadTypeStreamingEcdsaTrailer
|
|
}
|
|
|
|
type checksumType string
|
|
|
|
const (
|
|
checksumTypeCrc32 checksumType = "x-amz-checksum-crc32"
|
|
checksumTypeCrc32c checksumType = "x-amz-checksum-crc32c"
|
|
checksumTypeSha1 checksumType = "x-amz-checksum-sha1"
|
|
checksumTypeSha256 checksumType = "x-amz-checksum-sha256"
|
|
checksumTypeCrc64nvme checksumType = "x-amz-checksum-crc64nvme"
|
|
)
|
|
|
|
func (c checksumType) isValid() bool {
|
|
return c == checksumTypeCrc32 ||
|
|
c == checksumTypeCrc32c ||
|
|
c == checksumTypeSha1 ||
|
|
c == checksumTypeSha256 ||
|
|
c == checksumTypeCrc64nvme
|
|
}
|
|
|
|
// Extracts and validates the checksum type from the 'X-Amz-Trailer' header
|
|
func ExtractChecksumType(ctx *fiber.Ctx) (checksumType, error) {
|
|
trailer := ctx.Get("X-Amz-Trailer")
|
|
chType := checksumType(strings.ToLower(trailer))
|
|
if chType != "" && !chType.isValid() {
|
|
debuglogger.Logf("invalid value for 'X-Amz-Trailer': %v", chType)
|
|
return "", s3err.GetAPIError(s3err.ErrTrailerHeaderNotSupported)
|
|
}
|
|
|
|
return chType, nil
|
|
}
|
|
|
|
// IsSpecialPayload checks for special authorization types
|
|
func IsSpecialPayload(str string) bool {
|
|
return specialValues[payloadType(str)]
|
|
}
|
|
|
|
// IsValidSh256PayloadHeader checks if the provided x-amz-content-sha256
|
|
// paylod header is valid special paylod type or a valid sh256 hash
|
|
func IsValidSh256PayloadHeader(value string) bool {
|
|
// empty header is valid
|
|
if value == "" {
|
|
return true
|
|
}
|
|
// special values are valid
|
|
if specialValues[payloadType(value)] {
|
|
return true
|
|
}
|
|
|
|
// check to be a valid sha256
|
|
if len(value) != 64 {
|
|
return false
|
|
}
|
|
|
|
// decode the string as hex
|
|
_, err := hex.DecodeString(value)
|
|
return err == nil
|
|
}
|
|
|
|
// Checks if the provided string is unsigned payload trailer type
|
|
func IsUnsignedStreamingPayload(str string) bool {
|
|
return payloadType(str) == payloadTypeStreamingUnsignedTrailer
|
|
}
|
|
|
|
// IsAnonymousPayloadHashSupported returns error if payload hash
|
|
// is streaming signed.
|
|
// e.g.
|
|
// "STREAMING-AWS4-HMAC-SHA256-PAYLOAD", "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD" ...
|
|
func IsAnonymousPayloadHashSupported(hash string) error {
|
|
switch payloadType(hash) {
|
|
case payloadTypeStreamingEcdsa, payloadTypeStreamingEcdsaTrailer, payloadTypeStreamingSigned, payloadTypeStreamingSignedTrailer:
|
|
return s3err.GetAPIError(s3err.ErrUnsupportedAnonymousSignedStreaming)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// IsUnsignedPaylod checks if the provided payload hash type
|
|
// is "UNSIGNED-PAYLOAD"
|
|
func IsUnsignedPaylod(hash string) bool {
|
|
return hash == string(payloadTypeUnsigned)
|
|
}
|
|
|
|
// IsChunkEncoding checks for streaming/unsigned authorization types
|
|
func IsStreamingPayload(str string) bool {
|
|
pt := payloadType(str)
|
|
return pt == payloadTypeStreamingUnsignedTrailer ||
|
|
pt == payloadTypeStreamingSigned ||
|
|
pt == payloadTypeStreamingSignedTrailer
|
|
}
|
|
|
|
func NewChunkReader(ctx *fiber.Ctx, r io.Reader, authdata AuthData, region, secret string, date time.Time) (io.Reader, error) {
|
|
decContLengthStr := ctx.Get("X-Amz-Decoded-Content-Length")
|
|
if decContLengthStr == "" {
|
|
debuglogger.Logf("missing required header 'X-Amz-Decoded-Content-Length'")
|
|
return nil, s3err.GetAPIError(s3err.ErrMissingContentLength)
|
|
}
|
|
decContLength, err := strconv.ParseInt(decContLengthStr, 10, 64)
|
|
//TODO: not sure if InvalidRequest should be returned in this case
|
|
if err != nil {
|
|
debuglogger.Logf("invalid value for 'X-Amz-Decoded-Content-Length': %v", decContLengthStr)
|
|
return nil, s3err.GetAPIError(s3err.ErrMissingContentLength)
|
|
}
|
|
|
|
if decContLength > maxObjSizeLimit {
|
|
debuglogger.Logf("the object size exceeds the allowed limit: (size): %v, (limit): %v", decContLength, int64(maxObjSizeLimit))
|
|
return nil, s3err.GetAPIError(s3err.ErrEntityTooLarge)
|
|
}
|
|
|
|
contentSha256 := payloadType(ctx.Get("X-Amz-Content-Sha256"))
|
|
if !contentSha256.isValid() {
|
|
//TODO: Add proper APIError
|
|
debuglogger.Logf("invalid value for 'X-Amz-Content-Sha256': %v", contentSha256)
|
|
return nil, fmt.Errorf("invalid x-amz-content-sha256: %v", string(contentSha256))
|
|
}
|
|
|
|
checksumType, err := ExtractChecksumType(ctx)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
switch contentSha256 {
|
|
case payloadTypeStreamingUnsignedTrailer:
|
|
return NewUnsignedChunkReader(r, checksumType)
|
|
case payloadTypeStreamingSignedTrailer:
|
|
return NewSignedChunkReader(r, authdata, region, secret, date, checksumType)
|
|
case payloadTypeStreamingSigned:
|
|
return NewSignedChunkReader(r, authdata, region, secret, date, "")
|
|
// return not supported for:
|
|
// - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD
|
|
// - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER
|
|
default:
|
|
debuglogger.Logf("unsupported chunk reader algorithm: %v", contentSha256)
|
|
return nil, getPayloadTypeNotSupportedErr(contentSha256)
|
|
}
|
|
}
|