mirror of
https://github.com/versity/versitygw.git
synced 2026-01-08 12:41:10 +00:00
171 lines
5.0 KiB
Go
171 lines
5.0 KiB
Go
// Copyright 2023 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package middlewares
|
|
|
|
import (
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/versity/versitygw/auth"
|
|
"github.com/versity/versitygw/metrics"
|
|
"github.com/versity/versitygw/s3api/controllers"
|
|
"github.com/versity/versitygw/s3api/utils"
|
|
"github.com/versity/versitygw/s3err"
|
|
"github.com/versity/versitygw/s3log"
|
|
)
|
|
|
|
const (
|
|
iso8601Format = "20060102T150405Z"
|
|
)
|
|
|
|
type RootUserConfig struct {
|
|
Access string
|
|
Secret string
|
|
}
|
|
|
|
func VerifyV4Signature(root RootUserConfig, iam auth.IAMService, logger s3log.AuditLogger, mm *metrics.Manager, region string, debug bool) fiber.Handler {
|
|
acct := accounts{root: root, iam: iam}
|
|
|
|
return func(ctx *fiber.Ctx) error {
|
|
// If account is set in context locals, it means it was presigned url case
|
|
_, ok := ctx.Locals("account").(auth.Account)
|
|
if ok {
|
|
return ctx.Next()
|
|
}
|
|
|
|
ctx.Locals("region", region)
|
|
ctx.Locals("startTime", time.Now())
|
|
authorization := ctx.Get("Authorization")
|
|
if authorization == "" {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrAuthHeaderEmpty), logger, mm)
|
|
}
|
|
|
|
authData, err := utils.ParseAuthorization(authorization)
|
|
if err != nil {
|
|
return sendResponse(ctx, err, logger, mm)
|
|
}
|
|
|
|
if authData.Algorithm != "AWS4-HMAC-SHA256" {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureVersionNotSupported), logger, mm)
|
|
}
|
|
|
|
if authData.Region != region {
|
|
return sendResponse(ctx, s3err.APIError{
|
|
Code: "SignatureDoesNotMatch",
|
|
Description: fmt.Sprintf("Credential should be scoped to a valid Region, not %v", authData.Region),
|
|
HTTPStatusCode: http.StatusForbidden,
|
|
}, logger, mm)
|
|
}
|
|
|
|
ctx.Locals("isRoot", authData.Access == root.Access)
|
|
|
|
account, err := acct.getAccount(authData.Access)
|
|
if err == auth.ErrNoSuchUser {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidAccessKeyID), logger, mm)
|
|
}
|
|
if err != nil {
|
|
return sendResponse(ctx, err, logger, mm)
|
|
}
|
|
ctx.Locals("account", account)
|
|
|
|
// Check X-Amz-Date header
|
|
date := ctx.Get("X-Amz-Date")
|
|
if date == "" {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMissingDateHeader), logger, mm)
|
|
}
|
|
|
|
// Parse the date and check the date validity
|
|
tdate, err := time.Parse(iso8601Format, date)
|
|
if err != nil {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrMalformedDate), logger, mm)
|
|
}
|
|
|
|
if date[:8] != authData.Date {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrSignatureDateDoesNotMatch), logger, mm)
|
|
}
|
|
|
|
// Validate the dates difference
|
|
err = utils.ValidateDate(tdate)
|
|
if err != nil {
|
|
return sendResponse(ctx, err, logger, mm)
|
|
}
|
|
|
|
if utils.IsBigDataAction(ctx) {
|
|
// for streaming PUT actions, authorization is deferred
|
|
// until end of stream due to need to get length and
|
|
// checksum of the stream to validate authorization
|
|
wrapBodyReader(ctx, func(r io.Reader) io.Reader {
|
|
return utils.NewAuthReader(ctx, r, authData, account.Secret, debug)
|
|
})
|
|
return ctx.Next()
|
|
}
|
|
|
|
hashPayload := ctx.Get("X-Amz-Content-Sha256")
|
|
if !utils.IsSpecialPayload(hashPayload) {
|
|
// Calculate the hash of the request payload
|
|
hashedPayload := sha256.Sum256(ctx.Body())
|
|
hexPayload := hex.EncodeToString(hashedPayload[:])
|
|
|
|
// Compare the calculated hash with the hash provided
|
|
if hashPayload != hexPayload {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrContentSHA256Mismatch), logger, mm)
|
|
}
|
|
}
|
|
|
|
var contentLength int64
|
|
contentLengthStr := ctx.Get("Content-Length")
|
|
if contentLengthStr != "" {
|
|
contentLength, err = strconv.ParseInt(contentLengthStr, 10, 64)
|
|
if err != nil {
|
|
return sendResponse(ctx, s3err.GetAPIError(s3err.ErrInvalidRequest), logger, mm)
|
|
}
|
|
}
|
|
|
|
err = utils.CheckValidSignature(ctx, authData, account.Secret, hashPayload, tdate, contentLength, debug)
|
|
if err != nil {
|
|
return sendResponse(ctx, err, logger, mm)
|
|
}
|
|
|
|
return ctx.Next()
|
|
}
|
|
}
|
|
|
|
type accounts struct {
|
|
root RootUserConfig
|
|
iam auth.IAMService
|
|
}
|
|
|
|
func (a accounts) getAccount(access string) (auth.Account, error) {
|
|
if access == a.root.Access {
|
|
return auth.Account{
|
|
Access: a.root.Access,
|
|
Secret: a.root.Secret,
|
|
Role: "admin",
|
|
}, nil
|
|
}
|
|
|
|
return a.iam.GetUserAccount(access)
|
|
}
|
|
|
|
func sendResponse(ctx *fiber.Ctx, err error, logger s3log.AuditLogger, mm *metrics.Manager) error {
|
|
return controllers.SendResponse(ctx, err, &controllers.MetaOpts{Logger: logger, MetricsMng: mm})
|
|
}
|