mirror of
https://github.com/versity/versitygw.git
synced 2026-01-05 11:24:52 +00:00
ebdda06633
Closes #1525 * Adds validation for the `Content-MD5` header. * If the header value is invalid, the gateway now returns an `InvalidDigest` error. * If the value is valid but does not match the payload, it returns a `BadDigest` error. * Adds integration test cases for `PutBucketCors` with `Content-MD5`.
145 lines
4.7 KiB
Go
145 lines
4.7 KiB
Go
// Copyright 2023 Versity Software
|
|
// This file is licensed under the Apache License, Version 2.0
|
|
// (the "License"); you may not use this file except in compliance
|
|
// with the License. You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing,
|
|
// software distributed under the License is distributed on an
|
|
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
// KIND, either express or implied. See the License for the
|
|
// specific language governing permissions and limitations
|
|
// under the License.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"net"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
"github.com/gofiber/fiber/v2"
|
|
"github.com/valyala/fasthttp/fasthttputil"
|
|
v4 "github.com/versity/versitygw/aws/signer/v4"
|
|
)
|
|
|
|
func TestAuthParse(t *testing.T) {
|
|
vectors := []struct {
|
|
name string // name of test string
|
|
authstr string // Authorization string
|
|
algo string
|
|
sig string
|
|
}{
|
|
{
|
|
name: "restic",
|
|
authstr: "AWS4-HMAC-SHA256 Credential=user/20240116/us-east-1/s3/aws4_request,SignedHeaders=content-md5;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length,Signature=d5199fc7f3aa35dd3d400427be2ae4c98bfad390785280cbb9eea015b51e12ac",
|
|
algo: "AWS4-HMAC-SHA256",
|
|
sig: "d5199fc7f3aa35dd3d400427be2ae4c98bfad390785280cbb9eea015b51e12ac",
|
|
},
|
|
{
|
|
name: "aws eaxample",
|
|
authstr: "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
|
|
algo: "AWS4-HMAC-SHA256",
|
|
sig: "fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024",
|
|
},
|
|
{
|
|
name: "s3browser",
|
|
authstr: "AWS4-HMAC-SHA256 Credential=access_key/20240206/us-east-1/s3/aws4_request,SignedHeaders=host;user-agent;x-amz-content-sha256;x-amz-date, Signature=37a35d96998d786113ad420c57c22c5433f6aca74f88f26566caa047fc3601c6",
|
|
algo: "AWS4-HMAC-SHA256",
|
|
sig: "37a35d96998d786113ad420c57c22c5433f6aca74f88f26566caa047fc3601c6",
|
|
},
|
|
}
|
|
|
|
for _, v := range vectors {
|
|
t.Run(v.name, func(t *testing.T) {
|
|
data, err := ParseAuthorization(v.authstr)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if data.Algorithm != v.algo {
|
|
t.Errorf("algo got %v, expected %v", data.Algorithm, v.algo)
|
|
}
|
|
if data.Signature != v.sig {
|
|
t.Errorf("signature got %v, expected %v", data.Signature, v.sig)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// 2024/02/06 21:03:28 Request headers:
|
|
// 2024/02/06 21:03:28 Host: 172.21.0.160:11000
|
|
// 2024/02/06 21:03:28 User-Agent: S3 Browser/11.5.7 (https://s3browser.com)
|
|
// 2024/02/06 21:03:28 Authorization: AWS4-HMAC-SHA256 Credential=access_key/20240206/us-east-1/s3/aws4_request,SignedHeaders=host;user-agent;x-amz-content-sha256;x-amz-date, Signature=37a35d96998d786113ad420c57c22c5433f6aca74f88f26566caa047fc3601c6
|
|
// 2024/02/06 21:03:28 X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
|
// 2024/02/06 21:03:28 X-Amz-Date: 20240206T210328Z
|
|
func Test_Client_UserAgent(t *testing.T) {
|
|
signedHdrs := []string{"host", "user-agent", "x-amz-content-sha256", "x-amz-date"}
|
|
access := "access_key"
|
|
secret := "secret_key"
|
|
region := "us-east-1"
|
|
host := "172.21.0.160:11000"
|
|
agent := "S3 Browser/11.5.7 (https://s3browser.com)"
|
|
expectedSig := "37a35d96998d786113ad420c57c22c5433f6aca74f88f26566caa047fc3601c6"
|
|
dateStr := "20240206T210328Z"
|
|
|
|
app := fiber.New(fiber.Config{DisableStartupMessage: true})
|
|
|
|
tdate, err := time.Parse(iso8601Format, dateStr)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
app.Get("/", func(c *fiber.Ctx) error {
|
|
req, err := createHttpRequestFromCtx(c, signedHdrs, int64(c.Request().Header.ContentLength()), true)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
req.Host = host
|
|
req.Header.Set("X-Amz-Content-Sha256", zeroLenSig)
|
|
|
|
signer := v4.NewSigner()
|
|
|
|
signErr := signer.SignHTTP(req.Context(),
|
|
aws.Credentials{
|
|
AccessKeyID: access,
|
|
SecretAccessKey: secret,
|
|
},
|
|
req, zeroLenSig, service, region, tdate, signedHdrs,
|
|
func(options *v4.SignerOptions) {
|
|
options.DisableURIPathEscaping = true
|
|
})
|
|
if signErr != nil {
|
|
t.Fatalf("sign generated http request: %v", err)
|
|
}
|
|
|
|
genAuth, err := ParseAuthorization(req.Header.Get("Authorization"))
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if genAuth.Signature != expectedSig {
|
|
t.Errorf("SIG: %v\nexpected: %v\n", genAuth.Signature, expectedSig)
|
|
}
|
|
|
|
return c.Send(c.Request().Header.UserAgent())
|
|
})
|
|
|
|
ln := fasthttputil.NewInmemoryListener()
|
|
go func() {
|
|
err := app.Listener(ln)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}()
|
|
|
|
c := fiber.AcquireClient()
|
|
c.UserAgent = agent
|
|
a := c.Get("http://example.com")
|
|
a.HostClient.Dial = func(_ string) (net.Conn, error) { return ln.Dial() }
|
|
a.String()
|
|
fiber.ReleaseClient(c)
|
|
}
|