Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11158 Commits
37 Branches
296 Tags
161 MiB
Tree: 11042ddb71
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '11042ddb71'
${ noResults }
seaweedfs/weed/s3api/policy/post-policy_test.go

378 lines
14 KiB
Raw Normal View History

s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
  1. package policy
  3. /*
  4. * MinIO Cloud Storage, (C) 2016, 2017, 2018 MinIO, Inc.
  5. *
  6. * Licensed under the Apache License, Version 2.0 (the "License");
  7. * you may not use this file except in compliance with the License.
  8. * You may obtain a copy of the License at
  9. *
  10. * http://www.apache.org/licenses/LICENSE-2.0
  11. *
  12. * Unless required by applicable law or agreed to in writing, software
  13. * distributed under the License is distributed on an "AS IS" BASIS,
  14. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15. * See the License for the specific language governing permissions and
  16. * limitations under the License.
  17. */
  19. import (
  20. "bytes"
  21. "crypto/hmac"
  22. "crypto/sha1"
  23. "crypto/sha256"
  24. "encoding/base64"
  25. "encoding/hex"
  26. "fmt"
  27. "mime/multipart"
  28. "net/http"
  29. "net/url"
  30. "regexp"
  31. "strings"
  32. "time"
  33. "unicode/utf8"
  34. )
  36. const (
  37. iso8601DateFormat = "20060102T150405Z"
  38. iso8601TimeFormat = "2006-01-02T15:04:05.000Z" // Reply date format with nanosecond precision.
  39. )
  41. func newPostPolicyBytesV4WithContentRange(credential, bucketName, objectKey string, expiration time.Time) []byte {
  42. t := time.Now().UTC()
  43. // Add the expiration date.
  44. expirationStr := fmt.Sprintf(`"expiration": "%s"`, expiration.Format(iso8601TimeFormat))
  45. // Add the bucket condition, only accept buckets equal to the one passed.
  46. bucketConditionStr := fmt.Sprintf(`["eq", "$bucket", "%s"]`, bucketName)
  47. // Add the key condition, only accept keys equal to the one passed.
  48. keyConditionStr := fmt.Sprintf(`["eq", "$key", "%s/upload.txt"]`, objectKey)
  49. // Add content length condition, only accept content sizes of a given length.
  50. contentLengthCondStr := `["content-length-range", 1024, 1048576]`
  51. // Add the algorithm condition, only accept AWS SignV4 Sha256.
  52. algorithmConditionStr := `["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"]`
  53. // Add the date condition, only accept the current date.
  54. dateConditionStr := fmt.Sprintf(`["eq", "$x-amz-date", "%s"]`, t.Format(iso8601DateFormat))
  55. // Add the credential string, only accept the credential passed.
  56. credentialConditionStr := fmt.Sprintf(`["eq", "$x-amz-credential", "%s"]`, credential)
  57. // Add the meta-uuid string, set to 1234
  58. uuidConditionStr := fmt.Sprintf(`["eq", "$x-amz-meta-uuid", "%s"]`, "1234")
  60. // Combine all conditions into one string.
  61. conditionStr := fmt.Sprintf(`"conditions":[%s, %s, %s, %s, %s, %s, %s]`, bucketConditionStr,
  62. keyConditionStr, contentLengthCondStr, algorithmConditionStr, dateConditionStr, credentialConditionStr, uuidConditionStr)
  63. retStr := "{"
  64. retStr = retStr + expirationStr + ","
  65. retStr = retStr + conditionStr
  66. retStr = retStr + "}"
  68. return []byte(retStr)
  69. }
  71. // newPostPolicyBytesV4 - creates a bare bones postpolicy string with key and bucket matches.
  72. func newPostPolicyBytesV4(credential, bucketName, objectKey string, expiration time.Time) []byte {
  73. t := time.Now().UTC()
  74. // Add the expiration date.
  75. expirationStr := fmt.Sprintf(`"expiration": "%s"`, expiration.Format(iso8601TimeFormat))
  76. // Add the bucket condition, only accept buckets equal to the one passed.
  77. bucketConditionStr := fmt.Sprintf(`["eq", "$bucket", "%s"]`, bucketName)
  78. // Add the key condition, only accept keys equal to the one passed.
  79. keyConditionStr := fmt.Sprintf(`["eq", "$key", "%s/upload.txt"]`, objectKey)
  80. // Add the algorithm condition, only accept AWS SignV4 Sha256.
  81. algorithmConditionStr := `["eq", "$x-amz-algorithm", "AWS4-HMAC-SHA256"]`
  82. // Add the date condition, only accept the current date.
  83. dateConditionStr := fmt.Sprintf(`["eq", "$x-amz-date", "%s"]`, t.Format(iso8601DateFormat))
  84. // Add the credential string, only accept the credential passed.
  85. credentialConditionStr := fmt.Sprintf(`["eq", "$x-amz-credential", "%s"]`, credential)
  86. // Add the meta-uuid string, set to 1234
  87. uuidConditionStr := fmt.Sprintf(`["eq", "$x-amz-meta-uuid", "%s"]`, "1234")
  89. // Combine all conditions into one string.
  90. conditionStr := fmt.Sprintf(`"conditions":[%s, %s, %s, %s, %s, %s]`, bucketConditionStr, keyConditionStr, algorithmConditionStr, dateConditionStr, credentialConditionStr, uuidConditionStr)
  91. retStr := "{"
  92. retStr = retStr + expirationStr + ","
  93. retStr = retStr + conditionStr
  94. retStr = retStr + "}"
  96. return []byte(retStr)
  97. }
  99. // newPostPolicyBytesV2 - creates a bare bones postpolicy string with key and bucket matches.
  100. func newPostPolicyBytesV2(bucketName, objectKey string, expiration time.Time) []byte {
  101. // Add the expiration date.
  102. expirationStr := fmt.Sprintf(`"expiration": "%s"`, expiration.Format(iso8601TimeFormat))
  103. // Add the bucket condition, only accept buckets equal to the one passed.
  104. bucketConditionStr := fmt.Sprintf(`["eq", "$bucket", "%s"]`, bucketName)
  105. // Add the key condition, only accept keys equal to the one passed.
  106. keyConditionStr := fmt.Sprintf(`["starts-with", "$key", "%s/upload.txt"]`, objectKey)
  108. // Combine all conditions into one string.
  109. conditionStr := fmt.Sprintf(`"conditions":[%s, %s]`, bucketConditionStr, keyConditionStr)
  110. retStr := "{"
  111. retStr = retStr + expirationStr + ","
  112. retStr = retStr + conditionStr
  113. retStr = retStr + "}"
  115. return []byte(retStr)
  116. }
  118. // Wrapper for calling TestPostPolicyBucketHandler tests for both Erasure multiple disks and single node setup.
  120. // testPostPolicyBucketHandler - Tests validate post policy handler uploading objects.
  122. // Wrapper for calling TestPostPolicyBucketHandlerRedirect tests for both Erasure multiple disks and single node setup.
  124. // testPostPolicyBucketHandlerRedirect tests POST Object when success_action_redirect is specified
  126. // postPresignSignatureV4 - presigned signature for PostPolicy requests.
  127. func postPresignSignatureV4(policyBase64 string, t time.Time, secretAccessKey, location string) string {
  128. // Get signing key.
  129. signingkey := getSigningKey(secretAccessKey, t, location)
  130. // Calculate signature.
  131. signature := getSignature(signingkey, policyBase64)
  132. return signature
  133. }
  135. // copied from auth_signature_v4.go to break import loop
  136. // sumHMAC calculate hmac between two input byte array.
  137. func sumHMAC(key []byte, data []byte) []byte {
  138. hash := hmac.New(sha256.New, key)
  139. hash.Write(data)
  140. return hash.Sum(nil)
  141. }
  143. // copied from auth_signature_v4.go to break import loop
  144. // getSigningKey hmac seed to calculate final signature.
  145. func getSigningKey(secretKey string, t time.Time, region string) []byte {
  146. date := sumHMAC([]byte("AWS4"+secretKey), []byte(t.Format("20060102")))
  147. regionBytes := sumHMAC(date, []byte(region))
  148. service := sumHMAC(regionBytes, []byte("s3"))
  149. signingKey := sumHMAC(service, []byte("aws4_request"))
  150. return signingKey
  151. }
  153. // copied from auth_signature_v4.go to break import loop
  154. // getSignature final signature in hexadecimal form.
  155. func getSignature(signingKey []byte, stringToSign string) string {
  156. return hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
  157. }
  159. // copied from auth_signature_v4.go to break import loop
  160. func calculateSignatureV2(stringToSign string, secret string) string {
  161. hm := hmac.New(sha1.New, []byte(secret))
  162. hm.Write([]byte(stringToSign))
  163. return base64.StdEncoding.EncodeToString(hm.Sum(nil))
  164. }
  166. func newPostRequestV2(endPoint, bucketName, objectName string, accessKey, secretKey string) (*http.Request, error) {
  167. // Expire the request five minutes from now.
  168. expirationTime := time.Now().UTC().Add(time.Minute * 5)
  169. // Create a new post policy.
  170. policy := newPostPolicyBytesV2(bucketName, objectName, expirationTime)
  171. // Only need the encoding.
  172. encodedPolicy := base64.StdEncoding.EncodeToString(policy)
  174. // Presign with V4 signature based on the policy.
  175. signature := calculateSignatureV2(encodedPolicy, secretKey)
  177. formData := map[string]string{
  178. "AWSAccessKeyId": accessKey,
  179. "bucket": bucketName,
  180. "key": objectName + "/${filename}",
  181. "policy": encodedPolicy,
  182. "signature": signature,
  183. }
  185. // Create the multipart form.
  186. var buf bytes.Buffer
  187. w := multipart.NewWriter(&buf)
  189. // Set the normal formData
  190. for k, v := range formData {
  191. w.WriteField(k, v)
  192. }
  193. // Set the File formData
  194. writer, err := w.CreateFormFile("file", "upload.txt")
  195. if err != nil {
  196. // return nil, err
  197. return nil, err
  198. }
  199. writer.Write([]byte("hello world"))
  200. // Close before creating the new request.
  201. w.Close()
  203. // Set the body equal to the created policy.
  204. reader := bytes.NewReader(buf.Bytes())
  206. req, err := http.NewRequest(http.MethodPost, makeTestTargetURL(endPoint, bucketName, "", nil), reader)
  207. if err != nil {
  208. return nil, err
  209. }
  211. // Set form content-type.
  212. req.Header.Set("Content-Type", w.FormDataContentType())
  213. return req, nil
  214. }
  216. func buildGenericPolicy(t time.Time, accessKey, region, bucketName, objectName string, contentLengthRange bool) []byte {
  217. // Expire the request five minutes from now.
  218. expirationTime := t.Add(time.Minute * 5)
  220. credStr := getCredentialString(accessKey, region, t)
  221. // Create a new post policy.
  222. policy := newPostPolicyBytesV4(credStr, bucketName, objectName, expirationTime)
  223. if contentLengthRange {
  224. policy = newPostPolicyBytesV4WithContentRange(credStr, bucketName, objectName, expirationTime)
  225. }
  226. return policy
  227. }
  229. func newPostRequestV4Generic(endPoint, bucketName, objectName string, objData []byte, accessKey, secretKey string, region string,
  230. t time.Time, policy []byte, addFormData map[string]string, corruptedB64 bool, corruptedMultipart bool) (*http.Request, error) {
  231. // Get the user credential.
  232. credStr := getCredentialString(accessKey, region, t)
  234. // Only need the encoding.
  235. encodedPolicy := base64.StdEncoding.EncodeToString(policy)
  237. if corruptedB64 {
  238. encodedPolicy = "%!~&" + encodedPolicy
  239. }
  241. // Presign with V4 signature based on the policy.
  242. signature := postPresignSignatureV4(encodedPolicy, t, secretKey, region)
  244. formData := map[string]string{
  245. "bucket": bucketName,
  246. "key": objectName + "/${filename}",
  247. "x-amz-credential": credStr,
  248. "policy": encodedPolicy,
  249. "x-amz-signature": signature,
  250. "x-amz-date": t.Format(iso8601DateFormat),
  251. "x-amz-algorithm": "AWS4-HMAC-SHA256",
  252. "x-amz-meta-uuid": "1234",
  253. "Content-Encoding": "gzip",
  254. }
  256. // Add form data
  257. for k, v := range addFormData {
  258. formData[k] = v
  259. }
  261. // Create the multipart form.
  262. var buf bytes.Buffer
  263. w := multipart.NewWriter(&buf)
  265. // Set the normal formData
  266. for k, v := range formData {
  267. w.WriteField(k, v)
  268. }
  269. // Set the File formData but don't if we want send an incomplete multipart request
  270. if !corruptedMultipart {
  271. writer, err := w.CreateFormFile("file", "upload.txt")
  272. if err != nil {
  273. // return nil, err
  274. return nil, err
  275. }
  276. writer.Write(objData)
  277. // Close before creating the new request.
  278. w.Close()
  279. }
  281. // Set the body equal to the created policy.
  282. reader := bytes.NewReader(buf.Bytes())
  284. req, err := http.NewRequest(http.MethodPost, makeTestTargetURL(endPoint, bucketName, "", nil), reader)
  285. if err != nil {
  286. return nil, err
  287. }
  289. // Set form content-type.
  290. req.Header.Set("Content-Type", w.FormDataContentType())
  291. return req, nil
  292. }
  294. func newPostRequestV4WithContentLength(endPoint, bucketName, objectName string, objData []byte, accessKey, secretKey string) (*http.Request, error) {
  295. t := time.Now().UTC()
  296. region := "us-east-1"
  297. policy := buildGenericPolicy(t, accessKey, region, bucketName, objectName, true)
  298. return newPostRequestV4Generic(endPoint, bucketName, objectName, objData, accessKey, secretKey, region, t, policy, nil, false, false)
  299. }
  301. func newPostRequestV4(endPoint, bucketName, objectName string, objData []byte, accessKey, secretKey string) (*http.Request, error) {
  302. t := time.Now().UTC()
  303. region := "us-east-1"
  304. policy := buildGenericPolicy(t, accessKey, region, bucketName, objectName, false)
  305. return newPostRequestV4Generic(endPoint, bucketName, objectName, objData, accessKey, secretKey, region, t, policy, nil, false, false)
  306. }
  308. // construct URL for http requests for bucket operations.
  309. func makeTestTargetURL(endPoint, bucketName, objectName string, queryValues url.Values) string {
  310. urlStr := endPoint + "/"
  311. if bucketName != "" {
  312. urlStr = urlStr + bucketName + "/"
  313. }
  314. if objectName != "" {
  315. urlStr = urlStr + EncodePath(objectName)
  316. }
  317. if len(queryValues) > 0 {
  318. urlStr = urlStr + "?" + queryValues.Encode()
  319. }
  320. return urlStr
  321. }
  323. // if object matches reserved string, no need to encode them
  324. var reservedObjectNames = regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")
  326. // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
  327. //
  328. // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
  329. // non english characters cannot be parsed due to the nature in which url.Encode() is written
  330. //
  331. // This function on the other hand is a direct replacement for url.Encode() technique to support
  332. // pretty much every UTF-8 character.
  333. func EncodePath(pathName string) string {
  334. if reservedObjectNames.MatchString(pathName) {
  335. return pathName
  336. }
  337. var encodedPathname string
  338. for _, s := range pathName {
  339. if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
  340. encodedPathname = encodedPathname + string(s)
  341. continue
  342. }
  343. switch s {
  344. case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
  345. encodedPathname = encodedPathname + string(s)
  346. continue
  347. default:
  348. len := utf8.RuneLen(s)
  349. if len < 0 {
  350. // if utf8 cannot convert return the same string as is
  351. return pathName
  352. }
  353. u := make([]byte, len)
  354. utf8.EncodeRune(u, s)
  355. for _, r := range u {
  356. hex := hex.EncodeToString([]byte{r})
  357. encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
  358. }
  359. }
  360. }
  361. return encodedPathname
  362. }
  364. // getCredentialString generate a credential string.
  365. func getCredentialString(accessKeyID, location string, t time.Time) string {
  366. return accessKeyID + "/" + getScope(t, location)
  367. }
  369. // getScope generate a string of a specific date, an AWS region, and a service.
  370. func getScope(t time.Time, region string) string {
  371. scope := strings.Join([]string{
  372. t.Format("20060102"),
  373. region,
  374. string("s3"),
  375. "aws4_request",
  376. }, "/")
  377. return scope
  378. }