You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

414 lines
12 KiB

2 years ago
4 years ago
4 years ago
4 years ago
2 years ago
  1. package s3api
  2. // the related code is copied and modified from minio source code
  3. /*
  4. * Minio Cloud Storage, (C) 2016 Minio, Inc.
  5. *
  6. * Licensed under the Apache License, Version 2.0 (the "License");
  7. * you may not use this file except in compliance with the License.
  8. * You may obtain a copy of the License at
  9. *
  10. * http://www.apache.org/licenses/LICENSE-2.0
  11. *
  12. * Unless required by applicable law or agreed to in writing, software
  13. * distributed under the License is distributed on an "AS IS" BASIS,
  14. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  15. * See the License for the specific language governing permissions and
  16. * limitations under the License.
  17. */
  18. import (
  19. "bufio"
  20. "bytes"
  21. "crypto/sha256"
  22. "encoding/hex"
  23. "errors"
  24. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
  25. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  26. "hash"
  27. "io"
  28. "net/http"
  29. "time"
  30. "github.com/dustin/go-humanize"
  31. )
  32. // getChunkSignature - get chunk signature.
  33. func getChunkSignature(secretKey string, seedSignature string, region string, date time.Time, hashedChunk string) string {
  34. // Calculate string to sign.
  35. stringToSign := signV4ChunkedAlgorithm + "\n" +
  36. date.Format(iso8601Format) + "\n" +
  37. getScope(date, region) + "\n" +
  38. seedSignature + "\n" +
  39. emptySHA256 + "\n" +
  40. hashedChunk
  41. // Get hmac signing key.
  42. signingKey := getSigningKey(secretKey, date, region, "s3")
  43. // Calculate signature.
  44. newSignature := getSignature(signingKey, stringToSign)
  45. return newSignature
  46. }
  47. // calculateSeedSignature - Calculate seed signature in accordance with
  48. // - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html
  49. //
  50. // returns signature, error otherwise if the signature mismatches or any other
  51. // error while parsing and validating.
  52. func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (idnt *Identity, cred *Credential, signature string, region string, date time.Time, errCode s3err.ErrorCode) {
  53. // Copy request.
  54. req := *r
  55. // Save authorization header.
  56. v4Auth := req.Header.Get("Authorization")
  57. // Parse signature version '4' header.
  58. signV4Values, errCode := parseSignV4(v4Auth)
  59. if errCode != s3err.ErrNone {
  60. return nil, nil, "", "", time.Time{}, errCode
  61. }
  62. // Payload streaming.
  63. payload := streamingContentSHA256
  64. // Payload for STREAMING signature should be 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD'
  65. if payload != req.Header.Get("X-Amz-Content-Sha256") {
  66. return nil, nil, "", "", time.Time{}, s3err.ErrContentSHA256Mismatch
  67. }
  68. // Extract all the signed headers along with its values.
  69. extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
  70. if errCode != s3err.ErrNone {
  71. return nil, nil, "", "", time.Time{}, errCode
  72. }
  73. // Verify if the access key id matches.
  74. identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
  75. if !found {
  76. return nil, nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
  77. }
  78. bucket, object := s3_constants.GetBucketAndObject(r)
  79. if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
  80. errCode = s3err.ErrAccessDenied
  81. return
  82. }
  83. // Verify if region is valid.
  84. region = signV4Values.Credential.scope.region
  85. // Extract date, if not present throw error.
  86. var dateStr string
  87. if dateStr = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); dateStr == "" {
  88. if dateStr = r.Header.Get("Date"); dateStr == "" {
  89. return nil, nil, "", "", time.Time{}, s3err.ErrMissingDateHeader
  90. }
  91. }
  92. // Parse date header.
  93. var err error
  94. date, err = time.Parse(iso8601Format, dateStr)
  95. if err != nil {
  96. return nil, nil, "", "", time.Time{}, s3err.ErrMalformedDate
  97. }
  98. // Query string.
  99. queryStr := req.URL.Query().Encode()
  100. // Get canonical request.
  101. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, payload, queryStr, req.URL.Path, req.Method)
  102. // Get string to sign from canonical request.
  103. stringToSign := getStringToSign(canonicalRequest, date, signV4Values.Credential.getScope())
  104. // Get hmac signing key.
  105. signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region, "s3")
  106. // Calculate signature.
  107. newSignature := getSignature(signingKey, stringToSign)
  108. // Verify if signature match.
  109. if !compareSignatureV4(newSignature, signV4Values.Signature) {
  110. return nil, nil, "", "", time.Time{}, s3err.ErrSignatureDoesNotMatch
  111. }
  112. // Return calculated signature.
  113. return identity, cred, newSignature, region, date, s3err.ErrNone
  114. }
  115. const maxLineLength = 4 * humanize.KiByte // assumed <= bufio.defaultBufSize 4KiB
  116. // lineTooLong is generated as chunk header is bigger than 4KiB.
  117. var errLineTooLong = errors.New("header line too long")
  118. // Malformed encoding is generated when chunk header is wrongly formed.
  119. var errMalformedEncoding = errors.New("malformed chunked encoding")
  120. // newSignV4ChunkedReader returns a new s3ChunkedReader that translates the data read from r
  121. // out of HTTP "chunked" format before returning it.
  122. // The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.
  123. func (iam *IdentityAccessManagement) newSignV4ChunkedReader(req *http.Request) (io.ReadCloser, *Identity, s3err.ErrorCode) {
  124. ident, cred, seedSignature, region, seedDate, errCode := iam.calculateSeedSignature(req)
  125. if errCode != s3err.ErrNone {
  126. return nil, nil, errCode
  127. }
  128. return &s3ChunkedReader{
  129. cred: cred,
  130. reader: bufio.NewReader(req.Body),
  131. seedSignature: seedSignature,
  132. seedDate: seedDate,
  133. region: region,
  134. chunkSHA256Writer: sha256.New(),
  135. state: readChunkHeader,
  136. }, ident, s3err.ErrNone
  137. }
  138. // Represents the overall state that is required for decoding a
  139. // AWS Signature V4 chunked reader.
  140. type s3ChunkedReader struct {
  141. cred *Credential
  142. reader *bufio.Reader
  143. seedSignature string
  144. seedDate time.Time
  145. region string
  146. state chunkState
  147. lastChunk bool
  148. chunkSignature string
  149. chunkSHA256Writer hash.Hash // Calculates sha256 of chunk data.
  150. n uint64 // Unread bytes in chunk
  151. err error
  152. }
  153. // Read chunk reads the chunk token signature portion.
  154. func (cr *s3ChunkedReader) readS3ChunkHeader() {
  155. // Read the first chunk line until CRLF.
  156. var hexChunkSize, hexChunkSignature []byte
  157. hexChunkSize, hexChunkSignature, cr.err = readChunkLine(cr.reader)
  158. if cr.err != nil {
  159. return
  160. }
  161. // <hex>;token=value - converts the hex into its uint64 form.
  162. cr.n, cr.err = parseHexUint(hexChunkSize)
  163. if cr.err != nil {
  164. return
  165. }
  166. if cr.n == 0 {
  167. cr.err = io.EOF
  168. }
  169. // Save the incoming chunk signature.
  170. cr.chunkSignature = string(hexChunkSignature)
  171. }
  172. type chunkState int
  173. const (
  174. readChunkHeader chunkState = iota
  175. readChunkTrailer
  176. readChunk
  177. verifyChunk
  178. eofChunk
  179. )
  180. func (cs chunkState) String() string {
  181. stateString := ""
  182. switch cs {
  183. case readChunkHeader:
  184. stateString = "readChunkHeader"
  185. case readChunkTrailer:
  186. stateString = "readChunkTrailer"
  187. case readChunk:
  188. stateString = "readChunk"
  189. case verifyChunk:
  190. stateString = "verifyChunk"
  191. case eofChunk:
  192. stateString = "eofChunk"
  193. }
  194. return stateString
  195. }
  196. func (cr *s3ChunkedReader) Close() (err error) {
  197. return nil
  198. }
  199. // Read - implements `io.Reader`, which transparently decodes
  200. // the incoming AWS Signature V4 streaming signature.
  201. func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
  202. for {
  203. switch cr.state {
  204. case readChunkHeader:
  205. cr.readS3ChunkHeader()
  206. // If we're at the end of a chunk.
  207. if cr.n == 0 && cr.err == io.EOF {
  208. cr.state = readChunkTrailer
  209. cr.lastChunk = true
  210. continue
  211. }
  212. if cr.err != nil {
  213. return 0, cr.err
  214. }
  215. cr.state = readChunk
  216. case readChunkTrailer:
  217. cr.err = readCRLF(cr.reader)
  218. if cr.err != nil {
  219. return 0, errMalformedEncoding
  220. }
  221. cr.state = verifyChunk
  222. case readChunk:
  223. // There is no more space left in the request buffer.
  224. if len(buf) == 0 {
  225. return n, nil
  226. }
  227. rbuf := buf
  228. // The request buffer is larger than the current chunk size.
  229. // Read only the current chunk from the underlying reader.
  230. if uint64(len(rbuf)) > cr.n {
  231. rbuf = rbuf[:cr.n]
  232. }
  233. var n0 int
  234. n0, cr.err = cr.reader.Read(rbuf)
  235. if cr.err != nil {
  236. // We have lesser than chunk size advertised in chunkHeader, this is 'unexpected'.
  237. if cr.err == io.EOF {
  238. cr.err = io.ErrUnexpectedEOF
  239. }
  240. return 0, cr.err
  241. }
  242. // Calculate sha256.
  243. cr.chunkSHA256Writer.Write(rbuf[:n0])
  244. // Update the bytes read into request buffer so far.
  245. n += n0
  246. buf = buf[n0:]
  247. // Update bytes to be read of the current chunk before verifying chunk's signature.
  248. cr.n -= uint64(n0)
  249. // If we're at the end of a chunk.
  250. if cr.n == 0 {
  251. cr.state = readChunkTrailer
  252. continue
  253. }
  254. case verifyChunk:
  255. // Calculate the hashed chunk.
  256. hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
  257. // Calculate the chunk signature.
  258. newSignature := getChunkSignature(cr.cred.SecretKey, cr.seedSignature, cr.region, cr.seedDate, hashedChunk)
  259. if !compareSignatureV4(cr.chunkSignature, newSignature) {
  260. // Chunk signature doesn't match we return signature does not match.
  261. cr.err = errors.New("chunk signature does not match")
  262. return 0, cr.err
  263. }
  264. // Newly calculated signature becomes the seed for the next chunk
  265. // this follows the chaining.
  266. cr.seedSignature = newSignature
  267. cr.chunkSHA256Writer.Reset()
  268. if cr.lastChunk {
  269. cr.state = eofChunk
  270. } else {
  271. cr.state = readChunkHeader
  272. }
  273. case eofChunk:
  274. return n, io.EOF
  275. }
  276. }
  277. }
  278. // readCRLF - check if reader only has '\r\n' CRLF character.
  279. // returns malformed encoding if it doesn't.
  280. func readCRLF(reader io.Reader) error {
  281. buf := make([]byte, 2)
  282. _, err := io.ReadFull(reader, buf[:2])
  283. if err != nil {
  284. return err
  285. }
  286. if buf[0] != '\r' || buf[1] != '\n' {
  287. return errMalformedEncoding
  288. }
  289. return nil
  290. }
  291. // Read a line of bytes (up to \n) from b.
  292. // Give up if the line exceeds maxLineLength.
  293. // The returned bytes are owned by the bufio.Reader
  294. // so they are only valid until the next bufio read.
  295. func readChunkLine(b *bufio.Reader) ([]byte, []byte, error) {
  296. buf, err := b.ReadSlice('\n')
  297. if err != nil {
  298. // We always know when EOF is coming.
  299. // If the caller asked for a line, there should be a line.
  300. if err == io.EOF {
  301. err = io.ErrUnexpectedEOF
  302. } else if err == bufio.ErrBufferFull {
  303. err = errLineTooLong
  304. }
  305. return nil, nil, err
  306. }
  307. if len(buf) >= maxLineLength {
  308. return nil, nil, errLineTooLong
  309. }
  310. // Parse s3 specific chunk extension and fetch the values.
  311. hexChunkSize, hexChunkSignature := parseS3ChunkExtension(buf)
  312. return hexChunkSize, hexChunkSignature, nil
  313. }
  314. // trimTrailingWhitespace - trim trailing white space.
  315. func trimTrailingWhitespace(b []byte) []byte {
  316. for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
  317. b = b[:len(b)-1]
  318. }
  319. return b
  320. }
  321. // isASCIISpace - is ascii space?
  322. func isASCIISpace(b byte) bool {
  323. return b == ' ' || b == '\t' || b == '\n' || b == '\r'
  324. }
  325. // Constant s3 chunk encoding signature.
  326. const s3ChunkSignatureStr = ";chunk-signature="
  327. // parses3ChunkExtension removes any s3 specific chunk-extension from buf.
  328. // For example,
  329. //
  330. // "10000;chunk-signature=..." => "10000", "chunk-signature=..."
  331. func parseS3ChunkExtension(buf []byte) ([]byte, []byte) {
  332. buf = trimTrailingWhitespace(buf)
  333. semi := bytes.Index(buf, []byte(s3ChunkSignatureStr))
  334. // Chunk signature not found, return the whole buffer.
  335. if semi == -1 {
  336. return buf, nil
  337. }
  338. return buf[:semi], parseChunkSignature(buf[semi:])
  339. }
  340. // parseChunkSignature - parse chunk signature.
  341. func parseChunkSignature(chunk []byte) []byte {
  342. chunkSplits := bytes.SplitN(chunk, []byte(s3ChunkSignatureStr), 2)
  343. return chunkSplits[1]
  344. }
  345. // parse hex to uint64.
  346. func parseHexUint(v []byte) (n uint64, err error) {
  347. for i, b := range v {
  348. switch {
  349. case '0' <= b && b <= '9':
  350. b = b - '0'
  351. case 'a' <= b && b <= 'f':
  352. b = b - 'a' + 10
  353. case 'A' <= b && b <= 'F':
  354. b = b - 'A' + 10
  355. default:
  356. return 0, errors.New("invalid byte in chunk length")
  357. }
  358. if i == 16 {
  359. return 0, errors.New("http chunk length too large")
  360. }
  361. n <<= 4
  362. n |= uint64(b)
  363. }
  364. return
  365. }