Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10623 Commits
32 Branches
296 Tags
160 MiB
Tree: 843e778875
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '843e778875'
${ noResults }
seaweedfs/weed/s3api/auth_signature_v2.go

428 lines
13 KiB
Raw Normal View History

add v2 support
5 years ago
move to https://github.com/seaweedfs/seaweedfs
2 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
s3: add support for PostPolicy fix https://github.com/chrislusf/seaweedfs/issues/1426
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
go fmt
2 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
refactoring
4 years ago
add v2 support
5 years ago
  1. /*
  2. * The following code tries to reverse engineer the Amazon S3 APIs,
  3. * and is mostly copied from minio implementation.
  4. */
  6. // Licensed under the Apache License, Version 2.0 (the "License");
  7. // you may not use this file except in compliance with the License.
  8. // You may obtain a copy of the License at
  9. //
  10. // http://www.apache.org/licenses/LICENSE-2.0
  11. //
  12. // Unless required by applicable law or agreed to in writing, software
  13. // distributed under the License is distributed on an "AS IS" BASIS,
  14. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
  15. // implied. See the License for the specific language governing
  16. // permissions and limitations under the License.
  18. package s3api
  20. import (
  21. "crypto/hmac"
  22. "crypto/sha1"
  23. "crypto/subtle"
  24. "encoding/base64"
  25. "fmt"
  26. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  27. "net"
  28. "net/http"
  29. "net/url"
  30. "path"
  31. "sort"
  32. "strconv"
  33. "strings"
  34. "time"
  35. )
  37. // Whitelist resource list that will be used in query string for signature-V2 calculation.
  38. // The list should be alphabetically sorted
  39. var resourceList = []string{
  40. "acl",
  41. "delete",
  42. "lifecycle",
  43. "location",
  44. "logging",
  45. "notification",
  46. "partNumber",
  47. "policy",
  48. "requestPayment",
  49. "response-cache-control",
  50. "response-content-disposition",
  51. "response-content-encoding",
  52. "response-content-language",
  53. "response-content-type",
  54. "response-expires",
  55. "torrent",
  56. "uploadId",
  57. "uploads",
  58. "versionId",
  59. "versioning",
  60. "versions",
  61. "website",
  62. }
  64. // Verify if request has valid AWS Signature Version '2'.
  65. func (iam *IdentityAccessManagement) isReqAuthenticatedV2(r *http.Request) (*Identity, s3err.ErrorCode) {
  66. if isRequestSignatureV2(r) {
  67. return iam.doesSignV2Match(r)
  68. }
  69. return iam.doesPresignV2SignatureMatch(r)
  70. }
  72. func (iam *IdentityAccessManagement) doesPolicySignatureV2Match(formValues http.Header) s3err.ErrorCode {
  73. accessKey := formValues.Get("AWSAccessKeyId")
  74. _, cred, found := iam.lookupByAccessKey(accessKey)
  75. if !found {
  76. return s3err.ErrInvalidAccessKeyID
  77. }
  78. policy := formValues.Get("Policy")
  79. signature := formValues.Get("Signature")
  80. if !compareSignatureV2(signature, calculateSignatureV2(policy, cred.SecretKey)) {
  81. return s3err.ErrSignatureDoesNotMatch
  82. }
  83. return s3err.ErrNone
  84. }
  86. // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;
  87. // Signature = Base64( HMAC-SHA1( YourSecretKey, UTF-8-Encoding-Of( StringToSign ) ) );
  88. //
  89. // StringToSign = HTTP-Verb + "\n" +
  90. // Content-Md5 + "\n" +
  91. // Content-Type + "\n" +
  92. // Date + "\n" +
  93. // CanonicalizedProtocolHeaders +
  94. // CanonicalizedResource;
  95. //
  96. // CanonicalizedResource = [ "/" + Bucket ] +
  97. // <HTTP-Request-URI, from the protocol name up to the query string> +
  98. // [ subresource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
  99. //
  100. // CanonicalizedProtocolHeaders = <described below>
  102. // doesSignV2Match - Verify authorization header with calculated header in accordance with
  103. // - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html
  104. // returns true if matches, false otherwise. if error is not nil then it is always false
  106. func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorCode) {
  107. if v2Auth == "" {
  108. return "", s3err.ErrAuthHeaderEmpty
  109. }
  110. // Verify if the header algorithm is supported or not.
  111. if !strings.HasPrefix(v2Auth, signV2Algorithm) {
  112. return "", s3err.ErrSignatureVersionNotSupported
  113. }
  115. // below is V2 Signed Auth header format, splitting on `space` (after the `AWS` string).
  116. // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature
  117. authFields := strings.Split(v2Auth, " ")
  118. if len(authFields) != 2 {
  119. return "", s3err.ErrMissingFields
  120. }
  122. // Then will be splitting on ":", this will separate `AWSAccessKeyId` and `Signature` string.
  123. keySignFields := strings.Split(strings.TrimSpace(authFields[1]), ":")
  124. if len(keySignFields) != 2 {
  125. return "", s3err.ErrMissingFields
  126. }
  128. return keySignFields[0], s3err.ErrNone
  129. }
  131. func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity, s3err.ErrorCode) {
  132. v2Auth := r.Header.Get("Authorization")
  134. accessKey, apiError := validateV2AuthHeader(v2Auth)
  135. if apiError != s3err.ErrNone {
  136. return nil, apiError
  137. }
  139. // Access credentials.
  140. // Validate if access key id same.
  141. ident, cred, found := iam.lookupByAccessKey(accessKey)
  142. if !found {
  143. return nil, s3err.ErrInvalidAccessKeyID
  144. }
  146. // r.RequestURI will have raw encoded URI as sent by the client.
  147. tokens := strings.SplitN(r.RequestURI, "?", 2)
  148. encodedResource := tokens[0]
  149. encodedQuery := ""
  150. if len(tokens) == 2 {
  151. encodedQuery = tokens[1]
  152. }
  154. unescapedQueries, err := unescapeQueries(encodedQuery)
  155. if err != nil {
  156. return nil, s3err.ErrInvalidQueryParams
  157. }
  159. encodedResource, err = getResource(encodedResource, r.Host, iam.domain)
  160. if err != nil {
  161. return nil, s3err.ErrInvalidRequest
  162. }
  164. prefix := fmt.Sprintf("%s %s:", signV2Algorithm, cred.AccessKey)
  165. if !strings.HasPrefix(v2Auth, prefix) {
  166. return nil, s3err.ErrSignatureDoesNotMatch
  167. }
  168. v2Auth = v2Auth[len(prefix):]
  169. expectedAuth := signatureV2(cred, r.Method, encodedResource, strings.Join(unescapedQueries, "&"), r.Header)
  170. if !compareSignatureV2(v2Auth, expectedAuth) {
  171. return nil, s3err.ErrSignatureDoesNotMatch
  172. }
  173. return ident, s3err.ErrNone
  174. }
  176. // doesPresignV2SignatureMatch - Verify query headers with presigned signature
  177. // - http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
  178. //
  179. // returns ErrNone if matches. S3 errors otherwise.
  180. func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request) (*Identity, s3err.ErrorCode) {
  182. // r.RequestURI will have raw encoded URI as sent by the client.
  183. tokens := strings.SplitN(r.RequestURI, "?", 2)
  184. encodedResource := tokens[0]
  185. encodedQuery := ""
  186. if len(tokens) == 2 {
  187. encodedQuery = tokens[1]
  188. }
  190. var (
  191. filteredQueries []string
  192. gotSignature string
  193. expires string
  194. accessKey string
  195. err error
  196. )
  198. var unescapedQueries []string
  199. unescapedQueries, err = unescapeQueries(encodedQuery)
  200. if err != nil {
  201. return nil, s3err.ErrInvalidQueryParams
  202. }
  204. // Extract the necessary values from presigned query, construct a list of new filtered queries.
  205. for _, query := range unescapedQueries {
  206. keyval := strings.SplitN(query, "=", 2)
  207. if len(keyval) != 2 {
  208. return nil, s3err.ErrInvalidQueryParams
  209. }
  210. switch keyval[0] {
  211. case "AWSAccessKeyId":
  212. accessKey = keyval[1]
  213. case "Signature":
  214. gotSignature = keyval[1]
  215. case "Expires":
  216. expires = keyval[1]
  217. default:
  218. filteredQueries = append(filteredQueries, query)
  219. }
  220. }
  222. // Invalid values returns error.
  223. if accessKey == "" || gotSignature == "" || expires == "" {
  224. return nil, s3err.ErrInvalidQueryParams
  225. }
  227. // Validate if access key id same.
  228. ident, cred, found := iam.lookupByAccessKey(accessKey)
  229. if !found {
  230. return nil, s3err.ErrInvalidAccessKeyID
  231. }
  233. // Make sure the request has not expired.
  234. expiresInt, err := strconv.ParseInt(expires, 10, 64)
  235. if err != nil {
  236. return nil, s3err.ErrMalformedExpires
  237. }
  239. // Check if the presigned URL has expired.
  240. if expiresInt < time.Now().UTC().Unix() {
  241. return nil, s3err.ErrExpiredPresignRequest
  242. }
  244. encodedResource, err = getResource(encodedResource, r.Host, iam.domain)
  245. if err != nil {
  246. return nil, s3err.ErrInvalidRequest
  247. }
  249. expectedSignature := preSignatureV2(cred, r.Method, encodedResource, strings.Join(filteredQueries, "&"), r.Header, expires)
  250. if !compareSignatureV2(gotSignature, expectedSignature) {
  251. return nil, s3err.ErrSignatureDoesNotMatch
  252. }
  254. return ident, s3err.ErrNone
  255. }
  257. // Escape encodedQuery string into unescaped list of query params, returns error
  258. // if any while unescaping the values.
  259. func unescapeQueries(encodedQuery string) (unescapedQueries []string, err error) {
  260. for _, query := range strings.Split(encodedQuery, "&") {
  261. var unescapedQuery string
  262. unescapedQuery, err = url.QueryUnescape(query)
  263. if err != nil {
  264. return nil, err
  265. }
  266. unescapedQueries = append(unescapedQueries, unescapedQuery)
  267. }
  268. return unescapedQueries, nil
  269. }
  271. // Returns "/bucketName/objectName" for path-style or virtual-host-style requests.
  272. func getResource(path string, host string, domain string) (string, error) {
  273. if domain == "" {
  274. return path, nil
  275. }
  276. // If virtual-host-style is enabled construct the "resource" properly.
  277. if strings.Contains(host, ":") {
  278. // In bucket.mydomain.com:9000, strip out :9000
  279. var err error
  280. if host, _, err = net.SplitHostPort(host); err != nil {
  281. return "", err
  282. }
  283. }
  284. if !strings.HasSuffix(host, "."+domain) {
  285. return path, nil
  286. }
  287. bucket := strings.TrimSuffix(host, "."+domain)
  288. return "/" + pathJoin(bucket, path), nil
  289. }
  291. // pathJoin - like path.Join() but retains trailing "/" of the last element
  292. func pathJoin(elem ...string) string {
  293. trailingSlash := ""
  294. if len(elem) > 0 {
  295. if strings.HasSuffix(elem[len(elem)-1], "/") {
  296. trailingSlash = "/"
  297. }
  298. }
  299. return path.Join(elem...) + trailingSlash
  300. }
  302. // Return the signature v2 of a given request.
  303. func signatureV2(cred *Credential, method string, encodedResource string, encodedQuery string, headers http.Header) string {
  304. stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, "")
  305. signature := calculateSignatureV2(stringToSign, cred.SecretKey)
  306. return signature
  307. }
  309. // Return string to sign under two different conditions.
  310. // - if expires string is set then string to sign includes date instead of the Date header.
  311. // - if expires string is empty then string to sign includes date header instead.
  312. func getStringToSignV2(method string, encodedResource, encodedQuery string, headers http.Header, expires string) string {
  313. canonicalHeaders := canonicalizedAmzHeadersV2(headers)
  314. if len(canonicalHeaders) > 0 {
  315. canonicalHeaders += "\n"
  316. }
  318. date := expires // Date is set to expires date for presign operations.
  319. if date == "" {
  320. // If expires date is empty then request header Date is used.
  321. date = headers.Get("Date")
  322. }
  324. // From the Amazon docs:
  325. //
  326. // StringToSign = HTTP-Verb + "\n" +
  327. // Content-Md5 + "\n" +
  328. // Content-Type + "\n" +
  329. // Date/Expires + "\n" +
  330. // CanonicalizedProtocolHeaders +
  331. // CanonicalizedResource;
  332. stringToSign := strings.Join([]string{
  333. method,
  334. headers.Get("Content-MD5"),
  335. headers.Get("Content-Type"),
  336. date,
  337. canonicalHeaders,
  338. }, "\n")
  340. return stringToSign + canonicalizedResourceV2(encodedResource, encodedQuery)
  341. }
  343. // Return canonical resource string.
  344. func canonicalizedResourceV2(encodedResource, encodedQuery string) string {
  345. queries := strings.Split(encodedQuery, "&")
  346. keyval := make(map[string]string)
  347. for _, query := range queries {
  348. key := query
  349. val := ""
  350. index := strings.Index(query, "=")
  351. if index != -1 {
  352. key = query[:index]
  353. val = query[index+1:]
  354. }
  355. keyval[key] = val
  356. }
  358. var canonicalQueries []string
  359. for _, key := range resourceList {
  360. val, ok := keyval[key]
  361. if !ok {
  362. continue
  363. }
  364. if val == "" {
  365. canonicalQueries = append(canonicalQueries, key)
  366. continue
  367. }
  368. canonicalQueries = append(canonicalQueries, key+"="+val)
  369. }
  371. // The queries will be already sorted as resourceList is sorted, if canonicalQueries
  372. // is empty strings.Join returns empty.
  373. canonicalQuery := strings.Join(canonicalQueries, "&")
  374. if canonicalQuery != "" {
  375. return encodedResource + "?" + canonicalQuery
  376. }
  377. return encodedResource
  378. }
  380. // Return canonical headers.
  381. func canonicalizedAmzHeadersV2(headers http.Header) string {
  382. var keys []string
  383. keyval := make(map[string]string)
  384. for key := range headers {
  385. lkey := strings.ToLower(key)
  386. if !strings.HasPrefix(lkey, "x-amz-") {
  387. continue
  388. }
  389. keys = append(keys, lkey)
  390. keyval[lkey] = strings.Join(headers[key], ",")
  391. }
  392. sort.Strings(keys)
  393. var canonicalHeaders []string
  394. for _, key := range keys {
  395. canonicalHeaders = append(canonicalHeaders, key+":"+keyval[key])
  396. }
  397. return strings.Join(canonicalHeaders, "\n")
  398. }
  400. func calculateSignatureV2(stringToSign string, secret string) string {
  401. hm := hmac.New(sha1.New, []byte(secret))
  402. hm.Write([]byte(stringToSign))
  403. return base64.StdEncoding.EncodeToString(hm.Sum(nil))
  404. }
  406. // compareSignatureV2 returns true if and only if both signatures
  407. // are equal. The signatures are expected to be base64 encoded strings
  408. // according to the AWS S3 signature V2 spec.
  409. func compareSignatureV2(sig1, sig2 string) bool {
  410. // Decode signature string to binary byte-sequence representation is required
  411. // as Base64 encoding of a value is not unique:
  412. // For example "aGVsbG8=" and "aGVsbG8=\r" will result in the same byte slice.
  413. signature1, err := base64.StdEncoding.DecodeString(sig1)
  414. if err != nil {
  415. return false
  416. }
  417. signature2, err := base64.StdEncoding.DecodeString(sig2)
  418. if err != nil {
  419. return false
  420. }
  421. return subtle.ConstantTimeCompare(signature1, signature2) == 1
  422. }
  424. // Return signature-v2 for the presigned request.
  425. func preSignatureV2(cred *Credential, method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string {
  426. stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, expires)
  427. return calculateSignatureV2(stringToSign, cred.SecretKey)
  428. }