Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3851 Commits
37 Branches
296 Tags
161 MiB
Tree: bd8bfdae07
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bd8bfdae07'
${ noResults }
seaweedfs/weed/s3api/auto_signature_v4_test.go

418 lines
12 KiB
Raw Normal View History

support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
add v2 support
5 years ago
support acl
5 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "crypto/md5"
  6. "crypto/sha256"
  7. "encoding/base64"
  8. "encoding/hex"
  9. "errors"
  10. "fmt"
  11. "io"
  12. "io/ioutil"
  13. "net/http"
  14. "net/url"
  15. "sort"
  16. "strconv"
  17. "strings"
  18. "testing"
  19. "time"
  20. "unicode/utf8"
  21. )
  23. // TestIsRequestPresignedSignatureV4 - Test validates the logic for presign signature verision v4 detection.
  24. func TestIsRequestPresignedSignatureV4(t *testing.T) {
  25. testCases := []struct {
  26. inputQueryKey string
  27. inputQueryValue string
  28. expectedResult bool
  29. }{
  30. // Test case - 1.
  31. // Test case with query key ""X-Amz-Credential" set.
  32. {"", "", false},
  33. // Test case - 2.
  34. {"X-Amz-Credential", "", true},
  35. // Test case - 3.
  36. {"X-Amz-Content-Sha256", "", false},
  37. }
  39. for i, testCase := range testCases {
  40. // creating an input HTTP request.
  41. // Only the query parameters are relevant for this particular test.
  42. inputReq, err := http.NewRequest("GET", "http://example.com", nil)
  43. if err != nil {
  44. t.Fatalf("Error initializing input HTTP request: %v", err)
  45. }
  46. q := inputReq.URL.Query()
  47. q.Add(testCase.inputQueryKey, testCase.inputQueryValue)
  48. inputReq.URL.RawQuery = q.Encode()
  50. actualResult := isRequestPresignedSignatureV4(inputReq)
  51. if testCase.expectedResult != actualResult {
  52. t.Errorf("Test %d: Expected the result to `%v`, but instead got `%v`", i+1, testCase.expectedResult, actualResult)
  53. }
  54. }
  55. }
  57. // Tests is requested authenticated function, tests replies for s3 errors.
  58. func TestIsReqAuthenticated(t *testing.T) {
  59. iam := NewIdentityAccessManagement("", "")
  60. iam.identities = []*Identity{
  61. {
  62. Name: "someone",
  63. Credentials: []*Credential{
  64. {
  65. AccessKey: "access_key_1",
  66. SecretKey: "secret_key_1",
  67. },
  68. },
  69. Actions: nil,
  70. },
  71. }
  73. // List of test cases for validating http request authentication.
  74. testCases := []struct {
  75. req *http.Request
  76. s3Error ErrorCode
  77. }{
  78. // When request is unsigned, access denied is returned.
  79. {mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrAccessDenied},
  80. // When request is properly signed, error is none.
  81. {mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrNone},
  82. }
  84. // Validates all testcases.
  85. for i, testCase := range testCases {
  86. if _, s3Error := iam.reqSignatureV4Verify(testCase.req); s3Error != testCase.s3Error {
  87. ioutil.ReadAll(testCase.req.Body)
  88. t.Fatalf("Test %d: Unexpected S3 error: want %d - got %d", i, testCase.s3Error, s3Error)
  89. }
  90. }
  91. }
  93. func TestCheckAdminRequestAuthType(t *testing.T) {
  94. iam := NewIdentityAccessManagement("", "")
  95. iam.identities = []*Identity{
  96. {
  97. Name: "someone",
  98. Credentials: []*Credential{
  99. {
  100. AccessKey: "access_key_1",
  101. SecretKey: "secret_key_1",
  102. },
  103. },
  104. Actions: nil,
  105. },
  106. }
  108. testCases := []struct {
  109. Request *http.Request
  110. ErrCode ErrorCode
  111. }{
  112. {Request: mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrAccessDenied},
  113. {Request: mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrNone},
  114. {Request: mustNewPresignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: ErrNone},
  115. }
  116. for i, testCase := range testCases {
  117. if _, s3Error := iam.reqSignatureV4Verify(testCase.Request); s3Error != testCase.ErrCode {
  118. t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error)
  119. }
  120. }
  121. }
  123. // Provides a fully populated http request instance, fails otherwise.
  124. func mustNewRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  125. req, err := newTestRequest(method, urlStr, contentLength, body)
  126. if err != nil {
  127. t.Fatalf("Unable to initialize new http request %s", err)
  128. }
  129. return req
  130. }
  132. // This is similar to mustNewRequest but additionally the request
  133. // is signed with AWS Signature V4, fails if not able to do so.
  134. func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  135. req := mustNewRequest(method, urlStr, contentLength, body, t)
  136. cred := &Credential{"access_key_1", "secret_key_1"}
  137. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  138. t.Fatalf("Unable to inititalized new signed http request %s", err)
  139. }
  140. return req
  141. }
  143. // This is similar to mustNewRequest but additionally the request
  144. // is presigned with AWS Signature V4, fails if not able to do so.
  145. func mustNewPresignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  146. req := mustNewRequest(method, urlStr, contentLength, body, t)
  147. cred := &Credential{"access_key_1", "secret_key_1"}
  148. if err := preSignV4(req, cred.AccessKey, cred.SecretKey, int64(10*time.Minute.Seconds())); err != nil {
  149. t.Fatalf("Unable to inititalized new signed http request %s", err)
  150. }
  151. return req
  152. }
  154. // Returns new HTTP request object.
  155. func newTestRequest(method, urlStr string, contentLength int64, body io.ReadSeeker) (*http.Request, error) {
  156. if method == "" {
  157. method = "POST"
  158. }
  160. // Save for subsequent use
  161. var hashedPayload string
  162. var md5Base64 string
  163. switch {
  164. case body == nil:
  165. hashedPayload = getSHA256Hash([]byte{})
  166. default:
  167. payloadBytes, err := ioutil.ReadAll(body)
  168. if err != nil {
  169. return nil, err
  170. }
  171. hashedPayload = getSHA256Hash(payloadBytes)
  172. md5Base64 = getMD5HashBase64(payloadBytes)
  173. }
  174. // Seek back to beginning.
  175. if body != nil {
  176. body.Seek(0, 0)
  177. } else {
  178. body = bytes.NewReader([]byte(""))
  179. }
  180. req, err := http.NewRequest(method, urlStr, body)
  181. if err != nil {
  182. return nil, err
  183. }
  184. if md5Base64 != "" {
  185. req.Header.Set("Content-Md5", md5Base64)
  186. }
  187. req.Header.Set("x-amz-content-sha256", hashedPayload)
  189. // Add Content-Length
  190. req.ContentLength = contentLength
  192. return req, nil
  193. }
  195. // getSHA256Hash returns SHA-256 hash in hex encoding of given data.
  196. func getSHA256Hash(data []byte) string {
  197. return hex.EncodeToString(getSHA256Sum(data))
  198. }
  200. // getMD5HashBase64 returns MD5 hash in base64 encoding of given data.
  201. func getMD5HashBase64(data []byte) string {
  202. return base64.StdEncoding.EncodeToString(getMD5Sum(data))
  203. }
  205. // getSHA256Hash returns SHA-256 sum of given data.
  206. func getSHA256Sum(data []byte) []byte {
  207. hash := sha256.New()
  208. hash.Write(data)
  209. return hash.Sum(nil)
  210. }
  212. // getMD5Sum returns MD5 sum of given data.
  213. func getMD5Sum(data []byte) []byte {
  214. hash := md5.New()
  215. hash.Write(data)
  216. return hash.Sum(nil)
  217. }
  219. // getMD5Hash returns MD5 hash in hex encoding of given data.
  220. func getMD5Hash(data []byte) string {
  221. return hex.EncodeToString(getMD5Sum(data))
  222. }
  224. var ignoredHeaders = map[string]bool{
  225. "Authorization": true,
  226. "Content-Type": true,
  227. "Content-Length": true,
  228. "User-Agent": true,
  229. }
  231. // Sign given request using Signature V4.
  232. func signRequestV4(req *http.Request, accessKey, secretKey string) error {
  233. // Get hashed payload.
  234. hashedPayload := req.Header.Get("x-amz-content-sha256")
  235. if hashedPayload == "" {
  236. return fmt.Errorf("Invalid hashed payload")
  237. }
  239. currTime := time.Now()
  241. // Set x-amz-date.
  242. req.Header.Set("x-amz-date", currTime.Format(iso8601Format))
  244. // Get header map.
  245. headerMap := make(map[string][]string)
  246. for k, vv := range req.Header {
  247. // If request header key is not in ignored headers, then add it.
  248. if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; !ok {
  249. headerMap[strings.ToLower(k)] = vv
  250. }
  251. }
  253. // Get header keys.
  254. headers := []string{"host"}
  255. for k := range headerMap {
  256. headers = append(headers, k)
  257. }
  258. sort.Strings(headers)
  260. region := "us-east-1"
  262. // Get canonical headers.
  263. var buf bytes.Buffer
  264. for _, k := range headers {
  265. buf.WriteString(k)
  266. buf.WriteByte(':')
  267. switch {
  268. case k == "host":
  269. buf.WriteString(req.URL.Host)
  270. fallthrough
  271. default:
  272. for idx, v := range headerMap[k] {
  273. if idx > 0 {
  274. buf.WriteByte(',')
  275. }
  276. buf.WriteString(v)
  277. }
  278. buf.WriteByte('\n')
  279. }
  280. }
  281. canonicalHeaders := buf.String()
  283. // Get signed headers.
  284. signedHeaders := strings.Join(headers, ";")
  286. // Get canonical query string.
  287. req.URL.RawQuery = strings.Replace(req.URL.Query().Encode(), "+", "%20", -1)
  289. // Get canonical URI.
  290. canonicalURI := EncodePath(req.URL.Path)
  292. // Get canonical request.
  293. // canonicalRequest =
  294. // <HTTPMethod>\n
  295. // <CanonicalURI>\n
  296. // <CanonicalQueryString>\n
  297. // <CanonicalHeaders>\n
  298. // <SignedHeaders>\n
  299. // <HashedPayload>
  300. //
  301. canonicalRequest := strings.Join([]string{
  302. req.Method,
  303. canonicalURI,
  304. req.URL.RawQuery,
  305. canonicalHeaders,
  306. signedHeaders,
  307. hashedPayload,
  308. }, "\n")
  310. // Get scope.
  311. scope := strings.Join([]string{
  312. currTime.Format(yyyymmdd),
  313. region,
  314. "s3",
  315. "aws4_request",
  316. }, "/")
  318. stringToSign := "AWS4-HMAC-SHA256" + "\n" + currTime.Format(iso8601Format) + "\n"
  319. stringToSign = stringToSign + scope + "\n"
  320. stringToSign = stringToSign + getSHA256Hash([]byte(canonicalRequest))
  322. date := sumHMAC([]byte("AWS4"+secretKey), []byte(currTime.Format(yyyymmdd)))
  323. regionHMAC := sumHMAC(date, []byte(region))
  324. service := sumHMAC(regionHMAC, []byte("s3"))
  325. signingKey := sumHMAC(service, []byte("aws4_request"))
  327. signature := hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
  329. // final Authorization header
  330. parts := []string{
  331. "AWS4-HMAC-SHA256" + " Credential=" + accessKey + "/" + scope,
  332. "SignedHeaders=" + signedHeaders,
  333. "Signature=" + signature,
  334. }
  335. auth := strings.Join(parts, ", ")
  336. req.Header.Set("Authorization", auth)
  338. return nil
  339. }
  341. // preSignV4 presign the request, in accordance with
  342. // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html.
  343. func preSignV4(req *http.Request, accessKeyID, secretAccessKey string, expires int64) error {
  344. // Presign is not needed for anonymous credentials.
  345. if accessKeyID == "" || secretAccessKey == "" {
  346. return errors.New("Presign cannot be generated without access and secret keys")
  347. }
  349. region := "us-east-1"
  350. date := time.Now().UTC()
  351. scope := getScope(date, region)
  352. credential := fmt.Sprintf("%s/%s", accessKeyID, scope)
  354. // Set URL query.
  355. query := req.URL.Query()
  356. query.Set("X-Amz-Algorithm", signV4Algorithm)
  357. query.Set("X-Amz-Date", date.Format(iso8601Format))
  358. query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10))
  359. query.Set("X-Amz-SignedHeaders", "host")
  360. query.Set("X-Amz-Credential", credential)
  361. query.Set("X-Amz-Content-Sha256", unsignedPayload)
  363. // "host" is the only header required to be signed for Presigned URLs.
  364. extractedSignedHeaders := make(http.Header)
  365. extractedSignedHeaders.Set("host", req.Host)
  367. queryStr := strings.Replace(query.Encode(), "+", "%20", -1)
  368. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, queryStr, req.URL.Path, req.Method)
  369. stringToSign := getStringToSign(canonicalRequest, date, scope)
  370. signingKey := getSigningKey(secretAccessKey, date, region)
  371. signature := getSignature(signingKey, stringToSign)
  373. req.URL.RawQuery = query.Encode()
  375. // Add signature header to RawQuery.
  376. req.URL.RawQuery += "&X-Amz-Signature=" + url.QueryEscape(signature)
  378. // Construct the final presigned URL.
  379. return nil
  380. }
  382. // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
  383. //
  384. // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
  385. // non english characters cannot be parsed due to the nature in which url.Encode() is written
  386. //
  387. // This function on the other hand is a direct replacement for url.Encode() technique to support
  388. // pretty much every UTF-8 character.
  389. func EncodePath(pathName string) string {
  390. if reservedObjectNames.MatchString(pathName) {
  391. return pathName
  392. }
  393. var encodedPathname string
  394. for _, s := range pathName {
  395. if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
  396. encodedPathname = encodedPathname + string(s)
  397. continue
  398. }
  399. switch s {
  400. case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
  401. encodedPathname = encodedPathname + string(s)
  402. continue
  403. default:
  404. len := utf8.RuneLen(s)
  405. if len < 0 {
  406. // if utf8 cannot convert return the same string as is
  407. return pathName
  408. }
  409. u := make([]byte, len)
  410. utf8.EncodeRune(u, s)
  411. for _, r := range u {
  412. hex := hex.EncodeToString([]byte{r})
  413. encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
  414. }
  415. }
  416. }
  417. return encodedPathname
  418. }