Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8323 Commits
37 Branches
296 Tags
161 MiB
Tree: becb987672
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'becb987672'
${ noResults }
seaweedfs/weed/s3api/chunked_reader_v4.go

412 lines
12 KiB
Raw Normal View History

add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
refactoring
4 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add auth aws signV4
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
S3 authorization: StreamingSigned enforces access control fix https://github.com/chrislusf/seaweedfs/issues/2180
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
move s3 related constants from package http to s3_constants
3 years ago
wildcard prefix to restrict access to directories in s3 bucket https://github.com/chrislusf/seaweedfs/discussions/2551
3 years ago
S3 authorization: StreamingSigned enforces access control fix https://github.com/chrislusf/seaweedfs/issues/2180
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
add auth aws signV4
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
refactoring
4 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
refactoring
4 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
add streaming v4
5 years ago
add s3ChunkedReader fix https://github.com/chrislusf/seaweedfs/issues/718
6 years ago
  1. package s3api
  3. // the related code is copied and modified from minio source code
  5. /*
  6. * Minio Cloud Storage, (C) 2016 Minio, Inc.
  7. *
  8. * Licensed under the Apache License, Version 2.0 (the "License");
  9. * you may not use this file except in compliance with the License.
  10. * You may obtain a copy of the License at
  11. *
  12. * http://www.apache.org/licenses/LICENSE-2.0
  13. *
  14. * Unless required by applicable law or agreed to in writing, software
  15. * distributed under the License is distributed on an "AS IS" BASIS,
  16. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  17. * See the License for the specific language governing permissions and
  18. * limitations under the License.
  19. */
  21. import (
  22. "bufio"
  23. "bytes"
  24. "crypto/sha256"
  25. "encoding/hex"
  26. "errors"
  27. "github.com/chrislusf/seaweedfs/weed/s3api/s3_constants"
  28. "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
  29. "hash"
  30. "io"
  31. "net/http"
  32. "time"
  34. "github.com/dustin/go-humanize"
  35. )
  37. // getChunkSignature - get chunk signature.
  38. func getChunkSignature(secretKey string, seedSignature string, region string, date time.Time, hashedChunk string) string {
  40. // Calculate string to sign.
  41. stringToSign := signV4ChunkedAlgorithm + "\n" +
  42. date.Format(iso8601Format) + "\n" +
  43. getScope(date, region) + "\n" +
  44. seedSignature + "\n" +
  45. emptySHA256 + "\n" +
  46. hashedChunk
  48. // Get hmac signing key.
  49. signingKey := getSigningKey(secretKey, date, region, "s3")
  51. // Calculate signature.
  52. newSignature := getSignature(signingKey, stringToSign)
  54. return newSignature
  55. }
  57. // calculateSeedSignature - Calculate seed signature in accordance with
  58. // - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html
  59. // returns signature, error otherwise if the signature mismatches or any other
  60. // error while parsing and validating.
  61. func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cred *Credential, signature string, region string, date time.Time, errCode s3err.ErrorCode) {
  63. // Copy request.
  64. req := *r
  66. // Save authorization header.
  67. v4Auth := req.Header.Get("Authorization")
  69. // Parse signature version '4' header.
  70. signV4Values, errCode := parseSignV4(v4Auth)
  71. if errCode != s3err.ErrNone {
  72. return nil, "", "", time.Time{}, errCode
  73. }
  75. // Payload streaming.
  76. payload := streamingContentSHA256
  78. // Payload for STREAMING signature should be 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD'
  79. if payload != req.Header.Get("X-Amz-Content-Sha256") {
  80. return nil, "", "", time.Time{}, s3err.ErrContentSHA256Mismatch
  81. }
  83. // Extract all the signed headers along with its values.
  84. extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
  85. if errCode != s3err.ErrNone {
  86. return nil, "", "", time.Time{}, errCode
  87. }
  88. // Verify if the access key id matches.
  89. identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
  90. if !found {
  91. return nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
  92. }
  94. bucket, object := s3_constants.GetBucketAndObject(r)
  95. if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
  96. errCode = s3err.ErrAccessDenied
  97. return
  98. }
  100. // Verify if region is valid.
  101. region = signV4Values.Credential.scope.region
  103. // Extract date, if not present throw error.
  104. var dateStr string
  105. if dateStr = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); dateStr == "" {
  106. if dateStr = r.Header.Get("Date"); dateStr == "" {
  107. return nil, "", "", time.Time{}, s3err.ErrMissingDateHeader
  108. }
  109. }
  110. // Parse date header.
  111. var err error
  112. date, err = time.Parse(iso8601Format, dateStr)
  113. if err != nil {
  114. return nil, "", "", time.Time{}, s3err.ErrMalformedDate
  115. }
  117. // Query string.
  118. queryStr := req.URL.Query().Encode()
  120. // Get canonical request.
  121. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, payload, queryStr, req.URL.Path, req.Method)
  123. // Get string to sign from canonical request.
  124. stringToSign := getStringToSign(canonicalRequest, date, signV4Values.Credential.getScope())
  126. // Get hmac signing key.
  127. signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region, "s3")
  129. // Calculate signature.
  130. newSignature := getSignature(signingKey, stringToSign)
  132. // Verify if signature match.
  133. if !compareSignatureV4(newSignature, signV4Values.Signature) {
  134. return nil, "", "", time.Time{}, s3err.ErrSignatureDoesNotMatch
  135. }
  137. // Return caculated signature.
  138. return cred, newSignature, region, date, s3err.ErrNone
  139. }
  141. const maxLineLength = 4 * humanize.KiByte // assumed <= bufio.defaultBufSize 4KiB
  143. // lineTooLong is generated as chunk header is bigger than 4KiB.
  144. var errLineTooLong = errors.New("header line too long")
  146. // Malformed encoding is generated when chunk header is wrongly formed.
  147. var errMalformedEncoding = errors.New("malformed chunked encoding")
  149. // newSignV4ChunkedReader returns a new s3ChunkedReader that translates the data read from r
  150. // out of HTTP "chunked" format before returning it.
  151. // The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.
  152. func (iam *IdentityAccessManagement) newSignV4ChunkedReader(req *http.Request) (io.ReadCloser, s3err.ErrorCode) {
  153. ident, seedSignature, region, seedDate, errCode := iam.calculateSeedSignature(req)
  154. if errCode != s3err.ErrNone {
  155. return nil, errCode
  156. }
  157. return &s3ChunkedReader{
  158. cred: ident,
  159. reader: bufio.NewReader(req.Body),
  160. seedSignature: seedSignature,
  161. seedDate: seedDate,
  162. region: region,
  163. chunkSHA256Writer: sha256.New(),
  164. state: readChunkHeader,
  165. }, s3err.ErrNone
  166. }
  168. // Represents the overall state that is required for decoding a
  169. // AWS Signature V4 chunked reader.
  170. type s3ChunkedReader struct {
  171. cred *Credential
  172. reader *bufio.Reader
  173. seedSignature string
  174. seedDate time.Time
  175. region string
  176. state chunkState
  177. lastChunk bool
  178. chunkSignature string
  179. chunkSHA256Writer hash.Hash // Calculates sha256 of chunk data.
  180. n uint64 // Unread bytes in chunk
  181. err error
  182. }
  184. // Read chunk reads the chunk token signature portion.
  185. func (cr *s3ChunkedReader) readS3ChunkHeader() {
  186. // Read the first chunk line until CRLF.
  187. var hexChunkSize, hexChunkSignature []byte
  188. hexChunkSize, hexChunkSignature, cr.err = readChunkLine(cr.reader)
  189. if cr.err != nil {
  190. return
  191. }
  192. // <hex>;token=value - converts the hex into its uint64 form.
  193. cr.n, cr.err = parseHexUint(hexChunkSize)
  194. if cr.err != nil {
  195. return
  196. }
  197. if cr.n == 0 {
  198. cr.err = io.EOF
  199. }
  200. // Save the incoming chunk signature.
  201. cr.chunkSignature = string(hexChunkSignature)
  202. }
  204. type chunkState int
  206. const (
  207. readChunkHeader chunkState = iota
  208. readChunkTrailer
  209. readChunk
  210. verifyChunk
  211. eofChunk
  212. )
  214. func (cs chunkState) String() string {
  215. stateString := ""
  216. switch cs {
  217. case readChunkHeader:
  218. stateString = "readChunkHeader"
  219. case readChunkTrailer:
  220. stateString = "readChunkTrailer"
  221. case readChunk:
  222. stateString = "readChunk"
  223. case verifyChunk:
  224. stateString = "verifyChunk"
  225. case eofChunk:
  226. stateString = "eofChunk"
  228. }
  229. return stateString
  230. }
  232. func (cr *s3ChunkedReader) Close() (err error) {
  233. return nil
  234. }
  236. // Read - implements `io.Reader`, which transparently decodes
  237. // the incoming AWS Signature V4 streaming signature.
  238. func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
  239. for {
  240. switch cr.state {
  241. case readChunkHeader:
  242. cr.readS3ChunkHeader()
  243. // If we're at the end of a chunk.
  244. if cr.n == 0 && cr.err == io.EOF {
  245. cr.state = readChunkTrailer
  246. cr.lastChunk = true
  247. continue
  248. }
  249. if cr.err != nil {
  250. return 0, cr.err
  251. }
  252. cr.state = readChunk
  253. case readChunkTrailer:
  254. cr.err = readCRLF(cr.reader)
  255. if cr.err != nil {
  256. return 0, errMalformedEncoding
  257. }
  258. cr.state = verifyChunk
  259. case readChunk:
  260. // There is no more space left in the request buffer.
  261. if len(buf) == 0 {
  262. return n, nil
  263. }
  264. rbuf := buf
  265. // The request buffer is larger than the current chunk size.
  266. // Read only the current chunk from the underlying reader.
  267. if uint64(len(rbuf)) > cr.n {
  268. rbuf = rbuf[:cr.n]
  269. }
  270. var n0 int
  271. n0, cr.err = cr.reader.Read(rbuf)
  272. if cr.err != nil {
  273. // We have lesser than chunk size advertised in chunkHeader, this is 'unexpected'.
  274. if cr.err == io.EOF {
  275. cr.err = io.ErrUnexpectedEOF
  276. }
  277. return 0, cr.err
  278. }
  280. // Calculate sha256.
  281. cr.chunkSHA256Writer.Write(rbuf[:n0])
  283. // Update the bytes read into request buffer so far.
  284. n += n0
  285. buf = buf[n0:]
  286. // Update bytes to be read of the current chunk before verifying chunk's signature.
  287. cr.n -= uint64(n0)
  289. // If we're at the end of a chunk.
  290. if cr.n == 0 {
  291. cr.state = readChunkTrailer
  292. continue
  293. }
  294. case verifyChunk:
  295. // Calculate the hashed chunk.
  296. hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
  297. // Calculate the chunk signature.
  298. newSignature := getChunkSignature(cr.cred.SecretKey, cr.seedSignature, cr.region, cr.seedDate, hashedChunk)
  299. if !compareSignatureV4(cr.chunkSignature, newSignature) {
  300. // Chunk signature doesn't match we return signature does not match.
  301. cr.err = errors.New("chunk signature does not match")
  302. return 0, cr.err
  303. }
  304. // Newly calculated signature becomes the seed for the next chunk
  305. // this follows the chaining.
  306. cr.seedSignature = newSignature
  307. cr.chunkSHA256Writer.Reset()
  308. if cr.lastChunk {
  309. cr.state = eofChunk
  310. } else {
  311. cr.state = readChunkHeader
  312. }
  313. case eofChunk:
  314. return n, io.EOF
  315. }
  316. }
  317. }
  319. // readCRLF - check if reader only has '\r\n' CRLF character.
  320. // returns malformed encoding if it doesn't.
  321. func readCRLF(reader io.Reader) error {
  322. buf := make([]byte, 2)
  323. _, err := io.ReadFull(reader, buf[:2])
  324. if err != nil {
  325. return err
  326. }
  327. if buf[0] != '\r' || buf[1] != '\n' {
  328. return errMalformedEncoding
  329. }
  330. return nil
  331. }
  333. // Read a line of bytes (up to \n) from b.
  334. // Give up if the line exceeds maxLineLength.
  335. // The returned bytes are owned by the bufio.Reader
  336. // so they are only valid until the next bufio read.
  337. func readChunkLine(b *bufio.Reader) ([]byte, []byte, error) {
  338. buf, err := b.ReadSlice('\n')
  339. if err != nil {
  340. // We always know when EOF is coming.
  341. // If the caller asked for a line, there should be a line.
  342. if err == io.EOF {
  343. err = io.ErrUnexpectedEOF
  344. } else if err == bufio.ErrBufferFull {
  345. err = errLineTooLong
  346. }
  347. return nil, nil, err
  348. }
  349. if len(buf) >= maxLineLength {
  350. return nil, nil, errLineTooLong
  351. }
  352. // Parse s3 specific chunk extension and fetch the values.
  353. hexChunkSize, hexChunkSignature := parseS3ChunkExtension(buf)
  354. return hexChunkSize, hexChunkSignature, nil
  355. }
  357. // trimTrailingWhitespace - trim trailing white space.
  358. func trimTrailingWhitespace(b []byte) []byte {
  359. for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
  360. b = b[:len(b)-1]
  361. }
  362. return b
  363. }
  365. // isASCIISpace - is ascii space?
  366. func isASCIISpace(b byte) bool {
  367. return b == ' ' || b == '\t' || b == '\n' || b == '\r'
  368. }
  370. // Constant s3 chunk encoding signature.
  371. const s3ChunkSignatureStr = ";chunk-signature="
  373. // parses3ChunkExtension removes any s3 specific chunk-extension from buf.
  374. // For example,
  375. // "10000;chunk-signature=..." => "10000", "chunk-signature=..."
  376. func parseS3ChunkExtension(buf []byte) ([]byte, []byte) {
  377. buf = trimTrailingWhitespace(buf)
  378. semi := bytes.Index(buf, []byte(s3ChunkSignatureStr))
  379. // Chunk signature not found, return the whole buffer.
  380. if semi == -1 {
  381. return buf, nil
  382. }
  383. return buf[:semi], parseChunkSignature(buf[semi:])
  384. }
  386. // parseChunkSignature - parse chunk signature.
  387. func parseChunkSignature(chunk []byte) []byte {
  388. chunkSplits := bytes.SplitN(chunk, []byte(s3ChunkSignatureStr), 2)
  389. return chunkSplits[1]
  390. }
  392. // parse hex to uint64.
  393. func parseHexUint(v []byte) (n uint64, err error) {
  394. for i, b := range v {
  395. switch {
  396. case '0' <= b && b <= '9':
  397. b = b - '0'
  398. case 'a' <= b && b <= 'f':
  399. b = b - 'a' + 10
  400. case 'A' <= b && b <= 'F':
  401. b = b - 'A' + 10
  402. default:
  403. return 0, errors.New("invalid byte in chunk length")
  404. }
  405. if i == 16 {
  406. return 0, errors.New("http chunk length too large")
  407. }
  408. n <<= 4
  409. n |= uint64(b)
  410. }
  411. return
  412. }