Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9625 Commits
32 Branches
300 Tags
172 MiB
Tree: cdd817edf9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cdd817edf9'
${ noResults }
seaweedfs/weed/s3api/auto_signature_v4_test.go

434 lines
12 KiB
Raw Normal View History

support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
support acl
5 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "crypto/md5"
  6. "crypto/sha256"
  7. "encoding/base64"
  8. "encoding/hex"
  9. "errors"
  10. "fmt"
  11. "io"
  12. "net/http"
  13. "net/url"
  14. "sort"
  15. "strconv"
  16. "strings"
  17. "sync"
  18. "testing"
  19. "time"
  20. "unicode/utf8"
  22. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  23. )
  25. // TestIsRequestPresignedSignatureV4 - Test validates the logic for presign signature version v4 detection.
  26. func TestIsRequestPresignedSignatureV4(t *testing.T) {
  27. testCases := []struct {
  28. inputQueryKey string
  29. inputQueryValue string
  30. expectedResult bool
  31. }{
  32. // Test case - 1.
  33. // Test case with query key ""X-Amz-Credential" set.
  34. {"", "", false},
  35. // Test case - 2.
  36. {"X-Amz-Credential", "", true},
  37. // Test case - 3.
  38. {"X-Amz-Content-Sha256", "", false},
  39. }
  41. for i, testCase := range testCases {
  42. // creating an input HTTP request.
  43. // Only the query parameters are relevant for this particular test.
  44. inputReq, err := http.NewRequest("GET", "http://example.com", nil)
  45. if err != nil {
  46. t.Fatalf("Error initializing input HTTP request: %v", err)
  47. }
  48. q := inputReq.URL.Query()
  49. q.Add(testCase.inputQueryKey, testCase.inputQueryValue)
  50. inputReq.URL.RawQuery = q.Encode()
  52. actualResult := isRequestPresignedSignatureV4(inputReq)
  53. if testCase.expectedResult != actualResult {
  54. t.Errorf("Test %d: Expected the result to `%v`, but instead got `%v`", i+1, testCase.expectedResult, actualResult)
  55. }
  56. }
  57. }
  59. // Tests is requested authenticated function, tests replies for s3 errors.
  60. func TestIsReqAuthenticated(t *testing.T) {
  61. option := S3ApiServerOption{}
  62. iam := NewIdentityAccessManagement(&option)
  63. iam.identities = []*Identity{
  64. {
  65. Name: "someone",
  66. Credentials: []*Credential{
  67. {
  68. AccessKey: "access_key_1",
  69. SecretKey: "secret_key_1",
  70. },
  71. },
  72. Actions: nil,
  73. },
  74. }
  76. // List of test cases for validating http request authentication.
  77. testCases := []struct {
  78. req *http.Request
  79. s3Error s3err.ErrorCode
  80. }{
  81. // When request is unsigned, access denied is returned.
  82. {mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), s3err.ErrAccessDenied},
  83. // When request is properly signed, error is none.
  84. {mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), s3err.ErrNone},
  85. }
  87. // Validates all testcases.
  88. for i, testCase := range testCases {
  89. if _, s3Error := iam.reqSignatureV4Verify(testCase.req); s3Error != testCase.s3Error {
  90. io.ReadAll(testCase.req.Body)
  91. t.Fatalf("Test %d: Unexpected S3 error: want %d - got %d", i, testCase.s3Error, s3Error)
  92. }
  93. }
  94. }
  96. func TestCheckAdminRequestAuthType(t *testing.T) {
  97. option := S3ApiServerOption{}
  98. iam := NewIdentityAccessManagement(&option)
  99. iam.identities = []*Identity{
  100. {
  101. Name: "someone",
  102. Credentials: []*Credential{
  103. {
  104. AccessKey: "access_key_1",
  105. SecretKey: "secret_key_1",
  106. },
  107. },
  108. Actions: nil,
  109. },
  110. }
  112. testCases := []struct {
  113. Request *http.Request
  114. ErrCode s3err.ErrorCode
  115. }{
  116. {Request: mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrAccessDenied},
  117. {Request: mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrNone},
  118. {Request: mustNewPresignedRequest(iam, "GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrNone},
  119. }
  120. for i, testCase := range testCases {
  121. if _, s3Error := iam.reqSignatureV4Verify(testCase.Request); s3Error != testCase.ErrCode {
  122. t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error)
  123. }
  124. }
  125. }
  127. func BenchmarkGetSignature(b *testing.B) {
  128. t := time.Now()
  129. iam := IdentityAccessManagement{
  130. hashes: make(map[string]*sync.Pool),
  131. }
  133. b.ReportAllocs()
  134. b.ResetTimer()
  135. for i := 0; i < b.N; i++ {
  136. iam.getSignature("secret-key", t, "us-east-1", "s3", "random data")
  137. }
  138. }
  140. // Provides a fully populated http request instance, fails otherwise.
  141. func mustNewRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  142. req, err := newTestRequest(method, urlStr, contentLength, body)
  143. if err != nil {
  144. t.Fatalf("Unable to initialize new http request %s", err)
  145. }
  146. return req
  147. }
  149. // This is similar to mustNewRequest but additionally the request
  150. // is signed with AWS Signature V4, fails if not able to do so.
  151. func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  152. req := mustNewRequest(method, urlStr, contentLength, body, t)
  153. cred := &Credential{"access_key_1", "secret_key_1"}
  154. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  155. t.Fatalf("Unable to initialized new signed http request %s", err)
  156. }
  157. return req
  158. }
  160. // This is similar to mustNewRequest but additionally the request
  161. // is presigned with AWS Signature V4, fails if not able to do so.
  162. func mustNewPresignedRequest(iam *IdentityAccessManagement, method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  163. req := mustNewRequest(method, urlStr, contentLength, body, t)
  164. cred := &Credential{"access_key_1", "secret_key_1"}
  165. if err := preSignV4(iam, req, cred.AccessKey, cred.SecretKey, int64(10*time.Minute.Seconds())); err != nil {
  166. t.Fatalf("Unable to initialized new signed http request %s", err)
  167. }
  168. return req
  169. }
  171. // Returns new HTTP request object.
  172. func newTestRequest(method, urlStr string, contentLength int64, body io.ReadSeeker) (*http.Request, error) {
  173. if method == "" {
  174. method = "POST"
  175. }
  177. // Save for subsequent use
  178. var hashedPayload string
  179. var md5Base64 string
  180. switch {
  181. case body == nil:
  182. hashedPayload = getSHA256Hash([]byte{})
  183. default:
  184. payloadBytes, err := io.ReadAll(body)
  185. if err != nil {
  186. return nil, err
  187. }
  188. hashedPayload = getSHA256Hash(payloadBytes)
  189. md5Base64 = getMD5HashBase64(payloadBytes)
  190. }
  191. // Seek back to beginning.
  192. if body != nil {
  193. body.Seek(0, 0)
  194. } else {
  195. body = bytes.NewReader([]byte(""))
  196. }
  197. req, err := http.NewRequest(method, urlStr, body)
  198. if err != nil {
  199. return nil, err
  200. }
  201. if md5Base64 != "" {
  202. req.Header.Set("Content-Md5", md5Base64)
  203. }
  204. req.Header.Set("x-amz-content-sha256", hashedPayload)
  206. // Add Content-Length
  207. req.ContentLength = contentLength
  209. return req, nil
  210. }
  212. // getSHA256Hash returns SHA-256 hash in hex encoding of given data.
  213. func getSHA256Hash(data []byte) string {
  214. return hex.EncodeToString(getSHA256Sum(data))
  215. }
  217. // getMD5HashBase64 returns MD5 hash in base64 encoding of given data.
  218. func getMD5HashBase64(data []byte) string {
  219. return base64.StdEncoding.EncodeToString(getMD5Sum(data))
  220. }
  222. // getSHA256Hash returns SHA-256 sum of given data.
  223. func getSHA256Sum(data []byte) []byte {
  224. hash := sha256.New()
  225. hash.Write(data)
  226. return hash.Sum(nil)
  227. }
  229. // getMD5Sum returns MD5 sum of given data.
  230. func getMD5Sum(data []byte) []byte {
  231. hash := md5.New()
  232. hash.Write(data)
  233. return hash.Sum(nil)
  234. }
  236. // getMD5Hash returns MD5 hash in hex encoding of given data.
  237. func getMD5Hash(data []byte) string {
  238. return hex.EncodeToString(getMD5Sum(data))
  239. }
  241. var ignoredHeaders = map[string]bool{
  242. "Authorization": true,
  243. "Content-Type": true,
  244. "Content-Length": true,
  245. "User-Agent": true,
  246. }
  248. // Sign given request using Signature V4.
  249. func signRequestV4(req *http.Request, accessKey, secretKey string) error {
  250. // Get hashed payload.
  251. hashedPayload := req.Header.Get("x-amz-content-sha256")
  252. if hashedPayload == "" {
  253. return fmt.Errorf("Invalid hashed payload")
  254. }
  256. currTime := time.Now()
  258. // Set x-amz-date.
  259. req.Header.Set("x-amz-date", currTime.Format(iso8601Format))
  261. // Get header map.
  262. headerMap := make(map[string][]string)
  263. for k, vv := range req.Header {
  264. // If request header key is not in ignored headers, then add it.
  265. if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; !ok {
  266. headerMap[strings.ToLower(k)] = vv
  267. }
  268. }
  270. // Get header keys.
  271. headers := []string{"host"}
  272. for k := range headerMap {
  273. headers = append(headers, k)
  274. }
  275. sort.Strings(headers)
  277. region := "us-east-1"
  279. // Get canonical headers.
  280. var buf bytes.Buffer
  281. for _, k := range headers {
  282. buf.WriteString(k)
  283. buf.WriteByte(':')
  284. switch {
  285. case k == "host":
  286. buf.WriteString(req.URL.Host)
  287. fallthrough
  288. default:
  289. for idx, v := range headerMap[k] {
  290. if idx > 0 {
  291. buf.WriteByte(',')
  292. }
  293. buf.WriteString(v)
  294. }
  295. buf.WriteByte('\n')
  296. }
  297. }
  298. canonicalHeaders := buf.String()
  300. // Get signed headers.
  301. signedHeaders := strings.Join(headers, ";")
  303. // Get canonical query string.
  304. req.URL.RawQuery = strings.Replace(req.URL.Query().Encode(), "+", "%20", -1)
  306. // Get canonical URI.
  307. canonicalURI := EncodePath(req.URL.Path)
  309. // Get canonical request.
  310. // canonicalRequest =
  311. // <HTTPMethod>\n
  312. // <CanonicalURI>\n
  313. // <CanonicalQueryString>\n
  314. // <CanonicalHeaders>\n
  315. // <SignedHeaders>\n
  316. // <HashedPayload>
  317. //
  318. canonicalRequest := strings.Join([]string{
  319. req.Method,
  320. canonicalURI,
  321. req.URL.RawQuery,
  322. canonicalHeaders,
  323. signedHeaders,
  324. hashedPayload,
  325. }, "\n")
  327. // Get scope.
  328. scope := strings.Join([]string{
  329. currTime.Format(yyyymmdd),
  330. region,
  331. "s3",
  332. "aws4_request",
  333. }, "/")
  335. stringToSign := "AWS4-HMAC-SHA256" + "\n" + currTime.Format(iso8601Format) + "\n"
  336. stringToSign = stringToSign + scope + "\n"
  337. stringToSign = stringToSign + getSHA256Hash([]byte(canonicalRequest))
  339. date := sumHMAC([]byte("AWS4"+secretKey), []byte(currTime.Format(yyyymmdd)))
  340. regionHMAC := sumHMAC(date, []byte(region))
  341. service := sumHMAC(regionHMAC, []byte("s3"))
  342. signingKey := sumHMAC(service, []byte("aws4_request"))
  344. signature := hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
  346. // final Authorization header
  347. parts := []string{
  348. "AWS4-HMAC-SHA256" + " Credential=" + accessKey + "/" + scope,
  349. "SignedHeaders=" + signedHeaders,
  350. "Signature=" + signature,
  351. }
  352. auth := strings.Join(parts, ", ")
  353. req.Header.Set("Authorization", auth)
  355. return nil
  356. }
  358. // preSignV4 presign the request, in accordance with
  359. // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html.
  360. func preSignV4(iam *IdentityAccessManagement, req *http.Request, accessKeyID, secretAccessKey string, expires int64) error {
  361. // Presign is not needed for anonymous credentials.
  362. if accessKeyID == "" || secretAccessKey == "" {
  363. return errors.New("Presign cannot be generated without access and secret keys")
  364. }
  366. region := "us-east-1"
  367. date := time.Now().UTC()
  368. scope := getScope(date, region)
  369. credential := fmt.Sprintf("%s/%s", accessKeyID, scope)
  371. // Set URL query.
  372. query := req.URL.Query()
  373. query.Set("X-Amz-Algorithm", signV4Algorithm)
  374. query.Set("X-Amz-Date", date.Format(iso8601Format))
  375. query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10))
  376. query.Set("X-Amz-SignedHeaders", "host")
  377. query.Set("X-Amz-Credential", credential)
  378. query.Set("X-Amz-Content-Sha256", unsignedPayload)
  380. // "host" is the only header required to be signed for Presigned URLs.
  381. extractedSignedHeaders := make(http.Header)
  382. extractedSignedHeaders.Set("host", req.Host)
  384. queryStr := strings.Replace(query.Encode(), "+", "%20", -1)
  385. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, queryStr, req.URL.Path, req.Method)
  386. stringToSign := getStringToSign(canonicalRequest, date, scope)
  387. signature := iam.getSignature(secretAccessKey, date, region, "s3", stringToSign)
  389. req.URL.RawQuery = query.Encode()
  391. // Add signature header to RawQuery.
  392. req.URL.RawQuery += "&X-Amz-Signature=" + url.QueryEscape(signature)
  394. // Construct the final presigned URL.
  395. return nil
  396. }
  398. // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
  399. //
  400. // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
  401. // non english characters cannot be parsed due to the nature in which url.Encode() is written
  402. //
  403. // This function on the other hand is a direct replacement for url.Encode() technique to support
  404. // pretty much every UTF-8 character.
  405. func EncodePath(pathName string) string {
  406. if reservedObjectNames.MatchString(pathName) {
  407. return pathName
  408. }
  409. var encodedPathname string
  410. for _, s := range pathName {
  411. if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
  412. encodedPathname = encodedPathname + string(s)
  413. continue
  414. }
  415. switch s {
  416. case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
  417. encodedPathname = encodedPathname + string(s)
  418. continue
  419. default:
  420. len := utf8.RuneLen(s)
  421. if len < 0 {
  422. // if utf8 cannot convert return the same string as is
  423. return pathName
  424. }
  425. u := make([]byte, len)
  426. utf8.EncodeRune(u, s)
  427. for _, r := range u {
  428. hex := hex.EncodeToString([]byte{r})
  429. encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
  430. }
  431. }
  432. }
  433. return encodedPathname
  434. }