Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9692 Commits
32 Branches
298 Tags
169 MiB
Tree: cf28108ea4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cf28108ea4'
${ noResults }
seaweedfs/weed/s3api/auto_signature_v4_test.go

441 lines
13 KiB
Raw Normal View History

support acl
5 years ago
fix grpd dial option
1 year ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
move to https://github.com/seaweedfs/seaweedfs
3 years ago
support acl
5 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
fix grpd dial option
1 year ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
fix grpd dial option
1 year ago
load S3 config from filer https://github.com/chrislusf/seaweedfs/issues/1500
4 years ago
support acl
5 years ago
refactoring
4 years ago
support acl
5 years ago
refactoring
4 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
Clean up old signature hash pools
1 year ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
docs(s3api): readability improvements (#3696) Signed-off-by: Ryan Russell <git@ryanrussell.org> Signed-off-by: Ryan Russell <git@ryanrussell.org>
2 years ago
support acl
5 years ago
refactor: move from io/ioutil to io and os package The io/ioutil package has been deprecated as of Go 1.16, see https://golang.org/doc/go1.16#ioutil. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
3 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
Improve S3 request signing performance This change is caching HMAC hashers for repeated use in subsequent requests and chunks, so they don't have to be initialized from scratch every time. On my local computer this gives me ~5-6 times faster signature calculation and ~5-6.5% more throughput in S3 requests. The smaller the payload the better the throughput gets.
2 years ago
support acl
5 years ago
  1. package s3api
  3. import (
  4. "bytes"
  5. "crypto/md5"
  6. "crypto/sha256"
  7. "encoding/base64"
  8. "encoding/hex"
  9. "errors"
  10. "fmt"
  11. "google.golang.org/grpc"
  12. "google.golang.org/grpc/credentials/insecure"
  13. "io"
  14. "net/http"
  15. "net/url"
  16. "sort"
  17. "strconv"
  18. "strings"
  19. "sync"
  20. "testing"
  21. "time"
  22. "unicode/utf8"
  24. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  25. )
  27. // TestIsRequestPresignedSignatureV4 - Test validates the logic for presign signature version v4 detection.
  28. func TestIsRequestPresignedSignatureV4(t *testing.T) {
  29. testCases := []struct {
  30. inputQueryKey string
  31. inputQueryValue string
  32. expectedResult bool
  33. }{
  34. // Test case - 1.
  35. // Test case with query key ""X-Amz-Credential" set.
  36. {"", "", false},
  37. // Test case - 2.
  38. {"X-Amz-Credential", "", true},
  39. // Test case - 3.
  40. {"X-Amz-Content-Sha256", "", false},
  41. }
  43. for i, testCase := range testCases {
  44. // creating an input HTTP request.
  45. // Only the query parameters are relevant for this particular test.
  46. inputReq, err := http.NewRequest("GET", "http://example.com", nil)
  47. if err != nil {
  48. t.Fatalf("Error initializing input HTTP request: %v", err)
  49. }
  50. q := inputReq.URL.Query()
  51. q.Add(testCase.inputQueryKey, testCase.inputQueryValue)
  52. inputReq.URL.RawQuery = q.Encode()
  54. actualResult := isRequestPresignedSignatureV4(inputReq)
  55. if testCase.expectedResult != actualResult {
  56. t.Errorf("Test %d: Expected the result to `%v`, but instead got `%v`", i+1, testCase.expectedResult, actualResult)
  57. }
  58. }
  59. }
  61. // Tests is requested authenticated function, tests replies for s3 errors.
  62. func TestIsReqAuthenticated(t *testing.T) {
  63. option := S3ApiServerOption{
  64. GrpcDialOption: grpc.WithTransportCredentials(insecure.NewCredentials()),
  65. }
  66. iam := NewIdentityAccessManagement(&option)
  67. iam.identities = []*Identity{
  68. {
  69. Name: "someone",
  70. Credentials: []*Credential{
  71. {
  72. AccessKey: "access_key_1",
  73. SecretKey: "secret_key_1",
  74. },
  75. },
  76. Actions: nil,
  77. },
  78. }
  80. // List of test cases for validating http request authentication.
  81. testCases := []struct {
  82. req *http.Request
  83. s3Error s3err.ErrorCode
  84. }{
  85. // When request is unsigned, access denied is returned.
  86. {mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), s3err.ErrAccessDenied},
  87. // When request is properly signed, error is none.
  88. {mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), s3err.ErrNone},
  89. }
  91. // Validates all testcases.
  92. for i, testCase := range testCases {
  93. if _, s3Error := iam.reqSignatureV4Verify(testCase.req); s3Error != testCase.s3Error {
  94. io.ReadAll(testCase.req.Body)
  95. t.Fatalf("Test %d: Unexpected S3 error: want %d - got %d", i, testCase.s3Error, s3Error)
  96. }
  97. }
  98. }
  100. func TestCheckAdminRequestAuthType(t *testing.T) {
  101. option := S3ApiServerOption{
  102. GrpcDialOption: grpc.WithTransportCredentials(insecure.NewCredentials()),
  103. }
  104. iam := NewIdentityAccessManagement(&option)
  105. iam.identities = []*Identity{
  106. {
  107. Name: "someone",
  108. Credentials: []*Credential{
  109. {
  110. AccessKey: "access_key_1",
  111. SecretKey: "secret_key_1",
  112. },
  113. },
  114. Actions: nil,
  115. },
  116. }
  118. testCases := []struct {
  119. Request *http.Request
  120. ErrCode s3err.ErrorCode
  121. }{
  122. {Request: mustNewRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrAccessDenied},
  123. {Request: mustNewSignedRequest("GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrNone},
  124. {Request: mustNewPresignedRequest(iam, "GET", "http://127.0.0.1:9000", 0, nil, t), ErrCode: s3err.ErrNone},
  125. }
  126. for i, testCase := range testCases {
  127. if _, s3Error := iam.reqSignatureV4Verify(testCase.Request); s3Error != testCase.ErrCode {
  128. t.Errorf("Test %d: Unexpected s3error returned wanted %d, got %d", i, testCase.ErrCode, s3Error)
  129. }
  130. }
  131. }
  133. func BenchmarkGetSignature(b *testing.B) {
  134. t := time.Now()
  135. iam := IdentityAccessManagement{
  136. hashes: make(map[string]*sync.Pool),
  137. hashCounters: make(map[string]*int32),
  138. }
  140. b.ReportAllocs()
  141. b.ResetTimer()
  142. for i := 0; i < b.N; i++ {
  143. iam.getSignature("secret-key", t, "us-east-1", "s3", "random data")
  144. }
  145. }
  147. // Provides a fully populated http request instance, fails otherwise.
  148. func mustNewRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  149. req, err := newTestRequest(method, urlStr, contentLength, body)
  150. if err != nil {
  151. t.Fatalf("Unable to initialize new http request %s", err)
  152. }
  153. return req
  154. }
  156. // This is similar to mustNewRequest but additionally the request
  157. // is signed with AWS Signature V4, fails if not able to do so.
  158. func mustNewSignedRequest(method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  159. req := mustNewRequest(method, urlStr, contentLength, body, t)
  160. cred := &Credential{"access_key_1", "secret_key_1"}
  161. if err := signRequestV4(req, cred.AccessKey, cred.SecretKey); err != nil {
  162. t.Fatalf("Unable to initialized new signed http request %s", err)
  163. }
  164. return req
  165. }
  167. // This is similar to mustNewRequest but additionally the request
  168. // is presigned with AWS Signature V4, fails if not able to do so.
  169. func mustNewPresignedRequest(iam *IdentityAccessManagement, method string, urlStr string, contentLength int64, body io.ReadSeeker, t *testing.T) *http.Request {
  170. req := mustNewRequest(method, urlStr, contentLength, body, t)
  171. cred := &Credential{"access_key_1", "secret_key_1"}
  172. if err := preSignV4(iam, req, cred.AccessKey, cred.SecretKey, int64(10*time.Minute.Seconds())); err != nil {
  173. t.Fatalf("Unable to initialized new signed http request %s", err)
  174. }
  175. return req
  176. }
  178. // Returns new HTTP request object.
  179. func newTestRequest(method, urlStr string, contentLength int64, body io.ReadSeeker) (*http.Request, error) {
  180. if method == "" {
  181. method = "POST"
  182. }
  184. // Save for subsequent use
  185. var hashedPayload string
  186. var md5Base64 string
  187. switch {
  188. case body == nil:
  189. hashedPayload = getSHA256Hash([]byte{})
  190. default:
  191. payloadBytes, err := io.ReadAll(body)
  192. if err != nil {
  193. return nil, err
  194. }
  195. hashedPayload = getSHA256Hash(payloadBytes)
  196. md5Base64 = getMD5HashBase64(payloadBytes)
  197. }
  198. // Seek back to beginning.
  199. if body != nil {
  200. body.Seek(0, 0)
  201. } else {
  202. body = bytes.NewReader([]byte(""))
  203. }
  204. req, err := http.NewRequest(method, urlStr, body)
  205. if err != nil {
  206. return nil, err
  207. }
  208. if md5Base64 != "" {
  209. req.Header.Set("Content-Md5", md5Base64)
  210. }
  211. req.Header.Set("x-amz-content-sha256", hashedPayload)
  213. // Add Content-Length
  214. req.ContentLength = contentLength
  216. return req, nil
  217. }
  219. // getSHA256Hash returns SHA-256 hash in hex encoding of given data.
  220. func getSHA256Hash(data []byte) string {
  221. return hex.EncodeToString(getSHA256Sum(data))
  222. }
  224. // getMD5HashBase64 returns MD5 hash in base64 encoding of given data.
  225. func getMD5HashBase64(data []byte) string {
  226. return base64.StdEncoding.EncodeToString(getMD5Sum(data))
  227. }
  229. // getSHA256Hash returns SHA-256 sum of given data.
  230. func getSHA256Sum(data []byte) []byte {
  231. hash := sha256.New()
  232. hash.Write(data)
  233. return hash.Sum(nil)
  234. }
  236. // getMD5Sum returns MD5 sum of given data.
  237. func getMD5Sum(data []byte) []byte {
  238. hash := md5.New()
  239. hash.Write(data)
  240. return hash.Sum(nil)
  241. }
  243. // getMD5Hash returns MD5 hash in hex encoding of given data.
  244. func getMD5Hash(data []byte) string {
  245. return hex.EncodeToString(getMD5Sum(data))
  246. }
  248. var ignoredHeaders = map[string]bool{
  249. "Authorization": true,
  250. "Content-Type": true,
  251. "Content-Length": true,
  252. "User-Agent": true,
  253. }
  255. // Sign given request using Signature V4.
  256. func signRequestV4(req *http.Request, accessKey, secretKey string) error {
  257. // Get hashed payload.
  258. hashedPayload := req.Header.Get("x-amz-content-sha256")
  259. if hashedPayload == "" {
  260. return fmt.Errorf("Invalid hashed payload")
  261. }
  263. currTime := time.Now()
  265. // Set x-amz-date.
  266. req.Header.Set("x-amz-date", currTime.Format(iso8601Format))
  268. // Get header map.
  269. headerMap := make(map[string][]string)
  270. for k, vv := range req.Header {
  271. // If request header key is not in ignored headers, then add it.
  272. if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; !ok {
  273. headerMap[strings.ToLower(k)] = vv
  274. }
  275. }
  277. // Get header keys.
  278. headers := []string{"host"}
  279. for k := range headerMap {
  280. headers = append(headers, k)
  281. }
  282. sort.Strings(headers)
  284. region := "us-east-1"
  286. // Get canonical headers.
  287. var buf bytes.Buffer
  288. for _, k := range headers {
  289. buf.WriteString(k)
  290. buf.WriteByte(':')
  291. switch {
  292. case k == "host":
  293. buf.WriteString(req.URL.Host)
  294. fallthrough
  295. default:
  296. for idx, v := range headerMap[k] {
  297. if idx > 0 {
  298. buf.WriteByte(',')
  299. }
  300. buf.WriteString(v)
  301. }
  302. buf.WriteByte('\n')
  303. }
  304. }
  305. canonicalHeaders := buf.String()
  307. // Get signed headers.
  308. signedHeaders := strings.Join(headers, ";")
  310. // Get canonical query string.
  311. req.URL.RawQuery = strings.Replace(req.URL.Query().Encode(), "+", "%20", -1)
  313. // Get canonical URI.
  314. canonicalURI := EncodePath(req.URL.Path)
  316. // Get canonical request.
  317. // canonicalRequest =
  318. // <HTTPMethod>\n
  319. // <CanonicalURI>\n
  320. // <CanonicalQueryString>\n
  321. // <CanonicalHeaders>\n
  322. // <SignedHeaders>\n
  323. // <HashedPayload>
  324. //
  325. canonicalRequest := strings.Join([]string{
  326. req.Method,
  327. canonicalURI,
  328. req.URL.RawQuery,
  329. canonicalHeaders,
  330. signedHeaders,
  331. hashedPayload,
  332. }, "\n")
  334. // Get scope.
  335. scope := strings.Join([]string{
  336. currTime.Format(yyyymmdd),
  337. region,
  338. "s3",
  339. "aws4_request",
  340. }, "/")
  342. stringToSign := "AWS4-HMAC-SHA256" + "\n" + currTime.Format(iso8601Format) + "\n"
  343. stringToSign = stringToSign + scope + "\n"
  344. stringToSign = stringToSign + getSHA256Hash([]byte(canonicalRequest))
  346. date := sumHMAC([]byte("AWS4"+secretKey), []byte(currTime.Format(yyyymmdd)))
  347. regionHMAC := sumHMAC(date, []byte(region))
  348. service := sumHMAC(regionHMAC, []byte("s3"))
  349. signingKey := sumHMAC(service, []byte("aws4_request"))
  351. signature := hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
  353. // final Authorization header
  354. parts := []string{
  355. "AWS4-HMAC-SHA256" + " Credential=" + accessKey + "/" + scope,
  356. "SignedHeaders=" + signedHeaders,
  357. "Signature=" + signature,
  358. }
  359. auth := strings.Join(parts, ", ")
  360. req.Header.Set("Authorization", auth)
  362. return nil
  363. }
  365. // preSignV4 presign the request, in accordance with
  366. // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html.
  367. func preSignV4(iam *IdentityAccessManagement, req *http.Request, accessKeyID, secretAccessKey string, expires int64) error {
  368. // Presign is not needed for anonymous credentials.
  369. if accessKeyID == "" || secretAccessKey == "" {
  370. return errors.New("Presign cannot be generated without access and secret keys")
  371. }
  373. region := "us-east-1"
  374. date := time.Now().UTC()
  375. scope := getScope(date, region)
  376. credential := fmt.Sprintf("%s/%s", accessKeyID, scope)
  378. // Set URL query.
  379. query := req.URL.Query()
  380. query.Set("X-Amz-Algorithm", signV4Algorithm)
  381. query.Set("X-Amz-Date", date.Format(iso8601Format))
  382. query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10))
  383. query.Set("X-Amz-SignedHeaders", "host")
  384. query.Set("X-Amz-Credential", credential)
  385. query.Set("X-Amz-Content-Sha256", unsignedPayload)
  387. // "host" is the only header required to be signed for Presigned URLs.
  388. extractedSignedHeaders := make(http.Header)
  389. extractedSignedHeaders.Set("host", req.Host)
  391. queryStr := strings.Replace(query.Encode(), "+", "%20", -1)
  392. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, unsignedPayload, queryStr, req.URL.Path, req.Method)
  393. stringToSign := getStringToSign(canonicalRequest, date, scope)
  394. signature := iam.getSignature(secretAccessKey, date, region, "s3", stringToSign)
  396. req.URL.RawQuery = query.Encode()
  398. // Add signature header to RawQuery.
  399. req.URL.RawQuery += "&X-Amz-Signature=" + url.QueryEscape(signature)
  401. // Construct the final presigned URL.
  402. return nil
  403. }
  405. // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
  406. //
  407. // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
  408. // non english characters cannot be parsed due to the nature in which url.Encode() is written
  409. //
  410. // This function on the other hand is a direct replacement for url.Encode() technique to support
  411. // pretty much every UTF-8 character.
  412. func EncodePath(pathName string) string {
  413. if reservedObjectNames.MatchString(pathName) {
  414. return pathName
  415. }
  416. var encodedPathname string
  417. for _, s := range pathName {
  418. if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
  419. encodedPathname = encodedPathname + string(s)
  420. continue
  421. }
  422. switch s {
  423. case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
  424. encodedPathname = encodedPathname + string(s)
  425. continue
  426. default:
  427. len := utf8.RuneLen(s)
  428. if len < 0 {
  429. // if utf8 cannot convert return the same string as is
  430. return pathName
  431. }
  432. u := make([]byte, len)
  433. utf8.EncodeRune(u, s)
  434. for _, r := range u {
  435. hex := hex.EncodeToString([]byte{r})
  436. encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
  437. }
  438. }
  439. }
  440. return encodedPathname
  441. }