|
|
@ -148,15 +148,38 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" { |
|
|
|
// Handling usage of reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
|
|
|
|
// Trying with prefix before main path.
|
|
|
|
|
|
|
|
// Get canonical request.
|
|
|
|
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, forwardedPrefix + req.URL.Path, req.Method) |
|
|
|
|
|
|
|
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values) |
|
|
|
if errCode == s3err.ErrNone { |
|
|
|
return identity, errCode |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
// Get canonical request.
|
|
|
|
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method) |
|
|
|
|
|
|
|
errCode = iam.genAndCompareSignatureV4(canonicalRequest, cred.SecretKey, t, signV4Values) |
|
|
|
|
|
|
|
if errCode == s3err.ErrNone { |
|
|
|
return identity, errCode |
|
|
|
} |
|
|
|
return nil, errCode |
|
|
|
} |
|
|
|
|
|
|
|
// Generate and compare signature for request.
|
|
|
|
func (iam *IdentityAccessManagement) genAndCompareSignatureV4(canonicalRequest, secretKey string, t time.Time, signV4Values signValues) s3err.ErrorCode { |
|
|
|
// Get string to sign from canonical request.
|
|
|
|
stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope()) |
|
|
|
|
|
|
|
// Calculate signature.
|
|
|
|
newSignature := iam.getSignature( |
|
|
|
cred.SecretKey, |
|
|
|
secretKey, |
|
|
|
signV4Values.Credential.scope.date, |
|
|
|
signV4Values.Credential.scope.region, |
|
|
|
signV4Values.Credential.scope.service, |
|
|
@ -165,11 +188,9 @@ func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r |
|
|
|
|
|
|
|
// Verify if signature match.
|
|
|
|
if !compareSignatureV4(newSignature, signV4Values.Signature) { |
|
|
|
return nil, s3err.ErrSignatureDoesNotMatch |
|
|
|
return s3err.ErrSignatureDoesNotMatch |
|
|
|
} |
|
|
|
|
|
|
|
// Return error none.
|
|
|
|
return identity, s3err.ErrNone |
|
|
|
return s3err.ErrNone |
|
|
|
} |
|
|
|
|
|
|
|
// credentialHeader data type represents structured form of Credential
|
|
|
@ -664,7 +685,10 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header, |
|
|
|
extractedSignedHeaders.Set(header, "100-continue") |
|
|
|
case "host": |
|
|
|
// Go http server removes "host" from Request.Header
|
|
|
|
if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { |
|
|
|
if forwardedHost := r.Header.Get("X-Forwarded-Host"); forwardedHost != "" { |
|
|
|
// Trying to use reverse proxy at prefix. Note that it's an undefined behavior for AWS S3 and not supported in MinIO.
|
|
|
|
extractedSignedHeaders.Set(header, forwardedHost) |
|
|
|
} else if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" { |
|
|
|
extractedSignedHeaders.Set(header, forwardedFor) |
|
|
|
} else { |
|
|
|
extractedSignedHeaders.Set(header, r.Host) |
|
|
|