Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

s3api: fix S3 Tables auth to allow auto-hashing of body (#8170) 

* s3api: allow auto-hashing of request body for s3tables

* s3api: add unit test for s3tables body hashing
pull/8171/head
Chris Lu 2 days ago
committed by GitHub
parent
f1e27b8f30
commit
6a9e7360df
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 62 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      weed/s3api/auth_signature_v4.go
  2. 61
      weed/s3api/auth_signature_v4_test.go

2
weed/s3api/auth_signature_v4.go
View File

@ -477,7 +477,7 @@ func extractV4AuthInfoFromHeader(r *http.Request) (*v4AuthInfo, s3err.ErrorCode)
} }
hashedPayload := getContentSha256Cksum(r) hashedPayload := getContentSha256Cksum(r)
if signV4Values.Credential.scope.service != "s3" && signV4Values.Credential.scope.service != "s3tables" && hashedPayload == emptySHA256 && r.Body != nil {
if signV4Values.Credential.scope.service != "s3" && hashedPayload == emptySHA256 && r.Body != nil {
var hashErr error var hashErr error
hashedPayload, hashErr = streamHashRequestBody(r, iamRequestBodyLimit) hashedPayload, hashErr = streamHashRequestBody(r, iamRequestBodyLimit)
if hashErr != nil { if hashErr != nil {

61
weed/s3api/auth_signature_v4_test.go
View File

@ -1,10 +1,71 @@
package s3api package s3api
import ( import (
"bytes"
"crypto/sha256"
"encoding/hex"
"fmt"
"net/http" "net/http"
"testing" "testing"
"time"
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
) )
func TestExtractV4AuthInfoFromHeader_S3Tables(t *testing.T) {
now := time.Now().UTC()
dateStr := now.Format(iso8601Format)
tests := []struct {
name string
service string
body string
expectAutoHash bool
}{
{
name: "s3 service should not auto-hash",
service: "s3",
body: "hello",
expectAutoHash: false,
},
{
name: "s3tables service should auto-hash",
service: "s3tables",
body: "hello",
expectAutoHash: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
body := bytes.NewReader([]byte(tt.body))
req, _ := http.NewRequest(http.MethodPost, "http://localhost/", body)
authHeader := fmt.Sprintf("AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/%s/us-east-1/%s/aws4_request, SignedHeaders=host, Signature=dummy",
now.Format(yyyymmdd), tt.service)
req.Header.Set("Authorization", authHeader)
req.Header.Set("x-amz-date", dateStr)
authInfo, errCode := extractV4AuthInfoFromHeader(req)
if errCode != s3err.ErrNone {
t.Fatalf("extractV4AuthInfoFromHeader failed: %v", errCode)
}
if tt.expectAutoHash {
expectedHash := sha256.Sum256([]byte(tt.body))
expectedHashStr := hex.EncodeToString(expectedHash[:])
if authInfo.HashedPayload != expectedHashStr {
t.Errorf("Expected auto-hashed payload %s, got %s", expectedHashStr, authInfo.HashedPayload)
}
} else {
if authInfo.HashedPayload != emptySHA256 {
t.Errorf("Expected non-auto-hashed payload %s (emptySHA256), got %s", emptySHA256, authInfo.HashedPayload)
}
}
})
}
}
func TestBuildPathWithForwardedPrefix(t *testing.T) { func TestBuildPathWithForwardedPrefix(t *testing.T) {
tests := []struct { tests := []struct {
name string name string

Write Preview
Loading…
Cancel
Save