You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
284 lines
7.7 KiB
284 lines
7.7 KiB
package s3api
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
|
|
"github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
|
|
)
|
|
|
|
func setupTestIAMForV2Auth() *IdentityAccessManagement {
|
|
iam := &IdentityAccessManagement{
|
|
identities: []*Identity{},
|
|
accessKeyIdent: make(map[string]*Identity),
|
|
}
|
|
|
|
testCred := &Credential{
|
|
AccessKey: "AKIAIOSFODNN7EXAMPLE",
|
|
SecretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
|
|
}
|
|
|
|
testIdentity := &Identity{
|
|
Name: "testUser",
|
|
Account: &AccountAdmin,
|
|
Credentials: []*Credential{testCred},
|
|
Actions: []Action{
|
|
s3_constants.ACTION_ADMIN,
|
|
},
|
|
}
|
|
|
|
iam.identities = append(iam.identities, testIdentity)
|
|
iam.accessKeyIdent[testCred.AccessKey] = testIdentity
|
|
|
|
return iam
|
|
}
|
|
|
|
func TestValidateV2AuthHeader(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
authHeader string
|
|
expectedAccessKey string
|
|
expectedError s3err.ErrorCode
|
|
}{
|
|
{
|
|
name: "valid auth header with space",
|
|
authHeader: "AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg=",
|
|
expectedAccessKey: "AKIAIOSFODNN7EXAMPLE",
|
|
expectedError: s3err.ErrNone,
|
|
},
|
|
{
|
|
name: "empty auth header",
|
|
authHeader: "",
|
|
expectedError: s3err.ErrAuthHeaderEmpty,
|
|
},
|
|
{
|
|
name: "wrong algorithm prefix",
|
|
authHeader: "HMAC AKIAIOSFODNN7EXAMPLE:signature",
|
|
expectedError: s3err.ErrSignatureVersionNotSupported,
|
|
},
|
|
{
|
|
name: "missing colon separator",
|
|
authHeader: "AWS AKIAIOSFODNN7EXAMPLE",
|
|
expectedError: s3err.ErrMissingFields,
|
|
},
|
|
{
|
|
name: "empty access key",
|
|
authHeader: "AWS :signature",
|
|
expectedError: s3err.ErrInvalidAccessKeyID,
|
|
},
|
|
{
|
|
name: "empty signature",
|
|
authHeader: "AWS AKIAIOSFODNN7EXAMPLE:",
|
|
expectedError: s3err.ErrMissingFields,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
accessKey, errCode := validateV2AuthHeader(tt.authHeader)
|
|
|
|
if errCode != tt.expectedError {
|
|
t.Errorf("validateV2AuthHeader() error = %v, want %v", errCode, tt.expectedError)
|
|
}
|
|
|
|
if errCode == s3err.ErrNone && accessKey != tt.expectedAccessKey {
|
|
t.Errorf("validateV2AuthHeader() accessKey = %q, want %q", accessKey, tt.expectedAccessKey)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSignatureV2Format(t *testing.T) {
|
|
cred := &Credential{
|
|
AccessKey: "AKIAIOSFODNN7EXAMPLE",
|
|
SecretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
|
|
}
|
|
|
|
headers := http.Header{}
|
|
headers.Set("Date", "Mon, 09 Sep 2011 23:36:00 GMT")
|
|
|
|
signature := signatureV2(cred, "GET", "/bucket/object", "", headers)
|
|
|
|
// Verify format: "AWS <AccessKey>:<Signature>" with space after AWS
|
|
expectedPrefix := "AWS " + cred.AccessKey + ":"
|
|
if len(signature) < len(expectedPrefix) {
|
|
t.Fatalf("Signature too short: %s", signature)
|
|
}
|
|
|
|
actualPrefix := signature[:len(expectedPrefix)]
|
|
if actualPrefix != expectedPrefix {
|
|
t.Errorf("Signature prefix = %q, want %q", actualPrefix, expectedPrefix)
|
|
}
|
|
}
|
|
|
|
func TestDoesSignV2Match(t *testing.T) {
|
|
iam := setupTestIAMForV2Auth()
|
|
cred := &Credential{
|
|
AccessKey: "AKIAIOSFODNN7EXAMPLE",
|
|
SecretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
|
|
}
|
|
|
|
tests := []struct {
|
|
name string
|
|
method string
|
|
path string
|
|
query string
|
|
headers map[string]string
|
|
authOverride string
|
|
expectedError s3err.ErrorCode
|
|
expectIdent bool
|
|
}{
|
|
{
|
|
name: "valid GET request",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
expectedError: s3err.ErrNone,
|
|
expectIdent: true,
|
|
},
|
|
{
|
|
name: "valid PUT request with content headers",
|
|
method: "PUT",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{
|
|
"Date": "Mon, 09 Sep 2011 23:36:00 GMT",
|
|
"Content-Type": "text/plain",
|
|
"Content-Md5": "c8fdb181845a4ca6b8fec737b3581d76",
|
|
},
|
|
expectedError: s3err.ErrNone,
|
|
expectIdent: true,
|
|
},
|
|
{
|
|
name: "request with query parameters",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "acl&versionId=123",
|
|
headers: map[string]string{
|
|
"Date": "Mon, 09 Sep 2011 23:36:00 GMT",
|
|
},
|
|
expectedError: s3err.ErrNone,
|
|
expectIdent: true,
|
|
},
|
|
{
|
|
name: "request with x-amz headers",
|
|
method: "PUT",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{
|
|
"Date": "Mon, 09 Sep 2011 23:36:00 GMT",
|
|
"x-amz-storage-class": "REDUCED_REDUNDANCY",
|
|
"x-amz-meta-custom": "value",
|
|
},
|
|
expectedError: s3err.ErrNone,
|
|
expectIdent: true,
|
|
},
|
|
{
|
|
name: "invalid signature",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "AWS AKIAIOSFODNN7EXAMPLE:invalidSignature123456==",
|
|
expectedError: s3err.ErrSignatureDoesNotMatch,
|
|
expectIdent: false,
|
|
},
|
|
{
|
|
name: "non-existent access key",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "AWS NONEXISTENTKEY:signature==",
|
|
expectedError: s3err.ErrInvalidAccessKeyID,
|
|
expectIdent: false,
|
|
},
|
|
{
|
|
name: "empty authorization header",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "",
|
|
expectedError: s3err.ErrAuthHeaderEmpty,
|
|
expectIdent: false,
|
|
},
|
|
{
|
|
name: "malformed auth - missing signature",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "AWS AKIAIOSFODNN7EXAMPLE",
|
|
expectedError: s3err.ErrMissingFields,
|
|
expectIdent: false,
|
|
},
|
|
{
|
|
name: "malformed auth - wrong prefix",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "HMAC AKIAIOSFODNN7EXAMPLE:sig",
|
|
expectedError: s3err.ErrSignatureVersionNotSupported,
|
|
expectIdent: false,
|
|
},
|
|
{
|
|
name: "malformed auth - no space after AWS",
|
|
method: "GET",
|
|
path: "/bucket/object",
|
|
query: "",
|
|
headers: map[string]string{"Date": "Mon, 09 Sep 2011 23:36:00 GMT"},
|
|
authOverride: "AWSAKIAIOSFODNN7EXAMPLE:signature==",
|
|
expectedError: s3err.ErrInvalidAccessKeyID,
|
|
expectIdent: false,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
url := "http://example.com" + tt.path
|
|
if tt.query != "" {
|
|
url += "?" + tt.query
|
|
}
|
|
req, err := http.NewRequest(tt.method, url, nil)
|
|
if err != nil {
|
|
t.Fatalf("Failed to create request: %v", err)
|
|
}
|
|
|
|
for key, value := range tt.headers {
|
|
req.Header.Set(key, value)
|
|
}
|
|
|
|
var authHeader string
|
|
if tt.authOverride != "" {
|
|
authHeader = tt.authOverride
|
|
} else {
|
|
authHeader = signatureV2(cred, req.Method, req.URL.Path, req.URL.Query().Encode(), req.Header)
|
|
}
|
|
if tt.name != "empty authorization header" {
|
|
req.Header.Set("Authorization", authHeader)
|
|
}
|
|
|
|
identity, errCode := iam.doesSignV2Match(req)
|
|
|
|
if errCode != tt.expectedError {
|
|
t.Errorf("doesSignV2Match() error = %v, want %v", errCode, tt.expectedError)
|
|
}
|
|
|
|
if tt.expectIdent && identity == nil {
|
|
t.Error("Expected non-nil identity")
|
|
}
|
|
|
|
if !tt.expectIdent && identity != nil {
|
|
t.Error("Expected nil identity")
|
|
}
|
|
|
|
if identity != nil && identity.Name != "testUser" {
|
|
t.Errorf("Identity name = %q, want %q", identity.Name, "testUser")
|
|
}
|
|
})
|
|
}
|
|
}
|