gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(s3): use URL-safe secret keys for dashboard users and service accounts (#8902)

Browse Source 
* fix(s3): use URL-safe secret keys for admin dashboard users and service accounts

The dashboard's generateSecretKey() used base64.StdEncoding which produces
+, /, and = characters that break S3 signature authentication. Reuse the
IAM package's GenerateSecretAccessKey() which was already fixed in #7990.

Fixes #8898

* fix: handle error from GenerateSecretAccessKey instead of ignoring it
This commit is contained in:
Chris Lu
2026-04-03 11:20:28 -07:00
committed by GitHub
parent d3cea714d0
commit 2e98902f29
2 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
weed/admin/dash/user_management.go
View File

@@ -3,13 +3,13 @@ package dash
import (
"context"
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"strings"
"time"
"github.com/seaweedfs/seaweedfs/weed/credential"
"github.com/seaweedfs/seaweedfs/weed/iam"
"github.com/seaweedfs/seaweedfs/weed/pb/iam_pb"
)
@@ -435,10 +435,13 @@ func generateAccessKey() string {
}
func generateSecretKey() string {
// Generate 40-character secret key (AWS standard)
b := make([]byte, 30) // 30 bytes = 40 characters in base64
rand.Read(b)
return base64.StdEncoding.EncodeToString(b)
// Use the IAM helper to generate URL-safe secret keys (no +, / characters)
// that won't break S3 signature authentication
key, err := iam.GenerateSecretAccessKey()
if err != nil {
panic(fmt.Sprintf("failed to generate secret key: %v", err))
}
return key
}
func generateAccountId() string {

13
weed/admin/dash/user_management_test.go
View File

@@ -74,9 +74,16 @@ func TestGenerateSecretKey(t *testing.T) {
key1 := generateSecretKey()
key2 := generateSecretKey()
// Check length (base64 encoding of 30 bytes = 40 characters)
if len(key1) != 40 {
t.Errorf("Expected secret key length 40, got %d", len(key1))
// Check length (IAM standard secret key length)
if len(key1) != 42 {
t.Errorf("Expected secret key length 42, got %d", len(key1))
}
// Check that key contains only URL-safe characters (no +, /)
for _, c := range key1 {
if c == '+' || c == '/' || c == '=' {
t.Errorf("Secret key contains non-URL-safe character: %c", c)
}
}
// Check uniqueness