gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

S3: Signature verification should not check permissions (#7335)

Browse Source 
* Signature verification should not check permissions - that's done later in authRequest

* test permissions during signature verfication

* fix s3 test path

* s3tests_boto3 => s3tests

* remove extra lines
This commit is contained in:
Chris Lu
2025-10-15 11:27:39 -07:00
committed by GitHub
parent ffc45a538d
commit 3d25f206c8
5 changed files with 420 additions and 386 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
weed/s3api/auth_signature_v2.go
View File

@@ -116,11 +116,6 @@ func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity
return nil, s3err.ErrInvalidAccessKeyID
}
bucket, object := s3_constants.GetBucketAndObject(r)
if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) {
return nil, s3err.ErrAccessDenied
}
expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header)
if !compareSignatureV2(v2Auth, expectedAuth) {
return nil, s3err.ErrSignatureDoesNotMatch
@@ -163,11 +158,6 @@ func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request
return nil, s3err.ErrInvalidAccessKeyID
}
bucket, object := s3_constants.GetBucketAndObject(r)
if !identity.canDo(s3_constants.ACTION_READ, bucket, object) {
return nil, s3err.ErrAccessDenied
}
expectedSignature := preSignatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header, expires)
if !compareSignatureV2(signature, expectedSignature) {
return nil, s3err.ErrSignatureDoesNotMatch