Fix STS InvalidAccessKeyId and request body consumption issues (#8328)

* Fix STS InvalidAccessKeyId and request body consumption in Lakekeeper integration test * Remove debug prints * Add Lakekeeper integration tests to CI * Fix connection refused in CI by binding to 0.0.0.0 * Add timeout to docker run in Lakekeeper integration test * Update weed/s3api/auth_credentials.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-12 17:37:07 -08:00
parent 951eeefb76
commit 796f23f68a
5 changed files with 419 additions and 20 deletions
--- a/weed/s3api/auth_credentials.go
+++ b/weed/s3api/auth_credentials.go
@@ -1271,6 +1271,7 @@ func (iam *IdentityAccessManagement) authRequestWithAuthType(r *http.Request, ac
 // the specific IAM action (e.g., self-service vs admin operations).
 // Returns the authenticated identity and any signature verification error.
 func (iam *IdentityAccessManagement) AuthSignatureOnly(r *http.Request) (*Identity, s3err.ErrorCode) {
+
 	var identity *Identity
 	var s3Err s3err.ErrorCode
 	var authType string
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -79,7 +79,7 @@ func streamHashRequestBody(r *http.Request, sizeLimit int64) (string, error) {
 		return "", err
 	}

-	r.Body = io.NopCloser(&bodyBuffer)
+	r.Body = io.NopCloser(bytes.NewReader(bodyBuffer.Bytes()))

 	if bodyBuffer.Len() == 0 {
 		return emptySHA256, nil
--- a/weed/s3api/s3api_sts.go
+++ b/weed/s3api/s3api_sts.go
@@ -5,8 +5,6 @@ package s3api
 // AWS SDKs to obtain temporary credentials using OIDC/JWT tokens.

 import (
-	"crypto/rand"
-	"encoding/base64"
 	"encoding/xml"
 	"errors"
 	"fmt"
@@ -488,24 +486,14 @@ func (h *STSHandlers) prepareSTSCredentials(roleArn, roleSessionName, principalA
 		return STSCredentials{}, nil, fmt.Errorf("failed to generate session token: %w", err)
 	}

-	// Generate temporary credentials (cryptographically secure)
-	// AccessKeyId: ASIA + 16 chars hex
-	// SecretAccessKey: 40 chars base64
-	randBytes := make([]byte, 30) // Sufficient for both
-	if _, err := rand.Read(randBytes); err != nil {
-		return STSCredentials{}, nil, fmt.Errorf("failed to generate random bytes: %w", err)
+	// Generate temporary credentials (deterministic based on sessionId)
+	stsCredGen := sts.NewCredentialGenerator()
+	stsCredsDet, err := stsCredGen.GenerateTemporaryCredentials(sessionId, expiration)
+	if err != nil {
+		return STSCredentials{}, nil, fmt.Errorf("failed to generate temporary credentials: %w", err)
 	}
-
-	// Generate AccessKeyId (ASIA + 16 upper-hex chars)
-	// We use 8 bytes (16 hex chars)
-	accessKeyId := "ASIA" + fmt.Sprintf("%X", randBytes[:8])
-
-	// Generate SecretAccessKey: 30 random bytes, base64-encoded to a 40-character string
-	secretBytes := make([]byte, 30)
-	if _, err := rand.Read(secretBytes); err != nil {
-		return STSCredentials{}, nil, fmt.Errorf("failed to generate secret bytes: %w", err)
-	}
-	secretAccessKey := base64.StdEncoding.EncodeToString(secretBytes)
+	accessKeyId := stsCredsDet.AccessKeyId
+	secretAccessKey := stsCredsDet.SecretAccessKey

 	// Get account ID from STS config or use default
 	accountId := defaultAccountId