s3: change s3 tables to use RESTful API (#8169)

* s3: refactor s3 tables to use RESTful API * test/s3tables: guard empty namespaces * s3api: document tag parsing and validate get-table * s3api: limit S3Tables REST body size * Update weed/s3api/s3api_tables.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update weed/s3api/s3tables/handler.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * s3api: accept encoded table bucket ARNs * s3api: validate namespaces and close body * s3api: match encoded table bucket ARNs * s3api: scope table bucket ARN routes * s3api: dedupe table bucket request builders * test/s3tables: allow list tables without namespace * s3api: validate table params and tag ARN * s3api: tighten tag handling and get-table params * s3api: loosen tag ARN route matching * Fix S3 Tables REST routing and tests * Adjust S3 Tables request parsing * Gate S3 Tables target routing * Avoid double decoding namespaces --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-01-30 10:37:34 -08:00
parent 9e15823855
commit f1e27b8f30
7 changed files with 964 additions and 172 deletions
--- a/weed/s3api/auth_signature_v4.go
+++ b/weed/s3api/auth_signature_v4.go
@@ -26,6 +26,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"regexp"
 	"sort"
 	"strconv"
@@ -284,8 +285,12 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 	}

 	// 8. Verify the signature, trying with X-Forwarded-Prefix first
+	pathForSignature := r.URL.EscapedPath()
+	if pathForSignature == "" {
+		pathForSignature = r.URL.Path
+	}
 	if forwardedPrefix := r.Header.Get("X-Forwarded-Prefix"); forwardedPrefix != "" {
-		cleanedPath := buildPathWithForwardedPrefix(forwardedPrefix, r.URL.Path)
+		cleanedPath := buildPathWithForwardedPrefix(forwardedPrefix, pathForSignature)
 		calculatedSignature, errCode = verify(cleanedPath)
 		if errCode == s3err.ErrNone {
 			return identity, cred, calculatedSignature, authInfo, s3err.ErrNone
@@ -293,12 +298,20 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
 	}

 	// 9. Verify with the original path
-	calculatedSignature, errCode = verify(r.URL.Path)
-	if errCode != s3err.ErrNone {
-		return nil, nil, "", nil, errCode
+	calculatedSignature, errCode = verify(pathForSignature)
+	if errCode == s3err.ErrNone {
+		return identity, cred, calculatedSignature, authInfo, s3err.ErrNone
 	}

-	return identity, cred, calculatedSignature, authInfo, s3err.ErrNone
+	// 10. Retry with decoded path if signature used raw path encoding
+	if decodedPath, decodeErr := url.PathUnescape(pathForSignature); decodeErr == nil && decodedPath != pathForSignature {
+		calculatedSignature, errCode = verify(decodedPath)
+		if errCode == s3err.ErrNone {
+			return identity, cred, calculatedSignature, authInfo, s3err.ErrNone
+		}
+	}
+
+	return nil, nil, "", nil, errCode
 }

 // validateSTSSessionToken validates an STS session token and extracts temporary credentials
@@ -464,7 +477,7 @@ func extractV4AuthInfoFromHeader(r *http.Request) (*v4AuthInfo, s3err.ErrorCode)
 	}

 	hashedPayload := getContentSha256Cksum(r)
-	if signV4Values.Credential.scope.service != "s3" && hashedPayload == emptySHA256 && r.Body != nil {
+	if signV4Values.Credential.scope.service != "s3" && signV4Values.Credential.scope.service != "s3tables" && hashedPayload == emptySHA256 && r.Body != nil {
 		var hashErr error
 		hashedPayload, hashErr = streamHashRequestBody(r, iamRequestBodyLimit)
 		if hashErr != nil {