|
|
|
|
@@ -21,12 +21,115 @@ package s3api
|
|
|
|
|
import (
|
|
|
|
|
"bufio"
|
|
|
|
|
"bytes"
|
|
|
|
|
"crypto/sha256"
|
|
|
|
|
"encoding/hex"
|
|
|
|
|
"errors"
|
|
|
|
|
"github.com/dustin/go-humanize"
|
|
|
|
|
"hash"
|
|
|
|
|
"io"
|
|
|
|
|
"net/http"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/dustin/go-humanize"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// getChunkSignature - get chunk signature.
|
|
|
|
|
func getChunkSignature(secretKey string, seedSignature string, region string, date time.Time, hashedChunk string) string {
|
|
|
|
|
|
|
|
|
|
// Calculate string to sign.
|
|
|
|
|
stringToSign := signV4ChunkedAlgorithm + "\n" +
|
|
|
|
|
date.Format(iso8601Format) + "\n" +
|
|
|
|
|
getScope(date, region) + "\n" +
|
|
|
|
|
seedSignature + "\n" +
|
|
|
|
|
emptySHA256 + "\n" +
|
|
|
|
|
hashedChunk
|
|
|
|
|
|
|
|
|
|
// Get hmac signing key.
|
|
|
|
|
signingKey := getSigningKey(secretKey, date, region)
|
|
|
|
|
|
|
|
|
|
// Calculate signature.
|
|
|
|
|
newSignature := getSignature(signingKey, stringToSign)
|
|
|
|
|
|
|
|
|
|
return newSignature
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// calculateSeedSignature - Calculate seed signature in accordance with
|
|
|
|
|
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html
|
|
|
|
|
// returns signature, error otherwise if the signature mismatches or any other
|
|
|
|
|
// error while parsing and validating.
|
|
|
|
|
func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cred *Credential, signature string, region string, date time.Time, errCode ErrorCode) {
|
|
|
|
|
|
|
|
|
|
// Copy request.
|
|
|
|
|
req := *r
|
|
|
|
|
|
|
|
|
|
// Save authorization header.
|
|
|
|
|
v4Auth := req.Header.Get("Authorization")
|
|
|
|
|
|
|
|
|
|
// Parse signature version '4' header.
|
|
|
|
|
signV4Values, errCode := parseSignV4(v4Auth)
|
|
|
|
|
if errCode != ErrNone {
|
|
|
|
|
return nil, "", "", time.Time{}, errCode
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Payload streaming.
|
|
|
|
|
payload := streamingContentSHA256
|
|
|
|
|
|
|
|
|
|
// Payload for STREAMING signature should be 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD'
|
|
|
|
|
if payload != req.Header.Get("X-Amz-Content-Sha256") {
|
|
|
|
|
return nil, "", "", time.Time{}, ErrContentSHA256Mismatch
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Extract all the signed headers along with its values.
|
|
|
|
|
extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
|
|
|
|
|
if errCode != ErrNone {
|
|
|
|
|
return nil, "", "", time.Time{}, errCode
|
|
|
|
|
}
|
|
|
|
|
// Verify if the access key id matches.
|
|
|
|
|
_, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
|
|
|
|
|
if !found {
|
|
|
|
|
return nil, "", "", time.Time{}, ErrInvalidAccessKeyID
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Verify if region is valid.
|
|
|
|
|
region = signV4Values.Credential.scope.region
|
|
|
|
|
|
|
|
|
|
// Extract date, if not present throw error.
|
|
|
|
|
var dateStr string
|
|
|
|
|
if dateStr = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); dateStr == "" {
|
|
|
|
|
if dateStr = r.Header.Get("Date"); dateStr == "" {
|
|
|
|
|
return nil, "", "", time.Time{}, ErrMissingDateHeader
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Parse date header.
|
|
|
|
|
var err error
|
|
|
|
|
date, err = time.Parse(iso8601Format, dateStr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, "", "", time.Time{}, ErrMalformedDate
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Query string.
|
|
|
|
|
queryStr := req.URL.Query().Encode()
|
|
|
|
|
|
|
|
|
|
// Get canonical request.
|
|
|
|
|
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, payload, queryStr, req.URL.Path, req.Method)
|
|
|
|
|
|
|
|
|
|
// Get string to sign from canonical request.
|
|
|
|
|
stringToSign := getStringToSign(canonicalRequest, date, signV4Values.Credential.getScope())
|
|
|
|
|
|
|
|
|
|
// Get hmac signing key.
|
|
|
|
|
signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region)
|
|
|
|
|
|
|
|
|
|
// Calculate signature.
|
|
|
|
|
newSignature := getSignature(signingKey, stringToSign)
|
|
|
|
|
|
|
|
|
|
// Verify if signature match.
|
|
|
|
|
if !compareSignatureV4(newSignature, signV4Values.Signature) {
|
|
|
|
|
return nil, "", "", time.Time{}, ErrSignatureDoesNotMatch
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Return caculated signature.
|
|
|
|
|
return cred, newSignature, region, date, ErrNone
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const maxLineLength = 4 * humanize.KiByte // assumed <= bufio.defaultBufSize 4KiB
|
|
|
|
|
|
|
|
|
|
// lineTooLong is generated as chunk header is bigger than 4KiB.
|
|
|
|
|
@@ -38,22 +141,36 @@ var errMalformedEncoding = errors.New("malformed chunked encoding")
|
|
|
|
|
// newSignV4ChunkedReader returns a new s3ChunkedReader that translates the data read from r
|
|
|
|
|
// out of HTTP "chunked" format before returning it.
|
|
|
|
|
// The s3ChunkedReader returns io.EOF when the final 0-length chunk is read.
|
|
|
|
|
func newSignV4ChunkedReader(req *http.Request) io.ReadCloser {
|
|
|
|
|
return &s3ChunkedReader{
|
|
|
|
|
reader: bufio.NewReader(req.Body),
|
|
|
|
|
state: readChunkHeader,
|
|
|
|
|
func (iam *IdentityAccessManagement) newSignV4ChunkedReader(req *http.Request) (io.ReadCloser, ErrorCode) {
|
|
|
|
|
ident, seedSignature, region, seedDate, errCode := iam.calculateSeedSignature(req)
|
|
|
|
|
if errCode != ErrNone {
|
|
|
|
|
return nil, errCode
|
|
|
|
|
}
|
|
|
|
|
return &s3ChunkedReader{
|
|
|
|
|
cred: ident,
|
|
|
|
|
reader: bufio.NewReader(req.Body),
|
|
|
|
|
seedSignature: seedSignature,
|
|
|
|
|
seedDate: seedDate,
|
|
|
|
|
region: region,
|
|
|
|
|
chunkSHA256Writer: sha256.New(),
|
|
|
|
|
state: readChunkHeader,
|
|
|
|
|
}, ErrNone
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Represents the overall state that is required for decoding a
|
|
|
|
|
// AWS Signature V4 chunked reader.
|
|
|
|
|
type s3ChunkedReader struct {
|
|
|
|
|
reader *bufio.Reader
|
|
|
|
|
state chunkState
|
|
|
|
|
lastChunk bool
|
|
|
|
|
chunkSignature string
|
|
|
|
|
n uint64 // Unread bytes in chunk
|
|
|
|
|
err error
|
|
|
|
|
cred *Credential
|
|
|
|
|
reader *bufio.Reader
|
|
|
|
|
seedSignature string
|
|
|
|
|
seedDate time.Time
|
|
|
|
|
region string
|
|
|
|
|
state chunkState
|
|
|
|
|
lastChunk bool
|
|
|
|
|
chunkSignature string
|
|
|
|
|
chunkSHA256Writer hash.Hash // Calculates sha256 of chunk data.
|
|
|
|
|
n uint64 // Unread bytes in chunk
|
|
|
|
|
err error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Read chunk reads the chunk token signature portion.
|
|
|
|
|
@@ -152,6 +269,9 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
|
|
|
|
|
return 0, cr.err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Calculate sha256.
|
|
|
|
|
cr.chunkSHA256Writer.Write(rbuf[:n0])
|
|
|
|
|
|
|
|
|
|
// Update the bytes read into request buffer so far.
|
|
|
|
|
n += n0
|
|
|
|
|
buf = buf[n0:]
|
|
|
|
|
@@ -164,6 +284,19 @@ func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
case verifyChunk:
|
|
|
|
|
// Calculate the hashed chunk.
|
|
|
|
|
hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
|
|
|
|
|
// Calculate the chunk signature.
|
|
|
|
|
newSignature := getChunkSignature(cr.cred.SecretKey, cr.seedSignature, cr.region, cr.seedDate, hashedChunk)
|
|
|
|
|
if !compareSignatureV4(cr.chunkSignature, newSignature) {
|
|
|
|
|
// Chunk signature doesn't match we return signature does not match.
|
|
|
|
|
cr.err = errors.New("chunk signature does not match")
|
|
|
|
|
return 0, cr.err
|
|
|
|
|
}
|
|
|
|
|
// Newly calculated signature becomes the seed for the next chunk
|
|
|
|
|
// this follows the chaining.
|
|
|
|
|
cr.seedSignature = newSignature
|
|
|
|
|
cr.chunkSHA256Writer.Reset()
|
|
|
|
|
if cr.lastChunk {
|
|
|
|
|
cr.state = eofChunk
|
|
|
|
|
} else {
|
|
|
|
|
|
Chris Lu