signatures for service k2v different than for s3

2022-04-21 13:33:33 +02:00 · 2022-04-21 13:33:33 +02:00 · bf94344ae0
parent 87a8315546
commit bf94344ae0
4 changed files with 17 additions and 5 deletions
--- a/src/api/k2v/api_server.rs
+++ b/src/api/k2v/api_server.rs
@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer {
 			return handle_options_s3api(garage, &req, Some(bucket_name)).await;
 		}

-		let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
+		let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
 		let api_key = api_key.ok_or_else(|| {
 			Error::Forbidden("Garage does not support anonymous access yet".to_string())
 		})?;
--- a/src/api/s3/api_server.rs
+++ b/src/api/s3/api_server.rs
@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer {
 			return handle_options_s3api(garage, &req, bucket_name).await;
 		}

-		let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
+		let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
 		let api_key = api_key.ok_or_else(|| {
 			Error::Forbidden("Garage does not support anonymous access yet".to_string())
 		})?;
--- a/src/api/s3/post_object.rs
+++ b/src/api/s3/post_object.rs
@ -119,7 +119,15 @@ pub async fn handle_post_object(
 	};

 	let date = parse_date(date)?;
-	let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?;
+	let api_key = verify_v4(
+		&garage,
+		"s3",
+		credential,
+		&date,
+		signature,
+		policy.as_bytes(),
+	)
+	.await?;

 	let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;

--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@ -19,6 +19,7 @@ use crate::error::*;

 pub async fn check_payload_signature(
 	garage: &Garage,
+	service: &str,
 	request: &Request<Body>,
 ) -> Result<(Option<Key>, Option<Hash>), Error> {
 	let mut headers = HashMap::new();
@ -64,6 +65,7 @@ pub async fn check_payload_signature(

 	let key = verify_v4(
 		garage,
+		service,
 		&authorization.credential,
 		&authorization.date,
 		&authorization.signature,
@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result<DateTime<Utc>, Error> {

 pub async fn verify_v4(
 	garage: &Garage,
+	service: &str,
 	credential: &str,
 	date: &DateTime<Utc>,
 	signature: &str,
@ -289,9 +292,10 @@ pub async fn verify_v4(
 	let (key_id, scope) = parse_credential(credential)?;

 	let scope_expected = format!(
-		"{}/{}/s3/aws4_request",
+		"{}/{}/{}/aws4_request",
 		date.format(SHORT_DATE),
-		garage.config.s3_api.s3_region
+		garage.config.s3_api.s3_region,
+		service
 	);
 	if scope != scope_expected {
 		return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));