From bf94344ae0f30d5491d2bb678a0a849a50da63ec Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Thu, 21 Apr 2022 13:33:33 +0200 Subject: [PATCH] signatures for service k2v different than for s3 --- src/api/k2v/api_server.rs | 2 +- src/api/s3/api_server.rs | 2 +- src/api/s3/post_object.rs | 10 +++++++++- src/api/signature/payload.rs | 8 ++++++-- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/src/api/k2v/api_server.rs b/src/api/k2v/api_server.rs index 0efa5d8e..39b6f267 100644 --- a/src/api/k2v/api_server.rs +++ b/src/api/k2v/api_server.rs @@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer { return handle_options_s3api(garage, &req, Some(bucket_name)).await; } - let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?; + let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?; let api_key = api_key.ok_or_else(|| { Error::Forbidden("Garage does not support anonymous access yet".to_string()) })?; diff --git a/src/api/s3/api_server.rs b/src/api/s3/api_server.rs index 04e3727f..d908f84a 100644 --- a/src/api/s3/api_server.rs +++ b/src/api/s3/api_server.rs @@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer { return handle_options_s3api(garage, &req, bucket_name).await; } - let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?; + let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?; let api_key = api_key.ok_or_else(|| { Error::Forbidden("Garage does not support anonymous access yet".to_string()) })?; diff --git a/src/api/s3/post_object.rs b/src/api/s3/post_object.rs index a060c8fb..86fa7880 100644 --- a/src/api/s3/post_object.rs +++ b/src/api/s3/post_object.rs @@ -119,7 +119,15 @@ pub async fn handle_post_object( }; let date = parse_date(date)?; - let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?; + let api_key = verify_v4( + &garage, + "s3", + credential, + &date, + signature, + policy.as_bytes(), + ) + .await?; let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?; diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index 2a41b307..59d7ff6a 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -19,6 +19,7 @@ use crate::error::*; pub async fn check_payload_signature( garage: &Garage, + service: &str, request: &Request, ) -> Result<(Option, Option), Error> { let mut headers = HashMap::new(); @@ -64,6 +65,7 @@ pub async fn check_payload_signature( let key = verify_v4( garage, + service, &authorization.credential, &authorization.date, &authorization.signature, @@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result, Error> { pub async fn verify_v4( garage: &Garage, + service: &str, credential: &str, date: &DateTime, signature: &str, @@ -289,9 +292,10 @@ pub async fn verify_v4( let (key_id, scope) = parse_credential(credential)?; let scope_expected = format!( - "{}/{}/s3/aws4_request", + "{}/{}/{}/aws4_request", date.format(SHORT_DATE), - garage.config.s3_api.s3_region + garage.config.s3_api.s3_region, + service ); if scope != scope_expected { return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));