signatures for service k2v different than for s3

This commit is contained in:
Alex 2022-04-21 13:33:33 +02:00
parent 87a8315546
commit bf94344ae0
Signed by: lx
GPG key ID: 0E496D15096376BE
4 changed files with 17 additions and 5 deletions


@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer {
return handle_options_s3api(garage, &req, Some(bucket_name)).await; return handle_options_s3api(garage, &req, Some(bucket_name)).await;
} }
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?; let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
let api_key = api_key.ok_or_else(|| { let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string()) Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?; })?;
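Review bot: The service name reaches `check_payload_signature` as the bare literal `"k2v"` on the changed line, and the same pattern appears with `"s3"` in the S3 handler's `check_payload_signature` call and in the `verify_v4` call inside `handle_post_object`; a typo in any of those would still compile and would silently produce an expected scope that never matches, rejecting every signed request on that endpoint. Consider lifting the two names into constants next to `verify_v4`, e.g. `pub const SERVICE_S3: &str = "s3";` and `pub const SERVICE_K2V: &str = "k2v";`, and passing those at all three call sites. The enclosing handler begins before this hunk.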


@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer {
return handle_options_s3api(garage, &req, bucket_name).await; return handle_options_s3api(garage, &req, bucket_name).await;
} }
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?; let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
let api_key = api_key.ok_or_else(|| { let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string()) Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?; })?;


@ -119,7 +119,15 @@ pub async fn handle_post_object(
}; };
let date = parse_date(date)?; let date = parse_date(date)?;
let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?; let api_key = verify_v4(
&garage,
"s3",
credential,
&date,
signature,
policy.as_bytes(),
)
.await?;
let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?; let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;


@ -19,6 +19,7 @@ use crate::error::*;
pub async fn check_payload_signature( pub async fn check_payload_signature(
garage: &Garage, garage: &Garage,
service: &str,
request: &Request<Body>, request: &Request<Body>,
) -> Result<(Option<Key>, Option<Hash>), Error> { ) -> Result<(Option<Key>, Option<Hash>), Error> {
let mut headers = HashMap::new(); let mut headers = HashMap::new();
@ -64,6 +65,7 @@ pub async fn check_payload_signature(
let key = verify_v4( let key = verify_v4(
garage, garage,
service,
&authorization.credential, &authorization.credential,
&authorization.date, &authorization.date,
&authorization.signature, &authorization.signature,
@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result<DateTime<Utc>, Error> {
pub async fn verify_v4( pub async fn verify_v4(
garage: &Garage, garage: &Garage,
service: &str,
credential: &str, credential: &str,
date: &DateTime<Utc>, date: &DateTime<Utc>,
signature: &str, signature: &str,
@ -289,9 +292,10 @@ pub async fn verify_v4(
let (key_id, scope) = parse_credential(credential)?; let (key_id, scope) = parse_credential(credential)?;
let scope_expected = format!( let scope_expected = format!(
"{}/{}/s3/aws4_request", "{}/{}/{}/aws4_request",
date.format(SHORT_DATE), date.format(SHORT_DATE),
garage.config.s3_api.s3_region garage.config.s3_api.s3_region,
service
); );
if scope != scope_expected { if scope != scope_expected {
return Err(Error::AuthorizationHeaderMalformed(scope.to_string())); return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));
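Review bot: The new `service` value is only visibly used in the `scope_expected` comparison, while the rest of `verify_v4` lies outside this hunk; SigV4 also derives the signing key from the date, region and service name, so if that derivation still carries a hardcoded `"s3"`, requests signed with the k2v service name would pass the scope check and then fail signature comparison. Worth confirming that the key-derivation path takes the same `service` argument. The parameter is also undocumented on both `check_payload_signature` and `verify_v4`, even though it now decides which API a given signature is valid for; a doc line such as `/// \`service\` is the SigV4 service name the client signed with ("s3" or "k2v"); it forms the third scope segment, so a signature for one API is rejected by the other.` on each would make that contract explicit for callers. Both functions continue past the end of this hunk.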