signatures for service k2v different than for s3
Some checks failed
continuous-integration/drone/pr Build is failing
continuous-integration/drone/push Build is failing

This commit is contained in:
Alex 2022-04-21 13:33:33 +02:00
parent 87a8315546
commit bf94344ae0
Signed by: lx
GPG key ID: 0E496D15096376BE
4 changed files with 17 additions and 5 deletions

View file

@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer {
return handle_options_s3api(garage, &req, Some(bucket_name)).await;
}
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?;

View file

@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer {
return handle_options_s3api(garage, &req, bucket_name).await;
}
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?;

View file

@ -119,7 +119,15 @@ pub async fn handle_post_object(
};
let date = parse_date(date)?;
let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?;
let api_key = verify_v4(
&garage,
"s3",
credential,
&date,
signature,
policy.as_bytes(),
)
.await?;
let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;

View file

@ -19,6 +19,7 @@ use crate::error::*;
pub async fn check_payload_signature(
garage: &Garage,
service: &str,
request: &Request<Body>,
) -> Result<(Option<Key>, Option<Hash>), Error> {
let mut headers = HashMap::new();
@ -64,6 +65,7 @@ pub async fn check_payload_signature(
let key = verify_v4(
garage,
service,
&authorization.credential,
&authorization.date,
&authorization.signature,
@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result<DateTime<Utc>, Error> {
pub async fn verify_v4(
garage: &Garage,
service: &str,
credential: &str,
date: &DateTime<Utc>,
signature: &str,
@ -289,9 +292,10 @@ pub async fn verify_v4(
let (key_id, scope) = parse_credential(credential)?;
let scope_expected = format!(
"{}/{}/s3/aws4_request",
"{}/{}/{}/aws4_request",
date.format(SHORT_DATE),
garage.config.s3_api.s3_region
garage.config.s3_api.s3_region,
service
);
if scope != scope_expected {
return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));