K2V #293
6 changed files with 23 additions and 14 deletions
|
@ -91,6 +91,7 @@ impl ApiHandler for K2VApiServer {
|
||||||
req,
|
req,
|
||||||
&mut content_sha256,
|
&mut content_sha256,
|
||||||
&garage.config.s3_api.s3_region,
|
&garage.config.s3_api.s3_region,
|
||||||
|
"s3",
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
let bucket_id = resolve_bucket(&garage, &bucket_name, &api_key).await?;
|
let bucket_id = resolve_bucket(&garage, &bucket_name, &api_key).await?;
|
||||||
|
|
|
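Review bot: The K2V handler now hands the literal `"s3"` to `parse_streaming_body` as the service name, even though the parameter is being introduced so that the credential scope can carry a per-API service; if the header-signature verification for this same handler (outside the hunk) is ever called with a different service string, the chunk signatures of a streaming upload would be checked against a scope that the header check does not use, and the mismatch would only surface as a rejected upload. Keeping the service string in one place, e.g. a module-level `const` in the handler, and passing that name to both the verify call and `parse_streaming_body` makes the two unable to drift. The S3 handler hunk at L42 has the same shape, though there `"s3"` is plainly the right value. The enclosing handler body starts and ends outside the hunk.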
@ -131,6 +131,7 @@ impl ApiHandler for S3ApiServer {
|
||||||
req,
|
req,
|
||||||
&mut content_sha256,
|
&mut content_sha256,
|
||||||
&garage.config.s3_api.s3_region,
|
&garage.config.s3_api.s3_region,
|
||||||
|
"s3",
|
||||||
)?;
|
)?;
|
||||||
|
|
||||||
let bucket_name = match bucket_name {
|
let bucket_name = match bucket_name {
|
||||||
|
|
|
@ -42,6 +42,11 @@ pub fn signing_hmac(
|
||||||
Ok(hmac)
|
Ok(hmac)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn compute_scope(datetime: &DateTime<Utc>, region: &str) -> String {
|
pub fn compute_scope(datetime: &DateTime<Utc>, region: &str, service: &str) -> String {
|
||||||
format!("{}/{}/s3/aws4_request", datetime.format(SHORT_DATE), region,)
|
format!(
|
||||||
|
"{}/{}/{}/aws4_request",
|
||||||
|
datetime.format(SHORT_DATE),
|
||||||
|
region,
|
||||||
|
service
|
||||||
|
)
|
||||||
}
|
}
|
||||||
|
|
|
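Review bot: `compute_scope` is public and gains a third argument with no documentation of what is expected in it; nothing tells a caller that `service` is inserted verbatim as the third path segment of the scope and must be the same value given to `signing_hmac` for that request, otherwise the derived key and the scope disagree and verification fails. A doc comment along the lines of `/// Builds the SigV4 credential scope `<YYYYMMDD>/<region>/<service>/aws4_request`; `service` must match the value passed to `signing_hmac` for the same request.` would make the coupling explicit. The trailing `Ok(hmac)` lines are context from `signing_hmac` only.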
@ -11,8 +11,8 @@ use garage_util::data::Hash;
|
||||||
use garage_model::garage::Garage;
|
use garage_model::garage::Garage;
|
||||||
use garage_model::key_table::*;
|
use garage_model::key_table::*;
|
||||||
|
|
||||||
use super::signing_hmac;
|
use super::LONG_DATETIME;
|
||||||
use super::{LONG_DATETIME, SHORT_DATE};
|
use super::{compute_scope, signing_hmac};
|
||||||
|
|
||||||
use crate::encoding::uri_encode;
|
use crate::encoding::uri_encode;
|
||||||
use crate::error::*;
|
use crate::error::*;
|
||||||
|
@ -291,12 +291,7 @@ pub async fn verify_v4(
|
||||||
) -> Result<Key, Error> {
|
) -> Result<Key, Error> {
|
||||||
let (key_id, scope) = parse_credential(credential)?;
|
let (key_id, scope) = parse_credential(credential)?;
|
||||||
|
|
||||||
let scope_expected = format!(
|
let scope_expected = compute_scope(date, &garage.config.s3_api.s3_region, service);
|
||||||
"{}/{}/{}/aws4_request",
|
|
||||||
date.format(SHORT_DATE),
|
|
||||||
garage.config.s3_api.s3_region,
|
|
||||||
service
|
|
||||||
);
|
|
||||||
if scope != scope_expected {
|
if scope != scope_expected {
|
||||||
return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));
|
return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,6 +19,7 @@ pub fn parse_streaming_body(
|
||||||
req: Request<Body>,
|
req: Request<Body>,
|
||||||
content_sha256: &mut Option<Hash>,
|
content_sha256: &mut Option<Hash>,
|
||||||
region: &str,
|
region: &str,
|
||||||
|
service: &str,
|
||||||
) -> Result<Request<Body>, Error> {
|
) -> Result<Request<Body>, Error> {
|
||||||
match req.headers().get("x-amz-content-sha256") {
|
match req.headers().get("x-amz-content-sha256") {
|
||||||
Some(header) if header == "STREAMING-AWS4-HMAC-SHA256-PAYLOAD" => {
|
Some(header) if header == "STREAMING-AWS4-HMAC-SHA256-PAYLOAD" => {
|
||||||
|
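Review bot: `parse_streaming_body` is public and its signature grows by `service: &str` without any parameter documentation, so the contract that this value feeds both the scope and the signing HMAC of every chunk signature (see the hunk at L271) is only discoverable by reading the body. A doc line such as `/// `service` is the SigV4 service name used for the chunk-signature scope and key; it must match the service the request's header signature was verified with.` would state it where callers look. The function body continues past the end of the hunk.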
@ -41,8 +42,8 @@ pub fn parse_streaming_body(
|
||||||
.ok_or_bad_request("Invalid date")?;
|
.ok_or_bad_request("Invalid date")?;
|
||||||
let date: DateTime<Utc> = DateTime::from_utc(date, Utc);
|
let date: DateTime<Utc> = DateTime::from_utc(date, Utc);
|
||||||
|
|
||||||
let scope = compute_scope(&date, region);
|
let scope = compute_scope(&date, region, service);
|
||||||
let signing_hmac = crate::signature::signing_hmac(&date, secret_key, region, "s3")
|
let signing_hmac = crate::signature::signing_hmac(&date, secret_key, region, service)
|
||||||
.ok_or_internal_error("Unable to build signing HMAC")?;
|
.ok_or_internal_error("Unable to build signing HMAC")?;
|
||||||
|
|
||||||
Ok(req.map(move |body| {
|
Ok(req.map(move |body| {
|
||||||
|
@ -343,7 +344,7 @@ mod tests {
|
||||||
.with_timezone(&Utc);
|
.with_timezone(&Utc);
|
||||||
let secret_key = "test";
|
let secret_key = "test";
|
||||||
let region = "test";
|
let region = "test";
|
||||||
let scope = crate::signature::compute_scope(&datetime, region);
|
let scope = crate::signature::compute_scope(&datetime, region, "s3");
|
||||||
let signing_hmac =
|
let signing_hmac =
|
||||||
crate::signature::signing_hmac(&datetime, secret_key, region, "s3").unwrap();
|
crate::signature::signing_hmac(&datetime, secret_key, region, "s3").unwrap();
|
||||||
|
|
||||||
|
|
|
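Review bot: The updated test still passes `"s3"` to both `compute_scope` and `signing_hmac`, so the new `service` parameter is only ever exercised with the value that was hard-coded before, and nothing checks that a different service name flows into the scope and the derived key consistently. A second case that passes another service string to both calls, or a direct assertion that `compute_scope` places the given service in the third path segment, would cover the behaviour this change actually adds. The enclosing test function starts before the hunk.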
@ -32,6 +32,7 @@ impl CustomRequester {
|
||||||
pub fn builder(&self, bucket: String) -> RequestBuilder<'_> {
|
pub fn builder(&self, bucket: String) -> RequestBuilder<'_> {
|
||||||
RequestBuilder {
|
RequestBuilder {
|
||||||
requester: self,
|
requester: self,
|
||||||
|
service: "s3",
|
||||||
bucket,
|
bucket,
|
||||||
method: Method::GET,
|
method: Method::GET,
|
||||||
path: String::new(),
|
path: String::new(),
|
||||||
|
@ -47,6 +48,7 @@ impl CustomRequester {
|
||||||
|
|
||||||
pub struct RequestBuilder<'a> {
|
pub struct RequestBuilder<'a> {
|
||||||
requester: &'a CustomRequester,
|
requester: &'a CustomRequester,
|
||||||
|
service: &'static str,
|
||||||
bucket: String,
|
bucket: String,
|
||||||
method: Method,
|
method: Method,
|
||||||
path: String,
|
path: String,
|
||||||
|
@ -59,6 +61,10 @@ pub struct RequestBuilder<'a> {
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<'a> RequestBuilder<'a> {
|
impl<'a> RequestBuilder<'a> {
|
||||||
|
pub fn service(&mut self, service: &'static str) -> &mut Self {
|
||||||
|
self.service = service;
|
||||||
|
self
|
||||||
|
}
|
||||||
pub fn method(&mut self, method: Method) -> &mut Self {
|
pub fn method(&mut self, method: Method) -> &mut Self {
|
||||||
self.method = method;
|
self.method = method;
|
||||||
self
|
self
|
||||||
|
@ -118,7 +124,7 @@ impl<'a> RequestBuilder<'a> {
|
||||||
let uri = format!("{}{}", self.requester.uri, path);
|
let uri = format!("{}{}", self.requester.uri, path);
|
||||||
|
|
||||||
let now = Utc::now();
|
let now = Utc::now();
|
||||||
let scope = signature::compute_scope(&now, super::REGION.as_ref());
|
let scope = signature::compute_scope(&now, super::REGION.as_ref(), self.service);
|
||||||
let mut signer = signature::signing_hmac(
|
let mut signer = signature::signing_hmac(
|
||||||
&now,
|
&now,
|
||||||
&self.requester.key.secret,
|
&self.requester.key.secret,
|
||||||
|
|
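Review bot: `compute_scope` now receives `self.service`, but the `signature::signing_hmac(` call that begins on the following lines is cut off before its service argument, so it is not visible whether that argument was also switched from `"s3"` to `self.service`; if it was not, a builder configured through the new `.service(...)` setter (hunk at L424) produces a scope and a signing key derived for different services, and every request signed that way is rejected by the server. That argument should read `self.service` as well so the two cannot diverge. The signing code continues outside the hunk.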