K2V #293
4 changed files with 17 additions and 5 deletions
@ -81,7 +81,7 @@ impl ApiHandler for K2VApiServer {
return handle_options_s3api(garage, &req, Some(bucket_name)).await;
return handle_options_s3api(garage, &req, Some(bucket_name)).await;
}
}
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
let (api_key, mut content_sha256) = check_payload_signature(&garage, "k2v", &req).await?;
let api_key = api_key.ok_or_else(|| {
let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string())
Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?;
})?;
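Review bot: The service name is passed as a bare string literal (`"k2v"` on the `check_payload_signature` call here, `"s3"` in the S3 api_server hunk and in the `handle_post_object` call to `verify_v4`), so a typo at any one call site is invisible to the compiler and would only surface as every request on that endpoint being rejected with `AuthorizationHeaderMalformed`. Because this value becomes part of the credential scope the signature must match, it deserves a single named definition next to the signature helpers, e.g. `pub const K2V_SERVICE: &str = "k2v";` and `pub const S3_SERVICE: &str = "s3";` (or a small enum with an `as_str()`), referenced from all three call sites. The enclosing `handle` method starts and ends outside this hunk.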
@ -121,7 +121,7 @@ impl ApiHandler for S3ApiServer {
return handle_options_s3api(garage, &req, bucket_name).await;
return handle_options_s3api(garage, &req, bucket_name).await;
}
}
let (api_key, mut content_sha256) = check_payload_signature(&garage, &req).await?;
let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?;
let api_key = api_key.ok_or_else(|| {
let api_key = api_key.ok_or_else(|| {
Error::Forbidden("Garage does not support anonymous access yet".to_string())
Error::Forbidden("Garage does not support anonymous access yet".to_string())
})?;
})?;
@ -119,7 +119,15 @@ pub async fn handle_post_object(
};
};
let date = parse_date(date)?;
let date = parse_date(date)?;
let api_key = verify_v4(&garage, credential, &date, signature, policy.as_bytes()).await?;
let api_key = verify_v4(
&garage,
"s3",
credential,
&date,
signature,
policy.as_bytes(),
)
.await?;
let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;
let bucket_id = resolve_bucket(&garage, &bucket, &api_key).await?;
@ -19,6 +19,7 @@ use crate::error::*;
pub async fn check_payload_signature(
pub async fn check_payload_signature(
garage: &Garage,
garage: &Garage,
service: &str,
request: &Request<Body>,
request: &Request<Body>,
) -> Result<(Option<Key>, Option<Hash>), Error> {
) -> Result<(Option<Key>, Option<Hash>), Error> {
let mut headers = HashMap::new();
let mut headers = HashMap::new();
@ -64,6 +65,7 @@ pub async fn check_payload_signature(
let key = verify_v4(
let key = verify_v4(
garage,
garage,
service,
&authorization.credential,
&authorization.credential,
&authorization.date,
&authorization.date,
&authorization.signature,
&authorization.signature,
@ -281,6 +283,7 @@ pub fn parse_date(date: &str) -> Result<DateTime<Utc>, Error> {
pub async fn verify_v4(
pub async fn verify_v4(
garage: &Garage,
garage: &Garage,
service: &str,
credential: &str,
credential: &str,
date: &DateTime<Utc>,
date: &DateTime<Utc>,
signature: &str,
signature: &str,
@ -289,9 +292,10 @@ pub async fn verify_v4(
let (key_id, scope) = parse_credential(credential)?;
let (key_id, scope) = parse_credential(credential)?;
let scope_expected = format!(
let scope_expected = format!(
"{}/{}/s3/aws4_request",
"{}/{}/{}/aws4_request",
date.format(SHORT_DATE),
date.format(SHORT_DATE),
garage.config.s3_api.s3_region
garage.config.s3_api.s3_region,
service
);
);
if scope != scope_expected {
if scope != scope_expected {
return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));
return Err(Error::AuthorizationHeaderMalformed(scope.to_string()));
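Review bot: The new `service` parameter of `check_payload_signature` and `verify_v4` (declared in the `@ -19,6 +19,7` and `@ -281,6 +283,7` hunks) carries no documentation, yet this hunk gives it security meaning: it is now the component of `scope_expected` that binds a presented signature to the API it was signed for. A doc line on the parameter such as `/// \`service\`: SigV4 service name expected in the credential scope ("s3" or "k2v"); a signature whose scope names another service is rejected with \`AuthorizationHeaderMalformed\`.` would make that contract explicit for the next call site. Since `service` is interpolated verbatim between two `/` separators, a `debug_assert!(!service.contains('/'));` before the `format!` would pin the assumption that callers only pass a plain token; with the literals used today this is a guard against future misuse, not a present defect. `verify_v4`'s body continues outside this hunk.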