minio/pkg/server/api/signature.go

/*
 * Minio Cloud Storage, (C) 2015 Minio, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package api

import (
	"errors"
	"net/http"
	"strings"

	"github.com/minio/minio/pkg/auth"
	"github.com/minio/minio/pkg/donut"
	"github.com/minio/minio/pkg/probe"
)

const (
	authHeaderPrefix = "AWS4-HMAC-SHA256"
)

// StripAccessKeyID - strip only access key id from auth header
func StripAccessKeyID(ah string) (string, error) {
	if ah == "" {
		return "", errors.New("Missing auth header")
	}
	authFields := strings.Split(strings.TrimSpace(ah), ",")
	if len(authFields) != 3 {
		return "", errors.New("Missing fields in Auth header")
	}
	authPrefixFields := strings.Fields(authFields[0])
	if len(authPrefixFields) != 2 {
		return "", errors.New("Missing fields in Auth header")
	}
	if authPrefixFields[0] != authHeaderPrefix {
		return "", errors.New("Missing fields is Auth header")
	}
	credentials := strings.Split(strings.TrimSpace(authPrefixFields[1]), "=")
	if len(credentials) != 2 {
		return "", errors.New("Missing fields in Auth header")
	}
	if len(strings.Split(strings.TrimSpace(authFields[1]), "=")) != 2 {
		return "", errors.New("Missing fields in Auth header")
	}
	if len(strings.Split(strings.TrimSpace(authFields[2]), "=")) != 2 {
		return "", errors.New("Missing fields in Auth header")
	}
	accessKeyID := strings.Split(strings.TrimSpace(credentials[1]), "/")[0]
	if !auth.IsValidAccessKey(accessKeyID) {
		return "", errors.New("Invalid access key")
	}
	return accessKeyID, nil
}

// InitSignatureV4 initializing signature verification
func InitSignatureV4(req *http.Request) (*donut.Signature, *probe.Error) {
	// strip auth from authorization header
	ah := req.Header.Get("Authorization")
	var accessKeyID string
	{
		var err error
		accessKeyID, err = StripAccessKeyID(ah)
		if err != nil {
			return nil, probe.NewError(err)
		}
	}
	authConfig, err := auth.LoadConfig()
	if err != nil {
		return nil, err.Trace()
	}
	if _, ok := authConfig.Users[accessKeyID]; !ok {
		return nil, probe.NewError(errors.New("AccessID not found"))
	}
	signature := &donut.Signature{
		AccessKeyID:     authConfig.Users[accessKeyID].AccessKeyID,
		SecretAccessKey: authConfig.Users[accessKeyID].SecretAccessKey,
		AuthHeader:      ah,
		Request:         req,
	}
	return signature, nil
}
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`/*`
Move from Minimalist Object Storage to Minio Cloud Storage 2015-07-24 20:51:40 -04:00			`* Minio Cloud Storage, (C) 2015 Minio, Inc.`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`package api`

			`import (`
			`"errors"`
			`"net/http"`
			`"strings"`

			`"github.com/minio/minio/pkg/auth"`
			`"github.com/minio/minio/pkg/donut"`
Migrate from iodine to probe 2015-08-03 19:17:21 -04:00			`"github.com/minio/minio/pkg/probe"`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`)`

			`const (`
			`authHeaderPrefix = "AWS4-HMAC-SHA256"`
			`)`

			`// StripAccessKeyID - strip only access key id from auth header`
			`func StripAccessKeyID(ah string) (string, error) {`
			`if ah == "" {`
			`return "", errors.New("Missing auth header")`
			`}`
Handle both space and non-space characters, in signature v4 - add errors for all API's 2015-07-10 00:44:24 -04:00			`authFields := strings.Split(strings.TrimSpace(ah), ",")`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`if len(authFields) != 3 {`
			`return "", errors.New("Missing fields in Auth header")`
			`}`
			`authPrefixFields := strings.Fields(authFields[0])`
			`if len(authPrefixFields) != 2 {`
			`return "", errors.New("Missing fields in Auth header")`
			`}`
			`if authPrefixFields[0] != authHeaderPrefix {`
			`return "", errors.New("Missing fields is Auth header")`
			`}`
Handle both space and non-space characters, in signature v4 - add errors for all API's 2015-07-10 00:44:24 -04:00			`credentials := strings.Split(strings.TrimSpace(authPrefixFields[1]), "=")`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`if len(credentials) != 2 {`
			`return "", errors.New("Missing fields in Auth header")`
			`}`
Handle both space and non-space characters, in signature v4 - add errors for all API's 2015-07-10 00:44:24 -04:00			`if len(strings.Split(strings.TrimSpace(authFields[1]), "=")) != 2 {`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`return "", errors.New("Missing fields in Auth header")`
			`}`
Handle both space and non-space characters, in signature v4 - add errors for all API's 2015-07-10 00:44:24 -04:00			`if len(strings.Split(strings.TrimSpace(authFields[2]), "=")) != 2 {`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`return "", errors.New("Missing fields in Auth header")`
			`}`
Handle both space and non-space characters, in signature v4 - add errors for all API's 2015-07-10 00:44:24 -04:00			`accessKeyID := strings.Split(strings.TrimSpace(credentials[1]), "/")[0]`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`if !auth.IsValidAccessKey(accessKeyID) {`
			`return "", errors.New("Invalid access key")`
			`}`
			`return accessKeyID, nil`
			`}`

			`// InitSignatureV4 initializing signature verification`
Migrate from iodine to probe 2015-08-03 19:17:21 -04:00			`func InitSignatureV4(req http.Request) (donut.Signature, *probe.Error) {`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`// strip auth from authorization header`
			`ah := req.Header.Get("Authorization")`
Migrate from iodine to probe 2015-08-03 19:17:21 -04:00			`var accessKeyID string`
			`{`
			`var err error`
			`accessKeyID, err = StripAccessKeyID(ah)`
			`if err != nil {`
Probe revamped to provide for a new WrappedError struct to wrap probes as error interface This convenience was necessary to be used for golang library functions like io.Copy and io.Pipe where we shouldn't be writing proxies and alternatives returning probe.Error This change also brings more changes across code base for clear separation regarding where an error interface should be passed encapsulating probe.Error and where it should be used as is. 2015-08-08 02:47:22 -04:00			`return nil, probe.NewError(err)`
Migrate from iodine to probe 2015-08-03 19:17:21 -04:00			`}`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`}`
			`authConfig, err := auth.LoadConfig()`
Migrate from iodine to probe 2015-08-03 19:17:21 -04:00			`if err != nil {`
			`return nil, err.Trace()`
			`}`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`if _, ok := authConfig.Users[accessKeyID]; !ok {`
Probe revamped to provide for a new WrappedError struct to wrap probes as error interface This convenience was necessary to be used for golang library functions like io.Copy and io.Pipe where we shouldn't be writing proxies and alternatives returning probe.Error This change also brings more changes across code base for clear separation regarding where an error interface should be passed encapsulating probe.Error and where it should be used as is. 2015-08-08 02:47:22 -04:00			`return nil, probe.NewError(errors.New("AccessID not found"))`
PutObject handler gets initial support for signature v4, working 2015-07-09 17:42:04 -04:00			`}`
			`signature := &donut.Signature{`
			`AccessKeyID: authConfig.Users[accessKeyID].AccessKeyID,`
			`SecretAccessKey: authConfig.Users[accessKeyID].SecretAccessKey,`
			`AuthHeader: ah,`
			`Request: req,`
			`}`
			`return signature, nil`
			`}`