Merge pull request #899 from harshavardhana/fix-signature-v4-bugs
Fix some bugs in controller rpc
commit
2f5fa394ce
@ -194,6 +194,7 @@ func getControllerConfig(c *cli.Context) minioConfig {
|
||||
CertFile: certFile,
|
||||
KeyFile: keyFile,
|
||||
RateLimit: c.GlobalInt("ratelimit"),
|
||||
Anonymous: c.GlobalBool("anonymous"),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"bytes"
|
||||
"encoding/hex"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"sort"
|
||||
"strings"
|
||||
@ -35,7 +36,7 @@ type rpcSignatureHandler struct {
|
||||
|
||||
// RPCSignatureHandler to validate authorization header for the incoming request.
|
||||
func RPCSignatureHandler(h http.Handler) http.Handler {
|
||||
return signatureHandler{h}
|
||||
return rpcSignatureHandler{h}
|
||||
}
|
||||
|
||||
type rpcSignature struct {
|
||||
@ -114,7 +115,7 @@ func (r rpcSignature) extractSignedHeaders() map[string][]string {
|
||||
// <HashedPayload>
|
||||
//
|
||||
func (r *rpcSignature) getCanonicalRequest() string {
|
||||
payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-content-sha256"))
|
||||
payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-minio-content-sha256"))
|
||||
r.Request.URL.RawQuery = strings.Replace(r.Request.URL.Query().Encode(), "+", "%20", -1)
|
||||
encodedPath := getURLEncodedName(r.Request.URL.Path)
|
||||
// convert any space strings back to "+"
|
||||
@ -143,7 +144,7 @@ func (r rpcSignature) getScope(t time.Time) string {
|
||||
|
||||
// getStringToSign a string based on selected query values
|
||||
func (r rpcSignature) getStringToSign(canonicalRequest string, t time.Time) string {
|
||||
stringToSign := authHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n"
|
||||
stringToSign := rpcAuthHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n"
|
||||
stringToSign = stringToSign + r.getScope(t) + "\n"
|
||||
stringToSign = stringToSign + hex.EncodeToString(sha256.Sum256([]byte(canonicalRequest)))
|
||||
return stringToSign
|
||||
@ -236,8 +237,10 @@ func (s rpcSignatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
|
||||
return
|
||||
}
|
||||
// Copy the buffer back into request body to be read by the RPC service callers
|
||||
r.Body = ioutil.NopCloser(buffer)
|
||||
s.handler.ServeHTTP(w, r)
|
||||
return
|
||||
} else {
|
||||
writeErrorResponse(w, r, AccessDenied, r.URL.Path)
|
||||
}
|
||||
writeErrorResponse(w, r, AccessDenied, r.URL.Path)
|
||||
}
|
||||
|
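Review bot: In the ServeHTTP hunk the request body is restored from an in-memory `buffer` once the signature matches, but the read that fills that buffer sits above the hunk and no size limit is visible, so a caller who is not yet authenticated may be able to make the handler hold an arbitrarily large body. If that read is unbounded, cap it before buffering, for example `r.Body = http.MaxBytesReader(w, r.Body, maxRPCBodySize)`, where `maxRPCBodySize` is a placeholder for a limit this package would define. The same section's getCanonicalRequest takes the payload hash from the client-supplied `x-minio-content-sha256` header, so the signature only covers the body if ServeHTTP also compares that header with the hash of the buffered bytes; that comparison is not visible here and is worth confirming. Both function bodies extend beyond their hunks.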
@ -78,25 +78,24 @@ func isValidRPCRegion(authHeaderValue string) *probe.Error {
|
||||
|
||||
// stripRPCAccessKeyID - strip only access key id from auth header
|
||||
func stripRPCAccessKeyID(authHeaderValue string) (string, *probe.Error) {
|
||||
if err := isValidRegion(authHeaderValue); err != nil {
|
||||
if err := isValidRPCRegion(authHeaderValue); err != nil {
|
||||
return "", err.Trace()
|
||||
}
|
||||
credentialElements, err := getRPCCredentialsFromAuth(authHeaderValue)
|
||||
if err != nil {
|
||||
return "", err.Trace()
|
||||
}
|
||||
accessKeyID := credentialElements[0]
|
||||
if !IsValidAccessKey(accessKeyID) {
|
||||
if credentialElements[0] != "admin" {
|
||||
return "", probe.NewError(errAccessKeyIDInvalid)
|
||||
}
|
||||
return accessKeyID, nil
|
||||
return credentialElements[0], nil
|
||||
}
|
||||
|
||||
// initSignatureRPC initializing rpc signature verification
|
||||
func initSignatureRPC(req *http.Request) (*rpcSignature, *probe.Error) {
|
||||
// strip auth from authorization header
|
||||
authHeaderValue := req.Header.Get("Authorization")
|
||||
accessKeyID, err := stripAccessKeyID(authHeaderValue)
|
||||
accessKeyID, err := stripRPCAccessKeyID(authHeaderValue)
|
||||
if err != nil {
|
||||
return nil, err.Trace()
|
||||
}
|
||||
|
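Review bot: stripRPCAccessKeyID now accepts only the literal `"admin"` as access key ID, and the same string is repeated in the RPC client (`Credential=admin/` and `config.Users["admin"]`), so a rename on one side silently breaks authentication on the other. Declare it once, e.g. `const rpcAdminAccessKeyID = "admin"` (the name is a suggestion), and add a comment above the check such as `// RPC is restricted to the single controller admin identity; the access key ID is not a secret.` The check also indexes `credentialElements[0]`; whether getRPCCredentialsFromAuth guarantees a non-empty slice is outside the hunk, so a `len(credentialElements) == 0` guard would rule out a panic on a malformed Authorization header.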
@ -19,7 +19,6 @@ package main
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"sort"
|
||||
"strings"
|
||||
@ -64,7 +63,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
||||
|
||||
hashedPayload := hash()
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
req.Header.Set("x-amz-content-sha256", hashedPayload)
|
||||
req.Header.Set("x-minio-content-sha256", hashedPayload)
|
||||
|
||||
var headers []string
|
||||
vals := make(map[string][]string)
|
||||
@ -133,7 +132,6 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
||||
stringToSign = stringToSign + scope + "\n"
|
||||
stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest)))
|
||||
|
||||
fmt.Println(config)
|
||||
date := sumHMAC([]byte("MINIO"+config.Users["admin"].SecretAccessKey), []byte(t.Format(yyyymmdd)))
|
||||
region := sumHMAC(date, []byte("milkyway"))
|
||||
service := sumHMAC(region, []byte("rpc"))
|
||||
@ -143,7 +141,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
|
||||
|
||||
// final Authorization header
|
||||
parts := []string{
|
||||
rpcAuthHeaderPrefix + " Credential=" + config.Users["admin"].AccessKeyID + "/" + scope,
|
||||
rpcAuthHeaderPrefix + " Credential=admin/" + scope,
|
||||
"SignedHeaders=" + signedHeaders,
|
||||
"Signature=" + signature,
|
||||
}
|
||||
|
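Review bot: The signing key on the `date := sumHMAC(...)` line is derived from `config.Users["admin"].SecretAccessKey` without checking that the `admin` entry exists. The element type of `Users` is not visible here: if it is a struct value, a missing entry yields an empty secret and the request is signed with a key derived from the constant `"MINIO"` alone; if it is a pointer, the lookup panics. Use the two-value form, `admin, ok := config.Users["admin"]`, and return an error when `!ok` or the secret is empty. newRPCRequest begins and ends outside these hunks, so the exact error return depends on its signature.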