PutObject handler gets initial support for signature v4, working

2025-11-08 21:24:55 -05:00 · 2015-07-09 14:42:04 -07:00
parent 4f29dc9134
commit 89c1215194
12 changed files with 196 additions and 324 deletions
--- a/pkg/server/api/bucket-handlers.go
+++ b/pkg/server/api/bucket-handlers.go
@@ -42,7 +42,7 @@ func (api Minio) isValidOp(w http.ResponseWriter, req *http.Request, acceptsCont
 			return false
 		}
 	case nil:
-		if _, err := stripAuth(req); err != nil {
+		if _, err := StripAccessKeyID(req.Header.Get("Authorization")); err != nil {
 			if bucketMetadata.ACL.IsPrivate() {
 				return true
 				//uncomment this when we have webcli
@@ -194,7 +194,7 @@ func (api Minio) ListBucketsHandler(w http.ResponseWriter, req *http.Request) {
 	acceptsContentType := getContentType(req)
 	// uncomment this when we have webcli
 	// without access key credentials one cannot list buckets
-	// if _, err := stripAuth(req); err != nil {
+	// if _, err := StripAccessKeyID(req); err != nil {
 	//	writeErrorResponse(w, req, AccessDenied, acceptsContentType, req.URL.Path)
 	//	return
 	// }
@@ -231,7 +231,7 @@ func (api Minio) PutBucketHandler(w http.ResponseWriter, req *http.Request) {
 	acceptsContentType := getContentType(req)
 	// uncomment this when we have webcli
 	// without access key credentials one cannot create a bucket
-	// if _, err := stripAuth(req); err != nil {
+	// if _, err := StripAccessKeyID(req); err != nil {
 	// 	writeErrorResponse(w, req, AccessDenied, acceptsContentType, req.URL.Path)
 	//	return
 	// }
--- a/pkg/server/api/generic-handlers.go
+++ b/pkg/server/api/generic-handlers.go
@@ -19,7 +19,6 @@ package api
 import (
 	"errors"
 	"net/http"
-	"strings"
 	"time"

 	"github.com/minio/minio/pkg/auth"
@@ -41,64 +40,12 @@ type resourceHandler struct {
 	handler http.Handler
 }

-type authHeader struct {
-	prefix        string
-	credential    string
-	signedheaders string
-	signature     string
-	accessKey     string
-}
-
 const (
 	iso8601Format = "20060102T150405Z"
 )

-const (
-	authHeaderPrefix = "AWS4-HMAC-SHA256"
-)
-
-// strip auth from authorization header
-func stripAuth(r *http.Request) (*authHeader, error) {
-	ah := r.Header.Get("Authorization")
-	if ah == "" {
-		return nil, errors.New("Missing auth header")
-	}
-	a := new(authHeader)
-	authFields := strings.Split(ah, ",")
-	if len(authFields) != 3 {
-		return nil, errors.New("Missing fields in Auth header")
-	}
-	authPrefixFields := strings.Fields(authFields[0])
-	if len(authPrefixFields) != 2 {
-		return nil, errors.New("Missing fields in Auth header")
-	}
-	if authPrefixFields[0] != authHeaderPrefix {
-		return nil, errors.New("Missing fields is Auth header")
-	}
-	credentials := strings.Split(authPrefixFields[1], "=")
-	if len(credentials) != 2 {
-		return nil, errors.New("Missing fields in Auth header")
-	}
-	signedheaders := strings.Split(authFields[1], "=")
-	if len(signedheaders) != 2 {
-		return nil, errors.New("Missing fields in Auth header")
-	}
-	signature := strings.Split(authFields[2], "=")
-	if len(signature) != 2 {
-		return nil, errors.New("Missing fields in Auth header")
-	}
-	a.credential = credentials[1]
-	a.signedheaders = signedheaders[1]
-	a.signature = signature[1]
-	a.accessKey = strings.Split(a.credential, "/")[0]
-	if !auth.IsValidAccessKey(a.accessKey) {
-		return nil, errors.New("Invalid access key")
-	}
-	return a, nil
-}
-
 func parseDate(req *http.Request) (time.Time, error) {
-	amzDate := req.Header.Get("X-Amz-Date")
+	amzDate := req.Header.Get("x-amz-date")
 	switch {
 	case amzDate != "":
 		if _, err := time.Parse(time.RFC1123, amzDate); err == nil {
@@ -150,7 +97,7 @@ func (h timeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	acceptsContentType := getContentType(r)
 	// Verify if date headers are set, if not reject the request
 	if r.Header.Get("Authorization") != "" {
-		if r.Header.Get("X-Amz-Date") == "" && r.Header.Get("Date") == "" {
+		if r.Header.Get("x-amz-date") == "" && r.Header.Get("Date") == "" {
 			// there is no way to knowing if this is a valid request, could be a attack reject such clients
 			writeErrorResponse(w, r, RequestTimeTooSkewed, acceptsContentType, r.URL.Path)
 			return
@@ -181,20 +128,20 @@ func ValidateAuthHeaderHandler(h http.Handler) http.Handler {
 // validate auth header handler ServeHTTP() wrapper
 func (h validateAuthHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	acceptsContentType := getContentType(r)
-	ah, err := stripAuth(r)
+	accessKeyID, err := StripAccessKeyID(r.Header.Get("Authorization"))
 	switch err.(type) {
 	case nil:
+		// load auth config
 		authConfig, err := auth.LoadConfig()
 		if err != nil {
 			writeErrorResponse(w, r, InternalError, acceptsContentType, r.URL.Path)
 			return
 		}
-		_, ok := authConfig.Users[ah.accessKey]
-		if !ok {
-			writeErrorResponse(w, r, AccessDenied, acceptsContentType, r.URL.Path)
+		// Access key not found
+		if _, ok := authConfig.Users[accessKeyID]; !ok {
+			writeErrorResponse(w, r, InvalidAccessKeyID, acceptsContentType, r.URL.Path)
 			return
 		}
-		// Success
 		h.handler.ServeHTTP(w, r)
 	default:
 		// control reaches here, we should just send the request up the stack - internally
--- a/pkg/server/api/object-handlers.go
+++ b/pkg/server/api/object-handlers.go
@@ -205,7 +205,18 @@ func (api Minio) PutObjectHandler(w http.ResponseWriter, req *http.Request) {
 		return
 	}

-	metadata, err := api.Donut.CreateObject(bucket, object, md5, sizeInt64, req.Body, nil)
+	var signature *donut.Signature
+	if _, ok := req.Header["Authorization"]; ok {
+		// Init signature V4 verification
+		var err error
+		signature, err = InitSignatureV4(req)
+		if err != nil {
+			writeErrorResponse(w, req, InternalError, acceptsContentType, req.URL.Path)
+			return
+		}
+	}
+
+	metadata, err := api.Donut.CreateObject(bucket, object, md5, sizeInt64, req.Body, nil, signature)
 	switch iodine.ToError(err).(type) {
 	case nil:
 		w.Header().Set("ETag", metadata.MD5Sum)
@@ -218,6 +229,10 @@ func (api Minio) PutObjectHandler(w http.ResponseWriter, req *http.Request) {
 		writeErrorResponse(w, req, MethodNotAllowed, acceptsContentType, req.URL.Path)
 	case donut.BadDigest:
 		writeErrorResponse(w, req, BadDigest, acceptsContentType, req.URL.Path)
+	case donut.MissingDateHeader:
+		writeErrorResponse(w, req, RequestTimeTooSkewed, acceptsContentType, req.URL.Path)
+	case donut.SignatureDoesNotMatch:
+		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.IncompleteBody:
 		writeErrorResponse(w, req, IncompleteBody, acceptsContentType, req.URL.Path)
 	case donut.EntityTooLarge:
--- a/pkg/server/api/signature.go
+++ b/pkg/server/api/signature.go
@@ -0,0 +1,85 @@
+/*
+ * Minimalist Object Storage, (C) 2015 Minio, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package api
+
+import (
+	"errors"
+	"net/http"
+	"strings"
+
+	"github.com/minio/minio/pkg/auth"
+	"github.com/minio/minio/pkg/donut"
+	"github.com/minio/minio/pkg/iodine"
+)
+
+const (
+	authHeaderPrefix = "AWS4-HMAC-SHA256"
+)
+
+// StripAccessKeyID - strip only access key id from auth header
+func StripAccessKeyID(ah string) (string, error) {
+	if ah == "" {
+		return "", errors.New("Missing auth header")
+	}
+	authFields := strings.Split(ah, ",")
+	if len(authFields) != 3 {
+		return "", errors.New("Missing fields in Auth header")
+	}
+	authPrefixFields := strings.Fields(authFields[0])
+	if len(authPrefixFields) != 2 {
+		return "", errors.New("Missing fields in Auth header")
+	}
+	if authPrefixFields[0] != authHeaderPrefix {
+		return "", errors.New("Missing fields is Auth header")
+	}
+	credentials := strings.Split(authPrefixFields[1], "=")
+	if len(credentials) != 2 {
+		return "", errors.New("Missing fields in Auth header")
+	}
+	if len(strings.Split(authFields[1], "=")) != 2 {
+		return "", errors.New("Missing fields in Auth header")
+	}
+	if len(strings.Split(authFields[2], "=")) != 2 {
+		return "", errors.New("Missing fields in Auth header")
+	}
+	accessKeyID := strings.Split(credentials[1], "/")[0]
+	if !auth.IsValidAccessKey(accessKeyID) {
+		return "", errors.New("Invalid access key")
+	}
+	return accessKeyID, nil
+}
+
+// InitSignatureV4 initializing signature verification
+func InitSignatureV4(req *http.Request) (*donut.Signature, error) {
+	// strip auth from authorization header
+	ah := req.Header.Get("Authorization")
+	accessKeyID, err := StripAccessKeyID(ah)
+	if err != nil {
+		return nil, iodine.New(err, nil)
+	}
+	authConfig, err := auth.LoadConfig()
+	if _, ok := authConfig.Users[accessKeyID]; !ok {
+		return nil, errors.New("Access ID not found")
+	}
+	signature := &donut.Signature{
+		AccessKeyID:     authConfig.Users[accessKeyID].AccessKeyID,
+		SecretAccessKey: authConfig.Users[accessKeyID].SecretAccessKey,
+		AuthHeader:      ah,
+		Request:         req,
+	}
+	return signature, nil
+}