support passing signatureAge conditional (#18529)

this PR allows following policy ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "Deny a presigned URL request if the signature is more than 10 min old", "Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*", "Condition": { "NumericGreaterThan": { "s3:signatureAge": 600000 } } } ] } ``` This is to basically disable all pre-signed URLs that are older than 10 minutes.
2025-11-07 21:02:58 -05:00 · 2023-11-27 11:30:19 -08:00
parent be02333529
commit 8d9e83fd99
5 changed files with 14 additions and 3 deletions
--- a/cmd/bucket-policy.go
+++ b/cmd/bucket-policy.go
@@ -137,6 +137,10 @@ func getConditionValues(r *http.Request, lc string, cred auth.Credentials) map[s
 	}

 	cloneHeader := r.Header.Clone()
+	if v := cloneHeader.Get("x-amz-signature-age"); v != "" {
+		args["signatureAge"] = []string{v}
+		cloneHeader.Del("x-amz-signature-age")
+	}

 	if userTags := cloneHeader.Get(xhttp.AmzObjectTagging); userTags != "" {
 		tag, _ := tags.ParseObjectTags(userTags)
--- a/cmd/signature-v4-parser.go
+++ b/cmd/signature-v4-parser.go
@@ -232,6 +232,10 @@ func parsePreSignV4(query url.Values, region string, stype serviceType) (psv pre
 		return psv, ErrMaximumExpires
 	}

+	if preSignV4Values.Date.IsZero() || preSignV4Values.Date.Equal(timeSentinel) {
+		return psv, ErrMalformedPresignedDate
+	}
+
 	// Save signed headers.
 	preSignV4Values.SignedHeaders, aec = parseSignedHeader("SignedHeaders=" + query.Get(xhttp.AmzSignedHeaders))
 	if aec != ErrNone {
--- a/cmd/signature-v4.go
+++ b/cmd/signature-v4.go
@@ -334,6 +334,9 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
 	if !compareSignatureV4(req.Form.Get(xhttp.AmzSignature), newSignature) {
 		return ErrSignatureDoesNotMatch
 	}
+
+	r.Header.Set("x-amz-signature-age", strconv.FormatInt(UTCNow().Sub(pSignValues.Date).Milliseconds(), 10))
+
 	return ErrNone
 }