mirror of
https://github.com/minio/minio.git
synced 2025-01-26 06:03:17 -05:00
support passing signatureAge conditional (#18529)
This PR allows the following policy: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "Deny a presigned URL request if the signature is more than 10 min old", "Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*", "Condition": { "NumericGreaterThan": { "s3:signatureAge": 600000 } } } ] } ``` This effectively disables all pre-signed URLs that are older than 10 minutes.
parent
be02333529
commit
8d9e83fd99
@ -137,6 +137,10 @@ func getConditionValues(r *http.Request, lc string, cred auth.Credentials) map[s
|
|||||||
}
|
}
|
||||||
|
|
||||||
cloneHeader := r.Header.Clone()
|
cloneHeader := r.Header.Clone()
|
||||||
|
if v := cloneHeader.Get("x-amz-signature-age"); v != "" {
|
||||||
|
args["signatureAge"] = []string{v}
|
||||||
|
cloneHeader.Del("x-amz-signature-age")
|
||||||
|
}
|
||||||
|
|
||||||
if userTags := cloneHeader.Get(xhttp.AmzObjectTagging); userTags != "" {
|
if userTags := cloneHeader.Get(xhttp.AmzObjectTagging); userTags != "" {
|
||||||
tag, _ := tags.ParseObjectTags(userTags)
|
tag, _ := tags.ParseObjectTags(userTags)
|
||||||
|
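Review bot: `signatureAge` is read from the `x-amz-signature-age` request header, and nothing in this hunk distinguishes a value written by the server from one the client sent. The only visible writer is the presigned path in `doesPresignedSignatureMatch` (third hunk), so on header-signed or anonymous requests a client-supplied header would presumably reach policy evaluation unchanged; whether an earlier layer strips it is not visible here. Consider clearing the header before authentication runs, or carrying the age in the request context instead of a header. The `Del` acts only on the clone, so `r.Header` keeps the value, and I would add `// x-amz-signature-age is set internally after presigned signature verification; a client-sent value must not be trusted` above the `if`. `getConditionValues` continues outside the hunk.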
@ -232,6 +232,10 @@ func parsePreSignV4(query url.Values, region string, stype serviceType) (psv pre
|
|||||||
return psv, ErrMaximumExpires
|
return psv, ErrMaximumExpires
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if preSignV4Values.Date.IsZero() || preSignV4Values.Date.Equal(timeSentinel) {
|
||||||
|
return psv, ErrMalformedPresignedDate
|
||||||
|
}
|
||||||
|
|
||||||
// Save signed headers.
|
// Save signed headers.
|
||||||
preSignV4Values.SignedHeaders, aec = parseSignedHeader("SignedHeaders=" + query.Get(xhttp.AmzSignedHeaders))
|
preSignV4Values.SignedHeaders, aec = parseSignedHeader("SignedHeaders=" + query.Get(xhttp.AmzSignedHeaders))
|
||||||
if aec != ErrNone {
|
if aec != ErrNone {
|
||||||
|
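Review bot: The new date guard in `parsePreSignV4` has no comment saying why a zero or sentinel `Date` is rejected at this point, and the reason is not obvious from the parser alone. From the rest of the commit it appears to protect the age computation in `doesPresignedSignatureMatch`, where a zero date would yield an enormous age; I would add `// Reject a missing or unparsed X-Amz-Date: the signature age is later derived from it.` above the `if`. Where `Date` is parsed, and whether a parse failure already returns earlier, is outside the hunk.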
@ -334,6 +334,9 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
|
|||||||
if !compareSignatureV4(req.Form.Get(xhttp.AmzSignature), newSignature) {
|
if !compareSignatureV4(req.Form.Get(xhttp.AmzSignature), newSignature) {
|
||||||
return ErrSignatureDoesNotMatch
|
return ErrSignatureDoesNotMatch
|
||||||
}
|
}
|
||||||
|
|
||||||
|
r.Header.Set("x-amz-signature-age", strconv.FormatInt(UTCNow().Sub(pSignValues.Date).Milliseconds(), 10))
|
||||||
|
|
||||||
return ErrNone
|
return ErrNone
|
||||||
}
|
}
|
||||||
|
|
||||||
|
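Review bot: The age stored by `r.Header.Set` can be negative when `pSignValues.Date` is ahead of the server clock, and a `NumericGreaterThan` condition on `s3:signatureAge` then never matches; whether a skew check earlier in `doesPresignedSignatureMatch` bounds this is outside the hunk. Clamping would make the value well defined: `age := UTCNow().Sub(pSignValues.Date)` followed by `if age < 0 { age = 0 }`. The header name is also a string literal repeated in `getConditionValues`, so a shared constant would keep writer and reader in step. The unit (milliseconds) deserves a one-line comment, since policy authors must write `600000` for ten minutes.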
2
go.mod
2
go.mod
@ -52,7 +52,7 @@ require (
|
|||||||
github.com/minio/madmin-go/v3 v3.0.33
|
github.com/minio/madmin-go/v3 v3.0.33
|
||||||
github.com/minio/minio-go/v7 v7.0.64
|
github.com/minio/minio-go/v7 v7.0.64
|
||||||
github.com/minio/mux v1.9.0
|
github.com/minio/mux v1.9.0
|
||||||
github.com/minio/pkg/v2 v2.0.3-0.20231107172951-8a60b89ec9b4
|
github.com/minio/pkg/v2 v2.0.4
|
||||||
github.com/minio/selfupdate v0.6.0
|
github.com/minio/selfupdate v0.6.0
|
||||||
github.com/minio/sha256-simd v1.0.1
|
github.com/minio/sha256-simd v1.0.1
|
||||||
github.com/minio/simdjson-go v0.4.5
|
github.com/minio/simdjson-go v0.4.5
|
||||||
|
4
go.sum
4
go.sum
@ -497,8 +497,8 @@ github.com/minio/mux v1.9.0 h1:dWafQFyEfGhJvK6AwLOt83bIG5bxKxKJnKMCi0XAaoA=
|
|||||||
github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ=
|
github.com/minio/mux v1.9.0/go.mod h1:1pAare17ZRL5GpmNL+9YmqHoWnLmMZF9C/ioUCfy0BQ=
|
||||||
github.com/minio/pkg v1.7.5 h1:UOUJjewE5zoaDPlCMJtNx/swc1jT1ZR+IajT7hrLd44=
|
github.com/minio/pkg v1.7.5 h1:UOUJjewE5zoaDPlCMJtNx/swc1jT1ZR+IajT7hrLd44=
|
||||||
github.com/minio/pkg v1.7.5/go.mod h1:mEfGMTm5Z0b5EGxKNuPwyb5A2d+CC/VlUyRj6RJtIwo=
|
github.com/minio/pkg v1.7.5/go.mod h1:mEfGMTm5Z0b5EGxKNuPwyb5A2d+CC/VlUyRj6RJtIwo=
|
||||||
github.com/minio/pkg/v2 v2.0.3-0.20231107172951-8a60b89ec9b4 h1:5eHjHtFZrrCQ3eO0sesXomdAUTtcGh0Fpp7Qa6dtjrY=
|
github.com/minio/pkg/v2 v2.0.4 h1:vHQOqxD7AdsJq3X9GylO0PO6WCpcK7aePsVfk0oRYh0=
|
||||||
github.com/minio/pkg/v2 v2.0.3-0.20231107172951-8a60b89ec9b4/go.mod h1:6xTAr5M9yobpUroXAAaTrGJ9fhOZIqKYOT0I87u2yZ4=
|
github.com/minio/pkg/v2 v2.0.4/go.mod h1:ya1jPY/rtVp3HarxwDQJkclR8Rd2QxwxA9kwS436ovs=
|
||||||
github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
|
github.com/minio/selfupdate v0.6.0 h1:i76PgT0K5xO9+hjzKcacQtO7+MjJ4JKA8Ak8XQ9DDwU=
|
||||||
github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
|
github.com/minio/selfupdate v0.6.0/go.mod h1:bO02GTIPCMQFTEvE5h4DjYB58bCoZ35XLeBf0buTDdM=
|
||||||
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
|
github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM=
|
||||||
|