mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
9dca46e156
Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
187 lines
4.9 KiB
Go
187 lines
4.9 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2015 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/md5"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/minio/minio/pkg/probe"
|
|
)
|
|
|
|
// Verify if request has JWT.
|
|
func isRequestJWT(r *http.Request) bool {
|
|
if _, ok := r.Header["Authorization"]; ok {
|
|
if strings.HasPrefix(r.Header.Get("Authorization"), jwtAlgorithm) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Verify if request has AWS Signature Version '4'.
|
|
func isRequestSignatureV4(r *http.Request) bool {
|
|
if _, ok := r.Header["Authorization"]; ok {
|
|
if strings.HasPrefix(r.Header.Get("Authorization"), signV4Algorithm) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Verify if request has AWS Presignature Version '4'.
|
|
func isRequestPresignedSignatureV4(r *http.Request) bool {
|
|
if _, ok := r.URL.Query()["X-Amz-Credential"]; ok {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Verify if request has AWS Post policy Signature Version '4'.
|
|
func isRequestPostPolicySignatureV4(r *http.Request) bool {
|
|
if _, ok := r.Header["Content-Type"]; ok {
|
|
if strings.Contains(r.Header.Get("Content-Type"), "multipart/form-data") && r.Method == "POST" {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// Authorization type.
|
|
type authType int
|
|
|
|
// List of all supported auth types.
|
|
const (
|
|
authTypeUnknown authType = iota
|
|
authTypeAnonymous
|
|
authTypePresigned
|
|
authTypePostPolicy
|
|
authTypeSigned
|
|
authTypeJWT
|
|
)
|
|
|
|
// Get request authentication type.
|
|
func getRequestAuthType(r *http.Request) authType {
|
|
if isRequestSignatureV4(r) {
|
|
return authTypeSigned
|
|
} else if isRequestPresignedSignatureV4(r) {
|
|
return authTypePresigned
|
|
} else if isRequestJWT(r) {
|
|
return authTypeJWT
|
|
} else if isRequestPostPolicySignatureV4(r) {
|
|
return authTypePostPolicy
|
|
} else if _, ok := r.Header["Authorization"]; !ok {
|
|
return authTypeAnonymous
|
|
}
|
|
return authTypeUnknown
|
|
}
|
|
|
|
// sum256 calculate sha256 sum for an input byte array
|
|
func sum256(data []byte) []byte {
|
|
hash := sha256.New()
|
|
hash.Write(data)
|
|
return hash.Sum(nil)
|
|
}
|
|
|
|
// sumMD5 calculate md5 sum for an input byte array
|
|
func sumMD5(data []byte) []byte {
|
|
hash := md5.New()
|
|
hash.Write(data)
|
|
return hash.Sum(nil)
|
|
}
|
|
|
|
// Verify if request has valid AWS Signature Version '4'.
|
|
func isReqAuthenticated(r *http.Request) (s3Error APIErrorCode) {
|
|
if r == nil {
|
|
errorIf(probe.NewError(errInvalidArgument), "HTTP request cannot be empty.", nil)
|
|
return ErrInternalError
|
|
}
|
|
payload, e := ioutil.ReadAll(r.Body)
|
|
if e != nil {
|
|
errorIf(probe.NewError(e), "Unable to read HTTP body.", nil)
|
|
return ErrInternalError
|
|
}
|
|
// Verify Content-Md5, if payload is set.
|
|
if r.Header.Get("Content-Md5") != "" {
|
|
if r.Header.Get("Content-Md5") != base64.StdEncoding.EncodeToString(sumMD5(payload)) {
|
|
return ErrBadDigest
|
|
}
|
|
}
|
|
// Populate back the payload.
|
|
r.Body = ioutil.NopCloser(bytes.NewReader(payload))
|
|
if isRequestSignatureV4(r) {
|
|
ok, err := doesSignatureMatch(hex.EncodeToString(sum256(payload)), r)
|
|
if err != nil {
|
|
errorIf(err.Trace(), "Signature verification failed.", nil)
|
|
return ErrInternalError
|
|
}
|
|
if !ok {
|
|
return ErrSignatureDoesNotMatch
|
|
}
|
|
return ErrNone
|
|
} else if isRequestPresignedSignatureV4(r) {
|
|
ok, err := doesPresignedSignatureMatch(r)
|
|
if err != nil {
|
|
errorIf(err.Trace(), "Presigned signature verification failed.", nil)
|
|
return ErrInternalError
|
|
}
|
|
if !ok {
|
|
return ErrSignatureDoesNotMatch
|
|
}
|
|
return ErrNone
|
|
}
|
|
return ErrAccessDenied
|
|
}
|
|
|
|
// authHandler - handles all the incoming authorization headers and
|
|
// validates them if possible.
|
|
type authHandler struct {
|
|
handler http.Handler
|
|
}
|
|
|
|
// setAuthHandler to validate authorization header for the incoming request.
|
|
func setAuthHandler(h http.Handler) http.Handler {
|
|
return authHandler{h}
|
|
}
|
|
|
|
// handler for validating incoming authorization headers.
|
|
func (a authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
switch getRequestAuthType(r) {
|
|
case authTypeAnonymous, authTypePresigned, authTypeSigned, authTypePostPolicy:
|
|
// Let top level caller validate for anonymous and known
|
|
// signed requests.
|
|
a.handler.ServeHTTP(w, r)
|
|
return
|
|
case authTypeJWT:
|
|
// Validate Authorization header if its valid for JWT request.
|
|
if !isJWTReqAuthenticated(r) {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
a.handler.ServeHTTP(w, r)
|
|
default:
|
|
writeErrorResponse(w, r, ErrSignatureVersionNotSupported, r.URL.Path)
|
|
return
|
|
}
|
|
}
|