mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
9dca46e156
Signature calculation has now moved out from being a package to top-level as a layered mechanism. In case of payload calculation with body, go-routines are initiated to simultaneously write and calculate shasum. Errors are sent over the writer so that the lower layer removes the temporary files properly.
392 lines
12 KiB
Go
392 lines
12 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
// This file implements helper functions to validate AWS
|
|
// Signature Version '4' authorization header.
|
|
//
|
|
// This package provides comprehensive helpers for following signature
|
|
// types.
|
|
// - Based on Authorization header.
|
|
// - Based on Query parameters.
|
|
// - Based on Form POST policy.
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/hex"
|
|
"net/http"
|
|
"net/url"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/minio/minio/pkg/crypto/sha256"
|
|
"github.com/minio/minio/pkg/probe"
|
|
)
|
|
|
|
// AWS Signature Version '4' constants.
|
|
const (
|
|
signV4Algorithm = "AWS4-HMAC-SHA256"
|
|
iso8601Format = "20060102T150405Z"
|
|
yyyymmdd = "20060102"
|
|
)
|
|
|
|
// getCanonicalHeaders generate a list of request headers with their values
|
|
func getCanonicalHeaders(signedHeaders http.Header, host string) string {
|
|
var headers []string
|
|
vals := make(http.Header)
|
|
for k, vv := range signedHeaders {
|
|
headers = append(headers, strings.ToLower(k))
|
|
vals[strings.ToLower(k)] = vv
|
|
}
|
|
headers = append(headers, "host")
|
|
sort.Strings(headers)
|
|
|
|
var buf bytes.Buffer
|
|
for _, k := range headers {
|
|
buf.WriteString(k)
|
|
buf.WriteByte(':')
|
|
switch {
|
|
case k == "host":
|
|
buf.WriteString(host)
|
|
fallthrough
|
|
default:
|
|
for idx, v := range vals[k] {
|
|
if idx > 0 {
|
|
buf.WriteByte(',')
|
|
}
|
|
buf.WriteString(v)
|
|
}
|
|
buf.WriteByte('\n')
|
|
}
|
|
}
|
|
return buf.String()
|
|
}
|
|
|
|
// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
|
|
func getSignedHeaders(signedHeaders http.Header) string {
|
|
var headers []string
|
|
for k := range signedHeaders {
|
|
headers = append(headers, strings.ToLower(k))
|
|
}
|
|
headers = append(headers, "host")
|
|
sort.Strings(headers)
|
|
return strings.Join(headers, ";")
|
|
}
|
|
|
|
// getCanonicalRequest generate a canonical request of style
|
|
//
|
|
// canonicalRequest =
|
|
// <HTTPMethod>\n
|
|
// <CanonicalURI>\n
|
|
// <CanonicalQueryString>\n
|
|
// <CanonicalHeaders>\n
|
|
// <SignedHeaders>\n
|
|
// <HashedPayload>
|
|
//
|
|
func getCanonicalRequest(extractedSignedHeaders http.Header, payload, queryStr, urlPath, method, host string) string {
|
|
rawQuery := strings.Replace(queryStr, "+", "%20", -1)
|
|
encodedPath := getURLEncodedName(urlPath)
|
|
// Convert any space strings back to "+".
|
|
encodedPath = strings.Replace(encodedPath, "+", "%20", -1)
|
|
canonicalRequest := strings.Join([]string{
|
|
method,
|
|
encodedPath,
|
|
rawQuery,
|
|
getCanonicalHeaders(extractedSignedHeaders, host),
|
|
getSignedHeaders(extractedSignedHeaders),
|
|
payload,
|
|
}, "\n")
|
|
return canonicalRequest
|
|
}
|
|
|
|
// getCanonicalRequest generate a canonical request of style
|
|
//
|
|
// canonicalRequest =
|
|
// <HTTPMethod>\n
|
|
// <CanonicalURI>\n
|
|
// <CanonicalQueryString>\n
|
|
// <CanonicalHeaders>\n
|
|
// <SignedHeaders>\n
|
|
// <HashedPayload>
|
|
//
|
|
func getPresignCanonicalRequest(extractedSignedHeaders http.Header, presignedQuery, urlPath, method, host string) string {
|
|
rawQuery := strings.Replace(presignedQuery, "+", "%20", -1)
|
|
encodedPath := getURLEncodedName(urlPath)
|
|
// Convert any space strings back to "+".
|
|
encodedPath = strings.Replace(encodedPath, "+", "%20", -1)
|
|
canonicalRequest := strings.Join([]string{
|
|
method,
|
|
encodedPath,
|
|
rawQuery,
|
|
getCanonicalHeaders(extractedSignedHeaders, host),
|
|
getSignedHeaders(extractedSignedHeaders),
|
|
"UNSIGNED-PAYLOAD",
|
|
}, "\n")
|
|
return canonicalRequest
|
|
}
|
|
|
|
// getScope generate a string of a specific date, an AWS region, and a service.
|
|
func getScope(t time.Time, region string) string {
|
|
scope := strings.Join([]string{
|
|
t.Format(yyyymmdd),
|
|
region,
|
|
"s3",
|
|
"aws4_request",
|
|
}, "/")
|
|
return scope
|
|
}
|
|
|
|
// getStringToSign a string based on selected query values.
|
|
func getStringToSign(canonicalRequest string, t time.Time, region string) string {
|
|
stringToSign := signV4Algorithm + "\n" + t.Format(iso8601Format) + "\n"
|
|
stringToSign = stringToSign + getScope(t, region) + "\n"
|
|
canonicalRequestBytes := sha256.Sum256([]byte(canonicalRequest))
|
|
stringToSign = stringToSign + hex.EncodeToString(canonicalRequestBytes[:])
|
|
return stringToSign
|
|
}
|
|
|
|
// getSigningKey hmac seed to calculate final signature.
|
|
func getSigningKey(secretKey string, t time.Time, region string) []byte {
|
|
date := sumHMAC([]byte("AWS4"+secretKey), []byte(t.Format(yyyymmdd)))
|
|
regionBytes := sumHMAC(date, []byte(region))
|
|
service := sumHMAC(regionBytes, []byte("s3"))
|
|
signingKey := sumHMAC(service, []byte("aws4_request"))
|
|
return signingKey
|
|
}
|
|
|
|
// getSignature final signature in hexadecimal form.
|
|
func getSignature(signingKey []byte, stringToSign string) string {
|
|
return hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign)))
|
|
}
|
|
|
|
// doesPolicySignatureMatch - Verify query headers with post policy
|
|
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
|
|
// returns true if matches, false otherwise. if error is not nil then it is always false
|
|
func doesPolicySignatureMatch(formValues map[string]string) (bool, *probe.Error) {
|
|
// Access credentials.
|
|
cred := serverConfig.GetCredential()
|
|
|
|
// Server region.
|
|
region := serverConfig.GetRegion()
|
|
|
|
// Parse credential tag.
|
|
credHeader, err := parseCredentialHeader("Credential=" + formValues["X-Amz-Credential"])
|
|
if err != nil {
|
|
return false, err.Trace(formValues["X-Amz-Credential"])
|
|
}
|
|
|
|
// Verify if the access key id matches.
|
|
if credHeader.accessKey != cred.AccessKeyID {
|
|
return false, ErrInvalidAccessKey("Access key id does not match with our records.", credHeader.accessKey).Trace(credHeader.accessKey)
|
|
}
|
|
|
|
// Verify if the region is valid.
|
|
if !isValidRegion(credHeader.scope.region, region) {
|
|
return false, ErrInvalidRegion("Requested region is not recognized.", credHeader.scope.region).Trace(credHeader.scope.region)
|
|
}
|
|
|
|
// Parse date string.
|
|
t, e := time.Parse(iso8601Format, formValues["X-Amz-Date"])
|
|
if e != nil {
|
|
return false, probe.NewError(e)
|
|
}
|
|
|
|
// Get signing key.
|
|
signingKey := getSigningKey(cred.SecretAccessKey, t, region)
|
|
|
|
// Get signature.
|
|
newSignature := getSignature(signingKey, formValues["Policy"])
|
|
|
|
// Verify signature.
|
|
if newSignature != formValues["X-Amz-Signature"] {
|
|
return false, nil
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// doesPresignedSignatureMatch - Verify query headers with presigned signature
|
|
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
|
|
// returns true if matches, false otherwise. if error is not nil then it is always false
|
|
func doesPresignedSignatureMatch(r *http.Request) (bool, *probe.Error) {
|
|
// Access credentials.
|
|
cred := serverConfig.GetCredential()
|
|
|
|
// Server region.
|
|
region := serverConfig.GetRegion()
|
|
|
|
// Copy request
|
|
req := *r
|
|
|
|
// Parse request query string.
|
|
preSignValues, err := parsePreSignV4(req.URL.Query())
|
|
if err != nil {
|
|
return false, err.Trace(req.URL.String())
|
|
}
|
|
|
|
// Verify if the access key id matches.
|
|
if preSignValues.Credential.accessKey != cred.AccessKeyID {
|
|
return false, ErrInvalidAccessKey("Access key id does not match with our records.", preSignValues.Credential.accessKey).Trace(preSignValues.Credential.accessKey)
|
|
}
|
|
|
|
// Verify if region is valid.
|
|
sRegion := preSignValues.Credential.scope.region
|
|
if !isValidRegion(sRegion, region) {
|
|
return false, ErrInvalidRegion("Requested region is not recognized.", sRegion).Trace(sRegion)
|
|
}
|
|
|
|
// Extract all the signed headers along with its values.
|
|
extractedSignedHeaders := extractSignedHeaders(preSignValues.SignedHeaders, req.Header)
|
|
|
|
// Construct new query.
|
|
query := make(url.Values)
|
|
query.Set("X-Amz-Algorithm", signV4Algorithm)
|
|
|
|
if time.Now().UTC().Sub(preSignValues.Date) > time.Duration(preSignValues.Expires) {
|
|
return false, ErrExpiredPresignRequest("Presigned request already expired, please initiate a new request.")
|
|
}
|
|
|
|
// Save the date and expires.
|
|
t := preSignValues.Date
|
|
expireSeconds := int(time.Duration(preSignValues.Expires) / time.Second)
|
|
|
|
// Construct the query.
|
|
query.Set("X-Amz-Date", t.Format(iso8601Format))
|
|
query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
|
|
query.Set("X-Amz-SignedHeaders", getSignedHeaders(extractedSignedHeaders))
|
|
query.Set("X-Amz-Credential", cred.AccessKeyID+"/"+getScope(t, region))
|
|
|
|
// Save other headers available in the request parameters.
|
|
for k, v := range req.URL.Query() {
|
|
if strings.HasPrefix(strings.ToLower(k), "x-amz") {
|
|
continue
|
|
}
|
|
query[k] = v
|
|
}
|
|
|
|
// Get the encoded query.
|
|
encodedQuery := query.Encode()
|
|
|
|
// Verify if date query is same.
|
|
if req.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
|
|
return false, nil
|
|
}
|
|
// Verify if expires query is same.
|
|
if req.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
|
|
return false, nil
|
|
}
|
|
// Verify if signed headers query is same.
|
|
if req.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
|
|
return false, nil
|
|
}
|
|
// Verify if credential query is same.
|
|
if req.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
|
|
return false, nil
|
|
}
|
|
|
|
/// Verify finally if signature is same.
|
|
|
|
// Get canonical request.
|
|
presignedCanonicalReq := getPresignCanonicalRequest(extractedSignedHeaders, encodedQuery, req.URL.Path, req.Method, req.Host)
|
|
|
|
// Get string to sign from canonical request.
|
|
presignedStringToSign := getStringToSign(presignedCanonicalReq, t, region)
|
|
|
|
// Get hmac presigned signing key.
|
|
presignedSigningKey := getSigningKey(cred.SecretAccessKey, t, region)
|
|
|
|
// Get new signature.
|
|
newSignature := getSignature(presignedSigningKey, presignedStringToSign)
|
|
|
|
// Verify signature.
|
|
if req.URL.Query().Get("X-Amz-Signature") != newSignature {
|
|
return false, nil
|
|
}
|
|
return true, nil
|
|
}
|
|
|
|
// doesSignatureMatch - Verify authorization header with calculated header in accordance with
|
|
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
|
|
// returns true if matches, false otherwise. if error is not nil then it is always false
|
|
func doesSignatureMatch(hashedPayload string, r *http.Request) (bool, *probe.Error) {
|
|
// Access credentials.
|
|
cred := serverConfig.GetCredential()
|
|
|
|
// Server region.
|
|
region := serverConfig.GetRegion()
|
|
|
|
// Copy request.
|
|
req := *r
|
|
|
|
// Save authorization header.
|
|
v4Auth := req.Header.Get("Authorization")
|
|
|
|
// Parse signature version '4' header.
|
|
signV4Values, err := parseSignV4(v4Auth)
|
|
if err != nil {
|
|
return false, err.Trace(v4Auth)
|
|
}
|
|
|
|
// Extract all the signed headers along with its values.
|
|
extractedSignedHeaders := extractSignedHeaders(signV4Values.SignedHeaders, req.Header)
|
|
|
|
// Verify if the access key id matches.
|
|
if signV4Values.Credential.accessKey != cred.AccessKeyID {
|
|
return false, ErrInvalidAccessKey("Access key id does not match with our records.", signV4Values.Credential.accessKey).Trace(signV4Values.Credential.accessKey)
|
|
}
|
|
|
|
// Verify if region is valid.
|
|
sRegion := signV4Values.Credential.scope.region
|
|
if !isValidRegion(sRegion, region) {
|
|
return false, ErrInvalidRegion("Requested region is not recognized.", sRegion).Trace(sRegion)
|
|
}
|
|
|
|
// Extract date, if not present throw error.
|
|
var date string
|
|
if date = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); date == "" {
|
|
if date = r.Header.Get("Date"); date == "" {
|
|
return false, ErrMissingDateHeader("Date header is missing from the request.").Trace()
|
|
}
|
|
}
|
|
// Parse date header.
|
|
t, e := time.Parse(iso8601Format, date)
|
|
if e != nil {
|
|
return false, probe.NewError(e)
|
|
}
|
|
|
|
// Query string.
|
|
queryStr := req.URL.Query().Encode()
|
|
|
|
// Get canonical request.
|
|
canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method, req.Host)
|
|
|
|
// Get string to sign from canonical request.
|
|
stringToSign := getStringToSign(canonicalRequest, t, region)
|
|
|
|
// Get hmac signing key.
|
|
signingKey := getSigningKey(cred.SecretAccessKey, t, region)
|
|
|
|
// Calculate signature.
|
|
newSignature := getSignature(signingKey, stringToSign)
|
|
|
|
// Verify if signature match.
|
|
if newSignature != signV4Values.Signature {
|
|
return false, nil
|
|
}
|
|
return true, nil
|
|
}
|