Handle authorization header better

9 years ago · 19250296c6
parent 2d5e1d3797
commit 19250296c6
2 changed files with 27 additions and 12 deletions
--- a/pkg/api/api_generic_handlers.go
+++ b/pkg/api/api_generic_handlers.go
@ -54,6 +54,10 @@ const (
 	timeFormat = "20060102T150405Z"
 )
 const (
 	authHeaderPrefix = "AWS4-HMAC-SHA256"
 )
 // strip auth from authorization header
 func stripAuth(r *http.Request) (*auth, error) {
 	authHeader := r.Header.Get("Authorization")
@ -61,23 +65,32 @@ func stripAuth(r *http.Request) (*auth, error) {
 		return nil, errors.New("Missing auth header")
 	}
 	a := new(auth)
-	authFields := strings.Fields(authHeader)
+	authFields := strings.Split(authHeader, ",")
-	if len(authFields) < 4 {
+	if len(authFields) != 3 {
 		return nil, errors.New("Missing fields in Auth header")
 	}
 	authPrefixFields := strings.Fields(authFields[0])
 	if len(authPrefixFields) != 2 {
 		return nil, errors.New("Missing fields in Auth header")
 	}
 	if authPrefixFields[0] != authHeaderPrefix {
 		return nil, errors.New("Missing fields is Auth header")
 	}
 	credentials := strings.Split(authPrefixFields[1], "=")
 	if len(credentials) != 2 {
 		return nil, errors.New("Missing fields in Auth header")
 	}
-	a.prefix = authFields[0]
+	signedheaders := strings.Split(authFields[1], "=")
-	credentials := strings.Split(authFields[1], ",")[0]
+	if len(signedheaders) != 2 {
 	if len(credentials) < 2 {
 		return nil, errors.New("Missing fields in Auth header")
 	}
-	signedheaders := strings.Split(authFields[2], ",")[0]
+	signature := strings.Split(authFields[2], "=")
-	if len(signedheaders) < 2 {
+	if len(signature) != 2 {
 		return nil, errors.New("Missing fields in Auth header")
 	}
-	signature := authFields[3]
+	a.credential = credentials[1]
-	a.credential = strings.Split(credentials, "=")[1]
+	a.signedheaders = signedheaders[1]
-	a.signedheaders = strings.Split(signedheaders, "=")[1]
+	a.signature = signature[1]
 	a.signature = strings.Split(signature, "=")[1]
 	a.accessKey = strings.Split(a.credential, "/")[0]
 	if !keys.IsValidAccessKey(a.accessKey) {
 		return nil, errors.New("Invalid access key")
--- a/pkg/api/logging/logging.go
+++ b/pkg/api/logging/logging.go
@ -39,6 +39,7 @@ type LogMessage struct {
 	StartTime       time.Time
 	Duration        time.Duration
 	Status          int
 	StatusText      string
 	ResponseHeaders http.Header
 }
@ -50,6 +51,7 @@ type LogWriter struct {
 // WriteHeader writes headers and stores status in LogMessage
 func (w *LogWriter) WriteHeader(status int) {
 	w.LogMessage.StatusText = http.StatusText(status)
 	w.LogMessage.Status = status
 	w.ResponseWriter.WriteHeader(status)
 }
@ -69,12 +71,12 @@ func (h *logHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		StartTime: time.Now().UTC(),
 	}
 	logWriter := &LogWriter{ResponseWriter: w, LogMessage: logMessage}
 	h.Handler.ServeHTTP(logWriter, req)
 	logMessage.ResponseHeaders = w.Header()
 	logMessage.Request = req
 	logMessage.Duration = time.Now().UTC().Sub(logMessage.StartTime)
 	js, _ := json.Marshal(logMessage)
 	h.Logger <- string(js)
 	h.Handler.ServeHTTP(logWriter, req)
 }
 // LogHandler logs requests