Merge pull request #899 from harshavardhana/fix-signature-v4-bugs

Fix some bugs in controller rpc
master
Harshavardhana 9 years ago
commit 2f5fa394ce
  1. 1
      controller-main.go
  2. 13
      controller-rpc-signature-handler.go
  3. 9
      controller-rpc-signature.go
  4. 6
      rpc-client.go

@ -194,6 +194,7 @@ func getControllerConfig(c *cli.Context) minioConfig {
CertFile: certFile, CertFile: certFile,
KeyFile: keyFile, KeyFile: keyFile,
RateLimit: c.GlobalInt("ratelimit"), RateLimit: c.GlobalInt("ratelimit"),
Anonymous: c.GlobalBool("anonymous"),
} }
} }

@ -20,6 +20,7 @@ import (
"bytes" "bytes"
"encoding/hex" "encoding/hex"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"sort" "sort"
"strings" "strings"
@ -35,7 +36,7 @@ type rpcSignatureHandler struct {
// RPCSignatureHandler to validate authorization header for the incoming request. // RPCSignatureHandler to validate authorization header for the incoming request.
func RPCSignatureHandler(h http.Handler) http.Handler { func RPCSignatureHandler(h http.Handler) http.Handler {
return signatureHandler{h} return rpcSignatureHandler{h}
} }
type rpcSignature struct { type rpcSignature struct {
@ -114,7 +115,7 @@ func (r rpcSignature) extractSignedHeaders() map[string][]string {
// <HashedPayload> // <HashedPayload>
// //
func (r *rpcSignature) getCanonicalRequest() string { func (r *rpcSignature) getCanonicalRequest() string {
payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-amz-content-sha256")) payload := r.Request.Header.Get(http.CanonicalHeaderKey("x-minio-content-sha256"))
r.Request.URL.RawQuery = strings.Replace(r.Request.URL.Query().Encode(), "+", "%20", -1) r.Request.URL.RawQuery = strings.Replace(r.Request.URL.Query().Encode(), "+", "%20", -1)
encodedPath := getURLEncodedName(r.Request.URL.Path) encodedPath := getURLEncodedName(r.Request.URL.Path)
// convert any space strings back to "+" // convert any space strings back to "+"
@ -143,7 +144,7 @@ func (r rpcSignature) getScope(t time.Time) string {
// getStringToSign a string based on selected query values // getStringToSign a string based on selected query values
func (r rpcSignature) getStringToSign(canonicalRequest string, t time.Time) string { func (r rpcSignature) getStringToSign(canonicalRequest string, t time.Time) string {
stringToSign := authHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n" stringToSign := rpcAuthHeaderPrefix + "\n" + t.Format(iso8601Format) + "\n"
stringToSign = stringToSign + r.getScope(t) + "\n" stringToSign = stringToSign + r.getScope(t) + "\n"
stringToSign = stringToSign + hex.EncodeToString(sha256.Sum256([]byte(canonicalRequest))) stringToSign = stringToSign + hex.EncodeToString(sha256.Sum256([]byte(canonicalRequest)))
return stringToSign return stringToSign
@ -236,8 +237,10 @@ func (s rpcSignatureHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path) writeErrorResponse(w, r, SignatureDoesNotMatch, r.URL.Path)
return return
} }
// Copy the buffer back into request body to be read by the RPC service callers
r.Body = ioutil.NopCloser(buffer)
s.handler.ServeHTTP(w, r) s.handler.ServeHTTP(w, r)
return } else {
}
writeErrorResponse(w, r, AccessDenied, r.URL.Path) writeErrorResponse(w, r, AccessDenied, r.URL.Path)
} }
}
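Review bot: In ServeHTTP the request body is restored from `buffer` for the RPC handlers, but nothing visible in this hunk shows that the read filling `buffer` is size-limited, and that read presumably happens before the signature is verified. If it is an unbounded copy, an unauthenticated client can make the controller hold an arbitrarily large body in memory. Capping it before the copy would close that off, e.g. `r.Body = http.MaxBytesReader(w, r.Body, maxRPCBodySize)`, where `maxRPCBodySize` is a placeholder name for a limit the project would define. The new comment could also state that `buffer` holds the same bytes whose SHA-256 was compared with the signed `x-minio-content-sha256` value, assuming the earlier part of the function does that comparison. The function starts above the hunk, so both points need checking against the full body.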

@ -78,25 +78,24 @@ func isValidRPCRegion(authHeaderValue string) *probe.Error {
// stripRPCAccessKeyID - strip only access key id from auth header // stripRPCAccessKeyID - strip only access key id from auth header
func stripRPCAccessKeyID(authHeaderValue string) (string, *probe.Error) { func stripRPCAccessKeyID(authHeaderValue string) (string, *probe.Error) {
if err := isValidRegion(authHeaderValue); err != nil { if err := isValidRPCRegion(authHeaderValue); err != nil {
return "", err.Trace() return "", err.Trace()
} }
credentialElements, err := getRPCCredentialsFromAuth(authHeaderValue) credentialElements, err := getRPCCredentialsFromAuth(authHeaderValue)
if err != nil { if err != nil {
return "", err.Trace() return "", err.Trace()
} }
accessKeyID := credentialElements[0] if credentialElements[0] != "admin" {
if !IsValidAccessKey(accessKeyID) {
return "", probe.NewError(errAccessKeyIDInvalid) return "", probe.NewError(errAccessKeyIDInvalid)
} }
return accessKeyID, nil return credentialElements[0], nil
} }
// initSignatureRPC initializing rpc signature verification // initSignatureRPC initializing rpc signature verification
func initSignatureRPC(req *http.Request) (*rpcSignature, *probe.Error) { func initSignatureRPC(req *http.Request) (*rpcSignature, *probe.Error) {
// strip auth from authorization header // strip auth from authorization header
authHeaderValue := req.Header.Get("Authorization") authHeaderValue := req.Header.Get("Authorization")
accessKeyID, err := stripAccessKeyID(authHeaderValue) accessKeyID, err := stripRPCAccessKeyID(authHeaderValue)
if err != nil { if err != nil {
return nil, err.Trace() return nil, err.Trace()
} }
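Review bot: stripRPCAccessKeyID now compares against the bare literal `"admin"`, and the same literal is repeated in rpc-client.go in `Credential=admin/` and `config.Users["admin"]`, so client and verifier agree only as long as every copy is spelled the same. A shared constant used at all three sites would keep them in step, for example `const rpcAdminUser = "admin"` (the name is a suggestion). The doc comment should also say that the function now rejects every access key except the admin one, since "strip only access key id" no longer describes it. Indexing `credentialElements[0]` relies on getRPCCredentialsFromAuth never returning an empty slice with a nil error; that function is outside the hunk, so this is worth confirming.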

@ -19,7 +19,6 @@ package main
import ( import (
"bytes" "bytes"
"encoding/hex" "encoding/hex"
"fmt"
"net/http" "net/http"
"sort" "sort"
"strings" "strings"
@ -64,7 +63,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
hashedPayload := hash() hashedPayload := hash()
req.Header.Set("Content-Type", "application/json") req.Header.Set("Content-Type", "application/json")
req.Header.Set("x-amz-content-sha256", hashedPayload) req.Header.Set("x-minio-content-sha256", hashedPayload)
var headers []string var headers []string
vals := make(map[string][]string) vals := make(map[string][]string)
@ -133,7 +132,6 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
stringToSign = stringToSign + scope + "\n" stringToSign = stringToSign + scope + "\n"
stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest))) stringToSign = stringToSign + hex.EncodeToString(sum256([]byte(canonicalRequest)))
fmt.Println(config)
date := sumHMAC([]byte("MINIO"+config.Users["admin"].SecretAccessKey), []byte(t.Format(yyyymmdd))) date := sumHMAC([]byte("MINIO"+config.Users["admin"].SecretAccessKey), []byte(t.Format(yyyymmdd)))
region := sumHMAC(date, []byte("milkyway")) region := sumHMAC(date, []byte("milkyway"))
service := sumHMAC(region, []byte("rpc")) service := sumHMAC(region, []byte("rpc"))
@ -143,7 +141,7 @@ func newRPCRequest(config *AuthConfig, url string, op rpcOperation, transport ht
// final Authorization header // final Authorization header
parts := []string{ parts := []string{
rpcAuthHeaderPrefix + " Credential=" + config.Users["admin"].AccessKeyID + "/" + scope, rpcAuthHeaderPrefix + " Credential=admin/" + scope,
"SignedHeaders=" + signedHeaders, "SignedHeaders=" + signedHeaders,
"Signature=" + signature, "Signature=" + signature,
} }
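Review bot: The Credential field is now the fixed string `admin`, while the signing key a few lines up still comes from `config.Users["admin"].SecretAccessKey` with no visible check that the entry exists. Depending on the map's value type (not shown here), a config without an admin user would either panic or derive the key from an empty secret and send a request that can only fail verification. A two-value lookup before signing, `admin, ok := config.Users["admin"]`, returning an error when `ok` is false, would make that failure explicit. newRPCRequest begins and ends outside these hunks.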
