From 6dd13e68c2002a5de7aa4fe5f5b9140f957110ee Mon Sep 17 00:00:00 2001 From: Harshavardhana Date: Thu, 17 Jan 2019 01:42:06 +0530 Subject: [PATCH] Support V2 signatures when autoencryption is enabled (#7084) When auto-encryption is turned on, we pro-actively add SSEHeader for all PUT, POST operations. This is unusual for V2 signature calculation because V2 signature doesn't have a pre-defined set of signed headers in the request like V4 signature. According to V2 we should canonicalize all incoming supported HTTP headers. Make sure to validate signatures before we mutate http headers
---
 cmd/object-handlers.go | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 9d2a7533f..753e8124c 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -1355,6 +1355,11 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
 bucket := vars["bucket"]
 object := vars["object"]
+ if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
+ writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
+ return
+ }
+
 // This request header needs to be set prior to setting ObjectOptions
 if globalAutoEncryption && !crypto.SSEC.IsRequested(r.Header) {
 r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
@@ -1370,11 +1375,6 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
 return
 }
- if s3Error := checkRequestAuthType(ctx, r, policy.PutObjectAction, bucket, object); s3Error != ErrNone {
- writeErrorResponse(w, s3Error, r.URL, guessIsBrowserReq(r))
- return
- }
-
 // Deny if WORM is enabled
 if globalWORMEnabled {
 if _, err = objectAPI.GetObjectInfo(ctx, bucket, object, opts); err == nil {
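Review bot: The new position of `checkRequestAuthType`, ahead of the `r.Header.Add(crypto.SSEHeader, ...)` block in the first hunk, is a security-relevant ordering that nothing in the code records, so a later reshuffle could silently put header mutation back in front of signature verification. I would add a comment above the moved check such as `// Authenticate before mutating r.Header: V2 signatures canonicalize the incoming headers, so a server-added SSE header breaks verification.` The commit message says the SSE header is added for all PUT and POST operations, but only NewMultipartUploadHandler is visible here, so any other handler that adds the header before authenticating may need the same ordering; that is worth confirming. A test that sends a V2-signed initiate-multipart request with auto-encryption enabled would pin the behaviour. The function body begins and ends outside the hunk.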