fix: support pre-sign signature for STS tokens (#8826)

Fixes #8391
Harshavardhana 5 years ago committed by kannappanr
parent 8cb6184f1d
commit 88286cf8d0
  1. 29
      cmd/signature-v4.go

@ -222,14 +222,6 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return errCode return errCode
} }
// Construct new query.
query := make(url.Values)
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" {
query.Set(xhttp.AmzContentSha256, hashedPayload)
}
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
// If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the // If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the
// request should still be allowed. // request should still be allowed.
if pSignValues.Date.After(UTCNow().Add(globalMaxSkewTime)) { if pSignValues.Date.After(UTCNow().Add(globalMaxSkewTime)) {
@ -244,6 +236,20 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
t := pSignValues.Date t := pSignValues.Date
expireSeconds := int(pSignValues.Expires / time.Second) expireSeconds := int(pSignValues.Expires / time.Second)
// Construct new query.
query := make(url.Values)
clntHashedPayload := req.URL.Query().Get(xhttp.AmzContentSha256)
if clntHashedPayload != "" {
query.Set(xhttp.AmzContentSha256, hashedPayload)
}
token := req.URL.Query().Get(xhttp.AmzSecurityToken)
if token != "" {
query.Set(xhttp.AmzSecurityToken, cred.SessionToken)
}
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
// Construct the query. // Construct the query.
query.Set(xhttp.AmzDate, t.Format(iso8601Format)) query.Set(xhttp.AmzDate, t.Format(iso8601Format))
query.Set(xhttp.AmzExpires, strconv.Itoa(expireSeconds)) query.Set(xhttp.AmzExpires, strconv.Itoa(expireSeconds))
@ -262,6 +268,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
if strings.Contains(key, "x-amz-server-side-") { if strings.Contains(key, "x-amz-server-side-") {
query.Set(k, v[0]) query.Set(k, v[0])
continue
} }
if strings.HasPrefix(key, "x-amz") { if strings.HasPrefix(key, "x-amz") {
@ -290,10 +297,12 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return ErrSignatureDoesNotMatch return ErrSignatureDoesNotMatch
} }
// Verify if sha256 payload query is same. // Verify if sha256 payload query is same.
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" { if clntHashedPayload != "" && clntHashedPayload != query.Get(xhttp.AmzContentSha256) {
if req.URL.Query().Get(xhttp.AmzContentSha256) != query.Get(xhttp.AmzContentSha256) {
return ErrContentSHA256Mismatch return ErrContentSHA256Mismatch
} }
// Verify if security token is correct.
if token != "" && subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 {
return ErrInvalidToken
} }
/// Verify finally if signature is same. /// Verify finally if signature is same.
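Review bot: The new `X-Amz-Security-Token` comparison in the last hunk is only enforced when the client sends a token (`token != ""`), so a presigned request signed with a temporary credential that omits the token is not rejected here even though `cred.SessionToken` is non-empty; unless the lookup that produced `cred` (outside the hunk) already refuses that case, add `if cred.SessionToken != "" && token == "" { return ErrInvalidToken }` beside the new check. The `subtle.ConstantTimeCompare` for the token value itself is the right choice. Since this check and the payload-hash check both run before the final signature comparison, the distinct `ErrInvalidToken` response tells a caller which step failed; that matches the existing `ErrContentSHA256Mismatch` behaviour, but the comment could say so, e.g. `// Verify the client-supplied security token matches the credential's session token (checked before the signature, so a mismatch is reported as ErrInvalidToken).` `doesPresignedSignatureMatch` begins before the first hunk and continues past the last line shown.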
