oyd
/
minio
6
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix signature v2 and presigned query unescaping. (#4936)

Browse Source 
Simplifies the testing code by using s3signer
package from minio-go library.

Fixes #4927
master
Harshavardhana 7 years ago committed by Dee Koder
parent aceaa1ec48
commit c3ff402fcb
5 changed files with 118 additions and 164 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 1
      cmd/bucket-handlers_test.go
  2. 2
      cmd/object-handlers_test.go
  3. 144
      cmd/signature-v2.go
  4. 57
      cmd/signature-v2_test.go
  5. 78
      cmd/test-utils_test.go

1
cmd/bucket-handlers_test.go
Unescape View File

@ -455,7 +455,6 @@ func testListMultipartUploadsHandler(obj ObjectLayer, instanceType, bucketName s
// verify response for V2 signed HTTP request.
reqV2, err := newTestSignedRequestV2("GET", u, 0, nil, testCase.accessKey, testCase.secretKey)
if err != nil {
t.Fatalf("Test %d: %s: Failed to create HTTP request for PutBucketPolicyHandler: <ERROR> %v", i+1, instanceType, err)
}

2
cmd/object-handlers_test.go
Unescape View File

@ -2813,6 +2813,7 @@ func testAPIPutObjectPartHandlerPreSign(obj ObjectLayer, instanceType, bucketNam
t.Fatalf("[%s] - Failed to create an unsigned request to put object part for %s/%s <ERROR> %v",
instanceType, bucketName, testObject, err)
}
err = preSignV2(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60))
if err != nil {
t.Fatalf("[%s] - Failed to presign an unsigned request to put object part for %s/%s <ERROR> %v",
@ -3301,6 +3302,7 @@ func testAPIListObjectPartsHandlerPreSign(obj ObjectLayer, instanceType, bucketN
instanceType, bucketName, mpartResp.UploadID)
}
req.Header = http.Header{}
err = preSignV2(req, credentials.AccessKey, credentials.SecretKey, int64(10*60*60))
if err != nil {
t.Fatalf("[%s] - Failed to presignV2 an unsigned request to list object parts for bucket %s, uploadId %s",

144
cmd/signature-v2.go
Unescape View File

@ -77,6 +77,20 @@ func doesPolicySignatureV2Match(formValues http.Header) APIErrorCode {
return ErrNone
}
// Escape encodedQuery string into unescaped list of query params, returns error
// if any while unescaping the values.
func unescapeQueries(encodedQuery string) (unescapedQueries []string, err error) {
for _, query := range strings.Split(encodedQuery, "&") {
var unescapedQuery string
unescapedQuery, err = url.QueryUnescape(query)
if err != nil {
return nil, err
}
unescapedQueries = append(unescapedQueries, unescapedQuery)
}
return unescapedQueries, nil
}
// doesPresignV2SignatureMatch - Verify query headers with presigned signature
// - http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
// returns ErrNone if matches. S3 errors otherwise.
@ -92,38 +106,38 @@ func doesPresignV2SignatureMatch(r *http.Request) APIErrorCode {
encodedQuery = tokens[1]
}
queries := strings.Split(encodedQuery, "&")
var filteredQueries []string
var gotSignature string
var expires string
var accessKey string
var err error
for _, query := range queries {
keyval := strings.Split(query, "=")
var (
filteredQueries []string
gotSignature string
expires string
accessKey string
err error
)
var unescapedQueries []string
unescapedQueries, err = unescapeQueries(encodedQuery)
if err != nil {
errorIf(err, "Unable to unescape (%s)", encodedQuery)
return ErrInvalidQueryParams
}
// Extract the necessary values from presigned query, construct a list of new filtered queries.
for _, query := range unescapedQueries {
keyval := strings.SplitN(query, "=", 2)
switch keyval[0] {
case "AWSAccessKeyId":
accessKey, err = url.QueryUnescape(keyval[1])
accessKey = keyval[1]
case "Signature":
gotSignature, err = url.QueryUnescape(keyval[1])
gotSignature = keyval[1]
case "Expires":
expires, err = url.QueryUnescape(keyval[1])
expires = keyval[1]
default:
unescapedQuery, qerr := url.QueryUnescape(query)
if qerr == nil {
filteredQueries = append(filteredQueries, unescapedQuery)
} else {
err = qerr
}
}
// Check if the query unescaped properly.
if err != nil {
errorIf(err, "Unable to unescape query values", queries)
return ErrInvalidQueryParams
filteredQueries = append(filteredQueries, query)
}
}
// Invalid access key.
if accessKey == "" {
// Invalid values returns error.
if accessKey == "" || gotSignature == "" || expires == "" {
return ErrInvalidQueryParams
}
@ -217,7 +231,13 @@ func doesSignV2Match(r *http.Request) APIErrorCode {
encodedQuery = tokens[1]
}
expectedAuth := signatureV2(r.Method, encodedResource, encodedQuery, r.Header)
unescapedQueries, err := unescapeQueries(encodedQuery)
if err != nil {
errorIf(err, "Unable to unescape (%s)", encodedQuery)
return ErrInvalidQueryParams
}
expectedAuth := signatureV2(r.Method, encodedResource, strings.Join(unescapedQueries, "&"), r.Header)
if v2Auth != expectedAuth {
return ErrSignatureDoesNotMatch
}
@ -234,14 +254,14 @@ func calculateSignatureV2(stringToSign string, secret string) string {
// Return signature-v2 for the presigned request.
func preSignatureV2(method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string {
cred := serverConfig.GetCredential()
stringToSign := presignV2STS(method, encodedResource, encodedQuery, headers, expires)
stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, expires)
return calculateSignatureV2(stringToSign, cred.SecretKey)
}
// Return signature-v2 authrization header.
func signatureV2(method string, encodedResource string, encodedQuery string, headers http.Header) string {
cred := serverConfig.GetCredential()
stringToSign := signV2STS(method, encodedResource, encodedQuery, headers)
stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, "")
signature := calculateSignatureV2(stringToSign, cred.SecretKey)
return fmt.Sprintf("%s %s:%s", signV2Algorithm, cred.AccessKey, signature)
}
@ -267,7 +287,7 @@ func canonicalizedAmzHeadersV2(headers http.Header) string {
}
// Return canonical resource string.
func canonicalizedResourceV2(encodedPath string, encodedQuery string) string {
func canonicalizedResourceV2(encodedQuery string) string {
queries := strings.Split(encodedQuery, "&")
keyval := make(map[string]string)
for _, query := range queries {
@ -280,6 +300,7 @@ func canonicalizedResourceV2(encodedPath string, encodedQuery string) string {
}
keyval[key] = val
}
var canonicalQueries []string
for _, key := range resourceList {
val, ok := keyval[key]
@ -290,68 +311,55 @@ func canonicalizedResourceV2(encodedPath string, encodedQuery string) string {
canonicalQueries = append(canonicalQueries, key)
continue
}
// Resources values should be unescaped
unescapedVal, err := url.QueryUnescape(val)
if err != nil {
errorIf(err, "Unable to unescape query value (query = `%s`, value = `%s`)", key, val)
continue
}
canonicalQueries = append(canonicalQueries, key+"="+unescapedVal)
canonicalQueries = append(canonicalQueries, key+"="+val)
}
if len(canonicalQueries) == 0 {
return encodedPath
}
// the queries will be already sorted as resourceList is sorted.
return encodedPath + "?" + strings.Join(canonicalQueries, "&")
// The queries will be already sorted as resourceList is sorted, if canonicalQueries
// is empty strings.Join returns empty.
return strings.Join(canonicalQueries, "&")
}
// Return string to sign for authz header calculation.
func signV2STS(method string, encodedResource string, encodedQuery string, headers http.Header) string {
// Return string to sign under two different conditions.
// - if expires string is set then string to sign includes date instead of the Date header.
// - if expires string is empty then string to sign includes date header instead.
func getStringToSignV2(method string, encodedResource, encodedQuery string, headers http.Header, expires string) string {
canonicalHeaders := canonicalizedAmzHeadersV2(headers)
if len(canonicalHeaders) > 0 {
canonicalHeaders += "\n"
}
date := expires // Date is set to expires date for presign operations.
if date == "" {
// If expires date is empty then request header Date is used.
date = headers.Get("Date")
}
// From the Amazon docs:
//
// StringToSign = HTTP-Verb + "\n" +
// Content-Md5 + "\n" +
// Content-Type + "\n" +
// Date + "\n" +
// Date/Expires + "\n" +
// CanonicalizedProtocolHeaders +
// CanonicalizedResource;
stringToSign := strings.Join([]string{
method,
headers.Get("Content-MD5"),
headers.Get("Content-Type"),
headers.Get("Date"),
date,
canonicalHeaders,
}, "\n") + canonicalizedResourceV2(encodedResource, encodedQuery)
}, "\n")
return stringToSign
}
// For presigned signature no need to filter out based on resourceList,
// just sign whatever is with the request.
if expires != "" {
return stringToSign + encodedResource + "?" + encodedQuery
}
// Return string to sign for pre-sign signature calculation.
func presignV2STS(method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string {
canonicalHeaders := canonicalizedAmzHeadersV2(headers)
if len(canonicalHeaders) > 0 {
canonicalHeaders += "\n"
canonicalResource := canonicalizedResourceV2(encodedQuery)
if canonicalResource != "" {
return stringToSign + encodedResource + "?" + canonicalResource
}
// From the Amazon docs:
//
// StringToSign = HTTP-Verb + "\n" +
// Content-Md5 + "\n" +
// Content-Type + "\n" +
// Expires + "\n" +
// CanonicalizedProtocolHeaders +
// CanonicalizedResource;
stringToSign := strings.Join([]string{
method,
headers.Get("Content-MD5"),
headers.Get("Content-Type"),
expires,
canonicalHeaders,
}, "\n") + canonicalizedResourceV2(encodedResource, encodedQuery)
return stringToSign
return stringToSign + encodedResource
}

57
cmd/signature-v2_test.go
Unescape View File

@ -48,9 +48,12 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
now := UTCNow()
var (
accessKey = serverConfig.GetCredential().AccessKey
secretKey = serverConfig.GetCredential().SecretKey
)
testCases := []struct {
queryParams map[string]string
headers map[string]string
expected APIErrorCode
}{
// (0) Should error without a set URL query.
@ -71,7 +74,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
queryParams: map[string]string{
"Expires": "60s",
"Signature": "badsignature",
"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
"AWSAccessKeyId": accessKey,
},
expected: ErrMalformedExpires,
},
@ -80,7 +83,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
queryParams: map[string]string{
"Expires": "60",
"Signature": "badsignature",
"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
"AWSAccessKeyId": accessKey,
},
expected: ErrExpiredPresignRequest,
},
@ -89,7 +92,7 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
queryParams: map[string]string{
"Expires": fmt.Sprintf("%d", now.Unix()+60),
"Signature": "badsignature",
"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
"AWSAccessKeyId": accessKey,
},
expected: ErrSignatureDoesNotMatch,
},
@ -98,10 +101,17 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
queryParams: map[string]string{
"Expires": fmt.Sprintf("%d", now.Unix()+60),
"Signature": "zOM2YrY/yAQe15VWmT78OlBrK6g=",
"AWSAccessKeyId": serverConfig.GetCredential().AccessKey,
"AWSAccessKeyId": accessKey,
},
expected: ErrSignatureDoesNotMatch,
},
// (6) Should error when the signature does not match.
{
queryParams: map[string]string{
"response-content-disposition": "attachment; filename=\"4K%2d4M.txt\"",
},
expected: ErrNone,
},
}
// Run each test case individually.
@ -111,25 +121,32 @@ func TestDoesPresignedV2SignatureMatch(t *testing.T) {
for key, value := range testCase.queryParams {
query.Set(key, value)
}
// Create a request to use.
req, e := http.NewRequest(http.MethodGet, "http://host/a/b?"+query.Encode(), nil)
if e != nil {
t.Errorf("(%d) failed to create http.Request, got %v", i, e)
req, err := http.NewRequest(http.MethodGet, "http://host/a/b?"+query.Encode(), nil)
if err != nil {
t.Errorf("(%d) failed to create http.Request, got %v", i, err)
}
// Should be set since we are simulating a http server.
req.RequestURI = req.URL.RequestURI()
// Do the same for the headers.
for key, value := range testCase.headers {
req.Header.Set(key, value)
if testCase.expected != ErrNone {
// Should be set since we are simulating a http server.
req.RequestURI = req.URL.RequestURI()
// Check if it matches!
errCode := doesPresignV2SignatureMatch(req)
if errCode != testCase.expected {
t.Errorf("(%d) expected to get %s, instead got %s", i, niceError(testCase.expected), niceError(errCode))
}
} else {
err = preSignV2(req, accessKey, secretKey, now.Unix()+60)
if err != nil {
t.Fatalf("(%d) failed to preSignV2 http request, got %v", i, err)
}
// Should be set since we are simulating a http server.
req.RequestURI = req.URL.RequestURI()
errCode := doesPresignV2SignatureMatch(req)
if errCode != testCase.expected {
t.Errorf("(%d) expected to get success, instead got %s", i, niceError(errCode))
}
}
// Check if it matches!
err := doesPresignV2SignatureMatch(req)
if err != testCase.expected {
t.Errorf("(%d) expected to get %s, instead got %s", i, niceError(testCase.expected), niceError(err))
}
}
}

78
cmd/test-utils_test.go
Unescape View File

@ -20,14 +20,11 @@ import (
"bufio"
"bytes"
"crypto/ecdsa"
"crypto/hmac"
crand "crypto/rand"
"crypto/rsa"
"crypto/sha1"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/hex"
"encoding/json"
"encoding/pem"
@ -52,6 +49,7 @@ import (
"github.com/fatih/color"
router "github.com/gorilla/mux"
"github.com/minio/minio-go/pkg/s3signer"
)
// Tests should initNSLock only once.
@ -882,84 +880,14 @@ func preSignV2(req *http.Request, accessKeyID, secretAccessKey string, expires i
if accessKeyID == "" || secretAccessKey == "" {
return errors.New("Presign cannot be generated without access and secret keys")
}
d := UTCNow()
// Find epoch expires when the request will expire.
epochExpires := d.Unix() + expires
// Add expires header if not present.
expiresStr := req.Header.Get("Expires")
if expiresStr == "" {
expiresStr = strconv.FormatInt(epochExpires, 10)
req.Header.Set("Expires", expiresStr)
}
// url.RawPath will be valid if path has any encoded characters, if not it will
// be empty - in which case we need to consider url.Path (bug in net/http?)
encodedResource := req.URL.RawPath
encodedQuery := req.URL.RawQuery
if encodedResource == "" {
splits := strings.Split(req.URL.Path, "?")
if len(splits) > 0 {
encodedResource = splits[0]
}
}
// Get presigned string to sign.
stringToSign := presignV2STS(req.Method, encodedResource, encodedQuery, req.Header, expiresStr)
hm := hmac.New(sha1.New, []byte(secretAccessKey))
hm.Write([]byte(stringToSign))
// Calculate signature.
signature := base64.StdEncoding.EncodeToString(hm.Sum(nil))
query := req.URL.Query()
// Handle specially for Google Cloud Storage.
query.Set("AWSAccessKeyId", accessKeyID)
// Fill in Expires for presigned query.
query.Set("Expires", strconv.FormatInt(epochExpires, 10))
// Encode query and save.
req.URL.RawQuery = query.Encode()
// Save signature finally.
req.URL.RawQuery += "&Signature=" + url.QueryEscape(signature)
// Success.
req = s3signer.PreSignV2(*req, accessKeyID, secretAccessKey, expires)
return nil
}
// Sign given request using Signature V2.
func signRequestV2(req *http.Request, accessKey, secretKey string) error {
// Initial time.
d := UTCNow()
// Add date if not present.
if date := req.Header.Get("Date"); date == "" {
req.Header.Set("Date", d.Format(http.TimeFormat))
}
splits := strings.Split(req.URL.Path, "?")
var encodedResource string
if len(splits) > 0 {
encodedResource = getURLEncodedName(splits[0])
}
encodedQuery := req.URL.Query().Encode()
// Calculate HMAC for secretAccessKey.
stringToSign := signV2STS(req.Method, encodedResource, encodedQuery, req.Header)
hm := hmac.New(sha1.New, []byte(secretKey))
hm.Write([]byte(stringToSign))
// Prepare auth header.
authHeader := new(bytes.Buffer)
authHeader.WriteString(fmt.Sprintf("%s %s:", signV2Algorithm, accessKey))
encoder := base64.NewEncoder(base64.StdEncoding, authHeader)
encoder.Write(hm.Sum(nil))
encoder.Close()
// Set Authorization header.
req.Header.Set("Authorization", authHeader.String())
req = s3signer.SignV2(*req, accessKey, secretKey)
return nil
}

Write Preview
Loading…
Cancel
Save