@ -167,7 +167,7 @@ func doesPolicySignatureV4Match(formValues http.Header) APIErrorCode {
region := globalServerConfig . GetRegion ( )
region := globalServerConfig . GetRegion ( )
// Parse credential tag.
// Parse credential tag.
credHeader , err := parseCredentialHeader ( "Credential=" + formValues . Get ( "X-Amz-Credential" ) )
credHeader , err := parseCredentialHeader ( "Credential=" + formValues . Get ( "X-Amz-Credential" ) , region )
if err != ErrNone {
if err != ErrNone {
return ErrMissingFields
return ErrMissingFields
}
}
@ -177,14 +177,8 @@ func doesPolicySignatureV4Match(formValues http.Header) APIErrorCode {
return ErrInvalidAccessKeyID
return ErrInvalidAccessKeyID
}
}
// Verify if the region is valid.
sRegion := credHeader . scope . region
if ! isValidRegion ( sRegion , region ) {
return ErrInvalidRegion
}
// Get signing key.
// Get signing key.
signingKey := getSigningKey ( cred . SecretKey , credHeader . scope . date , sR egion)
signingKey := getSigningKey ( cred . SecretKey , credHeader . scope . date , credHeader . scope . region )
// Get signature.
// Get signature.
newSignature := getSignature ( signingKey , formValues . Get ( "Policy" ) )
newSignature := getSignature ( signingKey , formValues . Get ( "Policy" ) )
@ -209,7 +203,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
req := * r
req := * r
// Parse request query string.
// Parse request query string.
pSignValues , err := parsePreSignV4 ( req . URL . Query ( ) )
pSignValues , err := parsePreSignV4 ( req . URL . Query ( ) , region )
if err != ErrNone {
if err != ErrNone {
return err
return err
}
}
@ -219,16 +213,6 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return ErrInvalidAccessKeyID
return ErrInvalidAccessKeyID
}
}
// Verify if region is valid.
sRegion := pSignValues . Credential . scope . region
// Should validate region, only if region is set.
if region == "" {
region = sRegion
}
if ! isValidRegion ( sRegion , region ) {
return ErrInvalidRegion
}
// Extract all the signed headers along with its values.
// Extract all the signed headers along with its values.
extractedSignedHeaders , errCode := extractSignedHeaders ( pSignValues . SignedHeaders , r )
extractedSignedHeaders , errCode := extractSignedHeaders ( pSignValues . SignedHeaders , r )
if errCode != ErrNone {
if errCode != ErrNone {
@ -260,7 +244,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
query . Set ( "X-Amz-Date" , t . Format ( iso8601Format ) )
query . Set ( "X-Amz-Date" , t . Format ( iso8601Format ) )
query . Set ( "X-Amz-Expires" , strconv . Itoa ( expireSeconds ) )
query . Set ( "X-Amz-Expires" , strconv . Itoa ( expireSeconds ) )
query . Set ( "X-Amz-SignedHeaders" , getSignedHeaders ( extractedSignedHeaders ) )
query . Set ( "X-Amz-SignedHeaders" , getSignedHeaders ( extractedSignedHeaders ) )
query . Set ( "X-Amz-Credential" , cred . AccessKey + "/" + getScope ( t , sR egion) )
query . Set ( "X-Amz-Credential" , cred . AccessKey + "/" + getScope ( t , pSignValues . Credential . scope . r egion) )
// Save other headers available in the request parameters.
// Save other headers available in the request parameters.
for k , v := range req . URL . Query ( ) {
for k , v := range req . URL . Query ( ) {
@ -292,7 +276,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
// Verify if sha256 payload query is same.
// Verify if sha256 payload query is same.
if req . URL . Query ( ) . Get ( "X-Amz-Content-Sha256" ) != "" {
if req . URL . Query ( ) . Get ( "X-Amz-Content-Sha256" ) != "" {
if req . URL . Query ( ) . Get ( "X-Amz-Content-Sha256" ) != query . Get ( "X-Amz-Content-Sha256" ) {
if req . URL . Query ( ) . Get ( "X-Amz-Content-Sha256" ) != query . Get ( "X-Amz-Content-Sha256" ) {
return ErrSignatureDoesNotM atch
return ErrContentSHA256Mism atch
}
}
}
}
@ -305,7 +289,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
presignedStringToSign := getStringToSign ( presignedCanonicalReq , t , pSignValues . Credential . getScope ( ) )
presignedStringToSign := getStringToSign ( presignedCanonicalReq , t , pSignValues . Credential . getScope ( ) )
// Get hmac presigned signing key.
// Get hmac presigned signing key.
presignedSigningKey := getSigningKey ( cred . SecretKey , pSignValues . Credential . scope . date , region )
presignedSigningKey := getSigningKey ( cred . SecretKey , pSignValues . Credential . scope . date , pSignValues . Credential . scope . region )
// Get new signature.
// Get new signature.
newSignature := getSignature ( presignedSigningKey , presignedStringToSign )
newSignature := getSignature ( presignedSigningKey , presignedStringToSign )
@ -331,7 +315,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
v4Auth := req . Header . Get ( "Authorization" )
v4Auth := req . Header . Get ( "Authorization" )
// Parse signature version '4' header.
// Parse signature version '4' header.
signV4Values , err := parseSignV4 ( v4Auth )
signV4Values , err := parseSignV4 ( v4Auth , region )
if err != ErrNone {
if err != ErrNone {
return err
return err
}
}
@ -347,20 +331,6 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
return ErrInvalidAccessKeyID
return ErrInvalidAccessKeyID
}
}
// Verify if region is valid.
sRegion := signV4Values . Credential . scope . region
// Region is set to be empty, we use whatever was sent by the
// request and proceed further. This is a work-around to address
// an important problem for ListBuckets() getting signed with
// different regions.
if region == "" {
region = sRegion
}
// Should validate region, only if region is set.
if ! isValidRegion ( sRegion , region ) {
return ErrInvalidRegion
}
// Extract date, if not present throw error.
// Extract date, if not present throw error.
var date string
var date string
if date = req . Header . Get ( http . CanonicalHeaderKey ( "x-amz-date" ) ) ; date == "" {
if date = req . Header . Get ( http . CanonicalHeaderKey ( "x-amz-date" ) ) ; date == "" {
@ -384,7 +354,7 @@ func doesSignatureMatch(hashedPayload string, r *http.Request, region string) AP
stringToSign := getStringToSign ( canonicalRequest , t , signV4Values . Credential . getScope ( ) )
stringToSign := getStringToSign ( canonicalRequest , t , signV4Values . Credential . getScope ( ) )
// Get hmac signing key.
// Get hmac signing key.
signingKey := getSigningKey ( cred . SecretKey , signV4Values . Credential . scope . date , region )
signingKey := getSigningKey ( cred . SecretKey , signV4Values . Credential . scope . date , signV4Values . Credential . scope . region )
// Calculate signature.
// Calculate signature.
newSignature := getSignature ( signingKey , stringToSign )
newSignature := getSignature ( signingKey , stringToSign )
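Review bot: With the `isValidRegion` blocks removed from doesPolicySignatureV4Match, doesPresignedSignatureMatch and doesSignatureMatch, nothing left in these hunks rejects a credential scope whose region differs from the server's, and `getSigningKey` now derives the key from the request-supplied `scope.region` instead of the server `region`. That is sound only if `parseCredentialHeader`, `parsePreSignV4` and `parseSignV4` enforce the region from their new `region` argument, including the former empty-region case; their bodies are not shown here, so this should be confirmed and pinned by a test that expects ErrInvalidRegion for a mismatched scope. In the policy path the parser result is still collapsed by `return ErrMissingFields`, so a region mismatch that used to yield ErrInvalidRegion would presumably now be reported as missing fields; `return err` would preserve the code. The deleted comment about ListBuckets being signed with different regions was the only explanation of why an empty server region accepts any scope region, and it should move to wherever that rule now lives, for example `// An empty server region accepts the region sent in the request (ListBuckets may be signed with a different region).` All three functions start and end outside the hunks shown.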