Handle both space and non-space characters, in signature v4 - add errors for all API's

10 years ago · e5006c738d
parent eac92d4647
commit e5006c738d
4 changed files with 36 additions and 23 deletions
--- a/pkg/donut/signature-v4.go
+++ b/pkg/donut/signature-v4.go
@ -226,21 +226,14 @@ func (r *Signature) DoesSignatureMatch(hashedPayload string) (bool, error) {
 	if err != nil {
 		return false, iodine.New(err, nil)
 	}
 	signedHeaders := r.getSignedHeaders()
 	canonicalRequest := r.getCanonicalRequest()
 	scope := r.getScope(t)
 	stringToSign := r.getStringToSign(canonicalRequest, t)
 	signingKey := r.getSigningKey(t)
-	signature := r.getSignature(signingKey, stringToSign)
+	newSignature := r.getSignature(signingKey, stringToSign)
-	// final Authorization header
+	authFields := strings.Split(strings.TrimSpace(r.AuthHeader), ",")
-	parts := []string{
+	signature := strings.Split(strings.TrimSpace(authFields[2]), "=")[1]
-		authHeaderPrefix + " Credential=" + r.AccessKeyID + "/" + scope,
+	if newSignature != signature {
 		"SignedHeaders=" + signedHeaders,
 		"Signature=" + signature,
 	}
 	newAuthHeader := strings.Join(parts, ", ")
 	if newAuthHeader != r.AuthHeader {
 		return false, nil
 	}
 	return true, nil
--- a/pkg/server/api/bucket-handlers.go
+++ b/pkg/server/api/bucket-handlers.go
@ -118,17 +118,15 @@ func (api Minio) ListMultipartUploadsHandler(w http.ResponseWriter, req *http.Re
 			// write body
 			w.Write(encodedSuccessResponse)
 		}
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.BucketNotFound:
 		{
 		writeErrorResponse(w, req, NoSuchBucket, acceptsContentType, req.URL.Path)
 		}
 	default:
 		{
 		log.Error.Println(iodine.New(err, nil))
 		writeErrorResponse(w, req, InternalError, acceptsContentType, req.URL.Path)
 	}
 }
 }
 // ListObjectsHandler - GET Bucket (List Objects)
 // -------------------------
@ -185,6 +183,8 @@ func (api Minio) ListObjectsHandler(w http.ResponseWriter, req *http.Request) {
 		setCommonHeaders(w, getContentTypeString(acceptsContentType), len(encodedSuccessResponse))
 		// write body
 		w.Write(encodedSuccessResponse)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.BucketNameInvalid:
 		writeErrorResponse(w, req, InvalidBucketName, acceptsContentType, req.URL.Path)
 	case donut.BucketNotFound:
@ -242,6 +242,8 @@ func (api Minio) ListBucketsHandler(w http.ResponseWriter, req *http.Request) {
 		setCommonHeaders(w, getContentTypeString(acceptsContentType), len(encodedSuccessResponse))
 		// write response
 		w.Write(encodedSuccessResponse)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	default:
 		log.Error.Println(iodine.New(err, nil))
 		writeErrorResponse(w, req, InternalError, acceptsContentType, req.URL.Path)
@ -300,6 +302,8 @@ func (api Minio) PutBucketHandler(w http.ResponseWriter, req *http.Request) {
 		// Make sure to add Location information here only for bucket
 		w.Header().Set("Location", "/"+bucket)
 		writeSuccessResponse(w, acceptsContentType)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.TooManyBuckets:
 		writeErrorResponse(w, req, TooManyBuckets, acceptsContentType, req.URL.Path)
 	case donut.BucketNameInvalid:
@ -352,6 +356,8 @@ func (api Minio) PutBucketACLHandler(w http.ResponseWriter, req *http.Request) {
 	switch iodine.ToError(err).(type) {
 	case nil:
 		writeSuccessResponse(w, acceptsContentType)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.BucketNameInvalid:
 		writeErrorResponse(w, req, InvalidBucketName, acceptsContentType, req.URL.Path)
 	case donut.BucketNotFound:
@ -398,6 +404,8 @@ func (api Minio) HeadBucketHandler(w http.ResponseWriter, req *http.Request) {
 	switch iodine.ToError(err).(type) {
 	case nil:
 		writeSuccessResponse(w, acceptsContentType)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.BucketNotFound:
 		error := getErrorCode(NoSuchBucket)
 		w.WriteHeader(error.HTTPStatusCode)
--- a/pkg/server/api/object-handlers.go
+++ b/pkg/server/api/object-handlers.go
@ -91,6 +91,8 @@ func (api Minio) GetObjectHandler(w http.ResponseWriter, req *http.Request) {
 				}
 			}
 		}
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.BucketNameInvalid:
 		writeErrorResponse(w, req, InvalidBucketName, acceptsContentType, req.URL.Path)
 	case donut.BucketNotFound:
@ -144,6 +146,10 @@ func (api Minio) HeadObjectHandler(w http.ResponseWriter, req *http.Request) {
 	case nil:
 		setObjectHeaders(w, metadata)
 		w.WriteHeader(http.StatusOK)
 	case donut.SignatureDoesNotMatch:
 		error := getErrorCode(SignatureDoesNotMatch)
 		w.Header().Set("Server", "Minio")
 		w.WriteHeader(error.HTTPStatusCode)
 	case donut.BucketNameInvalid:
 		error := getErrorCode(InvalidBucketName)
 		w.Header().Set("Server", "Minio")
@ -314,6 +320,8 @@ func (api Minio) NewMultipartUploadHandler(w http.ResponseWriter, req *http.Requ
 			// write body
 			w.Write(encodedSuccessResponse)
 		}
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.ObjectExists:
 		writeErrorResponse(w, req, MethodNotAllowed, acceptsContentType, req.URL.Path)
 	default:
@ -450,6 +458,8 @@ func (api Minio) AbortMultipartUploadHandler(w http.ResponseWriter, req *http.Re
 	case nil:
 		setCommonHeaders(w, getContentTypeString(acceptsContentType), 0)
 		w.WriteHeader(http.StatusNoContent)
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.InvalidUploadID:
 		writeErrorResponse(w, req, NoSuchUpload, acceptsContentType, req.URL.Path)
 	default:
@ -505,6 +515,8 @@ func (api Minio) ListObjectPartsHandler(w http.ResponseWriter, req *http.Request
 			// write body
 			w.Write(encodedSuccessResponse)
 		}
 	case donut.SignatureDoesNotMatch:
 		writeErrorResponse(w, req, SignatureDoesNotMatch, acceptsContentType, req.URL.Path)
 	case donut.InvalidUploadID:
 		writeErrorResponse(w, req, NoSuchUpload, acceptsContentType, req.URL.Path)
 	default:
--- a/pkg/server/api/signature.go
+++ b/pkg/server/api/signature.go
@ -35,7 +35,7 @@ func StripAccessKeyID(ah string) (string, error) {
 	if ah == "" {
 		return "", errors.New("Missing auth header")
 	}
-	authFields := strings.Split(ah, ",")
+	authFields := strings.Split(strings.TrimSpace(ah), ",")
 	if len(authFields) != 3 {
 		return "", errors.New("Missing fields in Auth header")
 	}
@ -46,17 +46,17 @@ func StripAccessKeyID(ah string) (string, error) {
 	if authPrefixFields[0] != authHeaderPrefix {
 		return "", errors.New("Missing fields is Auth header")
 	}
-	credentials := strings.Split(authPrefixFields[1], "=")
+	credentials := strings.Split(strings.TrimSpace(authPrefixFields[1]), "=")
 	if len(credentials) != 2 {
 		return "", errors.New("Missing fields in Auth header")
 	}
-	if len(strings.Split(authFields[1], "=")) != 2 {
+	if len(strings.Split(strings.TrimSpace(authFields[1]), "=")) != 2 {
 		return "", errors.New("Missing fields in Auth header")
 	}
-	if len(strings.Split(authFields[2], "=")) != 2 {
+	if len(strings.Split(strings.TrimSpace(authFields[2]), "=")) != 2 {
 		return "", errors.New("Missing fields in Auth header")
 	}
-	accessKeyID := strings.Split(credentials[1], "/")[0]
+	accessKeyID := strings.Split(strings.TrimSpace(credentials[1]), "/")[0]
 	if !auth.IsValidAccessKey(accessKeyID) {
 		return "", errors.New("Invalid access key")
 	}