123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411 |
- package s3api
- import (
- "bufio"
- "bytes"
- "crypto/sha256"
- "encoding/hex"
- "errors"
- "github.com/chrislusf/seaweedfs/weed/s3api/s3err"
- "hash"
- "io"
- "net/http"
- "time"
- "github.com/dustin/go-humanize"
- )
- func getChunkSignature(secretKey string, seedSignature string, region string, date time.Time, hashedChunk string) string {
-
- stringToSign := signV4ChunkedAlgorithm + "\n" +
- date.Format(iso8601Format) + "\n" +
- getScope(date, region) + "\n" +
- seedSignature + "\n" +
- emptySHA256 + "\n" +
- hashedChunk
-
- signingKey := getSigningKey(secretKey, date, region, "s3")
-
- newSignature := getSignature(signingKey, stringToSign)
- return newSignature
- }
- func (iam *IdentityAccessManagement) calculateSeedSignature(r *http.Request) (cred *Credential, signature string, region string, date time.Time, errCode s3err.ErrorCode) {
-
- req := *r
-
- v4Auth := req.Header.Get("Authorization")
-
- signV4Values, errCode := parseSignV4(v4Auth)
- if errCode != s3err.ErrNone {
- return nil, "", "", time.Time{}, errCode
- }
-
- payload := streamingContentSHA256
-
- if payload != req.Header.Get("X-Amz-Content-Sha256") {
- return nil, "", "", time.Time{}, s3err.ErrContentSHA256Mismatch
- }
-
- extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
- if errCode != s3err.ErrNone {
- return nil, "", "", time.Time{}, errCode
- }
-
- identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
- if !found {
- return nil, "", "", time.Time{}, s3err.ErrInvalidAccessKeyID
- }
- bucket, _ := getBucketAndObject(r)
- if !identity.canDo("Write", bucket) {
- errCode = s3err.ErrAccessDenied
- return
- }
-
- region = signV4Values.Credential.scope.region
-
- var dateStr string
- if dateStr = req.Header.Get(http.CanonicalHeaderKey("x-amz-date")); dateStr == "" {
- if dateStr = r.Header.Get("Date"); dateStr == "" {
- return nil, "", "", time.Time{}, s3err.ErrMissingDateHeader
- }
- }
-
- var err error
- date, err = time.Parse(iso8601Format, dateStr)
- if err != nil {
- return nil, "", "", time.Time{}, s3err.ErrMalformedDate
- }
-
- queryStr := req.URL.Query().Encode()
-
- canonicalRequest := getCanonicalRequest(extractedSignedHeaders, payload, queryStr, req.URL.Path, req.Method)
-
- stringToSign := getStringToSign(canonicalRequest, date, signV4Values.Credential.getScope())
-
- signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date, region, "s3")
-
- newSignature := getSignature(signingKey, stringToSign)
-
- if !compareSignatureV4(newSignature, signV4Values.Signature) {
- return nil, "", "", time.Time{}, s3err.ErrSignatureDoesNotMatch
- }
-
- return cred, newSignature, region, date, s3err.ErrNone
- }
- const maxLineLength = 4 * humanize.KiByte
- var errLineTooLong = errors.New("header line too long")
- var errMalformedEncoding = errors.New("malformed chunked encoding")
- func (iam *IdentityAccessManagement) newSignV4ChunkedReader(req *http.Request) (io.ReadCloser, s3err.ErrorCode) {
- ident, seedSignature, region, seedDate, errCode := iam.calculateSeedSignature(req)
- if errCode != s3err.ErrNone {
- return nil, errCode
- }
- return &s3ChunkedReader{
- cred: ident,
- reader: bufio.NewReader(req.Body),
- seedSignature: seedSignature,
- seedDate: seedDate,
- region: region,
- chunkSHA256Writer: sha256.New(),
- state: readChunkHeader,
- }, s3err.ErrNone
- }
- type s3ChunkedReader struct {
- cred *Credential
- reader *bufio.Reader
- seedSignature string
- seedDate time.Time
- region string
- state chunkState
- lastChunk bool
- chunkSignature string
- chunkSHA256Writer hash.Hash
- n uint64
- err error
- }
- func (cr *s3ChunkedReader) readS3ChunkHeader() {
-
- var hexChunkSize, hexChunkSignature []byte
- hexChunkSize, hexChunkSignature, cr.err = readChunkLine(cr.reader)
- if cr.err != nil {
- return
- }
-
- cr.n, cr.err = parseHexUint(hexChunkSize)
- if cr.err != nil {
- return
- }
- if cr.n == 0 {
- cr.err = io.EOF
- }
-
- cr.chunkSignature = string(hexChunkSignature)
- }
- type chunkState int
- const (
- readChunkHeader chunkState = iota
- readChunkTrailer
- readChunk
- verifyChunk
- eofChunk
- )
- func (cs chunkState) String() string {
- stateString := ""
- switch cs {
- case readChunkHeader:
- stateString = "readChunkHeader"
- case readChunkTrailer:
- stateString = "readChunkTrailer"
- case readChunk:
- stateString = "readChunk"
- case verifyChunk:
- stateString = "verifyChunk"
- case eofChunk:
- stateString = "eofChunk"
- }
- return stateString
- }
- func (cr *s3ChunkedReader) Close() (err error) {
- return nil
- }
- func (cr *s3ChunkedReader) Read(buf []byte) (n int, err error) {
- for {
- switch cr.state {
- case readChunkHeader:
- cr.readS3ChunkHeader()
-
- if cr.n == 0 && cr.err == io.EOF {
- cr.state = readChunkTrailer
- cr.lastChunk = true
- continue
- }
- if cr.err != nil {
- return 0, cr.err
- }
- cr.state = readChunk
- case readChunkTrailer:
- cr.err = readCRLF(cr.reader)
- if cr.err != nil {
- return 0, errMalformedEncoding
- }
- cr.state = verifyChunk
- case readChunk:
-
- if len(buf) == 0 {
- return n, nil
- }
- rbuf := buf
-
-
- if uint64(len(rbuf)) > cr.n {
- rbuf = rbuf[:cr.n]
- }
- var n0 int
- n0, cr.err = cr.reader.Read(rbuf)
- if cr.err != nil {
-
- if cr.err == io.EOF {
- cr.err = io.ErrUnexpectedEOF
- }
- return 0, cr.err
- }
-
- cr.chunkSHA256Writer.Write(rbuf[:n0])
-
- n += n0
- buf = buf[n0:]
-
- cr.n -= uint64(n0)
-
- if cr.n == 0 {
- cr.state = readChunkTrailer
- continue
- }
- case verifyChunk:
-
- hashedChunk := hex.EncodeToString(cr.chunkSHA256Writer.Sum(nil))
-
- newSignature := getChunkSignature(cr.cred.SecretKey, cr.seedSignature, cr.region, cr.seedDate, hashedChunk)
- if !compareSignatureV4(cr.chunkSignature, newSignature) {
-
- cr.err = errors.New("chunk signature does not match")
- return 0, cr.err
- }
-
-
- cr.seedSignature = newSignature
- cr.chunkSHA256Writer.Reset()
- if cr.lastChunk {
- cr.state = eofChunk
- } else {
- cr.state = readChunkHeader
- }
- case eofChunk:
- return n, io.EOF
- }
- }
- }
- func readCRLF(reader io.Reader) error {
- buf := make([]byte, 2)
- _, err := io.ReadFull(reader, buf[:2])
- if err != nil {
- return err
- }
- if buf[0] != '\r' || buf[1] != '\n' {
- return errMalformedEncoding
- }
- return nil
- }
- func readChunkLine(b *bufio.Reader) ([]byte, []byte, error) {
- buf, err := b.ReadSlice('\n')
- if err != nil {
-
-
- if err == io.EOF {
- err = io.ErrUnexpectedEOF
- } else if err == bufio.ErrBufferFull {
- err = errLineTooLong
- }
- return nil, nil, err
- }
- if len(buf) >= maxLineLength {
- return nil, nil, errLineTooLong
- }
-
- hexChunkSize, hexChunkSignature := parseS3ChunkExtension(buf)
- return hexChunkSize, hexChunkSignature, nil
- }
- func trimTrailingWhitespace(b []byte) []byte {
- for len(b) > 0 && isASCIISpace(b[len(b)-1]) {
- b = b[:len(b)-1]
- }
- return b
- }
- func isASCIISpace(b byte) bool {
- return b == ' ' || b == '\t' || b == '\n' || b == '\r'
- }
- const s3ChunkSignatureStr = ";chunk-signature="
- func parseS3ChunkExtension(buf []byte) ([]byte, []byte) {
- buf = trimTrailingWhitespace(buf)
- semi := bytes.Index(buf, []byte(s3ChunkSignatureStr))
-
- if semi == -1 {
- return buf, nil
- }
- return buf[:semi], parseChunkSignature(buf[semi:])
- }
- func parseChunkSignature(chunk []byte) []byte {
- chunkSplits := bytes.SplitN(chunk, []byte(s3ChunkSignatureStr), 2)
- return chunkSplits[1]
- }
- func parseHexUint(v []byte) (n uint64, err error) {
- for i, b := range v {
- switch {
- case '0' <= b && b <= '9':
- b = b - '0'
- case 'a' <= b && b <= 'f':
- b = b - 'a' + 10
- case 'A' <= b && b <= 'F':
- b = b - 'A' + 10
- default:
- return 0, errors.New("invalid byte in chunk length")
- }
- if i == 16 {
- return 0, errors.New("http chunk length too large")
- }
- n <<= 4
- n |= uint64(b)
- }
- return
- }
|