/* * The following code tries to reverse engineer the Amazon S3 APIs, * and is mostly copied from minio implementation. */ // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or // implied. See the License for the specific language governing // permissions and limitations under the License. package s3api import ( "crypto/hmac" "crypto/sha1" "crypto/subtle" "encoding/base64" "net/http" "sort" "strconv" "strings" "time" "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants" "github.com/seaweedfs/seaweedfs/weed/s3api/s3err" ) // Whitelist resource list that will be used in query string for signature-V2 calculation. // The list should be alphabetically sorted var resourceList = []string{ "acl", "delete", "lifecycle", "location", "logging", "notification", "partNumber", "policy", "requestPayment", "response-cache-control", "response-content-disposition", "response-content-encoding", "response-content-language", "response-content-type", "response-expires", "torrent", "uploadId", "uploads", "versionId", "versioning", "versions", "website", } // Verify if request has AWS Signature Version '2'. func (iam *IdentityAccessManagement) isReqAuthenticatedV2(r *http.Request) (*Identity, s3err.ErrorCode) { if isRequestSignatureV2(r) { return iam.doesSignV2Match(r) } return iam.doesPresignV2SignatureMatch(r) } func (iam *IdentityAccessManagement) doesPolicySignatureV2Match(formValues http.Header) s3err.ErrorCode { accessKey := formValues.Get("AWSAccessKeyId") if accessKey == "" { return s3err.ErrMissingFields } identity, cred, found := iam.lookupByAccessKey(accessKey) if !found { return s3err.ErrInvalidAccessKeyID } bucket := formValues.Get("bucket") if !identity.canDo(s3_constants.ACTION_WRITE, bucket, "") { return s3err.ErrAccessDenied } policy := formValues.Get("Policy") if policy == "" { return s3err.ErrMissingFields } signature := formValues.Get("Signature") if signature == "" { return s3err.ErrMissingFields } if !compareSignatureV2(signature, calculateSignatureV2(policy, cred.SecretKey)) { return s3err.ErrSignatureDoesNotMatch } return s3err.ErrNone } // doesSignV2Match - Verify authorization header with calculated header in accordance with // - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html // // returns ErrNone if the signature matches. func (iam *IdentityAccessManagement) doesSignV2Match(r *http.Request) (*Identity, s3err.ErrorCode) { v2Auth := r.Header.Get("Authorization") accessKey, errCode := validateV2AuthHeader(v2Auth) if errCode != s3err.ErrNone { return nil, errCode } identity, cred, found := iam.lookupByAccessKey(accessKey) if !found { return nil, s3err.ErrInvalidAccessKeyID } bucket, object := s3_constants.GetBucketAndObject(r) if !identity.canDo(s3_constants.ACTION_WRITE, bucket, object) { return nil, s3err.ErrAccessDenied } expectedAuth := signatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header) if !compareSignatureV2(v2Auth, expectedAuth) { return nil, s3err.ErrSignatureDoesNotMatch } return identity, s3err.ErrNone } // doesPresignV2SignatureMatch - Verify query headers with calculated header in accordance with // - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html // // returns ErrNone if the signature matches. func (iam *IdentityAccessManagement) doesPresignV2SignatureMatch(r *http.Request) (*Identity, s3err.ErrorCode) { query := r.URL.Query() expires := query.Get("Expires") if expires == "" { return nil, s3err.ErrMissingFields } expireTimestamp, err := strconv.ParseInt(expires, 10, 64) if err != nil { return nil, s3err.ErrMalformedExpires } if time.Unix(expireTimestamp, 0).Before(time.Now().UTC()) { return nil, s3err.ErrExpiredPresignRequest } accessKey := query.Get("AWSAccessKeyId") if accessKey == "" { return nil, s3err.ErrInvalidAccessKeyID } signature := query.Get("Signature") if signature == "" { return nil, s3err.ErrMissingFields } identity, cred, found := iam.lookupByAccessKey(accessKey) if !found { return nil, s3err.ErrInvalidAccessKeyID } bucket, object := s3_constants.GetBucketAndObject(r) if !identity.canDo(s3_constants.ACTION_READ, bucket, object) { return nil, s3err.ErrAccessDenied } expectedSignature := preSignatureV2(cred, r.Method, r.URL.Path, r.URL.Query().Encode(), r.Header, expires) if !compareSignatureV2(signature, expectedSignature) { return nil, s3err.ErrSignatureDoesNotMatch } return identity, s3err.ErrNone } // validateV2AuthHeader validates AWS Signature Version '2' authentication header. func validateV2AuthHeader(v2Auth string) (accessKey string, errCode s3err.ErrorCode) { if v2Auth == "" { return "", s3err.ErrAuthHeaderEmpty } // Signature V2 authorization header format: // Authorization: AWS AKIAIOSFODNN7EXAMPLE:frJIUN8DYpKDtOLCwo//yllqDzg= if !strings.HasPrefix(v2Auth, signV2Algorithm) { return "", s3err.ErrSignatureVersionNotSupported } // Strip off the Algorithm prefix. v2Auth = v2Auth[len(signV2Algorithm):] authFields := strings.Split(v2Auth, ":") if len(authFields) != 2 { return "", s3err.ErrMissingFields } // The first field is Access Key ID. if authFields[0] == "" { return "", s3err.ErrInvalidAccessKeyID } // The second field is signature. if authFields[1] == "" { return "", s3err.ErrMissingFields } return authFields[0], s3err.ErrNone } // signatureV2 - calculates signature version 2 for request. func signatureV2(cred *Credential, method string, encodedResource string, encodedQuery string, headers http.Header) string { stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, "") signature := calculateSignatureV2(stringToSign, cred.SecretKey) return signV2Algorithm + cred.AccessKey + ":" + signature } // getStringToSignV2 - string to sign in accordance with // - http://docs.aws.amazon.com/AmazonS3/latest/dev/auth-request-sig-v2.html func getStringToSignV2(method string, encodedResource, encodedQuery string, headers http.Header, expires string) string { canonicalHeaders := canonicalizedAmzHeadersV2(headers) if len(canonicalHeaders) > 0 { canonicalHeaders += "\n" } // From the Amazon docs: // // StringToSign = HTTP-Verb + "\n" + // Content-MD5 + "\n" + // Content-Type + "\n" + // Date + "\n" + // CanonicalizedAmzHeaders + // CanonicalizedResource; stringToSign := method + "\n" stringToSign += headers.Get("Content-Md5") + "\n" stringToSign += headers.Get("Content-Type") + "\n" if expires != "" { stringToSign += expires + "\n" } else { stringToSign += headers.Get("Date") + "\n" if v := headers.Get("x-amz-date"); v != "" { stringToSign = strings.Replace(stringToSign, headers.Get("Date")+"\n", "\n", -1) } } stringToSign += canonicalHeaders stringToSign += canonicalizedResourceV2(encodedResource, encodedQuery) return stringToSign } // canonicalizedResourceV2 - canonicalize the resource string for signature V2. func canonicalizedResourceV2(encodedResource, encodedQuery string) string { queries := strings.Split(encodedQuery, "&") keyval := make(map[string]string) for _, query := range queries { key := query val := "" index := strings.Index(query, "=") if index != -1 { key = query[:index] val = query[index+1:] } keyval[key] = val } var canonicalQueries []string for _, resource := range resourceList { if val, ok := keyval[resource]; ok { if val == "" { canonicalQueries = append(canonicalQueries, resource) continue } canonicalQueries = append(canonicalQueries, resource+"="+val) } } // The queries will be already sorted as resourceList is sorted. if len(canonicalQueries) == 0 { return encodedResource } // If queries are present then the canonicalized resource is set to encodedResource + "?" + strings.Join(canonicalQueries, "&") return encodedResource + "?" + strings.Join(canonicalQueries, "&") } // canonicalizedAmzHeadersV2 - canonicalize the x-amz-* headers for signature V2. func canonicalizedAmzHeadersV2(headers http.Header) string { var keys []string keyval := make(map[string]string) for key := range headers { lkey := strings.ToLower(key) if !strings.HasPrefix(lkey, "x-amz-") { continue } keys = append(keys, lkey) keyval[lkey] = strings.Join(headers[key], ",") } sort.Strings(keys) var canonicalHeaders []string for _, key := range keys { canonicalHeaders = append(canonicalHeaders, key+":"+keyval[key]) } return strings.Join(canonicalHeaders, "\n") } // calculateSignatureV2 - calculates signature version 2. func calculateSignatureV2(stringToSign string, secret string) string { hm := hmac.New(sha1.New, []byte(secret)) hm.Write([]byte(stringToSign)) return base64.StdEncoding.EncodeToString(hm.Sum(nil)) } // compareSignatureV2 returns true if and only if both signatures // are equal. The signatures are expected to be base64 encoded strings // according to the AWS S3 signature V2 spec. func compareSignatureV2(sig1, sig2 string) bool { // Decode signature string to binary byte-sequence representation is required // as Base64 encoding of a value is not unique: // For example "aGVsbG8=" and "aGVsbG8=\r" will result in the same byte slice. signature1, err := base64.StdEncoding.DecodeString(sig1) if err != nil { return false } signature2, err := base64.StdEncoding.DecodeString(sig2) if err != nil { return false } return subtle.ConstantTimeCompare(signature1, signature2) == 1 } // Return signature-v2 for the presigned request. func preSignatureV2(cred *Credential, method string, encodedResource string, encodedQuery string, headers http.Header, expires string) string { stringToSign := getStringToSignV2(method, encodedResource, encodedQuery, headers, expires) return calculateSignatureV2(stringToSign, cred.SecretKey) }