authorAlex Auvolat <alex@adnab.me>2023-05-18 00:06:03 +0200
committerAlex Auvolat <alex@adnab.me>2023-05-18 00:06:03 +0200
commit7c56d1040ddc2b39622f751cd6ad5c1638a5d18e (patch)
treeb2362467c68430f162f7c042818d02a1c7cef6b5
parentc26a4308b4454e2f36e2824280b9f587a6918fa9 (diff)
k2v signature verification: double urlencoding, as expected by rusoto_signature
(s3 is the only service that does not do double-urlencoding when computing signatures...)
-rw-r--r--src/api/signature/payload.rs11
1 files changed, 10 insertions, 1 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 4c7934e5..e264392b 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -27,8 +27,10 @@ pub async fn check_payload_signature(
headers.insert(key.to_string(), val.to_str()?.to_string());
}
if let Some(query) = request.uri().query() {
+ trace!("got query: {}", query);
let query_pairs = url::form_urlencoded::parse(query.as_bytes());
for (key, val) in query_pairs {
+ trace!("query pair: `{}` = `{}`", key, val);
headers.insert(key.to_lowercase(), val.to_string());
}
}
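Review bot: The two added `trace!` calls write the raw query string and every decoded key/value pair to the log. For a presigned request this would presumably include the `X-Amz-Signature` and `X-Amz-Credential` parameters, and a signature in a URL stays usable until that URL expires. Trace logs are often shipped to places with weaker access control than the request path, so I would log only the parameter names, e.g. `trace!("query param: {}", key);`, and drop the raw-query line or mask the value of signature-bearing keys. `check_payload_signature` starts and continues outside this hunk, so whether presigned URLs reach this branch should be confirmed there.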
@@ -56,6 +58,7 @@ pub async fn check_payload_signature(
&headers,
&authorization.signed_headers,
&authorization.content_sha256,
+ service != "s3",
);
let (_, scope) = parse_credential(&authorization.credential)?;
let string_to_sign = string_to_sign(&authorization.date, &scope, &canonical_request);
@@ -236,10 +239,16 @@ pub fn canonical_request(
headers: &HashMap<String, String>,
signed_headers: &str,
content_sha256: &str,
+ double_encode_path: bool,
) -> String {
+ let path: std::borrow::Cow<str> = if double_encode_path {
+ uri_encode(uri.path(), false).into()
+ } else {
+ uri.path().into()
+ };
[
method.as_str(),
- uri.path(),
+ &path,
&canonical_query_string(uri),
&canonical_header_string(headers, signed_headers),
"",
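Review bot: The new `double_encode_path` parameter and the `uri_encode(uri.path(), false)` branch have no comment explaining why a second encoding is correct. The "double" only holds if `uri.path()` is still percent-encoded as received, and the meaning of the `false` argument is not visible in this hunk. I would add a doc line on the parameter such as `/// double_encode_path: percent-encode the already-encoded request path again, as SigV4 does for every service except S3`, and a short comment on the `uri_encode` call saying what `false` selects. A unit test would also help: run `canonical_request` over a path containing an encoded character (for example a constructed `/a%20b`) with the flag both on and off. That would pin the behaviour so the S3 and K2V paths cannot drift. The function body continues past the end of this hunk.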