diff options
author | Alex Auvolat <alex@adnab.me> | 2024-02-28 10:51:08 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2024-02-28 10:51:08 +0100 |
commit | bde70adc9bd00957ac6d64903e0ef2a47a7a9ba9 (patch) | |
tree | 7041171356cfa14a2fb480390c2875bd0b406058 | |
parent | 84d79cadaa722752fda062c23b5ab33924d80320 (diff) | |
download | garage-bde70adc9bd00957ac6d64903e0ef2a47a7a9ba9.tar.gz garage-bde70adc9bd00957ac6d64903e0ef2a47a7a9ba9.zip |
[fix-presigned] new function to merge identical logic in s3 and k2v api
-rw-r--r-- | src/api/k2v/api_server.rs | 18 | ||||
-rw-r--r-- | src/api/s3/api_server.rs | 18 | ||||
-rw-r--r-- | src/api/signature/mod.rs | 29 | ||||
-rw-r--r-- | src/api/signature/payload.rs | 2 |
4 files changed, 34 insertions, 33 deletions
diff --git a/src/api/k2v/api_server.rs b/src/api/k2v/api_server.rs index 5ed7e286..fdb5db4c 100644 --- a/src/api/k2v/api_server.rs +++ b/src/api/k2v/api_server.rs @@ -15,8 +15,7 @@ use garage_model::garage::Garage; use crate::generic_server::*; use crate::k2v::error::*; -use crate::signature::payload::check_payload_signature; -use crate::signature::streaming::*; +use crate::signature::verify_request; use crate::helpers::*; use crate::k2v::batch::*; @@ -69,7 +68,7 @@ impl ApiHandler for K2VApiServer { async fn handle( &self, - mut req: Request<IncomingBody>, + req: Request<IncomingBody>, endpoint: K2VApiEndpoint, ) -> Result<Response<ResBody>, Error> { let K2VApiEndpoint { @@ -86,18 +85,7 @@ impl ApiHandler for K2VApiServer { return Ok(options_res.map(|_empty_body: EmptyBody| empty_body())); } - let (api_key, mut content_sha256) = - check_payload_signature(&garage, "k2v", &mut req).await?; - let api_key = api_key - .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?; - - let req = parse_streaming_body( - &api_key, - req, - &mut content_sha256, - &garage.config.s3_api.s3_region, - "k2v", - )?; + let (req, api_key, _content_sha256) = verify_request(&garage, req, "k2v").await?; let bucket_id = garage .bucket_helper() diff --git a/src/api/s3/api_server.rs b/src/api/s3/api_server.rs index fdfaf0a4..51f19554 100644 --- a/src/api/s3/api_server.rs +++ b/src/api/s3/api_server.rs @@ -17,8 +17,7 @@ use garage_model::key_table::Key; use crate::generic_server::*; use crate::s3::error::*; -use crate::signature::payload::check_payload_signature; -use crate::signature::streaming::*; +use crate::signature::verify_request; use crate::helpers::*; use crate::s3::bucket::*; @@ -107,7 +106,7 @@ impl ApiHandler for S3ApiServer { async fn handle( &self, - mut req: Request<IncomingBody>, + req: Request<IncomingBody>, endpoint: S3ApiEndpoint, ) -> Result<Response<ResBody>, Error> { let S3ApiEndpoint { @@ -125,18 +124,7 @@ impl ApiHandler for S3ApiServer { return Ok(options_res.map(|_empty_body: EmptyBody| empty_body())); } - let (api_key, mut content_sha256) = - check_payload_signature(&garage, "s3", &mut req).await?; - let api_key = api_key - .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?; - - let req = parse_streaming_body( - &api_key, - req, - &mut content_sha256, - &garage.config.s3_api.s3_region, - "s3", - )?; + let (req, api_key, content_sha256) = verify_request(&garage, req, "s3").await?; let bucket_name = match bucket_name { None => { diff --git a/src/api/signature/mod.rs b/src/api/signature/mod.rs index 4b8b990f..6514da43 100644 --- a/src/api/signature/mod.rs +++ b/src/api/signature/mod.rs @@ -2,19 +2,44 @@ use chrono::{DateTime, Utc}; use hmac::{Hmac, Mac}; use sha2::Sha256; +use hyper::{body::Incoming as IncomingBody, Request}; + +use garage_model::garage::Garage; +use garage_model::key_table::Key; use garage_util::data::{sha256sum, Hash}; +use error::*; + pub mod error; pub mod payload; pub mod streaming; -use error::*; - pub const SHORT_DATE: &str = "%Y%m%d"; pub const LONG_DATETIME: &str = "%Y%m%dT%H%M%SZ"; type HmacSha256 = Hmac<Sha256>; +pub async fn verify_request( + garage: &Garage, + mut req: Request<IncomingBody>, + service: &'static str, +) -> Result<(Request<streaming::ReqBody>, Key, Option<Hash>), Error> { + let (api_key, mut content_sha256) = + payload::check_payload_signature(&garage, &mut req, service).await?; + let api_key = + api_key.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?; + + let req = streaming::parse_streaming_body( + &api_key, + req, + &mut content_sha256, + &garage.config.s3_api.s3_region, + service, + )?; + + Ok((req, api_key, content_sha256)) +} + pub fn verify_signed_content(expected_sha256: Hash, body: &[u8]) -> Result<(), Error> { if expected_sha256 != sha256sum(body) { return Err(Error::bad_request( diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs index 435b4206..5935724d 100644 --- a/src/api/signature/payload.rs +++ b/src/api/signature/payload.rs @@ -35,8 +35,8 @@ pub type QueryMap = HashMap<String, String>; pub async fn check_payload_signature( garage: &Garage, - service: &'static str, request: &mut Request<IncomingBody>, + service: &'static str, ) -> Result<(Option<Key>, Option<Hash>), Error> { let query = parse_query_map(request.uri())?; |