aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2024-02-28 10:51:08 +0100
committerAlex Auvolat <alex@adnab.me>2024-02-28 10:51:08 +0100
commitbde70adc9bd00957ac6d64903e0ef2a47a7a9ba9 (patch)
tree7041171356cfa14a2fb480390c2875bd0b406058
parent84d79cadaa722752fda062c23b5ab33924d80320 (diff)
downloadgarage-bde70adc9bd00957ac6d64903e0ef2a47a7a9ba9.tar.gz
garage-bde70adc9bd00957ac6d64903e0ef2a47a7a9ba9.zip
[fix-presigned] new function to merge identical logic in s3 and k2v api
-rw-r--r--src/api/k2v/api_server.rs18
-rw-r--r--src/api/s3/api_server.rs18
-rw-r--r--src/api/signature/mod.rs29
-rw-r--r--src/api/signature/payload.rs2
4 files changed, 34 insertions, 33 deletions
diff --git a/src/api/k2v/api_server.rs b/src/api/k2v/api_server.rs
index 5ed7e286..fdb5db4c 100644
--- a/src/api/k2v/api_server.rs
+++ b/src/api/k2v/api_server.rs
@@ -15,8 +15,7 @@ use garage_model::garage::Garage;
use crate::generic_server::*;
use crate::k2v::error::*;
-use crate::signature::payload::check_payload_signature;
-use crate::signature::streaming::*;
+use crate::signature::verify_request;
use crate::helpers::*;
use crate::k2v::batch::*;
@@ -69,7 +68,7 @@ impl ApiHandler for K2VApiServer {
async fn handle(
&self,
- mut req: Request<IncomingBody>,
+ req: Request<IncomingBody>,
endpoint: K2VApiEndpoint,
) -> Result<Response<ResBody>, Error> {
let K2VApiEndpoint {
@@ -86,18 +85,7 @@ impl ApiHandler for K2VApiServer {
return Ok(options_res.map(|_empty_body: EmptyBody| empty_body()));
}
- let (api_key, mut content_sha256) =
- check_payload_signature(&garage, "k2v", &mut req).await?;
- let api_key = api_key
- .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?;
-
- let req = parse_streaming_body(
- &api_key,
- req,
- &mut content_sha256,
- &garage.config.s3_api.s3_region,
- "k2v",
- )?;
+ let (req, api_key, _content_sha256) = verify_request(&garage, req, "k2v").await?;
let bucket_id = garage
.bucket_helper()
diff --git a/src/api/s3/api_server.rs b/src/api/s3/api_server.rs
index fdfaf0a4..51f19554 100644
--- a/src/api/s3/api_server.rs
+++ b/src/api/s3/api_server.rs
@@ -17,8 +17,7 @@ use garage_model::key_table::Key;
use crate::generic_server::*;
use crate::s3::error::*;
-use crate::signature::payload::check_payload_signature;
-use crate::signature::streaming::*;
+use crate::signature::verify_request;
use crate::helpers::*;
use crate::s3::bucket::*;
@@ -107,7 +106,7 @@ impl ApiHandler for S3ApiServer {
async fn handle(
&self,
- mut req: Request<IncomingBody>,
+ req: Request<IncomingBody>,
endpoint: S3ApiEndpoint,
) -> Result<Response<ResBody>, Error> {
let S3ApiEndpoint {
@@ -125,18 +124,7 @@ impl ApiHandler for S3ApiServer {
return Ok(options_res.map(|_empty_body: EmptyBody| empty_body()));
}
- let (api_key, mut content_sha256) =
- check_payload_signature(&garage, "s3", &mut req).await?;
- let api_key = api_key
- .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?;
-
- let req = parse_streaming_body(
- &api_key,
- req,
- &mut content_sha256,
- &garage.config.s3_api.s3_region,
- "s3",
- )?;
+ let (req, api_key, content_sha256) = verify_request(&garage, req, "s3").await?;
let bucket_name = match bucket_name {
None => {
diff --git a/src/api/signature/mod.rs b/src/api/signature/mod.rs
index 4b8b990f..6514da43 100644
--- a/src/api/signature/mod.rs
+++ b/src/api/signature/mod.rs
@@ -2,19 +2,44 @@ use chrono::{DateTime, Utc};
use hmac::{Hmac, Mac};
use sha2::Sha256;
+use hyper::{body::Incoming as IncomingBody, Request};
+
+use garage_model::garage::Garage;
+use garage_model::key_table::Key;
use garage_util::data::{sha256sum, Hash};
+use error::*;
+
pub mod error;
pub mod payload;
pub mod streaming;
-use error::*;
-
pub const SHORT_DATE: &str = "%Y%m%d";
pub const LONG_DATETIME: &str = "%Y%m%dT%H%M%SZ";
type HmacSha256 = Hmac<Sha256>;
+pub async fn verify_request(
+ garage: &Garage,
+ mut req: Request<IncomingBody>,
+ service: &'static str,
+) -> Result<(Request<streaming::ReqBody>, Key, Option<Hash>), Error> {
+ let (api_key, mut content_sha256) =
+ payload::check_payload_signature(&garage, &mut req, service).await?;
+ let api_key =
+ api_key.ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?;
+
+ let req = streaming::parse_streaming_body(
+ &api_key,
+ req,
+ &mut content_sha256,
+ &garage.config.s3_api.s3_region,
+ service,
+ )?;
+
+ Ok((req, api_key, content_sha256))
+}
+
pub fn verify_signed_content(expected_sha256: Hash, body: &[u8]) -> Result<(), Error> {
if expected_sha256 != sha256sum(body) {
return Err(Error::bad_request(
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 435b4206..5935724d 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -35,8 +35,8 @@ pub type QueryMap = HashMap<String, String>;
pub async fn check_payload_signature(
garage: &Garage,
- service: &'static str,
request: &mut Request<IncomingBody>,
+ service: &'static str,
) -> Result<(Option<Key>, Option<Hash>), Error> {
let query = parse_query_map(request.uri())?;