diff options
| author | Alex <alex@adnab.me> | 2024-02-28 11:38:00 +0000 |
|---|---|---|
| committer | Alex <alex@adnab.me> | 2024-02-28 11:38:00 +0000 |
| commit | 10031a3a9130a55a832e8aebc00eee942394be93 (patch) | |
| tree | 9bcc9569e7a8806efdf9d542e37ffa06a7689bca /src/api/s3 | |
| parent | 911a83ea7d06143c5a9621f88020ab6c0850ba54 (diff) | |
| parent | 90cab5b8f2b5212668975bf445a1e86f638fe1c7 (diff) | |
| download | garage-10031a3a9130a55a832e8aebc00eee942394be93.tar.gz garage-10031a3a9130a55a832e8aebc00eee942394be93.zip | |
Merge pull request 'Split presigned signature verification + fix conditions' (#735) from fix-presigned into main
Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/735
Diffstat (limited to 'src/api/s3')
| -rw-r--r-- | src/api/s3/api_server.rs | 15 | ||||
| -rw-r--r-- | src/api/s3/post_object.rs | 26 |
2 files changed, 5 insertions, 36 deletions
diff --git a/src/api/s3/api_server.rs b/src/api/s3/api_server.rs index 08405923..51f19554 100644 --- a/src/api/s3/api_server.rs +++ b/src/api/s3/api_server.rs @@ -17,8 +17,7 @@ use garage_model::key_table::Key; use crate::generic_server::*; use crate::s3::error::*; -use crate::signature::payload::check_payload_signature; -use crate::signature::streaming::*; +use crate::signature::verify_request; use crate::helpers::*; use crate::s3::bucket::*; @@ -125,17 +124,7 @@ impl ApiHandler for S3ApiServer { return Ok(options_res.map(|_empty_body: EmptyBody| empty_body())); } - let (api_key, mut content_sha256) = check_payload_signature(&garage, "s3", &req).await?; - let api_key = api_key - .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))?; - - let req = parse_streaming_body( - &api_key, - req, - &mut content_sha256, - &garage.config.s3_api.s3_region, - "s3", - )?; + let (req, api_key, content_sha256) = verify_request(&garage, req, "s3").await?; let bucket_name = match bucket_name { None => { diff --git a/src/api/s3/post_object.rs b/src/api/s3/post_object.rs index bca8d6c6..b542cc1a 100644 --- a/src/api/s3/post_object.rs +++ b/src/api/s3/post_object.rs @@ -21,7 +21,7 @@ use crate::s3::cors::*; use crate::s3::error::*; use crate::s3::put::{get_headers, save_stream}; use crate::s3::xml as s3_xml; -use crate::signature::payload::{parse_date, verify_v4}; +use crate::signature::payload::{verify_v4, Authorization}; pub async fn handle_post_object( garage: Arc<Garage>, @@ -88,22 +88,11 @@ pub async fn handle_post_object( .get("key") .ok_or_bad_request("No key was provided")? .to_str()?; - let credential = params - .get("x-amz-credential") - .ok_or_else(|| Error::forbidden("Garage does not support anonymous access yet"))? - .to_str()?; let policy = params .get("policy") .ok_or_bad_request("No policy was provided")? .to_str()?; - let signature = params - .get("x-amz-signature") - .ok_or_bad_request("No signature was provided")? - .to_str()?; - let date = params - .get("x-amz-date") - .ok_or_bad_request("No date was provided")? - .to_str()?; + let authorization = Authorization::parse_form(¶ms)?; let key = if key.contains("${filename}") { // if no filename is provided, don't replace. This matches the behavior of AWS. @@ -116,16 +105,7 @@ pub async fn handle_post_object( key.to_owned() }; - let date = parse_date(date)?; - let api_key = verify_v4( - &garage, - "s3", - credential, - &date, - signature, - policy.as_bytes(), - ) - .await?; + let api_key = verify_v4(&garage, "s3", &authorization, policy.as_bytes()).await?; let bucket_id = garage .bucket_helper() |