author | Alex Auvolat <alex@adnab.me> | 2023-05-18 00:06:03 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2023-05-18 00:06:03 +0200 |
commit | 7c56d1040ddc2b39622f751cd6ad5c1638a5d18e (patch) | |
tree | b2362467c68430f162f7c042818d02a1c7cef6b5 /src/api/signature/payload.rs | |
parent | c26a4308b4454e2f36e2824280b9f587a6918fa9 (diff) | |
k2v signature verification: double urlencoding, as expected by rusoto_signature
(s3 is the only service that does not do double-urlencoding when
computing signatures...)
Diffstat (limited to 'src/api/signature/payload.rs')
-rw-r--r-- | src/api/signature/payload.rs | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index 4c7934e5..e264392b 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -27,8 +27,10 @@ pub async fn check_payload_signature(
 headers.insert(key.to_string(), val.to_str()?.to_string());
 }
 if let Some(query) = request.uri().query() {
+ trace!("got query: {}", query);
 let query_pairs = url::form_urlencoded::parse(query.as_bytes());
 for (key, val) in query_pairs {
+ trace!("query pair: `{}` = `{}`", key, val);
 headers.insert(key.to_lowercase(), val.to_string());
 }
 }
@@ -56,6 +58,7 @@ pub async fn check_payload_signature(
 &headers,
 &authorization.signed_headers,
 &authorization.content_sha256,
+ service != "s3",
 );
 let (_, scope) = parse_credential(&authorization.credential)?;
 let string_to_sign = string_to_sign(&authorization.date, &scope, &canonical_request);
@@ -236,10 +239,16 @@ pub fn canonical_request(
 headers: &HashMap<String, String>,
 signed_headers: &str,
 content_sha256: &str,
+ double_encode_path: bool,
 ) -> String {
+ let path: std::borrow::Cow<str> = if double_encode_path {
+ uri_encode(uri.path(), false).into()
+ } else {
+ uri.path().into()
+ };
 [
 method.as_str(),
- uri.path(),
+ &path,
 &canonical_query_string(uri),
 &canonical_header_string(headers, signed_headers),
 "", |
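Review bot: The two added `trace!` calls in `check_payload_signature` write the raw query string and every decoded query value to the log. The following context line copies those pairs into the same map as the request headers, so if this path also serves query-string (presigned) authentication, which is not visible in this hunk, the log would hold the request signature and credential for as long as the URL remains valid. The values are also client-supplied and percent-decoded, so `{}` formatting lets CR/LF through into the log stream. Logging only the parameter name with debug formatting avoids both, `trace!("query parameter: {:?}", key);`, and the first `trace!("got query: ...")` can then be dropped. The function starts and ends outside the hunk.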
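Review bot: `service != "s3"` is passed as a bare positional boolean in the `canonical_request` call, so the call site does not say what it switches, and any service string other than exactly `"s3"` silently selects double encoding. Binding it first keeps the rule readable: `let double_encode_path = service != "s3"; // only S3 signs the path as sent`. Where `service` comes from is outside this hunk; if it can ever be influenced by request data rather than fixed by the endpoint, an explicit match on the known service names would be safer than a negative comparison.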
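Review bot: The new `double_encode_path` branch in `canonical_request` applies `uri_encode` once to `uri.path()`, which gives a double-encoded path only when the path arrived already percent-encoded in the form the signer used; neither that assumption nor the bare `false` argument is documented. A path that reaches the server in a different escaping than the client signed would presumably fail verification rather than pass, so this looks fail-closed, but a unit test with a key containing a space and a literal `%` would pin the behaviour for both values of the flag. Proposed doc comment on the function: `/// When double_encode_path is true, the already-encoded request path is percent-encoded a second time (SigV4 for services other than S3).` The annotation also reads better as `Cow<'_, str>`. The parameter list and the array literal both continue outside the hunk.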