aboutsummaryrefslogtreecommitdiff
path: root/src/api/signature
diff options
context:
space:
mode:
authorasonix <asonix@asonix.dog>2024-03-03 16:26:57 -0600
committerAlex Auvolat <alex@adnab.me>2024-03-04 14:29:14 +0100
commit578bc8d7030b2ed369f3a3f346f9d584e3e2aad0 (patch)
treea1b4353977fc3c3efa3c31dfcfc1b1dc595d2628 /src/api/signature
parent6ab80cd36a702877d647e1b9273a595b893cc783 (diff)
downloadgarage-578bc8d7030b2ed369f3a3f346f9d584e3e2aad0.tar.gz
garage-578bc8d7030b2ed369f3a3f346f9d584e3e2aad0.zip
Store original-cased query keys alongside query values
Diffstat (limited to 'src/api/signature')
-rw-r--r--src/api/signature/payload.rs33
1 files changed, 23 insertions, 10 deletions
diff --git a/src/api/signature/payload.rs b/src/api/signature/payload.rs
index eacb7d68..c8b70226 100644
--- a/src/api/signature/payload.rs
+++ b/src/api/signature/payload.rs
@@ -31,7 +31,12 @@ pub const AWS4_HMAC_SHA256: &str = "AWS4-HMAC-SHA256";
pub const UNSIGNED_PAYLOAD: &str = "UNSIGNED-PAYLOAD";
pub const STREAMING_AWS4_HMAC_SHA256_PAYLOAD: &str = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD";
-pub type QueryMap = HashMap<String, String>;
+pub type QueryMap = HashMap<String, QueryValue>;
+
+pub struct QueryValue {
+ key: String,
+ value: String,
+}
pub async fn check_payload_signature(
garage: &Garage,
@@ -122,7 +127,7 @@ async fn check_presigned_signature(
mut query: QueryMap,
) -> Result<(Option<Key>, Option<Hash>), Error> {
let algorithm = query.get(X_AMZ_ALGORITHM.as_str()).unwrap();
- let authorization = Authorization::parse_presigned(algorithm, &query)?;
+ let authorization = Authorization::parse_presigned(&algorithm.value, &query)?;
// Verify that all necessary request headers are included in signed_headers
// For AWSv4 pre-signed URLs, the following must be incldued:
@@ -164,7 +169,7 @@ async fn check_presigned_signature(
let name =
HeaderName::from_bytes(name.as_bytes()).ok_or_bad_request("Invalid header name")?;
if let Some(existing) = headers_mut.get(&name) {
- if signed_headers.contains(&name) && existing.as_bytes() != value.as_bytes() {
+ if signed_headers.contains(&name) && existing.as_bytes() != value.value.as_bytes() {
return Err(Error::bad_request(format!(
"Conflicting values for `{}` in query parameters and request headers",
name
@@ -180,7 +185,7 @@ async fn check_presigned_signature(
// that are not signed, however there is not much reason that this would happen)
headers_mut.insert(
name,
- HeaderValue::from_bytes(value.as_bytes())
+ HeaderValue::from_bytes(value.value.as_bytes())
.ok_or_bad_request("invalid query parameter value")?,
);
}
@@ -196,7 +201,14 @@ pub fn parse_query_map(uri: &http::uri::Uri) -> Result<QueryMap, Error> {
if let Some(query_str) = uri.query() {
let query_pairs = url::form_urlencoded::parse(query_str.as_bytes());
for (key, val) in query_pairs {
- if query.insert(key.to_lowercase().to_string(), val.into_owned()).is_some() {
+ let key = key.into_owned();
+
+ let value = QueryValue {
+ key: key.clone(),
+ value: val.into_owned(),
+ };
+
+ if query.insert(key.to_lowercase(), value).is_some() {
return Err(Error::bad_request(format!(
"duplicate query parameter: `{}`",
key
@@ -305,7 +317,7 @@ pub fn canonical_request(
// Canonical query string from passed HeaderMap
let canonical_query_string = {
let mut items = Vec::with_capacity(query.len());
- for (key, value) in query.iter() {
+ for (_, QueryValue { key, value }) in query.iter() {
items.push(uri_encode(&key, true) + "=" + &uri_encode(&value, true));
}
items.sort();
@@ -475,6 +487,7 @@ impl Authorization {
let duration = query
.get(X_AMZ_EXPIRES.as_str())
.ok_or_bad_request("X-Amz-Expires not found in query parameters")?
+ .value
.parse()
.map_err(|_| Error::bad_request("X-Amz-Expires is not a number".to_string()))?;
@@ -487,18 +500,18 @@ impl Authorization {
let date = query
.get(X_AMZ_DATE.as_str())
.ok_or_bad_request("Missing X-Amz-Date field")?;
- let date = parse_date(date)?;
+ let date = parse_date(&date.value)?;
if Utc::now() - date > Duration::seconds(duration) {
return Err(Error::bad_request("Date is too old".to_string()));
}
- let (key_id, scope) = parse_credential(cred)?;
+ let (key_id, scope) = parse_credential(&cred.value)?;
Ok(Authorization {
key_id,
scope,
- signed_headers: signed_headers.to_string(),
- signature: signature.to_string(),
+ signed_headers: signed_headers.value.clone(),
+ signature: signature.value.clone(),
content_sha256: UNSIGNED_PAYLOAD.to_string(),
date,
})