self-hosted/minio
self-hosted/minio
1
0
Fork 0
mirror of https://github.com/minio/minio synced 2024-07-21 02:14:35 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

fix: support pre-sign signature for STS tokens (#8826)

Browse source 
Fixes #8391
This commit is contained in:
Harshavardhana 2020-01-18 17:04:50 -08:00 committed by kannappanr
parent 8cb6184f1d
commit 88286cf8d0
1 changed files with 21 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
cmd/signature-v4.go
View file

@ -222,14 +222,6 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return errCode
}
// Construct new query.
query := make(url.Values)
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" {
query.Set(xhttp.AmzContentSha256, hashedPayload)
}
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
// If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the
// request should still be allowed.
if pSignValues.Date.After(UTCNow().Add(globalMaxSkewTime)) {
@ -244,6 +236,20 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
t := pSignValues.Date
expireSeconds := int(pSignValues.Expires / time.Second)
// Construct new query.
query := make(url.Values)
clntHashedPayload := req.URL.Query().Get(xhttp.AmzContentSha256)
if clntHashedPayload != "" {
query.Set(xhttp.AmzContentSha256, hashedPayload)
}
token := req.URL.Query().Get(xhttp.AmzSecurityToken)
if token != "" {
query.Set(xhttp.AmzSecurityToken, cred.SessionToken)
}
query.Set(xhttp.AmzAlgorithm, signV4Algorithm)
// Construct the query.
query.Set(xhttp.AmzDate, t.Format(iso8601Format))
query.Set(xhttp.AmzExpires, strconv.Itoa(expireSeconds))
@ -262,6 +268,7 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
if strings.Contains(key, "x-amz-server-side-") {
query.Set(k, v[0])
continue
}
if strings.HasPrefix(key, "x-amz") {
@ -290,10 +297,12 @@ func doesPresignedSignatureMatch(hashedPayload string, r *http.Request, region s
return ErrSignatureDoesNotMatch
}
// Verify if sha256 payload query is same.
if req.URL.Query().Get(xhttp.AmzContentSha256) != "" {
if req.URL.Query().Get(xhttp.AmzContentSha256) != query.Get(xhttp.AmzContentSha256) {
return ErrContentSHA256Mismatch
}
if clntHashedPayload != "" && clntHashedPayload != query.Get(xhttp.AmzContentSha256) {
return ErrContentSHA256Mismatch
}
// Verify if security token is correct.
if token != "" && subtle.ConstantTimeCompare([]byte(token), []byte(cred.SessionToken)) != 1 {
return ErrInvalidToken
}
/// Verify finally if signature is same.