105 lines
3.3 KiB
Go
105 lines
3.3 KiB
Go
/*
|
|
* Minio Cloud Storage, (C) 2016 Minio, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"encoding/hex"
|
|
"fmt"
|
|
"github.com/minio/sha256-simd"
|
|
"hash"
|
|
"io"
|
|
"net/http"
|
|
)
|
|
|
|
// signVerifyReader represents an io.Reader compatible interface which
|
|
// transparently calculates sha256, caller should call `Verify()` to
|
|
// validate the signature header.
|
|
type signVerifyReader struct {
|
|
Request *http.Request // HTTP request to be validated and read.
|
|
HashWriter hash.Hash // sha256 hash writer.
|
|
}
|
|
|
|
// Initializes a new signature verify reader.
|
|
func newSignVerify(req *http.Request) *signVerifyReader {
|
|
return &signVerifyReader{
|
|
Request: req, // Save the request.
|
|
HashWriter: sha256.New(), // Inititalize sha256.
|
|
}
|
|
}
|
|
|
|
// isSignVerify - is given reader a `signVerifyReader`.
|
|
func isSignVerify(reader io.Reader) bool {
|
|
_, ok := reader.(*signVerifyReader)
|
|
return ok
|
|
}
|
|
|
|
// Verify - verifies signature and returns error upon signature mismatch.
|
|
func (v *signVerifyReader) Verify() error {
|
|
validateRegion := true // Defaults to validating region.
|
|
shaPayloadHex := hex.EncodeToString(v.HashWriter.Sum(nil))
|
|
if skipContentSha256Cksum(v.Request) {
|
|
// Sets 'UNSIGNED-PAYLOAD' if client requested to not calculated sha256.
|
|
shaPayloadHex = unsignedPayload
|
|
}
|
|
// Signature verification block.
|
|
var s3Error APIErrorCode
|
|
if isRequestSignatureV4(v.Request) {
|
|
s3Error = doesSignatureMatch(shaPayloadHex, v.Request, validateRegion)
|
|
} else if isRequestPresignedSignatureV4(v.Request) {
|
|
s3Error = doesPresignedSignatureMatch(shaPayloadHex, v.Request, validateRegion)
|
|
} else {
|
|
// Couldn't figure out the request type, set the error as AccessDenied.
|
|
s3Error = ErrAccessDenied
|
|
}
|
|
// Set signature error as 'errSignatureMismatch' if possible.
|
|
var sErr error
|
|
// Validate if we have received signature mismatch or sha256 mismatch.
|
|
if s3Error != ErrNone {
|
|
switch s3Error {
|
|
case ErrContentSHA256Mismatch:
|
|
sErr = errContentSHA256Mismatch
|
|
case ErrSignatureDoesNotMatch:
|
|
sErr = errSignatureMismatch
|
|
default:
|
|
sErr = fmt.Errorf("%v", getAPIError(s3Error))
|
|
}
|
|
return sErr
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Reads from request body and writes to hash writer. All reads performed
|
|
// through it are matched with corresponding writes to hash writer. There is
|
|
// no internal buffering the write must complete before the read completes.
|
|
// Any error encountered while writing is reported as a read error. As a
|
|
// special case `Read()` skips writing to hash writer if the client requested
|
|
// for the payload to be skipped.
|
|
func (v *signVerifyReader) Read(b []byte) (n int, err error) {
|
|
n, err = v.Request.Body.Read(b)
|
|
if n > 0 {
|
|
// Skip calculating the hash.
|
|
if skipContentSha256Cksum(v.Request) {
|
|
return
|
|
}
|
|
// Stagger all reads to its corresponding writes to hash writer.
|
|
if n, err = v.HashWriter.Write(b[:n]); err != nil {
|
|
return n, err
|
|
}
|
|
}
|
|
return
|
|
}
|