add getters for S3AuthorizationHeader fields and make fields private

pull/359/head
Mikko Kortelainen 2021-04-28 19:02:06 +03:00 zatwierdzone przez Andrew Gaul
rodzic 85b2fa0321
commit 99ff5f950b
3 zmienionych plików z 68 dodań i 32 usunięć


@ -323,17 +323,18 @@ final class AwsSignature {
throws InvalidKeyException, IOException, NoSuchAlgorithmException,
S3Exception {
String canonicalRequest = createCanonicalRequest(request, uri, payload,
authHeader.hashAlgorithm);
String algorithm = authHeader.hmacAlgorithm;
authHeader.getHashAlgorithm());
String algorithm = authHeader.getHmacAlgorithm();
byte[] dateKey = signMessage(
authHeader.date.getBytes(StandardCharsets.UTF_8),
authHeader.getDate().getBytes(StandardCharsets.UTF_8),
("AWS4" + credential).getBytes(StandardCharsets.UTF_8),
algorithm);
byte[] dateRegionKey = signMessage(
authHeader.region.getBytes(StandardCharsets.UTF_8), dateKey,
authHeader.getRegion().getBytes(StandardCharsets.UTF_8),
dateKey,
algorithm);
byte[] dateRegionServiceKey = signMessage(
authHeader.service.getBytes(StandardCharsets.UTF_8),
authHeader.getService().getBytes(StandardCharsets.UTF_8),
dateRegionKey, algorithm);
byte[] signingKey = signMessage(
"aws4_request".getBytes(StandardCharsets.UTF_8),
@ -344,7 +345,7 @@ final class AwsSignature {
}
String signatureString = "AWS4-HMAC-SHA256\n" +
date + "\n" +
authHeader.date + "/" + authHeader.region +
authHeader.getDate() + "/" + authHeader.getRegion() +
"/s3/aws4_request\n" +
canonicalRequest;
byte[] signature = signMessage(
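Review bot: The new-side calls `authHeader.getDate()`, `authHeader.getRegion()` and `authHeader.getService()` in the first hunk dereference accessors for fields that S3AuthorizationHeader declares `@Nullable`, so a header for which the parser leaves them unset would fail here with a NullPointerException at `getBytes` rather than a clear precondition failure. Assuming this method is only reached for AWS V4 headers, a guard at its top such as `Objects.requireNonNull(authHeader.getDate(), "V4 header without date")` (and likewise for region and service) would make that precondition explicit, or the method's Javadoc could state that the header must be of type AWS_V4. The enclosing method starts before this hunk, so its signature and any existing check are not visible here.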


@ -33,17 +33,14 @@ final class S3AuthorizationHeader {
private static final String SIGNATURE_FIELD = "Signature=";
private static final String CREDENTIAL_FIELD = "Credential=";
// TODO: these fields should have accessors
// CHECKSTYLE:OFF
final AuthenticationType authenticationType;
@Nullable final String hmacAlgorithm;
@Nullable final String hashAlgorithm;
@Nullable final String region;
@Nullable final String date;
@Nullable final String service;
final String identity;
final String signature;
// CHECKSTYLE:ON
private final AuthenticationType authenticationType;
@Nullable private final String hmacAlgorithm;
@Nullable private final String hashAlgorithm;
@Nullable private final String region;
@Nullable private final String date;
@Nullable private final String service;
private final String identity;
private final String signature;
S3AuthorizationHeader(String header) {
if (header.startsWith("AWS ")) {
@ -122,4 +119,36 @@ final class S3AuthorizationHeader {
return header.substring(signatureIndex, signatureEnd);
}
}
public AuthenticationType getAuthenticationType() {
return authenticationType;
}
public String getHmacAlgorithm() {
return hmacAlgorithm;
}
public String getHashAlgorithm() {
return hashAlgorithm;
}
public String getRegion() {
return region;
}
public String getDate() {
return date;
}
public String getService() {
return service;
}
public String getIdentity() {
return identity;
}
public String getSignature() {
return signature;
}
}
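Review bot: The accessors `getHmacAlgorithm()`, `getHashAlgorithm()`, `getRegion()`, `getDate()` and `getService()` in the second hunk drop the `@Nullable` annotation that the corresponding fields keep in the first hunk, so callers and static analysis lose the information that these values can be absent (the proxy handler already branches on `getHmacAlgorithm() == null`). Each of those getters should carry the same annotation, e.g. `@Nullable public String getHmacAlgorithm() {`, matching its field declaration; `getIdentity()` and `getSignature()` can stay as they are since their fields are not annotated. Since the getters are now the public contract of the class, a short Javadoc on the class or on each nullable getter stating which fields are populated for which AuthenticationType would also help.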


@ -407,7 +407,7 @@ public class S3ProxyHandler {
} catch (IllegalArgumentException iae) {
throw new S3Exception(S3ErrorCode.INVALID_ARGUMENT, iae);
}
requestIdentity = authHeader.identity;
requestIdentity = authHeader.getIdentity();
}
long dateSkew = 0; //date for timeskew check
@ -420,12 +420,14 @@ public class S3ProxyHandler {
boolean haveDate = true;
AuthenticationType finalAuthType = null;
if (authHeader.authenticationType == AuthenticationType.AWS_V2 &&
if (authHeader.getAuthenticationType() ==
AuthenticationType.AWS_V2 &&
(authenticationType == AuthenticationType.AWS_V2 ||
authenticationType == AuthenticationType.AWS_V2_OR_V4)) {
finalAuthType = AuthenticationType.AWS_V2;
} else if (
authHeader.authenticationType == AuthenticationType.AWS_V4 &&
authHeader.getAuthenticationType() ==
AuthenticationType.AWS_V4 &&
(authenticationType == AuthenticationType.AWS_V4 ||
authenticationType == AuthenticationType.AWS_V2_OR_V4)) {
finalAuthType = AuthenticationType.AWS_V4;
@ -517,7 +519,7 @@ public class S3ProxyHandler {
}
}
// The aim ?
switch (authHeader.authenticationType) {
switch (authHeader.getAuthenticationType()) {
case AWS_V2:
switch (authenticationType) {
case AWS_V2:
@ -542,12 +544,12 @@ public class S3ProxyHandler {
break;
default:
throw new IllegalArgumentException("Unhandled type: " +
authHeader.authenticationType);
authHeader.getAuthenticationType());
}
String expectedSignature = null;
if (authHeader.hmacAlgorithm == null) { //v2
if (authHeader.getHmacAlgorithm() == null) { //v2
// When presigned url is generated, it doesn't consider
// service path
String uriForSigning = presignedUrl ? uri : this.servicePath +
@ -581,7 +583,7 @@ public class S3ProxyHandler {
// maybe we should check this when signing,
// a lot of dup code with aws sign code.
MessageDigest md = MessageDigest.getInstance(
authHeader.hashAlgorithm);
authHeader.getHashAlgorithm());
byte[] hash = md.digest(payload);
if (!contentSha256.equals(
BaseEncoding.base16().lowerCase()
@ -604,7 +606,8 @@ public class S3ProxyHandler {
}
}
if (!constantTimeEquals(expectedSignature, authHeader.signature)) {
if (!constantTimeEquals(expectedSignature,
authHeader.getSignature())) {
throw new S3Exception(S3ErrorCode.SIGNATURE_DOES_NOT_MATCH);
}
}
@ -2053,7 +2056,7 @@ public class S3ProxyHandler {
throw new S3Exception(S3ErrorCode.INVALID_ARGUMENT, iae);
}
switch (authHeader.authenticationType) {
switch (authHeader.getAuthenticationType()) {
case AWS_V2:
switch (authenticationType) {
case AWS_V2:
@ -2078,11 +2081,11 @@ public class S3ProxyHandler {
break;
default:
throw new IllegalArgumentException("Unhandled type: " +
authHeader.authenticationType);
authHeader.getAuthenticationType());
}
Map.Entry<String, BlobStore> provider =
blobStoreLocator.locateBlobStore(authHeader.identity, null,
blobStoreLocator.locateBlobStore(authHeader.getIdentity(), null,
null);
if (provider == null) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
@ -2094,11 +2097,14 @@ public class S3ProxyHandler {
byte[] kSecret = ("AWS4" + credential).getBytes(
StandardCharsets.UTF_8);
byte[] kDate = hmac("HmacSHA256",
authHeader.date.getBytes(StandardCharsets.UTF_8), kSecret);
authHeader.getDate().getBytes(StandardCharsets.UTF_8),
kSecret);
byte[] kRegion = hmac("HmacSHA256",
authHeader.region.getBytes(StandardCharsets.UTF_8), kDate);
byte[] kService = hmac("HmacSHA256", authHeader.service.getBytes(
StandardCharsets.UTF_8), kRegion);
authHeader.getRegion().getBytes(StandardCharsets.UTF_8),
kDate);
byte[] kService = hmac("HmacSHA256",
authHeader.getService().getBytes(StandardCharsets.UTF_8),
kRegion);
byte[] kSigning = hmac("HmacSHA256",
"aws4_request".getBytes(StandardCharsets.UTF_8), kService);
String expectedSignature = BaseEncoding.base16().lowerCase().encode(
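Review bot: In the hunk at `@ -542,12 +544,12 @@`, the V2/V4 branch is still chosen by a null sentinel, `if (authHeader.getHmacAlgorithm() == null) { //v2`, a few lines after the same method switches on `authHeader.getAuthenticationType()`; with the type accessor now available, `if (authHeader.getAuthenticationType() == AuthenticationType.AWS_V2) {` would state the intent directly and make the `//v2` comment unnecessary, provided the parser sets hmacAlgorithm exactly for V4 headers, which this diff does not show. Separately, the last hunk repeats the V4 signing-key derivation (`kDate`, `kRegion`, `kService`, `kSigning` with a hard-coded `"HmacSHA256"`) that AwsSignature derives through signMessage using `getHmacAlgorithm()`; the existing comment about duplicated sign code in the hunk at `@ -581,7 +583,7 @@` suggests the accessor change is a good moment to route both paths through one shared helper. The enclosing methods start and end outside these hunks.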