[ARVADOS] updated: 1.3.0-3196-gbbc159040

Git user git at public.arvados.org
Fri Sep 25 04:45:01 UTC 2020 

Summary of changes:
 services/keep-web/s3.go | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

       via  bbc1590401a1d15a4ca101df37415c9a2aa99ac9 (commit)
       via  6d419ba53592a3e60c8aef5be7bc99643ab3a6ac (commit)
      from  580d77ef4d6b244971bc26c649e017e912ca8737 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit bbc1590401a1d15a4ca101df37415c9a2aa99ac9
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Fri Sep 25 00:42:01 2020 -0400

    16809: Fix empty Host header value used in signature check.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index 15f35f360..f3edf9894 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -90,7 +90,7 @@ func s3stringToSign(alg, scope, signedHeaders string, r *http.Request) (string,
 	var canonicalHeaders string
 	for _, h := range strings.Split(signedHeaders, ";") {
 		if h == "host" {
-			canonicalHeaders += h + ":" + r.URL.Host + "\n"
+			canonicalHeaders += h + ":" + r.Host + "\n"
 		} else {
 			canonicalHeaders += h + ":" + r.Header.Get(h) + "\n"
 		}

commit 6d419ba53592a3e60c8aef5be7bc99643ab3a6ac
Author: Tom Clegg <tom at tomclegg.ca>
Date:   Fri Sep 25 00:41:26 2020 -0400

    16809: Improve signature error reporting/logging.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>

diff --git a/services/keep-web/s3.go b/services/keep-web/s3.go
index d555cb5b7..15f35f360 100644
--- a/services/keep-web/s3.go
+++ b/services/keep-web/s3.go
@@ -10,6 +10,7 @@ import (
 	"encoding/xml"
 	"errors"
 	"fmt"
+	"hash"
 	"io"
 	"net/http"
 	"net/url"
@@ -37,6 +38,11 @@ func hmacstring(msg string, key []byte) []byte {
 	return h.Sum(nil)
 }
 
+func hashdigest(h hash.Hash, payload string) string {
+	io.WriteString(h, payload)
+	return fmt.Sprintf("%x", h.Sum(nil))
+}
+
 // Signing key for given secret key and request attrs.
 func s3signatureKey(key, datestamp, regionName, serviceName string) []byte {
 	return hmacstring("aws4_request",
@@ -68,7 +74,7 @@ func s3querystring(u *url.URL) string {
 	return strings.Join(keys, "&")
 }
 
-func s3signature(alg, secretKey, scope, signedHeaders string, r *http.Request) (string, error) {
+func s3stringToSign(alg, scope, signedHeaders string, r *http.Request) (string, error) {
 	timefmt, timestr := "20060102T150405Z", r.Header.Get("X-Amz-Date")
 	if timestr == "" {
 		timefmt, timestr = time.RFC1123, r.Header.Get("Date")
@@ -90,22 +96,19 @@ func s3signature(alg, secretKey, scope, signedHeaders string, r *http.Request) (
 		}
 	}
 
-	crhash := sha256.New()
-	fmt.Fprintf(crhash, "%s\n%s\n%s\n%s\n%s\n%s", r.Method, r.URL.EscapedPath(), s3querystring(r.URL), canonicalHeaders, signedHeaders, r.Header.Get("X-Amz-Content-Sha256"))
-	crdigest := fmt.Sprintf("%x", crhash.Sum(nil))
-
-	payload := fmt.Sprintf("%s\n%s\n%s\n%s", alg, r.Header.Get("X-Amz-Date"), scope, crdigest)
+	canonicalRequest := fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", r.Method, r.URL.EscapedPath(), s3querystring(r.URL), canonicalHeaders, signedHeaders, r.Header.Get("X-Amz-Content-Sha256"))
+	ctxlog.FromContext(r.Context()).Debugf("s3stringToSign: canonicalRequest %s", canonicalRequest)
+	return fmt.Sprintf("%s\n%s\n%s\n%s", alg, r.Header.Get("X-Amz-Date"), scope, hashdigest(sha256.New(), canonicalRequest)), nil
+}
 
+func s3signature(secretKey, scope, signedHeaders, stringToSign string) (string, error) {
 	// scope is {datestamp}/{region}/{service}/aws4_request
 	drs := strings.Split(scope, "/")
 	if len(drs) != 4 {
 		return "", fmt.Errorf("invalid scope %q", scope)
 	}
-
 	key := s3signatureKey(secretKey, drs[0], drs[1], drs[2])
-	h := hmac.New(sha256.New, key)
-	h.Write([]byte(payload))
-	return fmt.Sprintf("%x", h.Sum(nil)), nil
+	return hashdigest(hmac.New(sha256.New, key), stringToSign), nil
 }
 
 // checks3signature verifies the given S3 V4 signature and returns the
@@ -157,11 +160,15 @@ func (h *handler) checks3signature(r *http.Request) (string, error) {
 		ctxlog.FromContext(r.Context()).WithError(err).WithField("UUID", key).Info("token lookup failed")
 		return "", errors.New("invalid access key")
 	}
-	expect, err := s3signature(s3SignAlgorithm, secret, scope, signedHeaders, r)
+	stringToSign, err := s3stringToSign(s3SignAlgorithm, scope, signedHeaders, r)
+	if err != nil {
+		return "", err
+	}
+	expect, err := s3signature(secret, scope, signedHeaders, stringToSign)
 	if err != nil {
 		return "", err
 	} else if expect != signature {
-		return "", errors.New("signature does not match")
+		return "", fmt.Errorf("signature does not match (scope %q signedHeaders %q stringToSign %q)", scope, signedHeaders, stringToSign)
 	}
 	return secret, nil
 }

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list