| @@ -66,6 +66,17 @@ func (a *AWSAuth) Auth(c *gin.Context) { | |||
| return | |||
| } | |||
| timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date")) | |||
| if err != nil { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format")) | |||
| return | |||
| } | |||
| if time.Now().After(timestamp.Add(5 * time.Minute)) { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired")) | |||
| return | |||
| } | |||
| payloadHash := sha256.Sum256(body) | |||
| hexPayloadHash := hex.EncodeToString(payloadHash[:]) | |||
| @@ -79,12 +90,7 @@ func (a *AWSAuth) Auth(c *gin.Context) { | |||
| verifyReq.Header.Add(h, c.Request.Header.Get(h)) | |||
| } | |||
| verifyReq.Host = c.Request.Host | |||
| timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date")) | |||
| if err != nil { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format")) | |||
| return | |||
| } | |||
| verifyReq.ContentLength = c.Request.ContentLength | |||
| signer := v4.NewSigner() | |||
| err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp) | |||
| @@ -96,6 +102,7 @@ func (a *AWSAuth) Auth(c *gin.Context) { | |||
| verifySig := getSignatureFromAWSHeader(verifyReq) | |||
| if !strings.EqualFold(verifySig, reqSig) { | |||
| logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig) | |||
| c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch")) | |||
| return | |||
| } | |||
| @@ -118,6 +125,17 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) { | |||
| return | |||
| } | |||
| timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date")) | |||
| if err != nil { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format")) | |||
| return | |||
| } | |||
| if time.Now().After(timestamp.Add(5 * time.Minute)) { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired")) | |||
| return | |||
| } | |||
| // 构造验签用的请求 | |||
| verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil) | |||
| if err != nil { | |||
| @@ -128,12 +146,7 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) { | |||
| verifyReq.Header.Add(h, c.Request.Header.Get(h)) | |||
| } | |||
| verifyReq.Host = c.Request.Host | |||
| timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date")) | |||
| if err != nil { | |||
| c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format")) | |||
| return | |||
| } | |||
| verifyReq.ContentLength = c.Request.ContentLength | |||
| err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp) | |||
| @@ -144,7 +157,8 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) { | |||
| } | |||
| verifySig := getSignatureFromAWSHeader(verifyReq) | |||
| if strings.EqualFold(verifySig, reqSig) { | |||
| if !strings.EqualFold(verifySig, reqSig) { | |||
| logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig) | |||
| c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch")) | |||
| return | |||
| } | |||
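Review bot: The freshness check added in the `@@ -66,6 +66,17 @@` hunk of Auth, `if time.Now().After(timestamp.Add(5 * time.Minute))`, is one-sided: it rejects an X-Amz-Date more than five minutes in the past but accepts any date in the future, and because the date is an input to the signature a captured request stamped with a far-future date stays replayable until that date has passed. The same line is repeated in AuthWithoutBody (`@@ -118,6 +125,17 @@`). A two-sided skew window matches what SigV4 verifiers enforce, e.g. `if skew := time.Since(timestamp); skew > 5*time.Minute || skew < -5*time.Minute {`, preferably with the bound as a named constant shared by both handlers rather than the duplicated literal. Separately, the new `logger.Warnf` in both handlers writes the server-computed signature in full to the log; since that is the value the handler accepts for this request inside the window, log the lengths and a short prefix instead. Both Auth and AuthWithoutBody begin and end outside these hunks.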