From bca3ca3e2e183072747e9b7bddd8ff8a04d8ea2f Mon Sep 17 00:00:00 2001
From: Sydonian <794346190@qq.com>
Date: Tue, 11 Mar 2025 14:35:21 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E6=97=B6=E9=97=B4=E6=88=B3?= =?UTF-8?q?=E6=A3=80=E6=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 client/internal/http/aws_auth.go | 40 +++++++++++++++++++++-----------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/client/internal/http/aws_auth.go b/client/internal/http/aws_auth.go
index 71a4a95..6303175 100644
--- a/client/internal/http/aws_auth.go
+++ b/client/internal/http/aws_auth.go
@@ -66,6 +66,17 @@ func (a *AWSAuth) Auth(c *gin.Context) {
 		return
 	}
 
+	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
+	if err != nil {
+		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
+		return
+	}
+
+	if time.Now().After(timestamp.Add(5 * time.Minute)) {
+		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))
+		return
+	}
+
 	payloadHash := sha256.Sum256(body)
 	hexPayloadHash := hex.EncodeToString(payloadHash[:])
 
@@ -79,12 +90,7 @@ func (a *AWSAuth) Auth(c *gin.Context) {
 		verifyReq.Header.Add(h, c.Request.Header.Get(h))
 	}
 	verifyReq.Host = c.Request.Host
-
-	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
-	if err != nil {
-		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
-		return
-	}
+	verifyReq.ContentLength = c.Request.ContentLength
 
 	signer := v4.NewSigner()
 	err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp)
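Review bot: The freshness check inserted before `payloadHash` bounds the timestamp in one direction only; `time.Now().After(timestamp.Add(5 * time.Minute))` rejects an X-Amz-Date more than five minutes in the past but accepts one arbitrarily far in the future, so a request signed with such a date never expires under this check and the window should be enforced on both sides. The same ten-line block is pasted into AuthWithoutBody in the `@@ -118,6 +125,17 @@` hunk with the five-minute literal repeated, so a shared helper with a named constant would keep the two handlers in step; the sketch below also documents that within the window the check alone is not a replay guard, which is worth stating in a comment if that is the accepted design. The enclosing Auth function starts before this hunk and continues after it.

```go
// maxAmzDateSkew bounds how far X-Amz-Date may differ from the server clock in either direction.
const maxAmzDateSkew = 5 * time.Minute

// checkAmzDate parses X-Amz-Date and aborts the request with 400 when the header is
// malformed or outside ±maxAmzDateSkew; ok is false when the request was aborted.
// It does not by itself detect resubmission of an unmodified request inside the window.
func checkAmzDate(c *gin.Context) (time.Time, bool) {
	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
	if err != nil {
		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
		return time.Time{}, false
	}
	now := time.Now()
	if timestamp.Before(now.Add(-maxAmzDateSkew)) || timestamp.After(now.Add(maxAmzDateSkew)) {
		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))
		return time.Time{}, false
	}
	return timestamp, true
}

// … in Auth (and AuthWithoutBody), replacing the two inserted blocks:
timestamp, ok := checkAmzDate(c)
if !ok {
	return
}
// … unchanged: payloadHash and verifyReq construction …
```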
@@ -96,6 +102,7 @@ func (a *AWSAuth) Auth(c *gin.Context) {
 
 	verifySig := getSignatureFromAWSHeader(verifyReq)
 	if !strings.EqualFold(verifySig, reqSig) {
+		logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig)
 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))
 		return
 	}
@@ -118,6 +125,17 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
 		return
 	}
 
+	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
+	if err != nil {
+		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
+		return
+	}
+
+	if time.Now().After(timestamp.Add(5 * time.Minute)) {
+		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))
+		return
+	}
+
 	// 构造验签用的请求
 	verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)
 	if err != nil {
@@ -128,12 +146,7 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
 		verifyReq.Header.Add(h, c.Request.Header.Get(h))
 	}
 	verifyReq.Host = c.Request.Host
-
-	timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
-	if err != nil {
-		c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
-		return
-	}
+	verifyReq.ContentLength = c.Request.ContentLength
 
 	err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp)
 
@@ -144,7 +157,8 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
 	}
 
 	verifySig := getSignatureFromAWSHeader(verifyReq)
-	if strings.EqualFold(verifySig, reqSig) {
+	if !strings.EqualFold(verifySig, reqSig) {
+		logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig)
 		c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))
 		return
 	}
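Review bot: The new `logger.Warnf` writes the server-computed signature `verifySig` in full for a request that failed verification; that value is the correct SigV4 signature for the request exactly as received, so the warning log becomes a store of valid signatures for those requests for as long as their X-Amz-Date stays inside the accepted window, and log readers are rarely meant to hold that. Logging the lengths alone is enough to diagnose the usual encoding or header-set mismatches, e.g. `logger.Warnf("signature mismatch, received %d bytes, computed %d bytes", len(reqSig), len(verifySig))`, with a short prefix of each at most if a length-equal mismatch ever needs triage. The labels are also inverted relative to the variables: `reqSig` is what the client sent (the actual value) and `verifySig` is what the server expected. The identical line is added to AuthWithoutBody in the `@@ -144,7 +157,8 @@` hunk, where the condition is also un-inverted; that behavioural fix is not mentioned in the subject and deserves a sentence in the commit description. Auth continues on both sides of this hunk.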