JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
Browse Source

增加时间戳检查

gitlink
Sydonian 1 year ago
parent
6488b47e6a
commit
bca3ca3e2e
1 changed files with 27 additions and 13 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +27
    -13
      client/internal/http/aws_auth.go

+ 27
- 13
client/internal/http/aws_auth.go View File

@@ -66,6 +66,17 @@ func (a *AWSAuth) Auth(c *gin.Context) {
return return
} }


timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
return
}

if time.Now().After(timestamp.Add(5 * time.Minute)) {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))
return
}

payloadHash := sha256.Sum256(body) payloadHash := sha256.Sum256(body)
hexPayloadHash := hex.EncodeToString(payloadHash[:]) hexPayloadHash := hex.EncodeToString(payloadHash[:])


@@ -79,12 +90,7 @@ func (a *AWSAuth) Auth(c *gin.Context) {
verifyReq.Header.Add(h, c.Request.Header.Get(h)) verifyReq.Header.Add(h, c.Request.Header.Get(h))
} }
verifyReq.Host = c.Request.Host verifyReq.Host = c.Request.Host

timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
return
}
verifyReq.ContentLength = c.Request.ContentLength


signer := v4.NewSigner() signer := v4.NewSigner()
err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp) err = signer.SignHTTP(context.TODO(), a.cred, verifyReq, hexPayloadHash, AuthService, AuthRegion, timestamp)
@@ -96,6 +102,7 @@ func (a *AWSAuth) Auth(c *gin.Context) {


verifySig := getSignatureFromAWSHeader(verifyReq) verifySig := getSignatureFromAWSHeader(verifyReq)
if !strings.EqualFold(verifySig, reqSig) { if !strings.EqualFold(verifySig, reqSig) {
logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig)
c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch")) c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))
return return
} }
@@ -118,6 +125,17 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
return return
} }


timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
return
}

if time.Now().After(timestamp.Add(5 * time.Minute)) {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "X-Amz-Date is expired"))
return
}

// 构造验签用的请求 // 构造验签用的请求
verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil) verifyReq, err := http.NewRequest(c.Request.Method, c.Request.URL.String(), nil)
if err != nil { if err != nil {
@@ -128,12 +146,7 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
verifyReq.Header.Add(h, c.Request.Header.Get(h)) verifyReq.Header.Add(h, c.Request.Header.Get(h))
} }
verifyReq.Host = c.Request.Host verifyReq.Host = c.Request.Host

timestamp, err := time.Parse("20060102T150405Z", c.GetHeader("X-Amz-Date"))
if err != nil {
c.AbortWithStatusJSON(http.StatusBadRequest, Failed(errorcode.BadArgument, "invalid X-Amz-Date header format"))
return
}
verifyReq.ContentLength = c.Request.ContentLength


err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp) err = a.signer.SignHTTP(context.TODO(), a.cred, verifyReq, "", AuthService, AuthRegion, timestamp)


@@ -144,7 +157,8 @@ func (a *AWSAuth) AuthWithoutBody(c *gin.Context) {
} }


verifySig := getSignatureFromAWSHeader(verifyReq) verifySig := getSignatureFromAWSHeader(verifyReq)
if strings.EqualFold(verifySig, reqSig) {
if !strings.EqualFold(verifySig, reqSig) {
logger.Warnf("signature mismatch, expect(%d): %s, actual(%d): %s", len(reqSig), reqSig, len(verifySig), verifySig)
c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch")) c.AbortWithStatusJSON(http.StatusOK, Failed(errorcode.Unauthorized, "signature mismatch"))
return return
} }


Write Preview
Loading…
Cancel
Save