fm-cdera commented on code in PR #9343:
URL: https://github.com/apache/ozone/pull/9343#discussion_r2594259205
##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3/signature/AWSSignatureProcessor.java:
##########
@@ -89,13 +99,56 @@ public SignatureInfo parseSignature() throws OS3Exception {
}
}
if (signatureInfo == null) {
- signatureInfo = new SignatureInfo.Builder(Version.NONE).build();
+ signatureInfo = new
SignatureInfo.Builder(Version.NONE).setService("s3").build();
}
+ String payloadHash = getPayloadHash(headers, signatureInfo);
+ signatureInfo.setPayloadHash(payloadHash);
signatureInfo.setUnfilteredURI(
context.getUriInfo().getRequestUri().getPath());
return signatureInfo;
}
+ private String getPayloadHash(Map<String, String> headers, SignatureInfo
signatureInfo)
+ throws OS3Exception, NoSuchAlgorithmException, IOException {
+ if (signatureInfo.getVersion() == Version.V2) {
+ return "";
+ }
+ if (signatureInfo.getService().equals("s3")) {
+ if (!signatureInfo.isSignPayload()) {
+ // According to AWS Signature V4 documentation using Query Parameters
+ //
https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
+ return UNSIGNED_PAYLOAD;
+ }
+ String contentSignatureHeaderValue = headers.get(X_AMZ_CONTENT_SHA256);
+ // According to AWS Signature V4 documentation using Authorization Header
+ //
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
+ // The x-amz-content-sha256 header is required
+ // for all AWS Signature Version 4 requests using Authorization header.
+ if (contentSignatureHeaderValue == null) {
+ LOG.error("The request must include " + X_AMZ_CONTENT_SHA256
+ + " header for signed payload");
+ throw S3_AUTHINFO_CREATION_ERROR;
+ }
+ // Simply return the header value of x-amz-content-sha256 as the payload
hash
+ // These are the possible cases:
+ // 1. Actual payload checksum for single chunk upload
+ // 2. Unsigned payloads for multiple chunks upload
+ // - UNSIGNED-PAYLOAD
+ // - STREAMING-UNSIGNED-PAYLOAD-TRAILER
+ // 3. Signed payloads for multiple chunks upload
+ // - STREAMING-AWS4-HMAC-SHA256-PAYLOAD
+ // - STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER
+ // - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD
+ // - STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER
+ return contentSignatureHeaderValue;
+ }
+ InputStream in = context.getEntityStream();
+ byte[] body = readAllBytes(in);
+ String payloadHash =
Hex.encode(MessageDigest.getInstance("SHA-256").digest(body));
+ context.setEntityStream(new ByteArrayInputStream(body));
+ return payloadHash;
Review Comment:
it doesn't appear the previous `getPayloadHash()` method was reading all the
bytes into memory - curious what is the reason we are doing that now?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
