mirror of
https://github.com/ferdzo/fs.git
synced 2026-06-04 05:06:46 +00:00
Harden S3 auth boundaries
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent) Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
This commit is contained in:
75
auth/payload_hash_test.go
Normal file
75
auth/payload_hash_test.go
Normal file
@@ -0,0 +1,75 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestPayloadHashVerifierAllowsMatchingBody(t *testing.T) {
|
||||
body := "payload"
|
||||
req := newPayloadHashRequest(t, body, body)
|
||||
|
||||
if err := wrapPayloadHashVerifier(req); err != nil {
|
||||
t.Fatalf("wrapPayloadHashVerifier returned error: %v", err)
|
||||
}
|
||||
got, err := io.ReadAll(req.Body)
|
||||
if err != nil {
|
||||
t.Fatalf("ReadAll returned error: %v", err)
|
||||
}
|
||||
if string(got) != body {
|
||||
t.Fatalf("unexpected body: got %q want %q", string(got), body)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPayloadHashVerifierRejectsMismatchedBody(t *testing.T) {
|
||||
req := newPayloadHashRequest(t, "signed-payload", "actual-payload")
|
||||
|
||||
if err := wrapPayloadHashVerifier(req); err != nil {
|
||||
t.Fatalf("wrapPayloadHashVerifier returned error: %v", err)
|
||||
}
|
||||
_, err := io.ReadAll(req.Body)
|
||||
if !errors.Is(err, ErrSignatureDoesNotMatch) {
|
||||
t.Fatalf("ReadAll error = %v, want ErrSignatureDoesNotMatch", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPayloadSigningRejectsSignedStreamingMode(t *testing.T) {
|
||||
req, err := http.NewRequest(http.MethodPut, "http://example.com/b/k", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
req.Header.Set("x-amz-content-sha256", "STREAMING-AWS4-HMAC-SHA256-PAYLOAD")
|
||||
|
||||
err = validatePayloadSigningMode(req, &sigV4Input{})
|
||||
if !errors.Is(err, ErrAuthorizationHeaderMalformed) {
|
||||
t.Fatalf("validatePayloadSigningMode error = %v, want ErrAuthorizationHeaderMalformed", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestPayloadSigningAllowsUnsignedStreamingMode(t *testing.T) {
|
||||
req, err := http.NewRequest(http.MethodPut, "http://example.com/b/k", nil)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
req.Header.Set("x-amz-content-sha256", "STREAMING-UNSIGNED-PAYLOAD-TRAILER")
|
||||
|
||||
if err := validatePayloadSigningMode(req, &sigV4Input{}); err != nil {
|
||||
t.Fatalf("validatePayloadSigningMode returned error: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func newPayloadHashRequest(t *testing.T, signedBody, actualBody string) *http.Request {
|
||||
t.Helper()
|
||||
req, err := http.NewRequest(http.MethodPut, "http://example.com/b/k", strings.NewReader(actualBody))
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
sum := sha256.Sum256([]byte(signedBody))
|
||||
req.Header.Set("x-amz-content-sha256", hex.EncodeToString(sum[:]))
|
||||
return req
|
||||
}
|
||||
Reference in New Issue
Block a user