utils/aws: Omit datestamp expiration checks when not needed
The signing code is used in two ways -- by alternator to verify an incoming signed request and by the S3 client to prepare a signed request. In the former case the date expiration check is performed, but for the latter it is not required, because the date stamp is most likely now (or close to it). So this patch makes the orig_datestamp argument optional, meaning that expiration checks can be omitted. Signed-off-by: Pavel Emelyanov <xemul@scylladb.com>
@@ -76,19 +76,21 @@ void check_expiry(std::string_view signature_date) {
|
||||
|
||||
std::string get_signature(std::string_view access_key_id, std::string_view secret_access_key,
|
||||
std::string_view host, std::string_view canonical_uri, std::string_view method,
|
||||
std::string_view orig_datestamp, std::string_view signed_headers_str, const std::map<std::string_view, std::string_view>& signed_headers_map,
|
||||
std::optional<std::string_view> orig_datestamp, std::string_view signed_headers_str, const std::map<std::string_view, std::string_view>& signed_headers_map,
|
||||
const std::vector<temporary_buffer<char>>* body_content, std::string_view region, std::string_view service, std::string_view query_string) {
|
||||
auto amz_date_it = signed_headers_map.find("x-amz-date");
|
||||
if (amz_date_it == signed_headers_map.end()) {
|
||||
throw std::runtime_error("X-Amz-Date header is mandatory for signature verification");
|
||||
}
|
||||
std::string_view amz_date = amz_date_it->second;
|
||||
check_expiry(amz_date);
|
||||
std::string_view datestamp = amz_date.substr(0, 8);
|
||||
if (datestamp != orig_datestamp) {
|
||||
throw std::runtime_error(
|
||||
format("X-Amz-Date date does not match the provided datestamp. Expected {}, got {}",
|
||||
orig_datestamp, datestamp));
|
||||
if (orig_datestamp) {
|
||||
check_expiry(amz_date);
|
||||
if (datestamp != *orig_datestamp) {
|
||||
throw std::runtime_error(
|
||||
format("X-Amz-Date date does not match the provided datestamp. Expected {}, got {}",
|
||||
*orig_datestamp, datestamp));
|
||||
}
|
||||
}
|
||||
|
||||
std::stringstream canonical_headers;
|
||||
|
||||
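Review bot: In `get_signature`, the new `if (orig_datestamp)` branch gates both `check_expiry(amz_date)` and the datestamp comparison, so a verifying caller that passes `std::nullopt` silently loses the expiry check and the date match; before this change the expiry check ran unconditionally. The skip is selected by the absence of a value rather than by an explicit request, so the verification path fails open if the datestamp is ever dropped upstream. I would at least state the contract at the branch, e.g. `// nullopt is only for requests we sign ourselves; verifiers must always pass the datestamp`, and confirm that the alternator call site cannot produce an empty optional. The body of `get_signature` continues past the end of the hunk.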
@@ -31,11 +31,13 @@ namespace aws {
|
||||
|
||||
std::string get_signature(std::string_view access_key_id, std::string_view secret_access_key,
|
||||
std::string_view host, std::string_view canonical_uri, std::string_view method,
|
||||
std::string_view orig_datestamp, std::string_view signed_headers_str, const std::map<std::string_view, std::string_view>& signed_headers_map,
|
||||
std::optional<std::string_view> orig_datestamp, std::string_view signed_headers_str, const std::map<std::string_view, std::string_view>& signed_headers_map,
|
||||
const std::vector<temporary_buffer<char>>* body_content, std::string_view region, std::string_view service, std::string_view query_string);
|
||||
|
||||
// Convenience alias not to pass obscure nullptr argument to get_signature()
|
||||
static inline constexpr std::vector<temporary_buffer<char>>* unsigned_content = nullptr;
|
||||
// Same for datestamp checking
|
||||
static inline auto omit_datestamp_expiration_check = std::nullopt;
|
||||
|
||||
} // aws namespace
|
||||
} // utils namespace
|
||||
|
||||
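Review bot: `omit_datestamp_expiration_check` is declared `static inline auto`, which makes it a non-const `std::nullopt_t` object in a header, unlike `unsigned_content` just above it, which is `constexpr`; `static inline constexpr auto omit_datestamp_expiration_check = std::nullopt;` would match. The name and the `// Same for datestamp checking` comment also understate the effect, because in the implementation passing it skips the X-Amz-Date/datestamp comparison as well as the expiry check. The comment should say so, e.g. `// Skips both the expiry check and the datestamp match; only for requests signed locally`. Whether `<optional>` is included by this header is not visible in the hunk.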