fix signature check when content length not included

cmd/versitygw/main.go

@@ -34,6 +34,7 @@ var (
 	adminSecret       string
 	region            string
 	certFile, keyFile string
+	debug             bool
 )
 
 var (
@@ -119,6 +120,11 @@ func initFlags() []cli.Flag {
 			Usage:       "TLS key file",
 			Destination: &keyFile,
 		},
+		&cli.BoolFlag{
+			Name:        "debug",
+			Usage:       "enable debug output",
+			Destination: &debug,
+		},
 	}
 }
 
@@ -145,6 +151,10 @@ func runGateway(be backend.Backend) error {
 		opts = append(opts, s3api.WithTLS(cert))
 	}
 
+	if debug {
+		opts = append(opts, s3api.WithDebug())
+	}
+
 	srv, err := s3api.New(app, be, port,
 		middlewares.AdminConfig{
 			AdminAccess: adminAccess,

go.mod

@@ -5,6 +5,7 @@ go 1.20
 require (
 	github.com/aws/aws-sdk-go-v2 v1.18.0
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.33.1
+	github.com/aws/smithy-go v1.13.5
 	github.com/gofiber/fiber/v2 v2.46.0
 	github.com/google/uuid v1.3.0
 	github.com/pkg/xattr v0.4.9
@@ -23,7 +24,6 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.28 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.14.2 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/klauspost/compress v1.16.5 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect

s3api/middlewares/authentication.go

@@ -17,11 +17,13 @@ package middlewares
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"os"
 	"strings"
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
+	"github.com/aws/smithy-go/logging"
 	"github.com/gofiber/fiber/v2"
 	"github.com/versity/versitygw/backend/auth"
 	"github.com/versity/versitygw/s3api/controllers"
@@ -39,7 +41,7 @@ type AdminConfig struct {
 	Region      string
 }
 
-func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler {
+func VerifyV4Signature(config AdminConfig, iam auth.IAMService, debug bool) fiber.Handler {
 	acct := accounts{
 		admin: config,
 		iam:   iam,
@@ -115,8 +117,10 @@ func VerifyV4Signature(config AdminConfig, iam auth.IAMService) fiber.Handler {
 			AccessKeyID:     creds[0],
 			SecretAccessKey: secret,
 		}, req, hexPayload, creds[3], config.Region, tdate, func(options *v4.SignerOptions) {
-			//options.LogSigning = true
-			//options.Logger = logging.NewStandardLogger(os.Stdout)
+			if debug {
+				options.LogSigning = true
+				options.Logger = logging.NewStandardLogger(os.Stderr)
+			}
 		})
 		if signErr != nil {
 			return controllers.Responce[any](ctx, nil, s3err.GetAPIError(s3err.ErrInternalError))

s3api/server.go

@@ -30,6 +30,7 @@ type S3ApiServer struct {
 	router  *S3ApiRouter
 	port    string
 	cert    *tls.Certificate
+	debug   bool
 }
 
 func New(app *fiber.App, be backend.Backend, port string, adminUser middlewares.AdminConfig, iam auth.IAMService, opts ...Option) (*S3ApiServer, error) {
@@ -44,7 +45,7 @@ func New(app *fiber.App, be backend.Backend, port string, adminUser middlewares.
 		opt(server)
 	}
 
-	app.Use(middlewares.VerifyV4Signature(adminUser, iam))
+	app.Use(middlewares.VerifyV4Signature(adminUser, iam, server.debug))
 	app.Use(logger.New())
 	app.Use(middlewares.VerifyMD5Body())
 	server.router.Init(app, be)
@@ -59,6 +60,11 @@ func WithTLS(cert tls.Certificate) Option {
 	return func(s *S3ApiServer) { s.cert = &cert }
 }
 
+// WithDebug sets debug output
+func WithDebug() Option {
+	return func(s *S3ApiServer) { s.debug = true }
+}
+
 func (sa *S3ApiServer) Serve() (err error) {
 	if sa.cert != nil {
 		return sa.app.ListenTLSWithCertificate(sa.port, *sa.cert)

s3api/utils/utils.go

@@ -54,6 +54,12 @@ func CreateHttpRequestFromCtx(ctx *fiber.Ctx, signedHdrs []string) (*http.Reques
 		}
 	})
 
+	// Check if Content-Length in signed headers
+	// If content length is non 0, then the header will be included
+	if !includeHeader("Content-Length", signedHdrs) {
+		httpReq.ContentLength = 0
+	}
+
 	// Set the Host header
 	httpReq.Host = string(req.Header.Host())