PyPI - object-storage-proxy - Versions diffs - 0.3.0__tar.gz → 0.3.1__tar.gz - Mend

object-storage-proxy 0.3.0tar.gz → 0.3.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/Cargo.lock RENAMED Viewed

@@ -1701,7 +1701,7 @@ dependencies = [
 [[package]]
 name = "object-storage-proxy"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "async-trait",
  "chrono",

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/Cargo.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "object-storage-proxy"
-version = "0.3.0"
+version = "0.3.1"
 edition = "2024"
 [dependencies]

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: object-storage-proxy
-Version: 0.3.0
+Version: 0.3.1
 Classifier: Programming Language :: Rust
 Classifier: Programming Language :: Python :: Implementation :: CPython
 Classifier: Programming Language :: Python :: Implementation :: PyPy

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/src/credentials/signer.rs RENAMED Viewed

@@ -2,7 +2,7 @@ use chrono::{DateTime, NaiveDateTime, Utc};
 use http::header::HeaderMap;
 use pingora::{http::RequestHeader, proxy::Session};
 use sha256::digest;
-use tracing::{debug, error, info};
+use tracing::{debug, error};
 use std::{collections::HashMap, fmt};
 use url::Url;
@@ -106,7 +106,7 @@ impl<'a> AwsSign<'a, HashMap<String, String>> {
             ]
         };
-        dbg!(&url);
+        debug!("{:#?}", &url);
         let url: Url = url.parse().unwrap();
         let headers: HashMap<String, String> = headers
             .iter()
@@ -227,7 +227,7 @@ where
             signed_headers = signed_headers,
             signature = signature
         );
-        info!("sign_string: {}", sign_string);
+        debug!("sign_string: {}", sign_string);
         sign_string
     }
 }
@@ -388,122 +388,6 @@ pub(crate) async fn sign_request(
 }
-/// Validate the signature of the request
-// pub async fn signature_is_valid(
-//     auth_header: &str,
-//     session: &Session,
-//     secret_key: &str,
-// ) -> Result<bool, Box<dyn std::error::Error>> {
-//     let signed_headers_str = auth_header
-//         .split("SignedHeaders=")
-//         .nth(1)
-//         .and_then(|s| s.split(',').next())
-//         .unwrap_or("");
-//     let signed_headers: Vec<String> =
-//         signed_headers_str.split(';').map(|s| s.to_lowercase()).collect();
-//     // extract access key from Authorization header
-//     let (_, local_access_key) = parse_token_from_header(auth_header)
-//         .map_err(|_| pingora::Error::new_str("Failed to parse token"))?;
-//     let local_access_key = local_access_key.to_string();
-//     if local_access_key.is_empty() {
-//         error!("Missing access key");
-//         return Ok(false);
-//     }
-//     // extract provided signature
-//     let provided_signature = auth_header
-//         .split("Signature=")
-//         .nth(1)
-//         .ok_or_else(|| pingora::Error::new_str("Invalid Authorization header: no Signature"))?
-//         .to_string();
-//     // parse x-amz-date header
-//     let dt_header = session
-//         .req_header()
-//         .headers
-//         .get("x-amz-date")
-//         .ok_or_else(|| pingora::Error::new_str("Missing x-amz-date header"))?
-//         .to_str()?;
-//     // use NaiveDateTime then assign Utc timezone (format: %Y%m%dT%H%M%SZ)
-//     let naive = NaiveDateTime::parse_from_str(dt_header, LONG_DATETIME)
-//         .map_err(|_| {
-//             pingora::Error::new_str("invalid date")
-//         })?;
-//     let datetime = naive.and_utc();
-//     info!("parsing the region and service");
-//     let (_, (region, service)) = parse_credential_scope(auth_header)
-//         .map_err(|_| pingora::Error::new_str("Invalid Credential scope"))?;
-//     dbg!(&region);
-//     dbg!(&service);
-//     // determine payload hash header
-//     let content_sha256 = session
-//         .req_header()
-//         .headers
-//         .get("x-amz-content-sha256")
-//         .and_then(|h| h.to_str().ok())
-//         .ok_or_else(|| pingora::Error::new_str("Missing x-amz-content-sha256 header"))?;
-//     let (body_bytes, payload_override) = if content_sha256 == "UNSIGNED-PAYLOAD" {
-//         (b"UNSIGNED-PAYLOAD" as &[u8], None)
-//     } else {
-//         // we don't have the raw body here, but we do have its hash:
-//         // tell AwsSign to use this string directly
-//         (&[] as &[u8], Some(content_sha256.to_owned()))
-//     };
-//     let original_uri = session.req_header().uri.to_string();
-//     let full_url = if original_uri.starts_with('/') {
-//         let host = session
-//             .req_header()
-//             .headers
-//             .get("host")
-//             .ok_or_else(|| pingora::Error::new_str("Missing host header"))?
-//             .to_str()?;
-//         format!("https://{}{}", host, original_uri)
-//     } else {
-//         original_uri
-//     };
-//     // construct AwsSign and compute signature
-//     let method = session.req_header().method.to_string();
-//     let mut signer = AwsSign::new(
-//         &method,
-//         &full_url,
-//         &datetime,
-//         &session.req_header().headers,
-//         region,
-//         &local_access_key,
-//         &secret_key,
-//         service,
-//         body_bytes,
-//         Some(&signed_headers),
-//     );
-//     if let Some(ov) = payload_override {
-//         signer.set_payload_override(ov);
-//     }
-//     let signature = signer.sign();
-//     let computed_signature = signature
-//         .split("Signature=")
-//         .nth(1)
-//         .unwrap_or_default();
-//     info!("Provided signature: {}", provided_signature);
-//     info!("Computed signature: {}", computed_signature);
-//     Ok(computed_signature == provided_signature)
-// }
 /// Core signature validation: compares provided vs computed
 async fn signature_is_valid_core(
     method: &str,
@@ -520,7 +404,7 @@ async fn signature_is_valid_core(
     body_bytes: &[u8],
 ) -> Result<bool, Box<dyn std::error::Error>> {
     // Build AwsSign for authorization header style
-    dbg!(&headers);
+    debug!("{:#?}", &headers);
     let mut signer = AwsSign::new(
         method,
         full_url,
@@ -538,8 +422,8 @@ async fn signature_is_valid_core(
     }
     let signature = signer.sign();
     let computed = signature.split("Signature=").nth(1).unwrap_or_default();
-    info!("Provided signature: {}", provided_signature);
-    info!("Computed signature: {}", computed);
+    debug!("Provided signature: {}", provided_signature);
+    debug!("Computed signature: {}", computed);
     Ok(computed == provided_signature)
 }
@@ -653,7 +537,7 @@ pub async fn signature_is_valid_for_presigned(
     let mut url = Url::parse(&full_uri)?;
-    info!("full_url: {}", url);
+    debug!("full_url: {}", url);
     let mut provided_signature = None;
     let mut qp: Vec<(String,String)> = vec![];
     for (k, v) in url.query_pairs() {
@@ -664,7 +548,6 @@ pub async fn signature_is_valid_for_presigned(
         }
     }
     let provided_signature = provided_signature.ok_or("Missing X-Amz-Signature")?;
-    // ----------------------------------------------------------------------
     // rebuild query string without the signature
     qp.sort();
@@ -676,19 +559,15 @@ pub async fn signature_is_valid_for_presigned(
     // params map (also without the signature)
     let params: HashMap<_, _> = qp.into_iter().collect();
-    info!("params: {:?}", params);
-    info!("url: {:?}", url);
-    // Required signature and credential
-    // let provided_signature = params
-    //     .get("X-Amz-Signature")
-    //     .ok_or("Missing X-Amz-Signature")?;
-    info!("provided signature: {}", provided_signature);
+    debug!("params: {:?}", params);
+    debug!("url: {:?}", url);
+    debug!("provided signature: {}", provided_signature);
     let credential = params
         .get("X-Amz-Credential")
         .ok_or("Missing X-Amz-Credential")?;
-    info!("credential: {}", credential);
+    debug!("credential: {}", credential);
     // Parse credential: <access_key>/<date>/<region>/<service>/aws4_request
     let mut parts = credential.split('/');
@@ -697,9 +576,9 @@ pub async fn signature_is_valid_for_presigned(
     let region = parts.next().ok_or("Malformed Credential")?;
     let service = parts.next().ok_or("Malformed Credential")?;
-    info!("access_key: {}", access_key);
-    info!("region: {}", region);
-    info!("service: {}", service);
+    debug!("access_key: {}", access_key);
+    debug!("region: {}", region);
+    debug!("service: {}", service);
     // Parse date from query
     let date_str = params
@@ -707,25 +586,12 @@ pub async fn signature_is_valid_for_presigned(
         .ok_or("Missing X-Amz-Date")?;
     let datetime = NaiveDateTime::parse_from_str(date_str, LONG_DATETIME)?.and_utc();
-    info!("datetime: {}", datetime);
-    // // Determine payload override
-    // let payload_override = params
-    //     .get("X-Amz-Content-Sha256")
-    //     .filter(|v| *v != "UNSIGNED-PAYLOAD")
-    //     .map(|v| v.to_string());
-    // info!("payload_override: {:?}", payload_override);
-    // let body_bytes: &[u8] = if params.get("X-Amz-Content-Sha256")
-    //     == Some(&"UNSIGNED-PAYLOAD".to_string()) {
-    //     b"UNSIGNED-PAYLOAD"
-    // } else {
-    //     &[]
-    // };
+    debug!("datetime: {}", datetime);
     let body_bytes: &[u8] = b"UNSIGNED-PAYLOAD";
     let payload_override = None;
-    info!("body_bytes: {:?}", body_bytes);
+    debug!("body_bytes: {:?}", body_bytes);
     // Collect signed headers list
     let signed_headers = params
@@ -755,7 +621,7 @@ pub async fn signature_is_valid_for_presigned(
-    info!("signed_headers: {:?}", signed_headers);
+    debug!("signed_headers: {:?}", signed_headers);
     // Delegate to core validator
     signature_is_valid_core(
         session.req_header().method.as_str(),

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/src/lib.rs RENAMED Viewed

@@ -315,11 +315,23 @@ impl ProxyHttp for MyProxy {
             map.get(bucket).and_then(|c| c.ttl).unwrap_or(0)
         };
         let mut access_key: String = String::new();
+        if auth_header.is_empty() {
+            if let Some(q) = session.req_header().uri.query() {
+                if q.contains("X-Amz-Credential") {
+                    let (_, p) = parse_presigned_params(&format!("?{q}"))
+                        .map_err(|_| pingora::Error::new_str("Failed to parse presigned params"))?;
+                    access_key = p.access_key.clone();
+                }
+            }
+        } else {
+            access_key = parse_token_from_header(&auth_header)
+            .map_err(|_| pingora::Error::new_str("Failed to parse access_key"))?
+            .1
+            .to_string();
+        }
         let is_authorized = if let Some(py_cb) = &ctx.validator {
-            // let access_key = parse_token_from_header(&auth_header)
-            //     .map_err(|_| pingora::Error::new_str("Failed to parse access_key"))?
-            //     .1
-            //     .to_string();
             let is_multipart = session
                 .req_header()
@@ -328,7 +340,6 @@ impl ProxyHttp for MyProxy {
                 .map_or(false, |q| q.contains("uploadId="));
             info!("CHECKING SIGNATURE");
             if let Some(skip) = self.skip_signature_validation {
                 if skip || is_multipart {
@@ -341,18 +352,11 @@ impl ProxyHttp for MyProxy {
                     let uri_q = session.req_header().uri.query().unwrap_or("");
                     if auth_header.is_empty() && uri_q.contains("X-Amz-Signature") {
-                        let full_q = format!("?{uri_q}");
                         ctx.is_presigned = Some(true);
-                        let (_, presigned_params) = parse_presigned_params(&full_q)
-                            .map_err(|_| pingora::Error::new_str("Failed to parse presigned params"))?;
-                        access_key = presigned_params.access_key.clone();
-                        // let access_key = parse_credential_scope(uri_q)
-                        //     .map_err(|_| pingora::Error::new_str("Failed to parse access_key"))?
-                        //     .1
-                        //     .to_string();
                         // ensure we have the secret_key in the keystore
                         if !ctx.hmac_keystore.read().await.contains_key(&access_key) {
-                            info!("No key in keystore, trying to fetch via hmac_fetche for ->{}<-", access_key);
+                            debug!("No key in keystore, trying to fetch via hmac_fetcher for ->{}<-", access_key);
                             // fetch via hmac_fetcher exactly as you do below…
                             if let Some(py_fetcher) = &ctx.hmac_fetcher {
                                 // call Python callback
@@ -361,10 +365,10 @@ impl ProxyHttp for MyProxy {
                                     cb.call1(py, (&access_key,))
                                       .and_then(|r| r.extract(py))
                                 });
-                                info!("Got secret: {:#?}", secret);
+                                debug!("Got secret: {:#?}", secret);
                                 match secret {
                                     Ok(secret_key) => {
-                                        info!("got key and inserting into keystore");
+                                        debug!("got key and inserting into keystore");
                                         ctx.hmac_keystore.write().await.insert(access_key.clone().to_string(), secret_key);
                                     }
                                     Err(_) => {
@@ -379,9 +383,11 @@ impl ProxyHttp for MyProxy {
                             }
                         }
-                        info!("now checking if the signature is valid for presigned...");
+                        debug!("now checking if the signature is valid for presigned...");
                         let sk = ctx.hmac_keystore.read().await.get(&access_key).unwrap().clone();
-                        info!("got secret {} from keystore", sk);
+                        debug!("got secret {} from keystore", sk);
+                        debug!("RAW_PATH       = {}", &session.req_header().uri);
+                        debug!("RAW_HOST_HDR   = {:?}", &session.req_header().headers.get("host"));
                         let ok = match signature_is_valid_for_presigned(&session, &sk).await {
                             Ok(b)  => b,
                             Err(e) => {
@@ -396,11 +402,6 @@ impl ProxyHttp for MyProxy {
                         }
                     } else {
                     info!("processing a regular request");
-                    // hmac request
-                    access_key = parse_token_from_header(&auth_header)
-                        .map_err(|_| pingora::Error::new_str("Failed to parse access_key"))?
-                        .1
-                        .to_string();
                     let has_key = {
                         let map = ctx.hmac_keystore.read().await;
@@ -463,7 +464,7 @@ impl ProxyHttp for MyProxy {
             }
             info!("Signature check passed, continuing now onto the bespoke validation");
             let cache_key = format!("{}:{}", &access_key, bucket);
-            info!("Cache key: {}", cache_key);
+            debug!("Cache key: {}", cache_key);
             let bucket_clone = bucket.to_string();
             let callback_clone: PyObject = Python::with_gil(|py| py_cb.clone_ref(py));
@@ -494,11 +495,8 @@ impl ProxyHttp for MyProxy {
             let map = ctx.cos_mapping.read().await;
             map.get(&hdr_bucket).cloned()
         };
-        // access_key = parse_token_from_header(&auth_header)
-        //     .map_err(|_| pingora::Error::new_str("Failed to parse access_key"))?
-        //     .1
-        //     .to_string();
-        info!("Access key: {}", &access_key);
+        debug!("Access key: {}", &access_key);
         // we have to check for some available credentials here to be able to return unauthorized already if not
         match bucket_config.clone() {
@@ -728,7 +726,7 @@ pub fn run_server(py: Python, run_args: &ProxyServerConfig) {
         parse_hmac_list(py, &run_args.hmac_keystore).unwrap_or(HashMap::new())
     };
-    info!("HMAC keys: {:#?}", &local_hmac_map);
+    debug!("HMAC keys: {:#?}", &local_hmac_map);
     let cosmap = Arc::new(RwLock::new(parse_cos_map(py, &run_args.cos_map).unwrap()));
     let hmac_keystore = Arc::new(RwLock::new(local_hmac_map));

{object_storage_proxy-0.3.0 → object_storage_proxy-0.3.1}/src/parsers/credentials.rs RENAMED Viewed

@@ -37,15 +37,15 @@ pub fn parse_credential_scope(input: &str) -> IResult<&str, (&str, &str)> {
 #[derive(Debug, PartialEq)]
 pub struct PresignedParams {
-    pub algorithm: String,        // X-Amz-Algorithm
-    pub access_key: String,       // from X-Amz-Credential
-    pub credential_date: String,  // from X-Amz-Credential
-    pub region: String,           // from X-Amz-Credential
-    pub service: String,          // from X-Amz-Credential
-    pub amz_date: String,         // X-Amz-Date
-    pub expires: String,          // X-Amz-Expires
-    pub signed_headers: String,   // X-Amz-SignedHeaders
-    pub signature: String,        // X-Amz-Signature
+    pub algorithm: String,
+    pub access_key: String,
+    pub credential_date: String,
+    pub region: String,
+    pub service: String,
+    pub amz_date: String,
+    pub expires: String,
+    pub signed_headers: String,
+    pub signature: String,
 }
 /// key chars: letters, digits, dash, dot