s3-orchestrator

auth

import "github.com/afreidah/s3-orchestrator/internal/transport/auth"

Package auth provides S3 SigV4 (header and presigned URL) and token-based request authentication with multi-bucket credential resolution.

Constants

MaxChunkBytes is the largest single declared chunk size accepted by the reader. AWS SDKs use 64 KiB by default; the cap defends against adversarial declarations of huge chunks that would never be delivered.

const MaxChunkBytes = 16 * 1024 * 1024

Variables

ErrChunkMalformed indicates the chunk framing did not parse: missing CRLF, malformed hex, missing chunk-signature, premature EOF, etc. Maps to S3 InvalidRequest.

var ErrChunkMalformed = errors.New("malformed chunk framing")

ErrChunkSignatureMismatch indicates a per-chunk signature did not match the value computed from the chain. Maps to S3 SignatureDoesNotMatch.

var ErrChunkSignatureMismatch = errors.New("chunk signature mismatch")

ErrChunkTooLarge indicates a declared chunk size exceeded MaxChunkBytes. Maps to S3 InvalidRequest.

var ErrChunkTooLarge = errors.New("chunk size exceeds limit")

ErrDecodedLengthMismatch indicates the running total of chunk bytes disagreed with x-amz-decoded-content-length. Maps to S3 IncompleteBody.

var ErrDecodedLengthMismatch = errors.New("decoded length does not match declared")

ErrTrailerMalformed indicates the trailer block did not parse: missing declared trailer header, missing trailer signature, oversized block. Maps to S3 InvalidRequest.

var ErrTrailerMalformed = errors.New("malformed trailer block")

ErrTrailerSignatureMismatch indicates the trailer block’s signature did not match the value computed from the chain. Maps to S3 SignatureDoesNotMatch.

var ErrTrailerSignatureMismatch = errors.New("trailer signature mismatch")

func NewChunkReader

func NewChunkReader(body io.ReadCloser, mat *StreamingMaterial) io.ReadCloser

NewChunkReader wraps body with a verifying decoder. The returned reader yields decoded user payload bytes only; chunk framing is consumed and validated as part of each Read. After EOF the reader has fully verified the chain, including the trailer block where applicable. mat is taken by pointer to avoid copying the embedded signing key on every request.
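The chain the reader verifies, as an added worked example written for this page (it is not the project's NewChunkReader, and every name in it is hypothetical): the block implements the STREAMING-AWS4-HMAC-SHA256-PAYLOAD framing for the StreamingSigned variant only, with the trailer variants left out. The signing key, seed signature, date and scope stand in for the fields of StreamingMaterial, and the encoder exists only to construct a sample body. Each chunk's signature is HMAC-SHA256 over "AWS4-HMAC-SHA256-PAYLOAD", the date, the scope, the previous signature (the seed for the first chunk), the hash of the empty string and the hash of the chunk data, so a tampered chunk, a wrong seed, an oversized declaration, a truncated body and an early zero-size chunk each fail with the error the package maps to the matching S3 code.

```go
package main // added example for this page; not code from the s3-orchestrator project

import (
	"bufio"
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Local mirrors of the package's cap and sentinel errors, so the example stands alone.
const maxChunkBytes = 16 * 1024 * 1024

var (
	errChunkMalformed         = errors.New("malformed chunk framing")
	errChunkSignatureMismatch = errors.New("chunk signature mismatch")
	errChunkTooLarge          = errors.New("chunk size exceeds limit")
	errDecodedLengthMismatch  = errors.New("decoded length does not match declared")
)

// chunkSignature is HMAC-SHA256(signingKey, chunk string-to-sign). prevSig is the seed
// signature for the first chunk, which is what binds the stream to the verified header.
func chunkSignature(signingKey []byte, amzDate, credScope, prevSig string, chunk []byte) string {
	empty, data := sha256.Sum256(nil), sha256.Sum256(chunk)
	sts := strings.Join([]string{"AWS4-HMAC-SHA256-PAYLOAD", amzDate, credScope, prevSig,
		hex.EncodeToString(empty[:]), hex.EncodeToString(data[:])}, "\n")
	m := hmac.New(sha256.New, signingKey)
	m.Write([]byte(sts))
	return hex.EncodeToString(m.Sum(nil))
}

// EncodeSignedChunks is the client side; it exists here only to build sample bodies.
func EncodeSignedChunks(signingKey []byte, amzDate, credScope, seedSig string, payload []byte, chunkSize int) []byte {
	var out bytes.Buffer
	prev := seedSig
	for len(payload) > 0 {
		n := chunkSize
		if n > len(payload) {
			n = len(payload)
		}
		sig := chunkSignature(signingKey, amzDate, credScope, prev, payload[:n])
		fmt.Fprintf(&out, "%x;chunk-signature=%s\r\n%s\r\n", n, sig, payload[:n])
		prev, payload = sig, payload[n:]
	}
	// The zero-size chunk is signed as well and terminates the chain (no trailer in this variant).
	fmt.Fprintf(&out, "0;chunk-signature=%s\r\n\r\n", chunkSignature(signingKey, amzDate, credScope, prev, nil))
	return out.Bytes()
}

// DecodeSignedChunks verifies a STREAMING-AWS4-HMAC-SHA256-PAYLOAD body and returns only the
// user payload. The cap is checked before allocating, so "ffffffff;chunk-signature=..." costs nothing.
func DecodeSignedChunks(body io.Reader, signingKey []byte, amzDate, credScope, seedSig string, decodedLen int64) ([]byte, error) {
	r := bufio.NewReader(body)
	var payload bytes.Buffer
	total, prev := int64(0), seedSig
	for {
		line, err := r.ReadString('\n')
		if err != nil || !strings.HasSuffix(line, "\r\n") {
			return nil, errChunkMalformed
		}
		sizeHex, sig, ok := strings.Cut(strings.TrimSuffix(line, "\r\n"), ";chunk-signature=")
		size, perr := strconv.ParseUint(sizeHex, 16, 64)
		if !ok || len(sig) != 64 || perr != nil {
			return nil, errChunkMalformed
		}
		if size > maxChunkBytes {
			return nil, errChunkTooLarge
		}
		chunk := make([]byte, size+2) // data plus the CRLF that must follow it
		if _, err := io.ReadFull(r, chunk); err != nil || string(chunk[size:]) != "\r\n" {
			return nil, errChunkMalformed
		}
		chunk = chunk[:size]
		want := chunkSignature(signingKey, amzDate, credScope, prev, chunk)
		if !hmac.Equal([]byte(want), []byte(sig)) { // constant-time compare
			return nil, errChunkSignatureMismatch
		}
		if size == 0 {
			break
		}
		prev, total = want, total+int64(size)
		payload.Write(chunk) // only appended after this chunk's signature verified
	}
	if total != decodedLen {
		return nil, errDecodedLengthMismatch
	}
	return payload.Bytes(), nil
}

func main() {
	key := []byte("constructed-signing-key") // stands in for StreamingMaterial.SigningKey
	const date, scope = "20240101T000000Z", "20240101/us-east-1/s3/aws4_request"
	body := EncodeSignedChunks(key, date, scope, "seedsig", []byte("hello streaming world"), 8)
	got, err := DecodeSignedChunks(bytes.NewReader(body), key, date, scope, "seedsig", 21)
	fmt.Printf("%q %v\n", got, err) // "hello streaming world" <nil>
}
```

Order matters in the decoder: the size cap is checked before the chunk buffer is allocated, the signature is compared with hmac.Equal, and bytes reach the payload only after their chunk verifies, so a caller never sees data whose signature has not been checked. The example buffers the whole payload for clarity; the io.ReadCloser returned by NewChunkReader does the same validation incrementally per Read.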

func VerifySigV4

func VerifySigV4(r *http.Request, accessKeyID, secretAccessKey string) error

VerifySigV4 checks an AWS Signature Version 4 Authorization header against the provided credentials. The caller is responsible for resolving the correct credentials via BucketRegistry. Returns nil if the signature is valid.
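The header check itself, as an added example written for this page (not the project's VerifySigV4; all function names are hypothetical, and SignRequest exists only to construct a sample request): parse the Authorization header, rebuild the canonical request over exactly the SignedHeaders the client listed, derive the signing key from the credential scope with the credentials the caller resolved, and compare in constant time.

```go
package main // added example for this page; not code from the s3-orchestrator project

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// canonicalRequest covers exactly the headers the client listed in SignedHeaders; anything
// outside that list is unauthenticated input and must not influence the authorization decision.
func canonicalRequest(r *http.Request, signed []string) string {
	var query []string
	for k, vs := range r.URL.Query() {
		for _, v := range vs { // RFC 3986 form: %20 rather than '+', '~' left unescaped
			query = append(query, strings.ReplaceAll(url.QueryEscape(k)+"="+url.QueryEscape(v), "+", "%20"))
		}
	}
	sort.Strings(query) // bytewise order of the encoded name=value pairs
	var hdrs strings.Builder
	for _, h := range signed {
		v := r.Header.Get(h)
		if h == "host" { // Go keeps the Host header in r.Host, not in r.Header
			v = r.Host
		}
		hdrs.WriteString(h + ":" + strings.TrimSpace(v) + "\n")
	}
	path := "/" + strings.TrimPrefix(r.URL.EscapedPath(), "/")
	return strings.Join([]string{r.Method, path, strings.Join(query, "&"), hdrs.String(),
		strings.Join(signed, ";"), r.Header.Get("X-Amz-Content-Sha256")}, "\n")
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// deriveSigningKey is the kSecret -> kDate -> kRegion -> kService -> kSigning chain; the same
// key later signs every chunk of a streaming upload (StreamingMaterial.SigningKey).
func deriveSigningKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// signature hashes the canonical request into the string-to-sign and signs that.
func signature(signingKey []byte, amzDate, scope, canonical string) string {
	sum := sha256.Sum256([]byte(canonical))
	sts := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hex.EncodeToString(sum[:])}, "\n")
	return hex.EncodeToString(hmacSHA256(signingKey, sts))
}

// VerifyHeaderSigV4 recomputes the signature under credentials the caller already resolved
// from the Credential field's access key ID, and compares the two in constant time.
func VerifyHeaderSigV4(r *http.Request, accessKeyID, secret string) error {
	fields := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(r.Header.Get("Authorization"), "AWS4-HMAC-SHA256 "), ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
		fields[k] = v
	}
	akid, scope, _ := strings.Cut(fields["Credential"], "/")
	parts := strings.Split(scope, "/") // date/region/service/aws4_request
	if akid != accessKeyID || len(parts) != 4 || parts[3] != "aws4_request" {
		return fmt.Errorf("bad Credential field")
	}
	if r.Header.Get("X-Amz-Content-Sha256") == "" {
		return fmt.Errorf("x-amz-content-sha256 header absent")
	}
	canon := canonicalRequest(r, strings.Split(fields["SignedHeaders"], ";"))
	want := signature(deriveSigningKey(secret, parts[0], parts[1], parts[2]), r.Header.Get("X-Amz-Date"), scope, canon)
	if !hmac.Equal([]byte(want), []byte(fields["Signature"])) {
		return fmt.Errorf("SignatureDoesNotMatch")
	}
	return nil
}

// SignRequest is the client side; it exists only to construct a sample request.
func SignRequest(r *http.Request, accessKeyID, secret, region string) {
	amzDate := r.Header.Get("X-Amz-Date")
	scope := amzDate[:8] + "/" + region + "/s3/aws4_request"
	signed := "host;x-amz-content-sha256;x-amz-date"
	canon := canonicalRequest(r, strings.Split(signed, ";"))
	sig := signature(deriveSigningKey(secret, amzDate[:8], region, "s3"), amzDate, scope, canon)
	r.Header.Set("Authorization", fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		accessKeyID, scope, signed, sig))
}

func main() {
	r, _ := http.NewRequest("GET", "http://bucket.example.test/key?prefix=a%20b", nil)
	r.Header.Set("X-Amz-Date", "20240101T000000Z")
	r.Header.Set("X-Amz-Content-Sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
	SignRequest(r, "AKIAEXAMPLE", "example-secret", "us-east-1")
	fmt.Println(VerifyHeaderSigV4(r, "AKIAEXAMPLE", "example-secret")) // <nil>
}
```

The split matches the one the page describes: the caller reads the access key ID out of the Credential field, resolves the secret (the BucketRegistry's job), and only then calls the verifier. Left out here for brevity and required in production: bounding X-Amz-Date clock skew and checking it against the scope date, rejecting requests whose SignedHeaders omit host, and the presigned-URL form, where the signature and scope travel in the query string rather than the header.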

type BucketRegistry

BucketRegistry resolves client credentials to virtual bucket names.

type BucketRegistry struct {
    // contains filtered or unexported fields
}

func NewBucketRegistry

func NewBucketRegistry(buckets []config.BucketConfig) *BucketRegistry

NewBucketRegistry builds a credential-to-bucket lookup from the config.

func (*BucketRegistry) AuthenticateAndResolveBucket

func (br *BucketRegistry) AuthenticateAndResolveBucket(r *http.Request) (string, *StreamingMaterial, error)

AuthenticateAndResolveBucket authenticates the request and returns the authorized bucket name plus, when the SigV4 seed signature declares a streaming payload, the StreamingMaterial that the transport layer needs to verify and decode the chunk chain. The streaming return is nil for non-streaming requests, presigned URLs, and proxy-token authentication.

func (*BucketRegistry) MaxMultipartUploads

func (br *BucketRegistry) MaxMultipartUploads(bucket string) int

MaxMultipartUploads returns the configured limit for active multipart uploads on the given bucket. Returns 0 if unlimited.

type StreamingMaterial

StreamingMaterial is the data the chunk reader needs to verify the chain. Built by the auth layer immediately after the seed signature verifies; carries the same signing-key derivation the seed used so the chain is bound to the request.

type StreamingMaterial struct {
    Variant      StreamingVariant
    SeedSig      string
    SigningKey   []byte
    CredScope    string
    AmzDate      string
    DecodedLen   int64
    TrailerNames []string // sorted, lowercased; only used for trailer variants
}

type StreamingVariant

StreamingVariant identifies which AWS streaming-payload mode a request declares via X-Amz-Content-Sha256.

type StreamingVariant int

const (
    // StreamingNone indicates the request body is not a streaming
    // payload; the regular SigV4 payload-hash applies.
    StreamingNone StreamingVariant = iota
    // StreamingSigned: STREAMING-AWS4-HMAC-SHA256-PAYLOAD. Chunks carry
    // per-chunk signatures chained from the seed signature; no trailer.
    StreamingSigned
    // StreamingSignedTrailer: STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER.
    // Chunks carry per-chunk signatures and a signed trailer block
    // follows the zero-size chunk.
    StreamingSignedTrailer
    // StreamingUnsignedTrailer: STREAMING-UNSIGNED-PAYLOAD-TRAILER.
    // Chunks are not authenticated; only the trailer block is signed.
    StreamingUnsignedTrailer
)

func DetectStreamingVariant

func DetectStreamingVariant(payloadHash string) StreamingVariant

DetectStreamingVariant maps the X-Amz-Content-Sha256 value to a streaming variant. Returns StreamingNone when the value is empty or a regular hex payload hash.

func (StreamingVariant) Label

func (v StreamingVariant) Label() string

Label returns a stable, lowercase identifier for the variant suitable as a Prometheus label value. The mapping is fixed across releases so dashboards and alert rules can match by variant without ambiguity.

Generated by gomarkdoc