|
| 1 | +const crypto = require('crypto'); |
| 2 | +const { errors: ArsenalErrors } = require('arsenal'); |
| 3 | +const { config } = require('../../../Config'); |
| 4 | + |
| 5 | +const ChecksumError = Object.freeze({ |
| 6 | + MD5Mismatch: 'MD5Mismatch', |
| 7 | + MissingChecksum: 'MissingChecksum', |
| 8 | +}); |
| 9 | + |
| 10 | +/** |
| 11 | + * validateChecksumsNoChunking - Validate the checksums of a request. |
| 12 | + * @param {object} headers - http headers |
| 13 | + * @param {Buffer} body - http request body |
| 14 | + * @return {object} - error |
| 15 | + */ |
| 16 | +function validateChecksumsNoChunking(headers, body) { |
| 17 | + if (headers && 'content-md5' in headers) { |
| 18 | + const md5 = crypto.createHash('md5').update(body).digest('base64'); |
| 19 | + if (md5 !== headers['content-md5']) { |
| 20 | + return { error: ChecksumError.MD5Mismatch, details: { calculated: md5, expected: headers['content-md5'] } }; |
| 21 | + } |
| 22 | + |
| 23 | + return null; |
| 24 | + } |
| 25 | + |
| 26 | + return { error: ChecksumError.MissingChecksum, details: null }; |
| 27 | +} |
| 28 | + |
| 29 | +function defaultValidationFunc(request, body, log) { |
| 30 | + const err = validateChecksumsNoChunking(request.headers, body); |
| 31 | + if (err && err.error !== ChecksumError.MissingChecksum) { |
| 32 | + log.debug('failed checksum validation', { method: request.apiMethod }, err); |
| 33 | + return ArsenalErrors.BadDigest; |
| 34 | + } |
| 35 | + |
| 36 | + return null; |
| 37 | +} |
| 38 | + |
| 39 | +const methodValidationFunc = Object.freeze({ |
| 40 | + 'bucketPutACL': defaultValidationFunc, |
| 41 | + 'bucketPutCors': defaultValidationFunc, |
| 42 | + 'bucketPutEncryption': defaultValidationFunc, |
| 43 | + 'bucketPutLifecycle': defaultValidationFunc, |
| 44 | + 'bucketPutNotification': defaultValidationFunc, |
| 45 | + 'bucketPutObjectLock': defaultValidationFunc, |
| 46 | + 'bucketPutPolicy': defaultValidationFunc, |
| 47 | + 'bucketPutReplication': defaultValidationFunc, |
| 48 | + 'bucketPutVersioning': defaultValidationFunc, |
| 49 | + 'bucketPutWebsite': defaultValidationFunc, |
| 50 | + // TODO: DeleteObjects requires a checksum. Should return an error if ChecksumError.MissingChecksum. |
| 51 | + 'multiObjectDelete': defaultValidationFunc, |
| 52 | + 'objectPutACL': defaultValidationFunc, |
| 53 | + 'objectPutLegalHold': defaultValidationFunc, |
| 54 | + 'objectPutTagging': defaultValidationFunc, |
| 55 | + 'objectPutRetention': defaultValidationFunc, |
| 56 | +}); |
| 57 | + |
| 58 | +/** |
| 59 | + * validateMethodChecksumsNoChunking - Validate the checksums of a request. |
| 60 | + * @param {object} request - http request |
| 61 | + * @param {Buffer} body - http request body |
| 62 | + * @param {object} log - logger |
| 63 | + * @return {object} - error |
| 64 | + */ |
| 65 | +function validateMethodChecksumNoChunking(request, body, log) { |
| 66 | + if (config.integrityChecks[request.apiMethod]) { |
| 67 | + const validationFunc = methodValidationFunc[request.apiMethod]; |
| 68 | + if (!validationFunc) { |
| 69 | + return null; |
| 70 | + } |
| 71 | + |
| 72 | + return validationFunc(request, body, log); |
| 73 | + } |
| 74 | + |
| 75 | + return null; |
| 76 | +} |
| 77 | + |
| 78 | +module.exports = { |
| 79 | + ChecksumError, |
| 80 | + validateChecksumsNoChunking, |
| 81 | + validateMethodChecksumNoChunking, |
| 82 | +}; |
0 commit comments