Fix v4 auth to allow fallback to other auth methods

zubron · zubron · commit 1f3d9f79ec00 · 2025-12-01T09:47:25.000-05:00
This change ensures that when a request doesn't have the v4 algorithm
URL parameter (`x-amz-algorithm`), the chained authenticator tries the
next auth method instead of failing. Previously, requests using other
signature versions would fail because v4 parsing returned and error that
blocked the chain.
diff --git a/pkg/gateway/sig/sig.go b/pkg/gateway/sig/sig.go
@@ -15,7 +15,8 @@ import (
 )
 
 var (
-	ErrHeaderMalformed = errors.New("header malformed")
+	ErrHeaderMalformed        = errors.New("header malformed")
+	ErrBadAuthorizationFormat = errors.New("authorization format not supported by this authenticator")
 
 	// reservedObjectNames - if object matches reserved string, no need to encode them
 	reservedObjectNames = regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")
@@ -99,7 +100,10 @@ func (c *chainedAuthenticator) Parse() (SigContext, error) {
 		if err == nil {
 			c.chosen = method
 			return sigContext, nil
-		} else if !errors.Is(err, ErrHeaderMalformed) {
+		} else if !errors.Is(err, ErrHeaderMalformed) && !errors.Is(err, ErrBadAuthorizationFormat) {
+			// ErrHeaderMalformed and ErrBadAuthorizationFormat indicate "wrong auth format, try next method".
+			// All other errors mean the request matched this method's format but failed validation,
+			// so return immediately without trying remaining methods.
 			return nil, err
 		}
 	}
diff --git a/pkg/gateway/sig/v4.go b/pkg/gateway/sig/v4.go
@@ -33,7 +33,7 @@ const (
 	v4scopeTerminator        = "aws4_request"
 	v4timeFormat             = "20060102T150405Z"
 	v4shortTimeFormat        = "20060102"
-	maxExpires               = 604800
+	AmzPresignMaxExpires     = 7 * 24 * time.Hour // 7 days or 604800 seconds
 
 	v4AmzAlgorithm = "X-Amz-Algorithm"
 	//nolint:gosec
@@ -81,29 +81,36 @@ func parseExpires(expiresStr string) (int64, error) {
 	if expires < 0 {
 		return 0, errors.ErrNegativeExpires
 	}
-	if expires > maxExpires {
+	if expires > int64(AmzPresignMaxExpires.Seconds()) {
 		return 0, errors.ErrMaximumExpires
 	}
 	return expires, nil
 }
 
-func hasRequiredParams(values url.Values) bool {
-	var requiredPresignedParams = []string{
-		v4AmzAlgorithm,
+func isV4PresignedRequest(query url.Values) error {
+	algorithm, ok := query[v4AmzAlgorithm]
+	if !ok {
+		// Not a V4 presigned request, try next auth method
+		return ErrBadAuthorizationFormat
+	}
+	if len(algorithm) == 0 || !strings.EqualFold(algorithm[0], V4authHeaderPrefix) {
+		return errors.ErrInvalidQuerySignatureAlgo
+	}
+
+	requiredParams := []string{
 		v4AmzCredential,
 		v4AmzSignature,
 		v4AmzDate,
 		v4AmzSignedHeaders,
 		v4AmzExpires,
 	}
-
-	for _, param := range requiredPresignedParams {
-		if _, ok := values[param]; !ok {
-			return false
+	for _, param := range requiredParams {
+		if _, ok := query[param]; !ok {
+			return errors.ErrMissingFields
 		}
 	}
 
-	return true
+	return nil
 }
 
 func ParseV4AuthContext(r *http.Request) (V4Auth, error) {
@@ -138,16 +145,13 @@ func ParseV4AuthContext(r *http.Request) (V4Auth, error) {
 	}
 
 	query := r.URL.Query()
-	// otherwise, see if we have all the required query parameters
-	if !hasRequiredParams(query) {
-		return ctx, errors.ErrInvalidQueryParams
-	}
-	ctx.IsPresigned = true
 
-	algorithm := query.Get(v4AmzAlgorithm)
-	if len(algorithm) == 0 || !strings.EqualFold(algorithm, V4authHeaderPrefix) {
-		return ctx, errors.ErrInvalidQuerySignatureAlgo
+	// If we couldn't find the auth header, try to parse the request as a presigned URL
+	if err := isV4PresignedRequest(query); err != nil {
+		return ctx, err
 	}
+
+	ctx.IsPresigned = true
 	credentialScope := query.Get(v4AmzCredential)
 	if len(credentialScope) == 0 {
 		return ctx, errors.ErrMissingCredTag
@@ -357,9 +361,9 @@ func (ctx *verificationCtx) getAmzDate() (string, error) {
 
 func (ctx *verificationCtx) verifyExpiration() error {
 	if !ctx.AuthValue.IsPresigned {
-		// TODO: we currently don't have handling for this
 		return nil
 	}
+
 	// Get and validate the request timestamp
 	amzDate, err := ctx.getAmzDate()
 	if err != nil {
diff --git a/pkg/gateway/sig/v4_expiration_internal_test.go b/pkg/gateway/sig/v4_expiration_internal_test.go
@@ -183,14 +183,14 @@ func TestParseExpires(t *testing.T) {
 	}
 }
 
-func TestHasRequiredParams(t *testing.T) {
+func TestIsV4PresignedRequest(t *testing.T) {
 	testCases := []struct {
-		name     string
-		query    url.Values
-		expected bool
+		name          string
+		query         url.Values
+		expectedError error
 	}{
 		{
-			name: "all required params present",
+			name: "valid V4 presigned request",
 			query: url.Values{
 				v4AmzAlgorithm:     {"AWS4-HMAC-SHA256"},
 				v4AmzCredential:    {"AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/s3/aws4_request"},
@@ -199,43 +199,65 @@ func TestHasRequiredParams(t *testing.T) {
 				v4AmzSignedHeaders: {"host"},
 				v4AmzExpires:       {"3600"},
 			},
-			expected: true,
+			expectedError: nil,
 		},
 		{
-			name: "missing a parameter",
+			name: "missing algorithm - not a V4 request",
 			query: url.Values{
 				v4AmzCredential:    {"AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/s3/aws4_request"},
 				v4AmzSignature:     {"abcd1234"},
 				v4AmzDate:          {"20230101T120000Z"},
 				v4AmzSignedHeaders: {"host"},
 				v4AmzExpires:       {"3600"},
 			},
-			expected: false,
+			expectedError: ErrBadAuthorizationFormat,
+		},
+		{
+			name: "invalid algorithm",
+			query: url.Values{
+				v4AmzAlgorithm:     {"AWS4-HMAC-SHA512"},
+				v4AmzCredential:    {"AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/s3/aws4_request"},
+				v4AmzSignature:     {"abcd1234"},
+				v4AmzDate:          {"20230101T120000Z"},
+				v4AmzSignedHeaders: {"host"},
+				v4AmzExpires:       {"3600"},
+			},
+			expectedError: errors.ErrInvalidQuerySignatureAlgo,
+		},
+		{
+			name: "missing required param (credential)",
+			query: url.Values{
+				v4AmzAlgorithm:     {"AWS4-HMAC-SHA256"},
+				v4AmzSignature:     {"abcd1234"},
+				v4AmzDate:          {"20230101T120000Z"},
+				v4AmzSignedHeaders: {"host"},
+				v4AmzExpires:       {"3600"},
+			},
+			expectedError: errors.ErrMissingFields,
 		},
 		{
-			name: "parameter is present but empty",
+			name: "missing required param (expires)",
 			query: url.Values{
 				v4AmzAlgorithm:     {"AWS4-HMAC-SHA256"},
 				v4AmzCredential:    {"AKIAIOSFODNN7EXAMPLE/20230101/us-east-1/s3/aws4_request"},
 				v4AmzSignature:     {"abcd1234"},
 				v4AmzDate:          {"20230101T120000Z"},
 				v4AmzSignedHeaders: {"host"},
-				v4AmzExpires:       {""},
 			},
-			expected: true, // Key exists in map, even if empty
+			expectedError: errors.ErrMissingFields,
 		},
 		{
-			name:     "empty query params",
-			query:    url.Values{},
-			expected: false,
+			name:          "empty query params - not a V4 request",
+			query:         url.Values{},
+			expectedError: ErrBadAuthorizationFormat,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			result := hasRequiredParams(tc.query)
-			if result != tc.expected {
-				t.Errorf("expected %v, got %v", tc.expected, result)
+			err := isV4PresignedRequest(tc.query)
+			if err != tc.expectedError {
+				t.Errorf("expected error %v, got %v", tc.expectedError, err)
 			}
 		})
 	}

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@ import (`
`15`	`15`	`)`
`16`	`16`
`17`	`17`	`var (`
`18`		`- ErrHeaderMalformed = errors.New("header malformed")`
	`18`	`+ ErrHeaderMalformed = errors.New("header malformed")`
	`19`	`+ ErrBadAuthorizationFormat = errors.New("authorization format not supported by this authenticator")`
`19`	`20`
`20`	`21`	`// reservedObjectNames - if object matches reserved string, no need to encode them`
`21`	`22`	`reservedObjectNames = regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")`
`@@ -99,7 +100,10 @@ func (c *chainedAuthenticator) Parse() (SigContext, error) {`
`99`	`100`	`if err == nil {`
`100`	`101`	`c.chosen = method`
`101`	`102`	`return sigContext, nil`
`102`		`- } else if !errors.Is(err, ErrHeaderMalformed) {`
	`103`	`+ } else if !errors.Is(err, ErrHeaderMalformed) && !errors.Is(err, ErrBadAuthorizationFormat) {`
	`104`	`+ // ErrHeaderMalformed and ErrBadAuthorizationFormat indicate "wrong auth format, try next method".`
	`105`	`+ // All other errors mean the request matched this method's format but failed validation,`
	`106`	`+ // so return immediately without trying remaining methods.`
`103`	`107`	`return nil, err`
`104`	`108`	`}`
`105`	`109`	`}`