add compatibility with CEPH S3

handler.go

@@ -16,8 +16,10 @@ import (
 	v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
 	log "github.com/sirupsen/logrus"
 )
-
-var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-z]+-?[a-z]+-?[0-9]+)/s3/aws4_request")
+// - new less strict regexp in order to allow different region naming (compatibility with other providers)
+// - east-eu-1 => pass (aws style)
+// - gra => pass (ceph style)
+var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-zA-Z-0-9]+)/s3/aws4_request")
 var awsAuthorizationSignedHeadersRegexp = regexp.MustCompile("SignedHeaders=([a-zA-Z0-9;-]+)")
 
 // Handler is a special handler that re-signs any AWS S3 request and sends it upstream
@@ -225,9 +227,16 @@ func (h *Handler) buildUpstreamRequest(req *http.Request) (*http.Request, error)
 		return nil, err
 	}
 
+    // WORKAROUND S3CMD which dont use white space before the some commas in the authorization header
+    fakeAuthorizationStr := fakeReq.Header.Get("Authorization")
+    // Sanitize fakeReq to remove white spaces before the comma signature
+    authorizationStr :=  strings.Replace(req.Header["Authorization"][0],",Signature",", Signature",1)
+    // Sanitize fakeReq to remove white spaces before the comma signheaders
+    authorizationStr =  strings.Replace(authorizationStr,",SignedHeaders",", SignedHeaders",1)
+
 	// Verify that the fake request and the incoming request have the same signature
 	// This ensures it was sent and signed by a client with correct AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
-	cmpResult := subtle.ConstantTimeCompare([]byte(fakeReq.Header["Authorization"][0]), []byte(req.Header["Authorization"][0]))
+	cmpResult := subtle.ConstantTimeCompare([]byte(fakeAuthorizationStr), []byte(authorizationStr))
 	if cmpResult == 0 {
 		v, _ := httputil.DumpRequest(fakeReq, false)
 		log.Debugf("Fake request: %v", string(v))

handler_test.go

@@ -79,6 +79,12 @@ func verifySignature(w http.ResponseWriter, r *http.Request) {
 	signer.Sign(r, body, "s3", "eu-test-1", signTime)
 	expectedAuthorization := r.Header["Authorization"][0]
 
+    // WORKAROUND S3CMD who dont use white space before the comma in the authorization header
+    // Sanitize fakeReq to remove white spaces before the comma signature
+    receivedAuthorization =  strings.Replace(receivedAuthorization,",Signature",", Signature",1)
+    // Sanitize fakeReq to remove white spaces before the comma signheaders
+    receivedAuthorization =  strings.Replace(receivedAuthorization,",SignedHeaders",", SignedHeaders",1)
+
 	// verify signature
 	fmt.Fprintln(w, receivedAuthorization, expectedAuthorization)
 	if receivedAuthorization == expectedAuthorization {
@@ -143,6 +149,20 @@ func TestHandlerValidSignature(t *testing.T) {
 	assert.Equal(t, 200, resp.Code)
 	assert.Contains(t, resp.Body.String(), "Hello, client")
 }
+func TestHandlerValidSignatureS3cmd(t *testing.T) {
+	h := newTestProxy(t)
+
+	req := httptest.NewRequest(http.MethodGet, "http://foobar.example.com", nil)
+	signRequest(req)
+	authorizationReq := req.Header.Get("Authorization");
+    authorizationReq =  strings.Replace(authorizationReq,", Signature",",Signature",1)
+    authorizationReq =  strings.Replace(authorizationReq,", SignedHeaders",",SignedHeaders",1)
+    req.Header.Set("Authorization",authorizationReq);
+	resp := httptest.NewRecorder()
+	h.ServeHTTP(resp, req)
+	assert.Equal(t, 200, resp.Code)
+	assert.Contains(t, resp.Body.String(), "Hello, client")
+}
 
 func TestHandlerInvalidCredential(t *testing.T) {
 	h := newTestProxy(t)

main.go

@@ -100,7 +100,10 @@ func NewAwsS3ReverseProxy(opts Options) (*Handler, error) {
 	}
 	return handler, nil
 }
-
+//handle /health path
+func health(w http.ResponseWriter, req *http.Request){
+   fmt.Fprintf(w,"ok")
+}
 func main() {
 	opts := NewOptions()
 	handler, err := NewAwsS3ReverseProxy(opts)
@@ -136,6 +139,8 @@ func main() {
 	var wrappedHandler http.Handler = handler
 	if len(opts.MetricsListenAddr) > 0 && len(strings.Split(opts.MetricsListenAddr, ":")) == 2 {
 		metricsHandler := http.NewServeMux()
+		//add health on metrics http to serve k8s liveness
+        metricsHandler.HandleFunc("/health",health)
 		metricsHandler.Handle("/metrics", promhttp.Handler())
 
 		log.Infof("Listening for secure Prometheus metrics on %s", opts.MetricsListenAddr)