Add force STORAGE_CLASS in config and headers

README.md

@@ -47,6 +47,7 @@ GitHub](https://github.com/Kriechi/aws-s3-reverse-proxy/releases).
   * uses secure HTTPS for upstream connections by default
   * run as single binary or Docker container
   * configuration via CLI, or using the same options in a config file
+  * force a storage class when proxying request with env (STORAGE_CLASS) or config (--storage-class) 
 
 ## Getting Started
 

handler.go

@@ -17,7 +17,10 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-z]+-?[a-z]+-?[0-9]+)/s3/aws4_request")
+// - new less strict regexp in order to allow different region naming (compatibility with other providers)
+// - east-eu-1 => pass (aws style)
+// - gra => pass (ceph style)
+var awsAuthorizationCredentialRegexp = regexp.MustCompile("Credential=([a-zA-Z0-9]+)/[0-9]+/([a-zA-Z-0-9]+)/s3/aws4_request")
 var awsAuthorizationSignedHeadersRegexp = regexp.MustCompile("SignedHeaders=([a-zA-Z0-9;-]+)")
 
 // Handler is a special handler that re-signs any AWS S3 request and sends it upstream
@@ -45,6 +48,9 @@ type Handler struct {
 
 	// Reverse Proxy
 	Proxy *httputil.ReverseProxy
+
+	// Storage Class
+	StorageClass string
 }
 
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -190,7 +196,10 @@ func (h *Handler) assembleUpstreamReq(signer *v4.Signer, req *http.Request, regi
 	if val, ok := req.Header["Content-Md5"]; ok {
 		proxyReq.Header["Content-Md5"] = val
 	}
-
+	// check if storage class is forced
+	if h.StorageClass != "" {
+		proxyReq.Header.Set("X-Amz-Storage-Class", h.StorageClass)
+	}
 	// Sign the upstream request
 	if err := h.sign(signer, proxyReq, region); err != nil {
 		return nil, err
@@ -225,9 +234,16 @@ func (h *Handler) buildUpstreamRequest(req *http.Request) (*http.Request, error)
 		return nil, err
 	}
 
+	// WORKAROUND S3CMD which dont use white space before the some commas in the authorization header
+	fakeAuthorizationStr := fakeReq.Header.Get("Authorization")
+	// Sanitize fakeReq to remove white spaces before the comma signature
+	authorizationStr := strings.Replace(req.Header["Authorization"][0], ",Signature", ", Signature", 1)
+	// Sanitize fakeReq to remove white spaces before the comma signheaders
+	authorizationStr = strings.Replace(authorizationStr, ",SignedHeaders", ", SignedHeaders", 1)
+
 	// Verify that the fake request and the incoming request have the same signature
 	// This ensures it was sent and signed by a client with correct AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
-	cmpResult := subtle.ConstantTimeCompare([]byte(fakeReq.Header["Authorization"][0]), []byte(req.Header["Authorization"][0]))
+	cmpResult := subtle.ConstantTimeCompare([]byte(fakeAuthorizationStr), []byte(authorizationStr))
 	if cmpResult == 0 {
 		v, _ := httputil.DumpRequest(fakeReq, false)
 		log.Debugf("Fake request: %v", string(v))

handler_test.go

@@ -79,6 +79,12 @@ func verifySignature(w http.ResponseWriter, r *http.Request) {
 	signer.Sign(r, body, "s3", "eu-test-1", signTime)
 	expectedAuthorization := r.Header["Authorization"][0]
 
+	// WORKAROUND S3CMD who dont use white space before the comma in the authorization header
+	// Sanitize fakeReq to remove white spaces before the comma signature
+	receivedAuthorization = strings.Replace(receivedAuthorization, ",Signature", ", Signature", 1)
+	// Sanitize fakeReq to remove white spaces before the comma signheaders
+	receivedAuthorization = strings.Replace(receivedAuthorization, ",SignedHeaders", ", SignedHeaders", 1)
+
 	// verify signature
 	fmt.Fprintln(w, receivedAuthorization, expectedAuthorization)
 	if receivedAuthorization == expectedAuthorization {
@@ -143,6 +149,24 @@ func TestHandlerValidSignature(t *testing.T) {
 	assert.Equal(t, 200, resp.Code)
 	assert.Contains(t, resp.Body.String(), "Hello, client")
 }
+func TestHandlerValidSignatureS3cmd(t *testing.T) {
+	h := newTestProxy(t)
+
+	req := httptest.NewRequest(http.MethodGet, "http://foobar.example.com", nil)
+	signRequest(req)
+	// get the generated signed authorization header in order to simulate the s3cmd syntax
+	authorizationReq := req.Header.Get("Authorization")
+	// simulating s3cmd syntax and remove the whites space after the comma of the Signature part
+	authorizationReq = strings.Replace(authorizationReq, ", Signature", ",Signature", 1)
+	// simulating s3cmd syntax and remove the whites space before the comma of the SignedHeaders part
+	authorizationReq = strings.Replace(authorizationReq, ", SignedHeaders", ",SignedHeaders", 1)
+	// push the edited authorization header
+	req.Header.Set("Authorization", authorizationReq)
+	resp := httptest.NewRecorder()
+	h.ServeHTTP(resp, req)
+	assert.Equal(t, 200, resp.Code)
+	assert.Contains(t, resp.Body.String(), "Hello, client")
+}
 
 func TestHandlerInvalidCredential(t *testing.T) {
 	h := newTestProxy(t)

main.go

@@ -30,6 +30,7 @@ type Options struct {
 	UpstreamEndpoint      string
 	CertFile              string
 	KeyFile               string
+	StorageClass          string
 }
 
 // NewOptions defines and parses the raw command line arguments
@@ -47,6 +48,7 @@ func NewOptions() Options {
 	kingpin.Flag("upstream-endpoint", "use this S3 endpoint for upstream connections, instead of public AWS S3 (env - UPSTREAM_ENDPOINT)").Envar("UPSTREAM_ENDPOINT").StringVar(&opts.UpstreamEndpoint)
 	kingpin.Flag("cert-file", "path to the certificate file (env - CERT_FILE)").Envar("CERT_FILE").Default("").StringVar(&opts.CertFile)
 	kingpin.Flag("key-file", "path to the private key file (env - KEY_FILE)").Envar("KEY_FILE").Default("").StringVar(&opts.KeyFile)
+	kingpin.Flag("storage-class", "default storage class to use (env - STORAGE_CLASS)").Envar("STORAGE_CLASS").Default("").StringVar(&opts.StorageClass)
 	kingpin.Parse()
 	return opts
 }
@@ -97,10 +99,10 @@ func NewAwsS3ReverseProxy(opts Options) (*Handler, error) {
 		AllowedSourceSubnet:   parsedAllowedSourceSubnet,
 		AWSCredentials:        parsedAwsCredentials,
 		Signers:               signers,
+		StorageClass:          opts.StorageClass,
 	}
 	return handler, nil
 }
-
 func main() {
 	opts := NewOptions()
 	handler, err := NewAwsS3ReverseProxy(opts)