implement auth middleware for s3

[chanwit]

Signed-off-by: Chanwit Kaewkasi chanwit@weave.works

[pjbgf]

After the review I noticed that upstream exposes some of this functionality:
https://github.com/aws/aws-sdk-go-v2/blob/main/aws/signer/v4/v4.go

We may benefit from using their implementation for the signing and verification part. They also have a middleware implementation, but I am not sure how useful that would be for us.

[chanwit]

After the review I noticed that upstream exposes some of this functionality: https://github.com/aws/aws-sdk-go-v2/blob/main/aws/signer/v4/v4.go

We may benefit from using their implementation for the signing and verification part. They also have a middleware implementation, but I am not sure how useful that would be for us.

Here's some background.
The codes I'm using was taken from the v4 signing of the MinIO lib (Apache license, also used by Flux).
Instead of signing, I reverse its process to implement the verification method.

[pjbgf]

Here's some background.
The codes I'm using was taken from the v4 signing of the MinIO lib (Apache license, also used by Flux).
Instead of signing, I reverse its process to implement the verification method.

@chanwit thank you for the context. Unfortunately neither MiniIO nor AWS seems to expose the entire logic, so it does make sense the approach.

[pjbgf]

LGTM

thanks @chanwit! 🙇

[makkes]

Tested it locally with:

AWS_ACCESS_KEY_ID=foo AWS_SECRET_ACCESS_KEY=some_secret_key ./bin/gitops-bucket-server --cert-file ~/dev/local-ca/ca.pem --key-file ~/dev/local-ca/ca.key

and the minio CLI:

$ mc alias set test https://localhost:9443 foo some_secret_key --insecure
Added `test` successfully.
$ $ /tmp/mc ls test --insecure
[2022-12-05 10:48:01 CET]     0B probe-bucket-sign-gza44hmacqgz/
[2022-12-05 10:48:29 CET]     0B minio/
[2022-12-05 10:55:29 CET]     0B probe-bucket-sign-wt0spypubjre/

Works fine, good job!

Just a remark on picking a different package name for the middleware code.