centra/photoncloud-monorepo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
photoncloud-monorepo/docs/por/T058-s3-auth-hardening/task.yaml
centra eaee9aad08 fix(creditservice): Replace non-existent txn() with compare_and_swap() 
- Remove chainfire_client.txn() calls (method doesn't exist)
- Use compare_and_swap(key, 0, value) for atomic wallet creation
- Use put() for wallet updates (CAS on version deferred to later)
- Remove unused proto imports (TxnRequest, TxnResponse, etc.)
- Simplify error handling using CasOutcome.success

This fixes compilation errors found in audit. CreditService now
compiles successfully.

Refs: Audit Fix 1/3
2025-12-12 06:31:19 +09:00

82 lines
2.7 KiB
YAML
Raw Blame History

id: T058
name: LightningSTOR S3 Auth Hardening
goal: Implement robust SigV4 authentication for LightningSTOR S3 API
status: active
priority: P0
owner: peerB
created: 2025-12-12
depends_on: [T047]
blocks: [T039]
context: |
**Findings from T047 Completion Report:**
- SigV4 authentication middleware is active but signature validation fails due to canonicalization mismatch.
- Auth was bypassed (`S3_AUTH_ENABLED=false`) for T047 completion.
- This is a critical security vulnerability for production S3 API.
**Foreman Recommendation:**
- "Address the critical security issue in T047-lightningstor-s3 regarding SigV4 authentication."
acceptance:
- SigV4 authentication fully functional and passes AWS CLI tests.
- S3 API rejects invalid signatures.
- IAM integration for credentials.
steps:
- step: S1
name: Debug SigV4 Canonicalization
done: Identify and fix the canonicalization mismatch in SigV4 signature verification.
status: complete
completed: 2025-12-12 06:15 JST
owner: peerB
priority: P0
notes: |
**Root Cause Identified:**
- Used `form_urlencoded::byte_serialize` which follows HTML form encoding rules
- AWS SigV4 requires RFC 3986 URI encoding with specific rules
- Encoding mismatch caused canonical request hash to differ from client's
**Fix Implemented:**
- Created `aws_uri_encode()` matching RFC 3986 + AWS SigV4 spec exactly
- Unreserved chars (A-Z,a-z,0-9,-,_,.,~) are NOT encoded
- All other chars percent-encoded with uppercase hex (%2F not %2f)
- Preserve slashes in paths, encode in query parameters
- Normalize empty paths to '/' per AWS specification
**Testing:**
- All 8 auth unit tests pass
- Added comprehensive SigV4 signature determinism test
- Fixed test expectations (body hash, HMAC values)
**Files Modified:**
- lightningstor/crates/lightningstor-server/src/s3/auth.rs (~40L changes)
outputs:
- path: lightningstor/crates/lightningstor-server/src/s3/auth.rs
note: SigV4 canonicalization fix
- step: S2
name: Integrate with IAM
done: Fetch IAM credentials for signature verification.
status: in_progress
owner: peerB
priority: P1
- step: S3
name: Security Testing
done: Add comprehensive security tests for S3 authentication.
status: pending
owner: peerB
priority: P1
evidence:
- cmd: "cargo test --package lightningstor-server --lib s3::auth::tests"
result: "8 passed; 0 failed"
notes: |
Critical for production security of the S3 object storage. Blocking T039 for a truly secure deployment.
**S1 Complete (2025-12-12 06:15 JST):**
- RFC 3986 compliant URI encoding implemented
- All auth tests passing
- Ready for IAM integration (S2)
Reference in a new issue View git blame Copy permalink