feat(client): sign presigned URLs against a public endpoint#109
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #109 +/- ##
==========================================
+ Coverage 87.03% 87.08% +0.04%
==========================================
Files 39 39
Lines 2167 2175 +8
==========================================
+ Hits 1886 1894 +8
Misses 173 173
Partials 108 108
🚀 New features to boost your workflow:
|
Presigned URLs were signed against Endpoint, which in clustered deployments is an internal address unreachable from outside the cluster. Add an optional PresignEndpoint (S3_PRESIGN_ENDPOINT) that, when set, builds a dedicated presign client signing against the public-facing host while all data operations keep using Endpoint. Empty PresignEndpoint preserves prior behavior. For path-style addressing the SigV4 query signature does not cover the host, so swapping the base endpoint on the presign client yields a valid signature against the public host. Also pin toolchain go1.26.4 so the build uses the patched standard library, clearing reachable govulncheck findings GO-2026-5039 (net/textproto) and GO-2026-5037 (crypto/x509). TestNew_PresignEndpoint asserts the signed URL host is the public endpoint when set and falls back to Endpoint when empty.
cjimti
force-pushed
the
feat/presign-public-endpoint
branch
from
e11697a to
321746c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Clientbuilds its presign client from the sames3.Clientused for data operations, so presigned URLs are signed againstConfig.Endpoint. In clustered deploymentsEndpointis an internal/cluster address (for example a SeaweedFS service DNS name likehttp://seaweedfs-s3:8333). Presigned URLs handed back to a browser or an external agent therefore point at a host that is not resolvable or reachable from outside the cluster, so the download fails.Change
Add an optional public-facing endpoint used only when signing presigned URLs:
Config.PresignEndpoint(envS3_PRESIGN_ENDPOINT) inpkg/client/config.go. When set, presigned URLs sign against it; when empty it falls back toEndpoint, preserving prior behavior. Added toFromEnv,Clone, and aPresignBaseEndpoint()helper.New(pkg/client/client.go), whenPresignEndpointis set, build a dedicated presign client whoseBaseEndpointis the public endpoint (carryingUsePathStyleover). Data operations keep using the internal-Endpointclient. With no presign endpoint configured, both are the same client, so behavior is unchanged.This is safe for path-style addressing because the SigV4 query signature on a presigned URL does not cover the host, so swapping the base endpoint on the presign client still yields a signature that validates against the public host.
Stdlib vulnerability fix
make verify(govulncheck) flagged two reachable Go standard-library vulnerabilities because the build floated to the unpatchedgo1.26.3toolchain (go.modhad notoolchaindirective):GO-2026-5039—net/textproto, reachable viaClient.GetObject->io.ReadAllGO-2026-5037—crypto/x509, reachable via the same path andmainPinned
toolchain go1.26.4(the patched release) ingo.mod.actions/setup-gohonors it viago-version-file: go.mod, and CI now installs the patched toolchain.govulncheckreports 0 reachable vulnerabilities.Tests
TestNew_PresignEndpoint(pkg/client/client_test.go) builds a real client viaNew(presigning is local, no network) and asserts:PresignEndpointset, the signed URL host is the public endpoint;Endpoint.Verified adversarially: reverting the
client.gochange makes the test fail with the internal host (http://internal:8333) instead of the public host.make verifypasses end to end (tidy, lint, test, coverage, security, deadcode, build-check).Downstream
Enables the consuming platform to hand out externally reachable presigned URLs by setting
S3_PRESIGN_ENDPOINT/PresignEndpointto the public S3 address while keeping the internal endpoint for data traffic. The platform-side wiring (apublic_endpointconfig mapped toPresignEndpoint) lands once this is released.