rewrite, simplify, avoid unused functions #6989
Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Service-level responses need both Access-Control-Allow-Methods and Access-Control-Allow-Headers. After setting Access-Control-Allow-Origin and Access-Control-Expose-Headers, also set Access-Control-Allow-Methods: * and Access-Control-Allow-Headers: * so service endpoints satisfy CORS preflight requirements.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Summary of Changes
Hello @chrislusf, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly enhances the S3 API by implementing full Cross-Origin Resource Sharing (CORS) capabilities, providing developers with granular control over cross-origin access to their data. Alongside this major feature addition, it introduces a robust, dedicated test suite for CORS and includes important refactorings to the existing AWS Signature authentication mechanisms, improving code clarity and efficiency.
Highlights
- CORS Functionality: Introduced comprehensive Cross-Origin Resource Sharing (CORS) support for the S3 API, allowing bucket owners to define rules for cross-origin access to their resources. This includes API endpoints for
PutBucketCors,GetBucketCors, andDeleteBucketCors. - CORS Test Suite: Added a new, dedicated Go module (
test/s3/cors) with extensive integration tests for CORS. This suite covers configuration management, preflight and actual request handling, origin/header/method matching, wildcard support, rule limits, caching, and error handling. - Signature Authentication Refactoring: Refactored and simplified the AWS Signature Version 2 and Version 4 authentication logic. This involved removing several unused helper functions, streamlining the string-to-sign generation, and optimizing the signature calculation process by removing the
sync.Poolbased hash pool for V4 signatures. - CORS Middleware Integration: Integrated a new CORS middleware into the S3 API server to automatically handle CORS preflight (OPTIONS) requests and inject appropriate
Access-Control-*headers into responses for both bucket-specific and service-level requests. - Robust Header Management: Enhanced the
passThroughResponsemechanism to correctly capture and restore CORS headers set by the middleware, preventing them from being overwritten by proxy responses during object operations.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
weed/s3api/s3api_object_handlers.go
Outdated
| // Capture existing CORS headers that may have been set by middleware | ||
| capturedCORSHeaders := captureCORSHeaders(w, corsHeaders) | ||
|
|
||
| // Copy headers from proxy response | ||
| for k, v := range proxyResponse.Header { | ||
| w.Header()[k] = v | ||
| } | ||
|
|
||
| // Restore CORS headers that were set by middleware | ||
| restoreCORSHeaders(w, capturedCORSHeaders) |
There was a problem hiding this comment.
It is important to preserve CORS headers set by middleware during proxy responses. The code should capture and restore these headers to ensure CORS settings are correctly applied.
| // Capture existing CORS headers that may have been set by middleware | |
| capturedCORSHeaders := captureCORSHeaders(w, corsHeaders) | |
| // Copy headers from proxy response | |
| for k, v := range proxyResponse.Header { | |
| w.Header()[k] = v | |
| } | |
| // Restore CORS headers that were set by middleware | |
| restoreCORSHeaders(w, capturedCORSHeaders) | |
| // Capture existing CORS headers that may have been set by middleware | |
| capturedCORSHeaders := captureCORSHeaders(w, corsHeaders) | |
| // Copy headers from proxy response | |
| for k, v := range proxyResponse.Header { | |
| w.Header()[k] = v | |
| } | |
| // Restore CORS headers that were set by middleware | |
| restoreCORSHeaders(w, capturedCORSHeaders) |
weed/s3api/auth_signature_v4.go
Outdated
| // X-Amz-Content-Sha256 header value is optional for presigned requests. | ||
| defaultSha256Cksum = unsignedPayload | ||
| v, ok = r.URL.Query()["X-Amz-Content-Sha256"] | ||
| if !ok { | ||
| v, ok = r.Header["X-Amz-Content-Sha256"] | ||
| } | ||
| } else { | ||
| // X-Amz-Content-Sha256, if not set in signed requests, checksum | ||
| // will default to sha256([]byte("")). | ||
| // X-Amz-Content-Sha256 header value is required for all non-presigned requests. | ||
| defaultSha256Cksum = emptySHA256 | ||
| v, ok = r.Header["X-Amz-Content-Sha256"] | ||
| } | ||
|
|
||
| // We found 'X-Amz-Content-Sha256' return the captured value. | ||
| if ok { | ||
| // If the client sends a SHA256 checksum of the object in this header, use it. | ||
| if v, ok = r.Header["X-Amz-Content-Sha256"]; ok { | ||
| return v[0] | ||
| } |
There was a problem hiding this comment.
It is better to retrieve the header value directly instead of using a local variable. This reduces the number of variables and makes the code more concise.
| // X-Amz-Content-Sha256 header value is optional for presigned requests. | |
| defaultSha256Cksum = unsignedPayload | |
| v, ok = r.URL.Query()["X-Amz-Content-Sha256"] | |
| if !ok { | |
| v, ok = r.Header["X-Amz-Content-Sha256"] | |
| } | |
| } else { | |
| // X-Amz-Content-Sha256, if not set in signed requests, checksum | |
| // will default to sha256([]byte("")). | |
| // X-Amz-Content-Sha256 header value is required for all non-presigned requests. | |
| defaultSha256Cksum = emptySHA256 | |
| v, ok = r.Header["X-Amz-Content-Sha256"] | |
| } | |
| // We found 'X-Amz-Content-Sha256' return the captured value. | |
| if ok { | |
| // If the client sends a SHA256 checksum of the object in this header, use it. | |
| if v, ok = r.Header["X-Amz-Content-Sha256"]; ok { | |
| return v[0] | |
| } | |
| if v, ok = r.Header["X-Amz-Content-Sha256"]; ok { | |
| return v[0] | |
| } |
weed/s3api/auth_signature_v4.go
Outdated
| for _, header := range signedHeaders { | ||
| headerKey := http.CanonicalHeaderKey(header) | ||
| if header == "host" { | ||
| extractedSignedHeaders.Set("host", r.Host) |
There was a problem hiding this comment.
It is better to retrieve the header value directly instead of using a local variable. This reduces the number of variables and makes the code more concise.
if header == "host" {
extractedSignedHeaders[header] = []string{r.Host}
continue
}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull Request Overview
This PR removes unused S3 helper functions and refactors the V4 and V2 signature code to use shared signing utilities, simplifies the chunked reader, and updates tests accordingly.
- Unified signature logic by introducing
getSigningKeyandgetSignature, removing the old hash pool mechanism. - Simplified chunked reader by replacing custom CRLF helpers and consolidating chunk signature computation.
- Overhauled
auth_signature_v4.go, stripping legacy streaming and presign logic and adding streamlined implementations with updated imports.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| weed/s3api/chunked_reader_v4.go | Replaced pooled signature calls with getSigningKey/getSignature; removed CRLF helpers and unified signature computation. |
| weed/s3api/auto_signature_v4_test.go | Removed old presign helper; added new preSignV4 implementation and adjusted imports. |
| weed/s3api/auth_signature_v4.go | Massive refactor of V4 auth: removed legacy code, consolidated signing, updated header extraction, and added new helper functions. |
| weed/s3api/auth_signature_v2.go | Simplified V2 auth paths, removed unneeded URL parsing, and aligned signature calls with shared utilities. |
Comments suppressed due to low confidence (3)
weed/s3api/chunked_reader_v4.go:121
- Deriving the signing key on each chunk read may be expensive; consider caching the signing key per reader instance to avoid repeated HMAC computations for every chunk.
signingKey := getSigningKey(cred.SecretKey, signV4Values.Credential.scope.date.Format(yyyymmdd), region, "s3")
weed/s3api/auto_signature_v4_test.go:211
- [nitpick] The new preSignV4 helper is not covered by existing tests; consider adding unit tests to verify presigned URL generation and parameter handling.
func preSignV4(iam *IdentityAccessManagement, req *http.Request, accessKey, secretKey string, expires int64) error {
weed/s3api/auth_signature_v4.go:65
- getContentSha256Cksum does not read 'X-Amz-Content-Sha256' from query parameters for presigned requests, potentially ignoring a provided payload checksum; consider also checking URL query parameters for this header when presigned.
if isRequestPresignedSignatureV4(r) {
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This reverts commit fce2d4e.
No description provided.