authorTim Burke <tim.burke@gmail.com>2021-01-08 14:21:09 -0800
committerTim Burke <tim.burke@gmail.com>2021-01-08 14:57:01 -0800
commit09a2f93933d42342be3ee33096c4dea28b2a29f7 (patch)
treef9f560b14690efdaf7fd535f2011775e0a55a484 /swift/common/middleware/s3api/s3request.py
parentd5bb644a1734b04f0cf60dde7276c384caab6241 (diff)
s3api: Make UNSIGNED-PAYLOAD requests work again
Previously, we unconditionally lower-cased the client-provided X-Amz-Content-SHA256 header, which led to SignatureDoesNotMatch errors since the client and server didn't agree on the canonical request. Now, only lower-case the value when making comparisons; leave it alone for signature-calculation purposes. Change-Id: I746d8e641c884ccd7838082ff07f958ee101de18 Related-Change: I3d6e2e4542a5ed03a6d31ec0ef4837d1de30a045 Closes-Bug: #1910827
Diffstat (limited to 'swift/common/middleware/s3api/s3request.py')
-rw-r--r--swift/common/middleware/s3api/s3request.py8
1 files changed, 4 insertions, 4 deletions
diff --git a/swift/common/middleware/s3api/s3request.py b/swift/common/middleware/s3api/s3request.py
index 059c2b784..56740e36a 100644
--- a/swift/common/middleware/s3api/s3request.py
+++ b/swift/common/middleware/s3api/s3request.py
@@ -448,10 +448,10 @@ class SigV4Mixin(object):
'x-amz-content-sha256'
raise InvalidRequest(msg)
else:
- hashed_payload = self.headers['X-Amz-Content-SHA256'].lower()
- if hashed_payload != 'unsigned-payload':
+ hashed_payload = self.headers['X-Amz-Content-SHA256']
+ if hashed_payload != 'UNSIGNED-PAYLOAD':
if self.content_length == 0:
- if hashed_payload != sha256().hexdigest():
+ if hashed_payload.lower() != sha256().hexdigest():
raise BadDigest(
'The X-Amz-Content-SHA56 you specified did not '
'match what we received.')
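Review bot: The sentinel test `if hashed_payload != 'UNSIGNED-PAYLOAD':` is now case-sensitive while the digest comparison two lines below is case-insensitive, and nothing in the hunk records that this asymmetry is deliberate. A header value such as `unsigned-payload` now falls into the digest branch and, for a zero-length body, is rejected with BadDigest, which fails closed. A comment on the assignment would stop a later cleanup from re-adding `.lower()` there, for example `# Keep the header verbatim: it is signed as sent; lower-case only when comparing digests.` That the raw value feeds the canonical request is inferred from the commit message, since that code is outside the hunk. Separately, the unchanged error text reads `X-Amz-Content-SHA56`, which looks like a typo for `SHA256`.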
@@ -460,7 +460,7 @@ class SigV4Mixin(object):
self.environ['wsgi.input'],
self.content_length,
sha256,
- hashed_payload)
+ hashed_payload.lower())
# else, length not provided -- Swift will kick out a
# 411 Length Required which will get translated back
# to a S3-style response in S3Request._swift_error_codes
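Review bot: `hashed_payload.lower()` is now derived a second time here, after the `content_length == 0` check in the previous hunk. A single local set once after the sentinel test, e.g. `expected_digest = hashed_payload.lower()`, would keep the verbatim header value and the comparison value visibly separate. The call that receives this argument begins above the hunk, so its name and the point at which it checks the digest are not visible. Neither hunk checks that the header is a 64-character hex string before the body is wrapped, so if the wrapper compares only after reading, a malformed value is presumably rejected late; an up-front format check may be worth adding.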