
Add IMGPROXY_TRUSTED_SIGNATURES config

DarthSim 1 year ago
parent
commit
73c54abd4e
4 changed files with 26 additions and 3 deletions
  1. 1 0
      CHANGELOG.md
  2. 6 3
      config/config.go
  3. 6 0
      security/signature.go
  4. 13 0
      security/signature_test.go

+ 1 - 0
CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ## [Unreleased]
 ### Add
+- Add the [IMGPROXY_TRUSTED_SIGNATURES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_TRUSTED_SIGNATURES) config.
 - (pro) Add the [hashsum](https://docs.imgproxy.net/latest/usage/processing#hashsum) processing and info options.
 - (pro) Add the [calc_hashsums](https://docs.imgproxy.net/latest/usage/getting_info#calc-hashsums) info option.
 - (pro) Add the [IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES](https://docs.imgproxy.net/latest/configuration/options#IMGPROXY_VIDEO_THUMBNAIL_TILE_AUTO_KEYFRAMES) config.

+ 6 - 3
config/config.go

@@ -74,9 +74,10 @@ var (
 	UseLinearColorspace bool
 	DisableShrinkOnLoad bool
 
-	Keys          [][]byte
-	Salts         [][]byte
-	SignatureSize int
+	Keys              [][]byte
+	Salts             [][]byte
+	SignatureSize     int
+	TrustedSignatures []string
 
 	Secret string
 
@@ -275,6 +276,7 @@ func Reset() {
 	Keys = make([][]byte, 0)
 	Salts = make([][]byte, 0)
 	SignatureSize = 32
+	TrustedSignatures = make([]string, 0)
 
 	Secret = ""
 
@@ -483,6 +485,7 @@ func Configure() error {
 		return err
 	}
 	configurators.Int(&SignatureSize, "IMGPROXY_SIGNATURE_SIZE")
+	configurators.StringSlice(&TrustedSignatures, "IMGPROXY_TRUSTED_SIGNATURES")
 
 	if err := configurators.HexSliceFile(&Keys, keyPath); err != nil {
 		return err
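Review bot: The values read from `IMGPROXY_TRUSTED_SIGNATURES` in Configure() are stored without any validation, and each entry is later accepted by VerifySignature as a static token for any path. If `configurators.StringSlice` keeps empty items (its body is not visible here; a trailing comma would be the usual cause), an empty string becomes a trusted signature, so empty entries should be dropped after loading or rejected with a config error. A doc comment on the variable would also help, for example `// TrustedSignatures are literal signature values accepted for any URL; treat them as secrets.` Configure's body continues outside the hunk.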

+ 6 - 0
security/signature.go

@@ -19,6 +19,12 @@ func VerifySignature(signature, path string) error {
 		return nil
 	}
 
+	for _, s := range config.TrustedSignatures {
+		if s == signature {
+			return nil
+		}
+	}
+
 	messageMAC, err := base64.RawURLEncoding.DecodeString(signature)
 	if err != nil {
 		return ErrInvalidSignatureEncoding
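Review bot: The new loop in VerifySignature compares each trusted value with `s == signature`, which is not a constant-time comparison, although these values act as secrets that authorize any path. Consider `subtle.ConstantTimeCompare([]byte(s), []byte(signature)) == 1` (needs `crypto/subtle`) so the check's timing does not depend on where the first mismatching byte is. A short comment above the loop would make the trade-off explicit, for example `// Trusted signatures bypass the HMAC check and are not bound to path.` The function starts and ends outside the hunk.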

+ 13 - 0
security/signature_test.go

@@ -51,6 +51,19 @@ func (s *SignatureTestSuite) TestVerifySignatureMultiplePairs() {
 	require.Error(s.T(), err)
 }
 
+func (s *SignatureTestSuite) TestVerifySignatureTrusted() {
+	config.TrustedSignatures = []string{"truested"}
+	defer func() {
+		config.TrustedSignatures = []string{}
+	}()
+
+	err := VerifySignature("truested", "asd")
+	require.Nil(s.T(), err)
+
+	err = VerifySignature("untrusted", "asd")
+	require.Error(s.T(), err)
+}
+
 func TestSignature(t *testing.T) {
 	suite.Run(t, new(SignatureTestSuite))
 }
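Review bot: The negative case `VerifySignature("untrusted", "asd")` most likely fails at base64 decoding rather than at the signature comparison, because a 9-character string is not valid unpadded base64url. The test therefore does not show that a well-formed but unlisted signature is rejected. Adding a case with a correctly encoded signature that is not in the list, and asserting the specific error, would pin that behaviour. The literal `"truested"` looks like a typo for `"trusted"`, and the deferred reset assigns `[]string{}` instead of restoring the previous value of `config.TrustedSignatures`.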