JustAnotherArchivist
/
transfer.sh
forked from kiska/transfer.sh
1
0
Fork 1
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
190 Commits
17 Branches
34 MiB
 
 
 
Tree: 049d73ec21
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '049d73ec21'
${ noResults }
transfer.sh/transfersh-server/vendor/github.com/goamz/goamz/aws/sign.go

358 lines
10 KiB
Raw Blame History 

  1. package aws

  2. 

  3. import (

  4. 	"bytes"

  5. 	"crypto/hmac"

  6. 	"crypto/sha256"

  7. 	"encoding/base64"

  8. 	"fmt"

  9. 	"io/ioutil"

  10. 	"net/http"

  11. 	"net/url"

  12. 	"path"

  13. 	"sort"

  14. 	"strings"

  15. 	"time"

  16. )

  17. 

  18. type V2Signer struct {

  19. 	auth    Auth

  20. 	service ServiceInfo

  21. 	host    string

  22. }

  23. 

  24. var b64 = base64.StdEncoding

  25. 

  26. func NewV2Signer(auth Auth, service ServiceInfo) (*V2Signer, error) {

  27. 	u, err := url.Parse(service.Endpoint)

  28. 	if err != nil {

  29. 		return nil, err

  30. 	}

  31. 	return &V2Signer{auth: auth, service: service, host: u.Host}, nil

  32. }

  33. 

  34. func (s *V2Signer) Sign(method, path string, params map[string]string) {

  35. 	params["AWSAccessKeyId"] = s.auth.AccessKey

  36. 	params["SignatureVersion"] = "2"

  37. 	params["SignatureMethod"] = "HmacSHA256"

  38. 	if s.auth.Token() != "" {

  39. 		params["SecurityToken"] = s.auth.Token()

  40. 	}

  41. 

  42. 	// AWS specifies that the parameters in a signed request must

  43. 	// be provided in the natural order of the keys. This is distinct

  44. 	// from the natural order of the encoded value of key=value.

  45. 	// Percent and Equals affect the sorting order.

  46. 	var keys, sarray []string

  47. 	for k, _ := range params {

  48. 		keys = append(keys, k)

  49. 	}

  50. 	sort.Strings(keys)

  51. 	for _, k := range keys {

  52. 		sarray = append(sarray, Encode(k)+"="+Encode(params[k]))

  53. 	}

  54. 	joined := strings.Join(sarray, "&")

  55. 	payload := method + "\n" + s.host + "\n" + path + "\n" + joined

  56. 	hash := hmac.New(sha256.New, []byte(s.auth.SecretKey))

  57. 	hash.Write([]byte(payload))

  58. 	signature := make([]byte, b64.EncodedLen(hash.Size()))

  59. 	b64.Encode(signature, hash.Sum(nil))

  60. 

  61. 	params["Signature"] = string(signature)

  62. }

  63. 

  64. // Common date formats for signing requests

  65. const (

  66. 	ISO8601BasicFormat      = "20060102T150405Z"

  67. 	ISO8601BasicFormatShort = "20060102"

  68. )

  69. 

  70. type Route53Signer struct {

  71. 	auth Auth

  72. }

  73. 

  74. func NewRoute53Signer(auth Auth) *Route53Signer {

  75. 	return &Route53Signer{auth: auth}

  76. }

  77. 

  78. // getCurrentDate fetches the date stamp from the aws servers to

  79. // ensure the auth headers are within 5 minutes of the server time

  80. func (s *Route53Signer) getCurrentDate() string {

  81. 	response, err := http.Get("https://route53.amazonaws.com/date")

  82. 	if err != nil {

  83. 		fmt.Print("Unable to get date from amazon: ", err)

  84. 		return ""

  85. 	}

  86. 

  87. 	response.Body.Close()

  88. 	return response.Header.Get("Date")

  89. }

  90. 

  91. // Creates the authorize signature based on the date stamp and secret key

  92. func (s *Route53Signer) getHeaderAuthorize(message string) string {

  93. 	hmacSha256 := hmac.New(sha256.New, []byte(s.auth.SecretKey))

  94. 	hmacSha256.Write([]byte(message))

  95. 	cryptedString := hmacSha256.Sum(nil)

  96. 

  97. 	return base64.StdEncoding.EncodeToString(cryptedString)

  98. }

  99. 

  100. // Adds all the required headers for AWS Route53 API to the request

  101. // including the authorization

  102. func (s *Route53Signer) Sign(req *http.Request) {

  103. 	date := s.getCurrentDate()

  104. 	authHeader := fmt.Sprintf("AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=%s,Signature=%s",

  105. 		s.auth.AccessKey, "HmacSHA256", s.getHeaderAuthorize(date))

  106. 

  107. 	req.Header.Set("Host", req.Host)

  108. 	req.Header.Set("X-Amzn-Authorization", authHeader)

  109. 	req.Header.Set("X-Amz-Date", date)

  110. 	req.Header.Set("Content-Type", "application/xml")

  111. }

  112. 

  113. /*

  114. The V4Signer encapsulates all of the functionality to sign a request with the AWS

  115. Signature Version 4 Signing Process. (http://goo.gl/u1OWZz)

  116. */

  117. type V4Signer struct {

  118. 	auth        Auth

  119. 	serviceName string

  120. 	region      Region

  121. }

  122. 

  123. /*

  124. Return a new instance of a V4Signer capable of signing AWS requests.

  125. */

  126. func NewV4Signer(auth Auth, serviceName string, region Region) *V4Signer {

  127. 	return &V4Signer{auth: auth, serviceName: serviceName, region: region}

  128. }

  129. 

  130. /*

  131. Sign a request according to the AWS Signature Version 4 Signing Process. (http://goo.gl/u1OWZz)

  132. 

  133. The signed request will include an "x-amz-date" header with a current timestamp if a valid "x-amz-date"

  134. or "date" header was not available in the original request. In addition, AWS Signature Version 4 requires

  135. the "host" header to be a signed header, therefor the Sign method will manually set a "host" header from

  136. the request.Host.

  137. 

  138. The signed request will include a new "Authorization" header indicating that the request has been signed.

  139. 

  140. Any changes to the request after signing the request will invalidate the signature.

  141. */

  142. func (s *V4Signer) Sign(req *http.Request) {

  143. 	req.Header.Set("host", req.Host)                  // host header must be included as a signed header

  144. 	t := s.requestTime(req)                           // Get requst time

  145. 	creq := s.canonicalRequest(req)                   // Build canonical request

  146. 	sts := s.stringToSign(t, creq)                    // Build string to sign

  147. 	signature := s.signature(t, sts)                  // Calculate the AWS Signature Version 4

  148. 	auth := s.authorization(req.Header, t, signature) // Create Authorization header value

  149. 	req.Header.Set("Authorization", auth)             // Add Authorization header to request

  150. 	return

  151. }

  152. 

  153. /*

  154. requestTime method will parse the time from the request "x-amz-date" or "date" headers.

  155. If the "x-amz-date" header is present, that will take priority over the "date" header.

  156. If neither header is defined or we are unable to parse either header as a valid date

  157. then we will create a new "x-amz-date" header with the current time.

  158. */

  159. func (s *V4Signer) requestTime(req *http.Request) time.Time {

  160. 

  161. 	// Get "x-amz-date" header

  162. 	date := req.Header.Get("x-amz-date")

  163. 

  164. 	// Attempt to parse as ISO8601BasicFormat

  165. 	t, err := time.Parse(ISO8601BasicFormat, date)

  166. 	if err == nil {

  167. 		return t

  168. 	}

  169. 

  170. 	// Attempt to parse as http.TimeFormat

  171. 	t, err = time.Parse(http.TimeFormat, date)

  172. 	if err == nil {

  173. 		req.Header.Set("x-amz-date", t.Format(ISO8601BasicFormat))

  174. 		return t

  175. 	}

  176. 

  177. 	// Get "date" header

  178. 	date = req.Header.Get("date")

  179. 

  180. 	// Attempt to parse as http.TimeFormat

  181. 	t, err = time.Parse(http.TimeFormat, date)

  182. 	if err == nil {

  183. 		return t

  184. 	}

  185. 

  186. 	// Create a current time header to be used

  187. 	t = time.Now().UTC()

  188. 	req.Header.Set("x-amz-date", t.Format(ISO8601BasicFormat))

  189. 	return t

  190. }

  191. 

  192. /*

  193. canonicalRequest method creates the canonical request according to Task 1 of the AWS Signature Version 4 Signing Process. (http://goo.gl/eUUZ3S)

  194. 

  195.     CanonicalRequest =

  196.       HTTPRequestMethod + '\n' +

  197.       CanonicalURI + '\n' +

  198.       CanonicalQueryString + '\n' +

  199.       CanonicalHeaders + '\n' +

  200.       SignedHeaders + '\n' +

  201.       HexEncode(Hash(Payload))

  202. */

  203. func (s *V4Signer) canonicalRequest(req *http.Request) string {

  204. 	c := new(bytes.Buffer)

  205. 	fmt.Fprintf(c, "%s\n", req.Method)

  206. 	fmt.Fprintf(c, "%s\n", s.canonicalURI(req.URL))

  207. 	fmt.Fprintf(c, "%s\n", s.canonicalQueryString(req.URL))

  208. 	fmt.Fprintf(c, "%s\n\n", s.canonicalHeaders(req.Header))

  209. 	fmt.Fprintf(c, "%s\n", s.signedHeaders(req.Header))

  210. 	fmt.Fprintf(c, "%s", s.payloadHash(req))

  211. 	return c.String()

  212. }

  213. 

  214. func (s *V4Signer) canonicalURI(u *url.URL) string {

  215. 	canonicalPath := u.RequestURI()

  216. 	if u.RawQuery != "" {

  217. 		canonicalPath = canonicalPath[:len(canonicalPath)-len(u.RawQuery)-1]

  218. 	}

  219. 	slash := strings.HasSuffix(canonicalPath, "/")

  220. 	canonicalPath = path.Clean(canonicalPath)

  221. 	if canonicalPath != "/" && slash {

  222. 		canonicalPath += "/"

  223. 	}

  224. 	return canonicalPath

  225. }

  226. 

  227. func (s *V4Signer) canonicalQueryString(u *url.URL) string {

  228. 	var a []string

  229. 	for k, vs := range u.Query() {

  230. 		k = Encode(k)

  231. 		for _, v := range vs {

  232. 			if v == "" {

  233. 				a = append(a, k+"=")

  234. 			} else {

  235. 				v = Encode(v)

  236. 				a = append(a, k+"="+v)

  237. 			}

  238. 		}

  239. 	}

  240. 	sort.Strings(a)

  241. 	return strings.Join(a, "&")

  242. }

  243. 

  244. func (s *V4Signer) canonicalHeaders(h http.Header) string {

  245. 	i, a := 0, make([]string, len(h))

  246. 	for k, v := range h {

  247. 		for j, w := range v {

  248. 			v[j] = strings.Trim(w, " ")

  249. 		}

  250. 		sort.Strings(v)

  251. 		a[i] = strings.ToLower(k) + ":" + strings.Join(v, ",")

  252. 		i++

  253. 	}

  254. 	sort.Strings(a)

  255. 	return strings.Join(a, "\n")

  256. }

  257. 

  258. func (s *V4Signer) signedHeaders(h http.Header) string {

  259. 	i, a := 0, make([]string, len(h))

  260. 	for k, _ := range h {

  261. 		a[i] = strings.ToLower(k)

  262. 		i++

  263. 	}

  264. 	sort.Strings(a)

  265. 	return strings.Join(a, ";")

  266. }

  267. 

  268. func (s *V4Signer) payloadHash(req *http.Request) string {

  269. 	var b []byte

  270. 	if req.Body == nil {

  271. 		b = []byte("")

  272. 	} else {

  273. 		var err error

  274. 		b, err = ioutil.ReadAll(req.Body)

  275. 		if err != nil {

  276. 			// TODO: I REALLY DON'T LIKE THIS PANIC!!!!

  277. 			panic(err)

  278. 		}

  279. 	}

  280. 	req.Body = ioutil.NopCloser(bytes.NewBuffer(b))

  281. 	return s.hash(string(b))

  282. }

  283. 

  284. /*

  285. stringToSign method creates the string to sign accorting to Task 2 of the AWS Signature Version 4 Signing Process. (http://goo.gl/es1PAu)

  286. 

  287.     StringToSign  =

  288.       Algorithm + '\n' +

  289.       RequestDate + '\n' +

  290.       CredentialScope + '\n' +

  291.       HexEncode(Hash(CanonicalRequest))

  292. */

  293. func (s *V4Signer) stringToSign(t time.Time, creq string) string {

  294. 	w := new(bytes.Buffer)

  295. 	fmt.Fprint(w, "AWS4-HMAC-SHA256\n")

  296. 	fmt.Fprintf(w, "%s\n", t.Format(ISO8601BasicFormat))

  297. 	fmt.Fprintf(w, "%s\n", s.credentialScope(t))

  298. 	fmt.Fprintf(w, "%s", s.hash(creq))

  299. 	return w.String()

  300. }

  301. 

  302. func (s *V4Signer) credentialScope(t time.Time) string {

  303. 	return fmt.Sprintf("%s/%s/%s/aws4_request", t.Format(ISO8601BasicFormatShort), s.region.Name, s.serviceName)

  304. }

  305. 

  306. /*

  307. signature method calculates the AWS Signature Version 4 according to Task 3 of the AWS Signature Version 4 Signing Process. (http://goo.gl/j0Yqe1)

  308. 

  309. 	signature = HexEncode(HMAC(derived-signing-key, string-to-sign))

  310. */

  311. func (s *V4Signer) signature(t time.Time, sts string) string {

  312. 	h := s.hmac(s.derivedKey(t), []byte(sts))

  313. 	return fmt.Sprintf("%x", h)

  314. }

  315. 

  316. /*

  317. derivedKey method derives a signing key to be used for signing a request.

  318. 

  319. 	kSecret = Your AWS Secret Access Key

  320.     kDate = HMAC("AWS4" + kSecret, Date)

  321.     kRegion = HMAC(kDate, Region)

  322.     kService = HMAC(kRegion, Service)

  323.     kSigning = HMAC(kService, "aws4_request")

  324. */

  325. func (s *V4Signer) derivedKey(t time.Time) []byte {

  326. 	h := s.hmac([]byte("AWS4"+s.auth.SecretKey), []byte(t.Format(ISO8601BasicFormatShort)))

  327. 	h = s.hmac(h, []byte(s.region.Name))

  328. 	h = s.hmac(h, []byte(s.serviceName))

  329. 	h = s.hmac(h, []byte("aws4_request"))

  330. 	return h

  331. }

  332. 

  333. /*

  334. authorization method generates the authorization header value.

  335. */

  336. func (s *V4Signer) authorization(header http.Header, t time.Time, signature string) string {

  337. 	w := new(bytes.Buffer)

  338. 	fmt.Fprint(w, "AWS4-HMAC-SHA256 ")

  339. 	fmt.Fprintf(w, "Credential=%s/%s, ", s.auth.AccessKey, s.credentialScope(t))

  340. 	fmt.Fprintf(w, "SignedHeaders=%s, ", s.signedHeaders(header))

  341. 	fmt.Fprintf(w, "Signature=%s", signature)

  342. 	return w.String()

  343. }

  344. 

  345. // hash method calculates the sha256 hash for a given string

  346. func (s *V4Signer) hash(in string) string {

  347. 	h := sha256.New()

  348. 	fmt.Fprintf(h, "%s", in)

  349. 	return fmt.Sprintf("%x", h.Sum(nil))

  350. }

  351. 

  352. // hmac method calculates the sha256 hmac for a given slice of bytes

  353. func (s *V4Signer) hmac(key, data []byte) []byte {

  354. 	h := hmac.New(sha256.New, key)

  355. 	h.Write(data)

  356. 	return h.Sum(nil)

  357. }