wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: c40434bae2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c40434bae2'
${ noResults }
aiforge/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go

317 lines
9.2 kB
Raw Blame History 

  1. /*

  2.  * Minio Go Library for Amazon S3 Compatible Cloud Storage

  3.  * Copyright 2015-2017 Minio, Inc.

  4.  *

  5.  * Licensed under the Apache License, Version 2.0 (the "License");

  6.  * you may not use this file except in compliance with the License.

  7.  * You may obtain a copy of the License at

  8.  *

  9.  *     http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. 

  18. package s3signer

  19. 

  20. import (

  21. 	"bytes"

  22. 	"crypto/hmac"

  23. 	"crypto/sha1"

  24. 	"encoding/base64"

  25. 	"fmt"

  26. 	"net/http"

  27. 	"net/url"

  28. 	"sort"

  29. 	"strconv"

  30. 	"strings"

  31. 	"time"

  32. 

  33. 	"github.com/minio/minio-go/pkg/s3utils"

  34. )

  35. 

  36. // Signature and API related constants.

  37. const (

  38. 	signV2Algorithm = "AWS"

  39. )

  40. 

  41. // Encode input URL path to URL encoded path.

  42. func encodeURL2Path(req *http.Request, virtualHost bool) (path string) {

  43. 	if virtualHost {

  44. 		reqHost := getHostAddr(req)

  45. 		dotPos := strings.Index(reqHost, ".")

  46. 		if dotPos > -1 {

  47. 			bucketName := reqHost[:dotPos]

  48. 			path = "/" + bucketName

  49. 			path += req.URL.Path

  50. 			path = s3utils.EncodePath(path)

  51. 			return

  52. 		}

  53. 	}

  54. 	path = s3utils.EncodePath(req.URL.Path)

  55. 	return

  56. }

  57. 

  58. // PreSignV2 - presign the request in following style.

  59. // https://${S3_BUCKET}.s3.amazonaws.com/${S3_OBJECT}?AWSAccessKeyId=${S3_ACCESS_KEY}&Expires=${TIMESTAMP}&Signature=${SIGNATURE}.

  60. func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64, virtualHost bool) *http.Request {

  61. 	// Presign is not needed for anonymous credentials.

  62. 	if accessKeyID == "" || secretAccessKey == "" {

  63. 		return &req

  64. 	}

  65. 

  66. 	d := time.Now().UTC()

  67. 	// Find epoch expires when the request will expire.

  68. 	epochExpires := d.Unix() + expires

  69. 

  70. 	// Add expires header if not present.

  71. 	if expiresStr := req.Header.Get("Expires"); expiresStr == "" {

  72. 		req.Header.Set("Expires", strconv.FormatInt(epochExpires, 10))

  73. 	}

  74. 

  75. 	// Get presigned string to sign.

  76. 	stringToSign := preStringToSignV2(req, virtualHost)

  77. 	hm := hmac.New(sha1.New, []byte(secretAccessKey))

  78. 	hm.Write([]byte(stringToSign))

  79. 

  80. 	// Calculate signature.

  81. 	signature := base64.StdEncoding.EncodeToString(hm.Sum(nil))

  82. 

  83. 	query := req.URL.Query()

  84. 	// Handle specially for Google Cloud Storage.

  85. 	if strings.Contains(getHostAddr(&req), ".storage.googleapis.com") {

  86. 		query.Set("GoogleAccessId", accessKeyID)

  87. 	} else {

  88. 		query.Set("AWSAccessKeyId", accessKeyID)

  89. 	}

  90. 

  91. 	// Fill in Expires for presigned query.

  92. 	query.Set("Expires", strconv.FormatInt(epochExpires, 10))

  93. 

  94. 	// Encode query and save.

  95. 	req.URL.RawQuery = s3utils.QueryEncode(query)

  96. 

  97. 	// Save signature finally.

  98. 	req.URL.RawQuery += "&Signature=" + s3utils.EncodePath(signature)

  99. 

  100. 	// Return.

  101. 	return &req

  102. }

  103. 

  104. // PostPresignSignatureV2 - presigned signature for PostPolicy

  105. // request.

  106. func PostPresignSignatureV2(policyBase64, secretAccessKey string) string {

  107. 	hm := hmac.New(sha1.New, []byte(secretAccessKey))

  108. 	hm.Write([]byte(policyBase64))

  109. 	signature := base64.StdEncoding.EncodeToString(hm.Sum(nil))

  110. 	return signature

  111. }

  112. 

  113. // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;

  114. // Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) );

  115. //

  116. // StringToSign = HTTP-Verb + "\n" +

  117. //  	Content-Md5 + "\n" +

  118. //  	Content-Type + "\n" +

  119. //  	Date + "\n" +

  120. //  	CanonicalizedProtocolHeaders +

  121. //  	CanonicalizedResource;

  122. //

  123. // CanonicalizedResource = [ "/" + Bucket ] +

  124. //  	<HTTP-Request-URI, from the protocol name up to the query string> +

  125. //  	[ subresource, if present. For example "?acl", "?location", "?logging", or "?torrent"];

  126. //

  127. // CanonicalizedProtocolHeaders = <described below>

  128. 

  129. // SignV2 sign the request before Do() (AWS Signature Version 2).

  130. func SignV2(req http.Request, accessKeyID, secretAccessKey string, virtualHost bool) *http.Request {

  131. 	// Signature calculation is not needed for anonymous credentials.

  132. 	if accessKeyID == "" || secretAccessKey == "" {

  133. 		return &req

  134. 	}

  135. 

  136. 	// Initial time.

  137. 	d := time.Now().UTC()

  138. 

  139. 	// Add date if not present.

  140. 	if date := req.Header.Get("Date"); date == "" {

  141. 		req.Header.Set("Date", d.Format(http.TimeFormat))

  142. 	}

  143. 

  144. 	// Calculate HMAC for secretAccessKey.

  145. 	stringToSign := stringToSignV2(req, virtualHost)

  146. 	hm := hmac.New(sha1.New, []byte(secretAccessKey))

  147. 	hm.Write([]byte(stringToSign))

  148. 

  149. 	// Prepare auth header.

  150. 	authHeader := new(bytes.Buffer)

  151. 	authHeader.WriteString(fmt.Sprintf("%s %s:", signV2Algorithm, accessKeyID))

  152. 	encoder := base64.NewEncoder(base64.StdEncoding, authHeader)

  153. 	encoder.Write(hm.Sum(nil))

  154. 	encoder.Close()

  155. 

  156. 	// Set Authorization header.

  157. 	req.Header.Set("Authorization", authHeader.String())

  158. 

  159. 	return &req

  160. }

  161. 

  162. // From the Amazon docs:

  163. //

  164. // StringToSign = HTTP-Verb + "\n" +

  165. // 	 Content-Md5 + "\n" +

  166. //	 Content-Type + "\n" +

  167. //	 Expires + "\n" +

  168. //	 CanonicalizedProtocolHeaders +

  169. //	 CanonicalizedResource;

  170. func preStringToSignV2(req http.Request, virtualHost bool) string {

  171. 	buf := new(bytes.Buffer)

  172. 	// Write standard headers.

  173. 	writePreSignV2Headers(buf, req)

  174. 	// Write canonicalized protocol headers if any.

  175. 	writeCanonicalizedHeaders(buf, req)

  176. 	// Write canonicalized Query resources if any.

  177. 	writeCanonicalizedResource(buf, req, virtualHost)

  178. 	return buf.String()

  179. }

  180. 

  181. // writePreSignV2Headers - write preSign v2 required headers.

  182. func writePreSignV2Headers(buf *bytes.Buffer, req http.Request) {

  183. 	buf.WriteString(req.Method + "\n")

  184. 	buf.WriteString(req.Header.Get("Content-Md5") + "\n")

  185. 	buf.WriteString(req.Header.Get("Content-Type") + "\n")

  186. 	buf.WriteString(req.Header.Get("Expires") + "\n")

  187. }

  188. 

  189. // From the Amazon docs:

  190. //

  191. // StringToSign = HTTP-Verb + "\n" +

  192. // 	 Content-Md5 + "\n" +

  193. //	 Content-Type + "\n" +

  194. //	 Date + "\n" +

  195. //	 CanonicalizedProtocolHeaders +

  196. //	 CanonicalizedResource;

  197. func stringToSignV2(req http.Request, virtualHost bool) string {

  198. 	buf := new(bytes.Buffer)

  199. 	// Write standard headers.

  200. 	writeSignV2Headers(buf, req)

  201. 	// Write canonicalized protocol headers if any.

  202. 	writeCanonicalizedHeaders(buf, req)

  203. 	// Write canonicalized Query resources if any.

  204. 	writeCanonicalizedResource(buf, req, virtualHost)

  205. 	return buf.String()

  206. }

  207. 

  208. // writeSignV2Headers - write signV2 required headers.

  209. func writeSignV2Headers(buf *bytes.Buffer, req http.Request) {

  210. 	buf.WriteString(req.Method + "\n")

  211. 	buf.WriteString(req.Header.Get("Content-Md5") + "\n")

  212. 	buf.WriteString(req.Header.Get("Content-Type") + "\n")

  213. 	buf.WriteString(req.Header.Get("Date") + "\n")

  214. }

  215. 

  216. // writeCanonicalizedHeaders - write canonicalized headers.

  217. func writeCanonicalizedHeaders(buf *bytes.Buffer, req http.Request) {

  218. 	var protoHeaders []string

  219. 	vals := make(map[string][]string)

  220. 	for k, vv := range req.Header {

  221. 		// All the AMZ headers should be lowercase

  222. 		lk := strings.ToLower(k)

  223. 		if strings.HasPrefix(lk, "x-amz") {

  224. 			protoHeaders = append(protoHeaders, lk)

  225. 			vals[lk] = vv

  226. 		}

  227. 	}

  228. 	sort.Strings(protoHeaders)

  229. 	for _, k := range protoHeaders {

  230. 		buf.WriteString(k)

  231. 		buf.WriteByte(':')

  232. 		for idx, v := range vals[k] {

  233. 			if idx > 0 {

  234. 				buf.WriteByte(',')

  235. 			}

  236. 			if strings.Contains(v, "\n") {

  237. 				// TODO: "Unfold" long headers that

  238. 				// span multiple lines (as allowed by

  239. 				// RFC 2616, section 4.2) by replacing

  240. 				// the folding white-space (including

  241. 				// new-line) by a single space.

  242. 				buf.WriteString(v)

  243. 			} else {

  244. 				buf.WriteString(v)

  245. 			}

  246. 		}

  247. 		buf.WriteByte('\n')

  248. 	}

  249. }

  250. 

  251. // AWS S3 Signature V2 calculation rule is give here:

  252. // http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationStringToSign

  253. 

  254. // Whitelist resource list that will be used in query string for signature-V2 calculation.

  255. // The list should be alphabetically sorted

  256. var resourceList = []string{

  257. 	"acl",

  258. 	"delete",

  259. 	"lifecycle",

  260. 	"location",

  261. 	"logging",

  262. 	"notification",

  263. 	"partNumber",

  264. 	"policy",

  265. 	"requestPayment",

  266. 	"response-cache-control",

  267. 	"response-content-disposition",

  268. 	"response-content-encoding",

  269. 	"response-content-language",

  270. 	"response-content-type",

  271. 	"response-expires",

  272. 	"torrent",

  273. 	"uploadId",

  274. 	"uploads",

  275. 	"versionId",

  276. 	"versioning",

  277. 	"versions",

  278. 	"website",

  279. }

  280. 

  281. // From the Amazon docs:

  282. //

  283. // CanonicalizedResource = [ "/" + Bucket ] +

  284. // 	  <HTTP-Request-URI, from the protocol name up to the query string> +

  285. // 	  [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];

  286. func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request, virtualHost bool) {

  287. 	// Save request URL.

  288. 	requestURL := req.URL

  289. 	// Get encoded URL path.

  290. 	buf.WriteString(encodeURL2Path(&req, virtualHost))

  291. 	if requestURL.RawQuery != "" {

  292. 		var n int

  293. 		vals, _ := url.ParseQuery(requestURL.RawQuery)

  294. 		// Verify if any sub resource queries are present, if yes

  295. 		// canonicallize them.

  296. 		for _, resource := range resourceList {

  297. 			if vv, ok := vals[resource]; ok && len(vv) > 0 {

  298. 				n++

  299. 				// First element

  300. 				switch n {

  301. 				case 1:

  302. 					buf.WriteByte('?')

  303. 				// The rest

  304. 				default:

  305. 					buf.WriteByte('&')

  306. 				}

  307. 				buf.WriteString(resource)

  308. 				// Request parameters

  309. 				if len(vv[0]) > 0 {

  310. 					buf.WriteByte('=')

  311. 					buf.WriteString(vv[0])

  312. 				}

  313. 			}

  314. 		}

  315. 	}

  316. }