signature

package
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 29, 2020 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Overview

Package cmd This file implements helper functions to validate Streaming AWS Signature Version '4' authorization header.

This file implements helper functions to validate AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for following signature types. - Based on Authorization header. - Based on Query parameters. - Based on Form POST policy.

Index

Constants

View Source 
const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the client did not calculate sha256 of the payload.

Variables

View Source 
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)

Functions

func CalculateSeedSignature 

func CalculateSeedSignature(r *http.Request, brand Brand) (credential common.Credential, signature string, region string, date time.Time, err error)

calculateSeedSignature - Calculate seed signature in accordance with

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func CheckPostPolicy 

func CheckPostPolicy(formValues map[string]string, brand Brand) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2 

func DoesPolicySignatureMatchV2(formValues map[string]string, brand Brand) (credential common.Credential,
	err error)

func DoesPolicySignatureMatchV4 

func DoesPolicySignatureMatchV4(formValues map[string]string, brand Brand) (credential common.Credential, err error)

doesPolicySignatureMatch - Verify query headers with post policy

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesPresignedSignatureMatchV2 

func DoesPresignedSignatureMatchV2(r *http.Request, brand Brand) (credential common.Credential, err error)

func DoesPresignedSignatureMatchV4 

func DoesPresignedSignatureMatchV4(r *http.Request, brand Brand,
	validateRegion bool) (credential common.Credential, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesSignatureMatchV2 

func DoesSignatureMatchV2(r *http.Request, brand Brand) (credential common.Credential, err error)

func DoesSignatureMatchV4 

func DoesSignatureMatchV4(hashedPayload string, r *http.Request, brand Brand,
	validateRegion bool) (credential common.Credential, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

returns true if matches, false otherwise. if error is not nil then it is always false

func IsReqAuthenticated 

func IsReqAuthenticated(r *http.Request) (c common.Credential, e error)

A helper function to verify if request has valid AWS Signature

func TrimAwsChunkedContentEncoding 

func TrimAwsChunkedContentEncoding(contentEnc string, brand Brand) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have custom content-encoding such as `aws-chunked,gzip` here we need to only save `gzip`. For more refer http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

func VerifyUpload 

func VerifyUpload(r *http.Request, brand Brand) (credential common.Credential,
	dataReader io.ReadCloser, err error)

Types

type AuthType 

type AuthType int

Authorization type. 

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType 

func GetRequestAuthType(r *http.Request, brand Brand) AuthType

Get request authentication type.

type PostPolicyForm 

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		// Conditional policy structure.
		Policies []struct {
			Operator string
			Key      string
			Value    string
		}
		ContentLengthRange contentLengthRange
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.

type PostPolicyType 

type PostPolicyType int
const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType 

func GetPostPolicyType(formValues map[string]string, brand Brand) PostPolicyType

type SignVerifyReadCloser 

type SignVerifyReadCloser struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReadCloser represents an io.ReadCloser compatible interface which transparently calculates SHA256 for v4 signed authentication. Caller should call `SignVerifyReadCloser.Verify()` to validate the signature header.

func (*SignVerifyReadCloser) Close 

func (v *SignVerifyReadCloser) Close() error

func (*SignVerifyReadCloser) Read 

func (v *SignVerifyReadCloser) Read(b []byte) (int, error)

func (*SignVerifyReadCloser) Verify 

func (v *SignVerifyReadCloser) Verify() (common.Credential, error)

Verify - verifies signature and returns error upon signature mismatch.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.