Overview ¶
This file implements helper functions to validate the AWS Signature Version 4 authorization header.
This package provides helpers for the following signature types: signatures carried in the Authorization header, signatures carried in query parameters (presigned requests), and signatures on a form POST policy.
Index ¶
- Constants
- Variables
- func CheckPostPolicy(formValues map[string]string, postPolicyVersion PostPolicyType) error
- func DoesPolicySignatureMatchV2(formValues map[string]string) (credential iam.Credential, err error)
- func DoesPolicySignatureMatchV4(formValues map[string]string) (credential iam.Credential, err error)
- func DoesPresignedSignatureMatchV2(r *http.Request) (credential iam.Credential, err error)
- func DoesPresignedSignatureMatchV4(r *http.Request, validateRegion bool) (credential iam.Credential, err error)
- func DoesSignatureMatchV2(r *http.Request) (credential iam.Credential, err error)
- func DoesSignatureMatchV4(hashedPayload string, r *http.Request, validateRegion bool) (credential iam.Credential, err error)
- func IsReqAuthenticated(r *http.Request) (c iam.Credential, e error)
- func VerifyUpload(r *http.Request) (credential iam.Credential, dataReader io.Reader, err error)
- type AuthType
- type PostPolicyForm
- type PostPolicyType
- type SignVerifyReader
Constants ¶
const (
	// SignV2Algorithm is the scheme prefix of a Signature Version 2 Authorization header.
	SignV2Algorithm = "AWS"
	// SignV4Algorithm is the algorithm name of a Signature Version 4 Authorization header.
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)
const (
	// UnsignedPayload is the x-amz-content-sha256 value a client sends when it did
	// not compute the SHA-256 of the payload. The signature then covers the header
	// value only, not the request body, so the body's integrity is not checked by
	// signature verification.
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)
The HTTP header "x-amz-content-sha256" with the value "UNSIGNED-PAYLOAD" indicates that the client did not compute the SHA-256 of the payload. In that case the signature does not bind the request body, so the body's integrity is not covered by the signature check.
Variables ¶
var (
	// Convert to Canonical Form before compare
	//
	// NOTE(review): the three patterns below are case-insensitive but unanchored.
	// Matched with MatchString they also accept a field name that merely contains
	// one of the alternatives as a substring; whether that matters depends on how
	// the call sites use them — confirm there.

	// EqPolicyRegExpV2 names the V2 form fields that a policy may constrain with an
	// exact-value condition (by its name, the "eq" condition — confirm in CheckPostPolicy).
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	// StartsWithPolicyRegExpV2 names the V2 form fields that a policy may constrain
	// with a prefix condition (by its name, "starts-with" — confirm in CheckPostPolicy).
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	// IgnoredFormRegExpV2 names the V2 form fields that are not checked against the
	// policy conditions: the signature material itself, the file, and X-Ignore-* fields.
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)
var (
	// Convert to Canonical Form before compare
	//
	// NOTE(review): the three patterns below are case-insensitive but unanchored.
	// Matched with MatchString they also accept a field name that merely contains
	// one of the alternatives as a substring; whether that matters depends on how
	// the call sites use them — confirm there.

	// EqPolicyRegExp names the V4 form fields that a policy may constrain with an
	// exact-value condition (by its name, the "eq" condition — confirm in CheckPostPolicy).
	// "X-Amz-.+" already covers "X-Amz-Meta-.+"; the second alternative is redundant but harmless.
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	// StartsWithPolicyRegExp names the V4 form fields that a policy may constrain
	// with a prefix condition (by its name, "starts-with" — confirm in CheckPostPolicy).
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	// IgnoredFormRegExp names the V4 form fields that are not checked against the
	// policy conditions: the signature itself, the file, the policy, and X-Ignore-* fields.
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)
Functions ¶
func CheckPostPolicy ¶
func CheckPostPolicy(formValues map[string]string, postPolicyVersion PostPolicyType) error
CheckPostPolicy applies the policy conditions to the form values and validates the input values.
func DoesPolicySignatureMatchV2 ¶
func DoesPolicySignatureMatchV2(formValues map[string]string) (credential iam.Credential, err error)
func DoesPolicySignatureMatchV4 ¶
func DoesPolicySignatureMatchV4(formValues map[string]string) (credential iam.Credential, err error)
DoesPolicySignatureMatchV4 verifies the form values against the POST policy signature.
It returns the matching credential on success; when err is non-nil the signature did not match and the credential must not be used.
func DoesPresignedSignatureMatchV2 ¶
func DoesPresignedSignatureMatchV2(r *http.Request) (credential iam.Credential, err error)
func DoesPresignedSignatureMatchV4 ¶
func DoesPresignedSignatureMatchV4(r *http.Request, validateRegion bool) (credential iam.Credential, err error)
DoesPresignedSignatureMatchV4 verifies the query parameters against the presigned signature.
It returns the matching credential on success; when err is non-nil the signature did not match and the credential must not be used.
func DoesSignatureMatchV2 ¶
func DoesSignatureMatchV2(r *http.Request) (credential iam.Credential, err error)
func DoesSignatureMatchV4 ¶
func DoesSignatureMatchV4(hashedPayload string, r *http.Request, validateRegion bool) (credential iam.Credential, err error)
DoesSignatureMatchV4 verifies the Authorization header against the signature computed from the request (using hashedPayload as the payload hash), in accordance with AWS Signature Version 4.
It returns the matching credential on success; when err is non-nil the signature did not match and the credential must not be used.
func IsReqAuthenticated ¶
func IsReqAuthenticated(r *http.Request) (c iam.Credential, e error)
IsReqAuthenticated is a helper that verifies whether the request carries a valid AWS signature.
func VerifyUpload ¶
Types ¶
type AuthType ¶
type AuthType int
AuthType is the authorization type of a request.
const (
	// AuthTypeUnknown is the zero value; no recognised authentication type.
	AuthTypeUnknown AuthType = iota
	// AuthTypeAnonymous: the request carries no signature.
	AuthTypeAnonymous
	// AuthTypePresignedV4: Signature Version 4 carried in the query parameters.
	AuthTypePresignedV4
	// AuthTypePresignedV2: Signature Version 2 carried in the query parameters.
	AuthTypePresignedV2
	// AuthTypePostPolicy: signature on a form POST policy.
	AuthTypePostPolicy // including v2 and v4, handled specially in API endpoint
	// AuthTypeSignedV4: Signature Version 4 carried in the Authorization header.
	AuthTypeSignedV4
	// AuthTypeSignedV2: Signature Version 2 carried in the Authorization header.
	AuthTypeSignedV2
)
List of all supported auth types.
func GetRequestAuthType ¶
GetRequestAuthType returns the authentication type of the request.
type PostPolicyForm ¶
// PostPolicyForm is the statically typed form of an S3 POST policy document.
type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	// Conditions holds the policy conditions the form values are checked against.
	Conditions struct {
		// Policies maps a form-field name to the condition placed on it.
		// Operator is presumably the condition operator (e.g. "eq" / "starts-with")
		// and Value the operand — confirm against CheckPostPolicy.
		Policies map[string]struct {
			Operator string
			Value    string
		}
		// ContentLengthRange bounds the accepted upload size (Min..Max bytes, presumably inclusive).
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}
PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.
type PostPolicyType ¶
type PostPolicyType int
const (
	// PostPolicyUnknown is the zero value; the form did not identify a policy signature type.
	PostPolicyUnknown PostPolicyType = iota
	// PostPolicyV2: the POST policy is signed with Signature Version 2.
	PostPolicyV2
	// PostPolicyV4: the POST policy is signed with Signature Version 4.
	PostPolicyV4
	// PostPolicyAnonymous: the form carries no policy signature.
	PostPolicyAnonymous
)
func GetPostPolicyType ¶
func GetPostPolicyType(formValues map[string]string) PostPolicyType
type SignVerifyReader ¶ added in v1.1.0
SignVerifyReader is an io.Reader-compatible wrapper that transparently computes the SHA-256 of the data it reads, for v4 signed authentication. The caller must call `SignVerifyReader.Verify()` after consuming the body to validate the signature header; data read before Verify succeeds has not yet been authenticated.
func (*SignVerifyReader) Read ¶ added in v1.1.0
func (v *SignVerifyReader) Read(b []byte) (int, error)
func (*SignVerifyReader) Verify ¶ added in v1.1.0
func (v *SignVerifyReader) Verify() (iam.Credential, error)
Verify validates the signature and returns an error on a signature mismatch; the returned credential is only meaningful when the error is nil.