signature

package
v1.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 6, 2018 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

This file implements helper functions to validate AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for following signature types. - Based on Authorization header. - Based on Query parameters. - Based on Form POST policy.

Index

Constants

View Source
const (
	SignV2Algorithm = "AWS"
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)
View Source
const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the client did not calculate sha256 of the payload.

Variables

View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)
View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)

Functions

func CheckPostPolicy

func CheckPostPolicy(formValues map[string]string,
	postPolicyVersion PostPolicyType) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2

func DoesPolicySignatureMatchV2(formValues map[string]string) (credential common.Credential,
	err error)

func DoesPolicySignatureMatchV4

func DoesPolicySignatureMatchV4(formValues map[string]string) (credential common.Credential, err error)

doesPolicySignatureMatch - Verify query headers with post policy

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesPresignedSignatureMatchV2

func DoesPresignedSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesPresignedSignatureMatchV4

func DoesPresignedSignatureMatchV4(r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesSignatureMatchV2

func DoesSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesSignatureMatchV4

func DoesSignatureMatchV4(hashedPayload string, r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

returns true if matches, false otherwise. if error is not nil then it is always false

func IsReqAuthenticated

func IsReqAuthenticated(r *http.Request) (c common.Credential, e error)

A helper function to verify if request has valid AWS Signature

func VerifyUpload

func VerifyUpload(r *http.Request) (credential common.Credential, dataReader io.Reader, err error)

Types

type AuthType

type AuthType int

Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy // including v2 and v4, handled specially in API endpoint
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

Get request authentication type.

type PostPolicyForm

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		Policies map[string]struct {
			Operator string
			Value    string
		}
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.

type PostPolicyType

type PostPolicyType int
const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType

func GetPostPolicyType(formValues map[string]string) PostPolicyType

type SignVerifyReader added in v1.1.0

type SignVerifyReader struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReader represents an io.Reader compatible interface which transparently calculates SHA256 for v4 signed authentication. Caller should call `SignVerifyReader.Verify()` to validate the signature header.

func (*SignVerifyReader) Read added in v1.1.0

func (v *SignVerifyReader) Read(b []byte) (int, error)

func (*SignVerifyReader) Verify added in v1.1.0

func (v *SignVerifyReader) Verify() (common.Credential, error)

Verify - verifies signature and returns error upon signature mismatch.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL