signature

package
v1.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 5, 2019 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package cmd This file implements helper functions to validate Streaming AWS Signature Version '4' authorization header.

This file implements helper functions to validate AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for following signature types. - Based on Authorization header. - Based on Query parameters. - Based on Form POST policy.

Index

Constants

View Source
const (
	SignV2Algorithm = "AWS"
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)
View Source
const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the client did not calculate sha256 of the payload.

Variables

View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)
View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)

Functions

func CalculateSeedSignature

func CalculateSeedSignature(r *http.Request) (credential common.Credential, signature string, region string, date time.Time, err error)

calculateSeedSignature - Calculate seed signature in accordance with

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func CheckPostPolicy

func CheckPostPolicy(formValues map[string]string,
	postPolicyVersion PostPolicyType) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2

func DoesPolicySignatureMatchV2(formValues map[string]string) (credential common.Credential,
	err error)

func DoesPolicySignatureMatchV4

func DoesPolicySignatureMatchV4(formValues map[string]string) (credential common.Credential, err error)

doesPolicySignatureMatch - Verify query headers with post policy

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesPresignedSignatureMatchV2

func DoesPresignedSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesPresignedSignatureMatchV4

func DoesPresignedSignatureMatchV4(r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesSignatureMatchV2

func DoesSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesSignatureMatchV4

func DoesSignatureMatchV4(hashedPayload string, r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

returns true if matches, false otherwise. if error is not nil then it is always false

func IsReqAuthenticated

func IsReqAuthenticated(r *http.Request) (c common.Credential, e error)

A helper function to verify if request has valid AWS Signature

func TrimAwsChunkedContentEncoding

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have custom content-encoding such as `aws-chunked,gzip` here we need to only save `gzip`. For more refer http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

func VerifyUpload

func VerifyUpload(r *http.Request) (credential common.Credential, dataReader io.Reader, err error)

Types

type AuthType

type AuthType int

Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

Get request authentication type.

type PostPolicyForm

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		Policies map[string]struct {
			Operator string
			Value    string
		}
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.

type PostPolicyType

type PostPolicyType int
const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType

func GetPostPolicyType(formValues map[string]string) PostPolicyType

type SignVerifyReader added in v1.1.0

type SignVerifyReader struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReader represents an io.Reader compatible interface which transparently calculates SHA256 for v4 signed authentication. Caller should call `SignVerifyReader.Verify()` to validate the signature header.

func (*SignVerifyReader) Read added in v1.1.0

func (v *SignVerifyReader) Read(b []byte) (int, error)

func (*SignVerifyReader) Verify added in v1.1.0

func (v *SignVerifyReader) Verify() (common.Credential, error)

Verify - verifies signature and returns error upon signature mismatch.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL