Documentation ¶
Overview ¶
Attribution: https://github.com/aws/aws-sdk-go-v2/blob/main/aws/signer/v4/v4.go
Index ¶
- Constants
- Variables
- func GetURIPath(u *url.URL) string
- func HMACSHA256(key []byte, data []byte) []byte
- func HasPrefixFold(s, prefix string) bool
- func SanitizeHostForHeader(r *http.Request)
- func StripExcessSpaces(str string) string
- type Blacklist
- type HTTPSigner
- type InclusiveRules
- type MapRule
- type Patterns
- type Rule
- type Rules
- type Signer
- type SignerOptions
- type SigningKeyDeriver
- type SigningTime
- type Whitelist
Constants ¶
const ( // EmptyStringSHA256 is the hex encoded sha256 value of an empty string EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855` // UnsignedPayload indicates that the request payload body is unsigned UnsignedPayload = "UNSIGNED-PAYLOAD" // AmzAlgorithmKey indicates the signing algorithm AmzAlgorithmKey = "X-Amz-Algorithm" // AmzSecurityTokenKey indicates the security token to be used with temporary credentials AmzSecurityTokenKey = "X-Amz-Security-Token" // AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD'T'HHMMSS'Z' AmzDateKey = "X-Amz-Date" // AmzCredentialKey is the access key ID and credential scope AmzCredentialKey = "X-Amz-Credential" // AmzSignedHeadersKey is the set of headers signed for the request AmzSignedHeadersKey = "X-Amz-SignedHeaders" // AmzSignatureKey is the query parameter to store the SigV4 signature AmzSignatureKey = "X-Amz-Signature" // TimeFormat is the time format to be used in the X-Amz-Date header or query parameter TimeFormat = "20060102T150405Z" // ShortTimeFormat is the shorten time format used in the credential scope ShortTimeFormat = "20060102" // ContentSHAKey is the SHA256 of request body ContentSHAKey = "X-Amz-Content-Sha256" )
Variables ¶
var AllowedQueryHoisting = InclusiveRules{ Blacklist{RequiredSignedHeaders}, Patterns{"X-Amz-"}, }
AllowedQueryHoisting is a whitelist for Build query headers. The boolean value represents whether or not it is a pattern.
var IgnoredHeaders = Rules{ Blacklist{ MapRule{ "Authorization": struct{}{}, "User-Agent": struct{}{}, "X-Amzn-Trace-Id": struct{}{}, }, }, }
IgnoredHeaders is a list of headers that are ignored during signing
var RequiredSignedHeaders = Rules{ Whitelist{ MapRule{ "Cache-Control": struct{}{}, "Content-Disposition": struct{}{}, "Content-Encoding": struct{}{}, "Content-Language": struct{}{}, "Content-Md5": struct{}{}, "Content-Type": struct{}{}, "Expires": struct{}{}, "If-Match": struct{}{}, "If-Modified-Since": struct{}{}, "If-None-Match": struct{}{}, "If-Unmodified-Since": struct{}{}, "Range": struct{}{}, "X-Amz-Acl": struct{}{}, "X-Amz-Copy-Source": struct{}{}, "X-Amz-Copy-Source-If-Match": struct{}{}, "X-Amz-Copy-Source-If-Modified-Since": struct{}{}, "X-Amz-Copy-Source-If-None-Match": struct{}{}, "X-Amz-Copy-Source-If-Unmodified-Since": struct{}{}, "X-Amz-Copy-Source-Range": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Grant-Full-control": struct{}{}, "X-Amz-Grant-Read": struct{}{}, "X-Amz-Grant-Read-Acp": struct{}{}, "X-Amz-Grant-Write": struct{}{}, "X-Amz-Grant-Write-Acp": struct{}{}, "X-Amz-Metadata-Directive": struct{}{}, "X-Amz-Mfa": struct{}{}, "X-Amz-Request-Payer": struct{}{}, "X-Amz-Server-Side-Encryption": struct{}{}, "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Storage-Class": struct{}{}, "X-Amz-Website-Redirect-Location": struct{}{}, "X-Amz-Content-Sha256": struct{}{}, "X-Amz-Tagging": struct{}{}, }, }, Patterns{"X-Amz-Meta-"}, }
RequiredSignedHeaders is a whitelist for Build canonical headers.
Functions ¶
func GetURIPath ¶
GetURIPath returns the escaped URI component from the provided URL
func HMACSHA256 ¶
HMACSHA256 computes a HMAC-SHA256 of data given the provided key.
func HasPrefixFold ¶
func SanitizeHostForHeader ¶
SanitizeHostForHeader removes default port from host and updates request.Host
func StripExcessSpaces ¶
StripExcessSpaces will rewrite the passed in slice's string values to not contain muliple side-by-side spaces.
Types ¶
type HTTPSigner ¶
type HTTPSigner interface { // SignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(*SignerOptions)) error SignHTTP(ctx context.Context, credentials hmaccred.PKCSSigner, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(*SignerOptions)) error }
HTTPSigner is an interface to a SigV4 signer that can sign HTTP requests
type InclusiveRules ¶
type InclusiveRules []Rule
InclusiveRules rules allow for rules to depend on one another
func (InclusiveRules) IsValid ¶
func (r InclusiveRules) IsValid(value string) bool
IsValid will return true if all rules are true
type Rule ¶
Rule interface allows for more flexible rules and just simply checks whether or not a value adheres to that Rule
type Signer ¶
type Signer struct {
// contains filtered or unexported fields
}
Signer applies AWS v4 signing to given request. Use this to sign requests that need to be signed with AWS V4 Signatures.
func NewSigner ¶
func NewSigner(optFns ...func(signer *SignerOptions)) *Signer
NewSigner returns a new SigV4 Signer
func (*Signer) PresignHTTP ¶
func (s *Signer) PresignHTTP( ctx context.Context, credentials hmaccred.PKCSSigner, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(*SignerOptions), ) (signedURI string, signedHeaders http.Header, err error)
PresignHTTP signs AWS v4 requests with the payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.
Returns the signed URL and the map of HTTP headers that were included in the signature or an error if signing the request failed. For presigned requests these headers and their values must be included on the HTTP request when it is made. This is helpful to know what header values need to be shared with the party the presigned request will be distributed to.
The payloadHash is the hex encoded SHA-256 hash of the request payload, and must be provided. Even if the request has no payload (aka body). If the request has no payload you should use the hex encoded SHA-256 of an empty string as the payloadHash value.
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Some services such as Amazon S3 accept alternative values for the payload hash, such as "UNSIGNED-PAYLOAD" for requests where the body will not be included in the request signature.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
PresignHTTP differs from SignHTTP in that it will sign the request using query string instead of header values. This allows you to share the Presigned Request's URL with third parties, or distribute it throughout your system with minimal dependencies.
PresignHTTP will not set the expires time of the presigned request automatically. To specify the expire duration for a request add the "X-Amz-Expires" query parameter on the request with the value as the duration in seconds the presigned URL should be considered valid for. This parameter is not used by all AWS services, and is most notable used by Amazon S3 APIs.
expires := 20 * time.Minute query := req.URL.Query() query.Set("X-Amz-Expires", strconv.FormatInt(int64(expires/time.Second), 10) req.URL.RawQuery = query.Encode()
This method does not modify the provided request.
func (Signer) SignHTTP ¶
func (s Signer) SignHTTP(ctx context.Context, credentials hmaccred.PKCSSigner, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(options *SignerOptions)) error
SignHTTP signs AWS v4 requests with the provided payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.
The payloadHash is the hex encoded SHA-256 hash of the request payload, and must be provided. Even if the request has no payload (aka body). If the request has no payload you should use the hex encoded SHA-256 of an empty string as the payloadHash value.
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Some services such as Amazon S3 accept alternative values for the payload hash, such as "UNSIGNED-PAYLOAD" for requests where the body will not be included in the request signature.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
Sign differs from Presign in that it will sign the request using HTTP header values. This type of signing is intended for http.Request values that will not be shared, or are shared in a way the header values on the request will not be lost.
The passed in request will be modified in place. func (s Signer) SignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(options *SignerOptions)) error {
type SignerOptions ¶
type SignerOptions struct { // Disables the Signer's moving HTTP header key/value pairs from the HTTP // request header to the request's query string. This is most commonly used // with pre-signed requests preventing headers from being added to the // request's query string. DisableHeaderHoisting bool // Disables the automatic escaping of the URI path of the request for the // siganture's canonical string's path. For services that do not need additional // escaping then use this to disable the signer escaping the path. // // S3 is an example of a service that does not need additional escaping. // // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html DisableURIPathEscaping bool // The logger to send log messages to. Logger logging.Logger // Enable logging of signed requests. // This will enable logging of the canonical request, the string to sign, and for presigning the subsequent // presigned URL. LogSigning bool }
SignerOptions is the SigV4 Signer options.
type SigningKeyDeriver ¶
type SigningKeyDeriver struct {
// contains filtered or unexported fields
}
SigningKeyDeriver derives a signing key from a set of credentials
func NewSigningKeyDeriver ¶
func NewSigningKeyDeriver() *SigningKeyDeriver
NewSigningKeyDeriver returns a new SigningKeyDeriver
func (*SigningKeyDeriver) DeriveKey ¶
func (k *SigningKeyDeriver) DeriveKey(credential hmaccred.PKCSSigner, service, region string, signingTime SigningTime) ([]byte, error)
DeriveKey returns a derived signing key from the given credentials to be used with SigV4 signing.
type SigningTime ¶
SigningTime provides a wrapper around a time.Time which provides cached values for SigV4 signing.
func NewSigningTime ¶
func NewSigningTime(t time.Time) SigningTime
NewSigningTime creates a new SigningTime given a time.Time
func (*SigningTime) ShortTimeFormat ¶
func (m *SigningTime) ShortTimeFormat() string
ShortTimeFormat provides a time formatted of 20060102.
func (*SigningTime) TimeFormat ¶
func (m *SigningTime) TimeFormat() string
TimeFormat provides a time formatted in the X-Amz-Date format.