signature

package
Version: v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 12, 2020 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Copyright 2019 The OpenSDS Authors.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package cmd This file implements helper functions to validate Streaming AWS Signature Version '4' authorization header.

* Minio Cloud Storage, (C) 2015, 2016 Minio, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.

This file implements helper functions to validate AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for following signature types. - Based on Authorization header. - Based on Query parameters. - Based on Form POST policy.

Index

Constants

View Source
const (
	SignV2Algorithm = "AWS"
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)
View Source
const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the client did not calculate sha256 of the payload.

Variables

View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)
View Source
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)
View Source
var IsValidAccessKey = regexp.MustCompile(`^[a-zA-Z0-9\\-\\.\\_\\~]{5,20}$`)

IsValidAccessKey - validate access key.

View Source
var IsValidSecretKey = regexp.MustCompile(`^.{8,40}$`)

IsValidSecretKey - validate secret key.

Functions

func CalculateSeedSignature

func CalculateSeedSignature(r *http.Request) (credential credentials.Value, signature string, region string, date time.Time, err error)

calculateSeedSignature - Calculate seed signature in accordance with

- http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func CheckPostPolicy

func CheckPostPolicy(ctx context.Context, formValues map[string]string,
	postPolicyVersion PostPolicyType) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2

func DoesPolicySignatureMatchV2(formValues map[string]string) (credential credentials.Value,
	err error)

func DoesPolicySignatureMatchV4

func DoesPolicySignatureMatchV4(formValues map[string]string) (credential credentials.Value, err error)

doesPolicySignatureMatch - Verify query headers with post policy

- http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesPresignedSignatureMatchV2

func DoesPresignedSignatureMatchV2(r *http.Request) (credential credentials.Value, err error)

func DoesPresignedSignatureMatchV4

func DoesPresignedSignatureMatchV4(r *http.Request,
	validateRegion bool) (credential credentials.Value, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

- http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesSignatureMatchV2

func DoesSignatureMatchV2(r *http.Request) (credential credentials.Value, err error)

func DoesSignatureMatchV4

func DoesSignatureMatchV4(hashedPayload string, r *http.Request,
	validateRegion bool) (credential credentials.Value, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

- http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

returns true if matches, false otherwise. if error is not nil then it is always false

func IsReqAuthenticated

func IsReqAuthenticated(r *http.Request) (credential credentials.Value, e error)

A helper function to verify if request has valid AWS Signature

func TrimAwsChunkedContentEncoding

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have custom content-encoding such as `aws-chunked,gzip` here we need to only save `gzip`. For more refer http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

func VerifyUpload

func VerifyUpload(r *http.Request) (credential credentials.Value, dataReader io.Reader, err error)

Types

type AuthType

type AuthType int

Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

Get request authentication type.

type PostPolicyForm

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		Policies map[string]struct {
			Operator string
			Value    string
		}
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.

type PostPolicyType

type PostPolicyType int
const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType

func GetPostPolicyType(formValues map[string]string) PostPolicyType

type SignVerifyReader

type SignVerifyReader struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReader represents an io.Reader compatible interface which transparently calculates SHA256 for v4 signed authentication. Caller should call `SignVerifyReader.Verify()` to validate the signature header.

func (*SignVerifyReader) Read

func (v *SignVerifyReader) Read(b []byte) (int, error)

func (*SignVerifyReader) Verify

func (v *SignVerifyReader) Verify() (credentials.Value, error)

Verify - verifies signature and returns error upon signature mismatch.

Directories

Path Synopsis
Package signer implements signing and signature validation for opensds multi-cloud signer.
Package signer implements signing and signature validation for opensds multi-cloud signer.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL