Package signature v1.7.1
Published: Nov 28, 2022 License: Apache-2.0 Imports: 33 Imported by: 2

Documentation

Overview

Copyright 2019 The OpenSDS Authors.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package cmd. This file implements helper functions to validate the streaming AWS Signature Version '4' authorization header.

Minio Cloud Storage, (C) 2015, 2016 Minio, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This file implements helper functions to validate the AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for the following signature types:

- Based on Authorization header.
- Based on Query parameters.
- Based on Form POST policy.

Index

Constants

const (
	SignV2Algorithm = "AWS"
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)

const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

The HTTP header "x-amz-content-sha256" set to "UNSIGNED-PAYLOAD" indicates that the client did not calculate the SHA-256 of the payload.

const XAMZContentSha256 = "X-Amz-Content-Sha256"

Variables

var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)

var (
	// Convert to Canonical Form before compare
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)
var IsValidAccessKey = regexp.MustCompile(`^[a-zA-Z0-9\\-\\.\\_\\~]{5,20}$`)

IsValidAccessKey - validate access key.

var IsValidSecretKey = regexp.MustCompile(`^.{8,40}$`)

IsValidSecretKey - validate secret key.

Functions

func CalculateSeedSignature

func CalculateSeedSignature(r *http.Request) (credential credentials.Value, signature string, region string, date time.Time, err error)

calculateSeedSignature - Calculate seed signature in accordance with

Returns the signature, or an error if the signature mismatches or any other error occurs while parsing and validating.

func CheckPostPolicy

func CheckPostPolicy(ctx context.Context, formValues map[string]string,
	postPolicyVersion PostPolicyType) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2

func DoesPolicySignatureMatchV2(formValues map[string]string) (credential credentials.Value,
	err error)

func DoesPolicySignatureMatchV4

func DoesPolicySignatureMatchV4(formValues map[string]string) (credential credentials.Value, err error)

doesPolicySignatureMatch - Verify query headers with post policy

Returns true if it matches, false otherwise; if the error is not nil the result is always false.

func DoesPresignedSignatureMatchV2

func DoesPresignedSignatureMatchV2(r *http.Request) (credential credentials.Value, err error)

func DoesPresignedSignatureMatchV4

func DoesPresignedSignatureMatchV4(r *http.Request,
	validateRegion bool) (credential credentials.Value, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

Returns true if it matches, false otherwise; if the error is not nil the result is always false.

func DoesSignatureMatchV2

func DoesSignatureMatchV2(r *http.Request) (credential credentials.Value, err error)

func DoesSignatureMatchV4

func DoesSignatureMatchV4(hashedPayload string, r *http.Request,
	validateRegion bool) (credential credentials.Value, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

Returns true if it matches, false otherwise; if the error is not nil the result is always false.

func IsReqAuthenticated

func IsReqAuthenticated(r *http.Request) (credential credentials.Value, e error)

A helper function to verify whether the request carries a valid AWS Signature.

func PayloadCheck added in v1.0.0

func PayloadCheck(request *restful.Request, response *restful.Response) error

func TrimAwsChunkedContentEncoding

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can send a custom content-encoding such as `aws-chunked,gzip`; here we need to keep only `gzip`. For more, refer to http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

func VerifyUpload

func VerifyUpload(r *http.Request) (credential credentials.Value, dataReader io.Reader, err error)

Types

type AuthType

type AuthType int

Authorization type.

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType

func GetRequestAuthType(r *http.Request) AuthType

Get request authentication type.
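To show how a request is dispatched to one of the AuthType values listed above, here is a constructed classifier; it is an added example, not the package's own GetRequestAuthType. It keys on the SignV2Algorithm and SignV4Algorithm prefixes of the Authorization header, on the query parameters a presigned URL carries, and on the X-Amz-Content-Sha256 streaming marker defined by the SigV4 streaming specification the page links to; the precedence between those checks is this example's assumption, not necessarily the project's.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// The AuthType enumeration exactly as listed on this page.
type AuthType int

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

const (
	signV2Algorithm = "AWS"
	signV4Algorithm = "AWS4-HMAC-SHA256"
	// Payload marker for chunked (streaming) uploads, taken from the SigV4
	// streaming specification; it is not among the constants on this page.
	streamingPayload = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
)

// classifyRequest is a constructed stand-in for GetRequestAuthType. An explicit
// Authorization header wins over query-string credentials, and a multipart POST
// is only treated as a browser form upload when neither is present.
func classifyRequest(r *http.Request) AuthType {
	auth := r.Header.Get("Authorization")
	q := r.URL.Query()
	switch {
	case strings.HasPrefix(auth, signV4Algorithm+" "):
		if r.Header.Get("X-Amz-Content-Sha256") == streamingPayload {
			return AuthTypeStreamingSigned
		}
		return AuthTypeSignedV4
	case strings.HasPrefix(auth, signV2Algorithm+" "):
		return AuthTypeSignedV2
	case q.Get("X-Amz-Algorithm") == signV4Algorithm && q.Get("X-Amz-Signature") != "":
		return AuthTypePresignedV4
	case q.Get("AWSAccessKeyId") != "" && q.Get("Signature") != "":
		return AuthTypePresignedV2
	case r.Method == http.MethodPost && strings.HasPrefix(r.Header.Get("Content-Type"), "multipart/form-data"):
		return AuthTypePostPolicy
	case auth == "":
		// No credentials anywhere: treat as anonymous and let bucket policy decide.
		return AuthTypeAnonymous
	}
	// Some other Authorization scheme (e.g. Basic): not an AWS signature at all.
	return AuthTypeUnknown
}

func main() {
	// Constructed request with a V2-style Authorization header.
	r, _ := http.NewRequest(http.MethodGet, "http://example.invalid/bucket/object", nil)
	r.Header.Set("Authorization", "AWS AKIDEXAMPLE:c2lnbmF0dXJl")
	fmt.Println(classifyRequest(r) == AuthTypeSignedV2)
}
```

Returning AuthTypeUnknown for an unrecognised scheme rather than falling through to anonymous matters: a request that presents some credential should never be downgraded to the anonymous path.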

type PostPolicyForm

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		Policies map[string]struct {
			Operator string
			Value    string
		}
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.
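As an added example (not the project's code) of what CheckPostPolicy does with a PostPolicyForm, the following parses a constructed POST policy document into the Expiration, per-field Operator/Value conditions and ContentLengthRange modelled by the struct above, then applies them to submitted form values. The sample policy, the form values, and the small set of exempt form fields (modelled on IgnoredFormRegExp) are all constructed for this example; the rejection of form fields the policy does not mention is a design choice shown here, not a statement about the project's behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Constructed counterparts of the page's PostPolicyForm (not the project's types).
type policyCondition struct{ Operator, Value string } // Operator is "eq" or "starts-with"

type postPolicy struct {
	Expiration         time.Time
	Policies           map[string]policyCondition // keyed by lowercase form field name
	ContentLengthRange *[2]int64                  // nil when the policy sets no range
}

// Constructed sample policy, as carried (base64-decoded) in the form's "policy" field.
const samplePolicy = `{"expiration":"2022-11-28T00:00:00Z","conditions":[{"bucket":"backups"},` +
	`["starts-with","$key","uploads/"],{"acl":"private"},["content-length-range",0,1048576]]}`

// Fields that carry the signing machinery itself and are exempt from policy checks.
var ignoredFormFields = map[string]bool{"x-amz-signature": true, "file": true, "policy": true}

// parsePostPolicy decodes the S3 POST policy JSON: an object condition means an exact
// match; arrays are ["eq"|"starts-with","$field",value] or ["content-length-range",min,max].
func parsePostPolicy(doc []byte) (*postPolicy, error) {
	var raw struct {
		Expiration string
		Conditions []json.RawMessage
	}
	if err := json.Unmarshal(doc, &raw); err != nil {
		return nil, err
	}
	exp, err := time.Parse(time.RFC3339, raw.Expiration)
	if err != nil {
		return nil, fmt.Errorf("bad expiration: %w", err)
	}
	p := &postPolicy{Expiration: exp, Policies: map[string]policyCondition{}}
	for _, c := range raw.Conditions {
		var obj map[string]string
		if json.Unmarshal(c, &obj) == nil {
			for k, v := range obj {
				p.Policies[strings.ToLower(k)] = policyCondition{Operator: "eq", Value: v}
			}
			continue
		}
		var arr []interface{}
		if err := json.Unmarshal(c, &arr); err != nil || len(arr) != 3 {
			return nil, fmt.Errorf("malformed condition %s", c)
		}
		op, _ := arr[0].(string)
		field, fieldOK := arr[1].(string)
		val, valOK := arr[2].(string)
		lo, loOK := arr[1].(float64)
		hi, hiOK := arr[2].(float64)
		switch {
		case (op == "eq" || op == "starts-with") && fieldOK && valOK && strings.HasPrefix(field, "$"):
			p.Policies[strings.ToLower(field[1:])] = policyCondition{Operator: op, Value: val}
		case op == "content-length-range" && loOK && hiOK && lo <= hi:
			p.ContentLengthRange = &[2]int64{int64(lo), int64(hi)}
		default:
			return nil, fmt.Errorf("malformed condition %s", c)
		}
	}
	return p, nil
}

// checkPostPolicy applies every condition to the submitted form (lowercase keys) and the
// uploaded size, failing on the first violation. Fields the policy never mentions are
// rejected too, so a client cannot add parameters the policy signer did not approve.
func checkPostPolicy(p *postPolicy, form map[string]string, size int64, now time.Time) error {
	if !now.Before(p.Expiration) {
		return fmt.Errorf("policy expired at %s", p.Expiration.Format(time.RFC3339))
	}
	for field, cond := range p.Policies {
		got, present := form[field]
		switch {
		case !present:
			return fmt.Errorf("form lacks field %q required by policy", field)
		case cond.Operator == "eq" && got != cond.Value:
			return fmt.Errorf("field %q: %q != %q", field, got, cond.Value)
		case cond.Operator == "starts-with" && !strings.HasPrefix(got, cond.Value):
			return fmt.Errorf("field %q: %q does not start with %q", field, got, cond.Value)
		}
	}
	for field := range form {
		if _, ok := p.Policies[field]; !ok && !ignoredFormFields[field] && !strings.HasPrefix(field, "x-ignore-") {
			return fmt.Errorf("field %q is not permitted by the policy", field)
		}
	}
	if r := p.ContentLengthRange; r != nil && (size < r[0] || size > r[1]) {
		return fmt.Errorf("size %d outside [%d, %d]", size, r[0], r[1])
	}
	return nil
}

func main() {
	p, _ := parsePostPolicy([]byte(samplePolicy))
	form := map[string]string{"bucket": "backups", "key": "uploads/report.csv", "acl": "private"}
	fmt.Println(checkPostPolicy(p, form, 1024, time.Date(2022, 11, 27, 12, 0, 0, 0, time.UTC)))
}
```

The expiration check and the content-length-range are what keep a leaked signed policy from being replayed indefinitely or used to fill the bucket; the starts-with condition on the key is what confines an uploader to its own prefix.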

type PostPolicyType

type PostPolicyType int

const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType

func GetPostPolicyType(formValues map[string]string) PostPolicyType

type SignVerifyReader

type SignVerifyReader struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReader represents an io.Reader compatible interface which transparently calculates SHA256 for v4 signed authentication. The caller should call `SignVerifyReader.Verify()` to validate the signature header.

func (*SignVerifyReader) Read

func (v *SignVerifyReader) Read(b []byte) (int, error)

func (*SignVerifyReader) Verify

func (v *SignVerifyReader) Verify() (credentials.Value, error)

Verify - verifies signature and returns error upon signature mismatch.
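Added example, not the project's SignVerifyReader: a reader that hashes the body as it is consumed and then checks the digest against the X-Amz-Content-Sha256 header, with UNSIGNED-PAYLOAD handled as the constants section above describes. The request contents and digest values are constructed, and the constant-time comparison is a design choice of this example rather than something the page states about the project.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
	"net/http"
	"strings"
)

// Header name and sentinel value as listed on this page.
const (
	xAmzContentSha256 = "X-Amz-Content-Sha256"
	unsignedPayload   = "UNSIGNED-PAYLOAD"
)

var errContentSHA256Mismatch = errors.New("x-amz-content-sha256 does not match the body")

// hashingReader is the constructed counterpart of SignVerifyReader: it passes the
// body through unchanged and folds every byte read into a running SHA-256.
type hashingReader struct {
	r   io.Reader
	sum hash.Hash
}

func (h *hashingReader) Read(p []byte) (int, error) {
	n, err := h.r.Read(p)
	if n > 0 {
		h.sum.Write(p[:n]) // hash.Hash.Write never returns an error
	}
	return n, err
}

// verify compares the digest of everything read so far with the declared header.
// UNSIGNED-PAYLOAD means the client opted out of the content hash, so only the
// signature over the headers (checked elsewhere) protects such a request.
func (h *hashingReader) verify(declared string) (string, error) {
	digest := hex.EncodeToString(h.sum.Sum(nil))
	if declared == unsignedPayload {
		return digest, nil
	}
	declared = strings.ToLower(declared)
	if subtle.ConstantTimeCompare([]byte(declared), []byte(digest)) != 1 {
		return digest, errContentSHA256Mismatch
	}
	return digest, nil
}

// verifyContentSHA256 drains the request body through the hashing reader (standing
// in for the upload path that would normally consume it) and then verifies the
// header. It returns the hex digest that was computed over the body.
func verifyContentSHA256(r *http.Request) (string, error) {
	hr := &hashingReader{r: r.Body, sum: sha256.New()}
	if _, err := io.Copy(io.Discard, hr); err != nil {
		return "", err
	}
	return hr.verify(r.Header.Get(xAmzContentSha256))
}

// newPutRequest builds a constructed PUT with the given body and header value.
func newPutRequest(body, declared string) *http.Request {
	req, err := http.NewRequest(http.MethodPut, "http://example.invalid/bucket/object", bytes.NewReader([]byte(body)))
	if err != nil {
		panic(err)
	}
	req.Header.Set(xAmzContentSha256, declared)
	return req
}

func main() {
	const helloSum = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9" // sha256("hello world")
	for _, declared := range []string{helloSum, unsignedPayload, strings.Repeat("0", 64)} {
		digest, err := verifyContentSHA256(newPutRequest("hello world", declared))
		fmt.Printf("declared=%s computed=%s err=%v\n", declared, digest, err)
	}
}
```

Because the digest is only known once the whole body has been read, Verify can only run after the upload path has consumed the reader; a server that needs body integrity for every object must therefore also reject UNSIGNED-PAYLOAD, since that value skips the comparison entirely.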

Directories

Path: signer
Synopsis: Package signer implements signing and signature validation for opensds multi-cloud signer.
