signature

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 30, 2019 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package cmd This file implements helper functions to validate Streaming AWS Signature Version '4' authorization header.

This file implements helper functions to validate AWS Signature Version '4' authorization header.

This package provides comprehensive helpers for following signature types. - Based on Authorization header. - Based on Query parameters. - Based on Form POST policy.

Index

Constants

View Source 
const (
	SignV2Algorithm = "AWS"
	SignV4Algorithm = "AWS4-HMAC-SHA256"
)
View Source 
const (
	UnsignedPayload = "UNSIGNED-PAYLOAD"
)

http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the client did not calculate sha256 of the payload.

Variables

View Source 
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-Meta-.+")
	StartsWithPolicyRegExpV2 = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExpV2 = regexp.MustCompile("(?i)Awsaccesskeyid|Signature|File|Policy|X-Ignore-.+")
)
View Source 
var (
	// Convert to Canonical Form before compare
	EqPolicyRegExp = regexp.MustCompile("(?i)Acl|Bucket|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|Success_action_status" +
		"|X-Amz-.+|X-Amz-Meta-.+")
	StartsWithPolicyRegExp = regexp.MustCompile("(?i)Acl|Cache-Control|Content-Type|Content-Disposition" +
		"|Content-Encoding|Expires|Key|Success_action_redirect|Redirect|X-Amz-Meta-.+")
	IgnoredFormRegExp = regexp.MustCompile("(?i)X-Amz-Signature|File|Policy|X-Ignore-.+")
)

Functions

func CalculateSeedSignature 

func CalculateSeedSignature(r *http.Request) (credential common.Credential, signature string, region string, date time.Time, err error)

calculateSeedSignature - Calculate seed signature in accordance with

returns signature, error otherwise if the signature mismatches or any other error while parsing and validating.

func CheckPostPolicy 

func CheckPostPolicy(formValues map[string]string,
	postPolicyVersion PostPolicyType) error

checkPostPolicy - apply policy conditions and validate input values.

func DoesPolicySignatureMatchV2 

func DoesPolicySignatureMatchV2(formValues map[string]string) (credential common.Credential,
	err error)

func DoesPolicySignatureMatchV4 

func DoesPolicySignatureMatchV4(formValues map[string]string) (credential common.Credential, err error)

doesPolicySignatureMatch - Verify query headers with post policy

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesPresignedSignatureMatchV2 

func DoesPresignedSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesPresignedSignatureMatchV4 

func DoesPresignedSignatureMatchV4(r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesPresignedSignatureMatch - Verify query headers with presigned signature

returns true if matches, false otherwise. if error is not nil then it is always false

func DoesSignatureMatchV2 

func DoesSignatureMatchV2(r *http.Request) (credential common.Credential, err error)

func DoesSignatureMatchV4 

func DoesSignatureMatchV4(hashedPayload string, r *http.Request,
	validateRegion bool) (credential common.Credential, err error)

doesSignatureMatch - Verify authorization header with calculated header in accordance with

returns true if matches, false otherwise. if error is not nil then it is always false

func IsReqAuthenticated 

func IsReqAuthenticated(r *http.Request) (c common.Credential, e error)

A helper function to verify if request has valid AWS Signature

func TrimAwsChunkedContentEncoding 

func TrimAwsChunkedContentEncoding(contentEnc string) (trimmedContentEnc string)

Trims away `aws-chunked` from the content-encoding header if present. Streaming signature clients can have custom content-encoding such as `aws-chunked,gzip` here we need to only save `gzip`. For more refer http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

func VerifyUpload 

func VerifyUpload(r *http.Request) (credential common.Credential,
	dataReader io.ReadCloser, err error)

Types

type AuthType 

type AuthType int

Authorization type. 

const (
	AuthTypeUnknown AuthType = iota
	AuthTypeAnonymous
	AuthTypePresignedV4
	AuthTypePresignedV2
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeSignedV4
	AuthTypeSignedV2
)

List of all supported auth types.

func GetRequestAuthType 

func GetRequestAuthType(r *http.Request) AuthType

Get request authentication type.

type PostPolicyForm 

type PostPolicyForm struct {
	Expiration time.Time // Expiration date and time of the POST policy.
	Conditions struct {
		Policies map[string]struct {
			Operator string
			Value    string
		}
		ContentLengthRange struct {
			Min int
			Max int
		}
	}
}

PostPolicyForm provides strict static type conversion and validation for Amazon S3's POST policy JSON string.

type PostPolicyType 

type PostPolicyType int
const (
	PostPolicyUnknown PostPolicyType = iota
	PostPolicyV2
	PostPolicyV4
	PostPolicyAnonymous
)

func GetPostPolicyType 

func GetPostPolicyType(formValues map[string]string) PostPolicyType

type SignVerifyReadCloser 

type SignVerifyReadCloser struct {
	Request      *http.Request
	Reader       io.Reader
	Sha256Writer hash.Hash
}

SignVerifyReadCloser represents an io.ReadCloser compatible interface which transparently calculates SHA256 for v4 signed authentication. Caller should call `SignVerifyReadCloser.Verify()` to validate the signature header.

func (*SignVerifyReadCloser) Close 

func (v *SignVerifyReadCloser) Close() error

func (*SignVerifyReadCloser) Read 

func (v *SignVerifyReadCloser) Read(b []byte) (int, error)

func (*SignVerifyReadCloser) Verify 

func (v *SignVerifyReadCloser) Verify() (common.Credential, error)

Verify - verifies signature and returns error upon signature mismatch.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.