introduce new aws-http-auth module which implements sigv4 and sigv4a #541
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| // Package credentials exposes container types for AWS credentials. | ||
| package credentials | ||
|
|
||
| import ( | ||
| "time" | ||
| ) | ||
|
|
||
| // Credentials describes a shared-secret AWS credential identity. | ||
| type Credentials struct { | ||
| AccessKeyID string | ||
| SecretAccessKey string | ||
| SessionToken string | ||
| Expires time.Time | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| module github.com/aws/smithy-go/aws-http-auth | ||
|
|
||
| go 1.21 |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,225 @@ | ||
| package v4 | ||
|
|
||
| import ( | ||
| "encoding/hex" | ||
| "fmt" | ||
| "io" | ||
| "net/http" | ||
| "sort" | ||
| "strings" | ||
| "time" | ||
|
|
||
| "github.com/aws/smithy-go/aws-http-auth/credentials" | ||
| v4 "github.com/aws/smithy-go/aws-http-auth/v4" | ||
| ) | ||
|
|
||
| const ( | ||
| // TimeFormat is the full-width form to be used in the X-Amz-Date header. | ||
| TimeFormat = "20060102T150405Z" | ||
|
|
||
| // ShortTimeFormat is the shortened form used in credential scope. | ||
| ShortTimeFormat = "20060102" | ||
| ) | ||
|
|
||
| // Signer is the implementation structure for all variants of v4 signing. | ||
| type Signer struct { | ||
| Request *http.Request | ||
| PayloadHash []byte | ||
| Time time.Time | ||
| Credentials credentials.Credentials | ||
| Options v4.SignerOptions | ||
|
|
||
| // variant-specific inputs | ||
| Algorithm string | ||
| CredentialScope string | ||
| Finalizer Finalizer | ||
| } | ||
|
|
||
| // Finalizer performs the final step in v4 signing, deriving a signature for | ||
| // the string-to-sign with algorithm-specific key material. | ||
| type Finalizer interface { | ||
| SignString(string) (string, error) | ||
| } | ||
|
|
||
| // Do performs v4 signing, modifying the request in-place with the | ||
| // signature. | ||
| // | ||
| // Do should be called exactly once for a configured Signer. The behavior of | ||
| // doing otherwise is undefined. | ||
| func (s *Signer) Do() error { | ||
| if err := s.init(); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| s.setRequiredHeaders() | ||
|
|
||
| canonicalRequest, signedHeaders := s.buildCanonicalRequest() | ||
| stringToSign := s.buildStringToSign(canonicalRequest) | ||
| signature, err := s.Finalizer.SignString(stringToSign) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| s.Request.Header.Set("Authorization", | ||
| s.buildAuthorizationHeader(signature, signedHeaders)) | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| func (s *Signer) init() error { | ||
| // it might seem like time should also get defaulted/normalized here, but | ||
| // in practice sigv4 and sigv4a both need to do that beforehand to | ||
| // calculate scope, so there's no point | ||
|
|
||
| if s.Options.HeaderRules == nil { | ||
| s.Options.HeaderRules = defaultHeaderRules{} | ||
| } | ||
|
|
||
| if err := s.resolvePayloadHash(); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| // ensure we have a value for payload hash, whether that be explicit, implicit, | ||
| // or the unsigned sentinel | ||
| func (s *Signer) resolvePayloadHash() error { | ||
| if len(s.PayloadHash) > 0 { | ||
| return nil | ||
| } | ||
|
|
||
| rs, ok := s.Request.Body.(io.ReadSeeker) | ||
| if !ok || s.Options.DisableImplicitPayloadHashing { | ||
| s.PayloadHash = []byte(v4.UnsignedPayload) | ||
| return nil | ||
| } | ||
|
|
||
| p, err := rtosha(rs) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| s.PayloadHash = p | ||
| return nil | ||
| } | ||
|
|
||
| func (s *Signer) setRequiredHeaders() { | ||
| headers := s.Request.Header | ||
|
|
||
| s.Request.Header.Set("Host", s.Request.Host) | ||
|
There was a problem hiding this comment. Unsure of the support in Go, but the V4 spec does talk about using There was a problem hiding this comment. I'm inclined to leave this until we get engagement about it for the reason you've cited. |
||
| s.Request.Header.Set("X-Amz-Date", s.Time.Format(TimeFormat)) | ||
|
|
||
| if len(s.Credentials.SessionToken) > 0 { | ||
| s.Request.Header.Set("X-Amz-Security-Token", s.Credentials.SessionToken) | ||
| } | ||
| if len(s.PayloadHash) > 0 && s.Options.AddPayloadHashHeader { | ||
| headers.Set("X-Amz-Content-Sha256", payloadHashString(s.PayloadHash)) | ||
| } | ||
| } | ||
|
|
||
| func (s *Signer) buildCanonicalRequest() (string, string) { | ||
| canonPath := s.Request.URL.EscapedPath() | ||
| // https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html: | ||
| // if input has no path, "/" is used | ||
| if len(canonPath) == 0 { | ||
| canonPath = "/" | ||
| } | ||
| if !s.Options.DisableDoublePathEscape { | ||
| canonPath = uriEncode(canonPath) | ||
| } | ||
|
|
||
| query := s.Request.URL.Query() | ||
|
There was a problem hiding this comment. Aren't we missing this case on query parameters?
There was a problem hiding this comment. Will check and make sure a test covers this There was a problem hiding this comment. Yeah, Query() handles this. Added test. |
||
| for key := range query { | ||
| sort.Strings(query[key]) | ||
| } | ||
| canonQuery := strings.Replace(query.Encode(), "+", "%20", -1) | ||
|
There was a problem hiding this comment. Docs say we need to do sorting after encoding
There was a problem hiding this comment. That's already happening on 134 - Query() turns URL.RawQuery into a map, RawQuery is already in encoded form. There was a problem hiding this comment. Added a test that demonstrates this. |
||
|
|
||
| canonHeaders, signedHeaders := s.buildCanonicalHeaders() | ||
|
|
||
| req := strings.Join([]string{ | ||
| s.Request.Method, | ||
| canonPath, | ||
| canonQuery, | ||
| canonHeaders, | ||
| signedHeaders, | ||
| payloadHashString(s.PayloadHash), | ||
| }, "\n") | ||
|
|
||
| return req, signedHeaders | ||
| } | ||
|
|
||
| func (s *Signer) buildCanonicalHeaders() (canon, signed string) { | ||
| var canonHeaders []string | ||
| signedHeaders := map[string][]string{} | ||
|
|
||
| // step 1: find what we're signing | ||
| for header, values := range s.Request.Header { | ||
| lowercase := strings.ToLower(header) | ||
| if !s.Options.HeaderRules.IsSigned(lowercase) { | ||
| continue | ||
| } | ||
|
|
||
| canonHeaders = append(canonHeaders, lowercase) | ||
| signedHeaders[lowercase] = values | ||
| } | ||
| sort.Strings(canonHeaders) | ||
|
|
||
| // step 2: indexing off of the list we built previously (which guarantees | ||
| // alphabetical order), build the canonical list | ||
| var ch strings.Builder | ||
| for i := range canonHeaders { | ||
| ch.WriteString(canonHeaders[i]) | ||
| ch.WriteRune(':') | ||
|
|
||
| // headers can have multiple values | ||
| values := signedHeaders[canonHeaders[i]] | ||
| for j, value := range values { | ||
| ch.WriteString(strings.TrimSpace(value)) | ||
| if j < len(values)-1 { | ||
| ch.WriteRune(',') | ||
| } | ||
| } | ||
| ch.WriteRune('\n') | ||
| } | ||
|
|
||
| return ch.String(), strings.Join(canonHeaders, ";") | ||
| } | ||
|
|
||
| func (s *Signer) buildStringToSign(canonicalRequest string) string { | ||
| return strings.Join([]string{ | ||
| s.Algorithm, | ||
| s.Time.Format(TimeFormat), | ||
| s.CredentialScope, | ||
| hex.EncodeToString(Stosha(canonicalRequest)), | ||
| }, "\n") | ||
| } | ||
|
|
||
| func (s *Signer) buildAuthorizationHeader(signature, headers string) string { | ||
| return fmt.Sprintf("%s Credential=%s, SignedHeaders=%s, Signature=%s", | ||
| s.Algorithm, | ||
| s.Credentials.AccessKeyID+"/"+s.CredentialScope, | ||
| headers, | ||
| signature) | ||
| } | ||
|
|
||
| func payloadHashString(p []byte) string { | ||
| if string(p) == "UNSIGNED-PAYLOAD" { | ||
| return string(p) // sentinel, do not hex-encode | ||
| } | ||
| return hex.EncodeToString(p) | ||
| } | ||
|
|
||
| // ResolveTime initializes a time value for signing. | ||
| func ResolveTime(t time.Time) time.Time { | ||
| if t.IsZero() { | ||
| return time.Now().UTC() | ||
| } | ||
| return t.UTC() | ||
| } | ||
|
|
||
| type defaultHeaderRules struct{} | ||
|
|
||
| func (defaultHeaderRules) IsSigned(h string) bool { | ||
| return h == "host" || strings.HasPrefix(h, "x-amz-") | ||
|
There was a problem hiding this comment. The docs say
EDIT but then it says in another place
So, I guess do what you feel it's best 🤷 There was a problem hiding this comment. Yeah I noticed this and ended up leaving it out because testing shows it's not actually required (at least by us). |
||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't a request with no payload needs to hash the empty string instead of the magic string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes but that's not what this case is checking. This is just saying "if we can't compute the payload ourselves (or they shut it off) do explicit unsigned"