2015-07-08 19:54:32 -04:00
/ *
2015-07-24 20:51:40 -04:00
* Minio Cloud Storage , ( C ) 2015 Minio , Inc .
2015-07-08 19:54:32 -04:00
*
* Licensed under the Apache License , Version 2.0 ( the "License" ) ;
* you may not use this file except in compliance with the License .
* You may obtain a copy of the License at
*
* http : //www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing , software
* distributed under the License is distributed on an "AS IS" BASIS ,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
* See the License for the specific language governing permissions and
* limitations under the License .
* /
2016-02-21 20:57:05 -05:00
// Package signature4 implements helper functions to validate AWS
// Signature Version '4' authorization header.
//
// This package provides comprehensive helpers for following signature
// types.
// - Based on Authorization header.
// - Based on Query parameters.
// - Based on Form POST policy.
package signature4
2015-07-08 19:54:32 -04:00
import (
"bytes"
"encoding/hex"
"net/http"
2015-10-01 01:59:52 -04:00
"net/url"
2015-07-08 19:54:32 -04:00
"sort"
2015-10-01 01:59:52 -04:00
"strconv"
2015-07-08 19:54:32 -04:00
"strings"
"time"
2016-02-10 19:40:09 -05:00
"github.com/minio/minio/pkg/crypto/sha256"
"github.com/minio/minio/pkg/probe"
2015-07-08 19:54:32 -04:00
)
2016-02-21 20:57:05 -05:00
// Sign - local variables
type Sign struct {
2016-02-15 20:42:39 -05:00
accessKeyID string
secretAccessKey string
region string
httpRequest * http . Request
extractedSignedHeaders http . Header
2015-07-08 19:54:32 -04:00
}
2016-02-21 20:57:05 -05:00
// AWS Signature Version '4' constants.
2015-07-08 19:54:32 -04:00
const (
2016-02-15 20:42:39 -05:00
signV4Algorithm = "AWS4-HMAC-SHA256"
iso8601Format = "20060102T150405Z"
yyyymmdd = "20060102"
2015-07-08 19:54:32 -04:00
)
2016-02-15 20:42:39 -05:00
// New - initialize a new authorization checkes.
2016-02-21 20:57:05 -05:00
func New ( accessKeyID , secretAccessKey , region string ) ( * Sign , * probe . Error ) {
2016-02-15 20:42:39 -05:00
if ! isValidAccessKey . MatchString ( accessKeyID ) {
return nil , ErrInvalidAccessKeyID ( "Invalid access key id." , accessKeyID ) . Trace ( accessKeyID )
}
if ! isValidSecretKey . MatchString ( secretAccessKey ) {
return nil , ErrInvalidAccessKeyID ( "Invalid secret key." , secretAccessKey ) . Trace ( secretAccessKey )
}
if region == "" {
return nil , ErrRegionISEmpty ( "Region is empty." ) . Trace ( )
}
2016-02-21 20:57:05 -05:00
signature := & Sign {
2016-02-15 20:42:39 -05:00
accessKeyID : accessKeyID ,
secretAccessKey : secretAccessKey ,
region : region ,
}
return signature , nil
2015-07-08 19:54:32 -04:00
}
2016-02-15 20:42:39 -05:00
// SetHTTPRequestToVerify - sets the http request which needs to be verified.
2016-03-02 14:22:58 -05:00
func ( s * Sign ) SetHTTPRequestToVerify ( r * http . Request ) Sign {
2016-02-15 20:42:39 -05:00
// Do not set http request if its 'nil'.
if r == nil {
2016-03-02 14:22:58 -05:00
return * s
2015-07-08 19:54:32 -04:00
}
2016-02-15 20:42:39 -05:00
s . httpRequest = r
2016-03-02 14:22:58 -05:00
return * s
2015-07-08 19:54:32 -04:00
}
// getCanonicalHeaders generate a list of request headers with their values
2016-02-21 20:57:05 -05:00
func ( s Sign ) getCanonicalHeaders ( signedHeaders http . Header ) string {
2015-07-08 19:54:32 -04:00
var headers [ ] string
2016-02-15 20:42:39 -05:00
vals := make ( http . Header )
2015-07-10 20:21:53 -04:00
for k , vv := range signedHeaders {
2015-07-08 19:54:32 -04:00
headers = append ( headers , strings . ToLower ( k ) )
vals [ strings . ToLower ( k ) ] = vv
}
headers = append ( headers , "host" )
sort . Strings ( headers )
var buf bytes . Buffer
for _ , k := range headers {
buf . WriteString ( k )
buf . WriteByte ( ':' )
switch {
case k == "host" :
2016-02-15 20:42:39 -05:00
buf . WriteString ( s . httpRequest . Host )
2015-07-08 19:54:32 -04:00
fallthrough
default :
for idx , v := range vals [ k ] {
if idx > 0 {
buf . WriteByte ( ',' )
}
buf . WriteString ( v )
}
buf . WriteByte ( '\n' )
}
}
return buf . String ( )
}
// getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
2016-02-21 20:57:05 -05:00
func ( s Sign ) getSignedHeaders ( signedHeaders http . Header ) string {
2015-07-08 19:54:32 -04:00
var headers [ ] string
2015-07-10 20:21:53 -04:00
for k := range signedHeaders {
2015-07-08 19:54:32 -04:00
headers = append ( headers , strings . ToLower ( k ) )
}
headers = append ( headers , "host" )
sort . Strings ( headers )
return strings . Join ( headers , ";" )
}
// getCanonicalRequest generate a canonical request of style
//
// canonicalRequest =
// <HTTPMethod>\n
// <CanonicalURI>\n
// <CanonicalQueryString>\n
// <CanonicalHeaders>\n
// <SignedHeaders>\n
// <HashedPayload>
//
2016-02-21 20:57:05 -05:00
func ( s * Sign ) getCanonicalRequest ( ) string {
2016-02-15 20:42:39 -05:00
payload := s . httpRequest . Header . Get ( http . CanonicalHeaderKey ( "x-amz-content-sha256" ) )
s . httpRequest . URL . RawQuery = strings . Replace ( s . httpRequest . URL . Query ( ) . Encode ( ) , "+" , "%20" , - 1 )
encodedPath := getURLEncodedName ( s . httpRequest . URL . Path )
// Convert any space strings back to "+".
2015-07-08 19:54:32 -04:00
encodedPath = strings . Replace ( encodedPath , "+" , "%20" , - 1 )
canonicalRequest := strings . Join ( [ ] string {
2016-02-15 20:42:39 -05:00
s . httpRequest . Method ,
2015-07-08 19:54:32 -04:00
encodedPath ,
2016-02-15 20:42:39 -05:00
s . httpRequest . URL . RawQuery ,
s . getCanonicalHeaders ( s . extractedSignedHeaders ) ,
s . getSignedHeaders ( s . extractedSignedHeaders ) ,
2015-10-01 01:59:52 -04:00
payload ,
} , "\n" )
return canonicalRequest
}
// getCanonicalRequest generate a canonical request of style
//
// canonicalRequest =
// <HTTPMethod>\n
// <CanonicalURI>\n
// <CanonicalQueryString>\n
// <CanonicalHeaders>\n
// <SignedHeaders>\n
// <HashedPayload>
//
2016-02-21 20:57:05 -05:00
func ( s Sign ) getPresignedCanonicalRequest ( presignedQuery string ) string {
2015-10-01 01:59:52 -04:00
rawQuery := strings . Replace ( presignedQuery , "+" , "%20" , - 1 )
2016-02-15 20:42:39 -05:00
encodedPath := getURLEncodedName ( s . httpRequest . URL . Path )
// Convert any space strings back to "+".
2015-10-01 01:59:52 -04:00
encodedPath = strings . Replace ( encodedPath , "+" , "%20" , - 1 )
canonicalRequest := strings . Join ( [ ] string {
2016-02-15 20:42:39 -05:00
s . httpRequest . Method ,
2015-10-01 01:59:52 -04:00
encodedPath ,
rawQuery ,
2016-02-15 20:42:39 -05:00
s . getCanonicalHeaders ( s . extractedSignedHeaders ) ,
s . getSignedHeaders ( s . extractedSignedHeaders ) ,
2015-10-01 01:59:52 -04:00
"UNSIGNED-PAYLOAD" ,
2015-07-08 19:54:32 -04:00
} , "\n" )
return canonicalRequest
}
2016-02-15 20:42:39 -05:00
// getScope generate a string of a specific date, an AWS region, and a service.
2016-02-21 20:57:05 -05:00
func ( s Sign ) getScope ( t time . Time ) string {
2015-07-08 19:54:32 -04:00
scope := strings . Join ( [ ] string {
t . Format ( yyyymmdd ) ,
2016-02-15 20:42:39 -05:00
s . region ,
2015-07-08 19:54:32 -04:00
"s3" ,
"aws4_request" ,
} , "/" )
return scope
}
2016-02-15 20:42:39 -05:00
// getStringToSign a string based on selected query values.
2016-02-21 20:57:05 -05:00
func ( s Sign ) getStringToSign ( canonicalRequest string , t time . Time ) string {
2016-02-15 20:42:39 -05:00
stringToSign := signV4Algorithm + "\n" + t . Format ( iso8601Format ) + "\n"
stringToSign = stringToSign + s . getScope ( t ) + "\n"
2016-02-10 19:40:09 -05:00
canonicalRequestBytes := sha256 . Sum256 ( [ ] byte ( canonicalRequest ) )
stringToSign = stringToSign + hex . EncodeToString ( canonicalRequestBytes [ : ] )
2015-07-08 19:54:32 -04:00
return stringToSign
}
2016-02-15 20:42:39 -05:00
// getSigningKey hmac seed to calculate final signature.
2016-02-21 20:57:05 -05:00
func ( s Sign ) getSigningKey ( t time . Time ) [ ] byte {
2016-02-15 20:42:39 -05:00
secret := s . secretAccessKey
2015-07-08 19:54:32 -04:00
date := sumHMAC ( [ ] byte ( "AWS4" + secret ) , [ ] byte ( t . Format ( yyyymmdd ) ) )
2016-02-15 20:42:39 -05:00
region := sumHMAC ( date , [ ] byte ( s . region ) )
2015-07-08 19:54:32 -04:00
service := sumHMAC ( region , [ ] byte ( "s3" ) )
signingKey := sumHMAC ( service , [ ] byte ( "aws4_request" ) )
return signingKey
}
2016-02-15 20:42:39 -05:00
// getSignature final signature in hexadecimal form.
2016-02-21 20:57:05 -05:00
func ( s Sign ) getSignature ( signingKey [ ] byte , stringToSign string ) string {
2015-07-08 19:54:32 -04:00
return hex . EncodeToString ( sumHMAC ( signingKey , [ ] byte ( stringToSign ) ) )
}
2015-10-01 01:59:52 -04:00
// DoesPolicySignatureMatch - Verify query headers with post policy
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
// returns true if matches, false otherwise. if error is not nil then it is always false
2016-02-21 20:57:05 -05:00
func ( s * Sign ) DoesPolicySignatureMatch ( formValues map [ string ] string ) ( bool , * probe . Error ) {
2016-02-15 20:42:39 -05:00
// Parse credential tag.
2016-02-21 20:57:05 -05:00
credential , err := parseCredential ( "Credential=" + formValues [ "X-Amz-Credential" ] )
2015-10-02 02:51:17 -04:00
if err != nil {
2016-02-15 20:42:39 -05:00
return false , err . Trace ( formValues [ "X-Amz-Credential" ] )
}
// Verify if the access key id matches.
2016-02-21 20:57:05 -05:00
if credential . accessKeyID != s . accessKeyID {
return false , ErrInvalidAccessKeyID ( "Access key id does not match with our records." , credential . accessKeyID ) . Trace ( credential . accessKeyID )
2016-02-15 20:42:39 -05:00
}
// Verify if the region is valid.
2016-02-21 20:57:05 -05:00
reqRegion := credential . scope . region
2016-02-15 20:42:39 -05:00
if ! isValidRegion ( reqRegion , s . region ) {
return false , ErrInvalidRegion ( "Requested region is not recognized." , reqRegion ) . Trace ( reqRegion )
}
// Save region.
s . region = reqRegion
// Parse date string.
t , e := time . Parse ( iso8601Format , formValues [ "X-Amz-Date" ] )
if e != nil {
return false , probe . NewError ( e )
2015-10-02 02:51:17 -04:00
}
2016-02-15 20:42:39 -05:00
signingKey := s . getSigningKey ( t )
newSignature := s . getSignature ( signingKey , formValues [ "Policy" ] )
if newSignature != formValues [ "X-Amz-Signature" ] {
2015-10-02 02:51:17 -04:00
return false , nil
}
2015-10-01 01:59:52 -04:00
return true , nil
}
// DoesPresignedSignatureMatch - Verify query headers with presigned signature
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
// returns true if matches, false otherwise. if error is not nil then it is always false
2016-02-21 20:57:05 -05:00
func ( s * Sign ) DoesPresignedSignatureMatch ( ) ( bool , * probe . Error ) {
2016-02-15 20:42:39 -05:00
// Parse request query string.
2016-02-21 20:57:05 -05:00
preSignValues , err := parsePreSignV4 ( s . httpRequest . URL . Query ( ) )
2015-10-01 01:59:52 -04:00
if err != nil {
2016-02-15 20:42:39 -05:00
return false , err . Trace ( s . httpRequest . URL . String ( ) )
2015-10-01 01:59:52 -04:00
}
2016-02-15 20:42:39 -05:00
// Verify if the access key id matches.
2016-02-21 20:57:05 -05:00
if preSignValues . Credential . accessKeyID != s . accessKeyID {
return false , ErrInvalidAccessKeyID ( "Access key id does not match with our records." , preSignValues . Credential . accessKeyID ) . Trace ( preSignValues . Credential . accessKeyID )
2015-10-01 01:59:52 -04:00
}
2016-02-15 20:42:39 -05:00
// Verify if region is valid.
2016-02-21 20:57:05 -05:00
reqRegion := preSignValues . Credential . scope . region
2016-02-15 20:42:39 -05:00
if ! isValidRegion ( reqRegion , s . region ) {
return false , ErrInvalidRegion ( "Requested region is not recognized." , reqRegion ) . Trace ( reqRegion )
2015-10-01 01:59:52 -04:00
}
2016-02-15 20:42:39 -05:00
// Save region.
s . region = reqRegion
// Extract all the signed headers along with its values.
2016-02-21 20:57:05 -05:00
s . extractedSignedHeaders = extractSignedHeaders ( preSignValues . SignedHeaders , s . httpRequest . Header )
2016-02-15 20:42:39 -05:00
// Construct new query.
query := make ( url . Values )
query . Set ( "X-Amz-Algorithm" , signV4Algorithm )
2016-02-21 20:57:05 -05:00
if time . Now ( ) . UTC ( ) . Sub ( preSignValues . Date ) > time . Duration ( preSignValues . Expires ) {
2016-02-15 20:42:39 -05:00
return false , ErrExpiredPresignRequest ( "Presigned request already expired, please initiate a new request." )
2015-10-01 01:59:52 -04:00
}
2016-02-15 20:42:39 -05:00
// Save the date and expires.
2016-02-21 20:57:05 -05:00
t := preSignValues . Date
expireSeconds := int ( time . Duration ( preSignValues . Expires ) / time . Second )
2016-02-15 20:42:39 -05:00
2016-02-18 05:13:52 -05:00
// Construct the query.
2015-10-01 01:59:52 -04:00
query . Set ( "X-Amz-Date" , t . Format ( iso8601Format ) )
query . Set ( "X-Amz-Expires" , strconv . Itoa ( expireSeconds ) )
2016-02-15 20:42:39 -05:00
query . Set ( "X-Amz-SignedHeaders" , s . getSignedHeaders ( s . extractedSignedHeaders ) )
query . Set ( "X-Amz-Credential" , s . accessKeyID + "/" + s . getScope ( t ) )
2016-02-07 06:37:54 -05:00
// Save other headers available in the request parameters.
2016-02-15 20:42:39 -05:00
for k , v := range s . httpRequest . URL . Query ( ) {
2016-02-07 06:37:54 -05:00
if strings . HasPrefix ( strings . ToLower ( k ) , "x-amz" ) {
continue
}
query [ k ] = v
}
2016-02-18 05:13:52 -05:00
// Get the encoded query.
2015-10-01 01:59:52 -04:00
encodedQuery := query . Encode ( )
2016-01-28 14:55:00 -05:00
// Verify if date query is same.
2016-02-15 20:42:39 -05:00
if s . httpRequest . URL . Query ( ) . Get ( "X-Amz-Date" ) != query . Get ( "X-Amz-Date" ) {
2016-01-28 14:55:00 -05:00
return false , nil
}
// Verify if expires query is same.
2016-02-15 20:42:39 -05:00
if s . httpRequest . URL . Query ( ) . Get ( "X-Amz-Expires" ) != query . Get ( "X-Amz-Expires" ) {
2016-01-28 14:55:00 -05:00
return false , nil
}
// Verify if signed headers query is same.
2016-02-15 20:42:39 -05:00
if s . httpRequest . URL . Query ( ) . Get ( "X-Amz-SignedHeaders" ) != query . Get ( "X-Amz-SignedHeaders" ) {
2016-01-28 14:55:00 -05:00
return false , nil
}
// Verify if credential query is same.
2016-02-15 20:42:39 -05:00
if s . httpRequest . URL . Query ( ) . Get ( "X-Amz-Credential" ) != query . Get ( "X-Amz-Credential" ) {
2016-01-28 14:55:00 -05:00
return false , nil
}
// Verify finally if signature is same.
2016-02-15 20:42:39 -05:00
newSignature := s . getSignature ( s . getSigningKey ( t ) , s . getStringToSign ( s . getPresignedCanonicalRequest ( encodedQuery ) , t ) )
if s . httpRequest . URL . Query ( ) . Get ( "X-Amz-Signature" ) != newSignature {
2015-10-01 01:59:52 -04:00
return false , nil
}
return true , nil
}
// DoesSignatureMatch - Verify authorization header with calculated header in accordance with
// - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
// returns true if matches, false otherwise. if error is not nil then it is always false
2016-02-21 20:57:05 -05:00
func ( s * Sign ) DoesSignatureMatch ( hashedPayload string ) ( bool , * probe . Error ) {
2016-02-15 20:42:39 -05:00
// Save authorization header.
v4Auth := s . httpRequest . Header . Get ( "Authorization" )
// Parse signature version '4' header.
signV4Values , err := parseSignV4 ( v4Auth )
if err != nil {
return false , err . Trace ( v4Auth )
}
// Extract all the signed headers along with its values.
s . extractedSignedHeaders = extractSignedHeaders ( signV4Values . SignedHeaders , s . httpRequest . Header )
// Verify if the access key id matches.
2016-02-21 20:57:05 -05:00
if signV4Values . Credential . accessKeyID != s . accessKeyID {
return false , ErrInvalidAccessKeyID ( "Access key id does not match with our records." , signV4Values . Credential . accessKeyID ) . Trace ( signV4Values . Credential . accessKeyID )
2016-02-15 20:42:39 -05:00
}
2015-07-09 17:42:04 -04:00
2016-02-15 20:42:39 -05:00
// Verify if region is valid.
2016-02-21 20:57:05 -05:00
reqRegion := signV4Values . Credential . scope . region
2016-02-15 20:42:39 -05:00
if ! isValidRegion ( reqRegion , s . region ) {
return false , ErrInvalidRegion ( "Requested region is not recognized." , reqRegion ) . Trace ( reqRegion )
}
// Save region.
s . region = reqRegion
// Set input payload.
s . httpRequest . Header . Set ( "X-Amz-Content-Sha256" , hashedPayload )
// Extract date, if not present throw error.
2015-07-08 19:54:32 -04:00
var date string
2016-02-15 20:42:39 -05:00
if date = s . httpRequest . Header . Get ( http . CanonicalHeaderKey ( "x-amz-date" ) ) ; date == "" {
if date = s . httpRequest . Header . Get ( "Date" ) ; date == "" {
return false , ErrMissingDateHeader ( "Date header is missing from the request." ) . Trace ( )
2015-07-08 19:54:32 -04:00
}
}
2016-02-15 20:42:39 -05:00
// Parse date header.
t , e := time . Parse ( iso8601Format , date )
if e != nil {
return false , probe . NewError ( e )
2015-07-08 19:54:32 -04:00
}
2016-02-15 20:42:39 -05:00
// Signature version '4'.
canonicalRequest := s . getCanonicalRequest ( )
stringToSign := s . getStringToSign ( canonicalRequest , t )
signingKey := s . getSigningKey ( t )
newSignature := s . getSignature ( signingKey , stringToSign )
// Verify if signature match.
if newSignature != signV4Values . Signature {
2015-07-09 17:42:04 -04:00
return false , nil
}
return true , nil
2015-07-08 19:54:32 -04:00
}