| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990 |
- package s3api
- import (
- "net/http"
- "strings"
- )
- // AWS Signature Version '4' constants.
- const (
- signV4Algorithm = "AWS4-HMAC-SHA256"
- signV2Algorithm = "AWS"
- )
- // Verify if request has JWT.
- func isRequestJWT(r *http.Request) bool {
- return strings.HasPrefix(r.Header.Get("Authorization"), "Bearer")
- }
- // Verify if request has AWS Signature Version '4'.
- func isRequestSignatureV4(r *http.Request) bool {
- return strings.HasPrefix(r.Header.Get("Authorization"), signV4Algorithm)
- }
- // Verify if request has AWS Signature Version '2'.
- func isRequestSignatureV2(r *http.Request) bool {
- return (!strings.HasPrefix(r.Header.Get("Authorization"), signV4Algorithm) &&
- strings.HasPrefix(r.Header.Get("Authorization"), signV2Algorithm))
- }
- // Verify if request has AWS PreSign Version '4'.
- func isRequestPresignedSignatureV4(r *http.Request) bool {
- _, ok := r.URL.Query()["X-Amz-Credential"]
- return ok
- }
- // Verify request has AWS PreSign Version '2'.
- func isRequestPresignedSignatureV2(r *http.Request) bool {
- _, ok := r.URL.Query()["AWSAccessKeyId"]
- return ok
- }
- // Verify if request has AWS Post policy Signature Version '4'.
- func isRequestPostPolicySignatureV4(r *http.Request) bool {
- return strings.Contains(r.Header.Get("Content-Type"), "multipart/form-data") &&
- r.Method == http.MethodPost
- }
- // Verify if the request has AWS Streaming Signature Version '4'. This is only valid for 'PUT' operation.
- func isRequestSignStreamingV4(r *http.Request) bool {
- return r.Header.Get("x-amz-content-sha256") == streamingContentSHA256 &&
- r.Method == http.MethodPut
- }
- // Authorization type.
- type authType int
- // List of all supported auth types.
- const (
- authTypeUnknown authType = iota
- authTypeAnonymous
- authTypePresigned
- authTypePresignedV2
- authTypePostPolicy
- authTypeStreamingSigned
- authTypeSigned
- authTypeSignedV2
- authTypeJWT
- )
- // Get request authentication type.
- func getRequestAuthType(r *http.Request) authType {
- if isRequestSignatureV2(r) {
- return authTypeSignedV2
- } else if isRequestPresignedSignatureV2(r) {
- return authTypePresignedV2
- } else if isRequestSignStreamingV4(r) {
- return authTypeStreamingSigned
- } else if isRequestSignatureV4(r) {
- return authTypeSigned
- } else if isRequestPresignedSignatureV4(r) {
- return authTypePresigned
- } else if isRequestJWT(r) {
- return authTypeJWT
- } else if isRequestPostPolicySignatureV4(r) {
- return authTypePostPolicy
- } else if _, ok := r.Header["Authorization"]; !ok {
- return authTypeAnonymous
- }
- return authTypeUnknown
- }
|
