auth_signature_v4.go 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839
  1. /*
  2. * The following code tries to reverse engineer the Amazon S3 APIs,
  3. * and is mostly copied from minio implementation.
  4. */
  5. // Licensed under the Apache License, Version 2.0 (the "License");
  6. // you may not use this file except in compliance with the License.
  7. // You may obtain a copy of the License at
  8. //
  9. // http://www.apache.org/licenses/LICENSE-2.0
  10. //
  11. // Unless required by applicable law or agreed to in writing, software
  12. // distributed under the License is distributed on an "AS IS" BASIS,
  13. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
  14. // implied. See the License for the specific language governing
  15. // permissions and limitations under the License.
  16. package s3api
  17. import (
  18. "bytes"
  19. "crypto/hmac"
  20. "crypto/sha256"
  21. "crypto/subtle"
  22. "encoding/hex"
  23. "hash"
  24. "io"
  25. "net/http"
  26. "net/url"
  27. "regexp"
  28. "sort"
  29. "strconv"
  30. "strings"
  31. "sync"
  32. "sync/atomic"
  33. "time"
  34. "unicode/utf8"
  35. "github.com/seaweedfs/seaweedfs/weed/s3api/s3err"
  36. )
  37. func (iam *IdentityAccessManagement) reqSignatureV4Verify(r *http.Request) (*Identity, s3err.ErrorCode) {
  38. sha256sum := getContentSha256Cksum(r)
  39. switch {
  40. case isRequestSignatureV4(r):
  41. return iam.doesSignatureMatch(sha256sum, r)
  42. case isRequestPresignedSignatureV4(r):
  43. return iam.doesPresignedSignatureMatch(sha256sum, r)
  44. }
  45. return nil, s3err.ErrAccessDenied
  46. }
  47. // Streaming AWS Signature Version '4' constants.
  48. const (
  49. emptySHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
  50. streamingContentSHA256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
  51. signV4ChunkedAlgorithm = "AWS4-HMAC-SHA256-PAYLOAD"
  52. // http Header "x-amz-content-sha256" == "UNSIGNED-PAYLOAD" indicates that the
  53. // client did not calculate sha256 of the payload.
  54. unsignedPayload = "UNSIGNED-PAYLOAD"
  55. )
  56. // Returns SHA256 for calculating canonical-request.
  57. func getContentSha256Cksum(r *http.Request) string {
  58. var (
  59. defaultSha256Cksum string
  60. v []string
  61. ok bool
  62. )
  63. // For a presigned request we look at the query param for sha256.
  64. if isRequestPresignedSignatureV4(r) {
  65. // X-Amz-Content-Sha256, if not set in presigned requests, checksum
  66. // will default to 'UNSIGNED-PAYLOAD'.
  67. defaultSha256Cksum = unsignedPayload
  68. v, ok = r.URL.Query()["X-Amz-Content-Sha256"]
  69. if !ok {
  70. v, ok = r.Header["X-Amz-Content-Sha256"]
  71. }
  72. } else {
  73. // X-Amz-Content-Sha256, if not set in signed requests, checksum
  74. // will default to sha256([]byte("")).
  75. defaultSha256Cksum = emptySHA256
  76. v, ok = r.Header["X-Amz-Content-Sha256"]
  77. }
  78. // We found 'X-Amz-Content-Sha256' return the captured value.
  79. if ok {
  80. return v[0]
  81. }
  82. // We couldn't find 'X-Amz-Content-Sha256'.
  83. return defaultSha256Cksum
  84. }
  85. // Verify authorization header - http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
  86. func (iam *IdentityAccessManagement) doesSignatureMatch(hashedPayload string, r *http.Request) (*Identity, s3err.ErrorCode) {
  87. // Copy request.
  88. req := *r
  89. // Save authorization header.
  90. v4Auth := req.Header.Get("Authorization")
  91. // Parse signature version '4' header.
  92. signV4Values, err := parseSignV4(v4Auth)
  93. if err != s3err.ErrNone {
  94. return nil, err
  95. }
  96. // Extract all the signed headers along with its values.
  97. extractedSignedHeaders, errCode := extractSignedHeaders(signV4Values.SignedHeaders, r)
  98. if errCode != s3err.ErrNone {
  99. return nil, errCode
  100. }
  101. // Verify if the access key id matches.
  102. identity, cred, found := iam.lookupByAccessKey(signV4Values.Credential.accessKey)
  103. if !found {
  104. return nil, s3err.ErrInvalidAccessKeyID
  105. }
  106. // Extract date, if not present throw error.
  107. var date string
  108. if date = req.Header.Get(http.CanonicalHeaderKey("X-Amz-Date")); date == "" {
  109. if date = r.Header.Get("Date"); date == "" {
  110. return nil, s3err.ErrMissingDateHeader
  111. }
  112. }
  113. // Parse date header.
  114. t, e := time.Parse(iso8601Format, date)
  115. if e != nil {
  116. return nil, s3err.ErrMalformedDate
  117. }
  118. // Query string.
  119. queryStr := req.URL.Query().Encode()
  120. // Get hashed Payload
  121. if signV4Values.Credential.scope.service != "s3" && hashedPayload == emptySHA256 && r.Body != nil {
  122. buf, _ := io.ReadAll(r.Body)
  123. r.Body = io.NopCloser(bytes.NewBuffer(buf))
  124. b, _ := io.ReadAll(bytes.NewBuffer(buf))
  125. if len(b) != 0 {
  126. bodyHash := sha256.Sum256(b)
  127. hashedPayload = hex.EncodeToString(bodyHash[:])
  128. }
  129. }
  130. // Get canonical request.
  131. canonicalRequest := getCanonicalRequest(extractedSignedHeaders, hashedPayload, queryStr, req.URL.Path, req.Method)
  132. // Get string to sign from canonical request.
  133. stringToSign := getStringToSign(canonicalRequest, t, signV4Values.Credential.getScope())
  134. // Calculate signature.
  135. newSignature := iam.getSignature(
  136. cred.SecretKey,
  137. signV4Values.Credential.scope.date,
  138. signV4Values.Credential.scope.region,
  139. signV4Values.Credential.scope.service,
  140. stringToSign,
  141. )
  142. // Verify if signature match.
  143. if !compareSignatureV4(newSignature, signV4Values.Signature) {
  144. return nil, s3err.ErrSignatureDoesNotMatch
  145. }
  146. // Return error none.
  147. return identity, s3err.ErrNone
  148. }
  149. // credentialHeader data type represents structured form of Credential
  150. // string from authorization header.
  151. type credentialHeader struct {
  152. accessKey string
  153. scope struct {
  154. date time.Time
  155. region string
  156. service string
  157. request string
  158. }
  159. }
  160. // signValues data type represents structured form of AWS Signature V4 header.
  161. type signValues struct {
  162. Credential credentialHeader
  163. SignedHeaders []string
  164. Signature string
  165. }
  166. // Return scope string.
  167. func (c credentialHeader) getScope() string {
  168. return strings.Join([]string{
  169. c.scope.date.Format(yyyymmdd),
  170. c.scope.region,
  171. c.scope.service,
  172. c.scope.request,
  173. }, "/")
  174. }
  175. // Authorization: algorithm Credential=accessKeyID/credScope, \
  176. // SignedHeaders=signedHeaders, Signature=signature
  177. func parseSignV4(v4Auth string) (sv signValues, aec s3err.ErrorCode) {
  178. // Replace all spaced strings, some clients can send spaced
  179. // parameters and some won't. So we pro-actively remove any spaces
  180. // to make parsing easier.
  181. v4Auth = strings.Replace(v4Auth, " ", "", -1)
  182. if v4Auth == "" {
  183. return sv, s3err.ErrAuthHeaderEmpty
  184. }
  185. // Verify if the header algorithm is supported or not.
  186. if !strings.HasPrefix(v4Auth, signV4Algorithm) {
  187. return sv, s3err.ErrSignatureVersionNotSupported
  188. }
  189. // Strip off the Algorithm prefix.
  190. v4Auth = strings.TrimPrefix(v4Auth, signV4Algorithm)
  191. authFields := strings.Split(strings.TrimSpace(v4Auth), ",")
  192. if len(authFields) != 3 {
  193. return sv, s3err.ErrMissingFields
  194. }
  195. // Initialize signature version '4' structured header.
  196. signV4Values := signValues{}
  197. var err s3err.ErrorCode
  198. // Save credential values.
  199. signV4Values.Credential, err = parseCredentialHeader(authFields[0])
  200. if err != s3err.ErrNone {
  201. return sv, err
  202. }
  203. // Save signed headers.
  204. signV4Values.SignedHeaders, err = parseSignedHeader(authFields[1])
  205. if err != s3err.ErrNone {
  206. return sv, err
  207. }
  208. // Save signature.
  209. signV4Values.Signature, err = parseSignature(authFields[2])
  210. if err != s3err.ErrNone {
  211. return sv, err
  212. }
  213. // Return the structure here.
  214. return signV4Values, s3err.ErrNone
  215. }
  216. // parse credentialHeader string into its structured form.
  217. func parseCredentialHeader(credElement string) (ch credentialHeader, aec s3err.ErrorCode) {
  218. creds := strings.Split(strings.TrimSpace(credElement), "=")
  219. if len(creds) != 2 {
  220. return ch, s3err.ErrMissingFields
  221. }
  222. if creds[0] != "Credential" {
  223. return ch, s3err.ErrMissingCredTag
  224. }
  225. credElements := strings.Split(strings.TrimSpace(creds[1]), "/")
  226. if len(credElements) != 5 {
  227. return ch, s3err.ErrCredMalformed
  228. }
  229. // Save access key id.
  230. cred := credentialHeader{
  231. accessKey: credElements[0],
  232. }
  233. var e error
  234. cred.scope.date, e = time.Parse(yyyymmdd, credElements[1])
  235. if e != nil {
  236. return ch, s3err.ErrMalformedCredentialDate
  237. }
  238. cred.scope.region = credElements[2]
  239. cred.scope.service = credElements[3] // "s3"
  240. cred.scope.request = credElements[4] // "aws4_request"
  241. return cred, s3err.ErrNone
  242. }
  243. // Parse slice of signed headers from signed headers tag.
  244. func parseSignedHeader(signedHdrElement string) ([]string, s3err.ErrorCode) {
  245. signedHdrFields := strings.Split(strings.TrimSpace(signedHdrElement), "=")
  246. if len(signedHdrFields) != 2 {
  247. return nil, s3err.ErrMissingFields
  248. }
  249. if signedHdrFields[0] != "SignedHeaders" {
  250. return nil, s3err.ErrMissingSignHeadersTag
  251. }
  252. if signedHdrFields[1] == "" {
  253. return nil, s3err.ErrMissingFields
  254. }
  255. signedHeaders := strings.Split(signedHdrFields[1], ";")
  256. return signedHeaders, s3err.ErrNone
  257. }
  258. // Parse signature from signature tag.
  259. func parseSignature(signElement string) (string, s3err.ErrorCode) {
  260. signFields := strings.Split(strings.TrimSpace(signElement), "=")
  261. if len(signFields) != 2 {
  262. return "", s3err.ErrMissingFields
  263. }
  264. if signFields[0] != "Signature" {
  265. return "", s3err.ErrMissingSignTag
  266. }
  267. if signFields[1] == "" {
  268. return "", s3err.ErrMissingFields
  269. }
  270. signature := signFields[1]
  271. return signature, s3err.ErrNone
  272. }
  273. // doesPolicySignatureV4Match - Verify query headers with post policy
  274. // - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html
  275. //
  276. // returns ErrNone if the signature matches.
  277. func (iam *IdentityAccessManagement) doesPolicySignatureV4Match(formValues http.Header) s3err.ErrorCode {
  278. // Parse credential tag.
  279. credHeader, err := parseCredentialHeader("Credential=" + formValues.Get("X-Amz-Credential"))
  280. if err != s3err.ErrNone {
  281. return s3err.ErrMissingFields
  282. }
  283. _, cred, found := iam.lookupByAccessKey(credHeader.accessKey)
  284. if !found {
  285. return s3err.ErrInvalidAccessKeyID
  286. }
  287. // Get signature.
  288. newSignature := iam.getSignature(
  289. cred.SecretKey,
  290. credHeader.scope.date,
  291. credHeader.scope.region,
  292. credHeader.scope.service,
  293. formValues.Get("Policy"),
  294. )
  295. // Verify signature.
  296. if !compareSignatureV4(newSignature, formValues.Get("X-Amz-Signature")) {
  297. return s3err.ErrSignatureDoesNotMatch
  298. }
  299. // Success.
  300. return s3err.ErrNone
  301. }
  302. // check query headers with presigned signature
  303. // - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
  304. func (iam *IdentityAccessManagement) doesPresignedSignatureMatch(hashedPayload string, r *http.Request) (*Identity, s3err.ErrorCode) {
  305. // Copy request
  306. req := *r
  307. // Parse request query string.
  308. pSignValues, err := parsePreSignV4(req.URL.Query())
  309. if err != s3err.ErrNone {
  310. return nil, err
  311. }
  312. // Verify if the access key id matches.
  313. identity, cred, found := iam.lookupByAccessKey(pSignValues.Credential.accessKey)
  314. if !found {
  315. return nil, s3err.ErrInvalidAccessKeyID
  316. }
  317. // Extract all the signed headers along with its values.
  318. extractedSignedHeaders, errCode := extractSignedHeaders(pSignValues.SignedHeaders, r)
  319. if errCode != s3err.ErrNone {
  320. return nil, errCode
  321. }
  322. // Construct new query.
  323. query := make(url.Values)
  324. if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
  325. query.Set("X-Amz-Content-Sha256", hashedPayload)
  326. }
  327. query.Set("X-Amz-Algorithm", signV4Algorithm)
  328. now := time.Now().UTC()
  329. // If the host which signed the request is slightly ahead in time (by less than globalMaxSkewTime) the
  330. // request should still be allowed.
  331. if pSignValues.Date.After(now.Add(15 * time.Minute)) {
  332. return nil, s3err.ErrRequestNotReadyYet
  333. }
  334. if now.Sub(pSignValues.Date) > pSignValues.Expires {
  335. return nil, s3err.ErrExpiredPresignRequest
  336. }
  337. // Save the date and expires.
  338. t := pSignValues.Date
  339. expireSeconds := int(pSignValues.Expires / time.Second)
  340. // Construct the query.
  341. query.Set("X-Amz-Date", t.Format(iso8601Format))
  342. query.Set("X-Amz-Expires", strconv.Itoa(expireSeconds))
  343. query.Set("X-Amz-SignedHeaders", getSignedHeaders(extractedSignedHeaders))
  344. query.Set("X-Amz-Credential", cred.AccessKey+"/"+getScope(t, pSignValues.Credential.scope.region))
  345. // Save other headers available in the request parameters.
  346. for k, v := range req.URL.Query() {
  347. // Handle the metadata in presigned put query string
  348. if strings.Contains(strings.ToLower(k), "x-amz-meta-") {
  349. query.Set(k, v[0])
  350. }
  351. if strings.HasPrefix(strings.ToLower(k), "x-amz") {
  352. continue
  353. }
  354. query[k] = v
  355. }
  356. // Get the encoded query.
  357. encodedQuery := query.Encode()
  358. // Verify if date query is same.
  359. if req.URL.Query().Get("X-Amz-Date") != query.Get("X-Amz-Date") {
  360. return nil, s3err.ErrSignatureDoesNotMatch
  361. }
  362. // Verify if expires query is same.
  363. if req.URL.Query().Get("X-Amz-Expires") != query.Get("X-Amz-Expires") {
  364. return nil, s3err.ErrSignatureDoesNotMatch
  365. }
  366. // Verify if signed headers query is same.
  367. if req.URL.Query().Get("X-Amz-SignedHeaders") != query.Get("X-Amz-SignedHeaders") {
  368. return nil, s3err.ErrSignatureDoesNotMatch
  369. }
  370. // Verify if credential query is same.
  371. if req.URL.Query().Get("X-Amz-Credential") != query.Get("X-Amz-Credential") {
  372. return nil, s3err.ErrSignatureDoesNotMatch
  373. }
  374. // Verify if sha256 payload query is same.
  375. if req.URL.Query().Get("X-Amz-Content-Sha256") != "" {
  376. if req.URL.Query().Get("X-Amz-Content-Sha256") != query.Get("X-Amz-Content-Sha256") {
  377. return nil, s3err.ErrContentSHA256Mismatch
  378. }
  379. }
  380. // / Verify finally if signature is same.
  381. // Get canonical request.
  382. presignedCanonicalReq := getCanonicalRequest(extractedSignedHeaders, hashedPayload, encodedQuery, req.URL.Path, req.Method)
  383. // Get string to sign from canonical request.
  384. presignedStringToSign := getStringToSign(presignedCanonicalReq, t, pSignValues.Credential.getScope())
  385. // Get new signature.
  386. newSignature := iam.getSignature(
  387. cred.SecretKey,
  388. pSignValues.Credential.scope.date,
  389. pSignValues.Credential.scope.region,
  390. pSignValues.Credential.scope.service,
  391. presignedStringToSign,
  392. )
  393. // Verify signature.
  394. if !compareSignatureV4(req.URL.Query().Get("X-Amz-Signature"), newSignature) {
  395. return nil, s3err.ErrSignatureDoesNotMatch
  396. }
  397. return identity, s3err.ErrNone
  398. }
  399. func (iam *IdentityAccessManagement) getSignature(secretKey string, t time.Time, region string, service string, stringToSign string) string {
  400. pool := iam.getSignatureHashPool(secretKey, t, region, service)
  401. h := pool.Get().(hash.Hash)
  402. defer pool.Put(h)
  403. h.Reset()
  404. h.Write([]byte(stringToSign))
  405. sig := hex.EncodeToString(h.Sum(nil))
  406. return sig
  407. }
  408. func (iam *IdentityAccessManagement) getSignatureHashPool(secretKey string, t time.Time, region string, service string) *sync.Pool {
  409. // Build a caching key for the pool.
  410. date := t.Format(yyyymmdd)
  411. hashID := "AWS4" + secretKey + "/" + date + "/" + region + "/" + service + "/" + "aws4_request"
  412. // Try to find an existing pool and return it.
  413. iam.hashMu.RLock()
  414. pool, ok := iam.hashes[hashID]
  415. iam.hashMu.RUnlock()
  416. if !ok {
  417. iam.hashMu.Lock()
  418. defer iam.hashMu.Unlock()
  419. pool, ok = iam.hashes[hashID]
  420. }
  421. if ok {
  422. atomic.StoreInt32(iam.hashCounters[hashID], 1)
  423. return pool
  424. }
  425. // Create a pool that returns HMAC hashers for the requested parameters to avoid expensive re-initializing
  426. // of new instances on every request.
  427. iam.hashes[hashID] = &sync.Pool{
  428. New: func() any {
  429. signingKey := getSigningKey(secretKey, date, region, service)
  430. return hmac.New(sha256.New, signingKey)
  431. },
  432. }
  433. iam.hashCounters[hashID] = new(int32)
  434. // Clean up unused pools automatically after one hour of inactivity
  435. ticker := time.NewTicker(time.Hour)
  436. go func() {
  437. for range ticker.C {
  438. old := atomic.SwapInt32(iam.hashCounters[hashID], 0)
  439. if old == 0 {
  440. break
  441. }
  442. }
  443. ticker.Stop()
  444. iam.hashMu.Lock()
  445. delete(iam.hashes, hashID)
  446. delete(iam.hashCounters, hashID)
  447. iam.hashMu.Unlock()
  448. }()
  449. return iam.hashes[hashID]
  450. }
  451. func contains(list []string, elem string) bool {
  452. for _, t := range list {
  453. if t == elem {
  454. return true
  455. }
  456. }
  457. return false
  458. }
  459. // preSignValues data type represents structured form of AWS Signature V4 query string.
  460. type preSignValues struct {
  461. signValues
  462. Date time.Time
  463. Expires time.Duration
  464. }
  465. // Parses signature version '4' query string of the following form.
  466. //
  467. // querystring = X-Amz-Algorithm=algorithm
  468. // querystring += &X-Amz-Credential= urlencode(accessKey + '/' + credential_scope)
  469. // querystring += &X-Amz-Date=date
  470. // querystring += &X-Amz-Expires=timeout interval
  471. // querystring += &X-Amz-SignedHeaders=signed_headers
  472. // querystring += &X-Amz-Signature=signature
  473. //
  474. // verifies if any of the necessary query params are missing in the presigned request.
  475. func doesV4PresignParamsExist(query url.Values) s3err.ErrorCode {
  476. v4PresignQueryParams := []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Signature", "X-Amz-Date", "X-Amz-SignedHeaders", "X-Amz-Expires"}
  477. for _, v4PresignQueryParam := range v4PresignQueryParams {
  478. if _, ok := query[v4PresignQueryParam]; !ok {
  479. return s3err.ErrInvalidQueryParams
  480. }
  481. }
  482. return s3err.ErrNone
  483. }
  484. // Parses all the presigned signature values into separate elements.
  485. func parsePreSignV4(query url.Values) (psv preSignValues, aec s3err.ErrorCode) {
  486. var err s3err.ErrorCode
  487. // verify whether the required query params exist.
  488. err = doesV4PresignParamsExist(query)
  489. if err != s3err.ErrNone {
  490. return psv, err
  491. }
  492. // Verify if the query algorithm is supported or not.
  493. if query.Get("X-Amz-Algorithm") != signV4Algorithm {
  494. return psv, s3err.ErrInvalidQuerySignatureAlgo
  495. }
  496. // Initialize signature version '4' structured header.
  497. preSignV4Values := preSignValues{}
  498. // Save credential.
  499. preSignV4Values.Credential, err = parseCredentialHeader("Credential=" + query.Get("X-Amz-Credential"))
  500. if err != s3err.ErrNone {
  501. return psv, err
  502. }
  503. var e error
  504. // Save date in native time.Time.
  505. preSignV4Values.Date, e = time.Parse(iso8601Format, query.Get("X-Amz-Date"))
  506. if e != nil {
  507. return psv, s3err.ErrMalformedPresignedDate
  508. }
  509. // Save expires in native time.Duration.
  510. preSignV4Values.Expires, e = time.ParseDuration(query.Get("X-Amz-Expires") + "s")
  511. if e != nil {
  512. return psv, s3err.ErrMalformedExpires
  513. }
  514. if preSignV4Values.Expires < 0 {
  515. return psv, s3err.ErrNegativeExpires
  516. }
  517. // Check if Expiry time is less than 7 days (value in seconds).
  518. if preSignV4Values.Expires.Seconds() > 604800 {
  519. return psv, s3err.ErrMaximumExpires
  520. }
  521. // Save signed headers.
  522. preSignV4Values.SignedHeaders, err = parseSignedHeader("SignedHeaders=" + query.Get("X-Amz-SignedHeaders"))
  523. if err != s3err.ErrNone {
  524. return psv, err
  525. }
  526. // Save signature.
  527. preSignV4Values.Signature, err = parseSignature("Signature=" + query.Get("X-Amz-Signature"))
  528. if err != s3err.ErrNone {
  529. return psv, err
  530. }
  531. // Return structured form of signature query string.
  532. return preSignV4Values, s3err.ErrNone
  533. }
  534. // extractSignedHeaders extract signed headers from Authorization header
  535. func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header, s3err.ErrorCode) {
  536. reqHeaders := r.Header
  537. // find whether "host" is part of list of signed headers.
  538. // if not return ErrUnsignedHeaders. "host" is mandatory.
  539. if !contains(signedHeaders, "host") {
  540. return nil, s3err.ErrUnsignedHeaders
  541. }
  542. extractedSignedHeaders := make(http.Header)
  543. for _, header := range signedHeaders {
  544. // `host` will not be found in the headers, can be found in r.Host.
  545. // but its alway necessary that the list of signed headers containing host in it.
  546. val, ok := reqHeaders[http.CanonicalHeaderKey(header)]
  547. if ok {
  548. for _, enc := range val {
  549. extractedSignedHeaders.Add(header, enc)
  550. }
  551. continue
  552. }
  553. switch header {
  554. case "expect":
  555. // Golang http server strips off 'Expect' header, if the
  556. // client sent this as part of signed headers we need to
  557. // handle otherwise we would see a signature mismatch.
  558. // `aws-cli` sets this as part of signed headers.
  559. //
  560. // According to
  561. // http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.20
  562. // Expect header is always of form:
  563. //
  564. // Expect = "Expect" ":" 1#expectation
  565. // expectation = "100-continue" | expectation-extension
  566. //
  567. // So it safe to assume that '100-continue' is what would
  568. // be sent, for the time being keep this work around.
  569. // Adding a *TODO* to remove this later when Golang server
  570. // doesn't filter out the 'Expect' header.
  571. extractedSignedHeaders.Set(header, "100-continue")
  572. case "host":
  573. // Go http server removes "host" from Request.Header
  574. if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
  575. extractedSignedHeaders.Set(header, forwardedFor)
  576. } else {
  577. extractedSignedHeaders.Set(header, r.Host)
  578. }
  579. case "transfer-encoding":
  580. for _, enc := range r.TransferEncoding {
  581. extractedSignedHeaders.Add(header, enc)
  582. }
  583. case "content-length":
  584. // Signature-V4 spec excludes Content-Length from signed headers list for signature calculation.
  585. // But some clients deviate from this rule. Hence we consider Content-Length for signature
  586. // calculation to be compatible with such clients.
  587. extractedSignedHeaders.Set(header, strconv.FormatInt(r.ContentLength, 10))
  588. default:
  589. return nil, s3err.ErrUnsignedHeaders
  590. }
  591. }
  592. return extractedSignedHeaders, s3err.ErrNone
  593. }
  594. // getSignedHeaders generate a string i.e alphabetically sorted, semicolon-separated list of lowercase request header names
  595. func getSignedHeaders(signedHeaders http.Header) string {
  596. var headers []string
  597. for k := range signedHeaders {
  598. headers = append(headers, strings.ToLower(k))
  599. }
  600. sort.Strings(headers)
  601. return strings.Join(headers, ";")
  602. }
  603. // getScope generate a string of a specific date, an AWS region, and a service.
  604. func getScope(t time.Time, region string) string {
  605. scope := strings.Join([]string{
  606. t.Format(yyyymmdd),
  607. region,
  608. "s3",
  609. "aws4_request",
  610. }, "/")
  611. return scope
  612. }
  613. // getCanonicalRequest generate a canonical request of style
  614. //
  615. // canonicalRequest =
  616. //
  617. // <HTTPMethod>\n
  618. // <CanonicalURI>\n
  619. // <CanonicalQueryString>\n
  620. // <CanonicalHeaders>\n
  621. // <SignedHeaders>\n
  622. // <HashedPayload>
  623. func getCanonicalRequest(extractedSignedHeaders http.Header, payload, queryStr, urlPath, method string) string {
  624. rawQuery := strings.Replace(queryStr, "+", "%20", -1)
  625. encodedPath := encodePath(urlPath)
  626. canonicalRequest := strings.Join([]string{
  627. method,
  628. encodedPath,
  629. rawQuery,
  630. getCanonicalHeaders(extractedSignedHeaders),
  631. getSignedHeaders(extractedSignedHeaders),
  632. payload,
  633. }, "\n")
  634. return canonicalRequest
  635. }
  636. // getStringToSign a string based on selected query values.
  637. func getStringToSign(canonicalRequest string, t time.Time, scope string) string {
  638. stringToSign := signV4Algorithm + "\n" + t.Format(iso8601Format) + "\n"
  639. stringToSign = stringToSign + scope + "\n"
  640. canonicalRequestBytes := sha256.Sum256([]byte(canonicalRequest))
  641. stringToSign = stringToSign + hex.EncodeToString(canonicalRequestBytes[:])
  642. return stringToSign
  643. }
  644. // sumHMAC calculate hmac between two input byte array.
  645. func sumHMAC(key []byte, data []byte) []byte {
  646. hash := hmac.New(sha256.New, key)
  647. hash.Write(data)
  648. return hash.Sum(nil)
  649. }
  650. // getSigningKey hmac seed to calculate final signature.
  651. func getSigningKey(secretKey string, time string, region string, service string) []byte {
  652. date := sumHMAC([]byte("AWS4"+secretKey), []byte(time))
  653. regionBytes := sumHMAC(date, []byte(region))
  654. serviceBytes := sumHMAC(regionBytes, []byte(service))
  655. signingKey := sumHMAC(serviceBytes, []byte("aws4_request"))
  656. return signingKey
  657. }
  658. // getCanonicalHeaders generate a list of request headers with their values
  659. func getCanonicalHeaders(signedHeaders http.Header) string {
  660. var headers []string
  661. vals := make(http.Header)
  662. for k, vv := range signedHeaders {
  663. headers = append(headers, strings.ToLower(k))
  664. vals[strings.ToLower(k)] = vv
  665. }
  666. sort.Strings(headers)
  667. var buf bytes.Buffer
  668. for _, k := range headers {
  669. buf.WriteString(k)
  670. buf.WriteByte(':')
  671. for idx, v := range vals[k] {
  672. if idx > 0 {
  673. buf.WriteByte(',')
  674. }
  675. buf.WriteString(signV4TrimAll(v))
  676. }
  677. buf.WriteByte('\n')
  678. }
  679. return buf.String()
  680. }
  681. // Trim leading and trailing spaces and replace sequential spaces with one space, following Trimall()
  682. // in http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
  683. func signV4TrimAll(input string) string {
  684. // Compress adjacent spaces (a space is determined by
  685. // unicode.IsSpace() internally here) to one space and return
  686. return strings.Join(strings.Fields(input), " ")
  687. }
  688. // if object matches reserved string, no need to encode them
  689. var reservedObjectNames = regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")
  690. // EncodePath encode the strings from UTF-8 byte representations to HTML hex escape sequences
  691. //
  692. // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
  693. // non english characters cannot be parsed due to the nature in which url.Encode() is written
  694. //
  695. // This function on the other hand is a direct replacement for url.Encode() technique to support
  696. // pretty much every UTF-8 character.
  697. func encodePath(pathName string) string {
  698. if reservedObjectNames.MatchString(pathName) {
  699. return pathName
  700. }
  701. var encodedPathname string
  702. for _, s := range pathName {
  703. if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
  704. encodedPathname = encodedPathname + string(s)
  705. continue
  706. }
  707. switch s {
  708. case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
  709. encodedPathname = encodedPathname + string(s)
  710. continue
  711. default:
  712. len := utf8.RuneLen(s)
  713. if len < 0 {
  714. // if utf8 cannot convert return the same string as is
  715. return pathName
  716. }
  717. u := make([]byte, len)
  718. utf8.EncodeRune(u, s)
  719. for _, r := range u {
  720. hex := hex.EncodeToString([]byte{r})
  721. encodedPathname = encodedPathname + "%" + strings.ToUpper(hex)
  722. }
  723. }
  724. }
  725. return encodedPathname
  726. }
  727. // compareSignatureV4 returns true if and only if both signatures
  728. // are equal. The signatures are expected to be HEX encoded strings
  729. // according to the AWS S3 signature V4 spec.
  730. func compareSignatureV4(sig1, sig2 string) bool {
  731. // The CTC using []byte(str) works because the hex encoding
  732. // is unique for a sequence of bytes. See also compareSignatureV2.
  733. return subtle.ConstantTimeCompare([]byte(sig1), []byte(sig2)) == 1
  734. }