diff options
author | Rutger Broekhoff | 2023-12-29 21:31:53 +0100 |
---|---|---|
committer | Rutger Broekhoff | 2023-12-29 21:31:53 +0100 |
commit | 404aeae4545d2426c089a5f8d5e82dae56f5212b (patch) | |
tree | 2d84e00af272b39fc04f3795ae06bc48970e57b5 /vendor/github.com/minio/minio-go/v7/pkg/signer | |
parent | 209d8b0187ed025dec9ac149ebcced3462877bff (diff) | |
download | gitolfs3-404aeae4545d2426c089a5f8d5e82dae56f5212b.tar.gz gitolfs3-404aeae4545d2426c089a5f8d5e82dae56f5212b.zip |
Make Nix builds work
Diffstat (limited to 'vendor/github.com/minio/minio-go/v7/pkg/signer')
5 files changed, 1359 insertions, 0 deletions
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming-unsigned-trailer.go b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming-unsigned-trailer.go new file mode 100644 index 0000000..77540e2 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming-unsigned-trailer.go | |||
@@ -0,0 +1,224 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2022 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package signer | ||
19 | |||
20 | import ( | ||
21 | "bytes" | ||
22 | "fmt" | ||
23 | "io" | ||
24 | "net/http" | ||
25 | "strconv" | ||
26 | "strings" | ||
27 | "time" | ||
28 | ) | ||
29 | |||
30 | // getUnsignedChunkLength - calculates the length of chunk metadata | ||
31 | func getUnsignedChunkLength(chunkDataSize int64) int64 { | ||
32 | return int64(len(fmt.Sprintf("%x", chunkDataSize))) + | ||
33 | crlfLen + | ||
34 | chunkDataSize + | ||
35 | crlfLen | ||
36 | } | ||
37 | |||
38 | // getUSStreamLength - calculates the length of the overall stream (data + metadata) | ||
39 | func getUSStreamLength(dataLen, chunkSize int64, trailers http.Header) int64 { | ||
40 | if dataLen <= 0 { | ||
41 | return 0 | ||
42 | } | ||
43 | |||
44 | chunksCount := int64(dataLen / chunkSize) | ||
45 | remainingBytes := int64(dataLen % chunkSize) | ||
46 | streamLen := int64(0) | ||
47 | streamLen += chunksCount * getUnsignedChunkLength(chunkSize) | ||
48 | if remainingBytes > 0 { | ||
49 | streamLen += getUnsignedChunkLength(remainingBytes) | ||
50 | } | ||
51 | streamLen += getUnsignedChunkLength(0) | ||
52 | if len(trailers) > 0 { | ||
53 | for name, placeholder := range trailers { | ||
54 | if len(placeholder) > 0 { | ||
55 | streamLen += int64(len(name) + len(trailerKVSeparator) + len(placeholder[0]) + 1) | ||
56 | } | ||
57 | } | ||
58 | streamLen += crlfLen | ||
59 | } | ||
60 | |||
61 | return streamLen | ||
62 | } | ||
63 | |||
64 | // prepareStreamingRequest - prepares a request with appropriate | ||
65 | // headers before computing the seed signature. | ||
66 | func prepareUSStreamingRequest(req *http.Request, sessionToken string, dataLen int64, timestamp time.Time) { | ||
67 | req.TransferEncoding = []string{"aws-chunked"} | ||
68 | if sessionToken != "" { | ||
69 | req.Header.Set("X-Amz-Security-Token", sessionToken) | ||
70 | } | ||
71 | |||
72 | req.Header.Set("X-Amz-Date", timestamp.Format(iso8601DateFormat)) | ||
73 | // Set content length with streaming signature for each chunk included. | ||
74 | req.ContentLength = getUSStreamLength(dataLen, int64(payloadChunkSize), req.Trailer) | ||
75 | } | ||
76 | |||
77 | // StreamingUSReader implements chunked upload signature as a reader on | ||
78 | // top of req.Body's ReaderCloser chunk header;data;... repeat | ||
79 | type StreamingUSReader struct { | ||
80 | contentLen int64 // Content-Length from req header | ||
81 | baseReadCloser io.ReadCloser // underlying io.Reader | ||
82 | bytesRead int64 // bytes read from underlying io.Reader | ||
83 | buf bytes.Buffer // holds signed chunk | ||
84 | chunkBuf []byte // holds raw data read from req Body | ||
85 | chunkBufLen int // no. of bytes read so far into chunkBuf | ||
86 | done bool // done reading the underlying reader to EOF | ||
87 | chunkNum int | ||
88 | totalChunks int | ||
89 | lastChunkSize int | ||
90 | trailer http.Header | ||
91 | } | ||
92 | |||
93 | // writeChunk - signs a chunk read from s.baseReader of chunkLen size. | ||
94 | func (s *StreamingUSReader) writeChunk(chunkLen int, addCrLf bool) { | ||
95 | s.buf.WriteString(strconv.FormatInt(int64(chunkLen), 16) + "\r\n") | ||
96 | |||
97 | // Write chunk data into streaming buffer | ||
98 | s.buf.Write(s.chunkBuf[:chunkLen]) | ||
99 | |||
100 | // Write the chunk trailer. | ||
101 | if addCrLf { | ||
102 | s.buf.Write([]byte("\r\n")) | ||
103 | } | ||
104 | |||
105 | // Reset chunkBufLen for next chunk read. | ||
106 | s.chunkBufLen = 0 | ||
107 | s.chunkNum++ | ||
108 | } | ||
109 | |||
110 | // addSignedTrailer - adds a trailer with the provided headers, | ||
111 | // then signs a chunk and adds it to output. | ||
112 | func (s *StreamingUSReader) addTrailer(h http.Header) { | ||
113 | olen := len(s.chunkBuf) | ||
114 | s.chunkBuf = s.chunkBuf[:0] | ||
115 | for k, v := range h { | ||
116 | s.chunkBuf = append(s.chunkBuf, []byte(strings.ToLower(k)+trailerKVSeparator+v[0]+"\n")...) | ||
117 | } | ||
118 | |||
119 | s.buf.Write(s.chunkBuf) | ||
120 | s.buf.WriteString("\r\n\r\n") | ||
121 | |||
122 | // Reset chunkBufLen for next chunk read. | ||
123 | s.chunkBuf = s.chunkBuf[:olen] | ||
124 | s.chunkBufLen = 0 | ||
125 | s.chunkNum++ | ||
126 | } | ||
127 | |||
128 | // StreamingUnsignedV4 - provides chunked upload | ||
129 | func StreamingUnsignedV4(req *http.Request, sessionToken string, dataLen int64, reqTime time.Time) *http.Request { | ||
130 | // Set headers needed for streaming signature. | ||
131 | prepareUSStreamingRequest(req, sessionToken, dataLen, reqTime) | ||
132 | |||
133 | if req.Body == nil { | ||
134 | req.Body = io.NopCloser(bytes.NewReader([]byte(""))) | ||
135 | } | ||
136 | |||
137 | stReader := &StreamingUSReader{ | ||
138 | baseReadCloser: req.Body, | ||
139 | chunkBuf: make([]byte, payloadChunkSize), | ||
140 | contentLen: dataLen, | ||
141 | chunkNum: 1, | ||
142 | totalChunks: int((dataLen+payloadChunkSize-1)/payloadChunkSize) + 1, | ||
143 | lastChunkSize: int(dataLen % payloadChunkSize), | ||
144 | } | ||
145 | if len(req.Trailer) > 0 { | ||
146 | stReader.trailer = req.Trailer | ||
147 | // Remove... | ||
148 | req.Trailer = nil | ||
149 | } | ||
150 | |||
151 | req.Body = stReader | ||
152 | |||
153 | return req | ||
154 | } | ||
155 | |||
156 | // Read - this method performs chunk upload signature providing a | ||
157 | // io.Reader interface. | ||
158 | func (s *StreamingUSReader) Read(buf []byte) (int, error) { | ||
159 | switch { | ||
160 | // After the last chunk is read from underlying reader, we | ||
161 | // never re-fill s.buf. | ||
162 | case s.done: | ||
163 | |||
164 | // s.buf will be (re-)filled with next chunk when has lesser | ||
165 | // bytes than asked for. | ||
166 | case s.buf.Len() < len(buf): | ||
167 | s.chunkBufLen = 0 | ||
168 | for { | ||
169 | n1, err := s.baseReadCloser.Read(s.chunkBuf[s.chunkBufLen:]) | ||
170 | // Usually we validate `err` first, but in this case | ||
171 | // we are validating n > 0 for the following reasons. | ||
172 | // | ||
173 | // 1. n > 0, err is one of io.EOF, nil (near end of stream) | ||
174 | // A Reader returning a non-zero number of bytes at the end | ||
175 | // of the input stream may return either err == EOF or err == nil | ||
176 | // | ||
177 | // 2. n == 0, err is io.EOF (actual end of stream) | ||
178 | // | ||
179 | // Callers should always process the n > 0 bytes returned | ||
180 | // before considering the error err. | ||
181 | if n1 > 0 { | ||
182 | s.chunkBufLen += n1 | ||
183 | s.bytesRead += int64(n1) | ||
184 | |||
185 | if s.chunkBufLen == payloadChunkSize || | ||
186 | (s.chunkNum == s.totalChunks-1 && | ||
187 | s.chunkBufLen == s.lastChunkSize) { | ||
188 | // Sign the chunk and write it to s.buf. | ||
189 | s.writeChunk(s.chunkBufLen, true) | ||
190 | break | ||
191 | } | ||
192 | } | ||
193 | if err != nil { | ||
194 | if err == io.EOF { | ||
195 | // No more data left in baseReader - last chunk. | ||
196 | // Done reading the last chunk from baseReader. | ||
197 | s.done = true | ||
198 | |||
199 | // bytes read from baseReader different than | ||
200 | // content length provided. | ||
201 | if s.bytesRead != s.contentLen { | ||
202 | return 0, fmt.Errorf("http: ContentLength=%d with Body length %d", s.contentLen, s.bytesRead) | ||
203 | } | ||
204 | |||
205 | // Sign the chunk and write it to s.buf. | ||
206 | s.writeChunk(0, len(s.trailer) == 0) | ||
207 | if len(s.trailer) > 0 { | ||
208 | // Trailer must be set now. | ||
209 | s.addTrailer(s.trailer) | ||
210 | } | ||
211 | break | ||
212 | } | ||
213 | return 0, err | ||
214 | } | ||
215 | |||
216 | } | ||
217 | } | ||
218 | return s.buf.Read(buf) | ||
219 | } | ||
220 | |||
221 | // Close - this method makes underlying io.ReadCloser's Close method available. | ||
222 | func (s *StreamingUSReader) Close() error { | ||
223 | return s.baseReadCloser.Close() | ||
224 | } | ||
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming.go b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming.go new file mode 100644 index 0000000..1c2f1dc --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-streaming.go | |||
@@ -0,0 +1,403 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2017 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package signer | ||
19 | |||
20 | import ( | ||
21 | "bytes" | ||
22 | "encoding/hex" | ||
23 | "fmt" | ||
24 | "io" | ||
25 | "net/http" | ||
26 | "strconv" | ||
27 | "strings" | ||
28 | "time" | ||
29 | |||
30 | md5simd "github.com/minio/md5-simd" | ||
31 | ) | ||
32 | |||
33 | // Reference for constants used below - | ||
34 | // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html#example-signature-calculations-streaming | ||
35 | const ( | ||
36 | streamingSignAlgorithm = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD" | ||
37 | streamingSignTrailerAlgorithm = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER" | ||
38 | streamingPayloadHdr = "AWS4-HMAC-SHA256-PAYLOAD" | ||
39 | streamingTrailerHdr = "AWS4-HMAC-SHA256-TRAILER" | ||
40 | emptySHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" | ||
41 | payloadChunkSize = 64 * 1024 | ||
42 | chunkSigConstLen = 17 // ";chunk-signature=" | ||
43 | signatureStrLen = 64 // e.g. "f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2" | ||
44 | crlfLen = 2 // CRLF | ||
45 | trailerKVSeparator = ":" | ||
46 | trailerSignature = "x-amz-trailer-signature" | ||
47 | ) | ||
48 | |||
49 | // Request headers to be ignored while calculating seed signature for | ||
50 | // a request. | ||
51 | var ignoredStreamingHeaders = map[string]bool{ | ||
52 | "Authorization": true, | ||
53 | "User-Agent": true, | ||
54 | "Content-Type": true, | ||
55 | } | ||
56 | |||
57 | // getSignedChunkLength - calculates the length of chunk metadata | ||
58 | func getSignedChunkLength(chunkDataSize int64) int64 { | ||
59 | return int64(len(fmt.Sprintf("%x", chunkDataSize))) + | ||
60 | chunkSigConstLen + | ||
61 | signatureStrLen + | ||
62 | crlfLen + | ||
63 | chunkDataSize + | ||
64 | crlfLen | ||
65 | } | ||
66 | |||
67 | // getStreamLength - calculates the length of the overall stream (data + metadata) | ||
68 | func getStreamLength(dataLen, chunkSize int64, trailers http.Header) int64 { | ||
69 | if dataLen <= 0 { | ||
70 | return 0 | ||
71 | } | ||
72 | |||
73 | chunksCount := int64(dataLen / chunkSize) | ||
74 | remainingBytes := int64(dataLen % chunkSize) | ||
75 | streamLen := int64(0) | ||
76 | streamLen += chunksCount * getSignedChunkLength(chunkSize) | ||
77 | if remainingBytes > 0 { | ||
78 | streamLen += getSignedChunkLength(remainingBytes) | ||
79 | } | ||
80 | streamLen += getSignedChunkLength(0) | ||
81 | if len(trailers) > 0 { | ||
82 | for name, placeholder := range trailers { | ||
83 | if len(placeholder) > 0 { | ||
84 | streamLen += int64(len(name) + len(trailerKVSeparator) + len(placeholder[0]) + 1) | ||
85 | } | ||
86 | } | ||
87 | streamLen += int64(len(trailerSignature)+len(trailerKVSeparator)) + signatureStrLen + crlfLen + crlfLen | ||
88 | } | ||
89 | |||
90 | return streamLen | ||
91 | } | ||
92 | |||
93 | // buildChunkStringToSign - returns the string to sign given chunk data | ||
94 | // and previous signature. | ||
95 | func buildChunkStringToSign(t time.Time, region, previousSig, chunkChecksum string) string { | ||
96 | stringToSignParts := []string{ | ||
97 | streamingPayloadHdr, | ||
98 | t.Format(iso8601DateFormat), | ||
99 | getScope(region, t, ServiceTypeS3), | ||
100 | previousSig, | ||
101 | emptySHA256, | ||
102 | chunkChecksum, | ||
103 | } | ||
104 | |||
105 | return strings.Join(stringToSignParts, "\n") | ||
106 | } | ||
107 | |||
108 | // buildTrailerChunkStringToSign - returns the string to sign given chunk data | ||
109 | // and previous signature. | ||
110 | func buildTrailerChunkStringToSign(t time.Time, region, previousSig, chunkChecksum string) string { | ||
111 | stringToSignParts := []string{ | ||
112 | streamingTrailerHdr, | ||
113 | t.Format(iso8601DateFormat), | ||
114 | getScope(region, t, ServiceTypeS3), | ||
115 | previousSig, | ||
116 | chunkChecksum, | ||
117 | } | ||
118 | |||
119 | return strings.Join(stringToSignParts, "\n") | ||
120 | } | ||
121 | |||
122 | // prepareStreamingRequest - prepares a request with appropriate | ||
123 | // headers before computing the seed signature. | ||
124 | func prepareStreamingRequest(req *http.Request, sessionToken string, dataLen int64, timestamp time.Time) { | ||
125 | // Set x-amz-content-sha256 header. | ||
126 | if len(req.Trailer) == 0 { | ||
127 | req.Header.Set("X-Amz-Content-Sha256", streamingSignAlgorithm) | ||
128 | } else { | ||
129 | req.Header.Set("X-Amz-Content-Sha256", streamingSignTrailerAlgorithm) | ||
130 | for k := range req.Trailer { | ||
131 | req.Header.Add("X-Amz-Trailer", strings.ToLower(k)) | ||
132 | } | ||
133 | req.TransferEncoding = []string{"aws-chunked"} | ||
134 | } | ||
135 | |||
136 | if sessionToken != "" { | ||
137 | req.Header.Set("X-Amz-Security-Token", sessionToken) | ||
138 | } | ||
139 | |||
140 | req.Header.Set("X-Amz-Date", timestamp.Format(iso8601DateFormat)) | ||
141 | // Set content length with streaming signature for each chunk included. | ||
142 | req.ContentLength = getStreamLength(dataLen, int64(payloadChunkSize), req.Trailer) | ||
143 | req.Header.Set("x-amz-decoded-content-length", strconv.FormatInt(dataLen, 10)) | ||
144 | } | ||
145 | |||
146 | // buildChunkHeader - returns the chunk header. | ||
147 | // e.g string(IntHexBase(chunk-size)) + ";chunk-signature=" + signature + \r\n + chunk-data + \r\n | ||
148 | func buildChunkHeader(chunkLen int64, signature string) []byte { | ||
149 | return []byte(strconv.FormatInt(chunkLen, 16) + ";chunk-signature=" + signature + "\r\n") | ||
150 | } | ||
151 | |||
152 | // buildChunkSignature - returns chunk signature for a given chunk and previous signature. | ||
153 | func buildChunkSignature(chunkCheckSum string, reqTime time.Time, region, | ||
154 | previousSignature, secretAccessKey string, | ||
155 | ) string { | ||
156 | chunkStringToSign := buildChunkStringToSign(reqTime, region, | ||
157 | previousSignature, chunkCheckSum) | ||
158 | signingKey := getSigningKey(secretAccessKey, region, reqTime, ServiceTypeS3) | ||
159 | return getSignature(signingKey, chunkStringToSign) | ||
160 | } | ||
161 | |||
162 | // buildChunkSignature - returns chunk signature for a given chunk and previous signature. | ||
163 | func buildTrailerChunkSignature(chunkChecksum string, reqTime time.Time, region, | ||
164 | previousSignature, secretAccessKey string, | ||
165 | ) string { | ||
166 | chunkStringToSign := buildTrailerChunkStringToSign(reqTime, region, | ||
167 | previousSignature, chunkChecksum) | ||
168 | signingKey := getSigningKey(secretAccessKey, region, reqTime, ServiceTypeS3) | ||
169 | return getSignature(signingKey, chunkStringToSign) | ||
170 | } | ||
171 | |||
172 | // getSeedSignature - returns the seed signature for a given request. | ||
173 | func (s *StreamingReader) setSeedSignature(req *http.Request) { | ||
174 | // Get canonical request | ||
175 | canonicalRequest := getCanonicalRequest(*req, ignoredStreamingHeaders, getHashedPayload(*req)) | ||
176 | |||
177 | // Get string to sign from canonical request. | ||
178 | stringToSign := getStringToSignV4(s.reqTime, s.region, canonicalRequest, ServiceTypeS3) | ||
179 | |||
180 | signingKey := getSigningKey(s.secretAccessKey, s.region, s.reqTime, ServiceTypeS3) | ||
181 | |||
182 | // Calculate signature. | ||
183 | s.seedSignature = getSignature(signingKey, stringToSign) | ||
184 | } | ||
185 | |||
186 | // StreamingReader implements chunked upload signature as a reader on | ||
187 | // top of req.Body's ReaderCloser chunk header;data;... repeat | ||
188 | type StreamingReader struct { | ||
189 | accessKeyID string | ||
190 | secretAccessKey string | ||
191 | sessionToken string | ||
192 | region string | ||
193 | prevSignature string | ||
194 | seedSignature string | ||
195 | contentLen int64 // Content-Length from req header | ||
196 | baseReadCloser io.ReadCloser // underlying io.Reader | ||
197 | bytesRead int64 // bytes read from underlying io.Reader | ||
198 | buf bytes.Buffer // holds signed chunk | ||
199 | chunkBuf []byte // holds raw data read from req Body | ||
200 | chunkBufLen int // no. of bytes read so far into chunkBuf | ||
201 | done bool // done reading the underlying reader to EOF | ||
202 | reqTime time.Time | ||
203 | chunkNum int | ||
204 | totalChunks int | ||
205 | lastChunkSize int | ||
206 | trailer http.Header | ||
207 | sh256 md5simd.Hasher | ||
208 | } | ||
209 | |||
210 | // signChunk - signs a chunk read from s.baseReader of chunkLen size. | ||
211 | func (s *StreamingReader) signChunk(chunkLen int, addCrLf bool) { | ||
212 | // Compute chunk signature for next header | ||
213 | s.sh256.Reset() | ||
214 | s.sh256.Write(s.chunkBuf[:chunkLen]) | ||
215 | chunckChecksum := hex.EncodeToString(s.sh256.Sum(nil)) | ||
216 | |||
217 | signature := buildChunkSignature(chunckChecksum, s.reqTime, | ||
218 | s.region, s.prevSignature, s.secretAccessKey) | ||
219 | |||
220 | // For next chunk signature computation | ||
221 | s.prevSignature = signature | ||
222 | |||
223 | // Write chunk header into streaming buffer | ||
224 | chunkHdr := buildChunkHeader(int64(chunkLen), signature) | ||
225 | s.buf.Write(chunkHdr) | ||
226 | |||
227 | // Write chunk data into streaming buffer | ||
228 | s.buf.Write(s.chunkBuf[:chunkLen]) | ||
229 | |||
230 | // Write the chunk trailer. | ||
231 | if addCrLf { | ||
232 | s.buf.Write([]byte("\r\n")) | ||
233 | } | ||
234 | |||
235 | // Reset chunkBufLen for next chunk read. | ||
236 | s.chunkBufLen = 0 | ||
237 | s.chunkNum++ | ||
238 | } | ||
239 | |||
240 | // addSignedTrailer - adds a trailer with the provided headers, | ||
241 | // then signs a chunk and adds it to output. | ||
242 | func (s *StreamingReader) addSignedTrailer(h http.Header) { | ||
243 | olen := len(s.chunkBuf) | ||
244 | s.chunkBuf = s.chunkBuf[:0] | ||
245 | for k, v := range h { | ||
246 | s.chunkBuf = append(s.chunkBuf, []byte(strings.ToLower(k)+trailerKVSeparator+v[0]+"\n")...) | ||
247 | } | ||
248 | |||
249 | s.sh256.Reset() | ||
250 | s.sh256.Write(s.chunkBuf) | ||
251 | chunkChecksum := hex.EncodeToString(s.sh256.Sum(nil)) | ||
252 | // Compute chunk signature | ||
253 | signature := buildTrailerChunkSignature(chunkChecksum, s.reqTime, | ||
254 | s.region, s.prevSignature, s.secretAccessKey) | ||
255 | |||
256 | // For next chunk signature computation | ||
257 | s.prevSignature = signature | ||
258 | |||
259 | s.buf.Write(s.chunkBuf) | ||
260 | s.buf.WriteString("\r\n" + trailerSignature + trailerKVSeparator + signature + "\r\n\r\n") | ||
261 | |||
262 | // Reset chunkBufLen for next chunk read. | ||
263 | s.chunkBuf = s.chunkBuf[:olen] | ||
264 | s.chunkBufLen = 0 | ||
265 | s.chunkNum++ | ||
266 | } | ||
267 | |||
268 | // setStreamingAuthHeader - builds and sets authorization header value | ||
269 | // for streaming signature. | ||
270 | func (s *StreamingReader) setStreamingAuthHeader(req *http.Request) { | ||
271 | credential := GetCredential(s.accessKeyID, s.region, s.reqTime, ServiceTypeS3) | ||
272 | authParts := []string{ | ||
273 | signV4Algorithm + " Credential=" + credential, | ||
274 | "SignedHeaders=" + getSignedHeaders(*req, ignoredStreamingHeaders), | ||
275 | "Signature=" + s.seedSignature, | ||
276 | } | ||
277 | |||
278 | // Set authorization header. | ||
279 | auth := strings.Join(authParts, ",") | ||
280 | req.Header.Set("Authorization", auth) | ||
281 | } | ||
282 | |||
283 | // StreamingSignV4 - provides chunked upload signatureV4 support by | ||
284 | // implementing io.Reader. | ||
285 | func StreamingSignV4(req *http.Request, accessKeyID, secretAccessKey, sessionToken, | ||
286 | region string, dataLen int64, reqTime time.Time, sh256 md5simd.Hasher, | ||
287 | ) *http.Request { | ||
288 | // Set headers needed for streaming signature. | ||
289 | prepareStreamingRequest(req, sessionToken, dataLen, reqTime) | ||
290 | |||
291 | if req.Body == nil { | ||
292 | req.Body = io.NopCloser(bytes.NewReader([]byte(""))) | ||
293 | } | ||
294 | |||
295 | stReader := &StreamingReader{ | ||
296 | baseReadCloser: req.Body, | ||
297 | accessKeyID: accessKeyID, | ||
298 | secretAccessKey: secretAccessKey, | ||
299 | sessionToken: sessionToken, | ||
300 | region: region, | ||
301 | reqTime: reqTime, | ||
302 | chunkBuf: make([]byte, payloadChunkSize), | ||
303 | contentLen: dataLen, | ||
304 | chunkNum: 1, | ||
305 | totalChunks: int((dataLen+payloadChunkSize-1)/payloadChunkSize) + 1, | ||
306 | lastChunkSize: int(dataLen % payloadChunkSize), | ||
307 | sh256: sh256, | ||
308 | } | ||
309 | if len(req.Trailer) > 0 { | ||
310 | stReader.trailer = req.Trailer | ||
311 | // Remove... | ||
312 | req.Trailer = nil | ||
313 | } | ||
314 | |||
315 | // Add the request headers required for chunk upload signing. | ||
316 | |||
317 | // Compute the seed signature. | ||
318 | stReader.setSeedSignature(req) | ||
319 | |||
320 | // Set the authorization header with the seed signature. | ||
321 | stReader.setStreamingAuthHeader(req) | ||
322 | |||
323 | // Set seed signature as prevSignature for subsequent | ||
324 | // streaming signing process. | ||
325 | stReader.prevSignature = stReader.seedSignature | ||
326 | req.Body = stReader | ||
327 | |||
328 | return req | ||
329 | } | ||
330 | |||
331 | // Read - this method performs chunk upload signature providing a | ||
332 | // io.Reader interface. | ||
333 | func (s *StreamingReader) Read(buf []byte) (int, error) { | ||
334 | switch { | ||
335 | // After the last chunk is read from underlying reader, we | ||
336 | // never re-fill s.buf. | ||
337 | case s.done: | ||
338 | |||
339 | // s.buf will be (re-)filled with next chunk when has lesser | ||
340 | // bytes than asked for. | ||
341 | case s.buf.Len() < len(buf): | ||
342 | s.chunkBufLen = 0 | ||
343 | for { | ||
344 | n1, err := s.baseReadCloser.Read(s.chunkBuf[s.chunkBufLen:]) | ||
345 | // Usually we validate `err` first, but in this case | ||
346 | // we are validating n > 0 for the following reasons. | ||
347 | // | ||
348 | // 1. n > 0, err is one of io.EOF, nil (near end of stream) | ||
349 | // A Reader returning a non-zero number of bytes at the end | ||
350 | // of the input stream may return either err == EOF or err == nil | ||
351 | // | ||
352 | // 2. n == 0, err is io.EOF (actual end of stream) | ||
353 | // | ||
354 | // Callers should always process the n > 0 bytes returned | ||
355 | // before considering the error err. | ||
356 | if n1 > 0 { | ||
357 | s.chunkBufLen += n1 | ||
358 | s.bytesRead += int64(n1) | ||
359 | |||
360 | if s.chunkBufLen == payloadChunkSize || | ||
361 | (s.chunkNum == s.totalChunks-1 && | ||
362 | s.chunkBufLen == s.lastChunkSize) { | ||
363 | // Sign the chunk and write it to s.buf. | ||
364 | s.signChunk(s.chunkBufLen, true) | ||
365 | break | ||
366 | } | ||
367 | } | ||
368 | if err != nil { | ||
369 | if err == io.EOF { | ||
370 | // No more data left in baseReader - last chunk. | ||
371 | // Done reading the last chunk from baseReader. | ||
372 | s.done = true | ||
373 | |||
374 | // bytes read from baseReader different than | ||
375 | // content length provided. | ||
376 | if s.bytesRead != s.contentLen { | ||
377 | return 0, fmt.Errorf("http: ContentLength=%d with Body length %d", s.contentLen, s.bytesRead) | ||
378 | } | ||
379 | |||
380 | // Sign the chunk and write it to s.buf. | ||
381 | s.signChunk(0, len(s.trailer) == 0) | ||
382 | if len(s.trailer) > 0 { | ||
383 | // Trailer must be set now. | ||
384 | s.addSignedTrailer(s.trailer) | ||
385 | } | ||
386 | break | ||
387 | } | ||
388 | return 0, err | ||
389 | } | ||
390 | |||
391 | } | ||
392 | } | ||
393 | return s.buf.Read(buf) | ||
394 | } | ||
395 | |||
396 | // Close - this method makes underlying io.ReadCloser's Close method available. | ||
397 | func (s *StreamingReader) Close() error { | ||
398 | if s.sh256 != nil { | ||
399 | s.sh256.Close() | ||
400 | s.sh256 = nil | ||
401 | } | ||
402 | return s.baseReadCloser.Close() | ||
403 | } | ||
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v2.go b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v2.go new file mode 100644 index 0000000..fa4f8c9 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v2.go | |||
@@ -0,0 +1,319 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2015-2017 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package signer | ||
19 | |||
20 | import ( | ||
21 | "bytes" | ||
22 | "crypto/hmac" | ||
23 | "crypto/sha1" | ||
24 | "encoding/base64" | ||
25 | "fmt" | ||
26 | "net/http" | ||
27 | "net/url" | ||
28 | "sort" | ||
29 | "strconv" | ||
30 | "strings" | ||
31 | "time" | ||
32 | |||
33 | "github.com/minio/minio-go/v7/pkg/s3utils" | ||
34 | ) | ||
35 | |||
36 | // Signature and API related constants. | ||
37 | const ( | ||
38 | signV2Algorithm = "AWS" | ||
39 | ) | ||
40 | |||
41 | // Encode input URL path to URL encoded path. | ||
42 | func encodeURL2Path(req *http.Request, virtualHost bool) (path string) { | ||
43 | if virtualHost { | ||
44 | reqHost := getHostAddr(req) | ||
45 | dotPos := strings.Index(reqHost, ".") | ||
46 | if dotPos > -1 { | ||
47 | bucketName := reqHost[:dotPos] | ||
48 | path = "/" + bucketName | ||
49 | path += req.URL.Path | ||
50 | path = s3utils.EncodePath(path) | ||
51 | return | ||
52 | } | ||
53 | } | ||
54 | path = s3utils.EncodePath(req.URL.Path) | ||
55 | return | ||
56 | } | ||
57 | |||
58 | // PreSignV2 - presign the request in following style. | ||
59 | // https://${S3_BUCKET}.s3.amazonaws.com/${S3_OBJECT}?AWSAccessKeyId=${S3_ACCESS_KEY}&Expires=${TIMESTAMP}&Signature=${SIGNATURE}. | ||
60 | func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64, virtualHost bool) *http.Request { | ||
61 | // Presign is not needed for anonymous credentials. | ||
62 | if accessKeyID == "" || secretAccessKey == "" { | ||
63 | return &req | ||
64 | } | ||
65 | |||
66 | d := time.Now().UTC() | ||
67 | // Find epoch expires when the request will expire. | ||
68 | epochExpires := d.Unix() + expires | ||
69 | |||
70 | // Add expires header if not present. | ||
71 | if expiresStr := req.Header.Get("Expires"); expiresStr == "" { | ||
72 | req.Header.Set("Expires", strconv.FormatInt(epochExpires, 10)) | ||
73 | } | ||
74 | |||
75 | // Get presigned string to sign. | ||
76 | stringToSign := preStringToSignV2(req, virtualHost) | ||
77 | hm := hmac.New(sha1.New, []byte(secretAccessKey)) | ||
78 | hm.Write([]byte(stringToSign)) | ||
79 | |||
80 | // Calculate signature. | ||
81 | signature := base64.StdEncoding.EncodeToString(hm.Sum(nil)) | ||
82 | |||
83 | query := req.URL.Query() | ||
84 | // Handle specially for Google Cloud Storage. | ||
85 | if strings.Contains(getHostAddr(&req), ".storage.googleapis.com") { | ||
86 | query.Set("GoogleAccessId", accessKeyID) | ||
87 | } else { | ||
88 | query.Set("AWSAccessKeyId", accessKeyID) | ||
89 | } | ||
90 | |||
91 | // Fill in Expires for presigned query. | ||
92 | query.Set("Expires", strconv.FormatInt(epochExpires, 10)) | ||
93 | |||
94 | // Encode query and save. | ||
95 | req.URL.RawQuery = s3utils.QueryEncode(query) | ||
96 | |||
97 | // Save signature finally. | ||
98 | req.URL.RawQuery += "&Signature=" + s3utils.EncodePath(signature) | ||
99 | |||
100 | // Return. | ||
101 | return &req | ||
102 | } | ||
103 | |||
104 | // PostPresignSignatureV2 - presigned signature for PostPolicy | ||
105 | // request. | ||
106 | func PostPresignSignatureV2(policyBase64, secretAccessKey string) string { | ||
107 | hm := hmac.New(sha1.New, []byte(secretAccessKey)) | ||
108 | hm.Write([]byte(policyBase64)) | ||
109 | signature := base64.StdEncoding.EncodeToString(hm.Sum(nil)) | ||
110 | return signature | ||
111 | } | ||
112 | |||
113 | // Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature; | ||
114 | // Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ); | ||
115 | // | ||
116 | // StringToSign = HTTP-Verb + "\n" + | ||
117 | // Content-Md5 + "\n" + | ||
118 | // Content-Type + "\n" + | ||
119 | // Date + "\n" + | ||
120 | // CanonicalizedProtocolHeaders + | ||
121 | // CanonicalizedResource; | ||
122 | // | ||
123 | // CanonicalizedResource = [ "/" + Bucket ] + | ||
124 | // <HTTP-Request-URI, from the protocol name up to the query string> + | ||
125 | // [ subresource, if present. For example "?acl", "?location", "?logging", or "?torrent"]; | ||
126 | // | ||
127 | // CanonicalizedProtocolHeaders = <described below> | ||
128 | |||
129 | // SignV2 sign the request before Do() (AWS Signature Version 2). | ||
130 | func SignV2(req http.Request, accessKeyID, secretAccessKey string, virtualHost bool) *http.Request { | ||
131 | // Signature calculation is not needed for anonymous credentials. | ||
132 | if accessKeyID == "" || secretAccessKey == "" { | ||
133 | return &req | ||
134 | } | ||
135 | |||
136 | // Initial time. | ||
137 | d := time.Now().UTC() | ||
138 | |||
139 | // Add date if not present. | ||
140 | if date := req.Header.Get("Date"); date == "" { | ||
141 | req.Header.Set("Date", d.Format(http.TimeFormat)) | ||
142 | } | ||
143 | |||
144 | // Calculate HMAC for secretAccessKey. | ||
145 | stringToSign := stringToSignV2(req, virtualHost) | ||
146 | hm := hmac.New(sha1.New, []byte(secretAccessKey)) | ||
147 | hm.Write([]byte(stringToSign)) | ||
148 | |||
149 | // Prepare auth header. | ||
150 | authHeader := new(bytes.Buffer) | ||
151 | authHeader.WriteString(fmt.Sprintf("%s %s:", signV2Algorithm, accessKeyID)) | ||
152 | encoder := base64.NewEncoder(base64.StdEncoding, authHeader) | ||
153 | encoder.Write(hm.Sum(nil)) | ||
154 | encoder.Close() | ||
155 | |||
156 | // Set Authorization header. | ||
157 | req.Header.Set("Authorization", authHeader.String()) | ||
158 | |||
159 | return &req | ||
160 | } | ||
161 | |||
162 | // From the Amazon docs: | ||
163 | // | ||
164 | // StringToSign = HTTP-Verb + "\n" + | ||
165 | // | ||
166 | // Content-Md5 + "\n" + | ||
167 | // Content-Type + "\n" + | ||
168 | // Expires + "\n" + | ||
169 | // CanonicalizedProtocolHeaders + | ||
170 | // CanonicalizedResource; | ||
171 | func preStringToSignV2(req http.Request, virtualHost bool) string { | ||
172 | buf := new(bytes.Buffer) | ||
173 | // Write standard headers. | ||
174 | writePreSignV2Headers(buf, req) | ||
175 | // Write canonicalized protocol headers if any. | ||
176 | writeCanonicalizedHeaders(buf, req) | ||
177 | // Write canonicalized Query resources if any. | ||
178 | writeCanonicalizedResource(buf, req, virtualHost) | ||
179 | return buf.String() | ||
180 | } | ||
181 | |||
182 | // writePreSignV2Headers - write preSign v2 required headers. | ||
183 | func writePreSignV2Headers(buf *bytes.Buffer, req http.Request) { | ||
184 | buf.WriteString(req.Method + "\n") | ||
185 | buf.WriteString(req.Header.Get("Content-Md5") + "\n") | ||
186 | buf.WriteString(req.Header.Get("Content-Type") + "\n") | ||
187 | buf.WriteString(req.Header.Get("Expires") + "\n") | ||
188 | } | ||
189 | |||
190 | // From the Amazon docs: | ||
191 | // | ||
192 | // StringToSign = HTTP-Verb + "\n" + | ||
193 | // | ||
194 | // Content-Md5 + "\n" + | ||
195 | // Content-Type + "\n" + | ||
196 | // Date + "\n" + | ||
197 | // CanonicalizedProtocolHeaders + | ||
198 | // CanonicalizedResource; | ||
199 | func stringToSignV2(req http.Request, virtualHost bool) string { | ||
200 | buf := new(bytes.Buffer) | ||
201 | // Write standard headers. | ||
202 | writeSignV2Headers(buf, req) | ||
203 | // Write canonicalized protocol headers if any. | ||
204 | writeCanonicalizedHeaders(buf, req) | ||
205 | // Write canonicalized Query resources if any. | ||
206 | writeCanonicalizedResource(buf, req, virtualHost) | ||
207 | return buf.String() | ||
208 | } | ||
209 | |||
210 | // writeSignV2Headers - write signV2 required headers. | ||
211 | func writeSignV2Headers(buf *bytes.Buffer, req http.Request) { | ||
212 | buf.WriteString(req.Method + "\n") | ||
213 | buf.WriteString(req.Header.Get("Content-Md5") + "\n") | ||
214 | buf.WriteString(req.Header.Get("Content-Type") + "\n") | ||
215 | buf.WriteString(req.Header.Get("Date") + "\n") | ||
216 | } | ||
217 | |||
218 | // writeCanonicalizedHeaders - write canonicalized headers. | ||
219 | func writeCanonicalizedHeaders(buf *bytes.Buffer, req http.Request) { | ||
220 | var protoHeaders []string | ||
221 | vals := make(map[string][]string) | ||
222 | for k, vv := range req.Header { | ||
223 | // All the AMZ headers should be lowercase | ||
224 | lk := strings.ToLower(k) | ||
225 | if strings.HasPrefix(lk, "x-amz") { | ||
226 | protoHeaders = append(protoHeaders, lk) | ||
227 | vals[lk] = vv | ||
228 | } | ||
229 | } | ||
230 | sort.Strings(protoHeaders) | ||
231 | for _, k := range protoHeaders { | ||
232 | buf.WriteString(k) | ||
233 | buf.WriteByte(':') | ||
234 | for idx, v := range vals[k] { | ||
235 | if idx > 0 { | ||
236 | buf.WriteByte(',') | ||
237 | } | ||
238 | buf.WriteString(v) | ||
239 | } | ||
240 | buf.WriteByte('\n') | ||
241 | } | ||
242 | } | ||
243 | |||
244 | // AWS S3 Signature V2 calculation rule is give here: | ||
245 | // http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationStringToSign | ||
246 | |||
247 | // Whitelist resource list that will be used in query string for signature-V2 calculation. | ||
248 | // | ||
249 | // This list should be kept alphabetically sorted, do not hastily edit. | ||
250 | var resourceList = []string{ | ||
251 | "acl", | ||
252 | "cors", | ||
253 | "delete", | ||
254 | "encryption", | ||
255 | "legal-hold", | ||
256 | "lifecycle", | ||
257 | "location", | ||
258 | "logging", | ||
259 | "notification", | ||
260 | "partNumber", | ||
261 | "policy", | ||
262 | "replication", | ||
263 | "requestPayment", | ||
264 | "response-cache-control", | ||
265 | "response-content-disposition", | ||
266 | "response-content-encoding", | ||
267 | "response-content-language", | ||
268 | "response-content-type", | ||
269 | "response-expires", | ||
270 | "retention", | ||
271 | "select", | ||
272 | "select-type", | ||
273 | "tagging", | ||
274 | "torrent", | ||
275 | "uploadId", | ||
276 | "uploads", | ||
277 | "versionId", | ||
278 | "versioning", | ||
279 | "versions", | ||
280 | "website", | ||
281 | } | ||
282 | |||
283 | // From the Amazon docs: | ||
284 | // | ||
285 | // CanonicalizedResource = [ "/" + Bucket ] + | ||
286 | // | ||
287 | // <HTTP-Request-URI, from the protocol name up to the query string> + | ||
288 | // [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"]; | ||
289 | func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request, virtualHost bool) { | ||
290 | // Save request URL. | ||
291 | requestURL := req.URL | ||
292 | // Get encoded URL path. | ||
293 | buf.WriteString(encodeURL2Path(&req, virtualHost)) | ||
294 | if requestURL.RawQuery != "" { | ||
295 | var n int | ||
296 | vals, _ := url.ParseQuery(requestURL.RawQuery) | ||
297 | // Verify if any sub resource queries are present, if yes | ||
298 | // canonicallize them. | ||
299 | for _, resource := range resourceList { | ||
300 | if vv, ok := vals[resource]; ok && len(vv) > 0 { | ||
301 | n++ | ||
302 | // First element | ||
303 | switch n { | ||
304 | case 1: | ||
305 | buf.WriteByte('?') | ||
306 | // The rest | ||
307 | default: | ||
308 | buf.WriteByte('&') | ||
309 | } | ||
310 | buf.WriteString(resource) | ||
311 | // Request parameters | ||
312 | if len(vv[0]) > 0 { | ||
313 | buf.WriteByte('=') | ||
314 | buf.WriteString(vv[0]) | ||
315 | } | ||
316 | } | ||
317 | } | ||
318 | } | ||
319 | } | ||
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v4.go b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v4.go new file mode 100644 index 0000000..ffd2514 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/request-signature-v4.go | |||
@@ -0,0 +1,351 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2015-2017 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package signer | ||
19 | |||
20 | import ( | ||
21 | "bytes" | ||
22 | "encoding/hex" | ||
23 | "net/http" | ||
24 | "sort" | ||
25 | "strconv" | ||
26 | "strings" | ||
27 | "time" | ||
28 | |||
29 | "github.com/minio/minio-go/v7/pkg/s3utils" | ||
30 | ) | ||
31 | |||
32 | // Signature and API related constants. | ||
33 | const ( | ||
34 | signV4Algorithm = "AWS4-HMAC-SHA256" | ||
35 | iso8601DateFormat = "20060102T150405Z" | ||
36 | yyyymmdd = "20060102" | ||
37 | ) | ||
38 | |||
39 | // Different service types | ||
40 | const ( | ||
41 | ServiceTypeS3 = "s3" | ||
42 | ServiceTypeSTS = "sts" | ||
43 | ) | ||
44 | |||
45 | // Excerpts from @lsegal - | ||
46 | // https:/github.com/aws/aws-sdk-js/issues/659#issuecomment-120477258. | ||
47 | // | ||
48 | // * User-Agent | ||
49 | // This is ignored from signing because signing this causes problems with generating pre-signed | ||
50 | // URLs (that are executed by other agents) or when customers pass requests through proxies, which | ||
51 | // may modify the user-agent. | ||
52 | // | ||
53 | // * Authorization | ||
54 | // Is skipped for obvious reasons. | ||
55 | // | ||
56 | // * Accept-Encoding | ||
57 | // Some S3 servers like Hitachi Content Platform do not honor this header for signature | ||
58 | // calculation. | ||
59 | var v4IgnoredHeaders = map[string]bool{ | ||
60 | "Accept-Encoding": true, | ||
61 | "Authorization": true, | ||
62 | "User-Agent": true, | ||
63 | } | ||
64 | |||
65 | // getSigningKey hmac seed to calculate final signature. | ||
66 | func getSigningKey(secret, loc string, t time.Time, serviceType string) []byte { | ||
67 | date := sumHMAC([]byte("AWS4"+secret), []byte(t.Format(yyyymmdd))) | ||
68 | location := sumHMAC(date, []byte(loc)) | ||
69 | service := sumHMAC(location, []byte(serviceType)) | ||
70 | signingKey := sumHMAC(service, []byte("aws4_request")) | ||
71 | return signingKey | ||
72 | } | ||
73 | |||
74 | // getSignature final signature in hexadecimal form. | ||
75 | func getSignature(signingKey []byte, stringToSign string) string { | ||
76 | return hex.EncodeToString(sumHMAC(signingKey, []byte(stringToSign))) | ||
77 | } | ||
78 | |||
79 | // getScope generate a string of a specific date, an AWS region, and a | ||
80 | // service. | ||
81 | func getScope(location string, t time.Time, serviceType string) string { | ||
82 | scope := strings.Join([]string{ | ||
83 | t.Format(yyyymmdd), | ||
84 | location, | ||
85 | serviceType, | ||
86 | "aws4_request", | ||
87 | }, "/") | ||
88 | return scope | ||
89 | } | ||
90 | |||
91 | // GetCredential generate a credential string. | ||
92 | func GetCredential(accessKeyID, location string, t time.Time, serviceType string) string { | ||
93 | scope := getScope(location, t, serviceType) | ||
94 | return accessKeyID + "/" + scope | ||
95 | } | ||
96 | |||
97 | // getHashedPayload get the hexadecimal value of the SHA256 hash of | ||
98 | // the request payload. | ||
99 | func getHashedPayload(req http.Request) string { | ||
100 | hashedPayload := req.Header.Get("X-Amz-Content-Sha256") | ||
101 | if hashedPayload == "" { | ||
102 | // Presign does not have a payload, use S3 recommended value. | ||
103 | hashedPayload = unsignedPayload | ||
104 | } | ||
105 | return hashedPayload | ||
106 | } | ||
107 | |||
108 | // getCanonicalHeaders generate a list of request headers for | ||
109 | // signature. | ||
110 | func getCanonicalHeaders(req http.Request, ignoredHeaders map[string]bool) string { | ||
111 | var headers []string | ||
112 | vals := make(map[string][]string) | ||
113 | for k, vv := range req.Header { | ||
114 | if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok { | ||
115 | continue // ignored header | ||
116 | } | ||
117 | headers = append(headers, strings.ToLower(k)) | ||
118 | vals[strings.ToLower(k)] = vv | ||
119 | } | ||
120 | if !headerExists("host", headers) { | ||
121 | headers = append(headers, "host") | ||
122 | } | ||
123 | sort.Strings(headers) | ||
124 | |||
125 | var buf bytes.Buffer | ||
126 | // Save all the headers in canonical form <header>:<value> newline | ||
127 | // separated for each header. | ||
128 | for _, k := range headers { | ||
129 | buf.WriteString(k) | ||
130 | buf.WriteByte(':') | ||
131 | switch { | ||
132 | case k == "host": | ||
133 | buf.WriteString(getHostAddr(&req)) | ||
134 | buf.WriteByte('\n') | ||
135 | default: | ||
136 | for idx, v := range vals[k] { | ||
137 | if idx > 0 { | ||
138 | buf.WriteByte(',') | ||
139 | } | ||
140 | buf.WriteString(signV4TrimAll(v)) | ||
141 | } | ||
142 | buf.WriteByte('\n') | ||
143 | } | ||
144 | } | ||
145 | return buf.String() | ||
146 | } | ||
147 | |||
148 | func headerExists(key string, headers []string) bool { | ||
149 | for _, k := range headers { | ||
150 | if k == key { | ||
151 | return true | ||
152 | } | ||
153 | } | ||
154 | return false | ||
155 | } | ||
156 | |||
157 | // getSignedHeaders generate all signed request headers. | ||
158 | // i.e lexically sorted, semicolon-separated list of lowercase | ||
159 | // request header names. | ||
160 | func getSignedHeaders(req http.Request, ignoredHeaders map[string]bool) string { | ||
161 | var headers []string | ||
162 | for k := range req.Header { | ||
163 | if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok { | ||
164 | continue // Ignored header found continue. | ||
165 | } | ||
166 | headers = append(headers, strings.ToLower(k)) | ||
167 | } | ||
168 | if !headerExists("host", headers) { | ||
169 | headers = append(headers, "host") | ||
170 | } | ||
171 | sort.Strings(headers) | ||
172 | return strings.Join(headers, ";") | ||
173 | } | ||
174 | |||
175 | // getCanonicalRequest generate a canonical request of style. | ||
176 | // | ||
177 | // canonicalRequest = | ||
178 | // | ||
179 | // <HTTPMethod>\n | ||
180 | // <CanonicalURI>\n | ||
181 | // <CanonicalQueryString>\n | ||
182 | // <CanonicalHeaders>\n | ||
183 | // <SignedHeaders>\n | ||
184 | // <HashedPayload> | ||
185 | func getCanonicalRequest(req http.Request, ignoredHeaders map[string]bool, hashedPayload string) string { | ||
186 | req.URL.RawQuery = strings.ReplaceAll(req.URL.Query().Encode(), "+", "%20") | ||
187 | canonicalRequest := strings.Join([]string{ | ||
188 | req.Method, | ||
189 | s3utils.EncodePath(req.URL.Path), | ||
190 | req.URL.RawQuery, | ||
191 | getCanonicalHeaders(req, ignoredHeaders), | ||
192 | getSignedHeaders(req, ignoredHeaders), | ||
193 | hashedPayload, | ||
194 | }, "\n") | ||
195 | return canonicalRequest | ||
196 | } | ||
197 | |||
198 | // getStringToSign a string based on selected query values. | ||
199 | func getStringToSignV4(t time.Time, location, canonicalRequest, serviceType string) string { | ||
200 | stringToSign := signV4Algorithm + "\n" + t.Format(iso8601DateFormat) + "\n" | ||
201 | stringToSign = stringToSign + getScope(location, t, serviceType) + "\n" | ||
202 | stringToSign += hex.EncodeToString(sum256([]byte(canonicalRequest))) | ||
203 | return stringToSign | ||
204 | } | ||
205 | |||
206 | // PreSignV4 presign the request, in accordance with | ||
207 | // http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html. | ||
208 | func PreSignV4(req http.Request, accessKeyID, secretAccessKey, sessionToken, location string, expires int64) *http.Request { | ||
209 | // Presign is not needed for anonymous credentials. | ||
210 | if accessKeyID == "" || secretAccessKey == "" { | ||
211 | return &req | ||
212 | } | ||
213 | |||
214 | // Initial time. | ||
215 | t := time.Now().UTC() | ||
216 | |||
217 | // Get credential string. | ||
218 | credential := GetCredential(accessKeyID, location, t, ServiceTypeS3) | ||
219 | |||
220 | // Get all signed headers. | ||
221 | signedHeaders := getSignedHeaders(req, v4IgnoredHeaders) | ||
222 | |||
223 | // Set URL query. | ||
224 | query := req.URL.Query() | ||
225 | query.Set("X-Amz-Algorithm", signV4Algorithm) | ||
226 | query.Set("X-Amz-Date", t.Format(iso8601DateFormat)) | ||
227 | query.Set("X-Amz-Expires", strconv.FormatInt(expires, 10)) | ||
228 | query.Set("X-Amz-SignedHeaders", signedHeaders) | ||
229 | query.Set("X-Amz-Credential", credential) | ||
230 | // Set session token if available. | ||
231 | if sessionToken != "" { | ||
232 | query.Set("X-Amz-Security-Token", sessionToken) | ||
233 | } | ||
234 | req.URL.RawQuery = query.Encode() | ||
235 | |||
236 | // Get canonical request. | ||
237 | canonicalRequest := getCanonicalRequest(req, v4IgnoredHeaders, getHashedPayload(req)) | ||
238 | |||
239 | // Get string to sign from canonical request. | ||
240 | stringToSign := getStringToSignV4(t, location, canonicalRequest, ServiceTypeS3) | ||
241 | |||
242 | // Gext hmac signing key. | ||
243 | signingKey := getSigningKey(secretAccessKey, location, t, ServiceTypeS3) | ||
244 | |||
245 | // Calculate signature. | ||
246 | signature := getSignature(signingKey, stringToSign) | ||
247 | |||
248 | // Add signature header to RawQuery. | ||
249 | req.URL.RawQuery += "&X-Amz-Signature=" + signature | ||
250 | |||
251 | return &req | ||
252 | } | ||
253 | |||
254 | // PostPresignSignatureV4 - presigned signature for PostPolicy | ||
255 | // requests. | ||
256 | func PostPresignSignatureV4(policyBase64 string, t time.Time, secretAccessKey, location string) string { | ||
257 | // Get signining key. | ||
258 | signingkey := getSigningKey(secretAccessKey, location, t, ServiceTypeS3) | ||
259 | // Calculate signature. | ||
260 | signature := getSignature(signingkey, policyBase64) | ||
261 | return signature | ||
262 | } | ||
263 | |||
264 | // SignV4STS - signature v4 for STS request. | ||
265 | func SignV4STS(req http.Request, accessKeyID, secretAccessKey, location string) *http.Request { | ||
266 | return signV4(req, accessKeyID, secretAccessKey, "", location, ServiceTypeSTS, nil) | ||
267 | } | ||
268 | |||
269 | // Internal function called for different service types. | ||
270 | func signV4(req http.Request, accessKeyID, secretAccessKey, sessionToken, location, serviceType string, trailer http.Header) *http.Request { | ||
271 | // Signature calculation is not needed for anonymous credentials. | ||
272 | if accessKeyID == "" || secretAccessKey == "" { | ||
273 | return &req | ||
274 | } | ||
275 | |||
276 | // Initial time. | ||
277 | t := time.Now().UTC() | ||
278 | |||
279 | // Set x-amz-date. | ||
280 | req.Header.Set("X-Amz-Date", t.Format(iso8601DateFormat)) | ||
281 | |||
282 | // Set session token if available. | ||
283 | if sessionToken != "" { | ||
284 | req.Header.Set("X-Amz-Security-Token", sessionToken) | ||
285 | } | ||
286 | |||
287 | if len(trailer) > 0 { | ||
288 | for k := range trailer { | ||
289 | req.Header.Add("X-Amz-Trailer", strings.ToLower(k)) | ||
290 | } | ||
291 | |||
292 | req.Header.Set("Content-Encoding", "aws-chunked") | ||
293 | req.Header.Set("x-amz-decoded-content-length", strconv.FormatInt(req.ContentLength, 10)) | ||
294 | } | ||
295 | |||
296 | hashedPayload := getHashedPayload(req) | ||
297 | if serviceType == ServiceTypeSTS { | ||
298 | // Content sha256 header is not sent with the request | ||
299 | // but it is expected to have sha256 of payload for signature | ||
300 | // in STS service type request. | ||
301 | req.Header.Del("X-Amz-Content-Sha256") | ||
302 | } | ||
303 | |||
304 | // Get canonical request. | ||
305 | canonicalRequest := getCanonicalRequest(req, v4IgnoredHeaders, hashedPayload) | ||
306 | |||
307 | // Get string to sign from canonical request. | ||
308 | stringToSign := getStringToSignV4(t, location, canonicalRequest, serviceType) | ||
309 | |||
310 | // Get hmac signing key. | ||
311 | signingKey := getSigningKey(secretAccessKey, location, t, serviceType) | ||
312 | |||
313 | // Get credential string. | ||
314 | credential := GetCredential(accessKeyID, location, t, serviceType) | ||
315 | |||
316 | // Get all signed headers. | ||
317 | signedHeaders := getSignedHeaders(req, v4IgnoredHeaders) | ||
318 | |||
319 | // Calculate signature. | ||
320 | signature := getSignature(signingKey, stringToSign) | ||
321 | |||
322 | // If regular request, construct the final authorization header. | ||
323 | parts := []string{ | ||
324 | signV4Algorithm + " Credential=" + credential, | ||
325 | "SignedHeaders=" + signedHeaders, | ||
326 | "Signature=" + signature, | ||
327 | } | ||
328 | |||
329 | // Set authorization header. | ||
330 | auth := strings.Join(parts, ", ") | ||
331 | req.Header.Set("Authorization", auth) | ||
332 | |||
333 | if len(trailer) > 0 { | ||
334 | // Use custom chunked encoding. | ||
335 | req.Trailer = trailer | ||
336 | return StreamingUnsignedV4(&req, sessionToken, req.ContentLength, time.Now().UTC()) | ||
337 | } | ||
338 | return &req | ||
339 | } | ||
340 | |||
341 | // SignV4 sign the request before Do(), in accordance with | ||
342 | // http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. | ||
343 | func SignV4(req http.Request, accessKeyID, secretAccessKey, sessionToken, location string) *http.Request { | ||
344 | return signV4(req, accessKeyID, secretAccessKey, sessionToken, location, ServiceTypeS3, nil) | ||
345 | } | ||
346 | |||
347 | // SignV4Trailer sign the request before Do(), in accordance with | ||
348 | // http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html | ||
349 | func SignV4Trailer(req http.Request, accessKeyID, secretAccessKey, sessionToken, location string, trailer http.Header) *http.Request { | ||
350 | return signV4(req, accessKeyID, secretAccessKey, sessionToken, location, ServiceTypeS3, trailer) | ||
351 | } | ||
diff --git a/vendor/github.com/minio/minio-go/v7/pkg/signer/utils.go b/vendor/github.com/minio/minio-go/v7/pkg/signer/utils.go new file mode 100644 index 0000000..87c9939 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/pkg/signer/utils.go | |||
@@ -0,0 +1,62 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2015-2017 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package signer | ||
19 | |||
20 | import ( | ||
21 | "crypto/hmac" | ||
22 | "crypto/sha256" | ||
23 | "net/http" | ||
24 | "strings" | ||
25 | ) | ||
26 | |||
27 | // unsignedPayload - value to be set to X-Amz-Content-Sha256 header when | ||
28 | const unsignedPayload = "UNSIGNED-PAYLOAD" | ||
29 | |||
30 | // sum256 calculate sha256 sum for an input byte array. | ||
31 | func sum256(data []byte) []byte { | ||
32 | hash := sha256.New() | ||
33 | hash.Write(data) | ||
34 | return hash.Sum(nil) | ||
35 | } | ||
36 | |||
37 | // sumHMAC calculate hmac between two input byte array. | ||
38 | func sumHMAC(key, data []byte) []byte { | ||
39 | hash := hmac.New(sha256.New, key) | ||
40 | hash.Write(data) | ||
41 | return hash.Sum(nil) | ||
42 | } | ||
43 | |||
44 | // getHostAddr returns host header if available, otherwise returns host from URL | ||
45 | func getHostAddr(req *http.Request) string { | ||
46 | host := req.Header.Get("host") | ||
47 | if host != "" && req.Host != host { | ||
48 | return host | ||
49 | } | ||
50 | if req.Host != "" { | ||
51 | return req.Host | ||
52 | } | ||
53 | return req.URL.Host | ||
54 | } | ||
55 | |||
56 | // Trim leading and trailing spaces and replace sequential spaces with one space, following Trimall() | ||
57 | // in http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html | ||
58 | func signV4TrimAll(input string) string { | ||
59 | // Compress adjacent spaces (a space is determined by | ||
60 | // unicode.IsSpace() internally here) to one space and return | ||
61 | return strings.Join(strings.Fields(input), " ") | ||
62 | } | ||