diff options
Diffstat (limited to 'vendor/github.com/minio/minio-go/v7/api-presigned.go')
-rw-r--r-- | vendor/github.com/minio/minio-go/v7/api-presigned.go | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/vendor/github.com/minio/minio-go/v7/api-presigned.go b/vendor/github.com/minio/minio-go/v7/api-presigned.go new file mode 100644 index 0000000..9e85f81 --- /dev/null +++ b/vendor/github.com/minio/minio-go/v7/api-presigned.go | |||
@@ -0,0 +1,228 @@ | |||
1 | /* | ||
2 | * MinIO Go Library for Amazon S3 Compatible Cloud Storage | ||
3 | * Copyright 2015-2017 MinIO, Inc. | ||
4 | * | ||
5 | * Licensed under the Apache License, Version 2.0 (the "License"); | ||
6 | * you may not use this file except in compliance with the License. | ||
7 | * You may obtain a copy of the License at | ||
8 | * | ||
9 | * http://www.apache.org/licenses/LICENSE-2.0 | ||
10 | * | ||
11 | * Unless required by applicable law or agreed to in writing, software | ||
12 | * distributed under the License is distributed on an "AS IS" BASIS, | ||
13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
14 | * See the License for the specific language governing permissions and | ||
15 | * limitations under the License. | ||
16 | */ | ||
17 | |||
18 | package minio | ||
19 | |||
20 | import ( | ||
21 | "context" | ||
22 | "errors" | ||
23 | "net/http" | ||
24 | "net/url" | ||
25 | "time" | ||
26 | |||
27 | "github.com/minio/minio-go/v7/pkg/s3utils" | ||
28 | "github.com/minio/minio-go/v7/pkg/signer" | ||
29 | ) | ||
30 | |||
31 | // presignURL - Returns a presigned URL for an input 'method'. | ||
32 | // Expires maximum is 7days - ie. 604800 and minimum is 1. | ||
33 | func (c *Client) presignURL(ctx context.Context, method, bucketName, objectName string, expires time.Duration, reqParams url.Values, extraHeaders http.Header) (u *url.URL, err error) { | ||
34 | // Input validation. | ||
35 | if method == "" { | ||
36 | return nil, errInvalidArgument("method cannot be empty.") | ||
37 | } | ||
38 | if err = s3utils.CheckValidBucketName(bucketName); err != nil { | ||
39 | return nil, err | ||
40 | } | ||
41 | if err = isValidExpiry(expires); err != nil { | ||
42 | return nil, err | ||
43 | } | ||
44 | |||
45 | // Convert expires into seconds. | ||
46 | expireSeconds := int64(expires / time.Second) | ||
47 | reqMetadata := requestMetadata{ | ||
48 | presignURL: true, | ||
49 | bucketName: bucketName, | ||
50 | objectName: objectName, | ||
51 | expires: expireSeconds, | ||
52 | queryValues: reqParams, | ||
53 | extraPresignHeader: extraHeaders, | ||
54 | } | ||
55 | |||
56 | // Instantiate a new request. | ||
57 | // Since expires is set newRequest will presign the request. | ||
58 | var req *http.Request | ||
59 | if req, err = c.newRequest(ctx, method, reqMetadata); err != nil { | ||
60 | return nil, err | ||
61 | } | ||
62 | return req.URL, nil | ||
63 | } | ||
64 | |||
65 | // PresignedGetObject - Returns a presigned URL to access an object | ||
66 | // data without credentials. URL can have a maximum expiry of | ||
67 | // upto 7days or a minimum of 1sec. Additionally you can override | ||
68 | // a set of response headers using the query parameters. | ||
69 | func (c *Client) PresignedGetObject(ctx context.Context, bucketName, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) { | ||
70 | if err = s3utils.CheckValidObjectName(objectName); err != nil { | ||
71 | return nil, err | ||
72 | } | ||
73 | return c.presignURL(ctx, http.MethodGet, bucketName, objectName, expires, reqParams, nil) | ||
74 | } | ||
75 | |||
76 | // PresignedHeadObject - Returns a presigned URL to access | ||
77 | // object metadata without credentials. URL can have a maximum expiry | ||
78 | // of upto 7days or a minimum of 1sec. Additionally you can override | ||
79 | // a set of response headers using the query parameters. | ||
80 | func (c *Client) PresignedHeadObject(ctx context.Context, bucketName, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) { | ||
81 | if err = s3utils.CheckValidObjectName(objectName); err != nil { | ||
82 | return nil, err | ||
83 | } | ||
84 | return c.presignURL(ctx, http.MethodHead, bucketName, objectName, expires, reqParams, nil) | ||
85 | } | ||
86 | |||
87 | // PresignedPutObject - Returns a presigned URL to upload an object | ||
88 | // without credentials. URL can have a maximum expiry of upto 7days | ||
89 | // or a minimum of 1sec. | ||
90 | func (c *Client) PresignedPutObject(ctx context.Context, bucketName, objectName string, expires time.Duration) (u *url.URL, err error) { | ||
91 | if err = s3utils.CheckValidObjectName(objectName); err != nil { | ||
92 | return nil, err | ||
93 | } | ||
94 | return c.presignURL(ctx, http.MethodPut, bucketName, objectName, expires, nil, nil) | ||
95 | } | ||
96 | |||
97 | // PresignHeader - similar to Presign() but allows including HTTP headers that | ||
98 | // will be used to build the signature. The request using the resulting URL will | ||
99 | // need to have the exact same headers to be added for signature validation to | ||
100 | // pass. | ||
101 | // | ||
102 | // FIXME: The extra header parameter should be included in Presign() in the next | ||
103 | // major version bump, and this function should then be deprecated. | ||
104 | func (c *Client) PresignHeader(ctx context.Context, method, bucketName, objectName string, expires time.Duration, reqParams url.Values, extraHeaders http.Header) (u *url.URL, err error) { | ||
105 | return c.presignURL(ctx, method, bucketName, objectName, expires, reqParams, extraHeaders) | ||
106 | } | ||
107 | |||
108 | // Presign - returns a presigned URL for any http method of your choice along | ||
109 | // with custom request params and extra signed headers. URL can have a maximum | ||
110 | // expiry of upto 7days or a minimum of 1sec. | ||
111 | func (c *Client) Presign(ctx context.Context, method, bucketName, objectName string, expires time.Duration, reqParams url.Values) (u *url.URL, err error) { | ||
112 | return c.presignURL(ctx, method, bucketName, objectName, expires, reqParams, nil) | ||
113 | } | ||
114 | |||
115 | // PresignedPostPolicy - Returns POST urlString, form data to upload an object. | ||
116 | func (c *Client) PresignedPostPolicy(ctx context.Context, p *PostPolicy) (u *url.URL, formData map[string]string, err error) { | ||
117 | // Validate input arguments. | ||
118 | if p.expiration.IsZero() { | ||
119 | return nil, nil, errors.New("Expiration time must be specified") | ||
120 | } | ||
121 | if _, ok := p.formData["key"]; !ok { | ||
122 | return nil, nil, errors.New("object key must be specified") | ||
123 | } | ||
124 | if _, ok := p.formData["bucket"]; !ok { | ||
125 | return nil, nil, errors.New("bucket name must be specified") | ||
126 | } | ||
127 | |||
128 | bucketName := p.formData["bucket"] | ||
129 | // Fetch the bucket location. | ||
130 | location, err := c.getBucketLocation(ctx, bucketName) | ||
131 | if err != nil { | ||
132 | return nil, nil, err | ||
133 | } | ||
134 | |||
135 | isVirtualHost := c.isVirtualHostStyleRequest(*c.endpointURL, bucketName) | ||
136 | |||
137 | u, err = c.makeTargetURL(bucketName, "", location, isVirtualHost, nil) | ||
138 | if err != nil { | ||
139 | return nil, nil, err | ||
140 | } | ||
141 | |||
142 | // Get credentials from the configured credentials provider. | ||
143 | credValues, err := c.credsProvider.Get() | ||
144 | if err != nil { | ||
145 | return nil, nil, err | ||
146 | } | ||
147 | |||
148 | var ( | ||
149 | signerType = credValues.SignerType | ||
150 | sessionToken = credValues.SessionToken | ||
151 | accessKeyID = credValues.AccessKeyID | ||
152 | secretAccessKey = credValues.SecretAccessKey | ||
153 | ) | ||
154 | |||
155 | if signerType.IsAnonymous() { | ||
156 | return nil, nil, errInvalidArgument("Presigned operations are not supported for anonymous credentials") | ||
157 | } | ||
158 | |||
159 | // Keep time. | ||
160 | t := time.Now().UTC() | ||
161 | // For signature version '2' handle here. | ||
162 | if signerType.IsV2() { | ||
163 | policyBase64 := p.base64() | ||
164 | p.formData["policy"] = policyBase64 | ||
165 | // For Google endpoint set this value to be 'GoogleAccessId'. | ||
166 | if s3utils.IsGoogleEndpoint(*c.endpointURL) { | ||
167 | p.formData["GoogleAccessId"] = accessKeyID | ||
168 | } else { | ||
169 | // For all other endpoints set this value to be 'AWSAccessKeyId'. | ||
170 | p.formData["AWSAccessKeyId"] = accessKeyID | ||
171 | } | ||
172 | // Sign the policy. | ||
173 | p.formData["signature"] = signer.PostPresignSignatureV2(policyBase64, secretAccessKey) | ||
174 | return u, p.formData, nil | ||
175 | } | ||
176 | |||
177 | // Add date policy. | ||
178 | if err = p.addNewPolicy(policyCondition{ | ||
179 | matchType: "eq", | ||
180 | condition: "$x-amz-date", | ||
181 | value: t.Format(iso8601DateFormat), | ||
182 | }); err != nil { | ||
183 | return nil, nil, err | ||
184 | } | ||
185 | |||
186 | // Add algorithm policy. | ||
187 | if err = p.addNewPolicy(policyCondition{ | ||
188 | matchType: "eq", | ||
189 | condition: "$x-amz-algorithm", | ||
190 | value: signV4Algorithm, | ||
191 | }); err != nil { | ||
192 | return nil, nil, err | ||
193 | } | ||
194 | |||
195 | // Add a credential policy. | ||
196 | credential := signer.GetCredential(accessKeyID, location, t, signer.ServiceTypeS3) | ||
197 | if err = p.addNewPolicy(policyCondition{ | ||
198 | matchType: "eq", | ||
199 | condition: "$x-amz-credential", | ||
200 | value: credential, | ||
201 | }); err != nil { | ||
202 | return nil, nil, err | ||
203 | } | ||
204 | |||
205 | if sessionToken != "" { | ||
206 | if err = p.addNewPolicy(policyCondition{ | ||
207 | matchType: "eq", | ||
208 | condition: "$x-amz-security-token", | ||
209 | value: sessionToken, | ||
210 | }); err != nil { | ||
211 | return nil, nil, err | ||
212 | } | ||
213 | } | ||
214 | |||
215 | // Get base64 encoded policy. | ||
216 | policyBase64 := p.base64() | ||
217 | |||
218 | // Fill in the form data. | ||
219 | p.formData["policy"] = policyBase64 | ||
220 | p.formData["x-amz-algorithm"] = signV4Algorithm | ||
221 | p.formData["x-amz-credential"] = credential | ||
222 | p.formData["x-amz-date"] = t.Format(iso8601DateFormat) | ||
223 | if sessionToken != "" { | ||
224 | p.formData["x-amz-security-token"] = sessionToken | ||
225 | } | ||
226 | p.formData["x-amz-signature"] = signer.PostPresignSignatureV4(policyBase64, t, secretAccessKey, location) | ||
227 | return u, p.formData, nil | ||
228 | } | ||