diff --git a/google/internal/externalaccount/aws.go b/google/internal/externalaccount/aws.go index a061345..fd3d682 100644 --- a/google/internal/externalaccount/aws.go +++ b/google/internal/externalaccount/aws.go @@ -20,19 +20,11 @@ import ( ) // RequestSigner is a utility class to sign http requests using a AWS V4 signature. -type RequestSigner struct { +type awsRequestSigner struct { RegionName string AwsSecurityCredentials map[string]string } -// NewRequestSigner is a method to create a RequestSigner with the appropriately filled out fields. -func NewRequestSigner(regionName string, awsSecurityCredentials map[string]string) *RequestSigner { - return &RequestSigner{ - RegionName: regionName, - AwsSecurityCredentials: awsSecurityCredentials, - } -} - const ( // AWS Signature Version 4 signing algorithm identifier. awsAlgorithm = "AWS4-HMAC-SHA256" @@ -164,19 +156,12 @@ func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeader return "", err } - return strings.Join([]string{ - req.Method, - canonicalPath(req), - canonicalQuery(req), - canonicalHeaderData, - canonicalHeaderColumns, - dataHash, - }, "\n"), nil + return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil } // SignRequest adds the appropriate headers to an http.Request // or returns an error if something prevented this. -func (rs *RequestSigner) SignRequest(req *http.Request) error { +func (rs *awsRequestSigner) SignRequest(req *http.Request) error { signedRequest := cloneRequest(req) timestamp := now() 
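Review bot: The doc comment kept as context at the top of the first hunk still reads `// RequestSigner is a utility class to sign http requests using a AWS V4 signature.`, but the type it describes is now `awsRequestSigner`, so the comment no longer attaches to any identifier and a reader grepping for the name finds nothing. Change it to `// awsRequestSigner is a utility class to sign http requests using an AWS V4 signature.` With `NewRequestSigner` removed the struct is now built as a literal, so a short field comment on `AwsSecurityCredentials` saying it holds the `access_key_id` and `secret_access_key` entries read by `generateAuthentication` (see the later hunk in this file) would replace the documentation the deleted constructor used to carry.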
@@ -200,14 +185,14 @@ func (rs *RequestSigner) SignRequest(req *http.Request) error { return nil } -func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) { +func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) { secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"] if !ok { - return "", errors.New("Missing Secret Access Key") + return "", errors.New("oauth2/google: missing secret_access_key header") } accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"] if !ok { - return "", errors.New("Missing Access Key Id") + return "", errors.New("oauth2/google: missing access_key_id header") } canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req) @@ -229,12 +214,7 @@ func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp tim return "", err } - stringToSign := strings.Join([]string{ - awsAlgorithm, - timestamp.Format(awsTimeFormatLong), - credentialScope, - requestHash, - }, "\n") + stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash) signingKey := []byte("AWS4" + secretAccessKey) for _, signingInput := range []string{ diff --git a/google/internal/externalaccount/aws_test.go b/google/internal/externalaccount/aws_test.go index d5e06a1..206c3a1 100644 --- a/google/internal/externalaccount/aws_test.go +++ b/google/internal/externalaccount/aws_test.go 
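Review bot: The reworded errors in generateAuthentication say "missing secret_access_key header" and "missing access_key_id header", but both lookups are on the `rs.AwsSecurityCredentials` map, not on request headers, so the message points an operator at the wrong place. The `ok` check also only catches an absent key: an empty `secret_access_key` value passes and the signing key degenerates to `[]byte("AWS4")` (the `signingKey :=` line in the following hunk), yielding a signature that is rejected upstream with a far less actionable error. Suggest `if !ok || secretAccessKey == "" { return "", errors.New("oauth2/google: missing secret_access_key in AWS security credentials") }` and the equivalent check for `access_key_id`. The function body continues outside this hunk.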
@@ -21,20 +21,26 @@ func setTime(testTime time.Time) func() time.Time { } } -var defaultRequestSigner = NewRequestSigner("us-east-1", map[string]string{ - "access_key_id": "AKIDEXAMPLE", - "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", -}) +var defaultRequestSigner = &awsRequestSigner{ + RegionName: "us-east-1", + AwsSecurityCredentials: map[string]string{ + "access_key_id": "AKIDEXAMPLE", + "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", + }, +} const accessKeyId = "ASIARD4OQDT6A77FR3CL" const secretAccessKey = "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx" const securityToken = "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMiJGMEQCIH7MHX/Oy/OB8OlLQa9GrqU1B914+iMikqWQW7vPCKlgAiA/Lsv8Jcafn14owfxXn95FURZNKaaphj0ykpmS+Ki+CSq0AwhlEAAaDDA3NzA3MTM5MTk5NiIMx9sAeP1ovlMTMKLjKpEDwuJQg41/QUKx0laTZYjPlQvjwSqS3OB9P1KAXPWSLkliVMMqaHqelvMF/WO/glv3KwuTfQsavRNs3v5pcSEm4SPO3l7mCs7KrQUHwGP0neZhIKxEXy+Ls//1C/Bqt53NL+LSbaGv6RPHaX82laz2qElphg95aVLdYgIFY6JWV5fzyjgnhz0DQmy62/Vi8pNcM2/VnxeCQ8CC8dRDSt52ry2v+nc77vstuI9xV5k8mPtnaPoJDRANh0bjwY5Sdwkbp+mGRUJBAQRlNgHUJusefXQgVKBCiyJY4w3Csd8Bgj9IyDV+Azuy1jQqfFZWgP68LSz5bURyIjlWDQunO82stZ0BgplKKAa/KJHBPCp8Qi6i99uy7qh76FQAqgVTsnDuU6fGpHDcsDSGoCls2HgZjZFPeOj8mmRhFk1Xqvkbjuz8V1cJk54d3gIJvQt8gD2D6yJQZecnuGWd5K2e2HohvCc8Fc9kBl1300nUJPV+k4tr/A5R/0QfEKOZL1/k5lf1g9CREnrM8LVkGxCgdYMxLQow1uTL+QU67AHRRSp5PhhGX4Rek+01vdYSnJCMaPhSEgcLqDlQkhk6MPsyT91QMXcWmyO+cAZwUPwnRamFepuP4K8k2KVXs/LIJHLELwAZ0ekyaS7CptgOqS7uaSTFG3U+vzFZLEnGvWQ7y9IPNQZ+Dffgh4p3vF4J68y9049sI6Sr5d5wbKkcbm8hdCDHZcv4lnqohquPirLiFQ3q7B17V9krMPu3mz1cg4Ekgcrn/E09NTsxAqD8NcZ7C7ECom9r+X3zkDOxaajW6hu3Az8hGlyylDaMiFfRbBJpTIlxp7jfa7CxikNgNtEKLH9iCzvuSg2vhA==" -var requestSignerWithToken = NewRequestSigner("us-east-2", map[string]string{ - "access_key_id": accessKeyId, - "secret_access_key": secretAccessKey, - "security_token": securityToken, -}) +var requestSignerWithToken = &awsRequestSigner{ + RegionName: "us-east-2", + AwsSecurityCredentials: map[string]string{ + 
"access_key_id": accessKeyId, + "secret_access_key": secretAccessKey, + "security_token": securityToken, + }, +} func setDefaultTime(req *http.Request) { // Don't use time.Format for this @@ -42,7 +48,9 @@ func setDefaultTime(req *http.Request) { req.Header.Add("date", "Mon, 09 Sep 2011 23:36:00 GMT") } -func testRequestSigner(t *testing.T, rs *RequestSigner, input, expectedOutput *http.Request) { +func testRequestSigner(t *testing.T, rs *awsRequestSigner, input, expectedOutput *http.Request) { + t.Helper() + err := rs.SignRequest(input) if err != nil { t.Errorf("unexpected error: %q", err.Error()) @@ -363,10 +371,13 @@ func TestAwsV4Signature_PostRequestWithSecurityTokenAndAdditionalHeaders(t *test } func TestAwsV4Signature_PostRequestWithAmzDateButNoSecurityToken(t *testing.T) { - var requestSigner = NewRequestSigner("us-east-2", map[string]string{ - "access_key_id": accessKeyId, - "secret_access_key": secretAccessKey, - }) + var requestSigner = &awsRequestSigner{ + RegionName: "us-east-2", + AwsSecurityCredentials: map[string]string{ + "access_key_id": accessKeyId, + "secret_access_key": secretAccessKey, + }, + } input, _ := http.NewRequest("POST", "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", nil)
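Review bot: The fixtures `accessKeyId`, `secretAccessKey` and `securityToken` that this hunk keeps as context are credential-shaped (an `ASIA…` temporary key id, a 40-character secret and a full session token) and nothing in the file states they are inert, so secret scanners and future reviewers will keep flagging them; presumably they are captured sample values rather than live credentials, but the file should say so. Add a comment above the consts such as `// Test-only AWS credential fixtures used as SigV4 test vectors; not live credentials.` and confirm they are revoked or synthetic before relying on that statement. The `AKIDEXAMPLE`/`…EXAMPLEKEY` pair in `defaultRequestSigner` is self-evidently a placeholder and does not need the same treatment.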
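Review bot: In testRequestSigner the branch after `err := rs.SignRequest(input)` still reports with `t.Errorf` and then falls through to whatever comparison follows the hunk (the function body continues outside it), so a signing failure is followed by assertions against a request that was never signed, and the newly added `t.Helper()` will attribute those secondary failures to the caller too. Use `t.Fatalf("unexpected error: %v", err)` here so the first, real failure is the only one reported; `%v` on the error also removes the `err.Error()` call.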