Fixes requested by codyoss@

This commit is contained in:
Ryan Kohler 2021-01-21 12:48:08 -08:00
parent ff3aac6c19
commit 88fab8941c
2 changed files with 32 additions and 41 deletions

View File

@ -20,19 +20,11 @@ import (
) )
// RequestSigner is a utility class to sign http requests using a AWS V4 signature. // RequestSigner is a utility class to sign http requests using a AWS V4 signature.
type RequestSigner struct { type awsRequestSigner struct {
RegionName string RegionName string
AwsSecurityCredentials map[string]string AwsSecurityCredentials map[string]string
} }
// NewRequestSigner is a method to create a RequestSigner with the appropriately filled out fields.
func NewRequestSigner(regionName string, awsSecurityCredentials map[string]string) *RequestSigner {
return &RequestSigner{
RegionName: regionName,
AwsSecurityCredentials: awsSecurityCredentials,
}
}
const ( const (
// AWS Signature Version 4 signing algorithm identifier. // AWS Signature Version 4 signing algorithm identifier.
awsAlgorithm = "AWS4-HMAC-SHA256" awsAlgorithm = "AWS4-HMAC-SHA256"
@ -164,19 +156,12 @@ func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeader
return "", err return "", err
} }
return strings.Join([]string{ return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil
req.Method,
canonicalPath(req),
canonicalQuery(req),
canonicalHeaderData,
canonicalHeaderColumns,
dataHash,
}, "\n"), nil
} }
// SignRequest adds the appropriate headers to an http.Request // SignRequest adds the appropriate headers to an http.Request
// or returns an error if something prevented this. // or returns an error if something prevented this.
func (rs *RequestSigner) SignRequest(req *http.Request) error { func (rs *awsRequestSigner) SignRequest(req *http.Request) error {
signedRequest := cloneRequest(req) signedRequest := cloneRequest(req)
timestamp := now() timestamp := now()
@ -200,14 +185,14 @@ func (rs *RequestSigner) SignRequest(req *http.Request) error {
return nil return nil
} }
func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) { func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) {
secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"] secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"]
if !ok { if !ok {
return "", errors.New("Missing Secret Access Key") return "", errors.New("oauth2/google: missing secret_access_key header")
} }
accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"] accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"]
if !ok { if !ok {
return "", errors.New("Missing Access Key Id") return "", errors.New("oauth2/google: missing access_key_id header")
} }
canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req) canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req)
@ -229,12 +214,7 @@ func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp tim
return "", err return "", err
} }
stringToSign := strings.Join([]string{ stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash)
awsAlgorithm,
timestamp.Format(awsTimeFormatLong),
credentialScope,
requestHash,
}, "\n")
signingKey := []byte("AWS4" + secretAccessKey) signingKey := []byte("AWS4" + secretAccessKey)
for _, signingInput := range []string{ for _, signingInput := range []string{

View File

@ -21,20 +21,26 @@ func setTime(testTime time.Time) func() time.Time {
} }
} }
var defaultRequestSigner = NewRequestSigner("us-east-1", map[string]string{ var defaultRequestSigner = &awsRequestSigner{
"access_key_id": "AKIDEXAMPLE", RegionName: "us-east-1",
"secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", AwsSecurityCredentials: map[string]string{
}) "access_key_id": "AKIDEXAMPLE",
"secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
},
}
const accessKeyId = "ASIARD4OQDT6A77FR3CL" const accessKeyId = "ASIARD4OQDT6A77FR3CL"
const secretAccessKey = "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx" const secretAccessKey = "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx"
const securityToken = "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMiJGMEQCIH7MHX/Oy/OB8OlLQa9GrqU1B914+iMikqWQW7vPCKlgAiA/Lsv8Jcafn14owfxXn95FURZNKaaphj0ykpmS+Ki+CSq0AwhlEAAaDDA3NzA3MTM5MTk5NiIMx9sAeP1ovlMTMKLjKpEDwuJQg41/QUKx0laTZYjPlQvjwSqS3OB9P1KAXPWSLkliVMMqaHqelvMF/WO/glv3KwuTfQsavRNs3v5pcSEm4SPO3l7mCs7KrQUHwGP0neZhIKxEXy+Ls//1C/Bqt53NL+LSbaGv6RPHaX82laz2qElphg95aVLdYgIFY6JWV5fzyjgnhz0DQmy62/Vi8pNcM2/VnxeCQ8CC8dRDSt52ry2v+nc77vstuI9xV5k8mPtnaPoJDRANh0bjwY5Sdwkbp+mGRUJBAQRlNgHUJusefXQgVKBCiyJY4w3Csd8Bgj9IyDV+Azuy1jQqfFZWgP68LSz5bURyIjlWDQunO82stZ0BgplKKAa/KJHBPCp8Qi6i99uy7qh76FQAqgVTsnDuU6fGpHDcsDSGoCls2HgZjZFPeOj8mmRhFk1Xqvkbjuz8V1cJk54d3gIJvQt8gD2D6yJQZecnuGWd5K2e2HohvCc8Fc9kBl1300nUJPV+k4tr/A5R/0QfEKOZL1/k5lf1g9CREnrM8LVkGxCgdYMxLQow1uTL+QU67AHRRSp5PhhGX4Rek+01vdYSnJCMaPhSEgcLqDlQkhk6MPsyT91QMXcWmyO+cAZwUPwnRamFepuP4K8k2KVXs/LIJHLELwAZ0ekyaS7CptgOqS7uaSTFG3U+vzFZLEnGvWQ7y9IPNQZ+Dffgh4p3vF4J68y9049sI6Sr5d5wbKkcbm8hdCDHZcv4lnqohquPirLiFQ3q7B17V9krMPu3mz1cg4Ekgcrn/E09NTsxAqD8NcZ7C7ECom9r+X3zkDOxaajW6hu3Az8hGlyylDaMiFfRbBJpTIlxp7jfa7CxikNgNtEKLH9iCzvuSg2vhA==" const securityToken = "IQoJb3JpZ2luX2VjEIz//////////wEaCXVzLWVhc3QtMiJGMEQCIH7MHX/Oy/OB8OlLQa9GrqU1B914+iMikqWQW7vPCKlgAiA/Lsv8Jcafn14owfxXn95FURZNKaaphj0ykpmS+Ki+CSq0AwhlEAAaDDA3NzA3MTM5MTk5NiIMx9sAeP1ovlMTMKLjKpEDwuJQg41/QUKx0laTZYjPlQvjwSqS3OB9P1KAXPWSLkliVMMqaHqelvMF/WO/glv3KwuTfQsavRNs3v5pcSEm4SPO3l7mCs7KrQUHwGP0neZhIKxEXy+Ls//1C/Bqt53NL+LSbaGv6RPHaX82laz2qElphg95aVLdYgIFY6JWV5fzyjgnhz0DQmy62/Vi8pNcM2/VnxeCQ8CC8dRDSt52ry2v+nc77vstuI9xV5k8mPtnaPoJDRANh0bjwY5Sdwkbp+mGRUJBAQRlNgHUJusefXQgVKBCiyJY4w3Csd8Bgj9IyDV+Azuy1jQqfFZWgP68LSz5bURyIjlWDQunO82stZ0BgplKKAa/KJHBPCp8Qi6i99uy7qh76FQAqgVTsnDuU6fGpHDcsDSGoCls2HgZjZFPeOj8mmRhFk1Xqvkbjuz8V1cJk54d3gIJvQt8gD2D6yJQZecnuGWd5K2e2HohvCc8Fc9kBl1300nUJPV+k4tr/A5R/0QfEKOZL1/k5lf1g9CREnrM8LVkGxCgdYMxLQow1uTL+QU67AHRRSp5PhhGX4Rek+01vdYSnJCMaPhSEgcLqDlQkhk6MPsyT91QMXcWmyO+cAZwUPwnRamFepuP4K8k2KVXs/LIJHLELwAZ0ekyaS7CptgOqS7uaSTFG3U+vzFZLEnGvWQ7y9IPNQZ+Dffgh4p3vF4J68y9049sI6Sr5d5wbKkcbm8hdCDHZcv4lnqohquPirLiFQ3q7B17V9krMPu3mz1cg4Ekgcrn/E09NTsxAqD8NcZ7C7ECom9r+X3zkDOxaajW6hu3Az8hGlyylDaMiFfRbBJpTIlxp7jfa7CxikNgNtEKLH9iCzvuSg2vhA=="
var requestSignerWithToken = NewRequestSigner("us-east-2", map[string]string{ var requestSignerWithToken = &awsRequestSigner{
"access_key_id": accessKeyId, RegionName: "us-east-2",
"secret_access_key": secretAccessKey, AwsSecurityCredentials: map[string]string{
"security_token": securityToken, "access_key_id": accessKeyId,
}) "secret_access_key": secretAccessKey,
"security_token": securityToken,
},
}
func setDefaultTime(req *http.Request) { func setDefaultTime(req *http.Request) {
// Don't use time.Format for this // Don't use time.Format for this
@ -42,7 +48,9 @@ func setDefaultTime(req *http.Request) {
req.Header.Add("date", "Mon, 09 Sep 2011 23:36:00 GMT") req.Header.Add("date", "Mon, 09 Sep 2011 23:36:00 GMT")
} }
func testRequestSigner(t *testing.T, rs *RequestSigner, input, expectedOutput *http.Request) { func testRequestSigner(t *testing.T, rs *awsRequestSigner, input, expectedOutput *http.Request) {
t.Helper()
err := rs.SignRequest(input) err := rs.SignRequest(input)
if err != nil { if err != nil {
t.Errorf("unexpected error: %q", err.Error()) t.Errorf("unexpected error: %q", err.Error())
@ -363,10 +371,13 @@ func TestAwsV4Signature_PostRequestWithSecurityTokenAndAdditionalHeaders(t *test
} }
func TestAwsV4Signature_PostRequestWithAmzDateButNoSecurityToken(t *testing.T) { func TestAwsV4Signature_PostRequestWithAmzDateButNoSecurityToken(t *testing.T) {
var requestSigner = NewRequestSigner("us-east-2", map[string]string{ var requestSigner = &awsRequestSigner{
"access_key_id": accessKeyId, RegionName: "us-east-2",
"secret_access_key": secretAccessKey, AwsSecurityCredentials: map[string]string{
}) "access_key_id": accessKeyId,
"secret_access_key": secretAccessKey,
},
}
input, _ := http.NewRequest("POST", "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", nil) input, _ := http.NewRequest("POST", "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", nil)