Fixes requested by codyoss@

Ryan Kohler 2021-01-21 12:48:08 -08:00
parent ff3aac6c19
commit 88fab8941c
2 changed files with 32 additions and 41 deletions


@ -20,19 +20,11 @@ import (
)
// RequestSigner is a utility class to sign http requests using a AWS V4 signature.
type RequestSigner struct {
type awsRequestSigner struct {
RegionName string
AwsSecurityCredentials map[string]string
}
// NewRequestSigner is a method to create a RequestSigner with the appropriately filled out fields.
func NewRequestSigner(regionName string, awsSecurityCredentials map[string]string) *RequestSigner {
return &RequestSigner{
RegionName: regionName,
AwsSecurityCredentials: awsSecurityCredentials,
}
}
const (
// AWS Signature Version 4 signing algorithm identifier.
awsAlgorithm = "AWS4-HMAC-SHA256"
@ -164,19 +156,12 @@ func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeader
return "", err
}
return strings.Join([]string{
req.Method,
canonicalPath(req),
canonicalQuery(req),
canonicalHeaderData,
canonicalHeaderColumns,
dataHash,
}, "\n"), nil
return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil
}
// SignRequest adds the appropriate headers to an http.Request
// or returns an error if something prevented this.
func (rs *RequestSigner) SignRequest(req *http.Request) error {
func (rs *awsRequestSigner) SignRequest(req *http.Request) error {
signedRequest := cloneRequest(req)
timestamp := now()
@ -200,14 +185,14 @@ func (rs *RequestSigner) SignRequest(req *http.Request) error {
return nil
}
func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) {
func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) {
secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"]
if !ok {
return "", errors.New("Missing Secret Access Key")
return "", errors.New("oauth2/google: missing secret_access_key header")
}
accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"]
if !ok {
return "", errors.New("Missing Access Key Id")
return "", errors.New("oauth2/google: missing access_key_id header")
}
canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req)
@ -229,12 +214,7 @@ func (rs *RequestSigner) generateAuthentication(req *http.Request, timestamp tim
return "", err
}
stringToSign := strings.Join([]string{
awsAlgorithm,
timestamp.Format(awsTimeFormatLong),
credentialScope,
requestHash,
}, "\n")
stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash)
signingKey := []byte("AWS4" + secretAccessKey)
for _, signingInput := range []string{
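Review bot: In generateAuthentication the two lookups on `rs.AwsSecurityCredentials` only test that the key is present, so an empty `secret_access_key` or `access_key_id` passes and the signing key is built from `"AWS4"` plus an empty string; the request is then signed with a key that carries no secret and the failure only surfaces at the remote end. Guarding with `if !ok || secretAccessKey == ""` (and the same for `accessKeyId`) would make that failure local and explicit. The reworded errors also say "header" although the values are read from the credentials map, which may mislead someone debugging; something like `"oauth2/google: missing secret_access_key in AWS credentials"` matches what the code checks. Separately, the doc comment above the renamed type still begins `// RequestSigner is`, so it no longer names `awsRequestSigner`. The page has lost its `+`/`-` markers, so this assumes the second line of each printed pair is the new side, and the function body continues outside the hunks shown.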


@ -21,20 +21,26 @@ func setTime(testTime time.Time) func() time.Time {
}
}
var defaultRequestSigner = NewRequestSigner("us-east-1", map[string]string{
var defaultRequestSigner = &awsRequestSigner{
RegionName: "us-east-1",
AwsSecurityCredentials: map[string]string{
"access_key_id": "AKIDEXAMPLE",
"secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
})
},
}
const accessKeyId = "ASIARD4OQDT6A77FR3CL"
const secretAccessKey = "Y8AfSaucF37G4PpvfguKZ3/l7Id4uocLXxX0+VTx"
const securityToken = "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"
var requestSignerWithToken = NewRequestSigner("us-east-2", map[string]string{
var requestSignerWithToken = &awsRequestSigner{
RegionName: "us-east-2",
AwsSecurityCredentials: map[string]string{
"access_key_id": accessKeyId,
"secret_access_key": secretAccessKey,
"security_token": securityToken,
})
},
}
func setDefaultTime(req *http.Request) {
// Don't use time.Format for this
@ -42,7 +48,9 @@ func setDefaultTime(req *http.Request) {
req.Header.Add("date", "Mon, 09 Sep 2011 23:36:00 GMT")
}
func testRequestSigner(t *testing.T, rs *RequestSigner, input, expectedOutput *http.Request) {
func testRequestSigner(t *testing.T, rs *awsRequestSigner, input, expectedOutput *http.Request) {
t.Helper()
err := rs.SignRequest(input)
if err != nil {
t.Errorf("unexpected error: %q", err.Error())
@ -363,10 +371,13 @@ func TestAwsV4Signature_PostRequestWithSecurityTokenAndAdditionalHeaders(t *test
}
func TestAwsV4Signature_PostRequestWithAmzDateButNoSecurityToken(t *testing.T) {
var requestSigner = NewRequestSigner("us-east-2", map[string]string{
var requestSigner = &awsRequestSigner{
RegionName: "us-east-2",
AwsSecurityCredentials: map[string]string{
"access_key_id": accessKeyId,
"secret_access_key": secretAccessKey,
})
},
}
input, _ := http.NewRequest("POST", "https://sts.us-east-2.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15", nil)