登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 0

zhuchance / kubernetes

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
v4.go 7.85 KB
一键复制 编辑 原始数据 按行查看 历史
Trevor Pounds 提交于 2015-06-03 22:55 . Update Godeps.
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
// Package v4 implements signing for AWS V4 signer

package v4



import (

	"crypto/hmac"

	"crypto/sha256"

	"encoding/hex"

	"fmt"

	"io"

	"net/http"

	"net/url"

	"sort"

	"strconv"

	"strings"

	"time"



	"github.com/aws/aws-sdk-go/aws/credentials"

	"github.com/aws/aws-sdk-go/internal/protocol/rest"



	"github.com/aws/aws-sdk-go/aws"

)



const (

	authHeaderPrefix = "AWS4-HMAC-SHA256"

	timeFormat       = "20060102T150405Z"

	shortTimeFormat  = "20060102"

)



var ignoredHeaders = map[string]bool{

	"Authorization":  true,

	"Content-Type":   true,

	"Content-Length": true,

	"User-Agent":     true,

}



type signer struct {

	Request         *http.Request

	Time            time.Time

	ExpireTime      time.Duration

	ServiceName     string

	Region          string

	AccessKeyID     string

	SecretAccessKey string

	SessionToken    string

	Query           url.Values

	Body            io.ReadSeeker

	Debug           uint

	Logger          io.Writer



	isPresign          bool

	formattedTime      string

	formattedShortTime string



	signedHeaders    string

	canonicalHeaders string

	canonicalString  string

	credentialString string

	stringToSign     string

	signature        string

	authorization    string

}



// Sign requests with signature version 4.

//

// Will sign the requests with the service config's Credentials object

// Signing is skipped if the credentials is the credentials.AnonymousCredentials

// object.

func Sign(req *aws.Request) {

	// If the request does not need to be signed ignore the signing of the

	// request if the AnonymousCredentials object is used.

	if req.Service.Config.Credentials == credentials.AnonymousCredentials {

		return

	}

	creds, err := req.Service.Config.Credentials.Get()

	if err != nil {

		req.Error = err

		return

	}



	region := req.Service.SigningRegion

	if region == "" {

		region = req.Service.Config.Region

	}



	name := req.Service.SigningName

	if name == "" {

		name = req.Service.ServiceName

	}



	s := signer{

		Request:         req.HTTPRequest,

		Time:            req.Time,

		ExpireTime:      req.ExpireTime,

		Query:           req.HTTPRequest.URL.Query(),

		Body:            req.Body,

		ServiceName:     name,

		Region:          region,

		AccessKeyID:     creds.AccessKeyID,

		SecretAccessKey: creds.SecretAccessKey,

		SessionToken:    creds.SessionToken,

		Debug:           req.Service.Config.LogLevel,

		Logger:          req.Service.Config.Logger,

	}

	s.sign()

	return

}



func (v4 *signer) sign() {

	if v4.ExpireTime != 0 {

		v4.isPresign = true

	}



	if v4.isPresign {

		v4.Query.Set("X-Amz-Algorithm", authHeaderPrefix)

		if v4.SessionToken != "" {

			v4.Query.Set("X-Amz-Security-Token", v4.SessionToken)

		} else {

			v4.Query.Del("X-Amz-Security-Token")

		}

	} else if v4.SessionToken != "" {

		v4.Request.Header.Set("X-Amz-Security-Token", v4.SessionToken)

	}



	v4.build()



	if v4.Debug > 0 {

		out := v4.Logger

		fmt.Fprintf(out, "---[ CANONICAL STRING  ]-----------------------------\n")

		fmt.Fprintln(out, v4.canonicalString)

		fmt.Fprintf(out, "---[ STRING TO SIGN ]--------------------------------\n")

		fmt.Fprintln(out, v4.stringToSign)

		if v4.isPresign {

			fmt.Fprintf(out, "---[ SIGNED URL ]--------------------------------\n")

			fmt.Fprintln(out, v4.Request.URL)

		}

		fmt.Fprintf(out, "-----------------------------------------------------\n")

	}

}



func (v4 *signer) build() {

	v4.buildTime()             // no depends

	v4.buildCredentialString() // no depends

	if v4.isPresign {

		v4.buildQuery() // no depends

	}

	v4.buildCanonicalHeaders() // depends on cred string

	v4.buildCanonicalString()  // depends on canon headers / signed headers

	v4.buildStringToSign()     // depends on canon string

	v4.buildSignature()        // depends on string to sign



	if v4.isPresign {

		v4.Request.URL.RawQuery += "&X-Amz-Signature=" + v4.signature

	} else {

		parts := []string{

			authHeaderPrefix + " Credential=" + v4.AccessKeyID + "/" + v4.credentialString,

			"SignedHeaders=" + v4.signedHeaders,

			"Signature=" + v4.signature,

		}

		v4.Request.Header.Set("Authorization", strings.Join(parts, ", "))

	}

}



func (v4 *signer) buildTime() {

	v4.formattedTime = v4.Time.UTC().Format(timeFormat)

	v4.formattedShortTime = v4.Time.UTC().Format(shortTimeFormat)



	if v4.isPresign {

		duration := int64(v4.ExpireTime / time.Second)

		v4.Query.Set("X-Amz-Date", v4.formattedTime)

		v4.Query.Set("X-Amz-Expires", strconv.FormatInt(duration, 10))

	} else {

		v4.Request.Header.Set("X-Amz-Date", v4.formattedTime)

	}

}



func (v4 *signer) buildCredentialString() {

	v4.credentialString = strings.Join([]string{

		v4.formattedShortTime,

		v4.Region,

		v4.ServiceName,

		"aws4_request",

	}, "/")



	if v4.isPresign {

		v4.Query.Set("X-Amz-Credential", v4.AccessKeyID+"/"+v4.credentialString)

	}

}



func (v4 *signer) buildQuery() {

	for k, h := range v4.Request.Header {

		if strings.HasPrefix(http.CanonicalHeaderKey(k), "X-Amz-") {

			continue // never hoist x-amz-* headers, they must be signed

		}

		if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {

			continue // never hoist ignored headers

		}



		v4.Request.Header.Del(k)

		v4.Query.Del(k)

		for _, v := range h {

			v4.Query.Add(k, v)

		}

	}

}



func (v4 *signer) buildCanonicalHeaders() {

	var headers []string

	headers = append(headers, "host")

	for k := range v4.Request.Header {

		if _, ok := ignoredHeaders[http.CanonicalHeaderKey(k)]; ok {

			continue // ignored header

		}

		headers = append(headers, strings.ToLower(k))

	}

	sort.Strings(headers)



	v4.signedHeaders = strings.Join(headers, ";")



	if v4.isPresign {

		v4.Query.Set("X-Amz-SignedHeaders", v4.signedHeaders)

	}



	headerValues := make([]string, len(headers))

	for i, k := range headers {

		if k == "host" {

			headerValues[i] = "host:" + v4.Request.URL.Host

		} else {

			headerValues[i] = k + ":" +

				strings.Join(v4.Request.Header[http.CanonicalHeaderKey(k)], ",")

		}

	}



	v4.canonicalHeaders = strings.Join(headerValues, "\n")

}



func (v4 *signer) buildCanonicalString() {

	v4.Request.URL.RawQuery = strings.Replace(v4.Query.Encode(), "+", "%20", -1)

	uri := v4.Request.URL.Opaque

	if uri != "" {

		uri = "/" + strings.Join(strings.Split(uri, "/")[3:], "/")

	} else {

		uri = v4.Request.URL.Path

	}

	if uri == "" {

		uri = "/"

	}



	if v4.ServiceName != "s3" {

		uri = rest.EscapePath(uri, false)

	}



	v4.canonicalString = strings.Join([]string{

		v4.Request.Method,

		uri,

		v4.Request.URL.RawQuery,

		v4.canonicalHeaders + "\n",

		v4.signedHeaders,

		v4.bodyDigest(),

	}, "\n")

}



func (v4 *signer) buildStringToSign() {

	v4.stringToSign = strings.Join([]string{

		authHeaderPrefix,

		v4.formattedTime,

		v4.credentialString,

		hex.EncodeToString(makeSha256([]byte(v4.canonicalString))),

	}, "\n")

}



func (v4 *signer) buildSignature() {

	secret := v4.SecretAccessKey

	date := makeHmac([]byte("AWS4"+secret), []byte(v4.formattedShortTime))

	region := makeHmac(date, []byte(v4.Region))

	service := makeHmac(region, []byte(v4.ServiceName))

	credentials := makeHmac(service, []byte("aws4_request"))

	signature := makeHmac(credentials, []byte(v4.stringToSign))

	v4.signature = hex.EncodeToString(signature)

}



func (v4 *signer) bodyDigest() string {

	hash := v4.Request.Header.Get("X-Amz-Content-Sha256")

	if hash == "" {

		if v4.isPresign && v4.ServiceName == "s3" {

			hash = "UNSIGNED-PAYLOAD"

		} else if v4.Body == nil {

			hash = hex.EncodeToString(makeSha256([]byte{}))

		} else {

			hash = hex.EncodeToString(makeSha256Reader(v4.Body))

		}

		v4.Request.Header.Add("X-Amz-Content-Sha256", hash)

	}

	return hash

}



func makeHmac(key []byte, data []byte) []byte {

	hash := hmac.New(sha256.New, key)

	hash.Write(data)

	return hash.Sum(nil)

}



func makeSha256(data []byte) []byte {

	hash := sha256.New()

	hash.Write(data)

	return hash.Sum(nil)

}



func makeSha256Reader(reader io.ReadSeeker) []byte {

	packet := make([]byte, 4096)

	hash := sha256.New()



	start, _ := reader.Seek(0, 1)

	defer reader.Seek(start, 0)



	for {

		n, err := reader.Read(packet)

		if n > 0 {

			hash.Write(packet[0:n])

		}

		if err == io.EOF || n == 0 {

			break

		}

	}



	return hash.Sum(nil)

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/meoom/kubernetes.git
git@gitee.com:meoom/kubernetes.git
meoom
kubernetes
kubernetes
v1.2.0-alpha.1
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
344bd9b3 5694891 D2dac590 5694891