This repository has been archived by the owner on Nov 20, 2018. It is now read-only.
/
util.js
489 lines (412 loc) · 20.1 KB
/
util.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
/*globals qq */
qq.s3 = qq.s3 || {};
qq.s3.util = qq.s3.util || (function() {
"use strict";
return {
ALGORITHM_PARAM_NAME: "x-amz-algorithm",
AWS_PARAM_PREFIX: "x-amz-meta-",
CREDENTIAL_PARAM_NAME: "x-amz-credential",
DATE_PARAM_NAME: "x-amz-date",
REDUCED_REDUNDANCY_PARAM_NAME: "x-amz-storage-class",
REDUCED_REDUNDANCY_PARAM_VALUE: "REDUCED_REDUNDANCY",
SERVER_SIDE_ENCRYPTION_PARAM_NAME: "x-amz-server-side-encryption",
SERVER_SIDE_ENCRYPTION_PARAM_VALUE: "AES256",
SESSION_TOKEN_PARAM_NAME: "x-amz-security-token",
V4_ALGORITHM_PARAM_VALUE: "AWS4-HMAC-SHA256",
V4_SIGNATURE_PARAM_NAME: "x-amz-signature",
CASE_SENSITIVE_PARAM_NAMES: [
"Cache-Control",
"Content-Disposition",
"Content-Encoding",
"Content-MD5"
],
UNPREFIXED_PARAM_NAMES: [
"Cache-Control",
"Content-Disposition",
"Content-Encoding",
"Content-MD5",
"x-amz-server-side-encryption-customer-algorithm",
"x-amz-server-side-encryption-customer-key",
"x-amz-server-side-encryption-customer-key-MD5"
],
/**
* This allows for the region to be specified in the bucket's endpoint URL, or not.
*
* Examples of some valid endpoints are:
* http://foo.s3.amazonaws.com
* https://foo.s3.amazonaws.com
* http://foo.s3-ap-northeast-1.amazonaws.com
* foo.s3.amazonaws.com
* http://foo.bar.com
* http://s3.amazonaws.com/foo.bar.com
* ...etc
*
* @param endpoint The bucket's URL.
* @returns {String || undefined} The bucket name, or undefined if the URL cannot be parsed.
*/
getBucket: function(endpoint) {
var patterns = [
//bucket in domain
/^(?:https?:\/\/)?([a-z0-9.\-_]+)\.s3(?:-[a-z0-9\-]+)?\.amazonaws\.com/i,
//bucket in path
/^(?:https?:\/\/)?s3(?:-[a-z0-9\-]+)?\.amazonaws\.com\/([a-z0-9.\-_]+)/i,
//custom domain
/^(?:https?:\/\/)?([a-z0-9.\-_]+)/i
],
bucket;
qq.each(patterns, function(idx, pattern) {
var match = pattern.exec(endpoint);
if (match) {
bucket = match[1];
return false;
}
});
return bucket;
},
/** Create Prefixed request headers which are appropriate for S3.
*
* If the request header is appropriate for S3 (e.g. Cache-Control) then pass
* it along without a metadata prefix. For all other request header parameter names,
* apply qq.s3.util.AWS_PARAM_PREFIX before the name.
* See: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
*/
_getPrefixedParamName: function(name) {
if (qq.indexOf(qq.s3.util.UNPREFIXED_PARAM_NAMES, name) >= 0) {
return name;
}
return qq.s3.util.AWS_PARAM_PREFIX + name;
},
/**
* Create a policy document to be signed and sent along with the S3 upload request.
*
* @param spec Object with properties use to construct the policy document.
* @returns {Object} Policy doc.
*/
getPolicy: function(spec) {
var policy = {},
conditions = [],
bucket = spec.bucket,
date = spec.date,
drift = spec.clockDrift,
key = spec.key,
accessKey = spec.accessKey,
acl = spec.acl,
type = spec.type,
expectedStatus = spec.expectedStatus,
sessionToken = spec.sessionToken,
params = spec.params,
successRedirectUrl = qq.s3.util.getSuccessRedirectAbsoluteUrl(spec.successRedirectUrl),
minFileSize = spec.minFileSize,
maxFileSize = spec.maxFileSize,
reducedRedundancy = spec.reducedRedundancy,
region = spec.region,
serverSideEncryption = spec.serverSideEncryption,
signatureVersion = spec.signatureVersion;
policy.expiration = qq.s3.util.getPolicyExpirationDate(date, drift);
conditions.push({acl: acl});
conditions.push({bucket: bucket});
if (type) {
conditions.push({"Content-Type": type});
}
// jscs:disable requireCamelCaseOrUpperCaseIdentifiers
if (expectedStatus) {
conditions.push({success_action_status: expectedStatus.toString()});
}
if (successRedirectUrl) {
conditions.push({success_action_redirect: successRedirectUrl});
}
// jscs:enable
if (reducedRedundancy) {
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.REDUCED_REDUNDANCY_PARAM_NAME] = qq.s3.util.REDUCED_REDUNDANCY_PARAM_VALUE;
}
if (sessionToken) {
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.SESSION_TOKEN_PARAM_NAME] = sessionToken;
}
if (serverSideEncryption) {
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.SERVER_SIDE_ENCRYPTION_PARAM_NAME] = qq.s3.util.SERVER_SIDE_ENCRYPTION_PARAM_VALUE;
}
if (signatureVersion === 2) {
conditions.push({key: key});
}
else if (signatureVersion === 4) {
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.ALGORITHM_PARAM_NAME] = qq.s3.util.V4_ALGORITHM_PARAM_VALUE;
conditions.push({});
conditions[conditions.length - 1].key = key;
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.CREDENTIAL_PARAM_NAME] =
qq.s3.util.getV4CredentialsString({date: date, key: accessKey, region: region});
conditions.push({});
conditions[conditions.length - 1][qq.s3.util.DATE_PARAM_NAME] =
qq.s3.util.getV4PolicyDate(date, drift);
}
// user metadata
qq.each(params, function(name, val) {
var awsParamName = qq.s3.util._getPrefixedParamName(name),
param = {};
if (qq.indexOf(qq.s3.util.UNPREFIXED_PARAM_NAMES, awsParamName) >= 0) {
param[awsParamName] = val;
}
else {
param[awsParamName] = encodeURIComponent(val);
}
conditions.push(param);
});
policy.conditions = conditions;
qq.s3.util.enforceSizeLimits(policy, minFileSize, maxFileSize);
return policy;
},
/**
* Update a previously constructed policy document with updated credentials. Currently, this only requires we
* update the session token. This is only relevant if requests are being signed client-side.
*
* @param policy Live policy document
* @param newSessionToken Updated session token.
*/
refreshPolicyCredentials: function(policy, newSessionToken) {
var sessionTokenFound = false;
qq.each(policy.conditions, function(oldCondIdx, oldCondObj) {
qq.each(oldCondObj, function(oldCondName, oldCondVal) {
if (oldCondName === qq.s3.util.SESSION_TOKEN_PARAM_NAME) {
oldCondObj[oldCondName] = newSessionToken;
sessionTokenFound = true;
}
});
});
if (!sessionTokenFound) {
policy.conditions.push({});
policy.conditions[policy.conditions.length - 1][qq.s3.util.SESSION_TOKEN_PARAM_NAME] = newSessionToken;
}
},
/**
* Generates all parameters to be passed along with the S3 upload request. This includes invoking a callback
* that is expected to asynchronously retrieve a signature for the policy document. Note that the server
* signing the request should reject a "tainted" policy document that includes unexpected values, since it is
* still possible for a malicious user to tamper with these values during policy document generation,
* before it is sent to the server for signing.
*
* @param spec Object with properties: `params`, `type`, `key`, `accessKey`, `acl`, `expectedStatus`, `successRedirectUrl`,
* `reducedRedundancy`, `region`, `serverSideEncryption`, `version`, and `log()`, along with any options associated with `qq.s3.util.getPolicy()`.
* @returns {qq.Promise} Promise that will be fulfilled once all parameters have been determined.
*/
generateAwsParams: function(spec, signPolicyCallback) {
var awsParams = {},
customParams = spec.params,
promise = new qq.Promise(),
sessionToken = spec.sessionToken,
drift = spec.clockDrift,
type = spec.type,
key = spec.key,
accessKey = spec.accessKey,
acl = spec.acl,
expectedStatus = spec.expectedStatus,
successRedirectUrl = qq.s3.util.getSuccessRedirectAbsoluteUrl(spec.successRedirectUrl),
reducedRedundancy = spec.reducedRedundancy,
region = spec.region,
serverSideEncryption = spec.serverSideEncryption,
signatureVersion = spec.signatureVersion,
now = new Date(),
log = spec.log,
policyJson;
spec.date = now;
policyJson = qq.s3.util.getPolicy(spec);
awsParams.key = key;
if (type) {
awsParams["Content-Type"] = type;
}
// jscs:disable requireCamelCaseOrUpperCaseIdentifiers
if (expectedStatus) {
awsParams.success_action_status = expectedStatus;
}
if (successRedirectUrl) {
awsParams.success_action_redirect = successRedirectUrl;
}
// jscs:enable
if (reducedRedundancy) {
awsParams[qq.s3.util.REDUCED_REDUNDANCY_PARAM_NAME] = qq.s3.util.REDUCED_REDUNDANCY_PARAM_VALUE;
}
if (serverSideEncryption) {
awsParams[qq.s3.util.SERVER_SIDE_ENCRYPTION_PARAM_NAME] = qq.s3.util.SERVER_SIDE_ENCRYPTION_PARAM_VALUE;
}
if (sessionToken) {
awsParams[qq.s3.util.SESSION_TOKEN_PARAM_NAME] = sessionToken;
}
awsParams.acl = acl;
// Custom (user-supplied) params must be prefixed with the value of `qq.s3.util.AWS_PARAM_PREFIX`.
// Params such as Cache-Control or Content-Disposition will not be prefixed.
// Prefixed param values will be URI encoded as well.
qq.each(customParams, function(name, val) {
var awsParamName = qq.s3.util._getPrefixedParamName(name);
if (qq.indexOf(qq.s3.util.UNPREFIXED_PARAM_NAMES, awsParamName) >= 0) {
awsParams[awsParamName] = val;
}
else {
awsParams[awsParamName] = encodeURIComponent(val);
}
});
if (signatureVersion === 2) {
awsParams.AWSAccessKeyId = accessKey;
}
else if (signatureVersion === 4) {
awsParams[qq.s3.util.ALGORITHM_PARAM_NAME] = qq.s3.util.V4_ALGORITHM_PARAM_VALUE;
awsParams[qq.s3.util.CREDENTIAL_PARAM_NAME] = qq.s3.util.getV4CredentialsString({date: now, key: accessKey, region: region});
awsParams[qq.s3.util.DATE_PARAM_NAME] = qq.s3.util.getV4PolicyDate(now, drift);
}
// Invoke a promissory callback that should provide us with a base64-encoded policy doc and an
// HMAC signature for the policy doc.
signPolicyCallback(policyJson).then(
function(policyAndSignature, updatedAccessKey, updatedSessionToken) {
awsParams.policy = policyAndSignature.policy;
if (spec.signatureVersion === 2) {
awsParams.signature = policyAndSignature.signature;
if (updatedAccessKey) {
awsParams.AWSAccessKeyId = updatedAccessKey;
}
}
else if (spec.signatureVersion === 4) {
awsParams[qq.s3.util.V4_SIGNATURE_PARAM_NAME] = policyAndSignature.signature;
}
if (updatedSessionToken) {
awsParams[qq.s3.util.SESSION_TOKEN_PARAM_NAME] = updatedSessionToken;
}
promise.success(awsParams);
},
function(errorMessage) {
errorMessage = errorMessage || "Can't continue further with request to S3 as we did not receive " +
"a valid signature and policy from the server.";
log("Policy signing failed. " + errorMessage, "error");
promise.failure(errorMessage);
}
);
return promise;
},
/**
* Add a condition to an existing S3 upload request policy document used to ensure AWS enforces any size
* restrictions placed on files server-side. This is important to do, in case users mess with the client-side
* checks already in place.
*
* @param policy Policy document as an `Object`, with a `conditions` property already attached
* @param minSize Minimum acceptable size, in bytes
* @param maxSize Maximum acceptable size, in bytes (0 = unlimited)
*/
enforceSizeLimits: function(policy, minSize, maxSize) {
var adjustedMinSize = minSize < 0 ? 0 : minSize,
// Adjust a maxSize of 0 to the largest possible integer, since we must specify a high and a low in the request
adjustedMaxSize = maxSize <= 0 ? 9007199254740992 : maxSize;
if (minSize > 0 || maxSize > 0) {
policy.conditions.push(["content-length-range", adjustedMinSize.toString(), adjustedMaxSize.toString()]);
}
},
getPolicyExpirationDate: function(date, drift) {
var adjustedDate = new Date(date.getTime() + drift);
return qq.s3.util.getPolicyDate(adjustedDate, 5);
},
getCredentialsDate: function(date) {
return date.getUTCFullYear() + "" +
("0" + (date.getUTCMonth() + 1)).slice(-2) +
("0" + date.getUTCDate()).slice(-2);
},
getPolicyDate: function(date, _minutesToAdd_) {
var minutesToAdd = _minutesToAdd_ || 0,
pad, r;
/*jshint -W014 */
// Is this going to be a problem if we encounter this moments before 2 AM just before daylight savings time ends?
date.setMinutes(date.getMinutes() + (minutesToAdd || 0));
if (Date.prototype.toISOString) {
return date.toISOString();
}
else {
pad = function(number) {
r = String(number);
if (r.length === 1) {
r = "0" + r;
}
return r;
};
return date.getUTCFullYear()
+ "-" + pad(date.getUTCMonth() + 1)
+ "-" + pad(date.getUTCDate())
+ "T" + pad(date.getUTCHours())
+ ":" + pad(date.getUTCMinutes())
+ ":" + pad(date.getUTCSeconds())
+ "." + String((date.getUTCMilliseconds() / 1000).toFixed(3)).slice(2, 5)
+ "Z";
}
},
/**
* Looks at a response from S3 contained in an iframe and parses the query string in an attempt to identify
* the associated resource.
*
* @param iframe Iframe containing response
* @returns {{bucket: *, key: *, etag: *}}
*/
parseIframeResponse: function(iframe) {
var doc = iframe.contentDocument || iframe.contentWindow.document,
queryString = doc.location.search,
match = /bucket=(.+)&key=(.+)&etag=(.+)/.exec(queryString);
if (match) {
return {
bucket: match[1],
key: match[2],
etag: match[3].replace(/%22/g, "")
};
}
},
/**
* @param successRedirectUrl Relative or absolute location of success redirect page
* @returns {*|string} undefined if the parameter is undefined, otherwise the absolute location of the success redirect page
*/
getSuccessRedirectAbsoluteUrl: function(successRedirectUrl) {
if (successRedirectUrl) {
var targetAnchorContainer = document.createElement("div"),
targetAnchor;
if (qq.ie7()) {
// Note that we must make use of `innerHTML` for IE7 only instead of simply creating an anchor via
// `document.createElement('a')` and setting the `href` attribute. The latter approach does not allow us to
// obtain an absolute URL in IE7 if the `endpoint` is a relative URL.
targetAnchorContainer.innerHTML = "<a href='" + successRedirectUrl + "'></a>";
targetAnchor = targetAnchorContainer.firstChild;
return targetAnchor.href;
}
else {
// IE8 and IE9 do not seem to derive an absolute URL from a relative URL using the `innerHTML`
// approach above, so we'll just create an anchor this way and set it's `href` attribute.
// Due to yet another quirk in IE8 and IE9, we have to set the `href` equal to itself
// in order to ensure relative URLs will be properly parsed.
targetAnchor = document.createElement("a");
targetAnchor.href = successRedirectUrl;
targetAnchor.href = targetAnchor.href;
return targetAnchor.href;
}
}
},
getV4CredentialsString: function(spec) {
return spec.key + "/" +
qq.s3.util.getCredentialsDate(spec.date) + "/" +
spec.region + "/s3/aws4_request";
},
getV4PolicyDate: function(date, drift) {
var adjustedDate = new Date(date.getTime() + drift);
return qq.s3.util.getCredentialsDate(adjustedDate) + "T" +
("0" + adjustedDate.getUTCHours()).slice(-2) +
("0" + adjustedDate.getUTCMinutes()).slice(-2) +
("0" + adjustedDate.getUTCSeconds()).slice(-2) +
"Z";
},
// AWS employs a strict interpretation of [RFC 3986](http://tools.ietf.org/html/rfc3986#page-12).
// So, we must ensure all reserved characters listed in the spec are percent-encoded,
// and spaces are replaced with "+".
encodeQueryStringParam: function(param) {
var percentEncoded = encodeURIComponent(param);
// %-encode characters not handled by `encodeURIComponent` (to follow RFC 3986)
percentEncoded = percentEncoded.replace(/[!'()]/g, escape);
// %-encode characters not handled by `escape` (to follow RFC 3986)
percentEncoded = percentEncoded.replace(/\*/g, "%2A");
// replace percent-encoded spaces with a "+"
return percentEncoded.replace(/%20/g, "+");
}
};
}());