-
Notifications
You must be signed in to change notification settings - Fork 0
/
lib.rs
executable file
·450 lines (387 loc) · 19.6 KB
/
lib.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
#![cfg_attr(not(feature = "std"), no_std)]
// use ink_lang as ink;
use pink_extension as pink;
#[pink::contract(env=PinkEnvironment)]
mod fat_contract_s3_sync {
use super::pink;
use ink_prelude::{string::{String, ToString}, vec::Vec};
use ink_prelude::vec;
use ink_prelude::format;
use ink_env;
use ink_env::debug_println;
use scale::{Decode, Encode};
// To make HTTP request
use pink::{http_get, PinkEnvironment};
// To generate AWS4 Signature
use hmac::{Hmac, Mac};
use sha2::Sha256;
use sha2::Digest;
// To format block timestamp for http request headers
use chrono::{TimeZone, Utc};
// To encrypt/decrypt HTTP payloads
use aes_gcm_siv::aead::{Aead, KeyInit, Nonce};
use aes_gcm_siv::Aes256GcmSiv;
use pink::chain_extension::signing;
use cipher::{consts::{U12, U32}, generic_array::GenericArray};
use base16;
// Wrap PUT request in macro
macro_rules! http_put {
($url: expr, $data: expr, $headers: expr) => {{
use pink::chain_extension::HttpRequest;
let headers = $headers;
let body = $data.into();
let request = HttpRequest {
url: $url.into(),
method: "PUT".into(),
headers,
body,
};
pink::ext().http_request(request)
}};
($url: expr, $data: expr) => {{
pink::http_put!($url, $data, Default::default())
}};
}
// Make macro available for use inside/outside of module
pub(crate) use http_put;
#[ink(storage)]
#[cfg_attr(feature = "std", derive(scale_info::TypeInfo))]
pub struct FatContractS3Sync {
access_key: String,
secret_key: String
}
#[derive(Encode, Decode, Debug, PartialEq, Eq, Copy, Clone)]
#[cfg_attr(feature = "std", derive(scale_info::TypeInfo))]
pub enum Error {
RequestFailed,
EncryptionFailed,
DecryptionFailed,
PlatformNotFound,
CredentialsNotSealed
}
impl FatContractS3Sync {
#[ink(constructor)]
pub fn new() -> Self {
Self {
access_key: "Not Sealed".to_string(),
secret_key: "Not Sealed".to_string()
}
}
#[ink(message)]
pub fn seal_credentials(&mut self, access_key: String, secret_key: String) -> () {
self.access_key = access_key;
self.secret_key = secret_key;
}
pub fn get_time(&self) -> (String, String) {
// Get block time (UNIX time in nano seconds)and convert to Utc datetime object
let time = self.env().block_timestamp()/1000;
let datetime = Utc.timestamp(time.try_into().unwrap(), 0);
// Format both date and datetime for AWS4 signature
let datestamp = datetime.format("%Y%m%d").to_string();
let datetimestamp = datetime.format("%Y%m%dT%H%M%SZ").to_string();
(datestamp, datetimestamp)
}
/// HTTP GETs and decrypts the data from the specified storage platform.
/// Must seal the correct credentials before calling this function
#[ink(message)]
pub fn get_object(&self, platform: String, object_key: String, bucket_name: String, region: Option<String>) -> Result<String, Error> {
if self.access_key == "Not Sealed" || self.secret_key == "Not Sealed" {
return Err(Error::CredentialsNotSealed)
}
// Set request values
let method = "GET";
let service = "s3";
let region = region.unwrap_or(String::from("us-east-1"));
let host = if platform == "s3" {
format!("{}.s3.amazonaws.com", bucket_name)
} else if platform == "4everland" {
"endpoint.4everland.co".to_string()
} else if platform == "storj" {
"gateway.storjshare.io".to_string()
} else if platform == "filebase" {
"s3.filebase.com".to_string()
} else {
return Err(Error::PlatformNotFound)
};
let payload_hash = format!("{:x}", Sha256::digest(b"")); // GET has default payload empty byte
// Get current time: datestamp (e.g. 20220727) and amz_date (e.g. 20220727T141618Z)
let (datestamp, amz_date) = self.get_time();
// 1. Create canonical request
let canonical_uri: String = if platform == "s3" {
format!("/{}", object_key)
} else {
format!("/{}/{}", bucket_name, object_key)
};
let canonical_querystring = "";
let canonical_headers = format!("host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n", host, payload_hash, amz_date);
let signed_headers = "host;x-amz-content-sha256;x-amz-date";
let canonical_request = format!("{}\n{}\n{}\n{}\n{}\n{}",
method,
canonical_uri,
canonical_querystring,
canonical_headers,
signed_headers,
payload_hash);
debug_println!(" ----- Canonical request ----- \n{}\n", canonical_request);
// ----- Canonical request -----
// GET
// /test/api-upload
//
// host:fat-contract-s3-sync.s3.amazonaws.com
// x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
// x-amz-date:19700101T000000Z
//
// host;x-amz-content-sha256;x-amz-date
// e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
// 2. Create "String to sign"
let algorithm = "AWS4-HMAC-SHA256";
let credential_scope = format!("{}/{}/{}/aws4_request", datestamp, region, service);
let canonical_request_hash = format!("{:x}", Sha256::digest(&canonical_request.as_bytes()));
let string_to_sign = format!("{}\n{}\n{}\n{}",
algorithm,
amz_date,
credential_scope,
canonical_request_hash);
debug_println!(" ----- String to sign ----- \n{}\n", string_to_sign);
// ----- String to sign -----
// AWS4-HMAC-SHA256
// 19700101T000000Z
// 19700101/ap-southeast-1/s3/aws4_request
// ec70fa653b4f867cda7a59007db15a7e95ed45d70bacdfb55902a2fb09b6367f
// 3. Calculate signature
let signature_key = get_signature_key(
self.secret_key.as_bytes(),
&datestamp.as_bytes(),
®ion.as_bytes(),
&service.as_bytes());
let signature_bytes = hmac_sign(&signature_key, &string_to_sign.as_bytes());
let signature = format!("{}", base16::encode_lower(&signature_bytes));
debug_println!(" ----- Signature ----- \n{}\n", &signature);
// ----- Signature -----
// 485e174a7fed1691de34f116a968981709ed5a00f4975470bd3d0dd06ccd3e1d
// 4. Create authorization header
let authorization_header = format!("{} Credential={}/{}, SignedHeaders={}, Signature={}",
algorithm,
self.access_key,
credential_scope,
signed_headers,
signature);
debug_println!(" ----- Authorization header ----- \nAuthorization: {}\n", &authorization_header);
// ----- Authorization header -----
// Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/19700101/ap-southeast-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=485e174a7fed1691de34f116a968981709ed5a00f4975470bd3d0dd06ccd3e1d
let headers: Vec<(String, String)> = vec![
("Host".into(), host.to_string()),
("Authorization".into(), authorization_header.clone()),
("x-amz-content-sha256".into(), payload_hash),
("x-amz-date".into(), amz_date)];
// Make HTTP GET request
let request_url: String = if platform == "s3" {
format!("https://{}.s3.{}.amazonaws.com/{}", bucket_name, region, object_key)
} else {
format!("https://{}/{}/{}", host, bucket_name, object_key)
};
let response = http_get!(request_url, headers);
if response.status_code != 200 {
return Err(Error::RequestFailed);
}
// Generate key and nonce
let key_bytes: Vec<u8> = signing::derive_sr25519_key(object_key.as_bytes())[..32].to_vec();
let key: &GenericArray<u8, U32> = GenericArray::from_slice(&key_bytes);
let nonce_bytes: Vec<u8> = self.access_key.as_bytes()[..12].to_vec();
let nonce: &GenericArray<u8, U12> = Nonce::<Aes256GcmSiv>::from_slice(&nonce_bytes);
// Decrypt payload
let cipher = Aes256GcmSiv::new(key.into());
let decrypted_byte = cipher.decrypt(&nonce, response.body.as_ref()).or(Err(Error::DecryptionFailed));
let result = format!("{}", String::from_utf8_lossy(&decrypted_byte.unwrap()));
Ok(result)
}
/// Encrypts and HTTP PUTs the data to the specified storage platform as byte stream.
/// Must seal the correct credentials before calling this function.
#[ink(message)]
pub fn put_object(&self, platform: String, object_key: String, bucket_name: String, region: String, payload: String) -> Result<String, Error> {
if self.access_key == "Not Sealed" || self.secret_key == "Not Sealed" {
return Err(Error::CredentialsNotSealed)
}
// Generate key and nonce
let key_bytes: Vec<u8> = signing::derive_sr25519_key(object_key.as_bytes())[..32].to_vec();
let key: &GenericArray<u8, U32> = GenericArray::from_slice(&key_bytes);
let nonce_bytes: Vec<u8> = self.access_key.as_bytes()[..12].to_vec();
let nonce: &GenericArray<u8, U12> = Nonce::<Aes256GcmSiv>::from_slice(&nonce_bytes);
// Encrypt payload
let cipher = Aes256GcmSiv::new(key.into());
let encrypted_bytes: Vec<u8> = cipher.encrypt(nonce, payload.as_bytes().as_ref()).unwrap();
// Set request values
let method = "PUT";
let service = "s3";
// let region = region.unwrap_or(String::from("us-east-1"));
let host = if platform == "s3" {
format!("{}.s3.amazonaws.com", bucket_name)
} else if platform == "4everland" {
"endpoint.4everland.co".to_string()
} else if platform == "storj" {
"gateway.storjshare.io".to_string()
} else if platform == "filebase" {
"s3.filebase.com".to_string()
} else {
return Err(Error::PlatformNotFound)
};
let payload_hash = format!("{:x}", Sha256::digest(&encrypted_bytes));
let content_length = format!("{}", encrypted_bytes.clone().len());
// Get datestamp (20220727) and amz_date (20220727T141618Z)
let (datestamp, amz_date) = self.get_time();
// 1. Create canonical request
let canonical_uri: String = if platform == "s3" {
format!("/{}", object_key)
} else {
format!("/{}/{}", bucket_name, object_key)
};
let canonical_querystring = "";
let canonical_headers = format!("host:{}\nx-amz-content-sha256:{}\nx-amz-date:{}\n", host, payload_hash, amz_date);
let signed_headers = "host;x-amz-content-sha256;x-amz-date";
let canonical_request = format!("{}\n{}\n{}\n{}\n{}\n{}",
method,
canonical_uri,
canonical_querystring,
canonical_headers,
signed_headers,
payload_hash);
debug_println!(" ----- Canonical request ----- \n{}\n", canonical_request);
// ----- Canonical request -----
// PUT
// /test/api-upload
//
// host:fat-contract-s3-sync.s3.amazonaws.com
// x-amz-content-sha256:505f2ec6d688d6e15f718b5c91edd07c45310e08e8c221018a7c0f103515fa28
// x-amz-date:19700101T000000Z
//
// host;x-amz-content-sha256;x-amz-date
// 505f2ec6d688d6e15f718b5c91edd07c45310e08e8c221018a7c0f103515fa28
// 2. Create string to sign
let algorithm = "AWS4-HMAC-SHA256";
let credential_scope = format!("{}/{}/{}/aws4_request", datestamp, region, service);
let canonical_request_hash = format!("{:x}", Sha256::digest(&canonical_request.as_bytes()));
let string_to_sign = format!("{}\n{}\n{}\n{}",
algorithm,
amz_date,
credential_scope,
canonical_request_hash);
debug_println!(" ----- String to sign ----- \n{}\n", string_to_sign);
// ----- String to sign -----
// AWS4-HMAC-SHA256
// 19700101T000000Z
// 19700101/ap-southeast-1/s3/aws4_request
// efd07a6d8013f3c35d4c3d6b7f52f86ae682c51a8639fe80b8f68198107e3039
// 3. Calculate signature
let signature_key = get_signature_key(
self.secret_key.as_bytes(),
&datestamp.as_bytes(),
®ion.as_bytes(),
&service.as_bytes());
let signature_bytes = hmac_sign(&signature_key, &string_to_sign.as_bytes());
let signature = format!("{}", base16::encode_lower(&signature_bytes));
debug_println!(" ----- Signature ----- \n{}\n", &signature);
// ----- Signature -----
// 84bf2db9f7a0007f5124cf2e9c0e1b7e1cec2b1b1b209ab9458387caa3b8da52
// 4. Create authorization header
let authorization_header = format!("{} Credential={}/{},SignedHeaders={},Signature={}",
algorithm,
self.access_key,
credential_scope,
signed_headers,
signature);
debug_println!(" ----- Authorization header ----- \nAuthorization: {}\n", &authorization_header);
// ----- Authorization header -----
// Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/19700101/ap-southeast-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b9b6bcb29b1369678e3a3cfae411a5277c084c8c1796bb6e78407f402f9e3f3d
let request_url: String = if platform == "s3" {
format!("https://{}.s3.{}.amazonaws.com/{}", bucket_name, region, object_key)
} else {
format!("https://{}/{}/{}", host, bucket_name, object_key)
};
let headers: Vec<(String, String)> = vec![
("Host".into(), host),
("Authorization".into(), authorization_header),
("Content-Length".into(), content_length),
("Content-Type".into(), "binary/octet-stream".into()),
("x-amz-content-sha256".into(), payload_hash),
("x-amz-date".into(), amz_date)];
let response = http_put!(request_url, encrypted_bytes, headers);
// if response.status_code != 200 {
// return Err(Error::RequestFailed);
// }
Ok(format!("{}\n{}\n{}\n{:?}", response.status_code, response.reason_phrase, String::from_utf8_lossy(&response.body), response.headers))
}
}
// Create alias for HMAC-SHA256
type HmacSha256 = Hmac<Sha256>;
// Returns encrypted hex bytes of key and message using SHA256
pub fn hmac_sign (key: &[u8], msg: &[u8]) -> Vec<u8> {
let mut mac = <HmacSha256 as Mac>::new_from_slice(key).expect("Could not instantiate HMAC instance");
mac.update(msg);
let result = mac.finalize().into_bytes();
result.to_vec()
}
// Returns the signature key for the complicated version
pub fn get_signature_key(key: &[u8], datestamp: &[u8], region_name: &[u8], service_name: &[u8]) -> Vec<u8> {
let k_date = hmac_sign(&[b"AWS4", key].concat(), datestamp);
let k_region = hmac_sign(&k_date, region_name);
let k_service = hmac_sign(&k_region, service_name);
let k_signing = hmac_sign(&k_service, b"aws4_request");
return k_signing
}
#[cfg(test)]
mod tests {
use super::*;
use ink_lang as ink;
// #[ink::test]
// fn put_object_works() {
// use pink_extension::chain_extension::{mock, HttpResponse};
//
// mock::mock_http_request(|request| {
// if request.url == "https://s3.filebase.com/fat-contract-filebase-sync/test/api-upload" {
// HttpResponse::ok(b"Success".to_vec())
// } else {
// HttpResponse::not_found()
// }
// });
//
// let mut contract = FatContractS3Sync::new();
// contract.seal_credentials("AKIAIOSFODNN7EXAMPLE".to_string(), "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".to_string());
// let response = contract.put_object(
// "filebase".to_string(),
// "test/api-upload".to_string(),
// "fat-contract-filebase-sync".to_string(),
// "us-east-1".to_string(),
// "This is a test comment".to_string());
// assert!(false);
// }
//
// #[ink::test]
// fn aead_works() {
//
// let payload = "test";
//
// // Generate key and nonce
// let key_bytes: Vec<u8> = vec![0; 32];
// let key: &GenericArray<u8, U32> = GenericArray::from_slice(&key_bytes);
// let nonce_bytes: Vec<u8> = vec![0; 12];
// let nonce: &GenericArray<u8, U12> = Nonce::<Aes256GcmSiv>::from_slice(&nonce_bytes);
//
// // Encrypt payload
// let cipher = Aes256GcmSiv::new(key.into());
// let encrypted_text: Vec<u8> = cipher.encrypt(nonce, payload.as_bytes().as_ref()).unwrap();
//
// // Generate key and nonce
// let key_bytes: Vec<u8> = vec![0; 32];
// let key: &GenericArray<u8, U32> = GenericArray::from_slice(&key_bytes);
// let nonce_bytes: Vec<u8> = vec![0; 12];
// let nonce: &GenericArray<u8, U12> = Nonce::<Aes256GcmSiv>::from_slice(&nonce_bytes);
//
// // Decrypt payload
// let cipher = Aes256GcmSiv::new(key.into());
// let decrypted_text = cipher.decrypt(&nonce, encrypted_text.as_ref()).unwrap();
//
// assert_eq!(payload.as_bytes(), decrypted_text);
// assert_eq!(payload, String::from_utf8_lossy(&decrypted_text));
// }
}
}