// Package v4 intercepts S3 requests for the UnikHub.
package v4
import (
	"bytes"
	"crypto/tls"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)
// RequestToValidate describes the client's S3 request in the form the UnikHub
// consumes; getSignature embeds it in RequestToSign.
type RequestToValidate struct {
	// Pass is the UnikHub password that validateRequest copies out of the
	// X-Amz-Meta-Unik-Password header. It is a credential: keep it out of logs.
	Pass string `json:"pass"`
	// Method is the HTTP method of the request being signed.
	Method string `json:"method"`
	// Path is the path component of the request URL.
	Path string `json:"path"`
	// Query holds the parsed query parameters of the request URL.
	Query url.Values `json:"query"`
	// Header is the complete header set of the request being signed.
	Header http.Header `json:"headers"`
}
// ValidationResponse is the JSON body the UnikHub returns from /aws_info.
type ValidationResponse struct {
	// Message is the error text reported when the hub does not answer 200.
	Message string `json:"message"`
	// AccessKeyID is the AWS access key ID the hub assigns to this request.
	AccessKeyID string `json:"access_key_id"`
	// Region is the S3 region; it replaces the AWSREGION placeholder in the URL.
	Region string `json:"region"`
	// Bucket is the S3 bucket; it replaces the AWSBUCKET placeholder in the URL.
	Bucket string `json:"bucket"`
}
// RequestToSign is the JSON body getSignature POSTs to the UnikHub's /sign
// endpoint. Besides the request description it carries the signer's own state
// (short date, service name and string-to-sign) so the hub can compute the
// SigV4 signature without holding the request itself.
type RequestToSign struct {
	// RequestToValidate is the method, path, query, headers and password.
	RequestToValidate RequestToValidate `json:"request_to_validate"`
	// FormattedShortTime is the signer's formattedShortTime field.
	FormattedShortTime string `json:"formatted_short_time"`
	// ServiceName is the signer's ServiceName field.
	ServiceName string `json:"service_name"`
	// StringToSign is the signer's stringToSign field.
	StringToSign string `json:"string_to_sign"`
}
// SignatureResponse is the JSON body the UnikHub returns from /sign.
type SignatureResponse struct {
	// Signature is the raw signature bytes (base64 on the wire, as encoding/json
	// does for []byte); getSignature stores it hex-encoded in the signer.
	Signature []byte `json:"signature"`
	// Err is the error text reported when the hub does not answer 200.
	Err string `json:"err"`
}
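// validateRequest asks the UnikHub (GET <s3AuthProxyUrl>/aws_info) whether the
// pending request may proceed. On a 200 reply it copies the hub-supplied access
// key ID and region into the signer, substitutes the AWSREGION and AWSBUCKET
// placeholders in the request URL, captures the X-Amz-Meta-Unik-Password header
// into v4.pass and strips that header so it is not stored with the object.
//
// Any other status is returned as an error carrying the hub's message (or the
// status code when the body holds no message). Transport, decoding and URL
// errors are wrapped with context.
//
// NOTE(review): the transport disables TLS certificate verification, so the
// hub is not authenticated and the access key ID, region and bucket are accepted
// from whoever answers on that endpoint. Verification is left off here only to
// preserve existing deployments; it should become an opt-in configuration knob.
func (v4 *signer) validateRequest(s3AuthProxyUrl string) error {
	// The original client had no timeout, so a stalled hub blocked the signer
	// indefinitely; bound the whole exchange.
	const hubTimeout = 30 * time.Second
	httpClient := &http.Client{
		Timeout: hubTimeout,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // see NOTE above
		},
	}

	authReq, err := http.NewRequest(http.MethodGet, s3AuthProxyUrl+"/aws_info", nil)
	if err != nil {
		return fmt.Errorf("building UnikHub validation request: %w", err)
	}
	authReq.Header.Set("Content-Type", "application/json")

	resp, err := httpClient.Do(authReq)
	if err != nil {
		return fmt.Errorf("contacting UnikHub for validation: %w", err)
	}
	defer resp.Body.Close()

	// Decode whatever the hub sent, but do not let a malformed body on an error
	// status hide the status itself: the decode error is only fatal on 200.
	var validationResponse ValidationResponse
	decodeErr := json.NewDecoder(resp.Body).Decode(&validationResponse)

	if resp.StatusCode != http.StatusOK {
		if validationResponse.Message != "" {
			return errors.New(validationResponse.Message)
		}
		return fmt.Errorf("UnikHub validation returned status %d", resp.StatusCode)
	}
	if decodeErr != nil {
		return fmt.Errorf("decoding UnikHub validation response: %w", decodeErr)
	}

	// The S3 region and bucket are not known locally; the hub supplies them.
	v4.CredValues.AccessKeyID = validationResponse.AccessKeyID
	v4.Region = validationResponse.Region

	// Substitute both placeholders on the string form and parse once, so a parse
	// failure cannot leave v4.Request.URL half-rewritten.
	newURL := strings.Replace(v4.Request.URL.String(), "AWSREGION", validationResponse.Region, 1)
	newURL = strings.Replace(newURL, "AWSBUCKET", validationResponse.Bucket, 1)
	parsed, err := url.Parse(newURL)
	if err != nil {
		return fmt.Errorf("replacing AWS region/bucket in the request URL: %w", err)
	}
	v4.Request.URL = parsed

	// The password is forwarded to the hub inside the signing request (see
	// getSignature) and must not be persisted as object metadata, so strip it.
	// NOTE(review): the original comment also named X-Amz-Meta-Unik-Email, but
	// only the password header was ever removed; confirm whether the e-mail
	// header should be stripped as well before changing that.
	v4.pass = v4.Request.Header.Get("X-Amz-Meta-Unik-Password")
	v4.Request.Header.Del("X-Amz-Meta-Unik-Password")

	return nil
}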
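// getSignature asks the UnikHub (POST <s3AuthProxyUrl>/sign) to sign the pending
// request on the client's behalf. It sends the request method, path, query and
// headers together with the password captured by validateRequest, plus the
// signer's formatted short time, service name and string-to-sign, and stores the
// returned signature hex-encoded in v4.signature.
//
// A non-200 reply is returned as an error carrying the hub's Err field (or the
// status code when the body holds none); an empty signature on 200 is also an
// error. Transport and encoding/decoding errors are wrapped with context.
//
// NOTE(review): as in validateRequest, TLS verification is disabled on the
// transport, so the password and request headers are posted to an
// unauthenticated peer. Left as-is to preserve existing deployments.
func (v4 *signer) getSignature(s3AuthProxyUrl string) error {
	// v4.Request.URL is already a parsed *url.URL; re-parsing its String() form
	// (as the original did) added nothing but an error path.
	if v4.Request == nil || v4.Request.URL == nil {
		return errors.New("getSignature: signer has no request URL to sign")
	}
	reqURL := v4.Request.URL

	requestToSign := RequestToSign{
		RequestToValidate: RequestToValidate{
			Pass:   v4.pass,
			Method: v4.Request.Method,
			Path:   reqURL.Path,
			Query:  reqURL.Query(),
			Header: v4.Request.Header,
		},
		FormattedShortTime: v4.formattedShortTime,
		ServiceName:        v4.ServiceName,
		StringToSign:       v4.stringToSign,
	}
	body, err := json.Marshal(requestToSign)
	if err != nil {
		return fmt.Errorf("encoding UnikHub signing request: %w", err)
	}

	// Bound the exchange; the original client could block forever on a stalled hub.
	const hubTimeout = 30 * time.Second
	httpClient := &http.Client{
		Timeout: hubTimeout,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // see NOTE above
		},
	}

	authReq, err := http.NewRequest(http.MethodPost, s3AuthProxyUrl+"/sign", bytes.NewReader(body))
	if err != nil {
		return fmt.Errorf("building UnikHub signing request: %w", err)
	}
	authReq.Header.Set("Content-Type", "application/json")

	resp, err := httpClient.Do(authReq)
	if err != nil {
		return fmt.Errorf("contacting UnikHub for signing: %w", err)
	}
	defer resp.Body.Close()

	// Decode first but report the status first: a non-JSON error body must not
	// mask the failing status code.
	var signatureResponse SignatureResponse
	decodeErr := json.NewDecoder(resp.Body).Decode(&signatureResponse)

	if resp.StatusCode != http.StatusOK {
		if signatureResponse.Err != "" {
			return errors.New(signatureResponse.Err)
		}
		return fmt.Errorf("UnikHub signing returned status %d", resp.StatusCode)
	}
	if decodeErr != nil {
		return fmt.Errorf("decoding UnikHub signing response: %w", decodeErr)
	}
	// An empty signature would otherwise be stored silently and only fail later
	// at AWS; surface it here where the cause is still visible.
	if len(signatureResponse.Signature) == 0 {
		return errors.New("UnikHub returned an empty signature")
	}

	v4.signature = hex.EncodeToString(signatureResponse.Signature)
	return nil
}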