
Amazon Webservices HMAC-style API example #53

Merged (4 commits, 2 participants)

@hypernumbers

I have added another example.

It is a reference implementation of an AWS-style HMAC public/private keypair API for use with mochiweb.

It contains:

  • a client-side implementation in Erlang
  • server-side implementation in Erlang

It has a full test suite which is designed to be ported to other languages so that API clients can be built with native unit tests and not debugged against a production system.

It also has full implementation documentation and references.

hypernumbers added some commits
@hypernumbers: An example of an Amazon Web Services style HMAC api for mochiweb.
This is designed to make it easy to build API authentication without re-inventing the crypto/schema wheel.

It should enable a common set of client libraries to be built.

Includes:
* complete documentation of:
  - the schema
  - the reference implementation
  - how to create and deploy a custom implementation
* unit tests against the Amazon API documentation
2d3e7ea
@hypernumbers: tweak to doco (6664d2a)
@etrepum
Owner

Wow, I only took a very brief look at this but it seems like really great stuff. I'll try and give it a full look this weekend and merge it in!

@etrepum

I would probably define this as a string and use "?headerprefix ++ L" rather than "[?headerprefix | L]". Easier to read and should be about the same in modern erlang since it's a constant.

@etrepum

I think there's a typo here, "x-mochiwapi-" does not match "x-mochiapi-date". Not that it matters, since this code is commented out.

Well spotted!

@etrepum

I think there is a syntax error here, the RFC2116_HT define doesn't end and there's probably no reason to put export_all in anyway

Dunno how that define lost its end bit. Must have been an emacs fart somehow.

Yeah, and the export_all should have been taken out, it's a debugging artifact.

Erlang bugs pointed out that the preprocessor thinks this is the define:

-defineRFC2116_HT, "\t" -compile(export_all).

As I was neither using the define nor export_all I never got a runtime error (Duh!).

Anyhoo removed 'em both on the grounds of redundancy.

@etrepum

In general we use %% comments everywhere because erlang-mode indents them correctly, so after merging this I'm probably going to do some reformatting.

hypernumbers added some commits
@hypernumbers: Fix up of README
Proper spell-checking and re-read for sense. A couple of minor additions but mostly spelling/grammar
c135144
@hypernumbers: Fixed up the code
Removed the misformed define (and reported it to erlang-bugs as it shouldn't have ever compiled)
Rewritten the headers stuff
Removed export all
e6e40d7
@etrepum merged commit e6e40d7
Commits on Jul 22, 2011
  1. 2d3e7ea  An example of an Amazon Web Services style HMAC api for mochiweb. (hypernumbers)
  2. 6664d2a  tweak to doco (hypernumbers)
Commits on Jul 26, 2011
  1. c135144  Fix up of README (hypernumbers)
  2. e6e40d7  Fixed up the code (hypernumbers)
206 examples/hmac_api/README
@@ -0,0 +1,206 @@
+Introduction
+------------
+
+This example shows how to make an Amazon-style HMAC authentication system for an API with mochiweb.
+
+Purpose
+-------
+
+The purpose of this example is to:
+* make it easy to implement an API in mochiweb
+ - using a proven approach so that 'amateurs' don't have to reinvent crypto
+* make it easy to generate client libraries for that API so that client-side implementers can:
+ - reuse closely related code examples
+ - build compatibility unit tests instead of fiddling around debugging their library against live implementations of the system
+
+Scope
+-----
+
+The scope of this document is:
+* a description of the client-server exchange
+* a reference implementation of
+ - the server-side implementation of the exchange
+ - the client-side implementation of the exchange
+* developing a custom implementation of an API
+* deploying that implementation to new client-side users to build their client libraries
+
+Contents
+--------
+
+Subsequent sections of this document are:
+* the client-server exchange
+* the reference implementation in this example
+* building a custom implementation
+* deploying a custom implementation
+
+The Client-Server Exchange
+--------------------------
+
+OVERVIEW
+
+This section describes the client-server exchange for an Amazon-style API authentication schema. It has the following characteristics:
+* based on a public key/private key
+* used to authenticate non-SSL api requests
+* not a full once-use schema and is vulnerable to replay attacks within a short time window
+
+TYPE OF API
+
+The api described in this document is:
+* suitable for machine-machine communication
+
+The api described in this document is NOT:
+* an implementation of 2-legged OAUTH
+ - see https://github.com/tim/erlang-oauth
+* an implementation of 3-legged OAUTH
+
+It is not suitable for use in applications where an end user has to log into a service and piggy-back on top of a keypair security system.
+
+THE CLIENT LIBRARY HERE IS **NOT** AN AMAZON CLIENT LIBRARY. AMAZON DOES FUNKY STUFF WITH HOSTNAMES AND PUSHES THEM ONTO THE URL IN CANONICALIZATION! THE CLIENT LIBRARY IS AMAZON-A-LIKE ENOUGH TO USE THE AMAZON DOCOS TO BUILD A TEST SUITE.
+
+STEP 1
+
+The client is issued with a pair of keys, one public, one private, for example:
+* public: "bcaa49f2a4f7d4f92ac36c8bf66d5bb6"
+* private: "92bc93d6b8aaec1cde772f903e06daf5"
+
+In the Amazon docs these are referred to as:
+* AWSAccessKeyId (public)
+* AWSSecretAccessKey (private)
+
+These can be generated by the function:
+hmac_api_lib:get_api_keypair/0
+
+This function returns cryptographically strong random numbers using the openSSL crypto library under the covers.
+
+The public key is used as a declaration of identity, "I am bcaa49..."
+
+The private key is never passed over the wire and is used to construct the same hash on both the client- and the server-side.
+
+STEP 2
+
+The client prepares their request:
+* url
+* time of request
+* action (GET, POST, etc)
+* type of request (application/json, etc)
+* contents of request
+* etc, etc
+
+These components are then turned into a string called the canonical form.
+
+The HTTP protocol is permissive; it treats different requests as if they were the same. For instance it doesn't care about the order in which headers are sent, and allows the same header to contain multiple values as a list or be specified multiple times as a key-value pair.
+
+Intermediate machines between the client and server MAY pack and repack the HTTP request as long as they don't alter its meaning in a narrow sense. This means that the format of the HTTP request is not guaranteed to be maintained.
+
+The canonical form simply ensures that all the valid ways of making the same request are represented by the same string - irrespective of how this is done.
+
+The canonical form handles POST bodies and query parameters and silently discards anchors in URL's.
+
+A hash of this string is made with the private key.
+
+STEP 3
+
+The client makes the request to the server:
+* the signature is included in the request in the standard HTTPAuthorization header. (As the Amazon documentation points out this is infelicitous as it is being used for Authentication not Authorization, but hey!).
+
+The Authorization header constructed has the form:
+<schema name><space><public key><colon><signature>
+
+An Amazon one looks like:
+Authorization: AWS 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg=
+ --- -------------------- ----------------------------
+ sch public key signature
+
+The HTTP request is made.
+
+STEP 4
+
+The request is processed:
+* the server receives the request
+* the server constructs the canonical form from the attributes of the request:
+ - url
+ - date header
+ - action (GET, POST, etc)
+ - content type of request (application/json, etc)
+ - some custom headers
+ - etc, etc
+* the server takes the client's public key from the HTTPAuthorization header and looks up the client's private key
+* the server signs the canonical form with the private key
+* the server compares:
+ - the signature in the request to the signature it has just generated
+ - the time encoded in the request with the server time
+* the request is accepted or denied
+
+The time comparison is 'fuzzy'. Different server's clocks will be out of sync to a degree, the request may have acquired a time from an intermediate machine along the way, etc, etc. Normally a 'clock skew' time is allowed - in Amazon's case this is 15 minutes.
+
+NOTA BENE: THIS CLOCK SKEW TIME ALLOWS FOR REPLAY ATTACKS WHERE A BAD GUY SIMPLY CAPTURES AND REPLAYS TRAFFIC.
+
+EXTENSION
+
+It is possible to extend this schema to prevent replay attacks. The server issues a nonce token (a random string) which is included in the signature. When the server authorizes the request it stores the token and prevents any request with that token (ie a replay) being authorized again.
+
+The client receives its next nonce token in the response to a successful request.
+
+The Reference Implementation In This Example
+--------------------------------------------
+
+The reference implementation used in this example is that described in the Amazon documentation here:
+http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
+
+The try out the reference implementation:
+* create a new mochiweb project as per the mochiweb README
+ - make app PROJECT=project_name
+* copy hmac_api_lib.erl and hmac_api_client.erl into project_name/src
+* copy hmac_api.hrl into project_name/include
+* edit project_name_web.erl and add a call to hmac_api_lib:authorize_request/1
+
+authorize/request/1 should be called in the loop of project_name_web.erl as per:
+
+ loop(Req, DocRoot) ->
+ Auth = hmac_api_lib:authorize_request(Req),
+ io:format("Auth is ~p~n", [Auth]),
+ "/" ++ Path = Req:get(path),
+ ...
+
+When this is done you are ready to test the api:
+* run 'make' in project_name/ to build the Erlang
+* start the web server with 'start-dev.sh' in project_name/ (this will also open an Erlang shell to the Erlang VM)
+
+To test the api run this command in the Erlang shell:
+* hmac_api_client:fire().
+
+The reference implementation uses 5 constants defined in hmac_api.hrl.
+* schema
+* headerprefix
+* dateheader
+* publickey
+* privatekey
+
+Building A Custom Implementation
+--------------------------------
+
+The simplest custom implementation is to simply take the existing code and change the values of the following constants:
+* schema
+* headerprefix
+* dateheader
+
+If the API is to be used 'as is', please use the values which are commented out in hmac_api.hrl. This will make easier for software developers to work out which version of which client-side libraries they can use.
+
+Client libraries written in other languages than Erlang can reemployment the test suite in hmac_api_lib.erl.
+
+More sophisticated changes will involve changes to the canonicalization functions.
+
+Use of a generic schema should make reuse of client libraries easier across different platforms.
+
+If you develop an ‘as-is’ client-side library in another language please consider submitting its code to this example.
+
+Deploying A Custom Implementation
+---------------------------------
+
+When deploying a custom implementation, the server-side code should be released with unit tests so the client-side developer can easily build a robust client.
+
+In addition to that you will need to specify:
+* description of how the API works:
+ - ie the acceptable methods and urls
+ - custom headers and their usage (if appropriate)
+
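Review bot: STEP 4 says the server compares "the time encoded in the request with the server time" and the NOTA BENE bounds replay by the clock-skew window, but authorize_request/1 in hmac_api_lib.erl only reads the Date header to feed it into the signature string and never compares it to the server clock, so as merged the replay window is unbounded; either add the skew check (parse Date or the ?dateheader value and deny when it is more than the allowed skew from now) or say in the README that the check is left to the caller. Two smaller things in the same hunk: "authorize/request/1 should be called in the loop" should read authorize_request/1, the function named on the line above it, and "can reemployment the test suite" presumably means "can reuse the test suite". The loop example also does `io:format("Auth is ~p~n", [Auth])` and then carries on serving the request without branching on Auth, so a reader who copies it verbatim gets a server that logs "no_match" and answers anyway; show the deny branch.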
43 examples/hmac_api/hmac_api.hrl
@@ -0,0 +1,43 @@
+-author("Hypernumbers Ltd <gordon@hypernumbers.com>").
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% %%%
+%%% Reference values for testing against Amazon documents %%%
+%%% %%%
+%%% These need to be changed in production! %%%
+%%% %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+-define(schema, "AWS").
+% defines the prefix for headers to be included in the signature
+-define(headerprefix, "x-amz-").
+% defines the date header
+-define(dateheader, "x-amz-date").
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% %%%
+%%% Default values for defining a generic API %%%
+%%% %%%
+%%% Only change these if you alter the canonicalisation %%%
+%%% %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%-define(schema, "MOCHIAPI").
+%-define(headerprefix, "x-mochiapi-").
+%-define(dateheader, "x-mochiapi-date").
+
+% a couple of keys for testing
+% these are taken from the document
+% % http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
+% they are not valid keys!
+-define(publickey, "0PN5J17HBGZHT7JJ3X82").
+-define(privatekey, "uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o").
+
+
+-record(hmac_signature,
+ {
+ method,
+ contentmd5,
+ contenttype,
+ date,
+ headers,
+ resource
+ }).
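Review bot: ?publickey and ?privatekey are compile-time macros in a header the README tells custom implementers to copy into project_name/include, and hmac_api_lib:make_HTTPAuth_header/1 and authorize_request/1 read them directly, so every deployment built that way bakes one shared secret into the .beam files of both client and server; the "These need to be changed in production!" banner does not make the key per-client. Suggest keeping only ?schema, ?headerprefix and ?dateheader in this header, moving the test pair into the unit tests in hmac_api_lib.erl, and having the server resolve the private key from the public key carried in the Authorization header (ETS, Mnesia, a database, whatever the deployment uses). The comment "they are not valid keys!" could also say why they must never be used: the pair is copied from the public S3 documentation, so any signature computed with it is reproducible by anyone.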
34 examples/hmac_api/hmac_api_client.erl
@@ -0,0 +1,34 @@
+-module(hmac_api_client).
+
+-export([
+ fire/0
+ ]).
+
+-include("hmac_api.hrl").
+-author("Hypernumbers Ltd <gordon@hypernumbers.com>").
+
+fire() ->
+ URL = "http://127.0.0.1:8080/some/page/yeah/",
+ % Dates SHOULD conform to Section 3.3 of RFC2616
+ % the examples from the RFC are:
+ % Sun, 06 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123
+ % Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036
+ % Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format
+
+ % Dates can be conveniently generated using dh_date.erl
+ % https://github.com/daleharvey/dh_date
+ % which is largely compatible with
+ % http://uk.php.net/date
+
+ % You MIGHT find it convenient to insist on times in UTC only
+ % as it reduces the errors caused by summer time and other
+ % conversion issues
+ Method = post,
+ Headers = [{"content-type", "application/json"},
+ {"date", "Sun, 10 Jul 2011 05:07:19"}],
+ ContentType = "application/json",
+ Body = "blah",
+ HTTPAuthHeader = hmac_api_lib:sign(?privatekey, Method, URL,
+ Headers, ContentType),
+ httpc:request(Method, {URL, [HTTPAuthHeader | Headers],
+ ContentType, Body}, [], []).
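Review bot: fire/0 sends Body = "blah" but never sets a content-md5 header, so ContentMD5 resolves to [] inside sign/5 and the body is outside the signature; over the plain http:// URL used here anyone on path can rewrite the body and the server will still report "match". Compute the Content-MD5 the schema expects (base64:encode(erlang:md5(Body))) and add {"content-md5", ...} to Headers before calling sign/5, and have the server recompute it over the received body. Two more points in the same function: the Date value "Sun, 10 Jul 2011 05:07:19" lacks the GMT suffix that the RFC 2616 formats quoted in the comment above it require, and being a fixed string it will be rejected the moment a skew check exists; and httpc:request/4 needs the inets application started (inets:start() or application:start(inets)) before the call, which the example does not do.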
435 examples/hmac_api/hmac_api_lib.erl
@@ -0,0 +1,435 @@
+-module(hmac_api_lib).
+
+-include("hmac_api.hrl").
+-include_lib("eunit/include/eunit.hrl").
+
+-author("Hypernumbers Ltd <gordon@hypernumbers.com>").
+
+%%% this library supports the hmac_sha api on both the client-side
+%%% AND the server-side
+%%%
+%%% sign/5 is used client-side to sign a request
+%%% - it returns an HTTPAuthorization header
+%%%
+%%% authorize_request/1 takes a mochiweb Request as an arguement
+%%% and checks that the request matches the signature
+%%%
+%%% get_api_keypair/0 creates a pair of public/private keys
+%%%
+%%% THIS LIB DOESN'T IMPLEMENT THE AMAZON API IT ONLY IMPLEMENTS
+%%% ENOUGH OF IT TO GENERATE A TEST SUITE.
+%%%
+%%% THE AMAZON API MUNGES HOSTNAME AND PATHS IN A CUSTOM WAY
+%%% THIS IMPLEMENTATION DOESN'T
+-export([
+ authorize_request/1,
+ sign/5,
+ get_api_keypair/0
+ ]).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% %%%
+%%% API %%%
+%%% %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+authorize_request(Req) ->
+ Method = Req:get(method),
+ Path = Req:get(path),
+ Headers = normalise(mochiweb_headers:to_list(Req:get(headers))),
+ ContentMD5 = get_header(Headers, "content-md5"),
+ ContentType = get_header(Headers, "content-type"),
+ Date = get_header(Headers, "date"),
+ IncAuth = get_header(Headers, "authorization"),
+ {_Schema, _PublicKey, _Sig} = breakout(IncAuth),
+ % normally you would use the public key to look up the private key
+ PrivateKey = ?privatekey,
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = Path},
+ Signed = sign_data(PrivateKey, Signature),
+ {_, AuthHeader} = make_HTTPAuth_header(Signed),
+ case AuthHeader of
+ IncAuth -> "match";
+ _ -> "no_match"
+ end.
+
+sign(PrivateKey, Method, URL, Headers, ContentType) ->
+ Headers2 = normalise(Headers),
+ ContentMD5 = get_header(Headers2, "content-md5"),
+ Date = get_header(Headers2, "date"),
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ SignedSig = sign_data(PrivateKey, Signature),
+ make_HTTPAuth_header(SignedSig).
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% %%%
+%%% Internal Functions %%%
+%%% %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+breakout(Header) ->
+ [Schema, Tail] = string:tokens(Header, " "),
+ [PublicKey, Signature] = string:tokens(Tail, ":"),
+ {Schema, PublicKey, Signature}.
+
+get_api_keypair() ->
+ Public = mochihex:to_hex(binary_to_list(crypto:strong_rand_bytes(16))),
+ Private = mochihex:to_hex(binary_to_list(crypto:strong_rand_bytes(16))),
+ {Public, Private}.
+
+make_HTTPAuth_header(Signature) ->
+ {"Authorization", ?schema ++ " "
+ ++ ?publickey ++ ":" ++ Signature}.
+
+make_signature_string(#hmac_signature{} = S) ->
+ Date = get_date(S#hmac_signature.headers, S#hmac_signature.date),
+ string:to_upper(atom_to_list(S#hmac_signature.method)) ++ "\n"
+ ++ S#hmac_signature.contentmd5 ++ "\n"
+ ++ S#hmac_signature.contenttype ++ "\n"
+ ++ Date ++ "\n"
+ ++ canonicalise_headers(S#hmac_signature.headers)
+ ++ canonicalise_resource(S#hmac_signature.resource).
+
+sign_data(PrivateKey, #hmac_signature{} = Signature) ->
+ Str = make_signature_string(Signature),
+ sign2(PrivateKey, Str).
+
+% this fn is the entry point for a unit test which is why it is broken out...
+% if yer encryption and utf8 and base45 doo-dahs don't work then
+% yer Donald is well and truly Ducked so ye may as weel test it...
+sign2(PrivateKey, Str) ->
+ Sign = xmerl_ucs:to_utf8(Str),
+ binary_to_list(base64:encode(crypto:sha_mac(PrivateKey, Sign))).
+
+canonicalise_headers([]) -> "\n";
+canonicalise_headers(List) when is_list(List) ->
+ List2 = [{string:to_lower(K), V} || {K, V} <- lists:sort(List)],
+ c_headers2(consolidate(List2, []), []).
+
+c_headers2([], Acc) -> string:join(Acc, "\n") ++ "\n";
+c_headers2([{?headerprefix ++ Rest, Key} | T], Acc) ->
+ Hd = string:strip(?headerprefix ++ Rest) ++ ":" ++ string:strip(Key),
+ c_headers2(T, [Hd | Acc]);
+c_headers2([_H | T], Acc) -> c_headers2(T, Acc).
+
+consolidate([H | []], Acc) -> [H | Acc];
+consolidate([{H, K1}, {H, K2} | Rest], Acc) ->
+ consolidate([{H, join(K1, K2)} | Rest], Acc);
+consolidate([{H1, K1}, {H2, K2} | Rest], Acc) ->
+ consolidate([{rectify(H2), rectify(K2)} | Rest], [{H1, K1} | Acc]).
+
+join(A, B) -> string:strip(A) ++ ";" ++ string:strip(B).
+
+% removes line spacing as per RFC 2616 Section 4.2
+rectify(String) ->
+ Re = "[\x20* | \t*]+",
+ re:replace(String, Re, " ", [{return, list}, global]).
+
+canonicalise_resource("http://" ++ Rest) -> c_res2(Rest);
+canonicalise_resource("https://" ++ Rest) -> c_res2(Rest);
+canonicalise_resource(X) -> c_res3(X).
+
+c_res2(Rest) ->
+ N = string:str(Rest, "/"),
+ {_, Tail} = lists:split(N, Rest),
+ c_res3("/" ++ Tail).
+
+c_res3(Tail) ->
+ URL = case string:str(Tail, "#") of
+ 0 -> Tail;
+ N -> {U, _Anchor} = lists:split(N, Tail),
+ U
+ end,
+ U3 = case string:str(URL, "?") of
+ 0 -> URL;
+ N2 -> {U2, Q} = lists:split(N2, URL),
+ U2 ++ canonicalise_query(Q)
+ end,
+ string:to_lower(U3).
+
+canonicalise_query(List) ->
+ List1 = string:to_lower(List),
+ List2 = string:tokens(List1, "&"),
+ string:join(lists:sort(List2), "&").
+
+%% if there's a header date take it and ditch the date
+get_date([], Date) -> Date;
+get_date([{K, _V} | T], Date) -> case string:to_lower(K) of
+ ?dateheader -> [];
+ _ -> get_date(T, Date)
+ end.
+
+normalise(List) -> norm2(List, []).
+
+norm2([], Acc) -> Acc;
+norm2([{K, V} | T], Acc) when is_atom(K) ->
+ norm2(T, [{string:to_lower(atom_to_list(K)), V} | Acc]);
+norm2([H | T], Acc) -> norm2(T, [H | Acc]).
+
+get_header(Headers, Type) ->
+ case lists:keyfind(Type, 1, Headers) of
+ false -> [];
+ {_K, V} -> V
+ end.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% %%%
+%%% Unit Tests %%%
+%%% %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% taken from Amazon docs
+% http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
+hash_test1(_) ->
+ Sig = "DELETE\n\n\n\nx-amz-date:Tue, 27 Mar 2007 21:20:26 +0000\n/johnsmith/photos/puppy.jpg",
+ Key = ?privatekey,
+ Hash = sign2(Key, Sig),
+ Expected = "k3nL7gH3+PadhTEVn5Ip83xlYzk=",
+ ?assertEqual(Expected, Hash).
+
+% taken from Amazon docs
+% http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
+hash_test2(_) ->
+ Sig = "GET\n\n\nTue, 27 Mar 2007 19:44:46 +0000\n/johnsmith/?acl",
+ Key = "uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o",
+ Hash = sign2(Key, Sig),
+ Expected = "thdUi9VAkzhkniLj96JIrOPGi0g=",
+ ?assertEqual(Expected, Hash).
+
+% taken from Amazon docs
+% http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html
+hash_test3(_) ->
+ Sig = "GET\n\n\nWed, 28 Mar 2007 01:49:49 +0000\n/dictionary/"
+ ++ "fran%C3%A7ais/pr%c3%a9f%c3%a8re",
+ Key = "uV3F3YluFJax1cknvbcGwgjvx4QpvB+leU8dUj2o",
+ Hash = sign2(Key, Sig),
+ Expected = "dxhSBHoI6eVSPcXJqEghlUzZMnY=",
+ ?assertEqual(Expected, Hash).
+
+signature_test1(_) ->
+ URL = "http://example.com:90/tongs/ya/bas",
+ Method = post,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "POST\n\n\nSun, 10 Jul 2011 05:07:19 UTC\n\n/tongs/ya/bas",
+ ?assertEqual(Expected, Sig).
+
+signature_test2(_) ->
+ URL = "http://example.com:90/tongs/ya/bas",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [{"x-amz-acl", "public-read"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\nx-amz-acl:public-read\n/tongs/ya/bas",
+ ?assertEqual(Expected, Sig).
+
+signature_test3(_) ->
+ URL = "http://example.com:90/tongs/ya/bas",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [{"x-amz-acl", "public-read"},
+ {"yantze", "blast-off"},
+ {"x-amz-doobie", "bongwater"},
+ {"x-amz-acl", "public-write"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\nx-amz-acl:public-read;public-write\nx-amz-doobie:bongwater\n/tongs/ya/bas",
+ ?assertEqual(Expected, Sig).
+
+signature_test4(_) ->
+ URL = "http://example.com:90/tongs/ya/bas",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [{"x-amz-acl", "public-read"},
+ {"yantze", "blast-off"},
+ {"x-amz-doobie oobie \t boobie ", "bongwater"},
+ {"x-amz-acl", "public-write"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\nx-amz-acl:public-read;public-write\nx-amz-doobie oobie boobie:bongwater\n/tongs/ya/bas",
+ ?assertEqual(Expected, Sig).
+
+signature_test5(_) ->
+ URL = "http://example.com:90/tongs/ya/bas",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [{"x-amz-acl", "public-Read"},
+ {"yantze", "Blast-Off"},
+ {"x-amz-doobie Oobie \t boobie ", "bongwater"},
+ {"x-amz-acl", "public-write"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\nx-amz-acl:public-Read;public-write\nx-amz-doobie oobie boobie:bongwater\n/tongs/ya/bas",
+ ?assertEqual(Expected, Sig).
+
+signature_test6(_) ->
+ URL = "http://example.com:90/tongs/ya/bas/?andy&zbish=bash&bosh=burp",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\n\n"
+ ++ "/tongs/ya/bas/?andy&bosh=burp&zbish=bash",
+ ?assertEqual(Expected, Sig).
+
+signature_test7(_) ->
+ URL = "http://exAMPLE.Com:90/tONgs/ya/bas/?ANdy&ZBish=Bash&bOsh=burp",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\nSun, 10 Jul 2011 05:07:19 UTC\n\n"
+ ++"/tongs/ya/bas/?andy&bosh=burp&zbish=bash",
+ ?assertEqual(Expected, Sig).
+
+signature_test8(_) ->
+ URL = "http://exAMPLE.Com:90/tONgs/ya/bas/?ANdy&ZBish=Bash&bOsh=burp",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "",
+ Headers = [{"x-aMz-daTe", "Tue, 27 Mar 2007 21:20:26 +0000"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\n\n"
+ ++"x-amz-date:Tue, 27 Mar 2007 21:20:26 +0000\n"
+ ++"/tongs/ya/bas/?andy&bosh=burp&zbish=bash",
+ ?assertEqual(Expected, Sig).
+
+signature_test9(_) ->
+ URL = "http://exAMPLE.Com:90/tONgs/ya/bas/?ANdy&ZBish=Bash&bOsh=burp",
+ Method = get,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "Sun, 10 Jul 2011 05:07:19 UTC",
+ Headers = [{"x-amz-date", "Tue, 27 Mar 2007 21:20:26 +0000"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = make_signature_string(Signature),
+ Expected = "GET\n\n\n\n"
+ ++"x-amz-date:Tue, 27 Mar 2007 21:20:26 +0000\n"
+ ++"/tongs/ya/bas/?andy&bosh=burp&zbish=bash",
+ ?assertEqual(Expected, Sig).
+
+amazon_test1(_) ->
+ URL = "http://exAMPLE.Com:90/johnsmith/photos/puppy.jpg",
+ Method = delete,
+ ContentMD5 = "",
+ ContentType = "",
+ Date = "",
+ Headers = [{"x-amz-date", "Tue, 27 Mar 2007 21:20:26 +0000"}],
+ Signature = #hmac_signature{method = Method,
+ contentmd5 = ContentMD5,
+ contenttype = ContentType,
+ date = Date,
+ headers = Headers,
+ resource = URL},
+ Sig = sign_data(?privatekey, Signature),
+ Expected = "k3nL7gH3+PadhTEVn5Ip83xlYzk=",
+ ?assertEqual(Expected, Sig).
+
+unit_test_() ->
+ Setup = fun() -> ok end,
+ Cleanup = fun(_) -> ok end,
+
+ Series1 = [
+ fun hash_test1/1,
+ fun hash_test2/1,
+ fun hash_test3/1
+ ],
+
+ Series2 = [
+ fun signature_test1/1,
+ fun signature_test2/1,
+ fun signature_test3/1,
+ fun signature_test4/1,
+ fun signature_test5/1,
+ fun signature_test6/1,
+ fun signature_test7/1,
+ fun signature_test8/1,
+ fun signature_test9/1
+ ],
+
+ Series3 = [
+ fun amazon_test1/1
+ ],
+
+ {setup, Setup, Cleanup, [
+ {with, [], Series1},
+ {with, [], Series2},
+ {with, [], Series3}
+ ]}.
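Review bot: authorize_request/1 does not authenticate enough of the request to deliver what the README promises. It discards the public key (`{_Schema, _PublicKey, _Sig} = breakout(IncAuth)`) and signs with ?privatekey, never checks Date or the ?dateheader value against the clock, and crashes rather than denies when the Authorization header is missing or malformed (get_header returns [] and `[Schema, Tail] = string:tokens(Header, " ")` then fails with badmatch, so an unauthenticated request produces a crash report instead of a clean denial). Suggest looking the private key up by public key, returning {ok, PublicKey} | {error, Reason} instead of the strings "match"/"no_match", wrapping breakout/1 in a case that yields {error, bad_auth_header}, and adding the skew check. Two canonicalisation points widen what a captured signature is good for: c_res3/1 ends with `string:to_lower(U3)` and canonicalise_query/1 lowercases too, so a signature over /Foo?token=ABC also verifies for /foo?token=abc (Amazon does not lowercase the resource; compare the mixed-case percent-encoding in hash_test3), and rectify/1 uses the regex "[\x20* | \t*]+", which is a character class matching space, *, | and tab rather than a run of whitespace, so "a*b" and "a b" canonicalise identically; "[ \t]+" is what the RFC 2616 section 4.2 comment intends. Minor: consolidate/2 rectifies every header except the first one in the sorted list; sign/5 normalises Headers into Headers2 but stores the un-normalised Headers in the record, so atom keys would reach string:to_lower/1 in canonicalise_headers/1; the `case AuthHeader of IncAuth -> "match"` comparison is an early-exit term compare, so a constant-time comparison is preferable for a signature; and crypto:sha_mac/2 has since been superseded in OTP (crypto:hmac/3, later crypto:mac/4), worth a comment for readers on newer releases.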