github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/chat/s3/sign.go (about)

     1  package s3
     2  
     3  import (
     4  	"log"
     5  	"sort"
     6  	"strings"
     7  )
     8  
     9  // ----------------------------------------------------------------------------
    10  // S3 signing (http://goo.gl/G1LrK)
    11  
    12  var s3ParamsToSign = map[string]bool{
    13  	"acl":                          true,
    14  	"location":                     true,
    15  	"logging":                      true,
    16  	"notification":                 true,
    17  	"partNumber":                   true,
    18  	"policy":                       true,
    19  	"requestPayment":               true,
    20  	"torrent":                      true,
    21  	"uploadId":                     true,
    22  	"uploads":                      true,
    23  	"versionId":                    true,
    24  	"versioning":                   true,
    25  	"versions":                     true,
    26  	"response-content-type":        true,
    27  	"response-content-language":    true,
    28  	"response-expires":             true,
    29  	"response-cache-control":       true,
    30  	"response-content-disposition": true,
    31  	"response-content-encoding":    true,
    32  	"website":                      true,
    33  	"delete":                       true,
    34  }
    35  
    36  type keySortableTupleList []keySortableTuple
    37  
    38  type keySortableTuple struct {
    39  	Key         string
    40  	TupleString string
    41  }
    42  
    43  func (l keySortableTupleList) StringSlice() []string {
    44  	slice := make([]string, len(l))
    45  	for i, v := range l {
    46  		slice[i] = v.TupleString
    47  	}
    48  	return slice
    49  }
    50  
    51  func (l keySortableTupleList) Len() int {
    52  	return len(l)
    53  }
    54  
    55  func (l keySortableTupleList) Less(i, j int) bool {
    56  	return l[i].Key < l[j].Key
    57  }
    58  
    59  func (l keySortableTupleList) Swap(i, j int) {
    60  	l[i], l[j] = l[j], l[i]
    61  }
    62  
    63  func (s *S3) sign(method, canonicalPath string, params, headers map[string][]string) error {
    64  	var md5, ctype, date, xamz string
    65  	var xamzDate bool
    66  	var sarray keySortableTupleList
    67  	for k, v := range headers {
    68  		k = strings.ToLower(k)
    69  		switch k {
    70  		case "content-md5":
    71  			md5 = v[0]
    72  		case "content-type":
    73  			ctype = v[0]
    74  		case "date":
    75  			if !xamzDate {
    76  				date = v[0]
    77  			}
    78  		default:
    79  			if strings.HasPrefix(k, "x-amz-") {
    80  				vall := strings.Join(v, ",")
    81  				sarray = append(sarray, keySortableTuple{k, k + ":" + vall})
    82  				if k == "x-amz-date" {
    83  					xamzDate = true
    84  					date = ""
    85  				}
    86  			}
    87  		}
    88  	}
    89  	if len(sarray) > 0 {
    90  		sort.Sort(sarray)
    91  		xamz = strings.Join(sarray.StringSlice(), "\n") + "\n"
    92  	}
    93  
    94  	expires := false
    95  	if v, ok := params["Expires"]; ok {
    96  		// Query string request authentication alternative.
    97  		expires = true
    98  		date = v[0]
    99  		params["AWSAccessKeyId"] = []string{s.AccessKey}
   100  	}
   101  
   102  	sarray = sarray[0:0]
   103  	for k, v := range params {
   104  		if s3ParamsToSign[k] {
   105  			for _, vi := range v {
   106  				if vi == "" {
   107  					sarray = append(sarray, keySortableTuple{k, k})
   108  				} else {
   109  					// "When signing you do not encode these values."
   110  					sarray = append(sarray, keySortableTuple{k, k + "=" + vi})
   111  				}
   112  			}
   113  		}
   114  	}
   115  	if len(sarray) > 0 {
   116  		sort.Sort(sarray)
   117  		canonicalPath = canonicalPath + "?" + strings.Join(sarray.StringSlice(), "&")
   118  	}
   119  
   120  	payload := method + "\n" + md5 + "\n" + ctype + "\n" + date + "\n" + xamz + canonicalPath
   121  
   122  	signature, err := s.Signer.Sign([]byte(payload))
   123  	if err != nil {
   124  		return err
   125  	}
   126  
   127  	if expires {
   128  		params["Signature"] = []string{string(signature)}
   129  	} else {
   130  		headers["Authorization"] = []string{"AWS " + s.AccessKey + ":" + string(signature)}
   131  	}
   132  	if debug {
   133  		log.Printf("Signature payload: %q", payload)
   134  		log.Printf("Signature: %q", signature)
   135  	}
   136  
   137  	return nil
   138  }