Package: v4

import "../ibm-cos-sdk-go-v2/aws/signer/internal/v4"

Constants

const EmptyStringSHA256 = readonly

EmptyStringSHA256 is the hex encoded sha256 value of an empty string

Value:

`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
const UnsignedPayload = readonly

UnsignedPayload indicates that the request payload body is unsigned, meaning the body is not covered by the request signature

Value:

"UNSIGNED-PAYLOAD"
const AmzAlgorithmKey = readonly

AmzAlgorithmKey indicates the signing algorithm

Value:

"X-Amz-Algorithm"
const AmzSecurityTokenKey = readonly

AmzSecurityTokenKey indicates the security token to be used with temporary credentials

Value:

"X-Amz-Security-Token"
const AmzDateKey = readonly

AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD’T’HHMMSS’Z’

Value:

"X-Amz-Date"
const AmzCredentialKey = readonly

AmzCredentialKey is the access key ID and credential scope

Value:

"X-Amz-Credential"
const AmzSignedHeadersKey = readonly

AmzSignedHeadersKey is the set of headers signed for the request

Value:

"X-Amz-SignedHeaders"
const AmzSignatureKey = readonly

AmzSignatureKey is the query parameter to store the SigV4 signature

Value:

"X-Amz-Signature"
const TimeFormat = readonly

TimeFormat is the time format to be used in the X-Amz-Date header or query parameter

Value:

"20060102T150405Z"
const ShortTimeFormat = readonly

ShortTimeFormat is the shortened time format used in the credential scope

Value:

"20060102"
const ContentSHAKey = readonly

ContentSHAKey is the SHA256 of request body

Value:

"X-Amz-Content-Sha256"
const StreamingEventsPayload = readonly

StreamingEventsPayload indicates that the request payload body is a signed event stream.

Value:

"STREAMING-AWS4-HMAC-SHA256-EVENTS"

Variables

var IgnoredHeaders = writable

IgnoredHeaders is a list of headers that are ignored during signing

Value:

Rules{ ExcludeList{ MapRule{ "Authorization": struct{}{}, "User-Agent": struct{}{}, "X-Amzn-Trace-Id": struct{}{}, "Expect": struct{}{}, "Transfer-Encoding": struct{}{}, }, }, }
var RequiredSignedHeaders = writable

RequiredSignedHeaders is an allow list of headers used when building the canonical headers.

Value:

Rules{ AllowList{ MapRule{ "Cache-Control": struct{}{}, "Content-Disposition": struct{}{}, "Content-Encoding": struct{}{}, "Content-Language": struct{}{}, "Content-Md5": struct{}{}, "Content-Type": struct{}{}, "Expires": struct{}{}, "If-Match": struct{}{}, "If-Modified-Since": struct{}{}, "If-None-Match": struct{}{}, "If-Unmodified-Since": struct{}{}, "Range": struct{}{}, "X-Amz-Acl": struct{}{}, "X-Amz-Copy-Source": struct{}{}, "X-Amz-Copy-Source-If-Match": struct{}{}, "X-Amz-Copy-Source-If-Modified-Since": struct{}{}, "X-Amz-Copy-Source-If-None-Match": struct{}{}, "X-Amz-Copy-Source-If-Unmodified-Since": struct{}{}, "X-Amz-Copy-Source-Range": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Grant-Full-control": struct{}{}, "X-Amz-Grant-Read": struct{}{}, "X-Amz-Grant-Read-Acp": struct{}{}, "X-Amz-Grant-Write": struct{}{}, "X-Amz-Grant-Write-Acp": struct{}{}, "X-Amz-Metadata-Directive": struct{}{}, "X-Amz-Mfa": struct{}{}, "X-Amz-Server-Side-Encryption": struct{}{}, "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": struct{}{}, "X-Amz-Server-Side-Encryption-Context": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Storage-Class": struct{}{}, "X-Amz-Website-Redirect-Location": struct{}{}, "X-Amz-Content-Sha256": struct{}{}, "X-Amz-Tagging": struct{}{}, }, }, Patterns{"X-Amz-Object-Lock-"}, Patterns{"X-Amz-Meta-"}, }
var AllowedQueryHoisting = writable

AllowedQueryHoisting is an allow list used when building query headers. The boolean value represents whether or not it is a pattern.

Value:


Function Details

func BuildCredentialScope(signingTime SigningTime, region, service string) string

BuildCredentialScope builds the Signature Version 4 (SigV4) signing scope



// File 'aws/signer/internal/v4/scope.go', line 5

// BuildCredentialScope builds the Signature Version 4 (SigV4) credential
// scope: the value of signingTime.ShortTimeFormat(), the region, the service
// and the fixed terminator "aws4_request", joined with "/".
//
// region and service are inserted verbatim; nothing in this function
// validates or escapes them.
func BuildCredentialScope(signingTime SigningTime, region, service string) string {
	const (
		sep        = "/"
		terminator = "aws4_request"
	)

	parts := []string{signingTime.ShortTimeFormat(), region, service, terminator}
	return strings.Join(parts, sep)
}

func GetURIPath(u *url.URL) string

GetURIPath returns the escaped URI component from the provided URL.



// File 'aws/signer/internal/v4/util.go', line 49

// GetURIPath returns the URI path component of u, falling back to "/" when
// the path would otherwise be empty.
//
// When u.Opaque is empty the result is u.EscapedPath(). When u.Opaque is set,
// the path is cut out of it textually: any query string is dropped, a leading
// "//" is removed once, and everything from the first "/" onward is returned.
// The Opaque-derived path is returned as-is; no escaping or normalisation is
// applied to it here.
func GetURIPath(u *url.URL) string {
	// Common case: no opaque form, so the standard escaped path is used.
	if len(u.Opaque) == 0 {
		if escaped := u.EscapedPath(); len(escaped) > 0 {
			return escaped
		}
		return "/"
	}

	const schemeSep, pathSep, queryStart = "//", "/", "?"

	rest := u.Opaque

	// Drop the query string, if any.
	if q := strings.Index(rest, queryStart); q >= 0 {
		rest = rest[:q]
	}

	// Drop a single leading scheme separator, if any.
	rest = strings.TrimPrefix(rest, schemeSep)

	// The path begins at the first path separator; without one there is no
	// path and the default applies.
	if p := strings.Index(rest, pathSep); p >= 0 {
		return rest[p:]
	}
	return "/"
}

func HMACSHA256(key []byte, data []byte) []byte

HMACSHA256 computes a HMAC-SHA256 of data given the provided key.



// File 'aws/signer/internal/v4/hmac.go', line 8

// HMACSHA256 computes the HMAC-SHA256 of data under key and returns the
// 32-byte MAC as a newly allocated slice.
//
// When the result is compared against a MAC received from elsewhere, use
// hmac.Equal so the comparison runs in constant time.
func HMACSHA256(key []byte, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	// hash.Hash documents that Write never returns an error.
	_, _ = mac.Write(data)
	return mac.Sum(nil)
}

func NewSigningTime(t time.Time) SigningTime

NewSigningTime creates a new SigningTime given a time.Time



// File 'aws/signer/internal/v4/time.go', line 12

// NewSigningTime wraps t in a SigningTime. Only the Time field is set; every
// other field of the returned value is left at its zero value.
func NewSigningTime(t time.Time) SigningTime {
	var st SigningTime
	st.Time = t
	return st
}

func SanitizeHostForHeader(r *http.Request)

SanitizeHostForHeader removes default port from host and updates request.Host



// File 'aws/signer/internal/v4/host.go', line 8

// SanitizeHostForHeader removes the port from the request's host when that
// port is the default one for r.URL.Scheme, storing the result in r.Host.
//
// Only r.Host is written; the request is left untouched when the host has no
// port or the port is not the scheme's default. r.URL is dereferenced only
// when a port is present.
func SanitizeHostForHeader(r *http.Request) {
	h := getHost(r)

	// Nothing to do unless there is a port and it is the scheme's default.
	if p := portOnly(h); p == "" || !isDefaultPort(r.URL.Scheme, p) {
		return
	}

	r.Host = stripPort(h)
}

func StripExcessSpaces(str string) string

StripExcessSpaces returns the passed-in string with leading and trailing spaces removed and runs of multiple side-by-side spaces collapsed into a single space.



// File 'aws/signer/internal/v4/util.go', line 11

// StripExcessSpaces returns str with leading and trailing spaces removed and
// every run of consecutive spaces reduced to a single space.
//
// Only the ASCII space character ' ' is treated as a space; tabs and other
// whitespace are copied through unchanged. When the trimmed string contains
// no occurrence of doubleSpace it is returned without copying.
func StripExcessSpaces(str string) string {
	// Trim spaces from both ends.
	str = strings.Trim(str, " ")

	// Fast path: nothing to collapse.
	first := strings.Index(str, doubleSpace)
	if first < 0 {
		return str
	}

	// Compact in place, starting at the first run; everything before it is
	// already in its final position.
	buf := []byte(str)
	w := first
	prevSpace := false
	for r := first; r < len(buf); r++ {
		c := buf[r]
		if c == ' ' && prevSpace {
			// Second or later space of a run: drop it.
			continue
		}
		prevSpace = c == ' '
		buf[w] = c
		w++
	}

	return string(buf[:w])
}