package v4

import "github.com/aws/aws-sdk-go-v2/aws/signer/v4"

Package v4 implements signing for AWS V4 signer

Provides request signing for request that need to be signed with AWS V4 Signatures.

Standalone Signer

Generally using the signer outside of the SDK should not require any additional 

The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires

additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent to the service as.

The signer will first check the URL.Opaque field, and use its value if set. The signer does require the URL.Opaque field to be set in the form of: 

"//<hostname>/<path>"

// e.g.
"//example.com/some/path"

The leading "//" and hostname are required or the URL.Opaque escaping will not work correctly.

If URL.Opaque is not set the signer will fallback to the URL.EscapedPath() method and using the returned value.

AWS v4 signature validation requires that the canonical string's URI path element must be the URI escaped form of the HTTP request's path. http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

The Go HTTP client will perform escaping automatically on the request. Some of these escaping may cause signature validation errors because the HTTP request differs from the URI path or query that the signature was generated. https://golang.org/pkg/net/url/#URL.EscapedPath

Because of this, it is recommended that when using the signer outside of the SDK that explicitly escaping the request prior to being signed is preferable, and will help prevent signature validation errors. This can be done by setting the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then call URL.EscapedPath() if Opaque is not set.

Test `TestStandaloneSign` provides a complete example of using the signer outside of the SDK and pre-escaping the URI path.

Index

Functions

func AddComputePayloadSHA256Middleware 

func AddComputePayloadSHA256Middleware(stack *middleware.Stack)

AddComputePayloadSHA256Middleware adds computePayloadSHA256Middleware to the operation middleware stack

func AddContentSHA256HeaderMiddleware 

func AddContentSHA256HeaderMiddleware(stack *middleware.Stack)

AddContentSHA256HeaderMiddleware adds ContentSHA256HeaderMiddleware to the operation middleware stack

func AddUnsignedPayloadMiddleware 

func AddUnsignedPayloadMiddleware(stack *middleware.Stack)

AddUnsignedPayloadMiddleware adds unsignedPayloadMiddleware to the operation middleware stack

func GetPayloadHash 

func GetPayloadHash(ctx context.Context) (v string)

GetPayloadHash retrieves the payload hash to use for signing

func SetPayloadHash 

func SetPayloadHash(ctx context.Context, hash string) context.Context

SetPayloadHash sets the payload hash to be used for signing the request

Types

type HTTPSigner 

type HTTPSigner interface {
	SignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time) error
}

HTTPSigner is an interface to a SigV4 signer that can sign HTTP requests

type HashComputationError 

type HashComputationError struct {
	Err error
}

HashComputationError indicates an error occurred while computing the signing hash

func (*HashComputationError) Error 

func (e *HashComputationError) Error() string

Error is the error message

func (*HashComputationError) Unwrap 

func (e *HashComputationError) Unwrap() error

Unwrap returns the underlying error if one is set

type SignHTTPRequestMiddleware 

type SignHTTPRequestMiddleware struct {
	// contains filtered or unexported fields
}

SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation for SigV4 HTTP Signing

func NewSignHTTPRequestMiddleware 

func NewSignHTTPRequestMiddleware(credentialsProvider aws.CredentialsProvider, signer HTTPSigner) *SignHTTPRequestMiddleware

NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given Signer for signing requests

func (*SignHTTPRequestMiddleware) HandleFinalize 

func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
)

HandleFinalize will take the provided input and sign the request using the SigV4 authentication scheme

func (*SignHTTPRequestMiddleware) ID 

func (s *SignHTTPRequestMiddleware) ID() string

ID is the SignHTTPRequestMiddleware identifier

type Signer 

type Signer struct {
	// Disables the Signer's moving HTTP header key/value pairs from the HTTP
	// request header to the request's query string. This is most commonly used
	// with pre-signed requests preventing headers from being added to the
	// request's query string.
	DisableHeaderHoisting bool

	// Disables the automatic escaping of the URI path of the request for the
	// siganture's canonical string's path. For services that do not need additional
	// escaping then use this to disable the signer escaping the path.
	//
	// S3 is an example of a service that does not need additional escaping.
	//
	// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
	DisableURIPathEscaping bool
	// contains filtered or unexported fields
}

Signer applies AWS v4 signing to given request. Use this to sign requests that need to be signed with AWS V4 Signatures.

func NewSigner 

func NewSigner(optFns ...func(signer *Signer)) *Signer

NewSigner returns a new SigV4 Signer

func (*Signer) PresignHTTP 

func (v4 *Signer) PresignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, expireTime time.Duration, signingTime time.Time) (signedURI string, signedHeaders http.Header, err error)

PresignHTTP signs AWS v4 requests with the payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.

Returns the signed URL and the map of HTTP headers that were included in the signature or an error if signing the request failed. For presigned requests these headers and their values must be included on the HTTP request when it is made. This is helpful to know what header values need to be shared with the party the presigned request will be distributed to.

PresignHTTP differs from SignHTTP in that it will sign the request using query string instead of header values. This allows you to share the Presigned Request's URL with third parties, or distribute it throughout your system with minimal dependencies.

PresignHTTP also takes an exp value which is the duration the signed request will be valid after the signing time. This is allows you to set when the request will expire.

This method does not modify the provided request.

func (Signer) SignHTTP 

func (v4 Signer) SignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time) error

SignHTTP signs AWS v4 requests with the provided payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.

Sign differs from Presign in that it will sign the request using HTTP header values. This type of signing is intended for http.Request values that will not be shared, or are shared in a way the header values on the request will not be lost.

The passed in request will be modified in place.

type SigningError 

type SigningError struct {
	Err error
}

SigningError indicates an error condition occurred while performing SigV4 signing

func (*SigningError) Error 

func (e *SigningError) Error() string

func (*SigningError) Unwrap 

func (e *SigningError) Unwrap() error

Unwrap returns the underlying error cause

Source Files

middleware.go v4.go

Version
v0.27.0
Published
Oct 17, 2020
Platform
darwin/amd64
Imports
19 packages
Last checked
6 minutes ago

Tools for package owners.