minio/pkg/signature/utils.go

package signature

import (
	"crypto/hmac"
	"encoding/hex"
	"net/http"
	"regexp"
	"strings"
	"unicode/utf8"

	"github.com/minio/minio/pkg/crypto/sha256"
)

// AccessID and SecretID length in bytes
const (
	MinioAccessID = 20
	MinioSecretID = 40
)

/// helpers

// isValidSecretKey - validate secret key.
var isValidSecretKey = regexp.MustCompile("^.{40}$")

// isValidAccessKey - validate access key.
var isValidAccessKey = regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$")

// isValidRegion - verify if incoming region value is valid with configured Region.
func isValidRegion(reqRegion string, confRegion string) bool {
	if confRegion == "" || confRegion == "US" {
		confRegion = "us-east-1"
	}
	// Some older s3 clients set region as "US" instead of
	// "us-east-1", handle it.
	if reqRegion == "US" {
		reqRegion = "us-east-1"
	}
	return reqRegion == confRegion
}

// sumHMAC calculate hmac between two input byte array.
func sumHMAC(key []byte, data []byte) []byte {
	hash := hmac.New(sha256.New, key)
	hash.Write(data)
	return hash.Sum(nil)
}

// getURLEncodedName encode the strings from UTF-8 byte representations to HTML hex escape sequences
//
// This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8
// non english characters cannot be parsed due to the nature in which url.Encode() is written
//
// This function on the other hand is a direct replacement for url.Encode() technique to support
// pretty much every UTF-8 character.
func getURLEncodedName(name string) string {
	// if object matches reserved string, no need to encode them
	reservedNames := regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")
	if reservedNames.MatchString(name) {
		return name
	}
	var encodedName string
	for _, s := range name {
		if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)
			encodedName = encodedName + string(s)
			continue
		}
		switch s {
		case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)
			encodedName = encodedName + string(s)
			continue
		default:
			len := utf8.RuneLen(s)
			if len < 0 {
				return name
			}
			u := make([]byte, len)
			utf8.EncodeRune(u, s)
			for _, r := range u {
				hex := hex.EncodeToString([]byte{r})
				encodedName = encodedName + "%" + strings.ToUpper(hex)
			}
		}
	}
	return encodedName
}

// extractSignedHeaders extract signed headers from Authorization header
func extractSignedHeaders(signedHeaders []string, reqHeaders http.Header) http.Header {
	extractedSignedHeaders := make(http.Header)
	for _, header := range signedHeaders {
		val, ok := reqHeaders[http.CanonicalHeaderKey(header)]
		if !ok {
			// Golang http server strips off 'Expect' header, if the
			// client sent this as part of signed headers we need to
			// handle otherwise we would see a signature mismatch.
			// `aws-cli` sets this as part of signed headers.
			//
			// According to
			// http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.20
			// Expect header is always of form:
			//
			//   Expect       =  "Expect" ":" 1#expectation
			//   expectation  =  "100-continue" | expectation-extension
			//
			// So it safe to assume that '100-continue' is what would
			// be sent, for the time being keep this work around.
			// Adding a *TODO* to remove this later when Golang server
			// doesn't filter out the 'Expect' header.
			if header == "expect" {
				extractedSignedHeaders[header] = []string{"100-continue"}
			}
			// If not found continue, we will fail later.
			continue
		}
		extractedSignedHeaders[header] = val
	}
	return extractedSignedHeaders
}
signature: Rewrite signature handling and move it into a library. 2016-02-16 02:42:39 +01:00			`package signature`

			`import (`
			`"crypto/hmac"`
			`"encoding/hex"`
			`"net/http"`
			`"regexp"`
			`"strings"`
			`"unicode/utf8"`

			`"github.com/minio/minio/pkg/crypto/sha256"`
			`)`

			`// AccessID and SecretID length in bytes`
			`const (`
			`MinioAccessID = 20`
			`MinioSecretID = 40`
			`)`

			`/// helpers`

			`// isValidSecretKey - validate secret key.`
			`var isValidSecretKey = regexp.MustCompile("^.{40}$")`

			`// isValidAccessKey - validate access key.`
			`var isValidAccessKey = regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$")`

			`// isValidRegion - verify if incoming region value is valid with configured Region.`
			`func isValidRegion(reqRegion string, confRegion string) bool {`
			`if confRegion == "" \|\| confRegion == "US" {`
			`confRegion = "us-east-1"`
			`}`
			`// Some older s3 clients set region as "US" instead of`
			`// "us-east-1", handle it.`
			`if reqRegion == "US" {`
			`reqRegion = "us-east-1"`
			`}`
			`return reqRegion == confRegion`
			`}`

			`// sumHMAC calculate hmac between two input byte array.`
			`func sumHMAC(key []byte, data []byte) []byte {`
			`hash := hmac.New(sha256.New, key)`
			`hash.Write(data)`
			`return hash.Sum(nil)`
			`}`

			`// getURLEncodedName encode the strings from UTF-8 byte representations to HTML hex escape sequences`
			`//`
			`// This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8`
			`// non english characters cannot be parsed due to the nature in which url.Encode() is written`
			`//`
			`// This function on the other hand is a direct replacement for url.Encode() technique to support`
			`// pretty much every UTF-8 character.`
			`func getURLEncodedName(name string) string {`
			`// if object matches reserved string, no need to encode them`
			`reservedNames := regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$")`
			`if reservedNames.MatchString(name) {`
			`return name`
			`}`
			`var encodedName string`
			`for _, s := range name {`
			`if 'A' <= s && s <= 'Z' \|\| 'a' <= s && s <= 'z' \|\| '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark)`
			`encodedName = encodedName + string(s)`
			`continue`
			`}`
			`switch s {`
			`case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark)`
			`encodedName = encodedName + string(s)`
			`continue`
			`default:`
			`len := utf8.RuneLen(s)`
			`if len < 0 {`
			`return name`
			`}`
			`u := make([]byte, len)`
			`utf8.EncodeRune(u, s)`
			`for _, r := range u {`
			`hex := hex.EncodeToString([]byte{r})`
			`encodedName = encodedName + "%" + strings.ToUpper(hex)`
			`}`
			`}`
			`}`
			`return encodedName`
			`}`

			`// extractSignedHeaders extract signed headers from Authorization header`
			`func extractSignedHeaders(signedHeaders []string, reqHeaders http.Header) http.Header {`
			`extractedSignedHeaders := make(http.Header)`
			`for _, header := range signedHeaders {`
			`val, ok := reqHeaders[http.CanonicalHeaderKey(header)]`
			`if !ok {`
			`// Golang http server strips off 'Expect' header, if the`
			`// client sent this as part of signed headers we need to`
			`// handle otherwise we would see a signature mismatch.`
			// `aws-cli` sets this as part of signed headers.
			`//`
			`// According to`
			`// http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.20`
			`// Expect header is always of form:`
			`//`
			`// Expect = "Expect" ":" 1#expectation`
			`// expectation = "100-continue" \| expectation-extension`
			`//`
			`// So it safe to assume that '100-continue' is what would`
			`// be sent, for the time being keep this work around.`
			`// Adding a TODO to remove this later when Golang server`
			`// doesn't filter out the 'Expect' header.`
			`if header == "expect" {`
			`extractedSignedHeaders[header] = []string{"100-continue"}`
			`}`
			`// If not found continue, we will fail later.`
			`continue`
			`}`
			`extractedSignedHeaders[header] = val`
			`}`
			`return extractedSignedHeaders`
			`}`