Move s3 signature v4 and v2 to a separate pkg

minio · Dec 10, 2016 · beaa71d · beaa71d
1 parent e06b3b7
commit beaa71d
Show file tree

Hide file tree

Showing 15 changed files with 305 additions and 134 deletions.
diff --git a/api-presigned.go b/api-presigned.go
@@ -20,6 +20,8 @@ import (
 	"errors"
 	"net/url"
 	"time"
+
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 // supportedGetReqParams - supported request parameters for GET presigned request.
@@ -133,7 +135,7 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 			p.formData["AWSAccessKeyId"] = c.accessKeyID
 		}
 		// Sign the policy.
-		p.formData["signature"] = postPresignSignatureV2(policyBase64, c.secretAccessKey)
+		p.formData["signature"] = s3signer.PostPresignSignatureV2(policyBase64, c.secretAccessKey)
 		return u, p.formData, nil
 	}
 
@@ -156,7 +158,7 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 	}
 
 	// Add a credential policy.
-	credential := getCredential(c.accessKeyID, location, t)
+	credential := s3signer.GetCredential(c.accessKeyID, location, t)
 	if err = p.addNewPolicy(policyCondition{
 		matchType: "eq",
 		condition: "$x-amz-credential",
@@ -172,6 +174,6 @@ func (c Client) PresignedPostPolicy(p *PostPolicy) (u *url.URL, formData map[str
 	p.formData["x-amz-algorithm"] = signV4Algorithm
 	p.formData["x-amz-credential"] = credential
 	p.formData["x-amz-date"] = t.Format(iso8601DateFormat)
-	p.formData["x-amz-signature"] = postPresignSignatureV4(policyBase64, t, c.secretAccessKey, location)
+	p.formData["x-amz-signature"] = s3signer.PostPresignSignatureV4(policyBase64, t, c.secretAccessKey, location)
 	return u, p.formData, nil
 }
diff --git a/api-put-bucket.go b/api-put-bucket.go
@@ -28,6 +28,7 @@ import (
 	"net/url"
 
 	"github.com/minio/minio-go/pkg/policy"
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 /// Bucket operations
@@ -133,9 +134,9 @@ func (c Client) makeBucketRequest(bucketName string, location string) (*http.Req
 	if c.signature.isV4() {
 		// Signature calculated for MakeBucket request should be for 'us-east-1',
 		// regardless of the bucket's location constraint.
-		req = signV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
+		req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
 	} else if c.signature.isV2() {
-		req = signV2(*req, c.accessKeyID, c.secretAccessKey)
+		req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
 	}
 
 	// Return signed request.

diff --git a/api-put-bucket_test.go b/api-put-bucket_test.go
@@ -26,6 +26,8 @@ import (
 	"net/http"
 	"net/url"
 	"testing"
+
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 // Tests validate http request formulated for creation of bucket.
@@ -78,9 +80,9 @@ func TestMakeBucketRequest(t *testing.T) {
 		if c.signature.isV4() {
 			// Signature calculated for MakeBucket request should be for 'us-east-1',
 			// regardless of the bucket's location constraint.
-			req = signV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
+			req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
 		} else if c.signature.isV2() {
-			req = signV2(*req, c.accessKeyID, c.secretAccessKey)
+			req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
 		}
 
 		// Return signed request.

diff --git a/api.go b/api.go
@@ -33,6 +33,8 @@ import (
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 // Client implements Amazon S3 compatible methods.
@@ -580,10 +582,10 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 		}
 		if c.signature.isV2() {
 			// Presign URL with signature v2.
-			req = preSignV2(*req, c.accessKeyID, c.secretAccessKey, metadata.expires)
+			req = s3signer.PreSignV2(*req, c.accessKeyID, c.secretAccessKey, metadata.expires)
 		} else {
 			// Presign URL with signature v4.
-			req = preSignV4(*req, c.accessKeyID, c.secretAccessKey, location, metadata.expires)
+			req = s3signer.PreSignV4(*req, c.accessKeyID, c.secretAccessKey, location, metadata.expires)
 		}
 		return req, nil
 	}
@@ -640,10 +642,10 @@ func (c Client) newRequest(method string, metadata requestMetadata) (req *http.R
 	if !c.anonymous {
 		if c.signature.isV2() {
 			// Add signature version '2' authorization header.
-			req = signV2(*req, c.accessKeyID, c.secretAccessKey)
+			req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
 		} else if c.signature.isV4() {
 			// Add signature version '4' authorization header.
-			req = signV4(*req, c.accessKeyID, c.secretAccessKey, location)
+			req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, location)
 		}
 	}
 

diff --git a/api_unit_test.go b/api_unit_test.go
@@ -18,11 +18,9 @@ package minio
 
 import (
 	"bytes"
-	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
-	"net/url"
 	"os"
 	"strings"
 	"testing"
@@ -202,49 +200,6 @@ func TestTempFile(t *testing.T) {
 	}
 }
 
-// Tests url encoding.
-func TestEncodeURL2Path(t *testing.T) {
-	type urlStrings struct {
-		objName        string
-		encodedObjName string
-	}
-
-	bucketName := "bucketName"
-	want := []urlStrings{
-		{
-			objName:        "本語",
-			encodedObjName: "%E6%9C%AC%E8%AA%9E",
-		},
-		{
-			objName:        "本語.1",
-			encodedObjName: "%E6%9C%AC%E8%AA%9E.1",
-		},
-		{
-			objName:        ">123>3123123",
-			encodedObjName: "%3E123%3E3123123",
-		},
-		{
-			objName:        "test 1 2.txt",
-			encodedObjName: "test%201%202.txt",
-		},
-		{
-			objName:        "test++ 1.txt",
-			encodedObjName: "test%2B%2B%201.txt",
-		},
-	}
-
-	for _, o := range want {
-		u, err := url.Parse(fmt.Sprintf("https://%s.s3.amazonaws.com/%s", bucketName, o.objName))
-		if err != nil {
-			t.Fatal("Error:", err)
-		}
-		urlPath := "/" + bucketName + "/" + o.encodedObjName
-		if urlPath != encodeURL2Path(u) {
-			t.Fatal("Error")
-		}
-	}
-}
-
 // Tests error response structure.
 func TestErrorResponse(t *testing.T) {
 	var err error
@@ -270,53 +225,6 @@ func TestErrorResponse(t *testing.T) {
 	}
 }
 
-// Tests signature calculation.
-func TestSignatureCalculation(t *testing.T) {
-	req, err := http.NewRequest("GET", "https://s3.amazonaws.com", nil)
-	if err != nil {
-		t.Fatal("Error:", err)
-	}
-	req = signV4(*req, "", "", "us-east-1")
-	if req.Header.Get("Authorization") != "" {
-		t.Fatal("Error: anonymous credentials should not have Authorization header.")
-	}
-
-	req = preSignV4(*req, "", "", "us-east-1", 0)
-	if strings.Contains(req.URL.RawQuery, "X-Amz-Signature") {
-		t.Fatal("Error: anonymous credentials should not have Signature query resource.")
-	}
-
-	req = signV2(*req, "", "")
-	if req.Header.Get("Authorization") != "" {
-		t.Fatal("Error: anonymous credentials should not have Authorization header.")
-	}
-
-	req = preSignV2(*req, "", "", 0)
-	if strings.Contains(req.URL.RawQuery, "Signature") {
-		t.Fatal("Error: anonymous credentials should not have Signature query resource.")
-	}
-
-	req = signV4(*req, "ACCESS-KEY", "SECRET-KEY", "us-east-1")
-	if req.Header.Get("Authorization") == "" {
-		t.Fatal("Error: normal credentials should have Authorization header.")
-	}
-
-	req = preSignV4(*req, "ACCESS-KEY", "SECRET-KEY", "us-east-1", 0)
-	if !strings.Contains(req.URL.RawQuery, "X-Amz-Signature") {
-		t.Fatal("Error: normal credentials should have Signature query resource.")
-	}
-
-	req = signV2(*req, "ACCESS-KEY", "SECRET-KEY")
-	if req.Header.Get("Authorization") == "" {
-		t.Fatal("Error: normal credentials should have Authorization header.")
-	}
-
-	req = preSignV2(*req, "ACCESS-KEY", "SECRET-KEY", 0)
-	if !strings.Contains(req.URL.RawQuery, "Signature") {
-		t.Fatal("Error: normal credentials should not have Signature query resource.")
-	}
-}
-
 // Tests signature type.
 func TestSignatureType(t *testing.T) {
 	clnt := Client{}

diff --git a/bucket-cache.go b/bucket-cache.go
@@ -23,6 +23,8 @@ import (
 	"path"
 	"strings"
 	"sync"
+
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 // bucketLocationCache - Provides simple mechanism to hold bucket
@@ -189,9 +191,9 @@ func (c Client) getBucketLocationRequest(bucketName string) (*http.Request, erro
 
 	// Sign the request.
 	if c.signature.isV4() {
-		req = signV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
+		req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
 	} else if c.signature.isV2() {
-		req = signV2(*req, c.accessKeyID, c.secretAccessKey)
+		req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
 	}
 	return req, nil
 }
diff --git a/bucket-cache_test.go b/bucket-cache_test.go
@@ -26,6 +26,8 @@ import (
 	"path"
 	"reflect"
 	"testing"
+
+	"github.com/minio/minio-go/pkg/s3signer"
 )
 
 // Test validates `newBucketLocationCache`.
@@ -93,9 +95,9 @@ func TestGetBucketLocationRequest(t *testing.T) {
 
 		// Sign the request.
 		if c.signature.isV4() {
-			req = signV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
+			req = s3signer.SignV4(*req, c.accessKeyID, c.secretAccessKey, "us-east-1")
 		} else if c.signature.isV2() {
-			req = signV2(*req, c.accessKeyID, c.secretAccessKey)
+			req = s3signer.SignV2(*req, c.accessKeyID, c.secretAccessKey)
 		}
 		return req, nil
 

diff --git a/constants.go b/constants.go
@@ -44,3 +44,9 @@ const optimalReadBufferSize = 1024 * 1024 * 5
 // unsignedPayload - value to be set to X-Amz-Content-Sha256 header when
 // we don't want to sign the request payload
 const unsignedPayload = "UNSIGNED-PAYLOAD"
+
+// Signature related constants.
+const (
+	signV4Algorithm   = "AWS4-HMAC-SHA256"
+	iso8601DateFormat = "20060102T150405Z"
+)
diff --git a/request-signature-v2.go → pkg/s3signer/request-signature-v2.go b/request-signature-v2.go → pkg/s3signer/request-signature-v2.go
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package minio
+package s3signer
 
 import (
 	"bytes"
@@ -58,9 +58,9 @@ func encodeURL2Path(u *url.URL) (path string) {
 	return
 }
 
-// preSignV2 - presign the request in following style.
+// PreSignV2 - presign the request in following style.
 // https://${S3_BUCKET}.s3.amazonaws.com/${S3_OBJECT}?AWSAccessKeyId=${S3_ACCESS_KEY}&Expires=${TIMESTAMP}&Signature=${SIGNATURE}.
-func preSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64) *http.Request {
+func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64) *http.Request {
 	// Presign is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req
@@ -104,9 +104,9 @@ func preSignV2(req http.Request, accessKeyID, secretAccessKey string, expires in
 	return &req
 }
 
-// postPresignSignatureV2 - presigned signature for PostPolicy
+// PostPresignSignatureV2 - presigned signature for PostPolicy
 // request.
-func postPresignSignatureV2(policyBase64, secretAccessKey string) string {
+func PostPresignSignatureV2(policyBase64, secretAccessKey string) string {
 	hm := hmac.New(sha1.New, []byte(secretAccessKey))
 	hm.Write([]byte(policyBase64))
 	signature := base64.StdEncoding.EncodeToString(hm.Sum(nil))
@@ -129,8 +129,8 @@ func postPresignSignatureV2(policyBase64, secretAccessKey string) string {
 //
 // CanonicalizedProtocolHeaders = <described below>
 
-// signV2 sign the request before Do() (AWS Signature Version 2).
-func signV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request {
+// SignV2 sign the request before Do() (AWS Signature Version 2).
+func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request {
 	// Signature calculation is not needed for anonymous credentials.
 	if accessKeyID == "" || secretAccessKey == "" {
 		return &req

diff --git a/request-signature-v2_test.go → pkg/s3signer/request-signature-v2_test.go b/request-signature-v2_test.go → pkg/s3signer/request-signature-v2_test.go
@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-package minio
+package s3signer
 
 import (
 	"sort"