frostfs-s3-gw/api/auth/presign.go

package auth

import (
	"fmt"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"

	v4 "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth/signer/v4"
	v4a "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth/signer/v4asdk2"
	credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/private/protocol/rest"
	"github.com/aws/smithy-go/logging"
)

type RequestData struct {
	Method   string
	Endpoint string
	Bucket   string
	Object   string
}

type PresignData struct {
	Service  string
	Region   string
	Lifetime time.Duration
	SignTime time.Time
	Headers  map[string]string
}

// PresignRequest forms pre-signed request to access objects without aws credentials.
func PresignRequest(creds *credentials.Credentials, reqData RequestData, presignData PresignData) (*http.Request, error) {
	urlStr := fmt.Sprintf("%s/%s/%s", reqData.Endpoint, rest.EscapePath(reqData.Bucket, false), rest.EscapePath(reqData.Object, false))
	req, err := http.NewRequest(strings.ToUpper(reqData.Method), urlStr, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create new request: %w", err)
	}

	req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))

	for k, v := range presignData.Headers {
		req.Header.Set(k, v)
	}

	signer := v4.NewSigner(creds)
	signer.DisableURIPathEscaping = true

	if _, err = signer.Presign(req, nil, presignData.Service, presignData.Region, presignData.Lifetime, presignData.SignTime); err != nil {
		return nil, fmt.Errorf("presign: %w", err)
	}

	return req, nil
}

// PresignRequestV4a forms pre-signed request to access objects without aws credentials.
func PresignRequestV4a(credProvider credentialsv2.StaticCredentialsProvider, reqData RequestData, presignData PresignData) (*http.Request, error) {
	urlStr := fmt.Sprintf("%s/%s/%s", reqData.Endpoint, rest.EscapePath(reqData.Bucket, false), rest.EscapePath(reqData.Object, false))
	req, err := http.NewRequest(strings.ToUpper(reqData.Method), urlStr, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create new request: %w", err)
	}

	req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))
	req.Header.Set(ContentTypeHdr, "text/plain")
	req.Header.Set(AmzExpires, strconv.Itoa(int(presignData.Lifetime.Seconds())))

	signer := v4a.NewSigner(func(options *v4a.SignerOptions) {
		options.DisableURIPathEscaping = true
		options.LogSigning = true
		options.Logger = logging.NewStandardLogger(os.Stdout)
	})

	credAdapter := v4a.SymmetricCredentialAdaptor{
		SymmetricProvider: credProvider,
	}

	creds, err := credAdapter.RetrievePrivateKey(req.Context())
	if err != nil {
		return nil, fmt.Errorf("failed to derive assymetric key from credentials: %w", err)
	}
	presignedURL, _, err := signer.PresignHTTP(req.Context(), creds, req, "", presignData.Service, []string{presignData.Region}, presignData.SignTime)
	if err != nil {
		return nil, fmt.Errorf("presign: %w", err)
	}

	fmt.Println(presignedURL)

	return http.NewRequest(reqData.Method, presignedURL, nil)
}
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00			`package auth`

			`import (`
			`"fmt"`
			`"net/http"`
[#339] Add aws-sdk-go-v2 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-27 06:14:58 +00:00			`"os"`
			`"strconv"`
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00			`"strings"`
			`"time"`

			`v4 "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth/signer/v4"`
[#339] Add aws-sdk-go-v2 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-27 06:14:58 +00:00			`v4a "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth/signer/v4asdk2"`
			`credentialsv2 "github.com/aws/aws-sdk-go-v2/credentials"`
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00			`"github.com/aws/aws-sdk-go/aws/credentials"`
			`"github.com/aws/aws-sdk-go/private/protocol/rest"`
[#339] Add aws-sdk-go-v2 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-27 06:14:58 +00:00			`"github.com/aws/smithy-go/logging"`
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00			`)`

			`type RequestData struct {`
			`Method string`
			`Endpoint string`
			`Bucket string`
			`Object string`
			`}`

			`type PresignData struct {`
			`Service string`
			`Region string`
			`Lifetime time.Duration`
			`SignTime time.Time`
[#505] authmate: Add flag for headers in generate-presigned-url cmd Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-10-29 13:26:01 +00:00			`Headers map[string]string`
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00			`}`

			`// PresignRequest forms pre-signed request to access objects without aws credentials.`
			`func PresignRequest(creds credentials.Credentials, reqData RequestData, presignData PresignData) (http.Request, error) {`
			`urlStr := fmt.Sprintf("%s/%s/%s", reqData.Endpoint, rest.EscapePath(reqData.Bucket, false), rest.EscapePath(reqData.Object, false))`
			`req, err := http.NewRequest(strings.ToUpper(reqData.Method), urlStr, nil)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to create new request: %w", err)`
			`}`

			`req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))`
[#505] authmate: Add flag for headers in generate-presigned-url cmd Signed-off-by: Marina Biryukova <m.biryukova@yadro.com> 2024-10-29 13:26:01 +00:00
			`for k, v := range presignData.Headers {`
			`req.Header.Set(k, v)`
			`}`
[#125] api/auth: DisableURIPathEscaping for presign Don't use escaping when presign url. Escape manually before. Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2023-06-01 11:30:49 +00:00
			`signer := v4.NewSigner(creds)`
			`signer.DisableURIPathEscaping = true`

			`if _, err = signer.Presign(req, nil, presignData.Service, presignData.Region, presignData.Lifetime, presignData.SignTime); err != nil {`
			`return nil, fmt.Errorf("presign: %w", err)`
			`}`

			`return req, nil`
			`}`
[#339] Add aws-sdk-go-v2 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com> 2024-03-27 06:14:58 +00:00
			`// PresignRequestV4a forms pre-signed request to access objects without aws credentials.`
			`func PresignRequestV4a(credProvider credentialsv2.StaticCredentialsProvider, reqData RequestData, presignData PresignData) (*http.Request, error) {`
			`urlStr := fmt.Sprintf("%s/%s/%s", reqData.Endpoint, rest.EscapePath(reqData.Bucket, false), rest.EscapePath(reqData.Object, false))`
			`req, err := http.NewRequest(strings.ToUpper(reqData.Method), urlStr, nil)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to create new request: %w", err)`
			`}`

			`req.Header.Set(AmzDate, presignData.SignTime.Format("20060102T150405Z"))`
			`req.Header.Set(ContentTypeHdr, "text/plain")`
			`req.Header.Set(AmzExpires, strconv.Itoa(int(presignData.Lifetime.Seconds())))`

			`signer := v4a.NewSigner(func(options *v4a.SignerOptions) {`
			`options.DisableURIPathEscaping = true`
			`options.LogSigning = true`
			`options.Logger = logging.NewStandardLogger(os.Stdout)`
			`})`

			`credAdapter := v4a.SymmetricCredentialAdaptor{`
			`SymmetricProvider: credProvider,`
			`}`

			`creds, err := credAdapter.RetrievePrivateKey(req.Context())`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to derive assymetric key from credentials: %w", err)`
			`}`
			`presignedURL, _, err := signer.PresignHTTP(req.Context(), creds, req, "", presignData.Service, []string{presignData.Region}, presignData.SignTime)`
			`if err != nil {`
			`return nil, fmt.Errorf("presign: %w", err)`
			`}`

			`fmt.Println(presignedURL)`

			`return http.NewRequest(reqData.Method, presignedURL, nil)`
			`}`