Package v4 implements the AWS signature version 4 algorithm (commonly known as SigV4).
For more information about SigV4, see Signing AWS API requests in the IAM user guide.
While this implementation CAN work in an external context, it is developed primarily for SDK use and you may encounter fringe behaviors around header canonicalization.
Pre-escaping a request URI ¶AWS v4 signature validation requires that the canonical string's URI path component must be the escaped form of the HTTP request's path.
The Go HTTP client will perform escaping automatically on the HTTP request. This may cause signature validation errors because the request differs from the URI path or query from which the signature was generated.
Because of this, we recommend that you explicitly escape the request when using this signer outside of the SDK to prevent possible signature mismatch. This can be done by setting URL.Opaque on the request. The signer will prefer that value, falling back to the return of URL.EscapedPath if unset.
When setting URL.Opaque you must do so in the form of:
"//<hostname>/<path>" // e.g. "//example.com/some/path"
The leading "//" and hostname are required or the escaping will not work correctly.
The TestStandaloneSign unit test provides a complete example of using the signer outside of the SDK and pre-escaping the URI path.
This section is empty.
AddComputePayloadSHA256Middleware adds computePayloadSHA256 to the operation middleware stack
AddContentSHA256HeaderMiddleware adds ContentSHA256Header to the operation middleware stack
AddStreamingEventsPayload adds the streamingEventsPayload middleware to the stack.
AddUnsignedPayloadMiddleware adds unsignedPayload to the operation middleware stack
GetPayloadHash retrieves the payload hash to use for signing
Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues to clear all stack values.
GetSignedRequestSignature attempts to extract the signature of the request. Returning an error if the request is unsigned, or unable to extract the signature.
RemoveComputePayloadSHA256Middleware removes computePayloadSHA256 from the operation middleware stack
RemoveContentSHA256HeaderMiddleware removes contentSHA256Header middleware from the operation middleware stack
SetPayloadHash sets the payload hash to be used for signing the request
Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues to clear all stack values.
SwapComputePayloadSHA256ForUnsignedPayloadMiddleware replaces the ComputePayloadSHA256 middleware with the UnsignedPayload middleware.
Use this to disable computing the Payload SHA256 checksum and instead use UNSIGNED-PAYLOAD for the SHA256 value.
UseDynamicPayloadSigningMiddleware swaps the compute payload sha256 middleware with a resolver middleware that switches between unsigned and signed payload based on TLS state for request. This middleware should not be used for AWS APIs that do not support unsigned payload signing auth. By default, SDK uses this middleware for known AWS APIs that support such TLS based auth selection .
Usage example - S3 PutObject API allows unsigned payload signing auth usage when TLS is enabled, and uses this middleware to dynamically switch between unsigned and signed payload based on TLS state for request.
type ComputePayloadSHA256 struct{}
ComputePayloadSHA256 computes SHA256 payload hash to sign.
Will not set the Unsigned Payload magic SHA value, if a SHA has already been stored in the context. (e.g. application pre-computed SHA256 before making API call).
This middleware does not check the X-Amz-Content-Sha256 header, if that header is serialized a middleware must translate it into the context.
func (*ComputePayloadSHA256) HandleFinalize ¶ added in v1.25.2HandleFinalize computes the payload hash for the request, storing it to the context. This is a no-op if a caller has previously set that value.
ID is the middleware name
type ContentSHA256Header struct{}
ContentSHA256Header sets the X-Amz-Content-Sha256 header value to the Payload hash stored in the context.
func (*ContentSHA256Header) HandleFinalize ¶ added in v1.25.2HandleFinalize sets the X-Amz-Content-Sha256 header value to the Payload hash stored in the context.
ID returns the ContentSHA256HeaderMiddleware identifier
EventStreamSigner is an AWS EventStream protocol signer.
type HTTPPresigner interface {
PresignHTTP(
ctx context.Context, credentials aws.Credentials, r *http.Request,
payloadHash string, service string, region string, signingTime time.Time,
optFns ...func(*SignerOptions),
) (url string, signedHeader http.Header, err error)
}
HTTPPresigner is an interface to a SigV4 signer that can sign create a presigned URL for a HTTP requests.
HTTPSigner is an interface to a SigV4 signer that can sign HTTP requests
type HashComputationError struct {
Err error
}
HashComputationError indicates an error occurred while computing the signing hash
Error is the error message
Unwrap returns the underlying error if one is set
type PresignHTTPRequestMiddleware struct {
}
PresignHTTPRequestMiddleware provides the Finalize middleware for creating a presigned URL for an HTTP request.
Will short circuit the middleware stack and not forward onto the next Finalize handler.
NewPresignHTTPRequestMiddleware returns a new PresignHTTPRequestMiddleware initialized with the presigner.
func (*PresignHTTPRequestMiddleware) HandleFinalize ¶ added in v0.28.0HandleFinalize will take the provided input and create a presigned url for the http request using the SigV4 presign authentication scheme.
Since the signed request is not a valid HTTP request
ID provides the middleware ID.
PresignHTTPRequestMiddlewareOptions is the options for the PresignHTTPRequestMiddleware middleware.
type PresignedHTTPRequest struct {
URL string
Method string
}
PresignedHTTPRequest provides the URL and signed headers that are included in the presigned URL.
type SignHTTPRequestMiddleware struct {
}
SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation for SigV4 HTTP Signing.
Deprecated: AWS service clients no longer use this middleware. Signing as an SDK operation is now performed through an internal per-service middleware which opaquely selects and uses the signer from the resolved auth scheme.
NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given Signer for signing requests.
Deprecated: SignHTTPRequestMiddleware is deprecated.
func (*SignHTTPRequestMiddleware) HandleFinalize deprecated added in v0.21.0HandleFinalize will take the provided input and sign the request using the SigV4 authentication scheme.
Deprecated: SignHTTPRequestMiddleware is deprecated.
ID is the SignHTTPRequestMiddleware identifier.
Deprecated: SignHTTPRequestMiddleware is deprecated.
Signer applies AWS v4 signing to given request. Use this to sign requests that need to be signed with AWS V4 Signatures.
NewSigner returns a new SigV4 Signer
func (s *Signer) PresignHTTP( ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(*SignerOptions), ) (signedURI string, signedHeaders http.Header, err error)
PresignHTTP signs AWS v4 requests with the payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.
Returns the signed URL and the map of HTTP headers that were included in the signature or an error if signing the request failed. For presigned requests these headers and their values must be included on the HTTP request when it is made. This is helpful to know what header values need to be shared with the party the presigned request will be distributed to.
The payloadHash is the hex encoded SHA-256 hash of the request payload, and must be provided. Even if the request has no payload (aka body). If the request has no payload you should use the hex encoded SHA-256 of an empty string as the payloadHash value.
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Some services such as Amazon S3 accept alternative values for the payload hash, such as "UNSIGNED-PAYLOAD" for requests where the body will not be included in the request signature.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
PresignHTTP differs from SignHTTP in that it will sign the request using query string instead of header values. This allows you to share the Presigned Request's URL with third parties, or distribute it throughout your system with minimal dependencies.
PresignHTTP will not set the expires time of the presigned request automatically. To specify the expire duration for a request add the "X-Amz-Expires" query parameter on the request with the value as the duration in seconds the presigned URL should be considered valid for. This parameter is not used by all AWS services, and is most notable used by Amazon S3 APIs.
expires := 20 * time.Minute
query := req.URL.Query()
query.Set("X-Amz-Expires", strconv.FormatInt(int64(expires/time.Second), 10))
req.URL.RawQuery = query.Encode()
This method does not modify the provided request.
SignHTTP signs AWS v4 requests with the provided payload hash, service name, region the request is made to, and time the request is signed at. The signTime allows you to specify that a request is signed for the future, and cannot be used until then.
The payloadHash is the hex encoded SHA-256 hash of the request payload, and must be provided. Even if the request has no payload (aka body). If the request has no payload you should use the hex encoded SHA-256 of an empty string as the payloadHash value.
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
Some services such as Amazon S3 accept alternative values for the payload hash, such as "UNSIGNED-PAYLOAD" for requests where the body will not be included in the request signature.
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
Sign differs from Presign in that it will sign the request using HTTP header values. This type of signing is intended for http.Request values that will not be shared, or are shared in a way the header values on the request will not be lost.
The passed in request will be modified in place.
type SignerOptions struct {
DisableHeaderHoisting bool
DisableURIPathEscaping bool
Logger logging.Logger
LogSigning bool
DisableSessionToken bool
}
SignerOptions is the SigV4 Signer options.
type SigningError struct {
Err error
}
SigningError indicates an error condition occurred while performing SigV4 signing
Unwrap returns the underlying error cause
type StreamSigner struct {
}
StreamSigner implements Signature Version 4 (SigV4) signing of event stream encoded payloads.
NewStreamSigner returns a new AWS EventStream protocol signer.
GetSignature signs the provided header and payload bytes.
type StreamSignerOptions struct{}
StreamSignerOptions is the configuration options for StreamSigner.
type StreamingEventsPayload struct{}
StreamingEventsPayload signs input event stream messages.
func (*StreamingEventsPayload) HandleFinalize ¶ added in v1.25.2HandleFinalize marks the input stream to be signed with SigV4.
ID identifies the middleware.
type UnsignedPayload struct{}
UnsignedPayload sets the SigV4 request payload hash to unsigned.
Will not set the Unsigned Payload magic SHA value, if a SHA has already been stored in the context. (e.g. application pre-computed SHA256 before making API call).
This middleware does not check the X-Amz-Content-Sha256 header, if that header is serialized a middleware must translate it into the context.
func (*UnsignedPayload) HandleFinalize ¶ added in v1.25.2HandleFinalize sets the payload hash magic value to the unsigned sentinel.
ID returns the unsignedPayload identifier
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4