package signature import ( "crypto/hmac" "encoding/hex" "net/http" "regexp" "strings" "unicode/utf8" "github.com/minio/minio/pkg/crypto/sha256" ) // AccessID and SecretID length in bytes const ( MinioAccessID = 20 MinioSecretID = 40 ) /// helpers // isValidSecretKey - validate secret key. var isValidSecretKey = regexp.MustCompile("^.{40}$") // isValidAccessKey - validate access key. var isValidAccessKey = regexp.MustCompile("^[A-Z0-9\\-\\.\\_\\~]{20}$") // isValidRegion - verify if incoming region value is valid with configured Region. func isValidRegion(reqRegion string, confRegion string) bool { if confRegion == "" || confRegion == "US" { confRegion = "us-east-1" } // Some older s3 clients set region as "US" instead of // "us-east-1", handle it. if reqRegion == "US" { reqRegion = "us-east-1" } return reqRegion == confRegion } // sumHMAC calculate hmac between two input byte array. func sumHMAC(key []byte, data []byte) []byte { hash := hmac.New(sha256.New, key) hash.Write(data) return hash.Sum(nil) } // getURLEncodedName encode the strings from UTF-8 byte representations to HTML hex escape sequences // // This is necessary since regular url.Parse() and url.Encode() functions do not support UTF-8 // non english characters cannot be parsed due to the nature in which url.Encode() is written // // This function on the other hand is a direct replacement for url.Encode() technique to support // pretty much every UTF-8 character. func getURLEncodedName(name string) string { // if object matches reserved string, no need to encode them reservedNames := regexp.MustCompile("^[a-zA-Z0-9-_.~/]+$") if reservedNames.MatchString(name) { return name } var encodedName string for _, s := range name { if 'A' <= s && s <= 'Z' || 'a' <= s && s <= 'z' || '0' <= s && s <= '9' { // §2.3 Unreserved characters (mark) encodedName = encodedName + string(s) continue } switch s { case '-', '_', '.', '~', '/': // §2.3 Unreserved characters (mark) encodedName = encodedName + string(s) continue default: len := utf8.RuneLen(s) if len < 0 { return name } u := make([]byte, len) utf8.EncodeRune(u, s) for _, r := range u { hex := hex.EncodeToString([]byte{r}) encodedName = encodedName + "%" + strings.ToUpper(hex) } } } return encodedName } // extractSignedHeaders extract signed headers from Authorization header func extractSignedHeaders(signedHeaders []string, reqHeaders http.Header) http.Header { extractedSignedHeaders := make(http.Header) for _, header := range signedHeaders { val, ok := reqHeaders[http.CanonicalHeaderKey(header)] if !ok { // Golang http server strips off 'Expect' header, if the // client sent this as part of signed headers we need to // handle otherwise we would see a signature mismatch. // `aws-cli` sets this as part of signed headers. // // According to // http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.20 // Expect header is always of form: // // Expect = "Expect" ":" 1#expectation // expectation = "100-continue" | expectation-extension // // So it safe to assume that '100-continue' is what would // be sent, for the time being keep this work around. // Adding a *TODO* to remove this later when Golang server // doesn't filter out the 'Expect' header. if header == "expect" { extractedSignedHeaders[header] = []string{"100-continue"} } // If not found continue, we will fail later. continue } extractedSignedHeaders[header] = val } return extractedSignedHeaders }