signature

package
v0.0.0-...-79da9bc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 12, 2026 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	AuthHeaderV4 = "AWS4-HMAC-SHA256"
	AuthHeaderV2 = "AWS"

	Iso8601BasicFormat = "20060102T150405Z"
	Iso8601DateFormat  = "20060102"

	UnsignedPayload         = "UNSIGNED-PAYLOAD"
	StreamingPayload        = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
	StreamingPayloadTrailer = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER"

	// Precomputed SHA256 hash of an empty payload
	HashedEmptyPayload = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)
View Source 
const (
	// Maximum chunk size (64MB - same as AWS default)
	MaxChunkSize = 64 * 1024 * 1024
)

Variables

View Source 
var (
	ErrInvalidChunkFormat       = errors.New("invalid chunk format")
	ErrChunkSignatureMismatch   = errors.New("chunk signature mismatch")
	ErrChunkTooLarge            = errors.New("chunk size exceeds maximum")
	ErrTrailerSignatureMismatch = errors.New("trailer signature mismatch")
	ErrInvalidTrailerFormat     = errors.New("invalid trailer format")
)

Functions

This section is empty.

Types

type AuthType 

type AuthType int
const (
	AuthTypeNone AuthType = iota
	AuthTypeAnonymous
	AuthTypeV2
	AuthTypeV4
	AuthTypePresignedV2
	AuthTypePresignedV4
	AuthTypePostPolicy
	AuthTypeStreamingSigned
	AuthTypeStreamingSignedTrailer
	AuthTypeStreamingUnsignedTrailer
)

func GetAuthType 

func GetAuthType(d *data.Data) AuthType

func (AuthType) String 

func (a AuthType) String() string

type ChunkReader 

type ChunkReader struct {
	// contains filtered or unexported fields
}

ChunkReader wraps an io.Reader and parses AWS chunked transfer encoding. It implements io.Reader and returns only the actual data (stripping framing).

NOTE: This basic reader does NOT verify chunk data signatures for performance. It only verifies the final (empty) chunk signature. For strict signature verification of all chunks, use VerifyingChunkReader instead.

This reader is suitable for internal/trusted sources or when verification is handled at a different layer.

func NewChunkReader 

func NewChunkReader(cfg ChunkReaderConfig) *ChunkReader

NewChunkReader creates a new ChunkReader for verifying chunked uploads

func (*ChunkReader) Read 

func (c *ChunkReader) Read(p []byte) (n int, err error)

Read implements io.Reader, returning verified chunk data

type ChunkReaderConfig 

type ChunkReaderConfig struct {
	Body          io.Reader
	SigningKey    []byte // Derived signing key
	SeedSignature string // Initial request signature
	Timestamp     string // Request timestamp (ISO8601)
	Region        string
	Service       string
}

ChunkReaderConfig holds configuration for creating a ChunkReader

type PolicyDocument 

type PolicyDocument struct {
	Expiration string        `json:"expiration"`
	Conditions []interface{} `json:"conditions"`
}

PolicyDocument represents the decoded POST policy

type PostFormData 

type PostFormData struct {
	// Required fields
	Key        string // Object key (may contain ${filename} substitution)
	Policy     string // Base64-encoded policy document
	Signature  string // x-amz-signature
	Algorithm  string // x-amz-algorithm (must be AWS4-HMAC-SHA256)
	Date       string // x-amz-date (ISO8601 format)
	Credential string // x-amz-credential (accessKey/date/region/s3/aws4_request)

	// Optional fields
	ACL                   string
	ContentType           string
	ContentDisposition    string
	ContentEncoding       string
	CacheControl          string
	Expires               string
	SuccessActionRedirect string
	SuccessActionStatus   int
	Tagging               string

	// Custom x-amz-meta-* headers
	Metadata map[string]string

	// File content (populated by caller)
	Filename string
	FileSize int64
}

PostFormData contains the parsed form fields from a POST upload

type PostPolicyResult 

type PostPolicyResult struct {
	Identity    *iam.Identity
	Key         string // Final object key after ${filename} substitution
	ContentType string
	ACL         string
	Metadata    map[string]string
}

PostPolicyResult contains the result of a successful POST policy verification

type PostPolicyVerifier 

type PostPolicyVerifier struct {
	// contains filtered or unexported fields
}

PostPolicyVerifier verifies AWS Signature V4 for POST form uploads

func NewPostPolicyVerifier 

func NewPostPolicyVerifier(iamManager *iam.Manager, region string) *PostPolicyVerifier

NewPostPolicyVerifier creates a new POST policy verifier

func (*PostPolicyVerifier) VerifyPostForm 

func (v *PostPolicyVerifier) VerifyPostForm(ctx context.Context, form *PostFormData, bucket string) (*PostPolicyResult, s3err.ErrorCode)

VerifyPostForm verifies the POST form data against the policy

type StreamingAuthResult 

type StreamingAuthResult struct {
	Identity      *iam.Identity
	SigningKey    []byte // Derived signing key for chunk verification
	SeedSignature string // Initial request signature (seed for chunk chain)
	Timestamp     string // ISO8601 timestamp from request
	Region        string
	Service       string
}

StreamingAuthResult contains the authentication result and signing context needed for verifying chunked upload signatures.

type TrailerChunkReader 

type TrailerChunkReader struct {
	*VerifyingChunkReader
	// contains filtered or unexported fields
}

TrailerChunkReader extends VerifyingChunkReader with support for trailing checksums. It parses and verifies trailer headers (e.g., x-amz-checksum-crc32c) and their signature.

AWS chunked encoding with trailers format: <chunk-size-hex>;chunk-signature=<signature>\r\n <chunk-data>\r\n ... repeat ... 0;chunk-signature=<final-signature>\r\n x-amz-checksum-crc32c:<base64-checksum>\r\n x-amz-trailer-signature:<trailer-signature>\r\n \r\n

See: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming-trailers.html

func NewTrailerChunkReader 

func NewTrailerChunkReader(cfg ChunkReaderConfig) *TrailerChunkReader

NewTrailerChunkReader creates a ChunkReader that supports trailing checksums

func (*TrailerChunkReader) GetTrailer 

func (t *TrailerChunkReader) GetTrailer(name string) string

GetTrailer returns a specific trailer value, or empty string if not present.

func (*TrailerChunkReader) Read 

func (t *TrailerChunkReader) Read(p []byte) (n int, err error)

Read implements io.Reader, returning verified chunk data and parsing trailers at EOF

func (*TrailerChunkReader) Trailers 

func (t *TrailerChunkReader) Trailers() map[string]string

Trailers returns the parsed trailing headers (e.g., x-amz-checksum-crc32c). This should be called after reading all data (after io.EOF). Returns nil if no trailers were present or trailers haven't been read yet.

type V2Verifier 

type V2Verifier struct {
	// contains filtered or unexported fields
}

V2Verifier verifies AWS Signature Version 2 authentication

func NewV2Verifier 

func NewV2Verifier(iamManager *iam.Manager) *V2Verifier

NewV2Verifier creates a new signature v2 verifier

func (*V2Verifier) VerifyRequest 

func (v *V2Verifier) VerifyRequest(r *http.Request) (*iam.Identity, s3err.ErrorCode)

VerifyRequest verifies AWS Signature V2 for a request Returns the authenticated identity or an error code

type V4Verifier 

type V4Verifier struct {
	// contains filtered or unexported fields
}

V4Verifier verifies AWS Signature Version 4 authentication

func NewV4Verifier 

func NewV4Verifier(iamManager *iam.Manager) *V4Verifier

NewV4Verifier creates a new signature v4 verifier

func (*V4Verifier) VerifyRequest 

func (v *V4Verifier) VerifyRequest(r *http.Request) (*iam.Identity, s3err.ErrorCode)

VerifyRequest verifies AWS Signature V4 for a request Returns the authenticated identity or an error code

func (*V4Verifier) VerifyStreamingRequest 

func (v *V4Verifier) VerifyStreamingRequest(r *http.Request) (*StreamingAuthResult, s3err.ErrorCode)

VerifyStreamingRequest verifies the initial request signature for streaming uploads and returns the signing context needed for chunk-level verification.

type VerifyingChunkReader 

type VerifyingChunkReader struct {
	*ChunkReader
	// contains filtered or unexported fields
}

VerifyingChunkReader wraps ChunkReader and verifies each chunk's signature after reading its data. This provides strict verification at the cost of buffering chunk data.

func NewVerifyingChunkReader 

func NewVerifyingChunkReader(cfg ChunkReaderConfig) *VerifyingChunkReader

NewVerifyingChunkReader creates a ChunkReader with strict signature verification

func (*VerifyingChunkReader) Read 

func (v *VerifyingChunkReader) Read(p []byte) (n int, err error)

Read implements io.Reader with strict signature verification

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.