登录
golang
/
flannel
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 88d3536b8f
分支列表 标签列表
flannel
/
vendor
/
github.com
/
aws
/
aws-sdk-go
/
service
/
cloudfront
/
sign
/
policy.go

policy.go 6.1 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 
  1. package sign
    2. 

  2. 

  3. import (
    4. 

  4. 	"bytes"
    5. 

  5. 	"crypto"
    6. 

  6. 	"crypto/rand"
    7. 

  7. 	"crypto/rsa"
    8. 

  8. 	"crypto/sha1"
    9. 

  9. 	"encoding/base64"
    10. 

  10. 	"encoding/json"
    11. 

  11. 	"fmt"
    12. 

  12. 	"io"
    13. 

  13. 	"net/url"
    14. 

  14. 	"strings"
    15. 

  15. 	"time"
    16. 

  16. )
    17. 

  17. 

  18. // An AWSEpochTime wraps a time value providing JSON serialization needed for
    19. 

  19. // AWS Policy epoch time fields.
    20. 

  20. type AWSEpochTime struct {
    21. 

  21. 	time.Time
    22. 

  22. }
    23. 

  23. 

  24. // NewAWSEpochTime returns a new AWSEpochTime pointer wrapping the Go time provided.
    25. 

  25. func NewAWSEpochTime(t time.Time) *AWSEpochTime {
    26. 

  26. 	return &AWSEpochTime{t}
    27. 

  27. }
    28. 

  28. 

  29. // MarshalJSON serializes the epoch time as AWS Profile epoch time.
    30. 

  30. func (t AWSEpochTime) MarshalJSON() ([]byte, error) {
    31. 

  31. 	return []byte(fmt.Sprintf(`{"AWS:EpochTime":%d}`, t.UTC().Unix())), nil
    32. 

  32. }
    33. 

  33. 

  34. // An IPAddress wraps an IPAddress source IP providing JSON serialization information
    35. 

  35. type IPAddress struct {
    36. 

  36. 	SourceIP string `json:"AWS:SourceIp"`
    37. 

  37. }
    38. 

  38. 

  39. // A Condition defines the restrictions for how a signed URL can be used.
    40. 

  40. type Condition struct {
    41. 

  41. 	// Optional IP address mask the signed URL must be requested from.
    42. 

  42. 	IPAddress *IPAddress `json:"IpAddress,omitempty"`
    43. 

  43. 

  44. 	// Optional date that the signed URL cannot be used until. It is invalid
    45. 

  45. 	// to make requests with the signed URL prior to this date.
    46. 

  46. 	DateGreaterThan *AWSEpochTime `json:",omitempty"`
    47. 

  47. 

  48. 	// Required date that the signed URL will expire. A DateLessThan is required
    49. 

  49. 	// sign cloud front URLs
    50. 

  50. 	DateLessThan *AWSEpochTime `json:",omitempty"`
    51. 

  51. }
    52. 

  52. 

  53. // A Statement is a collection of conditions for resources
    54. 

  54. type Statement struct {
    55. 

  55. 	// The Web or RTMP resource the URL will be signed for
    56. 

  56. 	Resource string
    57. 

  57. 

  58. 	// The set of conditions for this resource
    59. 

  59. 	Condition Condition
    60. 

  60. }
    61. 

  61. 

  62. // A Policy defines the resources that a signed will be signed for.
    63. 

  63. //
    64. 

  64. // See the following page for more information on how policies are constructed.
    65. 

  65. // http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
    66. 

  66. type Policy struct {
    67. 

  67. 	// List of resource and condition statements.
    68. 

  68. 	// Signed URLs should only provide a single statement.
    69. 

  69. 	Statements []Statement `json:"Statement"`
    70. 

  70. }
    71. 

  71. 

  72. // Override for testing to mock out usage of crypto/rand.Reader
    73. 

  73. var randReader = rand.Reader
    74. 

  74. 

  75. // Sign will sign a policy using an RSA private key. It will return a base 64
    76. 

  76. // encoded signature and policy if no error is encountered.
    77. 

  77. //
    78. 

  78. // The signature and policy should be added to the signed URL following the
    79. 

  79. // guidelines in:
    80. 

  80. // http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
    81. 

  81. func (p *Policy) Sign(privKey *rsa.PrivateKey) (b64Signature, b64Policy []byte, err error) {
    82. 

  82. 	if len(p.Statements) != 1 {
    83. 

  83. 		return nil, nil, fmt.Errorf("invalid number of policy statements expected 1 got %d", len(p.Statements))
    84. 

  84. 	}
    85. 

  85. 	if p.Statements[0].Resource == "" {
    86. 

  86. 		return nil, nil, fmt.Errorf("no resource in profile statement")
    87. 

  87. 	}
    88. 

  88. 

  89. 	// Build and escape the policy
    90. 

  90. 	b64Policy, jsonPolicy, err := encodePolicy(p)
    91. 

  91. 	if err != nil {
    92. 

  92. 		return nil, nil, err
    93. 

  93. 	}
    94. 

  94. 	awsEscapeEncoded(b64Policy)
    95. 

  95. 

  96. 	// Build and escape the signature
    97. 

  97. 	b64Signature, err = signEncodedPolicy(randReader, jsonPolicy, privKey)
    98. 

  98. 	if err != nil {
    99. 

  99. 		return nil, nil, err
    100. 

  100. 	}
    101. 

  101. 	awsEscapeEncoded(b64Signature)
    102. 

  102. 

  103. 	return b64Signature, b64Policy, nil
    104. 

  104. }
    105. 

  105. 

  106. // CreateResource constructs, validates, and returns a resource URL string. An
    107. 

  107. // error will be returned if unable to create the resource string.
    108. 

  108. func CreateResource(scheme, u string) (string, error) {
    109. 

  109. 	scheme = strings.ToLower(scheme)
    110. 

  110. 

  111. 	if scheme == "http" || scheme == "https" {
    112. 

  112. 		return u, nil
    113. 

  113. 	}
    114. 

  114. 

  115. 	if scheme == "rtmp" {
    116. 

  116. 		parsed, err := url.Parse(u)
    117. 

  117. 		if err != nil {
    118. 

  118. 			return "", fmt.Errorf("unable to parse rtmp URL, err: %s", err)
    119. 

  119. 		}
    120. 

  120. 

  121. 		rtmpURL := strings.TrimLeft(parsed.Path, "/")
    122. 

  122. 		if parsed.RawQuery != "" {
    123. 

  123. 			rtmpURL = fmt.Sprintf("%s?%s", rtmpURL, parsed.RawQuery)
    124. 

  124. 		}
    125. 

  125. 

  126. 		return rtmpURL, nil
    127. 

  127. 	}
    128. 

  128. 

  129. 	return "", fmt.Errorf("invalid URL scheme must be http, https, or rtmp. Provided: %s", scheme)
    130. 

  130. }
    131. 

  131. 

  132. // NewCannedPolicy returns a new Canned Policy constructed using the resource
    133. 

  133. // and expires time. This can be used to generate the basic model for a Policy
    134. 

  134. // that can be then augmented with additional conditions.
    135. 

  135. //
    136. 

  136. // See the following page for more information on how policies are constructed.
    137. 

  137. // http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement
    138. 

  138. func NewCannedPolicy(resource string, expires time.Time) *Policy {
    139. 

  139. 	return &Policy{
    140. 

  140. 		Statements: []Statement{
    141. 

  141. 			{
    142. 

  142. 				Resource: resource,
    143. 

  143. 				Condition: Condition{
    144. 

  144. 					DateLessThan: NewAWSEpochTime(expires),
    145. 

  145. 				},
    146. 

  146. 			},
    147. 

  147. 		},
    148. 

  148. 	}
    149. 

  149. }
    150. 

  150. 

  151. // encodePolicy encodes the Policy as JSON and also base 64 encodes it.
    152. 

  152. func encodePolicy(p *Policy) (b64Policy, jsonPolicy []byte, err error) {
    153. 

  153. 	jsonPolicy, err = json.Marshal(p)
    154. 

  154. 	if err != nil {
    155. 

  155. 		return nil, nil, fmt.Errorf("failed to encode policy, %s", err.Error())
    156. 

  156. 	}
    157. 

  157. 

  158. 	// Remove leading and trailing white space, JSON encoding will note include
    159. 

  159. 	// whitespace within the encoding.
    160. 

  160. 	jsonPolicy = bytes.TrimSpace(jsonPolicy)
    161. 

  161. 

  162. 	b64Policy = make([]byte, base64.StdEncoding.EncodedLen(len(jsonPolicy)))
    163. 

  163. 	base64.StdEncoding.Encode(b64Policy, jsonPolicy)
    164. 

  164. 	return b64Policy, jsonPolicy, nil
    165. 

  165. }
    166. 

  166. 

  167. // signEncodedPolicy will sign and base 64 encode the JSON encoded policy.
    168. 

  168. func signEncodedPolicy(randReader io.Reader, jsonPolicy []byte, privKey *rsa.PrivateKey) ([]byte, error) {
    169. 

  169. 	hash := sha1.New()
    170. 

  170. 	if _, err := bytes.NewReader(jsonPolicy).WriteTo(hash); err != nil {
    171. 

  171. 		return nil, fmt.Errorf("failed to calculate signing hash, %s", err.Error())
    172. 

  172. 	}
    173. 

  173. 

  174. 	sig, err := rsa.SignPKCS1v15(randReader, privKey, crypto.SHA1, hash.Sum(nil))
    175. 

  175. 	if err != nil {
    176. 

  176. 		return nil, fmt.Errorf("failed to sign policy, %s", err.Error())
    177. 

  177. 	}
    178. 

  178. 

  179. 	b64Sig := make([]byte, base64.StdEncoding.EncodedLen(len(sig)))
    180. 

  180. 	base64.StdEncoding.Encode(b64Sig, sig)
    181. 

  181. 	return b64Sig, nil
    182. 

  182. }
    183. 

  183. 

  184. // special characters to be replaced with awsEscapeEncoded
    185. 

  185. var invalidEncodedChar = map[byte]byte{
    186. 

  186. 	'+': '-',
    187. 

  187. 	'=': '_',
    188. 

  188. 	'/': '~',
    189. 

  189. }
    190. 

  190. 

  191. // awsEscapeEncoded will replace base64 encoding's special characters to be URL safe.
    192. 

  192. func awsEscapeEncoded(b []byte) {
    193. 

  193. 	for i, v := range b {
    194. 

  194. 		if r, ok := invalidEncodedChar[v]; ok {
    195. 

  195. 			b[i] = r
    196. 

  196. 		}
    197. 

  197. 	}
    198. 

  198. }
    199.