-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathverifier_v4.go
39 lines (35 loc) · 1.12 KB
/
verifier_v4.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package toyhose
import (
"errors"
"io"
"net/http"
"strings"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
v4 "github.com/aws/aws-sdk-go/aws/signer/v4"
)
var (
errInvalidSignature = errors.New("invalid signature")
)
func verifyV4(c *aws.Config, req *http.Request, body io.ReadSeeker) error {
refAuth := req.Header.Get("Authorization")
sigHeaders := strings.Split(refAuth, ", ")[1]
sigHeaderVal := strings.Split(sigHeaders, "=")[1]
ts, _ := time.Parse("20060102T150405Z", req.Header.Get("X-Amz-Date"))
copiedReq := req.Clone(req.Context())
remainHeaders := http.Header{}
for _, key := range strings.Split(sigHeaderVal, ";") {
if val := req.Header.Get(key); val != "" {
remainHeaders.Set(key, val)
}
}
copiedReq.Header = remainHeaders
if _, err := v4.NewSigner(c.Credentials).Sign(copiedReq, body, "firehose", *c.Region, ts); err != nil {
return awserr.New("IncompleteSignature", "failed to build sign", err)
}
if a := copiedReq.Header.Get("Authorization"); a != refAuth {
return awserr.New("AccessDeniedException", "signature mismatched", errInvalidSignature)
}
return nil
}