aws4.js 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383
  1. var aws4 = exports,
  2. url = require('url'),
  3. querystring = require('querystring'),
  4. crypto = require('crypto'),
  5. lru = require('./lru'),
  6. credentialsCache = lru(1000)
  7. // http://docs.amazonwebservices.com/general/latest/gr/signature-version-4.html
  8. function hmac(key, string, encoding) {
  9. return crypto.createHmac('sha256', key).update(string, 'utf8').digest(encoding)
  10. }
  11. function hash(string, encoding) {
  12. return crypto.createHash('sha256').update(string, 'utf8').digest(encoding)
  13. }
  14. // This function assumes the string has already been percent encoded
  15. function encodeRfc3986(urlEncodedString) {
  16. return urlEncodedString.replace(/[!'()*]/g, function(c) {
  17. return '%' + c.charCodeAt(0).toString(16).toUpperCase()
  18. })
  19. }
  20. function encodeRfc3986Full(str) {
  21. return encodeRfc3986(encodeURIComponent(str))
  22. }
  23. // A bit of a combination of:
  24. // https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59
  25. // https://github.com/aws/aws-sdk-js/blob/18cb7e5b463b46239f9fdd4a65e2ff8c81831e8f/lib/signers/v4.js#L191-L199
  26. // https://github.com/mhart/aws4fetch/blob/b3aed16b6f17384cf36ea33bcba3c1e9f3bdfefd/src/main.js#L25-L34
  27. var HEADERS_TO_IGNORE = {
  28. 'authorization': true,
  29. 'connection': true,
  30. 'x-amzn-trace-id': true,
  31. 'user-agent': true,
  32. 'expect': true,
  33. 'presigned-expires': true,
  34. 'range': true,
  35. }
  36. // request: { path | body, [host], [method], [headers], [service], [region] }
  37. // credentials: { accessKeyId, secretAccessKey, [sessionToken] }
  38. function RequestSigner(request, credentials) {
  39. if (typeof request === 'string') request = url.parse(request)
  40. var headers = request.headers = Object.assign({}, (request.headers || {})),
  41. hostParts = (!this.service || !this.region) && this.matchHost(request.hostname || request.host || headers.Host || headers.host)
  42. this.request = request
  43. this.credentials = credentials || this.defaultCredentials()
  44. this.service = request.service || hostParts[0] || ''
  45. this.region = request.region || hostParts[1] || 'us-east-1'
  46. // SES uses a different domain from the service name
  47. if (this.service === 'email') this.service = 'ses'
  48. if (!request.method && request.body)
  49. request.method = 'POST'
  50. if (!headers.Host && !headers.host) {
  51. headers.Host = request.hostname || request.host || this.createHost()
  52. // If a port is specified explicitly, use it as is
  53. if (request.port)
  54. headers.Host += ':' + request.port
  55. }
  56. if (!request.hostname && !request.host)
  57. request.hostname = headers.Host || headers.host
  58. this.isCodeCommitGit = this.service === 'codecommit' && request.method === 'GIT'
  59. this.extraHeadersToIgnore = request.extraHeadersToIgnore || Object.create(null)
  60. this.extraHeadersToInclude = request.extraHeadersToInclude || Object.create(null)
  61. }
  62. RequestSigner.prototype.matchHost = function(host) {
  63. var match = (host || '').match(/([^\.]{1,63})\.(?:([^\.]{0,63})\.)?amazonaws\.com(\.cn)?$/)
  64. var hostParts = (match || []).slice(1, 3)
  65. // ES's hostParts are sometimes the other way round, if the value that is expected
  66. // to be region equals ‘es’ switch them back
  67. // e.g. search-cluster-name-aaaa00aaaa0aaa0aaaaaaa0aaa.us-east-1.es.amazonaws.com
  68. if (hostParts[1] === 'es' || hostParts[1] === 'aoss')
  69. hostParts = hostParts.reverse()
  70. if (hostParts[1] == 's3') {
  71. hostParts[0] = 's3'
  72. hostParts[1] = 'us-east-1'
  73. } else {
  74. for (var i = 0; i < 2; i++) {
  75. if (/^s3-/.test(hostParts[i])) {
  76. hostParts[1] = hostParts[i].slice(3)
  77. hostParts[0] = 's3'
  78. break
  79. }
  80. }
  81. }
  82. return hostParts
  83. }
  84. // http://docs.aws.amazon.com/general/latest/gr/rande.html
  85. RequestSigner.prototype.isSingleRegion = function() {
  86. // Special case for S3 and SimpleDB in us-east-1
  87. if (['s3', 'sdb'].indexOf(this.service) >= 0 && this.region === 'us-east-1') return true
  88. return ['cloudfront', 'ls', 'route53', 'iam', 'importexport', 'sts']
  89. .indexOf(this.service) >= 0
  90. }
  91. RequestSigner.prototype.createHost = function() {
  92. var region = this.isSingleRegion() ? '' : '.' + this.region,
  93. subdomain = this.service === 'ses' ? 'email' : this.service
  94. return subdomain + region + '.amazonaws.com'
  95. }
  96. RequestSigner.prototype.prepareRequest = function() {
  97. this.parsePath()
  98. var request = this.request, headers = request.headers, query
  99. if (request.signQuery) {
  100. this.parsedPath.query = query = this.parsedPath.query || {}
  101. if (this.credentials.sessionToken)
  102. query['X-Amz-Security-Token'] = this.credentials.sessionToken
  103. if (this.service === 's3' && !query['X-Amz-Expires'])
  104. query['X-Amz-Expires'] = 86400
  105. if (query['X-Amz-Date'])
  106. this.datetime = query['X-Amz-Date']
  107. else
  108. query['X-Amz-Date'] = this.getDateTime()
  109. query['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
  110. query['X-Amz-Credential'] = this.credentials.accessKeyId + '/' + this.credentialString()
  111. query['X-Amz-SignedHeaders'] = this.signedHeaders()
  112. } else {
  113. if (!request.doNotModifyHeaders && !this.isCodeCommitGit) {
  114. if (request.body && !headers['Content-Type'] && !headers['content-type'])
  115. headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=utf-8'
  116. if (request.body && !headers['Content-Length'] && !headers['content-length'])
  117. headers['Content-Length'] = Buffer.byteLength(request.body)
  118. if (this.credentials.sessionToken && !headers['X-Amz-Security-Token'] && !headers['x-amz-security-token'])
  119. headers['X-Amz-Security-Token'] = this.credentials.sessionToken
  120. if (this.service === 's3' && !headers['X-Amz-Content-Sha256'] && !headers['x-amz-content-sha256'])
  121. headers['X-Amz-Content-Sha256'] = hash(this.request.body || '', 'hex')
  122. if (headers['X-Amz-Date'] || headers['x-amz-date'])
  123. this.datetime = headers['X-Amz-Date'] || headers['x-amz-date']
  124. else
  125. headers['X-Amz-Date'] = this.getDateTime()
  126. }
  127. delete headers.Authorization
  128. delete headers.authorization
  129. }
  130. }
  131. RequestSigner.prototype.sign = function() {
  132. if (!this.parsedPath) this.prepareRequest()
  133. if (this.request.signQuery) {
  134. this.parsedPath.query['X-Amz-Signature'] = this.signature()
  135. } else {
  136. this.request.headers.Authorization = this.authHeader()
  137. }
  138. this.request.path = this.formatPath()
  139. return this.request
  140. }
  141. RequestSigner.prototype.getDateTime = function() {
  142. if (!this.datetime) {
  143. var headers = this.request.headers,
  144. date = new Date(headers.Date || headers.date || new Date)
  145. this.datetime = date.toISOString().replace(/[:\-]|\.\d{3}/g, '')
  146. // Remove the trailing 'Z' on the timestamp string for CodeCommit git access
  147. if (this.isCodeCommitGit) this.datetime = this.datetime.slice(0, -1)
  148. }
  149. return this.datetime
  150. }
  151. RequestSigner.prototype.getDate = function() {
  152. return this.getDateTime().substr(0, 8)
  153. }
  154. RequestSigner.prototype.authHeader = function() {
  155. return [
  156. 'AWS4-HMAC-SHA256 Credential=' + this.credentials.accessKeyId + '/' + this.credentialString(),
  157. 'SignedHeaders=' + this.signedHeaders(),
  158. 'Signature=' + this.signature(),
  159. ].join(', ')
  160. }
  161. RequestSigner.prototype.signature = function() {
  162. var date = this.getDate(),
  163. cacheKey = [this.credentials.secretAccessKey, date, this.region, this.service].join(),
  164. kDate, kRegion, kService, kCredentials = credentialsCache.get(cacheKey)
  165. if (!kCredentials) {
  166. kDate = hmac('AWS4' + this.credentials.secretAccessKey, date)
  167. kRegion = hmac(kDate, this.region)
  168. kService = hmac(kRegion, this.service)
  169. kCredentials = hmac(kService, 'aws4_request')
  170. credentialsCache.set(cacheKey, kCredentials)
  171. }
  172. return hmac(kCredentials, this.stringToSign(), 'hex')
  173. }
  174. RequestSigner.prototype.stringToSign = function() {
  175. return [
  176. 'AWS4-HMAC-SHA256',
  177. this.getDateTime(),
  178. this.credentialString(),
  179. hash(this.canonicalString(), 'hex'),
  180. ].join('\n')
  181. }
  182. RequestSigner.prototype.canonicalString = function() {
  183. if (!this.parsedPath) this.prepareRequest()
  184. var pathStr = this.parsedPath.path,
  185. query = this.parsedPath.query,
  186. headers = this.request.headers,
  187. queryStr = '',
  188. normalizePath = this.service !== 's3',
  189. decodePath = this.service === 's3' || this.request.doNotEncodePath,
  190. decodeSlashesInPath = this.service === 's3',
  191. firstValOnly = this.service === 's3',
  192. bodyHash
  193. if (this.service === 's3' && this.request.signQuery) {
  194. bodyHash = 'UNSIGNED-PAYLOAD'
  195. } else if (this.isCodeCommitGit) {
  196. bodyHash = ''
  197. } else {
  198. bodyHash = headers['X-Amz-Content-Sha256'] || headers['x-amz-content-sha256'] ||
  199. hash(this.request.body || '', 'hex')
  200. }
  201. if (query) {
  202. var reducedQuery = Object.keys(query).reduce(function(obj, key) {
  203. if (!key) return obj
  204. obj[encodeRfc3986Full(key)] = !Array.isArray(query[key]) ? query[key] :
  205. (firstValOnly ? query[key][0] : query[key])
  206. return obj
  207. }, {})
  208. var encodedQueryPieces = []
  209. Object.keys(reducedQuery).sort().forEach(function(key) {
  210. if (!Array.isArray(reducedQuery[key])) {
  211. encodedQueryPieces.push(key + '=' + encodeRfc3986Full(reducedQuery[key]))
  212. } else {
  213. reducedQuery[key].map(encodeRfc3986Full).sort()
  214. .forEach(function(val) { encodedQueryPieces.push(key + '=' + val) })
  215. }
  216. })
  217. queryStr = encodedQueryPieces.join('&')
  218. }
  219. if (pathStr !== '/') {
  220. if (normalizePath) pathStr = pathStr.replace(/\/{2,}/g, '/')
  221. pathStr = pathStr.split('/').reduce(function(path, piece) {
  222. if (normalizePath && piece === '..') {
  223. path.pop()
  224. } else if (!normalizePath || piece !== '.') {
  225. if (decodePath) piece = decodeURIComponent(piece.replace(/\+/g, ' '))
  226. path.push(encodeRfc3986Full(piece))
  227. }
  228. return path
  229. }, []).join('/')
  230. if (pathStr[0] !== '/') pathStr = '/' + pathStr
  231. if (decodeSlashesInPath) pathStr = pathStr.replace(/%2F/g, '/')
  232. }
  233. return [
  234. this.request.method || 'GET',
  235. pathStr,
  236. queryStr,
  237. this.canonicalHeaders() + '\n',
  238. this.signedHeaders(),
  239. bodyHash,
  240. ].join('\n')
  241. }
  242. RequestSigner.prototype.filterHeaders = function() {
  243. var headers = this.request.headers,
  244. extraHeadersToInclude = this.extraHeadersToInclude,
  245. extraHeadersToIgnore = this.extraHeadersToIgnore
  246. this.filteredHeaders = Object.keys(headers)
  247. .map(function(key) { return [key.toLowerCase(), headers[key]] })
  248. .filter(function(entry) {
  249. return extraHeadersToInclude[entry[0]] ||
  250. (HEADERS_TO_IGNORE[entry[0]] == null && !extraHeadersToIgnore[entry[0]])
  251. })
  252. .sort(function(a, b) { return a[0] < b[0] ? -1 : 1 })
  253. }
  254. RequestSigner.prototype.canonicalHeaders = function() {
  255. if (!this.filteredHeaders) this.filterHeaders()
  256. return this.filteredHeaders.map(function(entry) {
  257. return entry[0] + ':' + entry[1].toString().trim().replace(/\s+/g, ' ')
  258. }).join('\n')
  259. }
  260. RequestSigner.prototype.signedHeaders = function() {
  261. if (!this.filteredHeaders) this.filterHeaders()
  262. return this.filteredHeaders.map(function(entry) { return entry[0] }).join(';')
  263. }
  264. RequestSigner.prototype.credentialString = function() {
  265. return [
  266. this.getDate(),
  267. this.region,
  268. this.service,
  269. 'aws4_request',
  270. ].join('/')
  271. }
  272. RequestSigner.prototype.defaultCredentials = function() {
  273. var env = process.env
  274. return {
  275. accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,
  276. secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,
  277. sessionToken: env.AWS_SESSION_TOKEN,
  278. }
  279. }
  280. RequestSigner.prototype.parsePath = function() {
  281. var path = this.request.path || '/'
  282. // S3 doesn't always encode characters > 127 correctly and
  283. // all services don't encode characters > 255 correctly
  284. // So if there are non-reserved chars (and it's not already all % encoded), just encode them all
  285. if (/[^0-9A-Za-z;,/?:@&=+$\-_.!~*'()#%]/.test(path)) {
  286. path = encodeURI(decodeURI(path))
  287. }
  288. var queryIx = path.indexOf('?'),
  289. query = null
  290. if (queryIx >= 0) {
  291. query = querystring.parse(path.slice(queryIx + 1))
  292. path = path.slice(0, queryIx)
  293. }
  294. this.parsedPath = {
  295. path: path,
  296. query: query,
  297. }
  298. }
  299. RequestSigner.prototype.formatPath = function() {
  300. var path = this.parsedPath.path,
  301. query = this.parsedPath.query
  302. if (!query) return path
  303. // Services don't support empty query string keys
  304. if (query[''] != null) delete query['']
  305. return path + '?' + encodeRfc3986(querystring.stringify(query))
  306. }
  307. aws4.RequestSigner = RequestSigner
  308. aws4.sign = function(request, credentials) {
  309. return new RequestSigner(request, credentials).sign()
  310. }