private void TestS3Signer(bool requestUseSigV4, string clientConfigSignatureVersion, bool awsConfigsS3UseSignatureVersion4, bool expectSigV4) { var originalAWSConfigsS3UseSignatureVersion4 = AWSConfigsS3.UseSignatureVersion4; try { AWSConfigsS3.UseSignatureVersion4 = awsConfigsS3UseSignatureVersion4; var signer = new S3Signer(); var putObjectRequest = new PutObjectRequest(); var iRequest = new DefaultRequest(putObjectRequest, "s3") { UseSigV4 = requestUseSigV4, Endpoint = new System.Uri("https://does_not_matter.com") }; var config = new AmazonS3Config { SignatureVersion = clientConfigSignatureVersion, RegionEndpoint = RegionEndpoint.USWest1 }; signer.Sign(iRequest, config, new RequestMetrics(), "ACCESS", "SECRET"); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.AreEqual(expectSigV4, iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("aws4_request")); } finally { AWSConfigsS3.UseSignatureVersion4 = originalAWSConfigsS3UseSignatureVersion4; } }
public void TestS3SignerSignatureVersion(SignatureVersion signatureVersion, string clientConfigSignatureVersion, bool awsConfigsS3UseSignatureVersion4, SignatureVersion expectedSignatureVersion) { var originalAWSConfigsS3UseSignatureVersion4 = AWSConfigsS3.UseSignatureVersion4; try { AWSConfigsS3.UseSignatureVersion4 = awsConfigsS3UseSignatureVersion4; var signer = new S3Signer(); var putObjectRequest = new PutObjectRequest(); var iRequest = new DefaultRequest(putObjectRequest, "s3") { SignatureVersion = signatureVersion, Endpoint = new System.Uri("https://does_not_matter.com") }; var config = new AmazonS3Config { SignatureVersion = clientConfigSignatureVersion, RegionEndpoint = RegionEndpoint.USWest1 }; signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); if (expectedSignatureVersion == SignatureVersion.SigV4a) { Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS4-ECDSA-P256-SHA256")); } else if (expectedSignatureVersion == SignatureVersion.SigV4) { Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS4-HMAC-SHA256")); } else if (expectedSignatureVersion == SignatureVersion.SigV2) { Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS ACCESS")); } } finally { AWSConfigsS3.UseSignatureVersion4 = originalAWSConfigsS3UseSignatureVersion4; } }
public void WriteGetObjectResponseSignerTest() { var signer = new S3Signer(); var request = new WriteGetObjectResponseRequest { RequestRoute = "route", RequestToken = "token" }; var config = new AmazonS3Config { RegionEndpoint = RegionEndpoint.EUWest1 }; var iRequest = S3ArnTestUtils.RunMockRequest(request, WriteGetObjectResponseRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-object-lambda")); }
public void S3ObjectLambdaSignerTest() { var signer = new S3Signer(); var arnString = "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/mybanner"; var request = new GetObjectRequest() { BucketName = arnString, Key = "foo.txt" }; var config = new AmazonS3Config { RegionEndpoint = RegionEndpoint.USEast1 }; var iRequest = S3ArnTestUtils.RunMockRequest(request, GetObjectRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-object-lambda")); }
public void TestS3OutpostsSignerGetBucket() { var signer = new S3Signer(); var bucketArn = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket"; var getBucketRequest = new GetBucketRequest { Bucket = bucketArn }; var config = new AmazonS3ControlConfig { UseArnRegion = true, RegionEndpoint = RegionEndpoint.USWest2 }; var originalAuthService = config.AuthenticationServiceName; var iRequest = S3ControlArnTestUtils.RunMockRequest(getBucketRequest, GetBucketRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts")); Assert.IsTrue(config.AuthenticationServiceName == originalAuthService); }
public void TestS3OutpostsSignerCreateAccessPointWithArn() { var signer = new S3Signer(); var createAccessPointRequest = new CreateAccessPointRequest { Bucket = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket", Name = "myaccesspoint", }; var config = new AmazonS3ControlConfig { UseArnRegion = true, RegionEndpoint = RegionEndpoint.USWest2 }; var originalAuthService = config.AuthenticationServiceName; var iRequest = S3ControlArnTestUtils.RunMockRequest(createAccessPointRequest, CreateAccessPointRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), "ACCESS", "SECRET"); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts")); Assert.IsTrue(config.AuthenticationServiceName == originalAuthService); }
public void TestS3OutpostsSigner() { var signer = new S3Signer(); var outpostsArn = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint"; var putObjectRequest = new PutObjectRequest() { BucketName = outpostsArn, Key = "foo.txt", ContentBody = "data" }; var config = new AmazonS3Config { UseArnRegion = true, RegionEndpoint = RegionEndpoint.USWest2 }; var iRequest = S3ArnTestUtils.RunMockRequest(putObjectRequest, PutObjectRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts")); }
public void TestS3OutpostsSignerCreateBucket() { var signer = new S3Signer(); var createBucketRequest = new CreateBucketRequest { Bucket = "test", OutpostId = "op-123456789012" }; var config = new AmazonS3ControlConfig { SignatureVersion = "4", UseArnRegion = true, RegionEndpoint = RegionEndpoint.USWest2 }; var originalAuthService = config.AuthenticationServiceName; var iRequest = S3ControlArnTestUtils.RunMockRequest(createBucketRequest, CreateBucketRequestMarshaller.Instance, config); signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", "")); Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader)); Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts")); Assert.IsTrue(config.AuthenticationServiceName == originalAuthService); }
/// <summary> /// Create a signed URL allowing access to a resource that would /// usually require authentication. /// </summary> /// <remarks> /// <para> /// When using query string authentication you create a query, /// specify an expiration time for the query, sign it with your /// signature, place the data in an HTTP request, and distribute /// the request to a user or embed the request in a web page. /// </para> /// <para> /// A PreSigned URL can be generated for GET, PUT, DELETE and HEAD /// operations on your bucketName, keys, and versions. /// </para> /// </remarks> /// <param name="request">The GetPreSignedUrlRequest that defines the /// parameters of the operation.</param> /// <param name="useSigV2Fallback">determines if signing will fall back to SigV2 if the /// signing region is us-east-1 /// <returns>A string that is the signed http request.</returns> /// <exception cref="T:System.ArgumentException" /> /// <exception cref="T:System.ArgumentNullException" /> internal string GetPreSignedURLInternal(GetPreSignedUrlRequest request, bool useSigV2Fallback = true) { if (Credentials == null) { throw new AmazonS3Exception("Credentials must be specified, cannot call method anonymously"); } if (request == null) { throw new ArgumentNullException("request", "The PreSignedUrlRequest specified is null!"); } if (!request.IsSetExpires()) { throw new InvalidOperationException("The Expires specified is null!"); } var aws4Signing = AWSConfigsS3.UseSignatureVersion4; var region = AWS4Signer.DetermineSigningRegion(Config, "s3", alternateEndpoint: null, request: null); if (aws4Signing && string.IsNullOrEmpty(region)) { throw new InvalidOperationException("To use AWS4 signing, a region must be specified in the client configuration using the AuthenticationRegion or Region properties, or be determinable from the service URL."); } RegionEndpoint endpoint = RegionEndpoint.GetBySystemName(region); if (endpoint.GetEndpointForService("s3").SignatureVersionOverride == "4" || endpoint.GetEndpointForService("s3").SignatureVersionOverride == null) { aws4Signing = true; } var fallbackToSigV2 = useSigV2Fallback && !AWSConfigsS3.UseSigV4SetExplicitly; if (endpoint == RegionEndpoint.USEast1 && fallbackToSigV2) { aws4Signing = false; } // If the expiration is longer than SigV4 will allow then automatically use SigV2 instead. // But only if the region we're signing for allows SigV2. if (aws4Signing) { var secondsUntilExpiration = GetSecondsUntilExpiration(request, aws4Signing); if (secondsUntilExpiration > AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry && endpoint.GetEndpointForService("s3").SignatureVersionOverride == "2") { aws4Signing = false; } } var immutableCredentials = Credentials.GetCredentials(); var irequest = Marshall(request, immutableCredentials.AccessKey, immutableCredentials.Token, aws4Signing); irequest.Endpoint = EndpointResolver.DetermineEndpoint(this.Config, irequest); var context = new Amazon.Runtime.Internal.ExecutionContext(new Amazon.Runtime.Internal.RequestContext(true) { Request = irequest, ClientConfig = this.Config }, null); AmazonS3PostMarshallHandler.ProcessRequestHandlers(context); var metrics = new RequestMetrics(); string authorization; if (aws4Signing) { var aws4Signer = new AWS4PreSignedUrlSigner(); var signingResult = aws4Signer.SignRequest(irequest, this.Config, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey); authorization = "&" + signingResult.ForQueryParameters; } else { S3Signer.SignRequest(irequest, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey); authorization = irequest.Headers[HeaderKeys.AuthorizationHeader]; authorization = authorization.Substring(authorization.IndexOf(":", StringComparison.Ordinal) + 1); authorization = "&Signature=" + AmazonS3Util.UrlEncode(authorization, false); } Uri url = AmazonServiceClient.ComposeUrl(irequest); string result = url.AbsoluteUri + authorization; Protocol protocol = DetermineProtocol(); if (request.Protocol != protocol) { switch (protocol) { case Protocol.HTTP: result = result.Replace("http://", "https://"); break; case Protocol.HTTPS: result = result.Replace("https://", "http://"); break; } } return(result); }