/**
* Add authentication related and version parameters
*/
private void AddRequiredParameters(IDictionary <string, string> parameters)
{
using (ImmutableCredentials immutableCredentials = this.credentials.GetCredentials())
{
if (String.IsNullOrEmpty(immutableCredentials.AccessKey))
{
throw new AmazonSimpleNotificationServiceException("The AWS Access Key ID cannot be NULL or a Zero length string");
}
if (immutableCredentials.UseToken)
{
parameters["SecurityToken"] = immutableCredentials.Token;
}
parameters["AWSAccessKeyId"] = immutableCredentials.AccessKey;
parameters["SignatureVersion"] = config.SignatureVersion;
parameters["SignatureMethod"] = config.SignatureMethod;
parameters["Timestamp"] = AWSSDKUtils.FormattedCurrentTimestampISO8601;
parameters["Version"] = config.ServiceVersion;
if (!config.SignatureVersion.Equals("2"))
{
throw new AmazonSimpleNotificationServiceException("Invalid Signature Version specified");
}
string url;
if (config.RegionEndpoint != null)
{
url = "https://" + config.RegionEndpoint.GetEndpointForService(config.RegionEndpointServiceName).Hostname;
}
else
{
url = config.ServiceURL;
}
string toSign = AWSSDKUtils.CalculateStringToSignV2(parameters, url);
KeyedHashAlgorithm algorithm = KeyedHashAlgorithm.Create(config.SignatureMethod.ToUpper());
string auth;
if (immutableCredentials.UseSecureStringForSecretKey)
{
auth = AWSSDKUtils.HMACSign(toSign, immutableCredentials.SecureSecretKey, algorithm);
}
else
{
auth = AWSSDKUtils.HMACSign(toSign, immutableCredentials.ClearSecretKey, algorithm);
}
parameters["Signature"] = auth;
}
}
private void SetPowershellSamlProfile(ImmutableCredentials awsSessionCredentials)
{
// create a pipeline and feed it the script text
string script = String.Format("Set-AWSCredentials -AccessKey '{0}' -SecretKey '{1}' -SessionToken '{2}'", awsSessionCredentials.AccessKey, awsSessionCredentials.SecretKey, awsSessionCredentials.Token);
Runspace theRunSpace = System.Management.Automation.Runspaces.Runspace.DefaultRunspace;
if (theRunSpace.RunspaceStateInfo.State == RunspaceState.Opened)
{
using (Pipeline thePipeline = theRunSpace.CreateNestedPipeline(script, true))
{
Collection <PSObject> theRetVal = thePipeline.Invoke();
}
}
}
public static S3PostUploadSignedPolicy GetSignedPolicy(string policy, AWSCredentials credentials)
{
ImmutableCredentials credentials2 = credentials.GetCredentials();
string text = Convert.ToBase64String(credentials2.get_UseToken() ? addTokenToPolicy(policy, credentials2.get_Token()) : Encoding.UTF8.GetBytes(policy.Trim()));
string signature = CryptoUtilFactory.get_CryptoInstance().HMACSign(Encoding.UTF8.GetBytes(text), credentials2.get_SecretKey(), 0);
return(new S3PostUploadSignedPolicy
{
Policy = text,
Signature = signature,
AccessKeyId = credentials2.get_AccessKey(),
SecurityToken = credentials2.get_Token(),
SignatureVersion = "2"
});
}
private static string GetHeadBucketPreSignedUrl(string bucketName, ImmutableCredentials credentials)
{
GetPreSignedUrlRequest request = new GetPreSignedUrlRequest
{
BucketName = bucketName,
Expires = DateTime.Now.AddDays(1.0),
Verb = HttpVerb.HEAD,
Protocol = Protocol.HTTP
};
using (AmazonS3Client amazonS3Client = GetUsEast1ClientFromCredentials(credentials))
{
return(amazonS3Client.GetPreSignedURLInternal(request, useSigV2Fallback: false));
}
}
private static void AddHeaders(
HttpRequestMessage request,
DateTime now,
string serviceName,
ImmutableCredentials credentials,
string contentHash)
{
// Add required headers
request.AddHeader(HeaderKeys.XAmzDateHeader, now.ToIso8601BasicDateTime());
// Add conditional headers
request.AddHeaderIf(credentials.UseToken, HeaderKeys.XAmzSecurityTokenHeader, credentials.Token);
request.AddHeaderIf(!request.Headers.Contains(HeaderKeys.HostHeader), HeaderKeys.HostHeader, request.RequestUri !.Host);
request.AddHeaderIf(serviceName == ServiceName.S3, HeaderKeys.XAmzContentSha256Header, contentHash);
}
/// <summary>
/// Computes and returns an AWS4 signature for the specified canonicalized request
/// </summary>
/// <param name="credentials"></param>
/// <param name="region"></param>
/// <param name="signedAt"></param>
/// <param name="service"></param>
/// <param name="signedHeaders"></param>
/// <param name="canonicalRequest"></param>
/// <returns></returns>
public static AWS4SigningResult ComputeSignature(ImmutableCredentials credentials,
string region,
DateTime signedAt,
string service,
string signedHeaders,
string canonicalRequest)
{
return(ComputeSignature(credentials.AccessKey,
credentials.SecretKey,
region,
signedAt,
service,
signedHeaders,
canonicalRequest));
}
/// <summary>
/// Send a Signature Version 4 signed PUT request with a cancellation token as an
/// asynchronous operation.
/// </summary>
/// <param name="self">
/// The extension target.
/// </param>
/// <param name="requestUri">
/// The Uri the request is sent to.
/// </param>
/// <param name="content">
/// The HTTP request content sent to the server.
/// </param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of
/// cancellation.
/// </param>
/// <param name="regionName">
/// The system name of the AWS region associated with the endpoint, e.g. "us-east-1".
/// </param>
/// <param name="serviceName">
/// The signing name of the service, e.g. "execute-api".
/// </param>
/// <param name="credentials">
/// AWS credentials containing the following parameters:
/// - The AWS public key for the account making the service call.
/// - The AWS secret key for the account making the call, in clear text.
/// - The session token obtained from STS if request is authenticated using temporary
/// security credentials, e.g. a role.
/// </param>
/// <returns>
/// The task object representing the asynchronous operation.
/// </returns>
/// <exception cref="ArgumentNullException">
/// The <paramref name="requestUri"/> is null.
/// </exception>
/// <exception cref="HttpRequestException">
/// The request failed due to an underlying issue such as network connectivity, DNS
/// failure, server certificate validation or timeout.
/// </exception>
/// <remarks>
/// This operation will not block. The returned <see cref="Task{TResult}"/> object will
/// complete once the entire response including content is read.
/// </remarks>
public static Task <HttpResponseMessage> PutAsync(
this HttpClient self,
string requestUri,
HttpContent content,
CancellationToken cancellationToken,
string regionName,
string serviceName,
ImmutableCredentials credentials) =>
self.PutAsync(
requestUri.ToUri(),
content,
cancellationToken,
regionName,
serviceName,
credentials);
/// <summary>
/// Send a Signature Version 4 signed GET request to the specified Uri with an HTTP
/// completion option and a cancellation token as an asynchronous operation.
/// </summary>
/// <param name="self">
/// The extension target.
/// </param>
/// <param name="requestUri">
/// The Uri the request is sent to.
/// </param>
/// <param name="completionOption">
/// An HTTP completion option value that indicates when the operation should be considered
/// completed.
/// </param>
/// <param name="cancellationToken">
/// A cancellation token that can be used by other objects or threads to receive notice of
/// cancellation.
/// </param>
/// <param name="regionName">
/// The system name of the AWS region associated with the endpoint, e.g. "us-east-1".
/// </param>
/// <param name="serviceName">
/// The signing name of the service, e.g. "execute-api".
/// </param>
/// <param name="credentials">
/// AWS credentials containing the following parameters:
/// - The AWS public key for the account making the service call.
/// - The AWS secret key for the account making the call, in clear text.
/// - The session token obtained from STS if request is authenticated using temporary
/// security credentials, e.g. a role.
/// </param>
/// <returns>
/// The task object representing the asynchronous operation.
/// </returns>
/// <exception cref="ArgumentNullException">
/// The <paramref name="requestUri"/> is null.
/// </exception>
/// <exception cref="HttpRequestException">
/// The request failed due to an underlying issue such as network connectivity, DNS
/// failure, server certificate validation or timeout.
/// </exception>
/// <remarks>
/// This operation will not block. Depending on the value of the
/// <paramref name="completionOption"/> parameter, the returned <see cref="Task{TResult}"/>
/// object will complete as soon as a response is available or the entire response
/// including content is read.
/// </remarks>
public static Task <HttpResponseMessage> GetAsync(
this HttpClient self,
Uri requestUri,
HttpCompletionOption completionOption,
CancellationToken cancellationToken,
string regionName,
string serviceName,
ImmutableCredentials credentials) =>
self.SendAsync(
new HttpRequestMessage(HttpMethod.Get, requestUri),
completionOption,
cancellationToken,
regionName,
serviceName,
credentials);
private static AmazonS3Client GetUsEast1ClientFromCredentials(ImmutableCredentials credentials)
{
if (credentials == null)
{
return(new AmazonS3Client(new AnonymousAWSCredentials(), RegionEndpoint.USEast1));
}
else if (credentials.UseToken)
{
return(new AmazonS3Client(credentials.AccessKey, credentials.SecretKey, credentials.Token, RegionEndpoint.USEast1));
}
else
{
return(new AmazonS3Client(credentials.AccessKey, credentials.SecretKey, RegionEndpoint.USEast1));
}
}
private static string WriteCreds(string profileName, ImmutableCredentials ic)
{
string configPath = Path.GetFullPath("credentials");
using (var stream = File.Open(configPath, FileMode.Create, FileAccess.Write, FileShare.None))
using (var writer = new StreamWriter(stream))
{
AppendCredentialsSet(writer, profileName + "0", basicCreds);
AppendCredentialsSet(writer, profileName + "1", sessionCreds);
AppendCredentialsSet(writer, profileName, ic);
AppendCredentialsSet(writer, profileName + "2", basicCreds);
AppendCredentialsSet(writer, profileName + "3", sessionCreds);
}
return(configPath);
}
public void ProcessAuthorizationHeaderSuccess()
{
var request = new HttpRequestMessage();
var creds = new ImmutableCredentials("accessKeyId", "secretKey", "token");
ServerModeHttpClientAuthorizationHandler.AddAuthorizationHeader(request, creds);
if (!request.Headers.TryGetValues("Authorization", out var value))
{
throw new Exception("Missing Authorization header");
}
var authResults = AwsCredentialsAuthenticationHandler.ProcessAuthorizationHeader(value.FirstOrDefault(), new NoEncryptionProvider());
Assert.True(authResults.Succeeded);
}
/// <summary>
/// Calls pre invoke logic before calling the next handler
/// in the pipeline.
/// </summary>
/// <typeparam name="T">The response type for the current request.</typeparam>
/// <param name="executionContext">The execution context, it contains the
/// request and response context.</param>
/// <returns>A task that represents the asynchronous operation.</returns>
public override async System.Threading.Tasks.Task <T> InvokeAsync <T>(IExecutionContext executionContext)
{
ImmutableCredentials ic = null;
if (Credentials != null && !(Credentials is AnonymousAWSCredentials))
{
using (executionContext.RequestContext.Metrics.StartEvent(Metric.CredentialsRequestTime))
{
ic = await Credentials.GetCredentialsAsync().ConfigureAwait(false);
}
}
executionContext.RequestContext.ImmutableCredentials = ic;
return(await base.InvokeAsync <T>(executionContext).ConfigureAwait(false));
}
// https://gist.github.com/jesusnoseq/da3b259dcef697fc310be878800d1c33
void AuthenticatedGet(ImmutableCredentials cognitoCredentials)
{
// ************* REQUEST VALUES *************
string accessKey = cognitoCredentials.AccessKey;
string secretKey = cognitoCredentials.SecretKey;
string securityToken = cognitoCredentials.Token;
string algorithm = "AWS4-HMAC-SHA256";
string method = "GET";
string service = "execute-api";
string serviceForSigning = "apigateway";
string contentType = "application/json";
string expires = "900";
string amzDate = DateTime.UtcNow.ToString("yyyyMMddTHHmmssZ");
string dateStamp = DateTime.UtcNow.ToString("yyyyMMdd");
}
private static void ValidateArguments(
HttpRequestMessage request,
string regionName,
string serviceName,
ImmutableCredentials credentials)
{
if (request == null)
{
throw new ArgumentNullException(nameof(request));
}
if (request.Headers.Contains(HeaderKeys.XAmzDateHeader))
{
throw new ArgumentException(ErrorMessages.XAmzDateHeaderExists, nameof(request));
}
if (request.Headers.Authorization != null)
{
throw new ArgumentException(ErrorMessages.AuthorizationHeaderExists, nameof(request));
}
if (request.Headers.Contains(HeaderKeys.AuthorizationHeader))
{
throw new ArgumentException(ErrorMessages.AuthorizationHeaderExists, nameof(request));
}
if (regionName == null)
{
throw new ArgumentNullException(nameof(regionName));
}
if (regionName == string.Empty)
{
throw new ArgumentException(ErrorMessages.InvalidRegionName, nameof(regionName));
}
if (serviceName == null)
{
throw new ArgumentNullException(nameof(serviceName));
}
if (serviceName == string.Empty)
{
throw new ArgumentException(ErrorMessages.InvalidServiceName, nameof(serviceName));
}
if (serviceName == ServiceName.S3 && request.Method == HttpMethod.Post)
{
throw new NotSupportedException(ErrorMessages.S3DoesNotSupportPost);
}
if (credentials == null)
{
throw new ArgumentNullException(nameof(credentials));
}
}
/// /// <summary>
/// Calculates the signature for the specified request using the Asymmetric SigV4
/// signing protocol in preparation for generating a presigned URL.
/// </summary>
/// <param name="request">
/// The request to compute the signature for. Additional headers mandated by the
/// SigV4a protocol will be added to the request before signing.
/// </param>
/// <param name="clientConfig">
/// Client configuration data encompassing the service call (notably authentication
/// region, endpoint and service name).
/// </param>
/// <param name="metrics">Metrics for the request</param>
/// <param name="credentials">The AWS credentials for the account making the service call</param>
/// <param name="service">Service to sign the request for</param>
/// <param name="overrideSigningRegion">Region to sign the request for</param>
/// <returns>AWS4aSigningResult for the given request</returns>
public AWS4aSigningResult Presign4a(IRequest request,
IClientConfig clientConfig,
RequestMetrics metrics,
ImmutableCredentials credentials,
string service,
string overrideSigningRegion)
{
var signedAt = AWS4Signer.InitializeHeaders(request.Headers, request.Endpoint);
var regionSet = overrideSigningRegion ?? AWS4Signer.DetermineSigningRegion(clientConfig, service, request.AlternateEndpoint, request);
var signingConfig = PrepareCRTSigningConfig(AwsSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS, regionSet, service, signedAt, credentials);
if (AWS4PreSignedUrlSigner.ServicesUsingUnsignedPayload.Contains(service))
{
signingConfig.SignedBodyValue = AWS4Signer.UnsignedPayload;
}
else
{
signingConfig.SignedBodyValue = AWS4Signer.EmptyBodySha256;
}
// The expiration may have already be set in a header when marshalling the GetPreSignedUrlRequest -> IRequest
if (request.Parameters != null && request.Parameters.ContainsKey(HeaderKeys.XAmzExpires))
{
signingConfig.ExpirationInSeconds = Convert.ToUInt64(request.Parameters[HeaderKeys.XAmzExpires]);
}
var crtRequest = CrtHttpRequestConverter.ConvertToCrtRequest(request);
var signingResult = AwsSigner.SignHttpRequest(crtRequest, signingConfig);
string authorizationValue = Encoding.Default.GetString(signingResult.Get().Signature);
var dateStamp = AWS4Signer.FormatDateTime(signedAt, AWSSDKUtils.ISO8601BasicDateFormat);
var scope = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/{2}", dateStamp, service, AWS4Signer.Terminator);
AWS4aSigningResult result = new AWS4aSigningResult(
credentials.AccessKey,
signedAt,
CrtHttpRequestConverter.ExtractSignedHeaders(signingResult.Get().SignedRequest),
scope,
regionSet,
authorizationValue,
service,
signingResult.Get().SignedRequest.Uri,
credentials);
return(result);
}
/// <summary>
/// Given a policy and AWS credentials, produce a S3PostUploadSignedPolicy.
/// </summary>
/// <param name="policy">JSON string representing the policy to sign</param>
/// <param name="credentials">Credentials to sign the policy with</param>
/// <returns>A signed policy object for use with an S3PostUploadRequest.</returns>
public static S3PostUploadSignedPolicy GetSignedPolicy(string policy, AWSCredentials credentials)
{
ImmutableCredentials iCreds = credentials.GetCredentials();
var policyBytes = iCreds.UseToken
? addTokenToPolicy(policy, iCreds.Token)
: Encoding.UTF8.GetBytes(policy.Trim());
var base64Policy = Convert.ToBase64String(policyBytes);
string signature = CryptoUtilFactory.CryptoInstance.HMACSign(Encoding.UTF8.GetBytes(base64Policy), iCreds.SecretKey, SigningAlgorithm.HmacSHA1);
return(new S3PostUploadSignedPolicy
{
Policy = base64Policy,
Signature = signature,
AccessKeyId = iCreds.AccessKey,
SecurityToken = iCreds.Token
});
}
protected override void PreInvoke(IExecutionContext executionContext)
{
ImmutableCredentials ic = null;
if (Credentials != null && (Credentials is BasicServiceCredentials))
{
try
{
ic = Credentials.GetCredentials();
}
finally
{
}
}
executionContext.RequestContext.ImmutableCredentials = ic;
}
public TestSuiteContext()
{
RegionName = "us-east-1";
ServiceName = "service";
UtcNow = new DateTime(
2015,
8,
30,
12,
36,
00,
DateTimeKind.Utc);
Credentials = new ImmutableCredentials(
"AKIDEXAMPLE",
"wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
null);
}
/// <summary>
/// Constructs a new signing result instance for a computed signature
/// </summary>
/// <param name="awsAccessKeyId">The access key that was included in the signature</param>
/// <param name="signedAt">Date/time (UTC) that the signature was computed</param>
/// <param name="signedHeaders">The collection of headers names that were included in the signature</param>
/// <param name="scope">Formatted 'scope' value for signing (YYYYMMDD/region/service/aws4_request)</param>
/// <param name="regionSet">The set of AWS regions this signature is valid for</param>
/// <param name="signature">Computed signature</param>
/// <param name="service">Service the request was signed for</param>
/// <param name="presignedUri">Presigned Uri</param>
/// <param name="credentials">Credentials of the AWS account making the signed request</param>
public AWS4aSigningResult(string awsAccessKeyId,
DateTime signedAt,
string signedHeaders,
string scope,
string regionSet,
string signature,
string service,
string presignedUri,
ImmutableCredentials credentials) :
base(awsAccessKeyId, signedAt, signedHeaders, scope)
{
_regionSet = regionSet;
_signature = signature;
_service = service;
_presignedUri = presignedUri;
_credentials = credentials;
}
private IEnumerator CognitoCredentialsForIdentity(string identityId, Dictionary <string, string> logins = null)
{
var amzDate = DateTime.Now.ToString("yyyyMMddTHHmmssZ");
var request = new Dictionary <string, object> {
{ "IdentityId", identityId }
};
if (logins != null)
{
request.Add("Logins", logins);
}
var dataString = JsonConvert.SerializeObject(request);
var data = System.Text.Encoding.UTF8.GetBytes(dataString);
var post = UnityWebRequest.Put("https://cognito-identity.us-east-1.amazonaws.com/", data);
post.SetRequestHeader("Content-Type", "application/x-amz-json-1.1");
post.SetRequestHeader("X-AMZ-TARGET", "com.amazonaws.cognito.identity.model.AWSCognitoIdentityService.GetCredentialsForIdentity");
post.SetRequestHeader("X-Amz-Date", amzDate);
post.method = UnityWebRequest.kHttpVerbPOST;
yield return(post.SendWebRequest());
if (!post.isNetworkError && !post.isHttpError)
{
var response = JObject.Parse(post.downloadHandler.text);
if (identityId != response["IdentityId"].ToString())
{
_dbg("Cognito user has been changed! Old: " + identityId + " New: " + response["IdentityId"].ToString());
}
credentials = new ImmutableCredentials(
//response["IdentityId"].ToString(),
response["Credentials"]["AccessKeyId"].ToString(),
response["Credentials"]["SecretKey"].ToString(),
response["Credentials"]["SessionToken"].ToString()
//Convert.ToUInt64(response["Credentials"]["Expiration"].ToString()),
//logins != null
);
//_dbg("credentials:");
//_dbg($"\t* AccessKey:{credentials.AccessKey}");
//_dbg($"\t* SecretKey:{credentials.SecretKey}");
//_dbg($"\t* SessionToken:{credentials.Token}");
}
else
{
_dbg("Ups! Credentials not found");
}
}
internal static void SignRequest(IRequestContext requestContext)
{
ImmutableCredentials immutableCredentials = requestContext.ImmutableCredentials;
if (immutableCredentials == null)
{
return;
}
try
{
requestContext.Signer.Sign(requestContext.Request, immutableCredentials.AccessKey, immutableCredentials.SecretKey, immutableCredentials.SecurityToken);
}
finally
{
}
}
/// <summary>
/// Calculates the signature for the specified request using the Asymmetric SigV4 signing protocol
/// </summary>
/// <param name="request">
/// The request to compute the signature for. Additional headers mandated by the
/// SigV4a protocol will be added to the request before signing.
/// </param>
/// <param name="clientConfig">
/// Client configuration data encompassing the service call (notably authentication
/// region, endpoint and service name).
/// </param>
/// <param name="metrics">Metrics for the request</param>
/// <param name="credentials">The AWS credentials for the account making the service call</param>
/// <returns>AWS4aSigningResult for the given request</returns>
public AWS4aSigningResult SignRequest(IRequest request,
IClientConfig clientConfig,
RequestMetrics metrics,
ImmutableCredentials credentials)
{
var signedAt = AWS4Signer.InitializeHeaders(request.Headers, request.Endpoint);
var serviceSigningName = !string.IsNullOrEmpty(request.OverrideSigningServiceName) ? request.OverrideSigningServiceName : AWS4Signer.DetermineService(clientConfig);
var regionSet = AWS4Signer.DetermineSigningRegion(clientConfig, clientConfig.RegionEndpointServiceName, request.AlternateEndpoint, request);
request.DeterminedSigningRegion = regionSet;
AWS4Signer.SetXAmzTrailerHeader(request.Headers, request.TrailingHeaders);
var signingConfig = PrepareCRTSigningConfig(AwsSignatureType.HTTP_REQUEST_VIA_HEADERS, regionSet, serviceSigningName, signedAt, credentials);
// If the request should use a fixed x-amz-content-sha256 header value, determine the appropriate one
var fixedBodyHash = request.TrailingHeaders?.Count > 0
? AWS4Signer.V4aStreamingBodySha256WithTrailer
: AWS4Signer.V4aStreamingBodySha256;
signingConfig.SignedBodyValue = AWS4Signer.SetRequestBodyHash(request, SignPayload, fixedBodyHash, ChunkedUploadWrapperStream.V4A_SIGNATURE_LENGTH);
var crtRequest = CrtHttpRequestConverter.ConvertToCrtRequest(request);
var signingResult = AwsSigner.SignHttpRequest(crtRequest, signingConfig);
var authorizationValue = Encoding.Default.GetString(signingResult.Get().Signature);
var signedCrtRequest = signingResult.Get().SignedRequest;
CrtHttpRequestConverter.CopyHeadersFromCrtRequest(request, signedCrtRequest);
var dateStamp = AWS4Signer.FormatDateTime(signedAt, AWSSDKUtils.ISO8601BasicDateFormat);
var scope = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/{2}", dateStamp, serviceSigningName, AWS4Signer.Terminator);
AWS4aSigningResult result = new AWS4aSigningResult(
credentials.AccessKey,
signedAt,
CrtHttpRequestConverter.ExtractSignedHeaders(signedCrtRequest),
scope,
regionSet,
authorizationValue,
serviceSigningName,
"",
credentials);
return(result);
}
public static S3PostUploadSignedPolicy GetSignedPolicyV4(string policy, AWSCredentials credentials, RegionEndpoint region)
{
DateTime correctedUtcNow = AWSSDKUtils.get_CorrectedUtcNow();
ImmutableCredentials credentials2 = credentials.GetCredentials();
string text = "AWS4-HMAC-SHA256";
string text2 = AWS4Signer.FormatDateTime(correctedUtcNow, "yyyyMMdd");
string text3 = AWS4Signer.FormatDateTime(correctedUtcNow, "yyyyMMddTHHmmssZ");
string text4 = string.Format(CultureInfo.InvariantCulture, "{0}/{1}/{2}/{3}/{4}/", credentials2.get_AccessKey(), text2, region.get_SystemName(), "s3", "aws4_request");
Dictionary <string, string> dictionary = new Dictionary <string, string>
{
{
S3Constants.PostFormDataXAmzCredential,
text4
},
{
S3Constants.PostFormDataXAmzAlgorithm,
text
},
{
S3Constants.PostFormDataXAmzDate,
text3
}
};
if (credentials2.get_UseToken())
{
dictionary[S3Constants.PostFormDataSecurityToken] = credentials2.get_Token();
}
string text5 = Convert.ToBase64String(addConditionsToPolicy(policy, dictionary));
byte[] array = AWS4Signer.ComposeSigningKey(credentials2.get_SecretKey(), region.get_SystemName(), text2, "s3");
string signature = AWSSDKUtils.ToHex(AWS4Signer.ComputeKeyedHash(1, array, text5), true);
return(new S3PostUploadSignedPolicy
{
Policy = text5,
Signature = signature,
AccessKeyId = credentials2.get_AccessKey(),
SecurityToken = credentials2.get_Token(),
SignatureVersion = "4",
Algorithm = text,
Date = text3,
Credential = text4
});
}
/// Resolves the AWS credentials that will be used to authenticate to AWS
/// by way of signing a request to the AWS STS <c>GetCallerIdentity</c>
/// API endpoint. If explicity credentials have been provided in the
/// configuration options passed into this instance constructure, then they
/// will be used, otherwise, the credentials will be resolved as described
/// in the AWS SDK process for
/// <see cref="https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html#creds-locate"
/// >Accessing Credentials and Profiles in an Application</see>.
public async Task AuthenticateToAwsIamAsync()
{
if (_awsCreds == null)
{
_logger.LogInformation("explicity AWS credentials are not provided,"
+ " attempting to resolve from the running context");
var creds = FallbackCredentialsFactory.GetCredentials(false);
_awsCreds = await creds.GetCredentialsAsync();
_logger.LogInformation("resolved to Access Key: " + _awsCreds.AccessKey);
}
if (_awsCreds == null)
{
throw new Exception("AWS credentials could not be resolved");
}
}
private async void initFields(AWSCredentialsProfile profile)
{
toggleFields(false);
// Get this profile's credentials asynchronously
_origProfile = profile;
using (new WaitCursor()) {
_origCreds = await profile.Credentials.GetCredentialsAsync();
}
// Initialize controls with these credentials
this.Text = string.Format(EditProfileTitle, _origProfile.Name);
TxtProfileName.Text = _origProfile.Name;
TxtAccessKeyID.Text = _origCreds.AccessKey;
TxtSecretAccessKey.Text = _origCreds.SecretKey;
toggleFields(true);
}
/// <summary>
/// Retrieves the credentials to be used for the current call before
/// invoking the next handler.
/// </summary>
/// <param name="executionContext"></param>
protected override void PreInvoke(IExecutionContext executionContext)
{
ImmutableCredentials ic = null;
if (_credentials == null || _credentials is AnonymousAWSCredentials)
{
ic = null;
}
else
{
using (executionContext.RequestContext.Metrics.StartEvent(Metric.CredentialsRequestTime))
{
ic = _credentials.GetCredentials();
}
}
executionContext.RequestContext.ImmutableCredentials = ic;
}
/// <summary>
/// Send an Signature Version 4 signed HTTP request as an asynchronous operation.
/// </summary>
/// <param name="self">
/// The extension target.
/// </param>
/// <param name="request">
/// The HTTP request message to send.
/// </param>
/// <param name="completionOption">
/// When the operation should complete (as soon as a response is available or after reading
/// the whole response content).
/// </param>
/// <param name="cancellationToken">
/// The cancellation token to cancel operation.
/// </param>
/// <param name="regionName">
/// The system name of the AWS region associated with the endpoint, e.g. "us-east-1".
/// </param>
/// <param name="serviceName">
/// The signing name of the service, e.g. "execute-api".
/// </param>
/// <param name="credentials">
/// AWS credentials containing the following parameters:
/// - The AWS public key for the account making the service call.
/// - The AWS secret key for the account making the call, in clear text.
/// - The session token obtained from STS if request is authenticated using temporary
/// security credentials, e.g. a role.
/// </param>
/// <returns>
/// The task object representing the asynchronous operation.
/// </returns>
/// <exception cref="ArgumentNullException">
/// The <paramref name="request"/> is null.
/// </exception>
/// <exception cref="InvalidOperationException">
/// The request message was already sent by the <see cref="HttpClient"/> instance.
/// </exception>
/// <exception cref="HttpRequestException">
/// The request failed due to an underlying issue such as network connectivity, DNS
/// failure, server certificate validation or timeout.
/// </exception>
/// <remarks>
/// This operation will not block. Depending on the value of the
/// <paramref name="completionOption"/> parameter, the returned <see cref="Task{TResult}"/>
/// object will complete as soon as a response is available or the entire response
/// including content is read.
/// </remarks>
public static async Task <HttpResponseMessage> SendAsync(
this HttpClient self,
HttpRequestMessage request,
HttpCompletionOption completionOption,
CancellationToken cancellationToken,
string regionName,
string serviceName,
ImmutableCredentials credentials)
{
if (self == null)
{
throw new ArgumentNullException(nameof(self));
}
await Signer.SignAsync(self, request, DateTime.UtcNow, regionName, serviceName, credentials);
return(await self.SendAsync(request, completionOption, cancellationToken));
}
private string Sign(ImmutableCredentials credentialsImmutable, string hashedRequestPayload, string requestMethod, string canonicalUri, string canonicalQueryString)
{
var currentDateTime = DateTime.UtcNow;
var dateStamp = currentDateTime.ToString("yyyMMdd");
var requestDate = currentDateTime.ToString("yyyyMMddTHHmmssZ");
var credentialsScope = string.Format("{0}/{1}/{2}/aws4_request", dateStamp, ServiceRegion.ToString(), ServiceName);
var headers = new SortedDictionary <string, string>
{
{ "content-type", ContentType },
{ "host", Host },
{ "x-amz-date", requestDate },
{ "x-amz-security-token", credentialsImmutable.Token }
};
string canonicalHeaders = string.Join("\n", headers.Select(x => x.Key.ToLowerInvariant() + ":" + x.Value.Trim())) + "\n";
// Task 1: Create a Canonical Request For Signature Version 4
string canonicalRequest = requestMethod + "\n" + canonicalUri + "\n" + canonicalQueryString + "\n" + canonicalHeaders + "\n" + SignedHeaders + "\n" + hashedRequestPayload;
string hashedCanonicalRequest = HexEncode(Hash(ToBytes(canonicalRequest)));
// Task 2: Create a String to Sign for Signature Version 4
string stringToSign = Algorithm + "\n" + requestDate + "\n" + credentialsScope + "\n" + hashedCanonicalRequest;
// Task 3: Calculate the AWS Signature Version 4
byte[] signingKey = GetSignatureKey(credentialsImmutable.SecretKey, dateStamp, ServiceRegion.ToString(), ServiceName);
string signature = HexEncode(HmacSha256(stringToSign, signingKey));
// Task 4: Prepare a signed request
// Authorization: algorithm Credential=access key ID/credential scope, SignedHeadaers=SignedHeaders, Signature=signature
string authorization = string.Format("{0} Credential={1}/{2}/{3}/{4}/aws4_request, SignedHeaders={5}, Signature={6}",
Algorithm,
credentialsImmutable.AccessKey,
dateStamp,
ServiceRegion,
ServiceName,
SignedHeaders,
signature
);
return(authorization);
}
public ReportHandlerTests()
{
var chain = new CredentialProfileStoreChain();
AWSCredentials awsCredentials;
chain.TryGetAWSCredentials("DD MWS", out awsCredentials);
creds = awsCredentials.GetCredentials();
serviceContext.MwsAuthToken = mWSAuthToken;
serviceContext.AppVersion = appVersion;
serviceContext.AccessKey = creds.AccessKey;
serviceContext.SecretKey = creds.SecretKey;
serviceContext.SellerId = sellerId;
serviceContext.ApplicationName = "test";
serviceContext.MwsServiceUrl = serviceURL;
mockLogger = new Mock <ILogger>();
reportHandler = new ReportHandler(serviceContext, mockLogger.Object);
}
public async Task <Creds> GetCredsAsync()
{
ImmutableCredentials iCreds = null;
try
{
iCreds = await Credentials.GetCredentialsAsync();
return(new Creds()
{
AccessKey = iCreds.AccessKey,
SecretKey = iCreds.SecretKey,
Token = iCreds.Token
});
} catch (Exception e)
{
return(new Creds());
}
}
/// <summary>
/// Computes and returns an AWS4 signature for the specified canonicalized request
/// </summary>
/// <param name="credentials"></param>
/// <param name="region"></param>
/// <param name="signedAt"></param>
/// <param name="service"></param>
/// <param name="signedHeaders"></param>
/// <param name="canonicalRequest"></param>
/// <returns></returns>
public static AWS4SigningResult ComputeSignature(ImmutableCredentials credentials,
string region,
DateTime signedAt,
string service,
string signedHeaders,
string canonicalRequest)
{
return ComputeSignature(credentials.AccessKey,
credentials.SecretKey,
region,
signedAt,
service,
signedHeaders,
canonicalRequest);
}
/// <summary>
/// Return the credentials for the profile if valid credentials can be found.
/// </summary>
/// <param name="profileName">name of profile to find credentials for</param>
/// <param name="credentials">the credentials for the profile</param>
/// <returns>true if the profile was found and it contained valid credentials, false otherwise</returns>
public bool TryGetCredentials(string profileName, out ImmutableCredentials credentials)
{
credentials = GetCredentials(profileName, false);
return credentials != null;
}
