protected override void PreInvoke(IExecutionContext executionContext)
{
var request = executionContext.RequestContext.OriginalRequest;
var config = executionContext.RequestContext.ClientConfig;
var copySnapshotRequest = request as CopySnapshotRequest;
if (copySnapshotRequest != null)
{
if (string.IsNullOrEmpty(copySnapshotRequest.DestinationRegion))
{
copySnapshotRequest.DestinationRegion = AWS4Signer.DetermineSigningRegion(config, "ec2", alternateEndpoint: null);
}
if (string.IsNullOrEmpty(copySnapshotRequest.SourceRegion))
{
throw new AmazonEC2Exception("SourceRegion is required to perform the copy snapshot.");
}
var endpoint = RegionEndpoint.GetBySystemName(copySnapshotRequest.SourceRegion);
if (endpoint == null)
{
throw new AmazonEC2Exception(string.Format(CultureInfo.InvariantCulture, "No endpoint for region {0}.", copySnapshotRequest.SourceRegion));
}
// Make sure the presigned URL is currently null so we don't attempt to generate
// a presigned URL with a presigned URL.
copySnapshotRequest.PresignedUrl = null;
// Marshall this request but switch to the source region and make it a GET request.
var marshaller = new CopySnapshotRequestMarshaller();
var irequest = marshaller.Marshall(copySnapshotRequest);
irequest.UseQueryString = true;
irequest.HttpMethod = "GET";
irequest.Parameters.Add("X-Amz-Expires", AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry.ToString(CultureInfo.InvariantCulture));
irequest.Endpoint = new Uri("https://" + endpoint.GetEndpointForService(config.RegionEndpointServiceName).Hostname);
// Create presigned URL.
var metrics = new RequestMetrics();
var immutableCredentials = _credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
irequest.Parameters["X-Amz-Security-Token"] = immutableCredentials.Token;
}
var signingResult = AWS4PreSignedUrlSigner.SignRequest(irequest,
config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey,
"ec2",
copySnapshotRequest.SourceRegion);
var authorization = "&" + signingResult.ForQueryParameters;
var url = AmazonServiceClient.ComposeUrl(irequest);
copySnapshotRequest.PresignedUrl = url.AbsoluteUri + authorization;
}
}
/// <summary>
/// Generate a token for IAM authentication to an RDS database.
/// </summary>
/// <param name="credentials">The credentials for the token.</param>
/// <param name="region">The region of the RDS database.</param>
/// <param name="hostname">Hostname of the RDS database.</param>
/// <param name="port">Port of the RDS database.</param>
/// <param name="dbUser">Database user for the token.</param>
/// <returns></returns>
public static string GenerateAuthToken(AWSCredentials credentials, RegionEndpoint region, string hostname, int port, string dbUser)
{
if (credentials == null)
{
throw new ArgumentNullException("credentials");
}
if (region == null)
{
throw new ArgumentNullException("region");
}
if (port < 0 || port > 65535)
{
throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, "{0} is an invalid port. Port must be 0 to 65535.", port));
}
hostname = hostname?.Trim();
if (string.IsNullOrEmpty(hostname))
{
throw new ArgumentException("Hostname must not be null or empty.");
}
dbUser = dbUser?.Trim();
if (string.IsNullOrEmpty(dbUser))
{
throw new ArgumentException("DBUser must not be null or empty.");
}
GenerateRDSAuthTokenRequest authTokenRequest = new GenerateRDSAuthTokenRequest();
IRequest request = new DefaultRequest(authTokenRequest, RDSServiceName);
request.UseQueryString = true;
request.HttpMethod = HTTPGet;
request.Parameters.Add(XAmzExpires, FifteenMinutes.TotalSeconds.ToString(CultureInfo.InvariantCulture));
request.Parameters.Add(DBUserKey, dbUser);
request.Parameters.Add(ActionKey, ActionValue);
request.Endpoint = new UriBuilder(HTTPS, hostname, port).Uri;
var immutableCredentials = credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
request.Parameters[XAmzSecurityToken] = immutableCredentials.Token;
}
var signingResult = AWS4PreSignedUrlSigner.SignRequest(request, null, new RequestMetrics(), immutableCredentials.AccessKey,
immutableCredentials.SecretKey, RDSServiceName, region.SystemName);
var authorization = "&" + signingResult.ForQueryParameters;
var url = AmazonServiceClient.ComposeUrl(request);
// remove the https:// and append the authorization
return(url.AbsoluteUri.Substring(HTTPS.Length + URISchemeDelimiter.Length) + authorization);
}
protected override void ProcessPreRequestHandlers(AmazonWebServiceRequest request)
{
base.ProcessPreRequestHandlers(request);
var requestCopySnapshot = request as CopySnapshotRequest;
if (requestCopySnapshot != null)
{
if (string.IsNullOrEmpty(requestCopySnapshot.DestinationRegion))
{
requestCopySnapshot.DestinationRegion = AWS4Signer.DetermineSigningRegion(this.Config, "ec2");
}
if (string.IsNullOrEmpty(requestCopySnapshot.SourceRegion))
{
throw new AmazonEC2Exception("SourceRegion is required to perform the copy snapshot.");
}
var endpoint = RegionEndpoint.GetBySystemName(requestCopySnapshot.SourceRegion);
if (endpoint == null)
{
throw new AmazonEC2Exception(string.Format(CultureInfo.InvariantCulture, "No endpoint for region {0}.", requestCopySnapshot.SourceRegion));
}
// Make sure the presigned URL is currently null so we don't attempt to generate
// a presigned URL with a presigned URL.
requestCopySnapshot.PresignedUrl = null;
// Marshall this request but switch to the source region and make it a GET request.
CopySnapshotRequestMarshaller marshaller = new CopySnapshotRequestMarshaller();
var irequest = marshaller.Marshall(requestCopySnapshot);
irequest.UseQueryString = true;
irequest.HttpMethod = "GET";
irequest.Parameters.Add("X-Amz-Expires", AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry.ToString(CultureInfo.InvariantCulture));
irequest.Endpoint = new Uri("https://" + endpoint.GetEndpointForService(this.Config.RegionEndpointServiceName).Hostname);
// Create presigned URL.
var metrics = new RequestMetrics();
var immutableCredentials = Credentials.GetCredentials();
var signingResult = AWS4PreSignedUrlSigner.SignRequest(irequest,
this.Config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey,
"ec2",
requestCopySnapshot.SourceRegion);
var authorization = "&" + signingResult.ForQueryParameters;
Uri url = ComposeUrl(irequest, irequest.Endpoint);
requestCopySnapshot.PresignedUrl = url.AbsoluteUri + authorization;
}
}
/// <summary>
/// Auto-generates pre-signed URLs for requests that implement <see cref="IPreSignedUrlRequest"/>.
/// if the PreSignedUrl property isn't set and the SourceRegion property is set.
/// </summary>
/// <param name="executionContext"></param>
protected virtual void PreInvoke(IExecutionContext executionContext)
{
var preSignedUrlRequest = executionContext.RequestContext.OriginalRequest as IPreSignedUrlRequest;
if (preSignedUrlRequest != null && preSignedUrlRequest.SourceRegion != null && preSignedUrlRequest.PreSignedUrl == null)
{
var config = executionContext.RequestContext.ClientConfig;
var endpoint = RegionEndpoint.GetBySystemName(preSignedUrlRequest.SourceRegion);
if (endpoint == null)
{
throw new AmazonRDSException(string.Format(CultureInfo.InvariantCulture, "No endpoint for region {0}.", preSignedUrlRequest.SourceRegion));
}
// Marshall this request and prepare it to be signed
var marshaller = executionContext.RequestContext.Marshaller;
var iRequest = marshaller.Marshall(preSignedUrlRequest as AmazonWebServiceRequest);
iRequest.UseQueryString = true;
iRequest.HttpMethod = HTTPGet;
iRequest.Endpoint = new UriBuilder(UriSchemeHTTPS, endpoint.GetEndpointForService(config.RegionEndpointServiceName).Hostname).Uri;
iRequest.Parameters[DestinationRegionParameterKey] = executionContext.RequestContext.ClientConfig.RegionEndpoint.SystemName;
// Most pre signed URLS also have an X-Amz-Expires header. But RDS just ignores it and always imposes a +/- 14 minute time limit instead.
var immutableCredentials = _credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
// Don't use HeaderKeys.XAmzSecurityTokenHeader because RDS treats this as case-sensitive
iRequest.Parameters["X-Amz-Security-Token"] = immutableCredentials.Token;
}
// Create presigned URL and assign it
var signingResult = AWS4PreSignedUrlSigner.SignRequest(iRequest, config, new RequestMetrics(),
immutableCredentials.AccessKey, immutableCredentials.SecretKey, RDSServiceNameForSigning, preSignedUrlRequest.SourceRegion);
var authorization = "&" + signingResult.ForQueryParameters;
preSignedUrlRequest.PreSignedUrl = AmazonServiceClient.ComposeUrl(iRequest).AbsoluteUri + authorization;
}
}
/// <summary>
/// <para>
/// Auto-generates pre-signed URLs for requests that implement <see cref="IPreSignedUrlRequest"/>.
/// if the PreSignedUrl property isn't set and the SourceRegion property is set.
/// </para>
/// </summary>
/// <param name="executionContext"></param>
protected virtual void PreInvoke(IExecutionContext executionContext)
{
var preSignedUrlRequest = executionContext.RequestContext.OriginalRequest as IPreSignedUrlRequest;
if (preSignedUrlRequest != null && preSignedUrlRequest.SourceRegion != null && preSignedUrlRequest.PreSignedUrl == null)
{
var config = executionContext.RequestContext.ClientConfig;
var endpoint = RegionEndpoint.GetBySystemName(preSignedUrlRequest.SourceRegion);
if (endpoint == null)
{
throw new AmazonNeptuneException(string.Format(CultureInfo.InvariantCulture, "No endpoint for region {0}.", preSignedUrlRequest.SourceRegion));
}
// Marshall this request and prepare it to be signed
var marshaller = executionContext.RequestContext.Marshaller;
var iRequest = marshaller.Marshall(preSignedUrlRequest as AmazonWebServiceRequest);
iRequest.UseQueryString = true;
iRequest.HttpMethod = HTTPGet;
iRequest.Endpoint = new UriBuilder(UriSchemeHTTPS, endpoint.GetEndpointForService(config).Hostname).Uri;
iRequest.Parameters[DestinationRegionParameterKey] = executionContext.RequestContext.ClientConfig.RegionEndpoint.SystemName;
iRequest.Parameters[XAmzExpires] = ((int)ExpirationTime.TotalSeconds).ToString(CultureInfo.InvariantCulture);
var immutableCredentials = _credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
iRequest.Parameters[XAmzSecurityToken] = immutableCredentials.Token;
}
// Create presigned URL and assign it
var signingResult = AWS4PreSignedUrlSigner.SignRequest(iRequest, config, new RequestMetrics(),
immutableCredentials.AccessKey, immutableCredentials.SecretKey, NeptuneServiceNameForSigning, preSignedUrlRequest.SourceRegion);
var authorization = "&" + signingResult.ForQueryParameters;
preSignedUrlRequest.PreSignedUrl = AmazonServiceClient.ComposeUrl(iRequest).AbsoluteUri + authorization;
}
}
/// <summary>
/// Create a signed URL allowing access to a resource that would
/// usually require authentication.
/// </summary>
/// <remarks>
/// <para>
/// When using query string authentication you create a query,
/// specify an expiration time for the query, sign it with your
/// signature, place the data in an HTTP request, and distribute
/// the request to a user or embed the request in a web page.
/// </para>
/// <para>
/// A PreSigned URL can be generated for GET, PUT, DELETE and HEAD
/// operations on your bucketName, keys, and versions.
/// </para>
/// </remarks>
/// <param name="request">The GetPreSignedUrlRequest that defines the
/// parameters of the operation.</param>
/// <param name="useSigV2Fallback">determines if signing will fall back to SigV2 if the
/// signing region is us-east-1
/// <returns>A string that is the signed http request.</returns>
/// <exception cref="T:System.ArgumentException" />
/// <exception cref="T:System.ArgumentNullException" />
internal string GetPreSignedURLInternal(GetPreSignedUrlRequest request, bool useSigV2Fallback = true)
{
if (Credentials == null)
{
throw new AmazonS3Exception("Credentials must be specified, cannot call method anonymously");
}
if (request == null)
{
throw new ArgumentNullException("request", "The PreSignedUrlRequest specified is null!");
}
if (!request.IsSetExpires())
{
throw new InvalidOperationException("The Expires specified is null!");
}
var aws4Signing = AWSConfigsS3.UseSignatureVersion4;
var region = AWS4Signer.DetermineSigningRegion(Config, "s3", alternateEndpoint: null, request: null);
if (aws4Signing && string.IsNullOrEmpty(region))
{
throw new InvalidOperationException("To use AWS4 signing, a region must be specified in the client configuration using the AuthenticationRegion or Region properties, or be determinable from the service URL.");
}
RegionEndpoint endpoint = RegionEndpoint.GetBySystemName(region);
if (endpoint.GetEndpointForService("s3").SignatureVersionOverride == "4" || endpoint.GetEndpointForService("s3").SignatureVersionOverride == null)
{
aws4Signing = true;
}
var fallbackToSigV2 = useSigV2Fallback && !AWSConfigsS3.UseSigV4SetExplicitly;
if (endpoint == RegionEndpoint.USEast1 && fallbackToSigV2)
{
aws4Signing = false;
}
// If the expiration is longer than SigV4 will allow then automatically use SigV2 instead.
// But only if the region we're signing for allows SigV2.
if (aws4Signing)
{
var secondsUntilExpiration = GetSecondsUntilExpiration(request, aws4Signing);
if (secondsUntilExpiration > AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry &&
endpoint.GetEndpointForService("s3").SignatureVersionOverride == "2")
{
aws4Signing = false;
}
}
var immutableCredentials = Credentials.GetCredentials();
var irequest = Marshall(request, immutableCredentials.AccessKey, immutableCredentials.Token, aws4Signing);
irequest.Endpoint = EndpointResolver.DetermineEndpoint(this.Config, irequest);
var context = new Amazon.Runtime.Internal.ExecutionContext(new Amazon.Runtime.Internal.RequestContext(true)
{
Request = irequest, ClientConfig = this.Config
}, null);
AmazonS3PostMarshallHandler.ProcessRequestHandlers(context);
var metrics = new RequestMetrics();
string authorization;
if (aws4Signing)
{
var aws4Signer = new AWS4PreSignedUrlSigner();
var signingResult = aws4Signer.SignRequest(irequest,
this.Config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey);
authorization = "&" + signingResult.ForQueryParameters;
}
else
{
S3Signer.SignRequest(irequest, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);
authorization = irequest.Headers[HeaderKeys.AuthorizationHeader];
authorization = authorization.Substring(authorization.IndexOf(":", StringComparison.Ordinal) + 1);
authorization = "&Signature=" + AmazonS3Util.UrlEncode(authorization, false);
}
Uri url = AmazonServiceClient.ComposeUrl(irequest);
string result = url.AbsoluteUri + authorization;
Protocol protocol = DetermineProtocol();
if (request.Protocol != protocol)
{
switch (protocol)
{
case Protocol.HTTP:
result = result.Replace("http://", "https://");
break;
case Protocol.HTTPS:
result = result.Replace("https://", "http://");
break;
}
}
return(result);
}
/// <summary>
/// Custom pipeline handler
/// </summary>
/// <param name="executionContext"></param>
protected void PreInvoke(IExecutionContext executionContext)
{
var request = executionContext.RequestContext.OriginalRequest;
var config = executionContext.RequestContext.ClientConfig;
var runInstancesRequest = request as RunInstancesRequest;
if (runInstancesRequest != null)
{
if (runInstancesRequest.IsSetBlockDeviceMappings())
{
var mappings = runInstancesRequest.BlockDeviceMappings;
foreach (var mapping in mappings)
{
if (mapping.IsSetEbs())
{
var ebs = mapping.Ebs;
if (ebs.IsSetSnapshotId() &&
ebs.IsSetEncrypted() &&
ebs.Encrypted == false)
{
ebs.ClearEncryptedFlag();
}
}
}
}
}
// replace null Tag.Value with empty string
var createTagsRequest = request as CreateTagsRequest;
if (createTagsRequest != null)
{
if (createTagsRequest.IsSetTags())
{
var tags = createTagsRequest.Tags;
foreach (var tag in tags)
{
if (tag != null && tag.Value == null)
{
tag.Value = string.Empty;
}
}
}
}
var copySnapshotRequest = request as CopySnapshotRequest;
if (copySnapshotRequest != null)
{
if (string.IsNullOrEmpty(copySnapshotRequest.DestinationRegion))
{
copySnapshotRequest.DestinationRegion = AWS4Signer.DetermineSigningRegion(config, "ec2", alternateEndpoint: null, request: null);
}
if (string.IsNullOrEmpty(copySnapshotRequest.SourceRegion))
{
throw new AmazonEC2Exception("SourceRegion is required to perform the copy snapshot.");
}
var endpoint = RegionEndpoint.GetBySystemName(copySnapshotRequest.SourceRegion);
if (endpoint == null)
{
throw new AmazonEC2Exception(string.Format(CultureInfo.InvariantCulture, "No endpoint for region {0}.", copySnapshotRequest.SourceRegion));
}
// Make sure the presigned URL is currently null so we don't attempt to generate
// a presigned URL with a presigned URL.
copySnapshotRequest.PresignedUrl = null;
// Marshall this request but switch to the source region and make it a GET request.
var marshaller = new CopySnapshotRequestMarshaller();
var irequest = marshaller.Marshall(copySnapshotRequest);
irequest.UseQueryString = true;
irequest.HttpMethod = "GET";
irequest.Parameters.Add("X-Amz-Expires", AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry.ToString(CultureInfo.InvariantCulture));
irequest.Endpoint = new Uri("https://" + endpoint.GetEndpointForService(config.RegionEndpointServiceName).Hostname);
// Create presigned URL.
var metrics = new RequestMetrics();
var immutableCredentials = _credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
irequest.Parameters["X-Amz-Security-Token"] = immutableCredentials.Token;
}
var signingResult = AWS4PreSignedUrlSigner.SignRequest(irequest,
config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey,
"ec2",
copySnapshotRequest.SourceRegion);
var authorization = "&" + signingResult.ForQueryParameters;
var url = AmazonServiceClient.ComposeUrl(irequest);
copySnapshotRequest.PresignedUrl = url.AbsoluteUri + authorization;
}
var authorizeSecurityGroupEgressRequest = request as AuthorizeSecurityGroupEgressRequest;
if (authorizeSecurityGroupEgressRequest != null)
{
if (authorizeSecurityGroupEgressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(authorizeSecurityGroupEgressRequest.IpPermissions);
}
}
var authorizeSecurityGroupIngressRequest = request as AuthorizeSecurityGroupIngressRequest;
if (authorizeSecurityGroupIngressRequest != null)
{
if (authorizeSecurityGroupIngressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(authorizeSecurityGroupIngressRequest.IpPermissions);
}
}
var revokeSecurityGroupEgressRequest = request as RevokeSecurityGroupEgressRequest;
if (revokeSecurityGroupEgressRequest != null)
{
if (revokeSecurityGroupEgressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(revokeSecurityGroupEgressRequest.IpPermissions);
}
}
var revokeSecurityGroupIngressRequest = request as RevokeSecurityGroupIngressRequest;
if (revokeSecurityGroupIngressRequest != null)
{
if (revokeSecurityGroupIngressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(revokeSecurityGroupIngressRequest.IpPermissions);
}
}
var updateSecurityGroupRuleDescriptionsEgressRequest = request as UpdateSecurityGroupRuleDescriptionsEgressRequest;
if (updateSecurityGroupRuleDescriptionsEgressRequest != null)
{
if (updateSecurityGroupRuleDescriptionsEgressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(updateSecurityGroupRuleDescriptionsEgressRequest.IpPermissions);
}
}
var updateSecurityGroupRuleDescriptionsIngressRequest = request as UpdateSecurityGroupRuleDescriptionsIngressRequest;
if (updateSecurityGroupRuleDescriptionsIngressRequest != null)
{
if (updateSecurityGroupRuleDescriptionsIngressRequest.IsSetIpPermissions())
{
SelectModifiedIpRange(updateSecurityGroupRuleDescriptionsIngressRequest.IpPermissions);
}
}
}
/// <summary>
/// Create a signed URL allowing access to a resource that would
/// usually require authentication.
/// </summary>
/// <remarks>
/// <para>
/// When using query string authentication you create a query,
/// specify an expiration time for the query, sign it with your
/// signature, place the data in an HTTP request, and distribute
/// the request to a user or embed the request in a web page.
/// </para>
/// <para>
/// A PreSigned URL can be generated for GET, PUT, DELETE and HEAD
/// operations on your bucketName, keys, and versions.
/// </para>
/// </remarks>
/// <param name="request">The GetPreSignedUrlRequest that defines the
/// parameters of the operation.</param>
/// <returns>A string that is the signed http request.</returns>
/// <exception cref="T:System.ArgumentException" />
/// <exception cref="T:System.ArgumentNullException" />
public string GetPreSignedURL(GetPreSignedUrlRequest request)
{
if (Credentials == null)
{
throw new AmazonS3Exception("Credentials must be specified, cannot call method anonymously");
}
if (request == null)
{
throw new ArgumentNullException("request", "The PreSignedUrlRequest specified is null!");
}
if (!request.IsSetExpires())
{
throw new InvalidOperationException("The Expires specified is null!");
}
var aws4Signing = AWSConfigs.S3UseSignatureVersion4;
var region = AWS4Signer.DetermineRegion(Config);
if (aws4Signing && string.IsNullOrEmpty(region))
{
throw new InvalidOperationException("To use AWS4 signing, a region must be specified in the client configuration using the AuthenticationRegion or Region properties, or be determinable from the service URL.");
}
if (region.Equals(RegionEndpoint.CNNorth1.SystemName, StringComparison.OrdinalIgnoreCase))
{
aws4Signing = true;
}
var immutableCredentials = Credentials.GetCredentials();
var irequest = Marshall(request, immutableCredentials.AccessKey, immutableCredentials.Token, aws4Signing);
irequest.Endpoint = DetermineEndpoint(irequest);
ProcessRequestHandlers(irequest);
var metrics = new RequestMetrics();
string authorization;
if (aws4Signing)
{
var aws4Signer = new AWS4PreSignedUrlSigner();
var signingResult = aws4Signer.SignRequest(irequest,
this.Config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey);
authorization = "&" + signingResult.ForQueryParameters;
}
else
{
signer.SignRequest(irequest, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);
authorization = irequest.Headers[S3QueryParameter.Authorization.ToString()];
authorization = authorization.Substring(authorization.IndexOf(":", StringComparison.Ordinal) + 1);
authorization = "&Signature=" + AmazonS3Util.UrlEncode(authorization, false);
}
Uri url = ComposeUrl(irequest, irequest.Endpoint);
string result = url.AbsoluteUri + authorization;
Protocol protocol = DetermineProtocol();
if (request.Protocol != protocol)
{
switch (protocol)
{
case Protocol.HTTP:
result = result.Replace("http://", "https://");
break;
case Protocol.HTTPS:
result = result.Replace("https://", "http://");
break;
}
}
return(result);
}
/// <summary>
/// Create a signed URL allowing access to a resource that would
/// usually require authentication.
/// </summary>
/// <remarks>
/// <para>
/// When using query string authentication you create a query,
/// specify an expiration time for the query, sign it with your
/// signature, place the data in an HTTP request, and distribute
/// the request to a user or embed the request in a web page.
/// </para>
/// <para>
/// A PreSigned URL can be generated for GET, PUT, DELETE and HEAD
/// operations on your bucketName, keys, and versions.
/// </para>
/// </remarks>
/// <param name="request">The GetPreSignedUrlRequest that defines the
/// parameters of the operation.</param>
/// <param name="useSigV2Fallback">determines if signing will fall back to SigV2 if the
/// signing region is us-east-1</param>
/// <returns>A string that is the signed http request.</returns>
/// <exception cref="T:System.ArgumentException" />
/// <exception cref="T:System.ArgumentNullException" />
internal string GetPreSignedURLInternal(GetPreSignedUrlRequest request, bool useSigV2Fallback = true)
{
if (Credentials == null)
{
throw new AmazonS3Exception("Credentials must be specified, cannot call method anonymously");
}
if (request == null)
{
throw new ArgumentNullException("request", "The PreSignedUrlRequest specified is null!");
}
if (!request.IsSetExpires())
{
throw new InvalidOperationException("The Expires specified is null!");
}
var signatureVersionToUse = AWSConfigsS3.UseSignatureVersion4 ? SignatureVersion.SigV4 : SignatureVersion.SigV2;
Arn arn;
string accessPoint;
if (Arn.TryParse(request.BucketName, out arn) &&
(arn.TryParseAccessPoint(out accessPoint) || arn.IsOutpostArn()))
{
signatureVersionToUse = SignatureVersion.SigV4;
if (arn.IsMRAPArn())
{
signatureVersionToUse = SignatureVersion.SigV4a;
}
}
else
{
var region = AWS4Signer.DetermineSigningRegion(Config, "s3", alternateEndpoint: null, request: null);
if (signatureVersionToUse == SignatureVersion.SigV4 && string.IsNullOrEmpty(region))
{
throw new InvalidOperationException("To use AWS4 signing, a region must be specified in the client configuration using the AuthenticationRegion or Region properties, or be determinable from the service URL.");
}
RegionEndpoint endpoint = RegionEndpoint.GetBySystemName(region);
var s3SignatureVersionOverride = endpoint.GetEndpointForService("s3", Config.ToGetEndpointForServiceOptions()).SignatureVersionOverride;
if (s3SignatureVersionOverride == "4" || s3SignatureVersionOverride == null)
{
signatureVersionToUse = SignatureVersion.SigV4;
}
var fallbackToSigV2 = useSigV2Fallback && !AWSConfigsS3.UseSigV4SetExplicitly;
if (endpoint?.SystemName == RegionEndpoint.USEast1.SystemName && fallbackToSigV2)
{
signatureVersionToUse = SignatureVersion.SigV2;
}
// If the expiration is longer than SigV4 will allow then automatically use SigV2 instead.
// But only if the region we're signing for allows SigV2.
if (signatureVersionToUse == SignatureVersion.SigV4)
{
var secondsUntilExpiration = GetSecondsUntilExpiration(this.Config, request, signatureVersionToUse);
if (secondsUntilExpiration > AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry &&
s3SignatureVersionOverride == "2")
{
signatureVersionToUse = SignatureVersion.SigV2;
}
}
}
var immutableCredentials = Credentials.GetCredentials();
var irequest = Marshall(this.Config, request, immutableCredentials.AccessKey, immutableCredentials.Token, signatureVersionToUse);
irequest.Endpoint = EndpointResolver.DetermineEndpoint(this.Config, irequest);
var context = new Amazon.Runtime.Internal.ExecutionContext(new Amazon.Runtime.Internal.RequestContext(true, new NullSigner())
{
Request = irequest, ClientConfig = this.Config
}, null);
AmazonS3PostMarshallHandler.ProcessRequestHandlers(context);
var metrics = new RequestMetrics();
string result;
string authorization;
switch (signatureVersionToUse)
{
case SignatureVersion.SigV4a:
var aws4aSigner = new AWS4aSignerCRTWrapper();
var signingResult4a = aws4aSigner.Presign4a(irequest,
Config,
metrics,
immutableCredentials,
"s3",
arn.IsMRAPArn() ? "*" : "");
result = signingResult4a.PresignedUri;
break;
case SignatureVersion.SigV4:
var aws4Signer = new AWS4PreSignedUrlSigner();
var signingResult4 = aws4Signer.SignRequest(irequest,
Config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey);
authorization = "&" + signingResult4.ForQueryParameters;
result = ComposeUrl(irequest).AbsoluteUri + authorization;
break;
default: // SigV2
Amazon.S3.Internal.S3Signer.SignRequest(irequest, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);
authorization = irequest.Headers[HeaderKeys.AuthorizationHeader];
authorization = authorization.Substring(authorization.IndexOf(":", StringComparison.Ordinal) + 1);
authorization = "&Signature=" + AmazonS3Util.UrlEncode(authorization, false);
result = ComposeUrl(irequest).AbsoluteUri + authorization;
break;
}
Protocol protocol = DetermineProtocol();
if (request.Protocol != protocol)
{
switch (protocol)
{
case Protocol.HTTP:
result = result.Replace("http://", "https://");
break;
case Protocol.HTTPS:
result = result.Replace("https://", "http://");
break;
}
}
return(result);
}
/// <summary>
/// Generate a presigned URL based on a <see cref="SynthesizeSpeechRequest"/>.
/// </summary>
/// <param name="credentials">The credentials to use in the presigned URL.</param>
/// <param name="region">The region for the URL.</param>
/// <param name="request">The request to base the presigned URL on.</param>
/// <returns></returns>
public static string GeneratePresignedUrl(AWSCredentials credentials, RegionEndpoint region, SynthesizeSpeechRequest request)
{
if (credentials == null)
{
throw new ArgumentNullException("credentials");
}
if (region == null)
{
throw new ArgumentNullException("region");
}
if (request == null)
{
throw new ArgumentNullException("request");
}
// Marshall this request and prepare it to be signed
var marshaller = new SynthesizeSpeechRequestMarshaller();
var iRequest = marshaller.Marshall(request);
iRequest.UseQueryString = true;
iRequest.HttpMethod = HTTPGet;
iRequest.Endpoint = new UriBuilder(HTTPS, region.GetEndpointForService(PollyServiceName).Hostname).Uri;
iRequest.Parameters[XAmzExpires] = ((int)FifteenMinutes.TotalSeconds).ToString(CultureInfo.InvariantCulture);
if (request.IsSetLexiconNames())
{
iRequest.ParameterCollection.Add("LexiconNames", request.LexiconNames);
}
if (request.IsSetOutputFormat())
{
iRequest.Parameters["OutputFormat"] = request.OutputFormat.ToString();
}
if (request.IsSetSampleRate())
{
iRequest.Parameters["SampleRate"] = request.SampleRate.ToString();
}
if (request.IsSetText())
{
iRequest.Parameters["Text"] = request.Text;
}
if (request.IsSetTextType())
{
iRequest.Parameters["TextType"] = request.TextType.ToString();
}
if (request.IsSetVoiceId())
{
iRequest.Parameters["VoiceId"] = request.VoiceId;
}
if (request.IsSetSpeechMarkTypes())
{
iRequest.ParameterCollection.Add("SpeechMarkTypes", request.SpeechMarkTypes);
}
if (request.IsSetLanguageCode())
{
iRequest.ParameterCollection.Add("LanguageCode", request.LanguageCode);
}
var immutableCredentials = credentials.GetCredentials();
if (immutableCredentials.UseToken)
{
// Don't use HeaderKeys.XAmzSecurityTokenHeader because Polly treats this as case-sensitive
iRequest.Parameters["X-Amz-Security-Token"] = immutableCredentials.Token;
}
// Only the host header should be signed, and the signer adds that.
// So clear out headers.
iRequest.Headers.Clear();
// Create presigned URL and assign it
var signingResult = AWS4PreSignedUrlSigner.SignRequest(iRequest, null, new RequestMetrics(),
immutableCredentials.AccessKey, immutableCredentials.SecretKey, PollyServiceName, region.SystemName);
var authorization = "&" + signingResult.ForQueryParameters;
return(AmazonServiceClient.ComposeUrl(iRequest).AbsoluteUri + authorization);
}
