private void TestS3Signer(bool requestUseSigV4, string clientConfigSignatureVersion,
bool awsConfigsS3UseSignatureVersion4, bool expectSigV4)
{
var originalAWSConfigsS3UseSignatureVersion4 = AWSConfigsS3.UseSignatureVersion4;
try
{
AWSConfigsS3.UseSignatureVersion4 = awsConfigsS3UseSignatureVersion4;
var signer = new S3Signer();
var putObjectRequest = new PutObjectRequest();
var iRequest = new DefaultRequest(putObjectRequest, "s3")
{
UseSigV4 = requestUseSigV4,
Endpoint = new System.Uri("https://does_not_matter.com")
};
var config = new AmazonS3Config
{
SignatureVersion = clientConfigSignatureVersion,
RegionEndpoint = RegionEndpoint.USWest1
};
signer.Sign(iRequest, config, new RequestMetrics(), "ACCESS", "SECRET");
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.AreEqual(expectSigV4, iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("aws4_request"));
}
finally
{
AWSConfigsS3.UseSignatureVersion4 = originalAWSConfigsS3UseSignatureVersion4;
}
}
public void TestS3SignerSignatureVersion(SignatureVersion signatureVersion, string clientConfigSignatureVersion,
bool awsConfigsS3UseSignatureVersion4, SignatureVersion expectedSignatureVersion)
{
var originalAWSConfigsS3UseSignatureVersion4 = AWSConfigsS3.UseSignatureVersion4;
try
{
AWSConfigsS3.UseSignatureVersion4 = awsConfigsS3UseSignatureVersion4;
var signer = new S3Signer();
var putObjectRequest = new PutObjectRequest();
var iRequest = new DefaultRequest(putObjectRequest, "s3")
{
SignatureVersion = signatureVersion,
Endpoint = new System.Uri("https://does_not_matter.com")
};
var config = new AmazonS3Config
{
SignatureVersion = clientConfigSignatureVersion,
RegionEndpoint = RegionEndpoint.USWest1
};
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
if (expectedSignatureVersion == SignatureVersion.SigV4a)
{
Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS4-ECDSA-P256-SHA256"));
}
else if (expectedSignatureVersion == SignatureVersion.SigV4)
{
Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS4-HMAC-SHA256"));
}
else if (expectedSignatureVersion == SignatureVersion.SigV2)
{
Assert.IsTrue(iRequest.Headers[HeaderKeys.AuthorizationHeader].Contains("AWS ACCESS"));
}
}
finally
{
AWSConfigsS3.UseSignatureVersion4 = originalAWSConfigsS3UseSignatureVersion4;
}
}
public void WriteGetObjectResponseSignerTest()
{
var signer = new S3Signer();
var request = new WriteGetObjectResponseRequest
{
RequestRoute = "route",
RequestToken = "token"
};
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.EUWest1
};
var iRequest = S3ArnTestUtils.RunMockRequest(request, WriteGetObjectResponseRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-object-lambda"));
}
public void S3ObjectLambdaSignerTest()
{
var signer = new S3Signer();
var arnString = "arn:aws:s3-object-lambda:us-east-1:123456789012:accesspoint/mybanner";
var request = new GetObjectRequest()
{
BucketName = arnString,
Key = "foo.txt"
};
var config = new AmazonS3Config
{
RegionEndpoint = RegionEndpoint.USEast1
};
var iRequest = S3ArnTestUtils.RunMockRequest(request, GetObjectRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-object-lambda"));
}
public void TestS3OutpostsSignerGetBucket()
{
var signer = new S3Signer();
var bucketArn = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket";
var getBucketRequest = new GetBucketRequest
{
Bucket = bucketArn
};
var config = new AmazonS3ControlConfig
{
UseArnRegion = true,
RegionEndpoint = RegionEndpoint.USWest2
};
var originalAuthService = config.AuthenticationServiceName;
var iRequest = S3ControlArnTestUtils.RunMockRequest(getBucketRequest, GetBucketRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts"));
Assert.IsTrue(config.AuthenticationServiceName == originalAuthService);
}
public void TestS3OutpostsSignerCreateAccessPointWithArn()
{
var signer = new S3Signer();
var createAccessPointRequest = new CreateAccessPointRequest
{
Bucket = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:bucket:mybucket",
Name = "myaccesspoint",
};
var config = new AmazonS3ControlConfig
{
UseArnRegion = true,
RegionEndpoint = RegionEndpoint.USWest2
};
var originalAuthService = config.AuthenticationServiceName;
var iRequest = S3ControlArnTestUtils.RunMockRequest(createAccessPointRequest, CreateAccessPointRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), "ACCESS", "SECRET");
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts"));
Assert.IsTrue(config.AuthenticationServiceName == originalAuthService);
}
public void TestS3OutpostsSigner()
{
var signer = new S3Signer();
var outpostsArn = "arn:aws:s3-outposts:us-west-2:123456789012:outpost:op-01234567890123456:accesspoint:myaccesspoint";
var putObjectRequest = new PutObjectRequest()
{
BucketName = outpostsArn,
Key = "foo.txt",
ContentBody = "data"
};
var config = new AmazonS3Config
{
UseArnRegion = true,
RegionEndpoint = RegionEndpoint.USWest2
};
var iRequest = S3ArnTestUtils.RunMockRequest(putObjectRequest, PutObjectRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts"));
}
public void TestS3OutpostsSignerCreateBucket()
{
var signer = new S3Signer();
var createBucketRequest = new CreateBucketRequest
{
Bucket = "test",
OutpostId = "op-123456789012"
};
var config = new AmazonS3ControlConfig
{
SignatureVersion = "4",
UseArnRegion = true,
RegionEndpoint = RegionEndpoint.USWest2
};
var originalAuthService = config.AuthenticationServiceName;
var iRequest = S3ControlArnTestUtils.RunMockRequest(createBucketRequest, CreateBucketRequestMarshaller.Instance, config);
signer.Sign(iRequest, config, new RequestMetrics(), new ImmutableCredentials("ACCESS", "SECRET", ""));
Assert.IsTrue(iRequest.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
Assert.IsTrue((iRequest.Headers["Authorization"]).Contains("s3-outposts"));
Assert.IsTrue(config.AuthenticationServiceName == originalAuthService);
}
/// <summary>
/// Create a signed URL allowing access to a resource that would
/// usually require authentication.
/// </summary>
/// <remarks>
/// <para>
/// When using query string authentication you create a query,
/// specify an expiration time for the query, sign it with your
/// signature, place the data in an HTTP request, and distribute
/// the request to a user or embed the request in a web page.
/// </para>
/// <para>
/// A PreSigned URL can be generated for GET, PUT, DELETE and HEAD
/// operations on your bucketName, keys, and versions.
/// </para>
/// </remarks>
/// <param name="request">The GetPreSignedUrlRequest that defines the
/// parameters of the operation.</param>
/// <param name="useSigV2Fallback">determines if signing will fall back to SigV2 if the
/// signing region is us-east-1
/// <returns>A string that is the signed http request.</returns>
/// <exception cref="T:System.ArgumentException" />
/// <exception cref="T:System.ArgumentNullException" />
internal string GetPreSignedURLInternal(GetPreSignedUrlRequest request, bool useSigV2Fallback = true)
{
if (Credentials == null)
{
throw new AmazonS3Exception("Credentials must be specified, cannot call method anonymously");
}
if (request == null)
{
throw new ArgumentNullException("request", "The PreSignedUrlRequest specified is null!");
}
if (!request.IsSetExpires())
{
throw new InvalidOperationException("The Expires specified is null!");
}
var aws4Signing = AWSConfigsS3.UseSignatureVersion4;
var region = AWS4Signer.DetermineSigningRegion(Config, "s3", alternateEndpoint: null, request: null);
if (aws4Signing && string.IsNullOrEmpty(region))
{
throw new InvalidOperationException("To use AWS4 signing, a region must be specified in the client configuration using the AuthenticationRegion or Region properties, or be determinable from the service URL.");
}
RegionEndpoint endpoint = RegionEndpoint.GetBySystemName(region);
if (endpoint.GetEndpointForService("s3").SignatureVersionOverride == "4" || endpoint.GetEndpointForService("s3").SignatureVersionOverride == null)
{
aws4Signing = true;
}
var fallbackToSigV2 = useSigV2Fallback && !AWSConfigsS3.UseSigV4SetExplicitly;
if (endpoint == RegionEndpoint.USEast1 && fallbackToSigV2)
{
aws4Signing = false;
}
// If the expiration is longer than SigV4 will allow then automatically use SigV2 instead.
// But only if the region we're signing for allows SigV2.
if (aws4Signing)
{
var secondsUntilExpiration = GetSecondsUntilExpiration(request, aws4Signing);
if (secondsUntilExpiration > AWS4PreSignedUrlSigner.MaxAWS4PreSignedUrlExpiry &&
endpoint.GetEndpointForService("s3").SignatureVersionOverride == "2")
{
aws4Signing = false;
}
}
var immutableCredentials = Credentials.GetCredentials();
var irequest = Marshall(request, immutableCredentials.AccessKey, immutableCredentials.Token, aws4Signing);
irequest.Endpoint = EndpointResolver.DetermineEndpoint(this.Config, irequest);
var context = new Amazon.Runtime.Internal.ExecutionContext(new Amazon.Runtime.Internal.RequestContext(true)
{
Request = irequest, ClientConfig = this.Config
}, null);
AmazonS3PostMarshallHandler.ProcessRequestHandlers(context);
var metrics = new RequestMetrics();
string authorization;
if (aws4Signing)
{
var aws4Signer = new AWS4PreSignedUrlSigner();
var signingResult = aws4Signer.SignRequest(irequest,
this.Config,
metrics,
immutableCredentials.AccessKey,
immutableCredentials.SecretKey);
authorization = "&" + signingResult.ForQueryParameters;
}
else
{
S3Signer.SignRequest(irequest, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);
authorization = irequest.Headers[HeaderKeys.AuthorizationHeader];
authorization = authorization.Substring(authorization.IndexOf(":", StringComparison.Ordinal) + 1);
authorization = "&Signature=" + AmazonS3Util.UrlEncode(authorization, false);
}
Uri url = AmazonServiceClient.ComposeUrl(irequest);
string result = url.AbsoluteUri + authorization;
Protocol protocol = DetermineProtocol();
if (request.Protocol != protocol)
{
switch (protocol)
{
case Protocol.HTTP:
result = result.Replace("http://", "https://");
break;
case Protocol.HTTPS:
result = result.Replace("https://", "http://");
break;
}
}
return(result);
}
