func ExampleV4Signer() {
// Get auth from env vars
auth, err := aws.EnvAuth()
if err != nil {
fmt.Println(err)
}
// Create a signer with the auth, name of the service, and aws region
signer := aws.NewV4Signer(auth, "dynamodb", aws.USEast)
// Create a request
req, err := http.NewRequest("POST", aws.USEast.DynamoDBEndpoint, strings.NewReader("sample_request"))
if err != nil {
fmt.Println(err)
}
// Date or x-amz-date header is required to sign a request
req.Header.Add("Date", time.Now().UTC().Format(http.TimeFormat))
// Sign the request
signer.Sign(req)
// Issue signed request
http.DefaultClient.Do(req)
}
func (s *Server) queryServer(target string, query *Query) ([]byte, error) {
data := strings.NewReader(query.String())
hreq, err := http.NewRequest("POST", s.Region.DynamoDBEndpoint+"/", data)
if err != nil {
return nil, err
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.0")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
hreq.Header.Set("X-Amz-Target", target)
signer := aws.NewV4Signer(s.Auth, "dynamodb", s.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
fmt.Printf("Error calling Amazon")
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Printf("Could not read response body")
return nil, err
}
return body, nil
}
func (s *V4SignerSuite) TestCases(c *gocheck.C) {
signer := aws.NewV4Signer(s.auth, "host", s.region)
for _, testCase := range s.cases {
req, err := http.NewRequest(testCase.request.method, "http://"+testCase.request.host+testCase.request.url, strings.NewReader(testCase.request.body))
c.Assert(err, gocheck.IsNil, gocheck.Commentf("Testcase: %s", testCase.label))
for _, v := range testCase.request.headers {
h := strings.SplitN(v, ":", 2)
req.Header.Add(h[0], h[1])
}
req.Header.Set("host", req.Host)
t := signer.RequestTime(req)
canonicalRequest := signer.CanonicalRequest(req)
c.Check(canonicalRequest, gocheck.Equals, testCase.canonicalRequest, gocheck.Commentf("Testcase: %s", testCase.label))
stringToSign := signer.StringToSign(t, canonicalRequest)
c.Check(stringToSign, gocheck.Equals, testCase.stringToSign, gocheck.Commentf("Testcase: %s", testCase.label))
signature := signer.Signature(t, stringToSign)
c.Check(signature, gocheck.Equals, testCase.signature, gocheck.Commentf("Testcase: %s", testCase.label))
authorization := signer.Authorization(req.Header, t, signature)
c.Check(authorization, gocheck.Equals, testCase.authorization, gocheck.Commentf("Testcase: %s", testCase.label))
signer.Sign(req)
c.Check(req.Header.Get("Authorization"), gocheck.Equals, testCase.authorization, gocheck.Commentf("Testcase: %s", testCase.label))
}
}
// queryV4Signprepares and runs the req request, signed with aws v4 signatures.
// If resp is not nil, the XML data contained in the response
// body will be unmarshalled on it.
func (s3 *S3) queryV4Sign(req *request, resp interface{}) error {
if req.headers == nil {
req.headers = map[string][]string{}
}
err := s3.setBaseURL(req)
if err != nil {
return err
}
hreq, err := s3.setupHttpRequest(req)
if err != nil {
return err
}
// req.Host must be set for V4 signature calculation
hreq.Host = hreq.URL.Host
signer := aws.NewV4Signer(s3.Auth, "s3", s3.Region)
signer.IncludeXAmzContentSha256 = true
signer.Sign(hreq)
_, err = s3.doHttpRequest(hreq, resp)
return err
}
func (s *Server) queryServer(target string, query Query) ([]byte, error) {
numRetries := 0
for {
data := strings.NewReader(query.String())
hreq, err := http.NewRequest("POST", s.Region.DynamoDBEndpoint+"/", data)
if err != nil {
return nil, err
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.0")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
hreq.Header.Set("X-Amz-Target", target)
token := s.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
signer := aws.NewV4Signer(s.Auth, "dynamodb", s.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
if s.RetryPolicy.ShouldRetry(target, resp, err, numRetries) {
time.Sleep(s.RetryPolicy.Delay(target, resp, err, numRetries))
numRetries++
continue
}
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
if s.RetryPolicy.ShouldRetry(target, resp, err, numRetries) {
time.Sleep(s.RetryPolicy.Delay(target, resp, err, numRetries))
numRetries++
continue
}
return nil, err
}
// http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ErrorHandling.html
// "A response code of 200 indicates the operation was successful."
if resp.StatusCode != 200 {
err := buildError(resp, body)
if s.RetryPolicy.ShouldRetry(target, resp, err, numRetries) {
time.Sleep(s.RetryPolicy.Delay(target, resp, err, numRetries))
numRetries++
continue
}
return nil, err
}
return body, nil
}
}
func (rds *RDS) DownloadCompleteDBLogFile(id, filename string) (io.ReadCloser, error) {
url := fmt.Sprintf(
"%s/v13/downloadCompleteLogFile/%s/%s",
rds.Region.RDSEndpoint.Endpoint,
id,
filename,
)
hreq, err := http.NewRequest("GET", url, nil)
if err != nil {
if debug {
log.Printf("Error http.NewRequest GET %s", url)
}
return nil, err
}
token := rds.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
signer := aws.NewV4Signer(rds.Auth, "rds", rds.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
if debug {
log.Print("Error calling Amazon")
}
return nil, err
}
if resp.StatusCode == 200 {
return resp.Body, nil
} else {
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
if debug {
log.Printf("Could not read response body")
}
return nil, err
}
msg := fmt.Sprintf(
"Responce:\n\tStatusCode: %d\n\tBody: %s\n",
resp.StatusCode,
string(body),
)
if debug {
log.Printf(msg)
}
err = errors.New(msg)
return nil, err
}
}
func (s *SQS) query(queueUrl string, params map[string]string, resp interface{}) (err error) {
var url_ *url.URL
if queueUrl != "" && len(queueUrl) > len(s.Region.SQSEndpoint) {
url_, err = url.Parse(queueUrl)
} else {
url_, err = url.Parse(s.Region.SQSEndpoint)
}
if err != nil {
return err
}
params["Version"] = "2012-11-05"
hreq, err := http.NewRequest("POST", url_.String(), strings.NewReader(multimap(params).Encode()))
if err != nil {
return err
}
hreq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
if s.Auth.Token() != "" {
hreq.Header.Set("X-Amz-Security-Token", s.Auth.Token())
}
signer := aws.NewV4Signer(s.Auth, "sqs", s.Region)
signer.Sign(hreq)
r, err := http.DefaultClient.Do(hreq)
if err != nil {
return err
}
defer r.Body.Close()
if debug {
dump, _ := httputil.DumpResponse(r, true)
log.Printf("DUMP:\n", string(dump))
}
if r.StatusCode != 200 {
return buildError(r)
}
err = xml.NewDecoder(r.Body).Decode(resp)
io.Copy(ioutil.Discard, r.Body)
return err
}
func (c *Client) Do(req *RawRequest) *Response {
j, jerr := json.Marshal(req.Param)
if jerr != nil {
return &Response{jerr, nil}
}
hreq, err := http.NewRequest("POST", c.Region.DynamoDBEndpoint+"/", bytes.NewReader(j))
if err != nil {
return &Response{err, nil}
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.0")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
hreq.Header.Set("X-Amz-Target", target(req.Target))
token := c.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
signer := aws.NewV4Signer(c.Auth, "dynamodb", c.Region)
signer.Sign(hreq)
for attempt := attempts.Start(); attempt.Next(); {
resp, err := c.HTTPClient.Do(hreq)
if err != nil {
if shouldRetry(err) {
continue
}
return &Response{err, nil}
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return &Response{ErrFailedtoReadResponse, nil}
}
if resp.StatusCode != 200 {
err = NewError(resp, body)
if shouldRetry(err) {
continue
}
return &Response{err, nil}
}
return &Response{nil, body}
}
return &Response{err, nil}
}
func main() {
var (
auth aws.Auth
targetURL url.URL
listenAddress string
serviceName string
region aws.Region
)
const flagEnvPrefix = "AWS_AUTH_PROXY"
fs := flag.NewFlagSet("aws-auth-proxy", flag.ExitOnError)
fs.StringVar(&auth.AccessKey, "access-key", "", "aws access key id")
fs.StringVar(&auth.SecretKey, "secret-key", "", "aws secret access key")
fs.StringVar(&serviceName, "service-name", "", "aws service name")
var regionName string
fs.StringVar(®ionName, "region-name", "", "aws region name")
fs.StringVar(&targetURL.Host, "upstream-host", "", "host or host:port for upstream endpoint")
fs.StringVar(&targetURL.Scheme, "upstream-scheme", "https", "scheme for upstream endpoint")
fs.StringVar(&listenAddress, "listen-address", ":8080", "address for proxy to listen on")
if err := flagutil.SetFlagsFromEnv(fs, flagEnvPrefix); err != nil {
log.Fatal(err)
}
if len(os.Args) >= 2 && os.Args[1] == "--help" {
fs.PrintDefaults()
fmt.Printf("\nflagutil prefix is '%s'\n", flagEnvPrefix)
fmt.Printf("example:\n\t-access-key=xxx OR export %s_ACCESS_KEY=xxx\n", flagEnvPrefix)
os.Exit(0)
}
fs.Parse(os.Args[1:])
region = aws.GetRegion(regionName)
signer := aws.NewV4Signer(auth, serviceName, region)
proxyHandler := &AWSProxy{
TargetURL: &targetURL,
Signer: signer,
}
fmt.Printf("Listening on %s\n", listenAddress)
log.Fatal(http.ListenAndServe(listenAddress, proxyHandler))
}
func (s *Server) queryServer(target string, query *Query) ([]byte, error) {
data := strings.NewReader(query.String())
fmt.Println("data in server request", data, reflect.TypeOf(data))
hreq, err := http.NewRequest("POST", s.Region.DynamoDBEndpoint+"/", data)
if err != nil {
return nil, err
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.0")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
hreq.Header.Set("X-Amz-Target", target)
token := s.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
signer := aws.NewV4Signer(s.Auth, "dynamodb", s.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
log.Printf("Error calling Amazon")
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Printf("Could not read response body")
return nil, err
}
// http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ErrorHandling.html
// "A response code of 200 indicates the operation was successful."
if resp.StatusCode != 200 {
ddbErr := buildError(resp, body)
return nil, ddbErr
}
return body, nil
}
// queryV4Signprepares and runs the req request, signed with aws v4 signatures.
// If resp is not nil, the XML data contained in the response
// body will be unmarshalled on it.
func (s3 *S3) queryV4Sign(req *request, resp interface{}) error {
if req.headers == nil {
req.headers = map[string][]string{}
}
s3.setBaseURL(req)
hreq, err := s3.setupHttpRequest(req)
if err != nil {
return err
}
signer := aws.NewV4Signer(s3.Auth, "s3", s3.Region)
signer.IncludeXAmzContentSha256 = true
signer.Sign(hreq)
_, err = s3.doHttpRequest(hreq, resp)
return err
}
func (k *Kinesis) query(target string, query *Query) ([]byte, error) {
data := strings.NewReader(query.String())
hreq, err := http.NewRequest("POST", k.Region.KinesisEndpoint+"/", data)
if err != nil {
return nil, err
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.1")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
hreq.Header.Set("X-Amz-Target", target)
signer := aws.NewV4Signer(k.Auth, "kinesis", k.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
log.Printf("kinesis: Error calling Amazon\n: %v", err)
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Printf("kinesis: Could not read response body\n")
return nil, err
}
if debug {
log.Printf("kinesis: response:\n")
log.Printf("kinesis: %s", string(body))
}
// "A response code of 200 indicates the operation was successful."
if resp.StatusCode != 200 {
err = buildError(resp, body)
return nil, err
}
return body, nil
}
func (sts *STS) query(params map[string]string, resp interface{}) error {
params["Version"] = "2011-06-15"
data := strings.NewReader(multimap(params).Encode())
hreq, err := http.NewRequest("POST", sts.Region.STSEndpoint+"/", data)
if err != nil {
return err
}
hreq.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
token := sts.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
signer := aws.NewV4Signer(sts.Auth, "sts", sts.Region)
signer.Sign(hreq)
if debug {
log.Printf("%v -> {\n", hreq)
}
r, err := http.DefaultClient.Do(hreq)
if err != nil {
log.Printf("Error calling Amazon")
return err
}
defer r.Body.Close()
if debug {
dump, _ := httputil.DumpResponse(r, true)
log.Printf("response:\n")
log.Printf("%v\n}\n", string(dump))
}
if r.StatusCode != 200 {
return buildError(r)
}
err = xml.NewDecoder(r.Body).Decode(resp)
return err
}
func (ec *ElastiCache) query(query string, response interface{}) error {
url := ec.Region.ElastiCacheEndpoint + "/?" + query
hreq, err := http.NewRequest("POST", url, nil)
if err != nil {
return err
}
hreq.Header.Set("Content-Type", "application/x-amz-json-1.0")
hreq.Header.Set("X-Amz-Date", time.Now().UTC().Format(aws.ISO8601BasicFormat))
token := ec.Auth.Token()
if token != "" {
hreq.Header.Set("X-Amz-Security-Token", token)
}
signer := aws.NewV4Signer(ec.Auth, "elasticache", ec.Region)
signer.Sign(hreq)
resp, err := http.DefaultClient.Do(hreq)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
return buildError(resp)
}
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
return err
}
return xml.Unmarshal(b, &response)
}
// prepare sets up req to be delivered to S3.
func (s3 *S3) prepare(req *request) error {
// Copy so they can be mutated without affecting on retries.
params := make(url.Values)
headers := make(http.Header)
for k, v := range req.params {
params[k] = v
}
for k, v := range req.headers {
headers[k] = v
}
req.params = params
req.headers = headers
if !req.prepared {
req.prepared = true
if req.method == "" {
req.method = "GET"
}
if !strings.HasPrefix(req.path, "/") {
req.path = "/" + req.path
}
err := s3.setBaseURL(req)
if err != nil {
return err
}
}
if s3.Signature == aws.V2Signature && s3.Auth.Token() != "" {
req.headers["X-Amz-Security-Token"] = []string{s3.Auth.Token()}
} else if s3.Auth.Token() != "" {
req.params.Set("X-Amz-Security-Token", s3.Auth.Token())
}
if s3.Signature == aws.V2Signature {
// Always sign again as it's not clear how far the
// server has handled a previous attempt.
u, err := url.Parse(req.baseurl)
if err != nil {
return err
}
signpathPatiallyEscaped := partiallyEscapedPath(req.path)
req.headers["Host"] = []string{u.Host}
req.headers["Date"] = []string{time.Now().In(time.UTC).Format(time.RFC1123)}
sign(s3.Auth, req.method, signpathPatiallyEscaped, req.params, req.headers)
} else {
hreq, err := s3.setupHttpRequest(req)
if err != nil {
return err
}
hreq.Host = hreq.URL.Host
signer := aws.NewV4Signer(s3.Auth, "s3", s3.Region)
signer.IncludeXAmzContentSha256 = true
signer.Sign(hreq)
req.payload = hreq.Body
if _, ok := headers["Content-Length"]; ok {
req.headers["Content-Length"] = headers["Content-Length"]
}
}
return nil
}
func (s *RetrySuite) TestRetryPolicy(c *check.C) {
// Save off the real endpoint, and then point it at a local proxy.
endpoint := s.table.Server.Region.DynamoDBEndpoint
policy := s.table.Server.RetryPolicy
defer func() {
s.table.Server.Region.DynamoDBEndpoint = endpoint
s.table.Server.RetryPolicy = policy
}()
numCalls := 0
server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
numCalls++
// Fake a failure the requested amount of times.
if numCalls <= s.NumCallsToFail {
b, _ := json.Marshal(map[string]interface{}{
"__type": s.ErrorType,
"Code": "blah",
})
w.WriteHeader(s.ErrorStatusCode)
io.WriteString(w, string(b))
return
}
// Otherwise, proxy to actual DynamoDB endpoint. We reformat the request
// with the same content.
body, err := ioutil.ReadAll(r.Body)
if err != nil {
c.Fatal(err)
}
newr, err := http.NewRequest("POST", endpoint+"/", strings.NewReader(string(body)))
headersToKeep := map[string]bool{
"Content-Type": true,
"X-Amz-Date": true,
"X-Amz-Target": true,
"X-Amz-Security-Token": true,
}
for h, _ := range r.Header {
if _, ok := headersToKeep[h]; ok {
newr.Header.Set(h, r.Header.Get(h))
}
}
signer := aws.NewV4Signer(s.table.Server.Auth, "dynamodb", s.table.Server.Region)
signer.Sign(newr)
resp, err := http.DefaultClient.Do(newr)
if err != nil {
c.Fatal(err)
}
body, err = ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
if err != nil {
c.Fatal(err)
}
w.WriteHeader(resp.StatusCode)
io.WriteString(w, string(body))
}))
defer server.Close()
rp := &retryPolicy{}
s.table.Server.RetryPolicy = rp
s.table.Server.Region.DynamoDBEndpoint = server.URL
// Now make the request.
k := &Key{HashKey: "NewHashKeyVal"}
in := map[string]interface{}{
"Attr1": "Attr1Val",
"Attr2": 12,
}
err := s.table.PutDocument(k, in)
if s.ExpectError {
if err == nil {
c.Fatalf("Expected error")
}
} else {
if err != nil {
c.Fatal(err)
}
}
if rp.numCalls != s.NumCallsToFail {
c.Fatalf("Expected %d failed calls, saw %d", s.NumCallsToFail, rp.numCalls)
}
}
func New(auth aws.Auth, region aws.Region) *SNS {
return &SNS{auth, region, aws.NewV4Signer(auth, "sns", region), 0}
}