// StripAccessKeyID - strip only access key id from auth header
func StripAccessKeyID(ah string) (string, error) {
if ah == "" {
return "", errors.New("Missing auth header")
}
authFields := strings.Split(strings.TrimSpace(ah), ",")
if len(authFields) != 3 {
return "", errors.New("Missing fields in Auth header")
}
authPrefixFields := strings.Fields(authFields[0])
if len(authPrefixFields) != 2 {
return "", errors.New("Missing fields in Auth header")
}
if authPrefixFields[0] != authHeaderPrefix {
return "", errors.New("Missing fields is Auth header")
}
credentials := strings.Split(strings.TrimSpace(authPrefixFields[1]), "=")
if len(credentials) != 2 {
return "", errors.New("Missing fields in Auth header")
}
if len(strings.Split(strings.TrimSpace(authFields[1]), "=")) != 2 {
return "", errors.New("Missing fields in Auth header")
}
if len(strings.Split(strings.TrimSpace(authFields[2]), "=")) != 2 {
return "", errors.New("Missing fields in Auth header")
}
accessKeyID := strings.Split(strings.TrimSpace(credentials[1]), "/")[0]
if !auth.IsValidAccessKey(accessKeyID) {
return "", errors.New("Invalid access key")
}
return accessKeyID, nil
}
// initPresignedSignatureV4 initializing presigned signature verification
func initPresignedSignatureV4(req *http.Request) (*donut.Signature, *probe.Error) {
credentialElements := strings.Split(strings.TrimSpace(req.URL.Query().Get("X-Amz-Credential")), "/")
if len(credentialElements) != 5 {
return nil, probe.NewError(errCredentialTagMalformed)
}
accessKeyID := credentialElements[0]
if !auth.IsValidAccessKey(accessKeyID) {
return nil, probe.NewError(errAccessKeyIDInvalid)
}
authConfig, err := auth.LoadConfig()
if err != nil {
return nil, err.Trace()
}
signedHeaders := strings.Split(strings.TrimSpace(req.URL.Query().Get("X-Amz-SignedHeaders")), ";")
signature := strings.TrimSpace(req.URL.Query().Get("X-Amz-Signature"))
for _, user := range authConfig.Users {
if user.AccessKeyID == accessKeyID {
signature := &donut.Signature{
AccessKeyID: user.AccessKeyID,
SecretAccessKey: user.SecretAccessKey,
Signature: signature,
SignedHeaders: signedHeaders,
Presigned: true,
Request: req,
}
return signature, nil
}
}
return nil, probe.NewError(errAccessKeyIDInvalid)
}
// stripAccessKeyID - strip only access key id from auth header
func stripAccessKeyID(authHeaderValue string) (string, *probe.Error) {
if err := isValidRegion(authHeaderValue); err != nil {
return "", err.Trace()
}
credentialElements, err := getCredentialsFromAuth(authHeaderValue)
if err != nil {
return "", err.Trace()
}
accessKeyID := credentialElements[0]
if !auth.IsValidAccessKey(accessKeyID) {
return "", probe.NewError(errAccessKeyIDInvalid)
}
return accessKeyID, nil
}
// strip auth from authorization header
func stripAuth(r *http.Request) (*authHeader, error) {
ah := r.Header.Get("Authorization")
if ah == "" {
return nil, errors.New("Missing auth header")
}
a := new(authHeader)
authFields := strings.Split(ah, ",")
if len(authFields) != 3 {
return nil, errors.New("Missing fields in Auth header")
}
authPrefixFields := strings.Fields(authFields[0])
if len(authPrefixFields) != 2 {
return nil, errors.New("Missing fields in Auth header")
}
if authPrefixFields[0] != authHeaderPrefix {
return nil, errors.New("Missing fields is Auth header")
}
credentials := strings.Split(authPrefixFields[1], "=")
if len(credentials) != 2 {
return nil, errors.New("Missing fields in Auth header")
}
signedheaders := strings.Split(authFields[1], "=")
if len(signedheaders) != 2 {
return nil, errors.New("Missing fields in Auth header")
}
signature := strings.Split(authFields[2], "=")
if len(signature) != 2 {
return nil, errors.New("Missing fields in Auth header")
}
a.credential = credentials[1]
a.signedheaders = signedheaders[1]
a.signature = signature[1]
a.accessKey = strings.Split(a.credential, "/")[0]
if !auth.IsValidAccessKey(a.accessKey) {
return nil, errors.New("Invalid access key")
}
return a, nil
}
