tommy
/
cos-go-sdk-v5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
15 Tags
719 KiB
Tree: a9d855e752
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a9d855e752'
${ noResults }
cos-go-sdk-v5/auth.go

263 lines
7.6 KiB
Raw Normal View History

first to commit project
6 years ago
update the comment for godoc
6 years ago
first to commit project
6 years ago
  1. package cos
  3. import (
  4. "crypto/hmac"
  5. "crypto/sha1"
  6. "fmt"
  7. "hash"
  8. "net/http"
  9. "net/url"
  10. "sort"
  11. "strings"
  12. "sync"
  13. "time"
  14. )
  16. const sha1SignAlgorithm = "sha1"
  17. const privateHeaderPrefix = "x-cos-"
  18. const defaultAuthExpire = time.Hour
  20. // 需要校验的 Headers 列表
  21. var needSignHeaders = map[string]bool{
  22. "host": true,
  23. "range": true,
  24. "x-cos-acl": true,
  25. "x-cos-grant-read": true,
  26. "x-cos-grant-write": true,
  27. "x-cos-grant-full-control": true,
  28. "response-content-type": true,
  29. "response-content-language": true,
  30. "response-expires": true,
  31. "response-cache-control": true,
  32. "response-content-disposition": true,
  33. "response-content-encoding": true,
  34. "cache-control": true,
  35. "content-disposition": true,
  36. "content-encoding": true,
  37. "content-type": true,
  38. "content-length": true,
  39. "content-md5": true,
  40. "expect": true,
  41. "expires": true,
  42. "x-cos-content-sha1": true,
  43. "x-cos-storage-class": true,
  44. "if-modified-since": true,
  45. "origin": true,
  46. "access-control-request-method": true,
  47. "access-control-request-headers": true,
  48. "x-cos-object-type": true,
  49. }
  51. // AuthTime 用于生成签名所需的 q-sign-time 和 q-key-time 相关参数
  52. type AuthTime struct {
  53. SignStartTime time.Time
  54. SignEndTime time.Time
  55. KeyStartTime time.Time
  56. KeyEndTime time.Time
  57. }
  59. // NewAuthTime 生成 AuthTime 的便捷函数
  60. //
  61. // expire: 从现在开始多久过期.
  62. func NewAuthTime(expire time.Duration) *AuthTime {
  63. signStartTime := time.Now()
  64. keyStartTime := signStartTime
  65. signEndTime := signStartTime.Add(expire)
  66. keyEndTime := signEndTime
  67. return &AuthTime{
  68. SignStartTime: signStartTime,
  69. SignEndTime: signEndTime,
  70. KeyStartTime: keyStartTime,
  71. KeyEndTime: keyEndTime,
  72. }
  73. }
  75. // signString return q-sign-time string
  76. func (a *AuthTime) signString() string {
  77. return fmt.Sprintf("%d;%d", a.SignStartTime.Unix(), a.SignEndTime.Unix())
  78. }
  80. // keyString return q-key-time string
  81. func (a *AuthTime) keyString() string {
  82. return fmt.Sprintf("%d;%d", a.KeyStartTime.Unix(), a.KeyEndTime.Unix())
  83. }
  85. // newAuthorization 通过一系列步骤生成最终需要的 Authorization 字符串
  86. func newAuthorization(secretID, secretKey string, req *http.Request, authTime *AuthTime) string {
  87. signTime := authTime.signString()
  88. keyTime := authTime.keyString()
  89. signKey := calSignKey(secretKey, keyTime)
  91. formatHeaders := *new(string)
  92. signedHeaderList := *new([]string)
  93. formatHeaders, signedHeaderList = genFormatHeaders(req.Header)
  94. formatParameters, signedParameterList := genFormatParameters(req.URL.Query())
  95. formatString := genFormatString(req.Method, *req.URL, formatParameters, formatHeaders)
  97. stringToSign := calStringToSign(sha1SignAlgorithm, keyTime, formatString)
  98. signature := calSignature(signKey, stringToSign)
  100. return genAuthorization(
  101. secretID, signTime, keyTime, signature, signedHeaderList,
  102. signedParameterList,
  103. )
  104. }
  106. // AddAuthorizationHeader 给 req 增加签名信息
  107. func AddAuthorizationHeader(secretID, secretKey string, sessionToken string, req *http.Request, authTime *AuthTime) {
  108. auth := newAuthorization(secretID, secretKey, req,
  109. authTime,
  110. )
  111. if len(sessionToken) > 0 {
  112. req.Header.Set("x-cos-security-token", sessionToken)
  113. }
  114. req.Header.Set("Authorization", auth)
  115. }
  117. // calSignKey 计算 SignKey
  118. func calSignKey(secretKey, keyTime string) string {
  119. digest := calHMACDigest(secretKey, keyTime, sha1SignAlgorithm)
  120. return fmt.Sprintf("%x", digest)
  121. }
  123. // calStringToSign 计算 StringToSign
  124. func calStringToSign(signAlgorithm, signTime, formatString string) string {
  125. h := sha1.New()
  126. h.Write([]byte(formatString))
  127. return fmt.Sprintf("%s\n%s\n%x\n", signAlgorithm, signTime, h.Sum(nil))
  128. }
  130. // calSignature 计算 Signature
  131. func calSignature(signKey, stringToSign string) string {
  132. digest := calHMACDigest(signKey, stringToSign, sha1SignAlgorithm)
  133. return fmt.Sprintf("%x", digest)
  134. }
  136. // genAuthorization 生成 Authorization
  137. func genAuthorization(secretID, signTime, keyTime, signature string, signedHeaderList, signedParameterList []string) string {
  138. return strings.Join([]string{
  139. "q-sign-algorithm=" + sha1SignAlgorithm,
  140. "q-ak=" + secretID,
  141. "q-sign-time=" + signTime,
  142. "q-key-time=" + keyTime,
  143. "q-header-list=" + strings.Join(signedHeaderList, ";"),
  144. "q-url-param-list=" + strings.Join(signedParameterList, ";"),
  145. "q-signature=" + signature,
  146. }, "&")
  147. }
  149. // genFormatString 生成 FormatString
  150. func genFormatString(method string, uri url.URL, formatParameters, formatHeaders string) string {
  151. formatMethod := strings.ToLower(method)
  152. formatURI := uri.Path
  154. return fmt.Sprintf("%s\n%s\n%s\n%s\n", formatMethod, formatURI,
  155. formatParameters, formatHeaders,
  156. )
  157. }
  159. // genFormatParameters 生成 FormatParameters 和 SignedParameterList
  160. func genFormatParameters(parameters url.Values) (formatParameters string, signedParameterList []string) {
  161. ps := url.Values{}
  162. for key, values := range parameters {
  163. for _, value := range values {
  164. key = strings.ToLower(key)
  165. ps.Add(key, value)
  166. signedParameterList = append(signedParameterList, key)
  167. }
  168. }
  169. //formatParameters = strings.ToLower(ps.Encode())
  170. formatParameters = ps.Encode()
  171. sort.Strings(signedParameterList)
  172. return
  173. }
  175. // genFormatHeaders 生成 FormatHeaders 和 SignedHeaderList
  176. func genFormatHeaders(headers http.Header) (formatHeaders string, signedHeaderList []string) {
  177. hs := url.Values{}
  178. for key, values := range headers {
  179. for _, value := range values {
  180. key = strings.ToLower(key)
  181. if isSignHeader(key) {
  182. hs.Add(key, value)
  183. signedHeaderList = append(signedHeaderList, key)
  184. }
  185. }
  186. }
  187. formatHeaders = hs.Encode()
  188. sort.Strings(signedHeaderList)
  189. return
  190. }
  192. // HMAC 签名
  193. func calHMACDigest(key, msg, signMethod string) []byte {
  194. var hashFunc func() hash.Hash
  195. switch signMethod {
  196. case "sha1":
  197. hashFunc = sha1.New
  198. default:
  199. hashFunc = sha1.New
  200. }
  201. h := hmac.New(hashFunc, []byte(key))
  202. h.Write([]byte(msg))
  203. return h.Sum(nil)
  204. }
  206. func isSignHeader(key string) bool {
  207. for k, v := range needSignHeaders {
  208. if key == k && v {
  209. return true
  210. }
  211. }
  212. return strings.HasPrefix(key, privateHeaderPrefix)
  213. }
  215. // AuthorizationTransport 给请求增加 Authorization header
  216. type AuthorizationTransport struct {
  217. SecretID string
  218. SecretKey string
  219. SessionToken string
  220. rwLocker sync.RWMutex
  221. // 签名多久过期
  222. Expire time.Duration
  223. Transport http.RoundTripper
  224. }
  226. // SetCredential update the SecretID(ak), SercretKey(sk), sessiontoken
  227. func (t *AuthorizationTransport) SetCredential(ak, sk, token string) {
  228. t.rwLocker.Lock()
  229. defer t.rwLocker.Unlock()
  230. t.SecretID = ak
  231. t.SecretKey = sk
  232. t.SessionToken = token
  233. }
  235. // GetCredential get the ak, sk, token
  236. func (t *AuthorizationTransport) GetCredential() (string, string, string) {
  237. t.rwLocker.RLock()
  238. defer t.rwLocker.RUnlock()
  239. return t.SecretID, t.SecretKey, t.SessionToken
  240. }
  242. // RoundTrip implements the RoundTripper interface.
  243. func (t *AuthorizationTransport) RoundTrip(req *http.Request) (*http.Response, error) {
  244. req = cloneRequest(req) // per RoundTrip contract
  245. if t.Expire == time.Duration(0) {
  246. t.Expire = defaultAuthExpire
  247. }
  249. ak, sk, token := t.GetCredential()
  250. // 增加 Authorization header
  251. authTime := NewAuthTime(t.Expire)
  252. AddAuthorizationHeader(ak, sk, token, req, authTime)
  254. resp, err := t.transport().RoundTrip(req)
  255. return resp, err
  256. }
  258. func (t *AuthorizationTransport) transport() http.RoundTripper {
  259. if t.Transport != nil {
  260. return t.Transport
  261. }
  262. return http.DefaultTransport
  263. }