diff options
author | Martin Kraft <martinkraft@gmail.com> | 2018-05-02 07:45:20 -0400 |
---|---|---|
committer | Martin Kraft <martinkraft@gmail.com> | 2018-05-02 07:45:20 -0400 |
commit | 7d5e85e4136b0e2e6cf902c48b186d99f0698d13 (patch) | |
tree | 84f7256de28eed0fd932f43532c218b385e09642 /vendor/github.com/minio/minio-go/pkg | |
parent | f4dcb4edf2aafca85c9af631131a77888da24bc7 (diff) | |
parent | 529807c1ba0c6b5e697d95d35b46865e22b0e62a (diff) | |
download | chat-7d5e85e4136b0e2e6cf902c48b186d99f0698d13.tar.gz chat-7d5e85e4136b0e2e6cf902c48b186d99f0698d13.tar.bz2 chat-7d5e85e4136b0e2e6cf902c48b186d99f0698d13.zip |
Merge remote-tracking branch 'origin/master' into advanced-permissions-phase-2
Diffstat (limited to 'vendor/github.com/minio/minio-go/pkg')
7 files changed, 216 insertions, 1291 deletions
diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go b/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go deleted file mode 100644 index b0f2d6e08..000000000 --- a/vendor/github.com/minio/minio-go/pkg/encrypt/cbc.go +++ /dev/null @@ -1,294 +0,0 @@ -/* - * Minio Go Library for Amazon S3 Compatible Cloud Storage - * Copyright 2017 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package encrypt - -import ( - "bytes" - "crypto/aes" - "crypto/cipher" - "crypto/rand" - "encoding/base64" - "errors" - "io" -) - -// Crypt mode - encryption or decryption -type cryptMode int - -const ( - encryptMode cryptMode = iota - decryptMode -) - -// CBCSecureMaterials encrypts/decrypts data using AES CBC algorithm -type CBCSecureMaterials struct { - - // Data stream to encrypt/decrypt - stream io.Reader - - // Last internal error - err error - - // End of file reached - eof bool - - // Holds initial data - srcBuf *bytes.Buffer - - // Holds transformed data (encrypted or decrypted) - dstBuf *bytes.Buffer - - // Encryption algorithm - encryptionKey Key - - // Key to encrypts/decrypts data - contentKey []byte - - // Encrypted form of contentKey - cryptedKey []byte - - // Initialization vector - iv []byte - - // matDesc - currently unused - matDesc []byte - - // Indicate if we are going to encrypt or decrypt - cryptMode cryptMode - - // Helper that encrypts/decrypts data - blockMode cipher.BlockMode -} - -// NewCBCSecureMaterials builds new CBC crypter module with -// the specified encryption key (symmetric or asymmetric) -func NewCBCSecureMaterials(key Key) (*CBCSecureMaterials, error) { - if key == nil { - return nil, errors.New("Unable to recognize empty encryption properties") - } - return &CBCSecureMaterials{ - srcBuf: bytes.NewBuffer([]byte{}), - dstBuf: bytes.NewBuffer([]byte{}), - encryptionKey: key, - matDesc: []byte("{}"), - }, nil - -} - -// Close implements closes the internal stream. -func (s *CBCSecureMaterials) Close() error { - closer, ok := s.stream.(io.Closer) - if ok { - return closer.Close() - } - return nil -} - -// SetupEncryptMode - tells CBC that we are going to encrypt data -func (s *CBCSecureMaterials) SetupEncryptMode(stream io.Reader) error { - // Set mode to encrypt - s.cryptMode = encryptMode - - // Set underlying reader - s.stream = stream - - s.eof = false - s.srcBuf.Reset() - s.dstBuf.Reset() - - var err error - - // Generate random content key - s.contentKey = make([]byte, aes.BlockSize*2) - if _, err := rand.Read(s.contentKey); err != nil { - return err - } - // Encrypt content key - s.cryptedKey, err = s.encryptionKey.Encrypt(s.contentKey) - if err != nil { - return err - } - // Generate random IV - s.iv = make([]byte, aes.BlockSize) - if _, err = rand.Read(s.iv); err != nil { - return err - } - // New cipher - encryptContentBlock, err := aes.NewCipher(s.contentKey) - if err != nil { - return err - } - - s.blockMode = cipher.NewCBCEncrypter(encryptContentBlock, s.iv) - - return nil -} - -// SetupDecryptMode - tells CBC that we are going to decrypt data -func (s *CBCSecureMaterials) SetupDecryptMode(stream io.Reader, iv string, key string) error { - // Set mode to decrypt - s.cryptMode = decryptMode - - // Set underlying reader - s.stream = stream - - // Reset - s.eof = false - s.srcBuf.Reset() - s.dstBuf.Reset() - - var err error - - // Get IV - s.iv, err = base64.StdEncoding.DecodeString(iv) - if err != nil { - return err - } - - // Get encrypted content key - s.cryptedKey, err = base64.StdEncoding.DecodeString(key) - if err != nil { - return err - } - - // Decrypt content key - s.contentKey, err = s.encryptionKey.Decrypt(s.cryptedKey) - if err != nil { - return err - } - - // New cipher - decryptContentBlock, err := aes.NewCipher(s.contentKey) - if err != nil { - return err - } - - s.blockMode = cipher.NewCBCDecrypter(decryptContentBlock, s.iv) - return nil -} - -// GetIV - return randomly generated IV (per S3 object), base64 encoded. -func (s *CBCSecureMaterials) GetIV() string { - return base64.StdEncoding.EncodeToString(s.iv) -} - -// GetKey - return content encrypting key (cek) in encrypted form, base64 encoded. -func (s *CBCSecureMaterials) GetKey() string { - return base64.StdEncoding.EncodeToString(s.cryptedKey) -} - -// GetDesc - user provided encryption material description in JSON (UTF8) format. -func (s *CBCSecureMaterials) GetDesc() string { - return string(s.matDesc) -} - -// Fill buf with encrypted/decrypted data -func (s *CBCSecureMaterials) Read(buf []byte) (n int, err error) { - // Always fill buf from bufChunk at the end of this function - defer func() { - if s.err != nil { - n, err = 0, s.err - } else { - n, err = s.dstBuf.Read(buf) - } - }() - - // Return - if s.eof { - return - } - - // Fill dest buffer if its length is less than buf - for !s.eof && s.dstBuf.Len() < len(buf) { - - srcPart := make([]byte, aes.BlockSize) - dstPart := make([]byte, aes.BlockSize) - - // Fill src buffer - for s.srcBuf.Len() < aes.BlockSize*2 { - _, err = io.CopyN(s.srcBuf, s.stream, aes.BlockSize) - if err != nil { - break - } - } - - // Quit immediately for errors other than io.EOF - if err != nil && err != io.EOF { - s.err = err - return - } - - // Mark current encrypting/decrypting as finished - s.eof = (err == io.EOF) - - if s.eof && s.cryptMode == encryptMode { - if srcPart, err = pkcs5Pad(s.srcBuf.Bytes(), aes.BlockSize); err != nil { - s.err = err - return - } - } else { - _, _ = s.srcBuf.Read(srcPart) - } - - // Crypt srcPart content - for len(srcPart) > 0 { - - // Crypt current part - s.blockMode.CryptBlocks(dstPart, srcPart[:aes.BlockSize]) - - // Unpad when this is the last part and we are decrypting - if s.eof && s.cryptMode == decryptMode { - dstPart, err = pkcs5Unpad(dstPart, aes.BlockSize) - if err != nil { - s.err = err - return - } - } - - // Send crypted data to dstBuf - if _, wErr := s.dstBuf.Write(dstPart); wErr != nil { - s.err = wErr - return - } - // Move to the next part - srcPart = srcPart[aes.BlockSize:] - } - } - return -} - -// Unpad a set of bytes following PKCS5 algorithm -func pkcs5Unpad(buf []byte, blockSize int) ([]byte, error) { - len := len(buf) - if len == 0 { - return nil, errors.New("buffer is empty") - } - pad := int(buf[len-1]) - if pad > len || pad > blockSize { - return nil, errors.New("invalid padding size") - } - return buf[:len-pad], nil -} - -// Pad a set of bytes following PKCS5 algorithm -func pkcs5Pad(buf []byte, blockSize int) ([]byte, error) { - len := len(buf) - pad := blockSize - (len % blockSize) - padText := bytes.Repeat([]byte{byte(pad)}, pad) - return append(buf, padText...), nil -} diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go b/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go deleted file mode 100644 index 482922ab7..000000000 --- a/vendor/github.com/minio/minio-go/pkg/encrypt/interface.go +++ /dev/null @@ -1,54 +0,0 @@ -/* - * Minio Go Library for Amazon S3 Compatible Cloud Storage - * Copyright 2017 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -// Package encrypt implements a generic interface to encrypt any stream of data. -// currently this package implements two types of encryption -// - Symmetric encryption using AES. -// - Asymmetric encrytion using RSA. -package encrypt - -import "io" - -// Materials - provides generic interface to encrypt any stream of data. -type Materials interface { - - // Closes the wrapped stream properly, initiated by the caller. - Close() error - - // Returns encrypted/decrypted data, io.Reader compatible. - Read(b []byte) (int, error) - - // Get randomly generated IV, base64 encoded. - GetIV() (iv string) - - // Get content encrypting key (cek) in encrypted form, base64 encoded. - GetKey() (key string) - - // Get user provided encryption material description in - // JSON (UTF8) format. This is not used, kept for future. - GetDesc() (desc string) - - // Setup encrypt mode, further calls of Read() function - // will return the encrypted form of data streamed - // by the passed reader - SetupEncryptMode(stream io.Reader) error - - // Setup decrypted mode, further calls of Read() function - // will return the decrypted form of data streamed - // by the passed reader - SetupDecryptMode(stream io.Reader, iv string, key string) error -} diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go b/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go deleted file mode 100644 index 0ed95f5ff..000000000 --- a/vendor/github.com/minio/minio-go/pkg/encrypt/keys.go +++ /dev/null @@ -1,166 +0,0 @@ -/* - * Minio Go Library for Amazon S3 Compatible Cloud Storage - * Copyright 2017 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package encrypt - -import ( - "crypto/aes" - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "errors" -) - -// Key - generic interface to encrypt/decrypt a key. -// We use it to encrypt/decrypt content key which is the key -// that encrypt/decrypt object data. -type Key interface { - // Encrypt data using to the set encryption key - Encrypt([]byte) ([]byte, error) - // Decrypt data using to the set encryption key - Decrypt([]byte) ([]byte, error) -} - -// SymmetricKey - encrypts data with a symmetric master key -type SymmetricKey struct { - masterKey []byte -} - -// Encrypt passed bytes -func (s *SymmetricKey) Encrypt(plain []byte) ([]byte, error) { - // Initialize an AES encryptor using a master key - keyBlock, err := aes.NewCipher(s.masterKey) - if err != nil { - return []byte{}, err - } - - // Pad the key before encryption - plain, _ = pkcs5Pad(plain, aes.BlockSize) - - encKey := []byte{} - encPart := make([]byte, aes.BlockSize) - - // Encrypt the passed key by block - for { - if len(plain) < aes.BlockSize { - break - } - // Encrypt the passed key - keyBlock.Encrypt(encPart, plain[:aes.BlockSize]) - // Add the encrypted block to the total encrypted key - encKey = append(encKey, encPart...) - // Pass to the next plain block - plain = plain[aes.BlockSize:] - } - return encKey, nil -} - -// Decrypt passed bytes -func (s *SymmetricKey) Decrypt(cipher []byte) ([]byte, error) { - // Initialize AES decrypter - keyBlock, err := aes.NewCipher(s.masterKey) - if err != nil { - return nil, err - } - - var plain []byte - plainPart := make([]byte, aes.BlockSize) - - // Decrypt the encrypted data block by block - for { - if len(cipher) < aes.BlockSize { - break - } - keyBlock.Decrypt(plainPart, cipher[:aes.BlockSize]) - // Add the decrypted block to the total result - plain = append(plain, plainPart...) - // Pass to the next cipher block - cipher = cipher[aes.BlockSize:] - } - - // Unpad the resulted plain data - plain, err = pkcs5Unpad(plain, aes.BlockSize) - if err != nil { - return nil, err - } - - return plain, nil -} - -// NewSymmetricKey generates a new encrypt/decrypt crypto using -// an AES master key password -func NewSymmetricKey(b []byte) *SymmetricKey { - return &SymmetricKey{masterKey: b} -} - -// AsymmetricKey - struct which encrypts/decrypts data -// using RSA public/private certificates -type AsymmetricKey struct { - publicKey *rsa.PublicKey - privateKey *rsa.PrivateKey -} - -// Encrypt data using public key -func (a *AsymmetricKey) Encrypt(plain []byte) ([]byte, error) { - cipher, err := rsa.EncryptPKCS1v15(rand.Reader, a.publicKey, plain) - if err != nil { - return nil, err - } - return cipher, nil -} - -// Decrypt data using public key -func (a *AsymmetricKey) Decrypt(cipher []byte) ([]byte, error) { - cipher, err := rsa.DecryptPKCS1v15(rand.Reader, a.privateKey, cipher) - if err != nil { - return nil, err - } - return cipher, nil -} - -// NewAsymmetricKey - generates a crypto module able to encrypt/decrypt -// data using a pair for private and public key -func NewAsymmetricKey(privData []byte, pubData []byte) (*AsymmetricKey, error) { - // Parse private key from passed data - priv, err := x509.ParsePKCS8PrivateKey(privData) - if err != nil { - return nil, err - } - privKey, ok := priv.(*rsa.PrivateKey) - if !ok { - return nil, errors.New("not a valid private key") - } - - // Parse public key from passed data - pub, err := x509.ParsePKIXPublicKey(pubData) - if err != nil { - return nil, err - } - - pubKey, ok := pub.(*rsa.PublicKey) - if !ok { - return nil, errors.New("not a valid public key") - } - - // Associate the private key with the passed public key - privKey.PublicKey = *pubKey - - return &AsymmetricKey{ - publicKey: pubKey, - privateKey: privKey, - }, nil -} diff --git a/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go b/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go new file mode 100644 index 000000000..2d3c70f00 --- /dev/null +++ b/vendor/github.com/minio/minio-go/pkg/encrypt/server-side.go @@ -0,0 +1,195 @@ +/* + * Minio Go Library for Amazon S3 Compatible Cloud Storage + * Copyright 2018 Minio, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package encrypt + +import ( + "crypto/md5" + "encoding/base64" + "encoding/json" + "errors" + "net/http" + + "golang.org/x/crypto/argon2" +) + +const ( + // sseGenericHeader is the AWS SSE header used for SSE-S3 and SSE-KMS. + sseGenericHeader = "X-Amz-Server-Side-Encryption" + + // sseKmsKeyID is the AWS SSE-KMS key id. + sseKmsKeyID = sseGenericHeader + "-Aws-Kms-Key-Id" + // sseEncryptionContext is the AWS SSE-KMS Encryption Context data. + sseEncryptionContext = sseGenericHeader + "-Encryption-Context" + + // sseCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key. + sseCustomerAlgorithm = sseGenericHeader + "-Customer-Algorithm" + // sseCustomerKey is the AWS SSE-C encryption key HTTP header key. + sseCustomerKey = sseGenericHeader + "-Customer-Key" + // sseCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key. + sseCustomerKeyMD5 = sseGenericHeader + "-Customer-Key-MD5" + + // sseCopyCustomerAlgorithm is the AWS SSE-C algorithm HTTP header key for CopyObject API. + sseCopyCustomerAlgorithm = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm" + // sseCopyCustomerKey is the AWS SSE-C encryption key HTTP header key for CopyObject API. + sseCopyCustomerKey = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key" + // sseCopyCustomerKeyMD5 is the AWS SSE-C encryption key MD5 HTTP header key for CopyObject API. + sseCopyCustomerKeyMD5 = "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-MD5" +) + +// PBKDF creates a SSE-C key from the provided password and salt. +// PBKDF is a password-based key derivation function +// which can be used to derive a high-entropy cryptographic +// key from a low-entropy password and a salt. +type PBKDF func(password, salt []byte) ServerSide + +// DefaultPBKDF is the default PBKDF. It uses Argon2id with the +// recommended parameters from the RFC draft (1 pass, 64 MB memory, 4 threads). +var DefaultPBKDF PBKDF = func(password, salt []byte) ServerSide { + sse := ssec{} + copy(sse[:], argon2.IDKey(password, salt, 1, 64*1024, 4, 32)) + return sse +} + +// Type is the server-side-encryption method. It represents one of +// the following encryption methods: +// - SSE-C: server-side-encryption with customer provided keys +// - KMS: server-side-encryption with managed keys +// - S3: server-side-encryption using S3 storage encryption +type Type string + +const ( + // SSEC represents server-side-encryption with customer provided keys + SSEC Type = "SSE-C" + // KMS represents server-side-encryption with managed keys + KMS Type = "KMS" + // S3 represents server-side-encryption using S3 storage encryption + S3 Type = "S3" +) + +// ServerSide is a form of S3 server-side-encryption. +type ServerSide interface { + // Type returns the server-side-encryption method. + Type() Type + + // Marshal adds encryption headers to the provided HTTP headers. + // It marks an HTTP request as server-side-encryption request + // and inserts the required data into the headers. + Marshal(h http.Header) +} + +// NewSSE returns a server-side-encryption using S3 storage encryption. +// Using SSE-S3 the server will encrypt the object with server-managed keys. +func NewSSE() ServerSide { return s3{} } + +// NewSSEKMS returns a new server-side-encryption using SSE-KMS and the provided Key Id and context. +func NewSSEKMS(keyID string, context interface{}) (ServerSide, error) { + if context == nil { + return kms{key: keyID, hasContext: false}, nil + } + serializedContext, err := json.Marshal(context) + if err != nil { + return nil, err + } + return kms{key: keyID, context: serializedContext, hasContext: true}, nil +} + +// NewSSEC returns a new server-side-encryption using SSE-C and the provided key. +// The key must be 32 bytes long. +func NewSSEC(key []byte) (ServerSide, error) { + if len(key) != 32 { + return nil, errors.New("encrypt: SSE-C key must be 256 bit long") + } + sse := ssec{} + copy(sse[:], key) + return sse, nil +} + +// SSE transforms a SSE-C copy encryption into a SSE-C encryption. +// It is the inverse of SSECopy(...). +// +// If the provided sse is no SSE-C copy encryption SSE returns +// sse unmodified. +func SSE(sse ServerSide) ServerSide { + if sse == nil || sse.Type() != SSEC { + return sse + } + if sse, ok := sse.(ssecCopy); ok { + return ssec(sse) + } + return sse +} + +// SSECopy transforms a SSE-C encryption into a SSE-C copy +// encryption. This is required for SSE-C key rotation or a SSE-C +// copy where the source and the destination should be encrypted. +// +// If the provided sse is no SSE-C encryption SSECopy returns +// sse unmodified. +func SSECopy(sse ServerSide) ServerSide { + if sse == nil || sse.Type() != SSEC { + return sse + } + if sse, ok := sse.(ssec); ok { + return ssecCopy(sse) + } + return sse +} + +type ssec [32]byte + +func (s ssec) Type() Type { return SSEC } + +func (s ssec) Marshal(h http.Header) { + keyMD5 := md5.Sum(s[:]) + h.Set(sseCustomerAlgorithm, "AES256") + h.Set(sseCustomerKey, base64.StdEncoding.EncodeToString(s[:])) + h.Set(sseCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:])) +} + +type ssecCopy [32]byte + +func (s ssecCopy) Type() Type { return SSEC } + +func (s ssecCopy) Marshal(h http.Header) { + keyMD5 := md5.Sum(s[:]) + h.Set(sseCopyCustomerAlgorithm, "AES256") + h.Set(sseCopyCustomerKey, base64.StdEncoding.EncodeToString(s[:])) + h.Set(sseCopyCustomerKeyMD5, base64.StdEncoding.EncodeToString(keyMD5[:])) +} + +type s3 struct{} + +func (s s3) Type() Type { return S3 } + +func (s s3) Marshal(h http.Header) { h.Set(sseGenericHeader, "AES256") } + +type kms struct { + key string + context []byte + hasContext bool +} + +func (s kms) Type() Type { return KMS } + +func (s kms) Marshal(h http.Header) { + h.Set(sseGenericHeader, "aws:kms") + h.Set(sseKmsKeyID, s.key) + if s.hasContext { + h.Set(sseEncryptionContext, base64.StdEncoding.EncodeToString(s.context)) + } +} diff --git a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go deleted file mode 100644 index 737b810ac..000000000 --- a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy-condition.go +++ /dev/null @@ -1,116 +0,0 @@ -/* - * Minio Go Library for Amazon S3 Compatible Cloud Storage - * Copyright 2015-2017 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package policy - -import "github.com/minio/minio-go/pkg/set" - -// ConditionKeyMap - map of policy condition key and value. -type ConditionKeyMap map[string]set.StringSet - -// Add - adds key and value. The value is appended If key already exists. -func (ckm ConditionKeyMap) Add(key string, value set.StringSet) { - if v, ok := ckm[key]; ok { - ckm[key] = v.Union(value) - } else { - ckm[key] = set.CopyStringSet(value) - } -} - -// Remove - removes value of given key. If key has empty after removal, the key is also removed. -func (ckm ConditionKeyMap) Remove(key string, value set.StringSet) { - if v, ok := ckm[key]; ok { - if value != nil { - ckm[key] = v.Difference(value) - } - - if ckm[key].IsEmpty() { - delete(ckm, key) - } - } -} - -// RemoveKey - removes key and its value. -func (ckm ConditionKeyMap) RemoveKey(key string) { - if _, ok := ckm[key]; ok { - delete(ckm, key) - } -} - -// CopyConditionKeyMap - returns new copy of given ConditionKeyMap. -func CopyConditionKeyMap(condKeyMap ConditionKeyMap) ConditionKeyMap { - out := make(ConditionKeyMap) - - for k, v := range condKeyMap { - out[k] = set.CopyStringSet(v) - } - - return out -} - -// mergeConditionKeyMap - returns a new ConditionKeyMap which contains merged key/value of given two ConditionKeyMap. -func mergeConditionKeyMap(condKeyMap1 ConditionKeyMap, condKeyMap2 ConditionKeyMap) ConditionKeyMap { - out := CopyConditionKeyMap(condKeyMap1) - - for k, v := range condKeyMap2 { - if ev, ok := out[k]; ok { - out[k] = ev.Union(v) - } else { - out[k] = set.CopyStringSet(v) - } - } - - return out -} - -// ConditionMap - map of condition and conditional values. -type ConditionMap map[string]ConditionKeyMap - -// Add - adds condition key and condition value. The value is appended if key already exists. -func (cond ConditionMap) Add(condKey string, condKeyMap ConditionKeyMap) { - if v, ok := cond[condKey]; ok { - cond[condKey] = mergeConditionKeyMap(v, condKeyMap) - } else { - cond[condKey] = CopyConditionKeyMap(condKeyMap) - } -} - -// Remove - removes condition key and its value. -func (cond ConditionMap) Remove(condKey string) { - if _, ok := cond[condKey]; ok { - delete(cond, condKey) - } -} - -// mergeConditionMap - returns new ConditionMap which contains merged key/value of two ConditionMap. -func mergeConditionMap(condMap1 ConditionMap, condMap2 ConditionMap) ConditionMap { - out := make(ConditionMap) - - for k, v := range condMap1 { - out[k] = CopyConditionKeyMap(v) - } - - for k, v := range condMap2 { - if ev, ok := out[k]; ok { - out[k] = mergeConditionKeyMap(ev, v) - } else { - out[k] = CopyConditionKeyMap(v) - } - } - - return out -} diff --git a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go b/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go deleted file mode 100644 index 9dda99efc..000000000 --- a/vendor/github.com/minio/minio-go/pkg/policy/bucket-policy.go +++ /dev/null @@ -1,635 +0,0 @@ -/* - * Minio Go Library for Amazon S3 Compatible Cloud Storage - * Copyright 2015-2017 Minio, Inc. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package policy - -import ( - "reflect" - "strings" - - "github.com/minio/minio-go/pkg/set" -) - -// BucketPolicy - Bucket level policy. -type BucketPolicy string - -// Different types of Policies currently supported for buckets. -const ( - BucketPolicyNone BucketPolicy = "none" - BucketPolicyReadOnly = "readonly" - BucketPolicyReadWrite = "readwrite" - BucketPolicyWriteOnly = "writeonly" -) - -// IsValidBucketPolicy - returns true if policy is valid and supported, false otherwise. -func (p BucketPolicy) IsValidBucketPolicy() bool { - switch p { - case BucketPolicyNone, BucketPolicyReadOnly, BucketPolicyReadWrite, BucketPolicyWriteOnly: - return true - } - return false -} - -// Resource prefix for all aws resources. -const awsResourcePrefix = "arn:aws:s3:::" - -// Common bucket actions for both read and write policies. -var commonBucketActions = set.CreateStringSet("s3:GetBucketLocation") - -// Read only bucket actions. -var readOnlyBucketActions = set.CreateStringSet("s3:ListBucket") - -// Write only bucket actions. -var writeOnlyBucketActions = set.CreateStringSet("s3:ListBucketMultipartUploads") - -// Read only object actions. -var readOnlyObjectActions = set.CreateStringSet("s3:GetObject") - -// Write only object actions. -var writeOnlyObjectActions = set.CreateStringSet("s3:AbortMultipartUpload", "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:PutObject") - -// Read and write object actions. -var readWriteObjectActions = readOnlyObjectActions.Union(writeOnlyObjectActions) - -// All valid bucket and object actions. -var validActions = commonBucketActions. - Union(readOnlyBucketActions). - Union(writeOnlyBucketActions). - Union(readOnlyObjectActions). - Union(writeOnlyObjectActions) - -var startsWithFunc = func(resource string, resourcePrefix string) bool { - return strings.HasPrefix(resource, resourcePrefix) -} - -// User - canonical users list. -type User struct { - AWS set.StringSet `json:"AWS,omitempty"` - CanonicalUser set.StringSet `json:"CanonicalUser,omitempty"` -} - -// Statement - minio policy statement -type Statement struct { - Actions set.StringSet `json:"Action"` - Conditions ConditionMap `json:"Condition,omitempty"` - Effect string - Principal User `json:"Principal"` - Resources set.StringSet `json:"Resource"` - Sid string -} - -// BucketAccessPolicy - minio policy collection -type BucketAccessPolicy struct { - Version string // date in YYYY-MM-DD format - Statements []Statement `json:"Statement"` -} - -// isValidStatement - returns whether given statement is valid to process for given bucket name. -func isValidStatement(statement Statement, bucketName string) bool { - if statement.Actions.Intersection(validActions).IsEmpty() { - return false - } - - if statement.Effect != "Allow" { - return false - } - - if statement.Principal.AWS == nil || !statement.Principal.AWS.Contains("*") { - return false - } - - bucketResource := awsResourcePrefix + bucketName - if statement.Resources.Contains(bucketResource) { - return true - } - - if statement.Resources.FuncMatch(startsWithFunc, bucketResource+"/").IsEmpty() { - return false - } - - return true -} - -// Returns new statements with bucket actions for given policy. -func newBucketStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) { - statements = []Statement{} - if policy == BucketPolicyNone || bucketName == "" { - return statements - } - - bucketResource := set.CreateStringSet(awsResourcePrefix + bucketName) - - statement := Statement{ - Actions: commonBucketActions, - Effect: "Allow", - Principal: User{AWS: set.CreateStringSet("*")}, - Resources: bucketResource, - Sid: "", - } - statements = append(statements, statement) - - if policy == BucketPolicyReadOnly || policy == BucketPolicyReadWrite { - statement = Statement{ - Actions: readOnlyBucketActions, - Effect: "Allow", - Principal: User{AWS: set.CreateStringSet("*")}, - Resources: bucketResource, - Sid: "", - } - if prefix != "" { - condKeyMap := make(ConditionKeyMap) - condKeyMap.Add("s3:prefix", set.CreateStringSet(prefix)) - condMap := make(ConditionMap) - condMap.Add("StringEquals", condKeyMap) - statement.Conditions = condMap - } - statements = append(statements, statement) - } - - if policy == BucketPolicyWriteOnly || policy == BucketPolicyReadWrite { - statement = Statement{ - Actions: writeOnlyBucketActions, - Effect: "Allow", - Principal: User{AWS: set.CreateStringSet("*")}, - Resources: bucketResource, - Sid: "", - } - statements = append(statements, statement) - } - - return statements -} - -// Returns new statements contains object actions for given policy. -func newObjectStatement(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) { - statements = []Statement{} - if policy == BucketPolicyNone || bucketName == "" { - return statements - } - - statement := Statement{ - Effect: "Allow", - Principal: User{AWS: set.CreateStringSet("*")}, - Resources: set.CreateStringSet(awsResourcePrefix + bucketName + "/" + prefix + "*"), - Sid: "", - } - - if policy == BucketPolicyReadOnly { - statement.Actions = readOnlyObjectActions - } else if policy == BucketPolicyWriteOnly { - statement.Actions = writeOnlyObjectActions - } else if policy == BucketPolicyReadWrite { - statement.Actions = readWriteObjectActions - } - - statements = append(statements, statement) - return statements -} - -// Returns new statements for given policy, bucket and prefix. -func newStatements(policy BucketPolicy, bucketName string, prefix string) (statements []Statement) { - statements = []Statement{} - ns := newBucketStatement(policy, bucketName, prefix) - statements = append(statements, ns...) - - ns = newObjectStatement(policy, bucketName, prefix) - statements = append(statements, ns...) - - return statements -} - -// Returns whether given bucket statements are used by other than given prefix statements. -func getInUsePolicy(statements []Statement, bucketName string, prefix string) (readOnlyInUse, writeOnlyInUse bool) { - resourcePrefix := awsResourcePrefix + bucketName + "/" - objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*" - - for _, s := range statements { - if !s.Resources.Contains(objectResource) && !s.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() { - if s.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) { - readOnlyInUse = true - } - - if s.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) { - writeOnlyInUse = true - } - } - if readOnlyInUse && writeOnlyInUse { - break - } - } - - return readOnlyInUse, writeOnlyInUse -} - -// Removes object actions in given statement. -func removeObjectActions(statement Statement, objectResource string) Statement { - if statement.Conditions == nil { - if len(statement.Resources) > 1 { - statement.Resources.Remove(objectResource) - } else { - statement.Actions = statement.Actions.Difference(readOnlyObjectActions) - statement.Actions = statement.Actions.Difference(writeOnlyObjectActions) - } - } - - return statement -} - -// Removes bucket actions for given policy in given statement. -func removeBucketActions(statement Statement, prefix string, bucketResource string, readOnlyInUse, writeOnlyInUse bool) Statement { - removeReadOnly := func() { - if !statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) { - return - } - - if statement.Conditions == nil { - statement.Actions = statement.Actions.Difference(readOnlyBucketActions) - return - } - - if prefix != "" { - stringEqualsValue := statement.Conditions["StringEquals"] - values := set.NewStringSet() - if stringEqualsValue != nil { - values = stringEqualsValue["s3:prefix"] - if values == nil { - values = set.NewStringSet() - } - } - - values.Remove(prefix) - - if stringEqualsValue != nil { - if values.IsEmpty() { - delete(stringEqualsValue, "s3:prefix") - } - if len(stringEqualsValue) == 0 { - delete(statement.Conditions, "StringEquals") - } - } - - if len(statement.Conditions) == 0 { - statement.Conditions = nil - statement.Actions = statement.Actions.Difference(readOnlyBucketActions) - } - } - } - - removeWriteOnly := func() { - if statement.Conditions == nil { - statement.Actions = statement.Actions.Difference(writeOnlyBucketActions) - } - } - - if len(statement.Resources) > 1 { - statement.Resources.Remove(bucketResource) - } else { - if !readOnlyInUse { - removeReadOnly() - } - - if !writeOnlyInUse { - removeWriteOnly() - } - } - - return statement -} - -// Returns statements containing removed actions/statements for given -// policy, bucket name and prefix. -func removeStatements(statements []Statement, bucketName string, prefix string) []Statement { - bucketResource := awsResourcePrefix + bucketName - objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*" - readOnlyInUse, writeOnlyInUse := getInUsePolicy(statements, bucketName, prefix) - - out := []Statement{} - readOnlyBucketStatements := []Statement{} - s3PrefixValues := set.NewStringSet() - - for _, statement := range statements { - if !isValidStatement(statement, bucketName) { - out = append(out, statement) - continue - } - - if statement.Resources.Contains(bucketResource) { - if statement.Conditions != nil { - statement = removeBucketActions(statement, prefix, bucketResource, false, false) - } else { - statement = removeBucketActions(statement, prefix, bucketResource, readOnlyInUse, writeOnlyInUse) - } - } else if statement.Resources.Contains(objectResource) { - statement = removeObjectActions(statement, objectResource) - } - - if !statement.Actions.IsEmpty() { - if statement.Resources.Contains(bucketResource) && - statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) && - statement.Effect == "Allow" && - statement.Principal.AWS.Contains("*") { - - if statement.Conditions != nil { - stringEqualsValue := statement.Conditions["StringEquals"] - values := set.NewStringSet() - if stringEqualsValue != nil { - values = stringEqualsValue["s3:prefix"] - if values == nil { - values = set.NewStringSet() - } - } - s3PrefixValues = s3PrefixValues.Union(values.ApplyFunc(func(v string) string { - return bucketResource + "/" + v + "*" - })) - } else if !s3PrefixValues.IsEmpty() { - readOnlyBucketStatements = append(readOnlyBucketStatements, statement) - continue - } - } - out = append(out, statement) - } - } - - skipBucketStatement := true - resourcePrefix := awsResourcePrefix + bucketName + "/" - for _, statement := range out { - if !statement.Resources.FuncMatch(startsWithFunc, resourcePrefix).IsEmpty() && - s3PrefixValues.Intersection(statement.Resources).IsEmpty() { - skipBucketStatement = false - break - } - } - - for _, statement := range readOnlyBucketStatements { - if skipBucketStatement && - statement.Resources.Contains(bucketResource) && - statement.Effect == "Allow" && - statement.Principal.AWS.Contains("*") && - statement.Conditions == nil { - continue - } - - out = append(out, statement) - } - - if len(out) == 1 { - statement := out[0] - if statement.Resources.Contains(bucketResource) && - statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) && - statement.Effect == "Allow" && - statement.Principal.AWS.Contains("*") && - statement.Conditions == nil { - out = []Statement{} - } - } - - return out -} - -// Appends given statement into statement list to have unique statements. -// - If statement already exists in statement list, it ignores. -// - If statement exists with different conditions, they are merged. -// - Else the statement is appended to statement list. -func appendStatement(statements []Statement, statement Statement) []Statement { - for i, s := range statements { - if s.Actions.Equals(statement.Actions) && - s.Effect == statement.Effect && - s.Principal.AWS.Equals(statement.Principal.AWS) && - reflect.DeepEqual(s.Conditions, statement.Conditions) { - statements[i].Resources = s.Resources.Union(statement.Resources) - return statements - } else if s.Resources.Equals(statement.Resources) && - s.Effect == statement.Effect && - s.Principal.AWS.Equals(statement.Principal.AWS) && - reflect.DeepEqual(s.Conditions, statement.Conditions) { - statements[i].Actions = s.Actions.Union(statement.Actions) - return statements - } - - if s.Resources.Intersection(statement.Resources).Equals(statement.Resources) && - s.Actions.Intersection(statement.Actions).Equals(statement.Actions) && - s.Effect == statement.Effect && - s.Principal.AWS.Intersection(statement.Principal.AWS).Equals(statement.Principal.AWS) { - if reflect.DeepEqual(s.Conditions, statement.Conditions) { - return statements - } - if s.Conditions != nil && statement.Conditions != nil { - if s.Resources.Equals(statement.Resources) { - statements[i].Conditions = mergeConditionMap(s.Conditions, statement.Conditions) - return statements - } - } - } - } - - if !(statement.Actions.IsEmpty() && statement.Resources.IsEmpty()) { - return append(statements, statement) - } - - return statements -} - -// Appends two statement lists. -func appendStatements(statements []Statement, appendStatements []Statement) []Statement { - for _, s := range appendStatements { - statements = appendStatement(statements, s) - } - - return statements -} - -// Returns policy of given bucket statement. -func getBucketPolicy(statement Statement, prefix string) (commonFound, readOnly, writeOnly bool) { - if !(statement.Effect == "Allow" && statement.Principal.AWS.Contains("*")) { - return commonFound, readOnly, writeOnly - } - - if statement.Actions.Intersection(commonBucketActions).Equals(commonBucketActions) && - statement.Conditions == nil { - commonFound = true - } - - if statement.Actions.Intersection(writeOnlyBucketActions).Equals(writeOnlyBucketActions) && - statement.Conditions == nil { - writeOnly = true - } - - if statement.Actions.Intersection(readOnlyBucketActions).Equals(readOnlyBucketActions) { - if prefix != "" && statement.Conditions != nil { - if stringEqualsValue, ok := statement.Conditions["StringEquals"]; ok { - if s3PrefixValues, ok := stringEqualsValue["s3:prefix"]; ok { - if s3PrefixValues.Contains(prefix) { - readOnly = true - } - } - } else if stringNotEqualsValue, ok := statement.Conditions["StringNotEquals"]; ok { - if s3PrefixValues, ok := stringNotEqualsValue["s3:prefix"]; ok { - if !s3PrefixValues.Contains(prefix) { - readOnly = true - } - } - } - } else if prefix == "" && statement.Conditions == nil { - readOnly = true - } else if prefix != "" && statement.Conditions == nil { - readOnly = true - } - } - - return commonFound, readOnly, writeOnly -} - -// Returns policy of given object statement. -func getObjectPolicy(statement Statement) (readOnly bool, writeOnly bool) { - if statement.Effect == "Allow" && - statement.Principal.AWS.Contains("*") && - statement.Conditions == nil { - if statement.Actions.Intersection(readOnlyObjectActions).Equals(readOnlyObjectActions) { - readOnly = true - } - if statement.Actions.Intersection(writeOnlyObjectActions).Equals(writeOnlyObjectActions) { - writeOnly = true - } - } - - return readOnly, writeOnly -} - -// GetPolicy - Returns policy of given bucket name, prefix in given statements. -func GetPolicy(statements []Statement, bucketName string, prefix string) BucketPolicy { - bucketResource := awsResourcePrefix + bucketName - objectResource := awsResourcePrefix + bucketName + "/" + prefix + "*" - - bucketCommonFound := false - bucketReadOnly := false - bucketWriteOnly := false - matchedResource := "" - objReadOnly := false - objWriteOnly := false - - for _, s := range statements { - matchedObjResources := set.NewStringSet() - if s.Resources.Contains(objectResource) { - matchedObjResources.Add(objectResource) - } else { - matchedObjResources = s.Resources.FuncMatch(resourceMatch, objectResource) - } - - if !matchedObjResources.IsEmpty() { - readOnly, writeOnly := getObjectPolicy(s) - for resource := range matchedObjResources { - if len(matchedResource) < len(resource) { - objReadOnly = readOnly - objWriteOnly = writeOnly - matchedResource = resource - } else if len(matchedResource) == len(resource) { - objReadOnly = objReadOnly || readOnly - objWriteOnly = objWriteOnly || writeOnly - matchedResource = resource - } - } - } else if s.Resources.Contains(bucketResource) { - commonFound, readOnly, writeOnly := getBucketPolicy(s, prefix) - bucketCommonFound = bucketCommonFound || commonFound - bucketReadOnly = bucketReadOnly || readOnly - bucketWriteOnly = bucketWriteOnly || writeOnly - } - } - - policy := BucketPolicyNone - if bucketCommonFound { - if bucketReadOnly && bucketWriteOnly && objReadOnly && objWriteOnly { - policy = BucketPolicyReadWrite - } else if bucketReadOnly && objReadOnly { - policy = BucketPolicyReadOnly - } else if bucketWriteOnly && objWriteOnly { - policy = BucketPolicyWriteOnly - } - } - - return policy -} - -// GetPolicies - returns a map of policies rules of given bucket name, prefix in given statements. -func GetPolicies(statements []Statement, bucketName string) map[string]BucketPolicy { - policyRules := map[string]BucketPolicy{} - objResources := set.NewStringSet() - // Search all resources related to objects policy - for _, s := range statements { - for r := range s.Resources { - if strings.HasPrefix(r, awsResourcePrefix+bucketName+"/") { - objResources.Add(r) - } - } - } - // Pretend that policy resource as an actual object and fetch its policy - for r := range objResources { - // Put trailing * if exists in asterisk - asterisk := "" - if strings.HasSuffix(r, "*") { - r = r[:len(r)-1] - asterisk = "*" - } - objectPath := r[len(awsResourcePrefix+bucketName)+1:] - p := GetPolicy(statements, bucketName, objectPath) - policyRules[bucketName+"/"+objectPath+asterisk] = p - } - return policyRules -} - -// SetPolicy - Returns new statements containing policy of given bucket name and prefix are appended. -func SetPolicy(statements []Statement, policy BucketPolicy, bucketName string, prefix string) []Statement { - out := removeStatements(statements, bucketName, prefix) - // fmt.Println("out = ") - // printstatement(out) - ns := newStatements(policy, bucketName, prefix) - // fmt.Println("ns = ") - // printstatement(ns) - - rv := appendStatements(out, ns) - // fmt.Println("rv = ") - // printstatement(rv) - - return rv -} - -// Match function matches wild cards in 'pattern' for resource. -func resourceMatch(pattern, resource string) bool { - if pattern == "" { - return resource == pattern - } - if pattern == "*" { - return true - } - parts := strings.Split(pattern, "*") - if len(parts) == 1 { - return resource == pattern - } - tGlob := strings.HasSuffix(pattern, "*") - end := len(parts) - 1 - if !strings.HasPrefix(resource, parts[0]) { - return false - } - for i := 1; i < end; i++ { - if !strings.Contains(resource, parts[i]) { - return false - } - idx := strings.Index(resource, parts[i]) + len(parts[i]) - resource = resource[idx:] - } - return tGlob || strings.HasSuffix(resource, parts[end]) -} diff --git a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go index 0b90c41f6..b4070938e 100644 --- a/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go +++ b/vendor/github.com/minio/minio-go/pkg/s3signer/request-signature-v2.go @@ -25,7 +25,6 @@ import ( "fmt" "net/http" "net/url" - "path/filepath" "sort" "strconv" "strings" @@ -40,21 +39,17 @@ const ( ) // Encode input URL path to URL encoded path. -func encodeURL2Path(req *http.Request) (path string) { - reqHost := getHostAddr(req) - // Encode URL path. - if isS3, _ := filepath.Match("*.s3*.amazonaws.com", reqHost); isS3 { - bucketName := reqHost[:strings.LastIndex(reqHost, ".s3")] - path = "/" + bucketName - path += req.URL.Path - path = s3utils.EncodePath(path) - return - } - if strings.HasSuffix(reqHost, ".storage.googleapis.com") { - path = "/" + strings.TrimSuffix(reqHost, ".storage.googleapis.com") - path += req.URL.Path - path = s3utils.EncodePath(path) - return +func encodeURL2Path(req *http.Request, virtualHost bool) (path string) { + if virtualHost { + reqHost := getHostAddr(req) + dotPos := strings.Index(reqHost, ".") + if dotPos > -1 { + bucketName := reqHost[:dotPos] + path = "/" + bucketName + path += req.URL.Path + path = s3utils.EncodePath(path) + return + } } path = s3utils.EncodePath(req.URL.Path) return @@ -62,7 +57,7 @@ func encodeURL2Path(req *http.Request) (path string) { // PreSignV2 - presign the request in following style. // https://${S3_BUCKET}.s3.amazonaws.com/${S3_OBJECT}?AWSAccessKeyId=${S3_ACCESS_KEY}&Expires=${TIMESTAMP}&Signature=${SIGNATURE}. -func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64) *http.Request { +func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires int64, virtualHost bool) *http.Request { // Presign is not needed for anonymous credentials. if accessKeyID == "" || secretAccessKey == "" { return &req @@ -78,7 +73,7 @@ func PreSignV2(req http.Request, accessKeyID, secretAccessKey string, expires in } // Get presigned string to sign. - stringToSign := preStringToSignV2(req) + stringToSign := preStringToSignV2(req, virtualHost) hm := hmac.New(sha1.New, []byte(secretAccessKey)) hm.Write([]byte(stringToSign)) @@ -132,7 +127,7 @@ func PostPresignSignatureV2(policyBase64, secretAccessKey string) string { // CanonicalizedProtocolHeaders = <described below> // SignV2 sign the request before Do() (AWS Signature Version 2). -func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request { +func SignV2(req http.Request, accessKeyID, secretAccessKey string, virtualHost bool) *http.Request { // Signature calculation is not needed for anonymous credentials. if accessKeyID == "" || secretAccessKey == "" { return &req @@ -147,7 +142,7 @@ func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request } // Calculate HMAC for secretAccessKey. - stringToSign := stringToSignV2(req) + stringToSign := stringToSignV2(req, virtualHost) hm := hmac.New(sha1.New, []byte(secretAccessKey)) hm.Write([]byte(stringToSign)) @@ -172,14 +167,14 @@ func SignV2(req http.Request, accessKeyID, secretAccessKey string) *http.Request // Expires + "\n" + // CanonicalizedProtocolHeaders + // CanonicalizedResource; -func preStringToSignV2(req http.Request) string { +func preStringToSignV2(req http.Request, virtualHost bool) string { buf := new(bytes.Buffer) // Write standard headers. writePreSignV2Headers(buf, req) // Write canonicalized protocol headers if any. writeCanonicalizedHeaders(buf, req) // Write canonicalized Query resources if any. - writeCanonicalizedResource(buf, req) + writeCanonicalizedResource(buf, req, virtualHost) return buf.String() } @@ -199,14 +194,14 @@ func writePreSignV2Headers(buf *bytes.Buffer, req http.Request) { // Date + "\n" + // CanonicalizedProtocolHeaders + // CanonicalizedResource; -func stringToSignV2(req http.Request) string { +func stringToSignV2(req http.Request, virtualHost bool) string { buf := new(bytes.Buffer) // Write standard headers. writeSignV2Headers(buf, req) // Write canonicalized protocol headers if any. writeCanonicalizedHeaders(buf, req) // Write canonicalized Query resources if any. - writeCanonicalizedResource(buf, req) + writeCanonicalizedResource(buf, req, virtualHost) return buf.String() } @@ -288,11 +283,11 @@ var resourceList = []string{ // CanonicalizedResource = [ "/" + Bucket ] + // <HTTP-Request-URI, from the protocol name up to the query string> + // [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"]; -func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request) { +func writeCanonicalizedResource(buf *bytes.Buffer, req http.Request, virtualHost bool) { // Save request URL. requestURL := req.URL // Get encoded URL path. - buf.WriteString(encodeURL2Path(&req)) + buf.WriteString(encodeURL2Path(&req, virtualHost)) if requestURL.RawQuery != "" { var n int vals, _ := url.ParseQuery(requestURL.RawQuery) |