integrated s3 request signing with temporary credentials

This commit is contained in:
adriancole 2013-01-21 10:08:38 -08:00
parent 25ce398a44
commit be12dc3293
2 changed files with 103 additions and 0 deletions

View File

@ -43,6 +43,7 @@ import javax.inject.Singleton;
import javax.ws.rs.core.HttpHeaders;
import org.jclouds.Constants;
import org.jclouds.aws.domain.TemporaryCredentials;
import org.jclouds.crypto.Crypto;
import org.jclouds.date.TimeStamp;
import org.jclouds.domain.Credentials;
@ -119,12 +120,20 @@ public class RequestAuthorizeSignature implements HttpRequestFilter, RequestSign
public HttpRequest filter(HttpRequest request) throws HttpException {
request = replaceDateHeader(request);
Credentials current = creds.get();
if (current instanceof TemporaryCredentials) {
request = replaceSecurityTokenHeader(request, TemporaryCredentials.class.cast(current));
}
String signature = calculateSignature(createStringToSign(request));
request = replaceAuthorizationHeader(request, signature);
utils.logRequest(signatureLog, request, "<<");
return request;
}
HttpRequest replaceSecurityTokenHeader(HttpRequest request, TemporaryCredentials current) {
return request.toBuilder().replaceHeader("x-amz-security-token", current.getSessionToken()).build();
}
HttpRequest replaceAuthorizationHeader(HttpRequest request, String signature) {
request = request.toBuilder()
.replaceHeader(HttpHeaders.AUTHORIZATION, authTag + " " + creds.get().identity + ":" + signature).build();

View File

@ -0,0 +1,94 @@
/**
* Licensed to jclouds, Inc. (jclouds) under one or more
* contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. jclouds licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.jclouds.s3.filters;
import static org.jclouds.reflect.Reflection2.method;
import static org.testng.Assert.assertEquals;
import org.jclouds.ContextBuilder;
import org.jclouds.aws.domain.TemporaryCredentials;
import org.jclouds.date.TimeStamp;
import org.jclouds.date.internal.SimpleDateFormatDateService;
import org.jclouds.domain.Credentials;
import org.jclouds.http.HttpRequest;
import org.jclouds.logging.config.NullLoggingModule;
import org.jclouds.reflect.Invocation;
import org.jclouds.rest.ConfiguresRestClient;
import org.jclouds.rest.internal.BaseRestApiTest.MockModule;
import org.jclouds.rest.internal.GeneratedHttpRequest;
import org.jclouds.s3.S3AsyncClient;
import org.jclouds.s3.S3Client;
import org.jclouds.s3.config.S3RestClientModule;
import org.testng.annotations.Test;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.inject.Injector;
import com.google.inject.Module;
/**
* Tests behavior of {@code RequestAuthorizeSignature}
*
* @author Adrian Cole
*/
// NOTE:without testName, this will not call @Before* and fail w/NPE during surefire
@Test(groups = "unit", testName = "RequestAuthorizeSignatureWithTemporaryCredentialsTest")
public class RequestAuthorizeSignatureWithTemporaryCredentialsTest {
public static Injector injector(Credentials creds) {
return ContextBuilder.newBuilder("s3")
.credentialsSupplier(Suppliers.<Credentials> ofInstance(creds))
.modules(ImmutableList.<Module> of(new MockModule(), new NullLoggingModule(), new TestS3RestClientModule())).buildInjector();
}
@ConfiguresRestClient
private static final class TestS3RestClientModule extends S3RestClientModule<S3Client, S3AsyncClient> {
@Override
protected String provideTimeStamp(@TimeStamp Supplier<String> cache) {
return "2009-11-08T15:54:08.897Z";
}
}
public static RequestAuthorizeSignature filter(Credentials creds) {
return injector(creds).getInstance(RequestAuthorizeSignature.class);
}
TemporaryCredentials temporaryCredentials = TemporaryCredentials.builder()
.accessKeyId("AKIAIOSFODNN7EXAMPLE")
.secretAccessKey("wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY")
.sessionToken("AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT")
.expiration(new SimpleDateFormatDateService().iso8601DateParse("2011-07-11T19:55:29.611Z")).build();
Invocation invocation = Invocation.create(method(S3AsyncClient.class, "bucketExists", String.class),
ImmutableList.<Object> of("foo"));
HttpRequest bucketFooExists = GeneratedHttpRequest.builder().method("GET")
.invocation(invocation)
.endpoint("https://foo.s3.amazonaws.com/?max-keys=0")
.addHeader("Host", "foo.s3.amazonaws.com").build();
@Test
void testAddsSecurityToken() {
HttpRequest filtered = filter(temporaryCredentials).filter(bucketFooExists);
assertEquals(filtered.getFirstHeaderOrNull("Authorization"),
"AWS AKIAIOSFODNN7EXAMPLE:0fUhWTaRBcIvIAndg2C+5eLfE24=");
assertEquals(filtered.getFirstHeaderOrNull("x-amz-security-token"), temporaryCredentials.getSessionToken());
}
}