├── rebar.lock
├── .gitignore
├── rebar.config
├── src
    ├── aws_signature.app.src
    ├── aws_sigv4_utils.erl
    ├── aws_sigv4_internal.hrl
    ├── aws_sigv4a_credentials.erl
    ├── aws_sigv4a.erl
    ├── aws_sigv4_internal.erl
    ├── aws_signature_utils.erl
    └── aws_signature.erl
├── README.md
├── .github
    └── workflows
    │   ├── test.yml
    │   └── release.yml
├── CHANGELOG.md
├── LICENSE
└── test
    ├── aws_sigv4a_tests.erl
    └── aws_sigv4_internal_tests.erl


/rebar.lock:
--------------------------------------------------------------------------------
1 | [].
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .rebar3
 2 | _*
 3 | .eunit
 4 | *.o
 5 | *.beam
 6 | *.plt
 7 | *.swp
 8 | *.swo
 9 | .erlang.cookie
10 | ebin
11 | log
12 | erl_crash.dump
13 | .rebar
14 | logs
15 | _build
16 | .idea
17 | *.iml
18 | rebar3.crashdump
19 | *~
20 | doc/
21 | 


--------------------------------------------------------------------------------
/rebar.config:
--------------------------------------------------------------------------------
 1 | {erl_opts, [debug_info]}.
 2 | {deps, []}.
 3 | {project_plugins, [rebar3_hex, rebar3_ex_doc]}.
 4 | 
 5 | {ex_doc, [
 6 |     {extras, [<<"CHANGELOG.md">>, <<"LICENSE">>]},
 7 |     {main, <<"aws_signature">>},
 8 |     {source_url, <<"https://github.com/aws-beam/aws_signature">>}
 9 | ]}.
10 | 
11 | {hex, [
12 |     {doc, #{provider => ex_doc}}
13 | ]}.
14 | 


--------------------------------------------------------------------------------
/src/aws_signature.app.src:
--------------------------------------------------------------------------------
 1 | {application, aws_signature,
 2 |  [{description, "Request signature implementation for authorizing AWS API calls"},
 3 |   {vsn, "git"},
 4 |   {registered, []},
 5 |   {applications,
 6 |    [kernel,
 7 |     stdlib
 8 |    ]},
 9 |   {env,[]},
10 |   {modules, []},
11 |   {licenses, ["Apache-2.0"]},
12 |   {links, [{"GitHub", "https://github.com/aws-beam/aws_signature"}]},
13 |   {doc, "doc"}
14 |  ]}.
15 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # AWS Signature
 2 | 
 3 | [Documentation](https://hexdocs.pm/aws_signature)
 4 | 
 5 | Request signature implementation for authorizing AWS API calls.
 6 | 
 7 | ## Installation
 8 | 
 9 | The package is available on [Hex](https://hex.pm/packages/aws_signature).
10 | To install, just add it to your dependencies in `mix.exs`:
11 | 
12 | ```elixir
13 | defp deps() do
14 |   [
15 |     {:aws_signature, "~> 0.3.2"}
16 |   ]
17 | end
18 | ```
19 | 
20 | or `rebar.config`:
21 | 
22 | ```erlang
23 | {deps, [{aws_signature, "~> 0.3.2"}]}.
24 | ```
25 | 


--------------------------------------------------------------------------------
/.github/workflows/test.yml:
--------------------------------------------------------------------------------
 1 | name: Test
 2 | on:
 3 |   pull_request:
 4 |   push:
 5 |     branches:
 6 |       - main
 7 | 
 8 | jobs:
 9 |   build:
10 |     strategy:
11 |       matrix:
12 |         platform: [ubuntu-latest]
13 |         otp-version: [26, 27, 28]
14 |     runs-on: ${{ matrix.platform }}
15 |     container:
16 |       image: erlang:${{ matrix.otp-version }}
17 |     steps:
18 |     - name: Checkout
19 |       uses: actions/checkout@v3
20 |     - name: Cache Hex packages
21 |       uses: actions/cache@v3
22 |       with:
23 |         path: ~/.cache/rebar3/hex/hexpm/packages
24 |         key: ${{ runner.os }}-hex-${{ hashFiles(format('{0}{1}', github.workspace, '/rebar.lock')) }}
25 |         restore-keys: |
26 |           ${{ runner.os }}-hex-
27 |     - name: Compile
28 |       run: rebar3 compile
29 |     - name: Run EUnit Tests
30 |       run: rebar3 eunit
31 |     - name: Run Dialyzer
32 |       run: rebar3 dialyzer
33 | 


--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
 1 | name: Upload release
 2 | 
 3 | on:
 4 |   push:
 5 |     tags:
 6 |     - '*'
 7 | 
 8 | jobs:
 9 | 
10 |   build:
11 |     runs-on: ubuntu-latest
12 |     container:
13 |       image: erlang:27
14 |     permissions:
15 |       contents: write
16 |     steps:
17 |       - name: Checkout
18 |         uses: actions/checkout@v3
19 | 
20 |       - name: Take ownership of the checkout directory (Git CVE-2022-24765)
21 |         run: chown --recursive --reference=/ .
22 | 
23 |       - name: Allow for file ownership conflicts with Docker and GitHub Actions
24 |         run: git config --global --add safe.directory '*'
25 | 
26 |       - name: Compile
27 |         run: rebar3 compile
28 | 
29 |       - name: Run EUnit Tests
30 |         run: rebar3 eunit
31 | 
32 |       - name: Run Dialyzer
33 |         run: rebar3 dialyzer
34 | 
35 |       - name: Generate docs
36 |         run: rebar3 ex_doc
37 | 
38 |       - uses: ncipollo/release-action@v1
39 |         with:
40 |           generateReleaseNotes: true
41 |           token: ${{ secrets.GITHUB_TOKEN }}
42 | 
43 |       - name: Publish to hex.pm
44 |         uses: erlangpack/github-action@v4
45 |         env:
46 |           HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
47 | 


--------------------------------------------------------------------------------
/src/aws_sigv4_utils.erl:
--------------------------------------------------------------------------------
 1 | -module(aws_sigv4_utils).
 2 | 
 3 | -export([ binaries_join/2
 4 |         , format_time_long/1
 5 |         , format_time_short/1
 6 |         , sha256/1
 7 |         ]).
 8 | 
 9 | -spec binaries_join(binary(), [binary()]) -> binary().
10 | binaries_join(Separator, Binaries) ->
11 |   iolist_to_binary(lists:join(Separator, Binaries)).
12 | 
13 | -spec format_time_long(calendar:datetime()) -> binary().
14 | format_time_long({{YY, MM, DD}, {H, M, S}}) ->
15 |   format_timestamp(format_date(YY, MM, DD), H, M, S).
16 | 
17 | -spec format_time_short(calendar:datetime()) -> binary().
18 | format_time_short({{YY, MM, DD}, _}) ->
19 |   format_date(YY, MM, DD).
20 | 
21 | -spec format_date(non_neg_integer(), non_neg_integer(), non_neg_integer()) -> binary().
22 | format_date(YY, MM, DD) ->
23 |   YB = integer_to_binary(YY),
24 |   MB = maybe_pad(MM),
25 |   DB = maybe_pad(DD),
26 |   <<YB/binary, MB/binary, DB/binary>>.
27 | 
28 | -spec format_timestamp(binary(), non_neg_integer(), non_neg_integer(), non_neg_integer()) -> binary().
29 | format_timestamp(Date, H, M, S) ->
30 |   HB = maybe_pad(H),
31 |   MB = maybe_pad(M),
32 |   SB = maybe_pad(S),
33 |   <<Date/binary, "T", HB/binary, MB/binary, SB/binary, "Z">>.
34 | 
35 | -spec maybe_pad(non_neg_integer()) -> binary().
36 | maybe_pad(X) when X < 10 ->
37 |   <<"0", (integer_to_binary(X))/binary>>;
38 | maybe_pad(X) ->
39 |   integer_to_binary(X).
40 | 
41 | -spec sha256(binary()) -> binary().
42 | sha256(Binary) ->
43 |   crypto:hash(sha256, Binary).
44 | 


--------------------------------------------------------------------------------
/src/aws_sigv4_internal.hrl:
--------------------------------------------------------------------------------
 1 | -ifndef(_AWS_SIGV4_INTERNAL_HRL_).
 2 | -define(_AWS_SIGV4_INTERNAL_HRL_, true).
 3 | 
 4 | -record(request,
 5 |         { method :: binary()
 6 |         , url :: binary()
 7 |         , headers :: aws_sigv4_internal:headers()
 8 |         , body :: binary()
 9 |         , host :: binary()
10 |         }).
11 | 
12 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/credentials/credentials.go
13 | 
14 | -record(credentials,
15 |         { access_key_id :: binary()
16 |         , secret_access_key :: binary()
17 |         , session_token :: binary()
18 |         }).
19 | 
20 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/v4/v4.go
21 | 
22 | -record(v4_signer_options,
23 |         { is_signed :: fun((binary()) -> boolean()) | undefined
24 |         , disable_implicit_payload_hashing = false :: boolean()
25 |         , disable_double_path_escape = false :: boolean()
26 |         , add_payload_hash_header = false :: boolean()
27 |         }).
28 | 
29 | -define(UNSIGNED_PAYLOAD, <<"UNSIGNED-PAYLOAD">>).
30 | 
31 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/internal/v4/signer.go
32 | 
33 | -record(internal_signer,
34 |         { request :: aws_sigv4_internal:request()
35 |         , payload_hash :: binary() % raw binary, NOT hex-encoded
36 |         , time :: calendar:datetime()
37 |         , credentials :: aws_sigv4_internal:credentials()
38 |         , options :: aws_sigv4_internal:v4_signer_options()
39 |         , algorithm :: binary()
40 |         , credential_scope :: binary()
41 |         , sign_string :: aws_sigv4_internal:sign_string()
42 |         }).
43 | 
44 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/sigv4a/sigv4a.go
45 | 
46 | -record(v4a_sign_request_input,
47 |         { request :: aws_sigv4_internal:request()
48 |         , payload_hash :: binary() % raw binary, NOT hex-encoded
49 |         , credentials :: aws_sigv4_internal:credentials()
50 |         , service :: binary()
51 |         , regions :: [binary()]
52 |         , time :: calendar:datetime() | undefined
53 |         }).
54 | 
55 | -endif. % _AWS_SIGV4_INTERNAL_HRL_
56 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # Changelog
 2 | 
 3 | All notable changes to this project will be documented in this file.
 4 | 
 5 | The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 6 | 
 7 | ## [v0.3.2](https://github.com/aws-beam/aws_signature/tree/v0.3.2) (2024-02-16)
 8 | 
 9 | ### Added
10 | 
11 | - Add support for signing AWS event stream messages ([#23](https://github.com/aws-beam/aws_signature/pull/23))
12 | - Add body_digest option to sign_v4/10 ([#25](https://github.com/aws-beam/aws_signature/pull/25))
13 | 
14 | ## [v0.3.1](https://github.com/aws-beam/aws_signature/tree/v0.3.1) (2022-04-27)
15 | 
16 | ### Fixed
17 | 
18 | - Signature for URLs with explicit port component ([#18](https://github.com/aws-beam/aws_signature/pull/18))
19 | 
20 | ## [v0.3.0](https://github.com/aws-beam/aws_signature/tree/v0.3.0) (2022-04-12)
21 | 
22 | This release changes the default behaviour of `sign_v4_query_params`. Instead of
23 | setting the body digest to "UNSIGNED-PAYLOAD" it now computes the digest of an
24 | empty string. To retain the current behaviour you need to pass an option:
25 | 
26 | ```diff
27 | -sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, []).
28 | +sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, [{body_digest, <<"UNSIGNED-PAYLOAD">>}]).
29 | ```
30 | 
31 | ### Added
32 | 
33 | - Support for body signing in presigned requests ([#15](https://github.com/aws-beam/aws_signature/pull/15))
34 | 
35 | ### Changed
36 | 
37 | - Default body digest in `sign_v4_query_params` signature ([#15](https://github.com/aws-beam/aws_signature/pull/15))
38 | 
39 | ## [v0.2.0](https://github.com/aws-beam/aws_signature/tree/v0.2.0) (2021-09-27)
40 | 
41 | ### Changed
42 | 
43 | - Changed `sign_v4_query_params` signatures to also accept HTTP method ([#11](https://github.com/aws-beam/aws_signature/pull/11))
44 | 
45 | ## [v0.1.1](https://github.com/aws-beam/aws_signature/tree/v0.1.1) (2021-08-28)
46 | 
47 | ### Added
48 | 
49 | - Support for query string signature ([#7](https://github.com/aws-beam/aws_signature/pull/7))
50 | 
51 | ## [v0.1.0](https://github.com/aws-beam/aws_signature/tree/v0.1.0) (2021-08-17)
52 | 
53 | Initial release
54 | 


--------------------------------------------------------------------------------
/src/aws_sigv4a_credentials.erl:
--------------------------------------------------------------------------------
 1 | %% Based on:
 2 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/sigv4a/credentials.go
 3 | -module(aws_sigv4a_credentials).
 4 | 
 5 | -export([ derive/1
 6 |         ]).
 7 | 
 8 | -ifdef(TEST).
 9 | -export([ derive_private_key/1
10 |         ]).
11 | -endif.
12 | 
13 | -include("aws_sigv4_internal.hrl").
14 | 
15 | -spec derive(aws_sigv4_internal:credentials()) -> {ok, binary()} | {error, any()}.
16 | derive(Credentials) ->
17 |   #credentials{access_key_id = AKID} = Credentials,
18 |   case persistent_term:get(?MODULE, false) of
19 |     {AKID, PrivateKey} -> {ok, PrivateKey};
20 |     _ ->
21 |       case derive_private_key(Credentials) of
22 |         {ok, PrivateKey} = Result ->
23 |           persistent_term:put(?MODULE, {AKID, PrivateKey}),
24 |           Result;
25 |         {error, _Reason} = Error -> Error
26 |       end
27 |   end.
28 | 
29 | %% See "Deriving a signing key for SigV4a" subsection of:
30 | %% https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html#derive-signing-key
31 | -spec derive_private_key(aws_sigv4_internal:credentials()) -> {ok, binary()} | {error, any()}.
32 | derive_private_key(Credentials) ->
33 |   NMinus2 = p256_n() - 2,
34 |   #credentials{access_key_id = AKID, secret_access_key = SK} = Credentials,
35 |   InputKey = << <<"AWS4A">>/binary, SK/binary>>,
36 |   derive_private_key(_Counter = 1, NMinus2, AKID, InputKey).
37 | 
38 | -spec derive_private_key(byte(), non_neg_integer(), binary(), binary()) -> {ok, binary()} | {error, any()}.
39 | derive_private_key(Counter, NMinus2, AKID, InputKey) ->
40 |   case Counter < 255 of
41 |     true ->
42 |       Context = <<AKID/binary, Counter>>,
43 |       Key = derive_hmac_key(InputKey, Context),
44 |       KeyNrBits = byte_size(Key) * 8,
45 |       KeyNrBits = 256, % assert
46 |       <<C:KeyNrBits/big>> = Key,
47 |       case C > NMinus2 of
48 |         true -> derive_private_key(Counter + 1, NMinus2, AKID, InputKey);
49 |         false -> {ok, <<(C + 1):KeyNrBits/big>>}
50 |       end;
51 |     false -> {error, exhausted_single_byte_external_counter}
52 |   end.
53 | 
54 | -spec p256_n() -> non_neg_integer().
55 | p256_n() ->
56 |   115792089210356248762697446949407573529996955224135760342422259061068512044369.
57 | 
58 | -spec p256_bitsize() -> non_neg_integer().
59 | p256_bitsize() ->
60 |   256.
61 | 
62 | -spec derive_hmac_key(binary(), binary()) -> binary().
63 | derive_hmac_key(Key, Context) ->
64 |   BitLen = p256_bitsize(),
65 |   N = ((BitLen + 7) div 8) div sha256_size(),
66 |   Label = <<"AWS4-ECDSA-P256-SHA256">>,
67 |   FixedInput = <<Label/binary, 16#00, Context/binary, BitLen:32/big>>,
68 |   %% INV: N == 1, so no loop needed
69 |   N = 1, % assert
70 |   Input = <<1:32/big, FixedInput/binary>>,
71 |   hmac_sha256(Key, Input).
72 | 
73 | -spec hmac_sha256(binary(), binary()) -> binary().
74 | hmac_sha256(Key, Data) ->
75 |   crypto:mac(hmac, sha256, Key, Data).
76 | 
77 | -spec sha256_size() -> non_neg_integer().
78 | sha256_size() ->
79 |   32.
80 | 


--------------------------------------------------------------------------------
/src/aws_sigv4a.erl:
--------------------------------------------------------------------------------
  1 | %% Based on:
  2 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/sigv4a/sigv4a.go
  3 | -module(aws_sigv4a).
  4 | 
  5 | -export([ sign_request/10
  6 |         ]).
  7 | 
  8 | -ifdef(TEST).
  9 | -export([ sign_request/2
 10 |         ]).
 11 | -endif.
 12 | 
 13 | -include("aws_sigv4_internal.hrl").
 14 | 
 15 | -type v4a_sign_request_input() :: #v4a_sign_request_input{}.
 16 | 
 17 | -export_type([ v4a_sign_request_input/0
 18 |              ]).
 19 | 
 20 | -define(ALGORITHM, <<"AWS4-ECDSA-P256-SHA256">>).
 21 | 
 22 | -spec sign_request(binary(), binary(), binary(), [binary()], binary(),
 23 |                    binary(), binary(), aws_sigv4_internal:headers(), binary(), map())
 24 |        -> {ok, aws_sigv4_internal:headers()} | {error, any()}.
 25 | sign_request(AccessKeyID, SecretAccessKey, SessionToken, Regions,
 26 |              Service, Method, URL, Headers, Body, Options) ->
 27 |   Credentials =
 28 |     #credentials
 29 |       { access_key_id = AccessKeyID
 30 |       , secret_access_key = SecretAccessKey
 31 |       , session_token = SessionToken
 32 |       },
 33 |   URIMap = uri_string:parse(URL),
 34 |   Host = maps:get(host, URIMap, <<>>),
 35 |   Request =
 36 |     #request
 37 |       { method = Method
 38 |       , url = URL
 39 |       , headers = Headers
 40 |       , body = Body
 41 |       , host = Host
 42 |       },
 43 |   V4ASignerOptions =
 44 |     #v4_signer_options
 45 |       { add_payload_hash_header = maps:get(add_payload_hash_header, Options, false)
 46 |       , disable_implicit_payload_hashing = maps:get(disable_implicit_payload_hashing, Options, false)
 47 |       },
 48 |   V4ASignRequestInput =
 49 |     #v4a_sign_request_input
 50 |       { request = Request
 51 |       , payload_hash = <<"">>
 52 |       , credentials = Credentials
 53 |       , service = Service
 54 |       , regions = Regions
 55 |       , time = undefined
 56 |       },
 57 |   sign_request(V4ASignerOptions, V4ASignRequestInput).
 58 | 
 59 | -spec sign_request(aws_sigv4_internal:v4_signer_options(), v4a_sign_request_input())
 60 |                -> {ok, aws_sigv4_internal:headers()} | {error, any()}.
 61 | sign_request(Options, SignRequestInput) ->
 62 |   case aws_sigv4a_credentials:derive(SignRequestInput#v4a_sign_request_input.credentials) of
 63 |     {ok, PrivateKey} ->
 64 |       Regions = SignRequestInput#v4a_sign_request_input.regions,
 65 |       Headers =
 66 |         [ {<<"X-Amz-Region-Set">>, aws_sigv4_utils:binaries_join(<<",">>, Regions)}
 67 |         | SignRequestInput#v4a_sign_request_input.request#request.headers
 68 |         ],
 69 |       Request = SignRequestInput#v4a_sign_request_input.request#request{headers = Headers},
 70 |       Time = aws_sigv4_internal:resolve_time(SignRequestInput#v4a_sign_request_input.time),
 71 |       InternalSigner =
 72 |         #internal_signer
 73 |           { request = Request
 74 |           , payload_hash = SignRequestInput#v4a_sign_request_input.payload_hash
 75 |           , time = Time
 76 |           , credentials = SignRequestInput#v4a_sign_request_input.credentials
 77 |           , options = Options
 78 |           , algorithm = ?ALGORITHM
 79 |           , credential_scope = scope(Time, SignRequestInput#v4a_sign_request_input.service)
 80 |           , sign_string = sign_string(PrivateKey)
 81 |           },
 82 |       aws_sigv4_internal:do(InternalSigner);
 83 |     Error -> Error
 84 |   end.
 85 | 
 86 | %% sigv4a.scope
 87 | -spec scope(calendar:datetime(), binary()) -> binary().
 88 | scope(Time, Service) ->
 89 |   <<(aws_sigv4_utils:format_time_short(Time))/binary, $/, Service/binary, $/, <<"aws4_request">>/binary>>.
 90 | 
 91 | %% sigv4a.SignString
 92 | -spec sign_string(binary()) -> aws_sigv4_internal:sign_string().
 93 | sign_string(PrivateKey) ->
 94 |   fun(StrToSign) ->
 95 |     {ok, aws_signature_utils:base16(ecdsa_sign(PrivateKey, StrToSign))}
 96 |   end.
 97 | 
 98 | ecdsa_sign(PrivateKey, Digest) ->
 99 |   crypto:sign(ecdsa, sha256, Digest, [PrivateKey, secp256r1]).
100 | 


--------------------------------------------------------------------------------
/src/aws_sigv4_internal.erl:
--------------------------------------------------------------------------------
  1 | %% Based on:
  2 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/internal/v4/signer.go
  3 | -module(aws_sigv4_internal).
  4 | 
  5 | -export([ do/1
  6 |         , resolve_time/1
  7 |         ]).
  8 | 
  9 | -ifdef(TEST).
 10 | -export([ build_canonical_request/1
 11 |         , default_is_signed/1
 12 |         , resolve_payload_hash/1
 13 |         , set_required_headers/1
 14 |         ]).
 15 | -endif.
 16 | 
 17 | -include("aws_sigv4_internal.hrl").
 18 | 
 19 | -type credentials() :: #credentials{}.
 20 | -type headers() :: [{binary(), binary()}].
 21 | -type internal_signer() :: #internal_signer{}.
 22 | -type request() :: #request{}.
 23 | -type sign_string() :: fun((binary()) -> {ok, binary()} | {error, any()}).
 24 | -type v4_signer_options() :: #v4_signer_options{}.
 25 | 
 26 | -export_type([ credentials/0
 27 |              , headers/0
 28 |              , internal_signer/0
 29 |              , request/0
 30 |              , sign_string/0
 31 |              , v4_signer_options/0
 32 |              ]).
 33 | 
 34 | -spec do(internal_signer()) -> {ok, headers()} | {error, any()}.
 35 | do(Signer) ->
 36 |   Signer1 = init(Signer),
 37 |   Signer2 = set_required_headers(Signer1),
 38 |   {CanonicalRequest, SignedHeaders} = build_canonical_request(Signer2),
 39 |   StringToSign = build_string_to_sign(Signer2, CanonicalRequest),
 40 |   case sign_string(Signer2, StringToSign) of
 41 |     {ok, Signature} -> {ok, set_authorization_header(Signer2, SignedHeaders, Signature)};
 42 |     {error, _Reason} = Error -> Error
 43 |   end.
 44 | 
 45 | -spec set_authorization_header(internal_signer(), binary(), binary()) -> headers().
 46 | set_authorization_header(Signer, SignedHeaders, Signature) ->
 47 |   headers_put(<<"Authorization">>,
 48 |               build_authorization_header(Signer, SignedHeaders, Signature),
 49 |               Signer#internal_signer.request#request.headers).
 50 | 
 51 | -spec init(internal_signer()) -> internal_signer().
 52 | init(Signer) ->
 53 |   resolve_payload_hash(init_is_signed(Signer)).
 54 | 
 55 | -spec init_is_signed(internal_signer()) -> internal_signer().
 56 | init_is_signed(Signer) ->
 57 |   Options = Signer#internal_signer.options,
 58 |   case Options#v4_signer_options.is_signed of
 59 |     undefined ->
 60 |       Options1 = Options#v4_signer_options{is_signed = fun default_is_signed/1},
 61 |       Signer#internal_signer{options = Options1};
 62 |     IsSigned when is_function(IsSigned, 1) -> Signer
 63 |   end.
 64 | 
 65 | -spec resolve_payload_hash(internal_signer()) -> internal_signer().
 66 | resolve_payload_hash(Signer) ->
 67 |   case Signer#internal_signer.payload_hash of
 68 |     Binary when byte_size(Binary) > 0 -> Signer;
 69 |     _ ->
 70 |       PayloadHash =
 71 |         case Signer#internal_signer.options#v4_signer_options.disable_implicit_payload_hashing of
 72 |           true -> ?UNSIGNED_PAYLOAD;
 73 |           false -> aws_sigv4_utils:sha256(Signer#internal_signer.request#request.body)
 74 |         end,
 75 |       Signer#internal_signer{payload_hash = PayloadHash}
 76 |   end.
 77 | 
 78 | -spec set_required_headers(internal_signer()) -> internal_signer().
 79 | set_required_headers(Signer) ->
 80 |   Request0 = Signer#internal_signer.request,
 81 |   Headers0 = Request0#request.headers,
 82 |   Funs =
 83 |     [ fun set_host_header/2
 84 |     , fun set_date_header/2
 85 |     , fun set_security_token_header/2
 86 |     , fun set_content_sha_header/2
 87 |     ],
 88 |   Headers = lists:foldl(fun(F, Hs) -> F(Signer, Hs) end, Headers0, Funs),
 89 |   Request = Request0#request{headers = Headers},
 90 |   Signer#internal_signer{request = Request}.
 91 | 
 92 | -spec set_host_header(internal_signer(), headers()) -> headers().
 93 | set_host_header(#internal_signer{request = #request{host = Host}}, Headers) ->
 94 |   headers_put(<<"Host">>, Host, Headers).
 95 | 
 96 | -spec set_date_header(internal_signer(), headers()) -> headers().
 97 | set_date_header(#internal_signer{time = Time}, Headers) ->
 98 |   headers_put(<<"X-Amz-Date">>, aws_sigv4_utils:format_time_long(Time), Headers).
 99 | 
100 | -spec set_security_token_header(internal_signer(), headers()) -> headers().
101 | set_security_token_header(#internal_signer{credentials = Credentials}, Headers) ->
102 |   case Credentials#credentials.session_token of
103 |     SessionToken when byte_size(SessionToken) > 0 ->
104 |       headers_put(<<"X-Amz-Security-Token">>, SessionToken, Headers);
105 |     _ -> Headers
106 |   end.
107 | 
108 | -spec set_content_sha_header(internal_signer(), headers()) -> headers().
109 | set_content_sha_header(#internal_signer{payload_hash = PayloadHash, options = Options}, Headers) ->
110 |   case PayloadHash of
111 |     _ when byte_size(PayloadHash) > 0, Options#v4_signer_options.add_payload_hash_header =:= true ->
112 |       headers_put(<<"X-Amz-Content-Sha256">>, payload_hash_string(PayloadHash), Headers);
113 |     _ -> Headers
114 |   end.
115 | 
116 | -spec headers_put(binary(), binary(), headers()) -> headers().
117 | headers_put(Key, Val, Headers) ->
118 |   lists:keystore(Key, 1, Headers, {Key, Val}).
119 | 
120 | -spec build_canonical_request(internal_signer()) -> {binary(), binary()}.
121 | build_canonical_request(Signer) ->
122 |   CanonMethod = build_canonical_method(Signer),
123 |   CanonPath = build_canonical_path(Signer),
124 |   CanonQuery = build_canonical_query(Signer),
125 |   {CanonHeaders, SignedHeaders} = build_canonical_headers(Signer),
126 |   {iolist_to_binary(
127 |      lists:join("\n",
128 |                 [ CanonMethod
129 |                 , CanonPath
130 |                 , CanonQuery
131 |                 , CanonHeaders
132 |                 , SignedHeaders
133 |                 , payload_hash_string(Signer#internal_signer.payload_hash)
134 |                 ])),
135 |    SignedHeaders}.
136 | 
137 | -spec build_canonical_method(internal_signer()) -> binary().
138 | build_canonical_method(Signer) ->
139 |   string:uppercase(Signer#internal_signer.request#request.method).
140 | 
141 | -spec build_canonical_path(internal_signer()) -> binary().
142 | build_canonical_path(Signer) ->
143 |   URIMap = uri_string:parse(Signer#internal_signer.request#request.url),
144 |   Path = maps:get(path, URIMap, <<>>),
145 |   %% FIXME: we want an escaped path here, it's unclear if it already is
146 |   EscapedPath =
147 |     case byte_size(Path) =:= 0 of
148 |       true -> <<"/">>;
149 |       false -> Path
150 |     end,
151 |   case Signer#internal_signer.options#v4_signer_options.disable_double_path_escape of
152 |     true -> EscapedPath;
153 |     false -> aws_signature_utils:uri_encode_path(EscapedPath)
154 |   end.
155 | 
156 | -spec build_canonical_query(internal_signer()) -> binary().
157 | build_canonical_query(Signer) ->
158 |   URIMap = uri_string:parse(Signer#internal_signer.request#request.url),
159 |   QueryString = maps:get(query, URIMap, <<"">>),
160 |   QueryList0 = uri_string:dissect_query(QueryString),
161 |   QueryMap0 =
162 |     lists:foldl(
163 |       fun({Key, Val0}, QMap) ->
164 |         %% treat "key" like "key="
165 |         Val = case Val0 of true -> <<>>; _ -> Val0 end,
166 |         Vals = maps:get(Key, QMap, []),
167 |         maps:put(Key, [Val | Vals], QMap)
168 |       end, maps:new(), QueryList0),
169 |   QueryMap1 =
170 |     maps:map(
171 |       fun(_Key, Vals) ->
172 |         lists:reverse(Vals)
173 |       end, QueryMap0),
174 |   QueryList2 =
175 |     lists:sort(
176 |       fun({K1, _Vs1}, {K2, _Vs2}) ->
177 |         K1 =< K2
178 |       end, maps:to_list(QueryMap1)),
179 |   QueryList3 =
180 |     lists:append(
181 |       lists:map(
182 |         fun({K, Vs}) ->
183 |           lists:map(fun(V) -> {K, V} end, Vs)
184 |         end, QueryList2)),
185 |   case QueryList3 of
186 |     [] -> <<>>;
187 |     _ -> binary:replace(uri_string:compose_query(QueryList3), <<"+">>, <<"%20">>)
188 |   end.
189 | 
190 | -spec build_canonical_headers(internal_signer()) -> {binary(), binary()}.
191 | build_canonical_headers(Signer) ->
192 |   IsSigned = Signer#internal_signer.options#v4_signer_options.is_signed,
193 |   SignedHeadersMap =
194 |     lists:foldl(
195 |       fun({Header, Value}, Map) ->
196 |         Lowercase = string:lowercase(Header),
197 |         case IsSigned(Lowercase) of
198 |           true ->
199 |             Values = maps:get(Lowercase, Map, []),
200 |             maps:put(Lowercase, [Value | Values], Map);
201 |           false -> Map
202 |         end
203 |       end, maps:new(), Signer#internal_signer.request#request.headers),
204 |   SignedHeadersList = lists:sort(maps:to_list(SignedHeadersMap)),
205 |   SignedHeaders =
206 |     iolist_to_binary(
207 |       lists:map(
208 |         fun({Header, Values}) ->
209 |           [ Header
210 |           , ":"
211 |           , lists:join(",", lists:map(fun string:trim/1, lists:reverse(Values)))
212 |           , "\n"
213 |           ]
214 |         end, SignedHeadersList)),
215 |   CanonHeaders =
216 |     iolist_to_binary(
217 |       lists:join(";", lists:map(fun({Header, _Values}) -> Header end, SignedHeadersList))),
218 |   {SignedHeaders, CanonHeaders}.
219 | 
220 | -spec build_string_to_sign(internal_signer(), binary()) -> binary().
221 | build_string_to_sign(Signer, CanonicalRequest) ->
222 |   iolist_to_binary(
223 |     lists:join("\n",
224 |                [ Signer#internal_signer.algorithm
225 |                , aws_sigv4_utils:format_time_long(Signer#internal_signer.time)
226 |                , Signer#internal_signer.credential_scope
227 |                , aws_signature_utils:base16(aws_sigv4_utils:sha256(CanonicalRequest))
228 |                ])).
229 | 
230 | -spec build_authorization_header(internal_signer(), binary(), binary()) -> binary().
231 | build_authorization_header(Signer, SignedHeaders, Signature) ->
232 |   iolist_to_binary(
233 |     [ Signer#internal_signer.algorithm
234 |     , " Credential="
235 |     , Signer#internal_signer.credentials#credentials.access_key_id
236 |     , "/"
237 |    , Signer#internal_signer.credential_scope
238 |     , ", SignedHeaders="
239 |     , SignedHeaders
240 |     , ", Signature="
241 |     , Signature
242 |     ]).
243 | 
244 | -spec payload_hash_string(binary()) -> binary().
245 | payload_hash_string(Hash) ->
246 |   case Hash of
247 |     ?UNSIGNED_PAYLOAD -> Hash;
248 |     _ -> aws_signature_utils:base16(Hash)
249 |   end.
250 | 
251 | -spec resolve_time(calendar:datetime() | undefined) -> calendar:datetime().
252 | resolve_time(undefined) -> calendar:universal_time();
253 | resolve_time(Time) -> Time.
254 | 
255 | -spec default_is_signed(binary()) -> boolean().
256 | default_is_signed(Header) ->
257 |   case Header of
258 |     <<"host">> -> true;
259 |     <<"x-amz-", _/binary>> -> true;
260 |     _ -> false
261 |   end.
262 | 
263 | -spec sign_string(internal_signer(), binary()) -> {ok, binary()} | {error, any()}.
264 | sign_string(Signer, String) ->
265 |   (Signer#internal_signer.sign_string)(String).
266 | 


--------------------------------------------------------------------------------
/src/aws_signature_utils.erl:
--------------------------------------------------------------------------------
  1 | %% @private
  2 | -module(aws_signature_utils).
  3 | 
  4 | -export([hmac_sha256/2,
  5 |          hmac_sha256_hexdigest/2,
  6 |          sha256_hexdigest/1,
  7 |          binary_join/2,
  8 |          base16/1,
  9 |          hex/2,
 10 |          parse_url/1,
 11 |          uri_encode_path/1,
 12 |          rebuilds_url_with_query_params/2
 13 |         ]).
 14 | 
 15 | %% @doc Creates an HMAC-SHA256 hexdigest for `Key' and `Message'.
 16 | -spec hmac_sha256_hexdigest(binary(), binary()) -> binary().
 17 | hmac_sha256_hexdigest(Key, Message) ->
 18 |     base16(hmac_sha256(Key, Message)).
 19 | 
 20 | %% @doc Creates an HMAC-SHA256 binary for `Key' and `Message'.
 21 | -spec hmac_sha256(binary(), binary()) -> binary().
 22 | hmac_sha256(Key, Message) ->
 23 |     crypto_hmac(sha256, Key, Message).
 24 | 
 25 | %% @doc Creates a SHA256 hexdigest for `Value'.
 26 | -spec sha256_hexdigest(iodata()) -> binary().
 27 | sha256_hexdigest(Value) ->
 28 |     base16(crypto:hash(sha256, Value)).
 29 | 
 30 | %% @doc Joins binary values using the specified separator.
 31 | -spec binary_join(Parts :: [binary()], Separator :: binary()) -> binary().
 32 | binary_join([], _) -> <<"">>;
 33 | binary_join([H], _) -> H;
 34 | binary_join([H1, H2 | T], Sep) ->
 35 |     binary_join([<<H1/binary, Sep/binary, H2/binary>> | T], Sep).
 36 | 
 37 | %% @doc Encodes binary data with base 16 encoding.
 38 | -spec base16(binary()) -> binary().
 39 | base16(Data) ->
 40 |     << <<(hex(N div 16, lower)), (hex(N rem 16, lower))>> || <<N>> <= Data >>.
 41 | 
 42 | %% @doc Converts an integer between 0 and 15 into a hexadecimal char.
 43 | -spec hex(0..15, lower | upper) -> byte().
 44 | hex(N, _Case) when N >= 0, N < 10 ->
 45 |     N + $0;
 46 | hex(N, lower) when N < 16 ->
 47 |     N - 10 + $a;
 48 | hex(N, upper) when N < 16 ->
 49 |     N - 10 + $A.
 50 | 
 51 | %% @doc Parses the given URL, returning the host, path and query components.
 52 | %%
 53 | %% The parsed `host' is normalized, such that it includes the port, if and
 54 | %% only if a not-standard port (80 or 443) is present in the URL.
 55 | %%
 56 | %% An alternative to `uri_string:parse/1' to support OTP below 21.
 57 | -spec parse_url(binary()) -> #{host => binary(), path => binary(), query => binary()}.
 58 | -ifdef(OTP_RELEASE). % OTP >= 21
 59 |   parse_url(URL) when is_binary(URL) ->
 60 |     #{host := Host, path := Path} = P = uri_string:parse(URL),
 61 | 
 62 |     Port = format_port(maps:get(port, P, undefined)),
 63 |     NormalizedHost = <<Host/binary, Port/binary>>,
 64 | 
 65 |     #{host => NormalizedHost, path => Path, query => maps:get(query, P, <<>>)}.
 66 | 
 67 |   format_port(undefined) -> <<>>;
 68 |   format_port(80) -> <<>>;
 69 |   format_port(443) -> <<>>;
 70 |   format_port(Port) ->
 71 |       FinalPort = list_to_binary(integer_to_list(Port)),
 72 |       <<":", FinalPort/binary>>.
 73 | 
 74 | -else. % OTP < 21
 75 |   parse_url(URL) when is_binary(URL) ->
 76 |     %% From https://datatracker.ietf.org/doc/html/rfc3986#appendix-B
 77 |     {ok, Regex} = re:compile("^(([a-z][a-z0-9\\+\\-\\.]*):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?", [caseless]),
 78 | 
 79 |     case re:run(URL, Regex, [{capture, all, binary}]) of
 80 |         {match, [_, _1, _2, _3, Authority, Path, _6, Query | _]} ->
 81 |             #{host => authority_to_host(Authority), path => Path, query => Query};
 82 |         {match, [_, _1, _2, _3, Authority, Path | _]} ->
 83 |             #{host => authority_to_host(Authority), path => Path, query => <<"">>};
 84 |         _ ->
 85 |             #{host => <<"">>, path => <<"">>, query => <<"">>}
 86 |     end.
 87 | 
 88 |   authority_to_host(Authority) ->
 89 |     Authority1 = remove_trailing(Authority, <<":80">>),
 90 |     remove_trailing(Authority1, <<":443">>).
 91 | 
 92 |   remove_trailing(Binary, Sufix) ->
 93 |     SufixSize = byte_size(Sufix),
 94 |     PrefixSize = byte_size(Binary) - SufixSize,
 95 |     case Binary of
 96 |       <<Prefix:PrefixSize/binary, Sufix/binary>> -> Prefix;
 97 |       _Else -> Binary
 98 |     end.
 99 | -endif.
100 | 
101 | -spec rebuilds_url_with_query_params(binary(), [{binary(), binary()}]) -> binary().
102 | rebuilds_url_with_query_params(OriginalURL, QueryParams) ->
103 |     %% Similar parse_url/1, but just split the URL in all until query params, and ignore the rest.
104 |     URL =
105 |         case binary:split(OriginalURL, <<"?">>) of
106 |             [UrlUntilQuery, _ExistingQuery] -> UrlUntilQuery;
107 |             [UrlUntilQuery] -> UrlUntilQuery
108 |         end,
109 |     Pairs = [binary_join([Key, Value], <<"=">>) || {Key, Value} <- QueryParams],
110 |     NewQuery = binary_join(Pairs, <<"&">>),
111 |     binary_join([URL, NewQuery], <<"?">>).
112 | 
113 | 
114 | %% @doc URI-encodes the given path.
115 | %%
116 | %% Escapes all characters except for "/" and the unreserved
117 | %% characters listed in https://tools.ietf.org/html/rfc3986#section-2.3
118 | %%
119 | %% See the UriEncode function in the docs: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
120 | -spec uri_encode_path(binary()) -> binary().
121 | uri_encode_path(Path) when is_binary(Path) ->
122 |     << (uri_encode_path_byte(Byte)) || <<Byte>> <= Path >>.
123 | 
124 | -spec uri_encode_path_byte(byte()) -> binary().
125 | uri_encode_path_byte($/) -> <<"/">>;
126 | uri_encode_path_byte(Byte)
127 |     when $0 =< Byte, Byte =< $9;
128 |         $a =< Byte, Byte =< $z;
129 |         $A =< Byte, Byte =< $Z;
130 |         Byte =:= $~;
131 |         Byte =:= $_;
132 |         Byte =:= $-;
133 |         Byte =:= $. ->
134 |     <<Byte>>;
135 | uri_encode_path_byte(Byte) ->
136 |     H = Byte band 16#F0 bsr 4,
137 |     L = Byte band 16#0F,
138 |     <<"%", (aws_signature_utils:hex(H, upper)), (aws_signature_utils:hex(L, upper))>>.
139 | 
140 | %% This can be simplified if we drop support for OTP < 21
141 | %% This can be removed if we drop support for OTP < 23
142 | -ifdef(OTP_RELEASE). % OTP >= 21
143 |     -if(?OTP_RELEASE >= 23).
144 |         -define(USE_CRYPTO_MAC_4, true).
145 |     -else.
146 |         -undef(USE_CRYPTO_MAC_4).
147 |     -endif.
148 | -else. % OTP < 21
149 |     -undef(USE_CRYPTO_MAC_4).
150 | -endif.
151 | 
152 | -spec crypto_hmac(atom(), binary(), binary()) -> binary().
153 | -ifdef(USE_CRYPTO_MAC_4).
154 |     crypto_hmac(Sha, Key, Data) -> crypto:mac(hmac, Sha, Key, Data).
155 | -else.
156 |     crypto_hmac(Sha, Key, Data) -> crypto:hmac(Sha, Key, Data).
157 | -endif.
158 | 
159 | %%====================================================================
160 | 
161 | -ifdef(TEST).
162 | -include_lib("eunit/include/eunit.hrl").
163 | 
164 | %% sha256_hexdigest/1 returns a SHA256 hexdigest for an empty value.
165 | sha256_hexdigest_with_empty_value_test() ->
166 |     ?assertEqual(
167 |         <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>,
168 |         sha256_hexdigest(<<"">>)).
169 | 
170 | %% sha256_hexdigest/1 returns a SHA256 hexdigest for a non-empty body.
171 | sha256_hexdigest_test() ->
172 |     ?assertEqual(
173 |         <<"315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3">>,
174 |         sha256_hexdigest(<<"Hello, world!">>)).
175 | 
176 | %% hmac_sha256/2 returns a SHA256 HMAC for a message.
177 | hmac_sha256_test() ->
178 |     ?assertEqual(
179 |         <<110, 158, 242, 155, 117, 255, 252,  91,
180 |           122, 186, 229,  39, 213, 143, 218, 219,
181 |           47, 228,  46, 114,  25,   1,  25, 118,
182 |           145, 115,  67,   6,  95,  88, 237,  74>>,
183 |         hmac_sha256(<<"key">>, <<"message">>)).
184 | 
185 | %% hmac_sha256_hexdigest/2 returns an HMAC SHA256 hexdigest for a message.
186 | hmac_sha256_hexdigest_test() ->
187 |     ?assertEqual(
188 |         <<"6e9ef29b75fffc5b7abae527d58fdadb2fe42e7219011976917343065f58ed4a">>,
189 |         hmac_sha256_hexdigest(<<"key">>, <<"message">>)).
190 | 
191 | %% binary_join/2 joins a list of binary values, separated by a separator
192 | %% character, into a single binary value
193 | binary_join_test() ->
194 |     ?assertEqual(
195 |         binary_join([<<"a">>, <<"b">>, <<"c">>], <<",">>),
196 |         <<"a,b,c">>).
197 | 
198 | %% binary_join/2 correctly joins binary values with a multi-character
199 | %% separator
200 | binary_join_with_multi_character_separator_test() ->
201 |     ?assertEqual(
202 |         binary_join([<<"a">>, <<"b">>, <<"c">>], <<", ">>),
203 |         <<"a, b, c">>).
204 | 
205 | %% binary_join/2 converts a list containing a single binary into the
206 | %% binary itself.
207 | binary_join_with_single_element_list_test() ->
208 |     ?assertEqual(binary_join([<<"a">>], <<",">>), <<"a">>).
209 | 
210 | %% binary_join/2 returns an empty binary value when an empty list is given
211 | binary_join_with_empty_list_test() ->
212 |     ?assertEqual(binary_join([], <<",">>), <<"">>).
213 | 
214 | %% parse_url/1 returns empty path and query if none is present
215 | parse_url_with_root_url_test() ->
216 |     ?assertEqual(
217 |         parse_url(<<"https://example.com">>),
218 |         #{path => <<"">>, query => <<"">>, host => <<"example.com">>}).
219 | 
220 | %% parse_url/1 parses just path
221 | parse_url_with_just_path_test() ->
222 |     ?assertEqual(
223 |         parse_url(<<"https://example.com/te%20st/path">>),
224 |         #{query => <<"">>, path => <<"/te%20st/path">>, host => <<"example.com">>}).
225 | 
226 | %% parse_url/1 parses just query
227 | parse_url_with_just_query_test() ->
228 |     ?assertEqual(
229 |         parse_url(<<"https://example.com?a=1&b&c=2">>),
230 |         #{host => <<"example.com">>, path => <<"">>, query => <<"a=1&b&c=2">>}).
231 | 
232 | %% parse_url/1 parses both path and query in a full URL
233 | parse_url_with_full_url_test() ->
234 |     ?assertEqual(
235 |         parse_url(<<"https://example.com/path/to/file/?a=1&b&c=2#fragment">>),
236 |         #{host => <<"example.com">>, path => <<"/path/to/file/">>, query => <<"a=1&b&c=2">>}).
237 | 
238 | %% parse_url/1 omits standard port number in the host
239 | parse_url_with_standard_port() ->
240 |     ?assertEqual(
241 |         parse_url(<<"https://example.com:443">>),
242 |         #{host => <<"example.com">>, path => <<"">>, query => <<"">>}).
243 | 
244 | %% parse_url/1 includes non-standard port number in the host
245 | parse_url_with_non_standard_port() ->
246 |     ?assertEqual(
247 |         parse_url(<<"https://example.com:3000">>),
248 |         #{host => <<"example.com:3000">>, path => <<"">>, query => <<"">>}).
249 | 
250 | %% uri_encode_path/1 keeps forward slash and unreserved characters unchanged
251 | uri_encode_path_with_forward_slash_test() ->
252 |     ?assertEqual(uri_encode_path(<<"/a1/~_-./">>), <<"/a1/~_-./">>).
253 | 
254 | %% uri_encode_path/1 escapes reserved characters
255 | uri_encode_path_with_reserved_characters_test() ->
256 |     ?assertEqual(uri_encode_path(<<"/a+b%c[d] e:f/">>), <<"/a%2Bb%25c%5Bd%5D%20e%3Af/">>).
257 | 
258 | %% rebuilds_url_with_query_params/2 correctly assambles a new URL
259 | rebuilds_url_with_query_params_test() ->
260 |   OriginalURL =
261 |       <<"https://example.com/path?existing_param=value&another_one=true#i-will-be-ignored">>,
262 | 
263 |   Actual =
264 |       rebuilds_url_with_query_params(OriginalURL,
265 |                                      [{<<"new_param">>, <<"new_value">>}]),
266 | 
267 |   Expected = <<"https://example.com/path?new_param=new_value">>,
268 |   ?assertEqual(Expected, Actual).
269 | 
270 | -endif.
271 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    Copyright 2021, Jonatan Kłosko <jonatanklosko@gmail.com>.
179 | 
180 |    Licensed under the Apache License, Version 2.0 (the "License");
181 |    you may not use this file except in compliance with the License.
182 |    You may obtain a copy of the License at
183 | 
184 |        http://www.apache.org/licenses/LICENSE-2.0
185 | 
186 |    Unless required by applicable law or agreed to in writing, software
187 |    distributed under the License is distributed on an "AS IS" BASIS,
188 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
189 |    See the License for the specific language governing permissions and
190 |    limitations under the License.
191 | 
192 | 


--------------------------------------------------------------------------------
/test/aws_sigv4a_tests.erl:
--------------------------------------------------------------------------------
  1 | %% Based on:
  2 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/sigv4a/sigv4a_test.go
  3 | -module(aws_sigv4a_tests).
  4 | 
  5 | -include_lib("eunit/include/eunit.hrl").
  6 | -include("aws_sigv4_internal.hrl").
  7 | 
  8 | creds_session() ->
  9 |   #credentials
 10 |     { access_key_id = <<"AKID">>
 11 |     , secret_access_key = <<"SECRET">>
 12 |     , session_token = <<"SESSION">>
 13 |     }.
 14 | 
 15 | creds_no_session() ->
 16 |   #credentials
 17 |     { access_key_id = <<"AKID">>
 18 |     , secret_access_key = <<"SECRET">>
 19 |     , session_token = <<"">>
 20 |     }.
 21 | 
 22 | verify_signature(PublicKey, Digest, Signature) ->
 23 |   crypto:verify(ecdsa, sha256, Digest, Signature, [PublicKey, secp256r1]).
 24 | 
 25 | derive_ecdsa_key_pair_from_secret_test() ->
 26 |   %% The Go test is unconditionally skipped, so this just checks that
 27 |   %% we can generate a private key and that it looks as expected.
 28 |   Credentials =
 29 |     #credentials
 30 |       { access_key_id = <<"AKISORANDOMAASORANDOM">>
 31 |       , secret_access_key = <<"q+jcrXGc+0zWN6uzclKVhvMmUsIfRPa4rlRandom">>
 32 |       , session_token = <<"TOKEN">>
 33 |       },
 34 |   {ok, PrivateKey} = aws_sigv4a_credentials:derive_private_key(Credentials),
 35 |   ?assertEqual(<<127,211,189,1,12,13,156,41,33,65,194,183,123,251,222,16,66,
 36 |                  201,46,104,54,255,247,73,209,38,158,200,144,252,161,189>>,
 37 |                PrivateKey).
 38 | 
 39 | -record(sign_request_test,
 40 |         { input :: #v4a_sign_request_input{}
 41 |         , opts :: #v4_signer_options{}
 42 |         , preamble :: binary()
 43 |         , signed_headers :: binary()
 44 |         , string_to_sign :: binary()
 45 |         , date :: binary()
 46 |         , token :: binary() | false
 47 |         , regions_header :: binary()
 48 |         }).
 49 | 
 50 | new_request(Body, Headers) ->
 51 |   #request
 52 |     { method = <<"POST">>
 53 |     , url = <<"https://service.region.amazonaws.com">>
 54 |     , headers = Headers
 55 |     , body = Body
 56 |     , host = <<"service.region.amazonaws.com">>
 57 |     }.
 58 | 
 59 | unix_zero_time() ->
 60 |   {{1970, 1, 1}, {0, 0, 0}}.
 61 | 
 62 | sign_request_minimal_case_nonseekable_test() ->
 63 |   test_sign_request(
 64 |     #sign_request_test
 65 |       { input =
 66 |           #v4a_sign_request_input
 67 |             { request = new_request(<<"{}">>, [])
 68 |             , payload_hash = <<>>
 69 |             , credentials = creds_session()
 70 |             , service = <<"dynamodb">>
 71 |             , regions = [<<"us-east-1">>, <<"us-west-1">>]
 72 |             , time = unix_zero_time()
 73 |             }
 74 |       , opts = #v4_signer_options{}
 75 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
 76 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set;x-amz-security-token">>
 77 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
 78 |                            "19700101T000000Z\n"
 79 |                            "19700101/dynamodb/aws4_request\n"
 80 |                            "968265b4e87c6b10c8ec6bcfd63e8002814cb3256d74c6c381f0c31268c80b53">>
 81 |       , date = <<"19700101T000000Z">>
 82 |       , token = <<"SESSION">>
 83 |       , regions_header = <<"us-east-1,us-west-1">>
 84 |       }).
 85 | 
 86 | sign_request_minimal_case_seekable_test() ->
 87 |   test_sign_request(
 88 |     #sign_request_test
 89 |       { input =
 90 |           #v4a_sign_request_input
 91 |             { request = new_request(<<"{}">>, [])
 92 |             , payload_hash = <<>>
 93 |             , credentials = creds_session()
 94 |             , service = <<"dynamodb">>
 95 |             , regions = [<<"us-east-1">>]
 96 |             , time = unix_zero_time()
 97 |             }
 98 |       , opts = #v4_signer_options{}
 99 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
100 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set;x-amz-security-token">>
101 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
102 |                            "19700101T000000Z\n"
103 |                            "19700101/dynamodb/aws4_request\n"
104 |                            "6fbe2f6247e506a47694e695d825477af6c604184f775050ce3b83e04674d9aa">>
105 |       , date = <<"19700101T000000Z">>
106 |       , token = <<"SESSION">>
107 |       , regions_header = <<"us-east-1">>
108 |       }).
109 | 
110 | sign_request_minimal_case_no_session_test() ->
111 |   test_sign_request(
112 |     #sign_request_test
113 |       { input =
114 |           #v4a_sign_request_input
115 |             { request = new_request(<<"{}">>, [])
116 |             , payload_hash = <<>>
117 |             , credentials = creds_no_session()
118 |             , service = <<"dynamodb">>
119 |             , regions = [<<"us-east-1">>]
120 |             , time = unix_zero_time()
121 |             }
122 |       , opts = #v4_signer_options{}
123 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
124 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set">>
125 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
126 |                            "19700101T000000Z\n"
127 |                            "19700101/dynamodb/aws4_request\n"
128 |                            "825ea1f5e80bdb91ac8802e832504d1ff1c3b05b7619ffc273a1565a7600ff5a">>
129 |       , date = <<"19700101T000000Z">>
130 |       , token = false
131 |       , regions_header = <<"us-east-1">>
132 |       }).
133 | 
134 | sign_request_explicit_unsigned_payload_test() ->
135 |   test_sign_request(
136 |     #sign_request_test
137 |       { input =
138 |           #v4a_sign_request_input
139 |             { request = new_request(<<"{}">>, [])
140 |             , payload_hash = ?UNSIGNED_PAYLOAD
141 |             , credentials = creds_session()
142 |             , service = <<"dynamodb">>
143 |             , regions = [<<"us-east-1">>]
144 |             , time = unix_zero_time()
145 |             }
146 |       , opts = #v4_signer_options{}
147 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
148 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set;x-amz-security-token">>
149 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
150 |                            "19700101T000000Z\n"
151 |                            "19700101/dynamodb/aws4_request\n"
152 |                            "69e5041f5ff858ee8f53a30e5f98cdb4c6bcbfe0f8e61b8aba537d2713bf41a4">>
153 |       , date = <<"19700101T000000Z">>
154 |       , token = <<"SESSION">>
155 |       , regions_header = <<"us-east-1">>
156 |       }).
157 | 
158 | sign_request_explicit_payload_hash_test() ->
159 |   test_sign_request(
160 |     #sign_request_test
161 |       { input =
162 |           #v4a_sign_request_input
163 |             { request = new_request(<<"{}">>, [])
164 |             , payload_hash = aws_sigv4_utils:sha256(<<"{}">>)
165 |             , credentials = creds_session()
166 |             , service = <<"dynamodb">>
167 |             , regions = [<<"us-east-1">>]
168 |             , time = unix_zero_time()
169 |             }
170 |       , opts = #v4_signer_options{}
171 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
172 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set;x-amz-security-token">>
173 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
174 |                            "19700101T000000Z\n"
175 |                            "19700101/dynamodb/aws4_request\n"
176 |                            "6fbe2f6247e506a47694e695d825477af6c604184f775050ce3b83e04674d9aa">>
177 |       , date = <<"19700101T000000Z">>
178 |       , token = <<"SESSION">>
179 |       , regions_header = <<"us-east-1">>
180 |       }).
181 | 
182 | sign_request_sign_all_headers_test() ->
183 |   test_sign_request(
184 |     #sign_request_test
185 |       { input =
186 |           #v4a_sign_request_input
187 |             { request = new_request(<<"{}">>,
188 |                                     [ {<<"Content-Type">>, <<"application/json">>}
189 |                                     , {<<"Foo">>, <<"bar">>}
190 |                                     , {<<"Bar">>, <<"baz">>}
191 |                                     ])
192 |             , payload_hash = aws_sigv4_utils:sha256(<<"{}">>)
193 |             , credentials = creds_session()
194 |             , service = <<"dynamodb">>
195 |             , regions = [<<"us-east-1">>]
196 |             , time = unix_zero_time()
197 |             }
198 |       , opts = #v4_signer_options{is_signed = fun(_) -> true end}
199 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
200 |       , signed_headers = <<"SignedHeaders=bar;content-type;foo;host;x-amz-date;x-amz-region-set;x-amz-security-token">>
201 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
202 |                            "19700101T000000Z\n"
203 |                            "19700101/dynamodb/aws4_request\n"
204 |                            "b28cca9faeaa86f4dbfcc3113b05b38f53cd41f41448a41e08e0171cea8ec363">>
205 |       , date = <<"19700101T000000Z">>
206 |       , token = <<"SESSION">>
207 |       , regions_header = <<"us-east-1">>
208 |       }).
209 | 
210 | sign_request_disable_implicit_payload_hash_test() ->
211 |   test_sign_request(
212 |     #sign_request_test
213 |       { input =
214 |           #v4a_sign_request_input
215 |             { request = new_request(<<"{}">>, [])
216 |             , payload_hash = <<"">>
217 |             , credentials = creds_session()
218 |             , service = <<"dynamodb">>
219 |             , regions = [<<"us-east-1">>]
220 |             , time = unix_zero_time()
221 |             }
222 |       , opts = #v4_signer_options{disable_implicit_payload_hashing = true}
223 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/dynamodb/aws4_request">>
224 |       , signed_headers = <<"SignedHeaders=host;x-amz-date;x-amz-region-set;x-amz-security-token">>
225 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
226 |                            "19700101T000000Z\n"
227 |                            "19700101/dynamodb/aws4_request\n"
228 |                            "69e5041f5ff858ee8f53a30e5f98cdb4c6bcbfe0f8e61b8aba537d2713bf41a4">>
229 |       , date = <<"19700101T000000Z">>
230 |       , token = <<"SESSION">>
231 |       , regions_header = <<"us-east-1">>
232 |       }).
233 | 
234 | sign_request_disable_s3_settings_test() ->
235 |   test_sign_request(
236 |     #sign_request_test
237 |       { input =
238 |           #v4a_sign_request_input
239 |             { request = new_request(<<"{}">>, [])
240 |             , payload_hash = <<"">>
241 |             , credentials = creds_session()
242 |             , service = <<"s3">>
243 |             , regions = [<<"us-east-1">>]
244 |             , time = unix_zero_time()
245 |             }
246 |       , opts =
247 |           #v4_signer_options
248 |             { disable_double_path_escape = true
249 |             , add_payload_hash_header = true
250 |             }
251 |       , preamble = <<"AWS4-ECDSA-P256-SHA256 Credential=AKID/19700101/s3/aws4_request">>
252 |       , signed_headers = <<"SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-region-set;x-amz-security-token">>
253 |       , string_to_sign = <<"AWS4-ECDSA-P256-SHA256\n"
254 |                            "19700101T000000Z\n"
255 |                            "19700101/s3/aws4_request\n"
256 |                            "3cf4ba7f150421e93dbc22112484147af6e355676d08a75799cfd32424458d7f">>
257 |       , date = <<"19700101T000000Z">>
258 |       , token = <<"SESSION">>
259 |       , regions_header = <<"us-east-1">>
260 |       }).
261 | 
262 | -spec test_sign_request(#sign_request_test{}) -> ok.
263 | test_sign_request(TT) ->
264 |   Input = TT#sign_request_test.input,
265 |   {ok, Headers} = aws_sigv4a:sign_request(TT#sign_request_test.opts, Input),
266 |   %% The Go test fails to check the token header.
267 |   ?assertEqual(TT#sign_request_test.token, get_header_opt(<<"X-Amz-Security-Token">>, Headers)),
268 |   expect_signature(Headers, TT),
269 |   ?assertEqual(Input#v4a_sign_request_input.request#request.host, get_header(<<"Host">>, Headers)).
270 | 
271 | -spec expect_signature(aws_sigv4_internal:headers(), #sign_request_test{}) -> ok.
272 | expect_signature(Headers, TT) ->
273 |   {Preamble, SignedHeaders, Signature} = get_signature(Headers),
274 |   ?assertEqual(TT#sign_request_test.preamble, Preamble),
275 |   ?assertEqual(TT#sign_request_test.signed_headers, SignedHeaders),
276 |   Credentials = TT#sign_request_test.input#v4a_sign_request_input.credentials,
277 |   {ok, PrivateKey} = aws_sigv4a_credentials:derive_private_key(Credentials),
278 |   PublicKey = public_key(PrivateKey),
279 |   verify_signature(PublicKey, TT#sign_request_test.string_to_sign, Signature).
280 | 
281 | public_key(PrivateKey) ->
282 |   {PublicKey, _PrivateKey} = crypto:generate_key(ecdh, secp256r1, PrivateKey),
283 |   PublicKey.
284 | 
285 | -spec get_signature(aws_sigv4_internal:headers()) -> {binary(), binary(), binary()}.
286 | get_signature(Headers) ->
287 |   Auth = get_header(<<"Authorization">>, Headers),
288 |   [Preamble, SignedHeaders, SigPart] = binary:split(Auth, <<", ">>, [global]),
289 |   [_Key, Hex] = binary:split(SigPart, <<"=">>, [global]),
290 |   Signature = binary:decode_hex(Hex),
291 |   {Preamble, SignedHeaders, Signature}.
292 | 
293 | -spec get_header(binary(), aws_sigv4_internal:headers()) -> binary().
294 | get_header(Key, Headers) ->
295 |   {_Key, Hdr} = lists:keyfind(Key, 1, Headers),
296 |   Hdr.
297 | 
298 | -spec get_header_opt(binary(), aws_sigv4_internal:headers()) -> binary() | false.
299 | get_header_opt(Key, Headers) ->
300 |   case lists:keyfind(Key, 1, Headers) of
301 |     false -> false;
302 |     {_Key, Hdr} -> Hdr
303 |   end.
304 | 
305 | %% TestSignRequest_SignStringError - n/a
306 | 


--------------------------------------------------------------------------------
/test/aws_sigv4_internal_tests.erl:
--------------------------------------------------------------------------------
  1 | %% Based on:
  2 | %% https://github.com/aws/smithy-go/blob/main/aws-http-auth/internal/v4/signer_test.go
  3 | -module(aws_sigv4_internal_tests).
  4 | 
  5 | -include_lib("eunit/include/eunit.hrl").
  6 | -include("aws_sigv4_internal.hrl").
  7 | 
  8 | build_canonical_request_signed_payload_test() ->
  9 |   Host = <<"service.region.amazonaws.com">>,
 10 |   Body = <<"{}">>,
 11 |   Request =
 12 |     #request
 13 |       { method = <<"POST">>
 14 |         %% Note: The Go test has a space between /path and 2, but uri_string:parse/1 rejects that.
 15 |       , url = << <<"https://">>/binary, Host/binary, <<"/path1/path%202?a=b">>/binary>>
 16 |       , headers =
 17 |           [ {<<"Host">>, Host}
 18 |           , {<<"X-Amz-Foo">>, <<"\t \tbar ">>}
 19 |           ]
 20 |       , body = Body
 21 |       , host = Host
 22 |       },
 23 |   Credentials =
 24 |     #credentials
 25 |       { access_key_id = <<"AKID">>
 26 |       , secret_access_key = <<"SK">>
 27 |       , session_token = <<"TOKEN">>
 28 |       },
 29 |   V4SignerOptions =
 30 |     #v4_signer_options
 31 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
 32 |       },
 33 |   Signer =
 34 |    #internal_signer
 35 |      { request = Request
 36 |      , payload_hash = aws_sigv4_utils:sha256(Body)
 37 |      , time = {{1970, 1, 1}, {0, 0, 0}}
 38 |      , credentials = Credentials
 39 |      , options = V4SignerOptions
 40 |      , algorithm = <<"ALG">>
 41 |      , credential_scope = <<"SCOPE">>
 42 |      , sign_string = fun(X) -> {error, X} end
 43 |      },
 44 |   ExpectedRequest =
 45 |     <<"POST\n"
 46 |       "/path1/path%25202\n"
 47 |       "a=b\n"
 48 |       "host:service.region.amazonaws.com\n"
 49 |       "x-amz-foo:bar\n"
 50 |       "\n"
 51 |       "host;x-amz-foo\n"
 52 |       "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a">>,
 53 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
 54 |   ?assertEqual(ExpectedRequest, ActualRequest).
 55 | 
 56 | build_canonical_request_no_path_test() ->
 57 |   Host = <<"service.region.amazonaws.com">>,
 58 |   Body = <<"{}">>,
 59 |   Request =
 60 |     #request
 61 |       { method = <<"POST">>
 62 |       , url = << <<"https://">>/binary, Host/binary, <<"?a=b">>/binary>>
 63 |       , headers =
 64 |           [ {<<"Host">>, Host}
 65 |           , {<<"X-Amz-Foo">>, <<"\t \tbar ">>}
 66 |           ]
 67 |       , body = Body
 68 |       , host = Host
 69 |       },
 70 |   Credentials =
 71 |     #credentials
 72 |       { access_key_id = <<"AKID">>
 73 |       , secret_access_key = <<"SK">>
 74 |       , session_token = <<"TOKEN">>
 75 |       },
 76 |   V4SignerOptions =
 77 |     #v4_signer_options
 78 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
 79 |       },
 80 |   Signer =
 81 |    #internal_signer
 82 |      { request = Request
 83 |      , payload_hash = aws_sigv4_utils:sha256(Body)
 84 |      , time = {{1970, 1, 1}, {0, 0, 0}}
 85 |      , credentials = Credentials
 86 |      , options = V4SignerOptions
 87 |      , algorithm = <<"ALG">>
 88 |      , credential_scope = <<"SCOPE">>
 89 |      , sign_string = fun(X) -> {error, X} end
 90 |      },
 91 |   ExpectedRequest =
 92 |     <<"POST\n"
 93 |       "/\n"
 94 |       "a=b\n"
 95 |       "host:service.region.amazonaws.com\n"
 96 |       "x-amz-foo:bar\n"
 97 |       "\n"
 98 |       "host;x-amz-foo\n"
 99 |       "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a">>,
100 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
101 |   ?assertEqual(ExpectedRequest, ActualRequest).
102 | 
103 | build_canonical_request_double_header_test() ->
104 |   Host = <<"service.region.amazonaws.com">>,
105 |   Body = <<"{}">>,
106 |   Request =
107 |     #request
108 |       { method = <<"POST">>
109 |       , url = << <<"https://">>/binary, Host/binary, <<"/">>/binary>>
110 |       , headers =
111 |           [ {<<"X-Amz-Foo">>, <<"\t \tbar ">>}
112 |           , {<<"Host">>, Host}
113 |           , {<<"dontsignit">>, <<"dontsignit">>} % should be skipped
114 |           , {<<"X-Amz-Foo">>, <<"\t \tbaz ">>}
115 |           ]
116 |       , body = Body
117 |       , host = Host
118 |       },
119 |   Credentials =
120 |     #credentials
121 |       { access_key_id = <<"AKID">>
122 |       , secret_access_key = <<"SK">>
123 |       , session_token = <<"TOKEN">>
124 |       },
125 |   V4SignerOptions =
126 |     #v4_signer_options
127 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
128 |       },
129 |   Signer =
130 |    #internal_signer
131 |      { request = Request
132 |      , payload_hash = aws_sigv4_utils:sha256(Body)
133 |      , time = {{1970, 1, 1}, {0, 0, 0}}
134 |      , credentials = Credentials
135 |      , options = V4SignerOptions
136 |      , algorithm = <<"ALG">>
137 |      , credential_scope = <<"SCOPE">>
138 |      , sign_string = fun(X) -> {error, X} end
139 |      },
140 |   ExpectedRequest =
141 |     <<"POST\n"
142 |       "/\n"
143 |       "\n"
144 |       "host:service.region.amazonaws.com\n"
145 |       "x-amz-foo:bar,baz\n"
146 |       "\n"
147 |       "host;x-amz-foo\n"
148 |       "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a">>,
149 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
150 |   ?assertEqual(ExpectedRequest, ActualRequest).
151 | 
152 | build_canonical_request_sort_query_test() ->
153 |   Host = <<"service.region.amazonaws.com">>,
154 |   Body = <<"{}">>,
155 |   Request =
156 |     #request
157 |       { method = <<"POST">>
158 |       , url = << <<"https://">>/binary, Host/binary, <<"/?a=b&%20b=c">>/binary>>
159 |       , headers =
160 |           [ {<<"Host">>, Host}
161 |           ]
162 |       , body = Body
163 |       , host = Host
164 |       },
165 |   Credentials =
166 |     #credentials
167 |       { access_key_id = <<"AKID">>
168 |       , secret_access_key = <<"SK">>
169 |       , session_token = <<"TOKEN">>
170 |       },
171 |   V4SignerOptions =
172 |     #v4_signer_options
173 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
174 |       },
175 |   Signer =
176 |    #internal_signer
177 |      { request = Request
178 |      , payload_hash = ?UNSIGNED_PAYLOAD
179 |      , time = {{1970, 1, 1}, {0, 0, 0}}
180 |      , credentials = Credentials
181 |      , options = V4SignerOptions
182 |      , algorithm = <<"ALG">>
183 |      , credential_scope = <<"SCOPE">>
184 |      , sign_string = fun(X) -> {error, X} end
185 |      },
186 |   ExpectedRequest =
187 |     <<"POST\n"
188 |       "/\n"
189 |       "%20b=c&a=b\n"
190 |       "host:service.region.amazonaws.com\n"
191 |       "\n"
192 |       "host\n"
193 |       "UNSIGNED-PAYLOAD">>,
194 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
195 |   ?assertEqual(ExpectedRequest, ActualRequest).
196 | 
197 | build_canonical_request_empty_query_test() ->
198 |   Host = <<"service.region.amazonaws.com">>,
199 |   Body = <<"{}">>,
200 |   Request =
201 |     #request
202 |       { method = <<"POST">>
203 |       , url = << <<"https://">>/binary, Host/binary, <<"/?foo">>/binary>>
204 |       , headers =
205 |           [ {<<"Host">>, Host}
206 |           ]
207 |       , body = Body
208 |       , host = Host
209 |       },
210 |   Credentials =
211 |     #credentials
212 |       { access_key_id = <<"AKID">>
213 |       , secret_access_key = <<"SK">>
214 |       , session_token = <<"TOKEN">>
215 |       },
216 |   V4SignerOptions =
217 |     #v4_signer_options
218 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
219 |       },
220 |   Signer =
221 |    #internal_signer
222 |      { request = Request
223 |      , payload_hash = ?UNSIGNED_PAYLOAD
224 |      , time = {{1970, 1, 1}, {0, 0, 0}}
225 |      , credentials = Credentials
226 |      , options = V4SignerOptions
227 |      , algorithm = <<"ALG">>
228 |      , credential_scope = <<"SCOPE">>
229 |      , sign_string = fun(X) -> {error, X} end
230 |      },
231 |   ExpectedRequest =
232 |     <<"POST\n"
233 |       "/\n"
234 |       "foo=\n"
235 |       "host:service.region.amazonaws.com\n"
236 |       "\n"
237 |       "host\n"
238 |       "UNSIGNED-PAYLOAD">>,
239 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
240 |   ?assertEqual(ExpectedRequest, ActualRequest).
241 | 
242 | build_canonical_request_unsigned_payload_test() ->
243 |   Host = <<"service.region.amazonaws.com">>,
244 |   Body = <<"{}">>,
245 |   Request =
246 |     #request
247 |       { method = <<"POST">>
248 |         %% Note: The Go test has a space between /path and 2, but uri_string:parse/1 rejects that.
249 |       , url = << <<"https://">>/binary, Host/binary, <<"/path1/path%202?a=b">>/binary>>
250 |       , headers =
251 |           [ {<<"Host">>, Host}
252 |           , {<<"X-Amz-Foo">>, <<"\t \tbar ">>}
253 |           ]
254 |       , body = Body
255 |       , host = Host
256 |       },
257 |   Credentials =
258 |     #credentials
259 |       { access_key_id = <<"AKID">>
260 |       , secret_access_key = <<"SK">>
261 |       , session_token = <<"TOKEN">>
262 |       },
263 |   V4SignerOptions =
264 |     #v4_signer_options
265 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
266 |       },
267 |   Signer =
268 |    #internal_signer
269 |      { request = Request
270 |      , payload_hash = ?UNSIGNED_PAYLOAD
271 |      , time = {{1970, 1, 1}, {0, 0, 0}}
272 |      , credentials = Credentials
273 |      , options = V4SignerOptions
274 |      , algorithm = <<"ALG">>
275 |      , credential_scope = <<"SCOPE">>
276 |      , sign_string = fun(X) -> {error, X} end
277 |      },
278 |   ExpectedRequest =
279 |     <<"POST\n"
280 |       "/path1/path%25202\n"
281 |       "a=b\n"
282 |       "host:service.region.amazonaws.com\n"
283 |       "x-amz-foo:bar\n"
284 |       "\n"
285 |       "host;x-amz-foo\n"
286 |       "UNSIGNED-PAYLOAD">>,
287 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
288 |   ?assertEqual(ExpectedRequest, ActualRequest).
289 | 
290 | build_canonical_request_disable_double_escape_test() ->
291 |   Host = <<"service.region.amazonaws.com">>,
292 |   Body = <<"{}">>,
293 |   Request =
294 |     #request
295 |       { method = <<"POST">>
296 |         %% Note: The Go test has a space between /path and 2, but uri_string:parse/1 rejects that.
297 |       , url = << <<"https://">>/binary, Host/binary, <<"/path1/path%202?a=b">>/binary>>
298 |       , headers =
299 |           [ {<<"Host">>, Host}
300 |           , {<<"X-Amz-Foo">>, <<"\t \tbar ">>}
301 |           ]
302 |       , body = Body
303 |       , host = Host
304 |       },
305 |   Credentials =
306 |     #credentials
307 |       { access_key_id = <<"AKID">>
308 |       , secret_access_key = <<"SK">>
309 |       , session_token = <<"TOKEN">>
310 |       },
311 |   V4SignerOptions =
312 |     #v4_signer_options
313 |       { is_signed = fun aws_sigv4_internal:default_is_signed/1
314 |       , disable_double_path_escape = true
315 |       },
316 |   Signer =
317 |    #internal_signer
318 |      { request = Request
319 |      , payload_hash = ?UNSIGNED_PAYLOAD
320 |      , time = {{1970, 1, 1}, {0, 0, 0}}
321 |      , credentials = Credentials
322 |      , options = V4SignerOptions
323 |      , algorithm = <<"ALG">>
324 |      , credential_scope = <<"SCOPE">>
325 |      , sign_string = fun(X) -> {error, X} end
326 |      },
327 |   ExpectedRequest =
328 |     <<"POST\n"
329 |       "/path1/path%202\n"
330 |       "a=b\n"
331 |       "host:service.region.amazonaws.com\n"
332 |       "x-amz-foo:bar\n"
333 |       "\n"
334 |       "host;x-amz-foo\n"
335 |       "UNSIGNED-PAYLOAD">>,
336 |   {ActualRequest, _SignedHeaders} = aws_sigv4_internal:build_canonical_request(Signer),
337 |   ?assertEqual(ExpectedRequest, ActualRequest).
338 | 
339 | resolve_payload_hash_already_set_test() ->
340 |   ExpectedHash = <<"already set">>,
341 |   Request =
342 |     #request
343 |       { method = <<"METHOD">>
344 |       , url = <<"URL">>
345 |       , headers = []
346 |       , body = <<"BODY">>
347 |       , host = <<"HOST">>
348 |       },
349 |   Credentials =
350 |     #credentials
351 |       { access_key_id = <<"AKID">>
352 |       , secret_access_key = <<"SK">>
353 |       , session_token = <<"TOKEN">>
354 |       },
355 |   V4SignerOptions =
356 |     #v4_signer_options
357 |       {
358 |       },
359 |   Signer0 =
360 |    #internal_signer
361 |      { request = Request
362 |      , payload_hash = ExpectedHash
363 |      , time = {{1970, 1, 1}, {0, 0, 0}}
364 |      , credentials = Credentials
365 |      , options = V4SignerOptions
366 |      , algorithm = <<"ALG">>
367 |      , credential_scope = <<"SCOPE">>
368 |      , sign_string = fun(X) -> {error, X} end
369 |      },
370 |   Signer = aws_sigv4_internal:resolve_payload_hash(Signer0),
371 |   ActualHash = Signer#internal_signer.payload_hash,
372 |   ?assertEqual(ExpectedHash, ActualHash).
373 | 
374 | resolve_payload_hash_disabled_test() ->
375 |   Request =
376 |     #request
377 |       { method = <<"METHOD">>
378 |       , url = <<"URL">>
379 |       , headers = []
380 |       , body = <<"BODY">>
381 |       , host = <<"HOST">>
382 |       },
383 |   Credentials =
384 |     #credentials
385 |       { access_key_id = <<"AKID">>
386 |       , secret_access_key = <<"SK">>
387 |       , session_token = <<"TOKEN">>
388 |       },
389 |   V4SignerOptions =
390 |     #v4_signer_options
391 |       { disable_implicit_payload_hashing = true
392 |       },
393 |   Signer0 =
394 |    #internal_signer
395 |      { request = Request
396 |      , payload_hash = <<>> % empty to trigger hash calculation
397 |      , time = {{1970, 1, 1}, {0, 0, 0}}
398 |      , credentials = Credentials
399 |      , options = V4SignerOptions
400 |      , algorithm = <<"ALG">>
401 |      , credential_scope = <<"SCOPE">>
402 |      , sign_string = fun(X) -> {error, X} end
403 |      },
404 |   Signer = aws_sigv4_internal:resolve_payload_hash(Signer0),
405 |   ActualHash = Signer#internal_signer.payload_hash,
406 |   ?assertEqual(?UNSIGNED_PAYLOAD, ActualHash).
407 | 
408 | %% TestResolvePayloadHash_SeekBlowsUp - not applicable
409 | 
410 | resolve_payload_hash_ok_test() ->
411 |   Body = <<"foo">>,
412 |   ExpectedHash = aws_sigv4_utils:sha256(Body),
413 |   Request =
414 |     #request
415 |       { method = <<"METHOD">>
416 |       , url = <<"URL">>
417 |       , headers = []
418 |       , body = Body
419 |       , host = <<"HOST">>
420 |       },
421 |   Credentials =
422 |     #credentials
423 |       { access_key_id = <<"AKID">>
424 |       , secret_access_key = <<"SK">>
425 |       , session_token = <<"TOKEN">>
426 |       },
427 |   V4SignerOptions =
428 |     #v4_signer_options
429 |       {
430 |       },
431 |   Signer0 =
432 |    #internal_signer
433 |      { request = Request
434 |      , payload_hash = <<>> % empty to trigger hash calculation
435 |      , time = {{1970, 1, 1}, {0, 0, 0}}
436 |      , credentials = Credentials
437 |      , options = V4SignerOptions
438 |      , algorithm = <<"ALG">>
439 |      , credential_scope = <<"SCOPE">>
440 |      , sign_string = fun(X) -> {error, X} end
441 |      },
442 |   Signer = aws_sigv4_internal:resolve_payload_hash(Signer0),
443 |   ActualHash = Signer#internal_signer.payload_hash,
444 |   ?assertEqual(ExpectedHash, ActualHash).
445 | 
446 | set_required_headers_all_test() ->
447 |   ExpectedHost = <<"foo.service.com">>,
448 |   Request =
449 |     #request
450 |       { method = <<"METHOD">>
451 |       , url = <<"URL">>
452 |       , headers = []
453 |       , body = <<"BODY">>
454 |       , host = ExpectedHost
455 |       },
456 |   ExpectedToken = <<"session_token">>,
457 |   Credentials =
458 |     #credentials
459 |       { access_key_id = <<"AKID">>
460 |       , secret_access_key = <<"SK">>
461 |       , session_token = ExpectedToken
462 |       },
463 |   V4SignerOptions =
464 |     #v4_signer_options
465 |       { add_payload_hash_header = true
466 |       },
467 |   Signer0 =
468 |    #internal_signer
469 |      { request = Request
470 |      , payload_hash = <<0, 1, 2, 3>>
471 |      , time = {{1970, 1, 1}, {0, 0, 0}}
472 |      , credentials = Credentials
473 |      , options = V4SignerOptions
474 |      , algorithm = <<"ALG">>
475 |      , credential_scope = <<"SCOPE">>
476 |      , sign_string = fun(X) -> {error, X} end
477 |      },
478 |   Signer = aws_sigv4_internal:set_required_headers(Signer0),
479 |   ActualHost = get_header(<<"Host">>, Signer),
480 |   ?assertEqual(ExpectedHost, ActualHost),
481 |   ActualDate = get_header(<<"X-Amz-Date">>, Signer),
482 |   ?assertEqual(<<"19700101T000000Z">>, ActualDate),
483 |   ActualToken = get_header(<<"X-Amz-Security-Token">>, Signer),
484 |   ?assertEqual(ExpectedToken, ActualToken),
485 |   ActualSha = get_header(<<"X-Amz-Content-Sha256">>, Signer),
486 |   ?assertEqual(<<"00010203">>, ActualSha).
487 | 
488 | set_required_headers_unsigned_payload_test() ->
489 |   ExpectedHost = <<"foo.service.com">>,
490 |   Request =
491 |     #request
492 |       { method = <<"METHOD">>
493 |       , url = <<"URL">>
494 |       , headers = []
495 |       , body = <<"BODY">>
496 |       , host = ExpectedHost
497 |       },
498 |   ExpectedToken = <<"session_token">>,
499 |   Credentials =
500 |     #credentials
501 |       { access_key_id = <<"AKID">>
502 |       , secret_access_key = <<"SK">>
503 |       , session_token = ExpectedToken
504 |       },
505 |   V4SignerOptions =
506 |     #v4_signer_options
507 |       { add_payload_hash_header = true
508 |       },
509 |   Signer0 =
510 |    #internal_signer
511 |      { request = Request
512 |      , payload_hash = <<"UNSIGNED-PAYLOAD">>
513 |      , time = {{1970, 1, 1}, {0, 0, 0}}
514 |      , credentials = Credentials
515 |      , options = V4SignerOptions
516 |      , algorithm = <<"ALG">>
517 |      , credential_scope = <<"SCOPE">>
518 |      , sign_string = fun(X) -> {error, X} end
519 |      },
520 |   Signer = aws_sigv4_internal:set_required_headers(Signer0),
521 |   ActualHost = get_header(<<"Host">>, Signer),
522 |   ?assertEqual(ExpectedHost, ActualHost),
523 |   ActualDate = get_header(<<"X-Amz-Date">>, Signer),
524 |   ?assertEqual(ActualDate, <<"19700101T000000Z">>),
525 |   ActualToken = get_header(<<"X-Amz-Security-Token">>, Signer),
526 |   ?assertEqual(ExpectedToken, ActualToken),
527 |   ActualSha = get_header(<<"X-Amz-Content-Sha256">>, Signer),
528 |   ?assertEqual(<<"UNSIGNED-PAYLOAD">>, ActualSha).
529 | 
530 | get_header(Key, Signer) ->
531 |   {_Key, Hdr} = lists:keyfind(Key, 1, Signer#internal_signer.request#request.headers),
532 |   Hdr.
533 | 


--------------------------------------------------------------------------------
/src/aws_signature.erl:
--------------------------------------------------------------------------------
   1 | %% @doc This module contains functions for signing requests to AWS services.
   2 | -module(aws_signature).
   3 | 
   4 | -export([sign_v4/9, sign_v4/10, sign_v4_event/7, sign_v4_query_params/7, sign_v4_query_params/8]).
   5 | -export([sign_v4a/10]).
   6 | 
   7 | -type header() :: {binary(), binary()}.
   8 | -type headers() :: [header()].
   9 | -type query_param() :: {binary(), binary()}.
  10 | -type query_params() :: [query_param()].
  11 | 
  12 | %% @doc Implements the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html">Asymmetric Signature Version 4 (SigV4a)</a> algorithm.
  13 | %%
  14 | %% This function takes AWS client credentials and request details,
  15 | %% based on which it computes the signature and returns headers
  16 | %% extended with the authorization entries.
  17 | %%
  18 | %% `URL' must be valid, with all components properly escaped.
  19 | %% For example, "https://example.com/path%20to" is valid, whereas
  20 | %% "https://example.com/path to" is not.
  21 | %%
  22 | %% It is essential that the provided request details are final
  23 | %% and the returned headers are used to make the request. All
  24 | %% custom headers need to be assembled before the signature is
  25 | %% calculated.
  26 | %%
  27 | %% The following options are supported:
  28 | %%
  29 | %% <dl>
  30 | %% <dt>`add_payload_hash_header'</dt>
  31 | %% <dd>
  32 | %% When `true' adds the `X-Amz-Content-Sha256' header to signed requests.
  33 | %% Amazon S3 is an example of a service that requires this setting.
  34 | %% Defaults to `false'.
  35 | %% </dd>
  36 | %% <dt>`disable_implicit_payload_hashing'</dt>
  37 | %% <dd>
  38 | %% When `true' use the "UNSIGNED-PAYLOAD" sentinel instead of computing
  39 | %% SHA256 digest of the payload. Defaults to `false'.
  40 | %% </dd>
  41 | %% </dl>
  42 | -spec sign_v4a(binary(), binary(), binary(), [binary()], binary(),
  43 |                binary(), binary(), headers(), binary(), map())
  44 |            -> {ok, headers()} | {error, any()}.
  45 | sign_v4a(AccessKeyID, SecretAccessKey, SessionToken, Regions,
  46 |          Service, Method, URL, Headers, Body, Options) ->
  47 |   aws_sigv4a:sign_request(AccessKeyID, SecretAccessKey, SessionToken, Regions,
  48 |                           Service, Method, URL, Headers, Body, Options).
  49 | 
  50 | %% @doc Same as {@link sign_v4/10} with no options.
  51 | sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body) ->
  52 |     sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, []).
  53 | 
  54 | %% @doc Implements the <a href="https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html">Signature Version 4 (SigV4)</a> algorithm.
  55 | %%
  56 | %% This function takes AWS client credentials and request details,
  57 | %% based on which it computes the signature and returns headers
  58 | %% extended with the authorization entries.
  59 | %%
  60 | %% `DateTime' is a datetime tuple used as the request date.
  61 | %% You most likely want to set it to the value of `calendar:universal_time()'
  62 | %% when making the request.
  63 | %%
  64 | %% `URL' must be valid, with all components properly escaped.
  65 | %% For example, "https://example.com/path%20to" is valid, whereas
  66 | %% "https://example.com/path to" is not.
  67 | %%
  68 | %% It is essential that the provided request details are final
  69 | %% and the returned headers are used to make the request. All
  70 | %% custom headers need to be assembled before the signature is
  71 | %% calculated.
  72 | %%
  73 | %% The signature is computed by normalizing request details into
  74 | %% a well defined format and combining it with the credentials
  75 | %% using a number of cryptographic functions. Upon receiving
  76 | %% a request, the server calculates the signature using the same
  77 | %% algorithm and compares it with the value received in headers.
  78 | %% For more details check out the <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html">AWS documentation</a>.
  79 | %%
  80 | %% The following options are supported:
  81 | %%
  82 | %% <dl>
  83 | %% <dt>`uri_encode_path'</dt>
  84 | %% <dd>
  85 | %% When `true', the request URI path is URI-encoded during request
  86 | %% canonicalization, <strong>which is required for every service except S3</strong>.
  87 | %% Note that the given URL should already be properly encoded, so
  88 | %% this results in each segment being URI-encoded twice, as expected
  89 | %% by AWS. Defaults to `true'.
  90 | %% </dd>
  91 | %% <dt>`body_digest'</dt>
  92 | %% <dd>
  93 | %% Optional SHA256 digest of the request body. This option can be used to provide
  94 | %% a fixed digest value, such as "UNSIGNED-PAYLOAD", when sending requests without
  95 | %% signing the body.
  96 | %% </dd>
  97 | %% </dl>
  98 | -spec sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, Options) -> FinalHeaders
  99 |     when AccessKeyID :: binary(),
 100 |          SecretAccessKey :: binary(),
 101 |          Region :: binary(),
 102 |          Service :: binary(),
 103 |          DateTime :: calendar:datetime(),
 104 |          Method :: binary(),
 105 |          URL :: binary(),
 106 |          Headers :: headers(),
 107 |          Body :: iodata(),
 108 |          Options :: [Option],
 109 |          Option ::
 110 |              {uri_encode_path, boolean()}
 111 |              | {body_digest, binary()},
 112 |          FinalHeaders :: headers().
 113 | sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, Options)
 114 |     when is_binary(AccessKeyID),
 115 |          is_binary(SecretAccessKey),
 116 |          is_binary(Region),
 117 |          is_binary(Service),
 118 |          is_tuple(DateTime),
 119 |          is_binary(Method),
 120 |          is_binary(URL),
 121 |          is_list(Headers),
 122 |          (is_binary(Body) orelse is_list(Body)),
 123 |          is_list(Options) ->
 124 |     URIEncodePath = proplists:get_value(uri_encode_path, Options, true),
 125 | 
 126 |     URLMap = aws_signature_utils:parse_url(URL),
 127 |     LongDate = format_datetime_long(DateTime),
 128 |     ShortDate = format_datetime_short(DateTime),
 129 |     FinalHeaders0 = add_date_header(Headers, LongDate),
 130 | 
 131 |     BodyDigest =
 132 |         case proplists:get_value(body_digest, Options, undefined) of
 133 |             undefined ->
 134 |                 aws_signature_utils:sha256_hexdigest(Body);
 135 |             Digest ->
 136 |                 Digest
 137 |         end,
 138 | 
 139 |     FinalHeaders = add_content_hash_header(FinalHeaders0, BodyDigest),
 140 |     CanonicalRequest = canonical_request(Method, URLMap, FinalHeaders, BodyDigest, URIEncodePath),
 141 |     HashedCanonicalRequest = aws_signature_utils:sha256_hexdigest(CanonicalRequest),
 142 |     CredentialScope = credential_scope(ShortDate, Region, Service),
 143 |     SigningKey = signing_key(SecretAccessKey, ShortDate, Region, Service),
 144 |     StringToSign = string_to_sign(LongDate, CredentialScope, HashedCanonicalRequest),
 145 |     Signature = aws_signature_utils:hmac_sha256_hexdigest(SigningKey, StringToSign),
 146 |     SignedHeaders = signed_headers(FinalHeaders),
 147 |     Authorization = authorization(AccessKeyID, CredentialScope, SignedHeaders, Signature),
 148 | 
 149 |     add_authorization_header(FinalHeaders, Authorization).
 150 | 
 151 | %% @doc Signs an AWS Event Stream message and returns the headers and
 152 | %% signature used for next event signing.
 153 | %%
 154 | %% Headers of a sigv4 signed event message only contains 2 headers
 155 | %% <dl>
 156 | %% <dt>`:chunk-signature'</dt>
 157 | %% <dd>
 158 | %% computed signature of the event, binary string, `bytes' type
 159 | %% </dd>
 160 | %% <dt>`:date'</dt>
 161 | %% <dd>
 162 | %% millisecond since epoch, `timestamp' type
 163 | %% </dd>
 164 | %% </dl>
 165 | %%
 166 | %% `PriorSignature' for the first message is the base16 encoded signv4
 167 | %% of the request used to open a connection with the target service.
 168 | %%
 169 | %% `HeadersString' are the headers of the inner packet, encoded using the
 170 | %% EventStream format.
 171 | -spec sign_v4_event(SecretAccessKey, Region, Service, DateTime, PriorSignature, HeaderString, Body) -> {Headers, Signature}
 172 |     when SecretAccessKey :: binary(),
 173 |          Region :: binary(),
 174 |          Service :: binary(),
 175 |          DateTime :: calendar:datetime(),
 176 |          PriorSignature :: binary(),
 177 |          HeaderString :: binary(),
 178 |          Body :: binary(),
 179 |          Headers :: [{binary(), binary(), atom()}],
 180 |          Signature :: binary().
 181 | sign_v4_event(SecretAccessKey, Region, Service, DateTime, PriorSignature, HeaderString, Body)
 182 |     when is_binary(SecretAccessKey),
 183 |          is_binary(Region),
 184 |          is_binary(Service),
 185 |          is_tuple(DateTime),
 186 |          is_binary(PriorSignature),
 187 |          is_binary(HeaderString),
 188 |          is_binary(Body) ->
 189 |     LongDate = format_datetime_long(DateTime),
 190 |     ShortDate = format_datetime_short(DateTime),
 191 |     Keypath = credential_scope(ShortDate, Region, Service),
 192 |     HeaderDigest = aws_signature_utils:sha256_hexdigest(HeaderString),
 193 |     BodyDigest = aws_signature_utils:sha256_hexdigest(Body),
 194 |     SigningKey = signing_key(SecretAccessKey, ShortDate, Region, Service),
 195 |     StringToSign =
 196 |         string_to_sign_for_event(LongDate, Keypath, PriorSignature, HeaderDigest, BodyDigest),
 197 | 
 198 |     Signature = aws_signature_utils:hmac_sha256(SigningKey, StringToSign),
 199 |     EventHeaders = [
 200 |         {<<":date">>, DateTime, timestamp},
 201 |         {<<":chunk-signature">>, Signature, byte_array}
 202 |     ],
 203 |     {EventHeaders, aws_signature_utils:base16(Signature)}.
 204 | 
 205 | %% @doc Same as {@link sign_v4_query_params/7} with no options.
 206 | sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL) ->
 207 |     sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, []).
 208 | 
 209 | %% @doc Implements the <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html">Signature Version 4 (SigV4)</a> algorithm for query parameters.
 210 | %%
 211 | %% This function takes AWS client credentials and request details,
 212 | %% based on which it computes the signature and returns the URL
 213 | %% extended with the signature entries. Note that anchors are ignored
 214 | %% in the resulting URL.
 215 | %%
 216 | %% `DateTime' is a datetime tuple used as the request date.
 217 | %% You most likely want to set it to the value of `calendar:universal_time()'
 218 | %% when making the request.
 219 | %%
 220 | %% `URL' must be valid, with all components properly escaped.
 221 | %% For example, "https://example.com/path%20to" is valid, whereas
 222 | %% "https://example.com/path to" is not.
 223 | %%
 224 | %% It is essential that the provided request details are final
 225 | %% and the returned query params are used to make the request with
 226 | %% the provided URL.
 227 | %%
 228 | %% The signature is computed by normalizing request details into
 229 | %% a well defined format and combining it with the credentials
 230 | %% using a number of cryptographic functions. Upon receiving
 231 | %% a request, the server calculates the signature using the same
 232 | %% algorithm and compares it with the value received in headers.
 233 | %% For more details check out the <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html">AWS documentation</a>.
 234 | %%
 235 | %% The following options are supported:
 236 | %%
 237 | %% <dl>
 238 | %% <dt>`ttl'</dt>
 239 | %% <dd>
 240 | %% Time-to-live value that tells how long this URL is valid in seconds.
 241 | %% Defaults to `86400', which means one day.
 242 | %% </dd>
 243 | %% <dt>`uri_encode_path'</dt>
 244 | %% <dd>
 245 | %% When `true', the request URI path is URI-encoded during request
 246 | %% canonicalization, <strong>which is required for every service except S3</strong>.
 247 | %% Note that the given URL should already be properly encoded, so
 248 | %% this results in each segment being URI-encoded twice, as expected
 249 | %% by AWS. Defaults to `true'.
 250 | %% </dd>
 251 | %% <dt>`session_token'</dt>
 252 | %% <dd>
 253 | %% Optional credential parameter if using credentials sourced from the STS service.
 254 | %% </dd>
 255 | %% <dt>`body'</dt>
 256 | %% <dd>
 257 | %% Request body to compute SHA256 digest for. Defaults to an empty binary. Note that
 258 | %% `body_digest' always takes precedence when set.
 259 | %% </dd>
 260 | %% <dt>`body_digest'</dt>
 261 | %% <dd>
 262 | %% Optional SHA256 digest of the request body. This option can be used to provide
 263 | %% a fixed digest value, such as "UNSIGNED-PAYLOAD", when sending requests without
 264 | %% signing the body, <strong>which is expected for S3</strong>.
 265 | %% </dd>
 266 | %% <dt>`tags'</dt>
 267 | %% <dd>
 268 | %% Optional tagging of the object when generating a pre-signed URL.
 269 | %% The value of `tags' is a binary() in the format, for example:
 270 | %% `<<"key1=value1&key2=value2">>'. The actual request to put or get the object
 271 | %% must use the exact `tags' value to ensure the signature is calculated
 272 | %% correctly.
 273 | %% </dd>
 274 | %% </dl>
 275 | -spec sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Options) -> FinalURL
 276 |     when AccessKeyID :: binary(),
 277 |          SecretAccessKey :: binary(),
 278 |          Region :: binary(),
 279 |          Service :: binary(),
 280 |          DateTime :: calendar:datetime(),
 281 |          Method :: binary(),
 282 |          URL :: binary(),
 283 |          Options :: [Option],
 284 |          Option ::
 285 |              {uri_encode_path, boolean()}
 286 |              | {session_token, binary()}
 287 |              | {ttl, non_neg_integer()}
 288 |              | {body, binary()}
 289 |              | {body_digest, binary()}
 290 |              | {tags, binary()},
 291 |          FinalURL :: binary().
 292 | sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Options)
 293 |     when is_binary(AccessKeyID),
 294 |          is_binary(SecretAccessKey),
 295 |          is_binary(Region),
 296 |          is_binary(Service),
 297 |          is_tuple(DateTime),
 298 |          is_binary(Method),
 299 |          is_binary(URL),
 300 |          is_list(Options) ->
 301 |     URIEncodePath = proplists:get_value(uri_encode_path, Options, true),
 302 |     TimeToLive = proplists:get_value(ttl, Options, 86400),
 303 |     SessionToken = proplists:get_value(session_token, Options, undefined),
 304 |     Tags = proplists:get_value(tags, Options, undefined),
 305 |     BodyDigest =
 306 |         case proplists:get_value(body_digest, Options, undefined) of
 307 |             undefined ->
 308 |                 Body = proplists:get_value(body, Options, <<"">>),
 309 |                 aws_signature_utils:sha256_hexdigest(Body);
 310 |             Digest ->
 311 |                 Digest
 312 |         end,
 313 |     BaseParams =
 314 |         [{<<"X-Amz-Algorithm">>, <<"AWS4-HMAC-SHA256">>},
 315 |          {<<"X-Amz-SignedHeaders">>,
 316 |           if Tags == undefined ->
 317 |                   <<"host">>;
 318 |              Tags =/= undefined ->
 319 |                   <<"host%3Bx-amz-tagging">>
 320 |           end}
 321 |         ],
 322 | 
 323 |     URLMap = aws_signature_utils:parse_url(URL),
 324 |     LongDate = format_datetime_long(DateTime),
 325 |     ShortDate = format_datetime_short(DateTime),
 326 |     CredentialScope = credential_scope(ShortDate, Region, Service),
 327 |     FinalQueryParams0 = add_ttl_query_param(BaseParams, TimeToLive),
 328 |     FinalQueryParams1 =
 329 |         add_credential_query_param(FinalQueryParams0, CredentialScope, AccessKeyID),
 330 |     FinalQueryParams2 = maybe_add_session_token_query_param(FinalQueryParams1, SessionToken),
 331 | 
 332 |     FinalQueryParams = add_date_header(FinalQueryParams2, LongDate),
 333 |     HostHeader = host_header_from_url(URLMap),
 334 |     Headers =
 335 |         if Tags == undefined ->
 336 |                 [HostHeader];
 337 |            Tags =/= undefined ->
 338 |                 [HostHeader, {<<"X-Amz-Tagging">>, Tags}]
 339 |         end,
 340 | 
 341 |     CanonicalRequest =
 342 |         canonical_request(Method, URLMap, Headers, BodyDigest, URIEncodePath, FinalQueryParams),
 343 | 
 344 |     HashedCanonicalRequest = aws_signature_utils:sha256_hexdigest(CanonicalRequest),
 345 |     SigningKey = signing_key(SecretAccessKey, ShortDate, Region, Service),
 346 |     StringToSign = string_to_sign(LongDate, CredentialScope, HashedCanonicalRequest),
 347 |     Signature = aws_signature_utils:hmac_sha256_hexdigest(SigningKey, StringToSign),
 348 | 
 349 |     build_final_url_with_signature(URL, URLMap, FinalQueryParams, Signature).
 350 | 
 351 | %% Formats the given datetime into YYMMDDTHHMMSSZ binary string.
 352 | -spec format_datetime_long(calendar:datetime()) -> binary().
 353 | format_datetime_long({{Y, Mo, D}, {H, Mn, S}}) ->
 354 |     Date = format_date(Y, Mo, D),
 355 |     Timestamp = format_timestamp(Date, H, Mn, S),
 356 |     Timestamp.
 357 | 
 358 | format_date(Y, M0, D0) ->
 359 |     M = maybe_add_padding(M0),
 360 |     D = maybe_add_padding(D0),
 361 |     <<(integer_to_binary(Y))/binary, M/binary, D/binary>>.
 362 | 
 363 | format_timestamp(Date, H0, Min0, S0) ->
 364 |     H = maybe_add_padding(H0),
 365 |     Min = maybe_add_padding(Min0),
 366 |     S = maybe_add_padding(S0),
 367 |     <<Date/binary, "T", H/binary, Min/binary, S/binary, "Z">>.
 368 | 
 369 | maybe_add_padding(X) when X < 10 ->
 370 |     <<"0", (integer_to_binary(X))/binary>>;
 371 | maybe_add_padding(X) ->
 372 |     integer_to_binary(X).
 373 | 
 374 | %% Formats the given datetime into YYMMDD binary string.
 375 | -spec format_datetime_short(calendar:datetime()) -> binary().
 376 | format_datetime_short({{Y, Mo, D}, _}) ->
 377 |     format_date(Y, Mo, D).
 378 | 
 379 | -spec add_authorization_header(headers(), binary()) -> headers().
 380 | add_authorization_header(Headers, Authorization) ->
 381 |     [{<<"Authorization">>, Authorization} | Headers].
 382 | 
 383 | add_date_header(Headers, LongDate) ->
 384 |     [{<<"X-Amz-Date">>, LongDate} | Headers].
 385 | 
 386 | add_ttl_query_param(QueryParams, TimeToLive) ->
 387 |     [{<<"X-Amz-Expires">>, integer_to_binary(TimeToLive)} | QueryParams].
 388 | 
 389 | add_credential_query_param(QueryParams, Scope, AccessKey) ->
 390 |     EncodedScope = binary:split(Scope, <<"/">>, [global]),
 391 |     [{<<"X-Amz-Credential">>,
 392 |       aws_signature_utils:binary_join([AccessKey | EncodedScope], <<"%2F">>)}
 393 |      | QueryParams].
 394 | 
 395 | host_header_from_url(URLMap) ->
 396 |     #{host := Host} = URLMap,
 397 |     {<<"Host">>, Host}.
 398 | 
 399 | maybe_add_session_token_query_param(QueryParams, undefined) ->
 400 |     QueryParams;
 401 | maybe_add_session_token_query_param(QueryParams, SessionToken) ->
 402 |     [{<<"X-Amz-Security-Token">>, SessionToken} | QueryParams].
 403 | 
 404 | sort_query_params_with_signature(QueryParams, Signature) ->
 405 |     FinalQueryParams = [{<<"X-Amz-Signature">>, Signature} | QueryParams],
 406 | 
 407 |     lists:sort(fun({K1, _}, {K2, _}) -> K1 =< K2 end, FinalQueryParams).
 408 | 
 409 | -spec build_final_url_with_signature(binary(), map(), query_params(), binary()) -> binary().
 410 | build_final_url_with_signature(OriginalURL, URLMap, QueryParams, Signature) ->
 411 |     #{query := Query} = URLMap,
 412 | 
 413 |     FinalQueryParams0 = query_entries(Query) ++ QueryParams,
 414 |     FinalQueryParams = sort_query_params_with_signature(FinalQueryParams0, Signature),
 415 | 
 416 |     aws_signature_utils:rebuilds_url_with_query_params(OriginalURL, FinalQueryParams).
 417 | 
 418 | %% Adds a X-Amz-Content-SHA256 header which is the hash of the payload.
 419 | %%
 420 | %% This header is required for S3 when using the v4 signature. Adding it
 421 | %% in requests for all services does not cause any issues.
 422 | -spec add_content_hash_header(headers(), binary()) -> headers().
 423 | add_content_hash_header(Headers, BodyDigest) ->
 424 |     [{<<"X-Amz-Content-SHA256">>, BodyDigest} | Headers].
 425 | 
 426 | %% Generates an AWS4-HMAC-SHA256 authorization signature.
 427 | -spec authorization(binary(), binary(), binary(), binary()) -> binary().
 428 | authorization(AccessKeyID, CredentialScope, SignedHeaders, Signature) ->
 429 |     << "AWS4-HMAC-SHA256 ",
 430 |        "Credential=", AccessKeyID/binary,
 431 |        "/", CredentialScope/binary,
 432 |        ",SignedHeaders=", SignedHeaders/binary,
 433 |        ",Signature=", Signature/binary >>.
 434 | 
 435 | %% Generates a signing key from a secret access key, a short date in YYMMDD
 436 | %% format, a region identifier and a service identifier.
 437 | -spec signing_key(binary(), binary(), binary(), binary()) -> binary().
 438 | signing_key(SecretAccessKey, ShortDate, Region, Service) ->
 439 |     SigningKey = << <<"AWS4">>/binary, SecretAccessKey/binary >>,
 440 |     SignedDate = aws_signature_utils:hmac_sha256(SigningKey, ShortDate),
 441 |     SignedRegion = aws_signature_utils:hmac_sha256(SignedDate, Region),
 442 |     SignedService = aws_signature_utils:hmac_sha256(SignedRegion, Service),
 443 |     aws_signature_utils:hmac_sha256(SignedService, <<"aws4_request">>).
 444 | 
 445 | %% Generates a credential scope from a short date in YYMMDD format,
 446 | %% a region identifier and a service identifier.
 447 | -spec credential_scope(binary(), binary(), binary()) -> binary().
 448 | credential_scope(ShortDate, Region, Service) ->
 449 |     aws_signature_utils:binary_join([ShortDate, Region, Service, <<"aws4_request">>],
 450 |                                     <<"/">>).
 451 | 
 452 | %% Generates the text to sign from a long date in YYMMDDTHHMMSSZ format,
 453 | %% a credential scope and a hashed canonical request.
 454 | -spec string_to_sign(binary(), binary(), binary()) -> binary().
 455 | string_to_sign(LongDate, CredentialScope, HashedCanonicalRequest) ->
 456 |     aws_signature_utils:binary_join([<<"AWS4-HMAC-SHA256">>,
 457 |                                      LongDate,
 458 |                                      CredentialScope,
 459 |                                      HashedCanonicalRequest],
 460 |                                     <<"\n">>).
 461 | 
 462 | -spec string_to_sign_for_event(binary(), binary(), binary(), binary(), binary()) -> binary().
 463 | string_to_sign_for_event(LongDate, Keypath, PriorSignature, HeaderDigest, PayloadDigest) ->
 464 |     aws_signature_utils:binary_join([<<"AWS4-HMAC-SHA256-PAYLOAD">>,
 465 |                                      LongDate,
 466 |                                      Keypath,
 467 |                                      PriorSignature,
 468 |                                      HeaderDigest,
 469 |                                      PayloadDigest],
 470 |                                     <<"\n">>).
 471 | 
 472 | %% Processes and merges request values into a canonical request.
 473 | -spec canonical_request(binary(), map(), headers(), binary(), boolean()) -> binary().
 474 | canonical_request(Method, URL, Headers, Body, URIEncodePath) ->
 475 |     canonical_request(Method, URL, Headers, Body, URIEncodePath, []).
 476 | 
 477 | -spec canonical_request(binary(),
 478 |                         map(),
 479 |                         headers(),
 480 |                         binary(),
 481 |                         boolean(),
 482 |                         query_params()) ->
 483 |                            binary().
 484 | canonical_request(Method, URLMap, Headers, BodyDigest, URIEncodePath, AdditionalQueryParams) ->
 485 |     CanonicalMethod = canonical_method(Method),
 486 |     #{path := Path, query := Query} = URLMap,
 487 |     CanonicalURL = canonical_path(Path, URIEncodePath),
 488 |     QueryEntries = query_entries(Query),
 489 |     CanonicalQueryString = canonical_query(QueryEntries ++ AdditionalQueryParams),
 490 |     CanonicalHeaders = canonical_headers(Headers),
 491 |     SignedHeaders = signed_headers(Headers),
 492 |     aws_signature_utils:binary_join([CanonicalMethod,
 493 |                                      CanonicalURL,
 494 |                                      CanonicalQueryString,
 495 |                                      CanonicalHeaders,
 496 |                                      SignedHeaders,
 497 |                                      BodyDigest],
 498 |                                     <<"\n">>).
 499 | 
 500 | %% Normalizes HTTP method name by uppercasing it.
 501 | -spec canonical_method(binary()) -> binary().
 502 | canonical_method(Method) ->
 503 |     list_to_binary(string:to_upper(binary_to_list(Method))).
 504 | 
 505 | -spec canonical_path(binary(), boolean()) -> binary().
 506 | canonical_path(<<"">>, _URIEncodePath) ->
 507 |     <<"/">>;
 508 | canonical_path(Path, true) ->
 509 |     aws_signature_utils:uri_encode_path(Path);
 510 | canonical_path(Path, false) ->
 511 |     Path.
 512 | 
 513 | %% Normalizes the given query string.
 514 | %%
 515 | %% Sorts query params by name first, then by value (if present).
 516 | %% Appends "=" to params with missing value.
 517 | %%
 518 | %% For example, "foo=bar&baz" becomes "baz=&foo=bar".
 519 | -spec canonical_query(query_params()) -> binary().
 520 | canonical_query([]) ->
 521 |     <<"">>;
 522 | canonical_query(QueryParams) when is_list(QueryParams) ->
 523 |     SortedParts = lists:sort(fun({K1, _}, {K2, _}) -> K1 =< K2 end, QueryParams),
 524 |     NormalizedParts = lists:map(fun query_entry_to_string/1, SortedParts),
 525 |     aws_signature_utils:binary_join(NormalizedParts, <<"&">>).
 526 | 
 527 | -spec query_entries(binary()) -> [{binary(), binary()}].
 528 | query_entries(<<"">>) -> [];
 529 | query_entries(Query) ->
 530 |     Parts = binary:split(Query, <<"&">>, [global]),
 531 |     SplittedParts = [binary:split(Part, <<"=">>) || Part <- Parts],
 532 | 
 533 |     lists:map(fun query_entry_to_tuple/1, SplittedParts).
 534 | 
 535 | query_entry_to_tuple([Key]) ->
 536 |     {Key, <<"">>};
 537 | query_entry_to_tuple([Key, Value]) ->
 538 |     {Key, Value}.
 539 | 
 540 | -spec query_entry_to_string({binary(), binary()}) -> binary().
 541 | query_entry_to_string({K, V}) ->
 542 |     <<K/binary, "=", V/binary>>.
 543 | 
 544 | %% Converts a list of headers to canonical header format.
 545 | %%
 546 | %% Leading and trailing whitespace around header names and values is
 547 | %% stripped, header names are lowercased, and headers are newline-joined
 548 | %% in alphabetical order (with a trailing newline).
 549 | -spec canonical_headers(headers()) -> binary().
 550 | canonical_headers(Headers) ->
 551 |     CanonicalHeaders = lists:map(fun canonical_header/1, Headers),
 552 |     SortedCanonicalHeaders =
 553 |         lists:sort(fun({N1, _}, {N2, _}) -> N1 =< N2 end, CanonicalHeaders),
 554 |     << <<N/binary, ":", V/binary, "\n">> || {N, V} <- SortedCanonicalHeaders >>.
 555 | 
 556 | -spec canonical_header(header()) -> header().
 557 | canonical_header({Name, Value}) ->
 558 |     N = list_to_binary(string:strip(
 559 |                            string:to_lower(binary_to_list(Name)))),
 560 |     V = list_to_binary(string:strip(binary_to_list(Value))),
 561 |     {N, V}.
 562 | 
 563 | %% Converts a list of headers to canonical signed header format.
 564 | %%
 565 | %% Leading and trailing whitespace around names is stripped, header names
 566 | %% are lowercased, and header names are semicolon-joined in alphabetical order.
 567 | -spec signed_headers(headers()) -> binary().
 568 | signed_headers(Headers) ->
 569 |     aws_signature_utils:binary_join(
 570 |         lists:sort(
 571 |             lists:map(fun signed_header/1, Headers)),
 572 |         <<";">>).
 573 | 
 574 | -spec signed_header(header()) -> binary().
 575 | signed_header({Name, _}) ->
 576 |     list_to_binary(string:strip(
 577 |                        string:to_lower(binary_to_list(Name)))).
 578 | 
 579 | %%====================================================================
 580 | 
 581 | -ifdef(TEST).
 582 | 
 583 | -include_lib("eunit/include/eunit.hrl").
 584 | 
 585 | %% sign_v4/9 computes AWS Signature Version 4 and returns an updated list of headers
 586 | sign_v4_test() ->
 587 |     AccessKeyID = <<"access-key-id">>,
 588 |     SecretAccessKey = <<"secret-access-key">>,
 589 |     Region = <<"us-east-1">>,
 590 |     Service = <<"ec2">>,
 591 |     DateTime = {{2015, 5, 14}, {16, 50, 5}},
 592 |     Method = <<"GET">>,
 593 |     URL = <<"https://ec2.us-east-1.amazonaws.com/?Action=DescribeInstances&Version=2014-10-01">>,
 594 |     Headers = [{<<"Host">>, <<"ec2.us-east-1.amazonaws.com">>}, {<<"Header">>, <<"Value">>}],
 595 |     Body = <<"">>,
 596 | 
 597 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body),
 598 | 
 599 |     Expected = [
 600 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=access-key-id/20150514/us-east-1/ec2/aws4_request,SignedHeaders=header;host;x-amz-content-sha256;x-amz-date,Signature=595529f9989556c9ce375ddec1b3e63f9d551fe063738b45909c28b25a34a6cb">>},
 601 |         {<<"X-Amz-Content-SHA256">>, <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>},
 602 |         {<<"X-Amz-Date">>, <<"20150514T165005Z">>},
 603 |         {<<"Host">>, <<"ec2.us-east-1.amazonaws.com">>},
 604 |         {<<"Header">>, <<"Value">>}],
 605 | 
 606 |     ?assertEqual(Actual, Expected).
 607 | 
 608 | %% sign_v4/9 https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#example-signature-GET-object
 609 | sign_v4_reference_example_1_test() ->
 610 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 611 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 612 |     Region = <<"us-east-1">>,
 613 |     Service = <<"s3">>,
 614 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 615 |     Method = <<"GET">>,
 616 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
 617 |     Headers = [{<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}, {<<"Range">>, <<"bytes=0-9">>}],
 618 |     Body = <<"">>,
 619 | 
 620 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{uri_encode_path, false}]),
 621 | 
 622 |     Expected = [
 623 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;range;x-amz-content-sha256;x-amz-date,Signature=f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41">>},
 624 |         {<<"X-Amz-Content-SHA256">>, <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>},
 625 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 626 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>},
 627 |         {<<"Range">>, <<"bytes=0-9">>}],
 628 | 
 629 |     ?assertEqual(Actual, Expected).
 630 | 
 631 | %% sign_v4/9 https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#example-signature-PUT-object
 632 | sign_v4_reference_example_2_test() ->
 633 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 634 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 635 |     Region = <<"us-east-1">>,
 636 |     Service = <<"s3">>,
 637 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 638 |     Method = <<"PUT">>,
 639 |     URL = <<"https://examplebucket.s3.amazonaws.com/test%24file.text">>,
 640 |     Headers = [
 641 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>},
 642 |         {<<"Date">>, <<"Fri, 24 May 2013 00:00:00 GMT">>},
 643 |         {<<"X-Amz-Storage-Class">>, <<"REDUCED_REDUNDANCY">>}],
 644 |     Body = <<"Welcome to Amazon S3.">>,
 645 | 
 646 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{uri_encode_path, false}]),
 647 | 
 648 |     Expected = [
 649 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class,Signature=98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd">>},
 650 |         {<<"X-Amz-Content-SHA256">>, <<"44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072">>},
 651 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 652 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>},
 653 |         {<<"Date">>, <<"Fri, 24 May 2013 00:00:00 GMT">>},
 654 |         {<<"X-Amz-Storage-Class">>, <<"REDUCED_REDUNDANCY">>}],
 655 | 
 656 |     ?assertEqual(Actual, Expected).
 657 | 
 658 | %% sign_v4/9 https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#example-signature-GET-bucket-lifecycle
 659 | sign_v4_reference_example_3_test() ->
 660 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 661 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 662 |     Region = <<"us-east-1">>,
 663 |     Service = <<"s3">>,
 664 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 665 |     Method = <<"GET">>,
 666 |     URL = <<"https://examplebucket.s3.amazonaws.com?lifecycle">>,
 667 |     Headers = [{<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 668 |     Body = <<"">>,
 669 | 
 670 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{uri_encode_path, false}]),
 671 | 
 672 |     Expected = [
 673 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=fea454ca298b7da1c68078a5d1bdbfbbe0d65c699e0f91ac7a200a0136783543">>},
 674 |         {<<"X-Amz-Content-SHA256">>, <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>},
 675 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 676 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 677 | 
 678 |     ?assertEqual(Actual, Expected).
 679 | 
 680 | %% sign_v4/9 https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#example-signature-list-bucket
 681 | sign_v4_reference_example_4_test() ->
 682 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 683 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 684 |     Region = <<"us-east-1">>,
 685 |     Service = <<"s3">>,
 686 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 687 |     Method = <<"GET">>,
 688 |     URL = <<"https://examplebucket.s3.amazonaws.com?max-keys=2&prefix=J">>,
 689 |     Headers = [{<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 690 |     Body = <<"">>,
 691 | 
 692 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{uri_encode_path, false}]),
 693 | 
 694 |     Expected = [
 695 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=34b48302e7b5fa45bde8084f4b7868a86f0a534bc59db6670ed5711ef69dc6f7">>},
 696 |         {<<"X-Amz-Content-SHA256">>, <<"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855">>},
 697 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 698 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 699 | 
 700 |     ?assertEqual(Actual, Expected).
 701 | 
 702 | sign_v4_iolist_body_test() ->
 703 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 704 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 705 |     Region = <<"us-east-1">>,
 706 |     Service = <<"s3">>,
 707 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 708 |     Method = <<"PUT">>,
 709 |     URL = <<"https://examplebucket.s3.amazonaws.com/test%24file.text">>,
 710 |     Headers = [
 711 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>},
 712 |         {<<"Date">>, <<"Fri, 24 May 2013 00:00:00 GMT">>},
 713 |         {<<"X-Amz-Storage-Class">>, <<"REDUCED_REDUNDANCY">>}],
 714 |     Body = [<<"Welcome ">>, <<"to ">>, <<"Amazon S3.">>],
 715 | 
 716 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{uri_encode_path, false}]),
 717 | 
 718 |     Expected = [
 719 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=date;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class,Signature=98ad721746da40c64f1a55b78f14c238d841ea1380cd77a1b5971af0ece108bd">>},
 720 |         {<<"X-Amz-Content-SHA256">>, <<"44ce7dd67c959e0d3524ffac1771dfbba87d2b6b4b4e99e42034a8b803f8b072">>},
 721 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 722 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>},
 723 |         {<<"Date">>, <<"Fri, 24 May 2013 00:00:00 GMT">>},
 724 |         {<<"X-Amz-Storage-Class">>, <<"REDUCED_REDUNDANCY">>}],
 725 | 
 726 |     ?assertEqual(Actual, Expected).
 727 | 
 728 | sign_v4_unsigned_payload_test() ->
 729 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 730 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 731 |     Region = <<"us-east-1">>,
 732 |     Service = <<"s3">>,
 733 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 734 |     Method = <<"GET">>,
 735 |     URL = <<"https://examplebucket.s3.amazonaws.com?max-keys=2&prefix=J">>,
 736 |     Headers = [{<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 737 |     Body = <<"foo">>,
 738 | 
 739 |     Actual = sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, [{body_digest, <<"UNSIGNED-PAYLOAD">>}]),
 740 | 
 741 |     Expected = [
 742 |         {<<"Authorization">>, <<"AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256;x-amz-date,Signature=b1a076428fa68c2c42202ee5a5718b8207f725e451e2157d6b1c393e01fc2e68">>},
 743 |         {<<"X-Amz-Content-SHA256">>, <<"UNSIGNED-PAYLOAD">>},
 744 |         {<<"X-Amz-Date">>, <<"20130524T000000Z">>},
 745 |         {<<"Host">>, <<"examplebucket.s3.amazonaws.com">>}],
 746 | 
 747 |     ?assertEqual(Actual, Expected).
 748 | 
 749 | sign_v4_event_test() ->
 750 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 751 |     Region = <<"us-east-1">>,
 752 |     Service = <<"transcribe">>,
 753 |     DateTime = {{2023, 7, 31}, {11, 36, 12}},
 754 |     PriorSignature = <<"ce2704cf5f348fd66f179d5883162f223c30b3fb8213fb1bc097bf2ecd34b1b5">>,
 755 |     % EventStream encoded header of {":date", DateTime, :timestamp}
 756 |     HeaderString = <<5, 58, 100, 97, 116, 101, 8, 0, 0, 1, 137, 171, 187, 255, 224>>,
 757 | 
 758 |     {ActualHeaders, ActualSignature} = sign_v4_event(SecretAccessKey, Region, Service, DateTime, PriorSignature, HeaderString, <<>>),
 759 | 
 760 |     ExpectedHeaders = [
 761 |         {<<":date">>, DateTime, timestamp},
 762 |         {<<":chunk-signature">>,<<41, 239, 130, 195, 152, 80, 171, 220, 198, 95, 157, 96, 70, 243, 228, 55, 227, 133, 17, 43, 128, 183, 241, 123, 49, 186, 51, 167, 218, 60, 200, 175>>, byte_array}
 763 |     ],
 764 |     ExpectedSignature = <<"29ef82c39850abdcc65f9d6046f3e437e385112b80b7f17b31ba33a7da3cc8af">>,
 765 | 
 766 |     ?assertEqual(ActualHeaders, ExpectedHeaders),
 767 |     ?assertEqual(ActualSignature, ExpectedSignature).
 768 | 
 769 | %% canonical_headers/1 sorted headers by header name
 770 | canonical_headers_test() ->
 771 |     Headers = [
 772 |         {<<"User-Agent">>, <<"aws-sdk-ruby3/3.113.1 ruby/2.7.2 x86_64-linux aws-sdk-s3/1.93.0">>},
 773 |         {<<"X-Amz-Server-Side-Encryption-Customer-Algorithm">>, <<"AES256">>},
 774 |         {<<"X-Amz-Server-Side-Encryption-Customer-Key-Md5">>, <<"BaUscNABVnd0nRlQecUFPA==">>},
 775 |         {<<"X-Amz-Server-Side-Encryption-Customer-Key">>, <<"TIjv09mJiv+331Evgfq8eONO2y/G4aztRqEeAwx9y2U=">>},
 776 |         {<<"Content-Md5">>, <<"VDMfSlWzfS823+nFvkpWzg==">>},
 777 |         {<<"Host">>, <<"aws-beam-projects-test.s3.amazonaws.com">>}],
 778 | 
 779 |     Actual = canonical_headers(Headers),
 780 | 
 781 |     Expected =
 782 |         <<"content-md5:VDMfSlWzfS823+nFvkpWzg==\n",
 783 |           "host:aws-beam-projects-test.s3.amazonaws.com\n",
 784 |           "user-agent:aws-sdk-ruby3/3.113.1 ruby/2.7.2 x86_64-linux aws-sdk-s3/1.93.0\n",
 785 |           "x-amz-server-side-encryption-customer-algorithm:AES256\n",
 786 |           "x-amz-server-side-encryption-customer-key:TIjv09mJiv+331Evgfq8eONO2y/G4aztRqEeAwx9y2U=\n",
 787 |           "x-amz-server-side-encryption-customer-key-md5:BaUscNABVnd0nRlQecUFPA==\n">>,
 788 | 
 789 |     ?assertEqual(Expected, Actual).
 790 | 
 791 | %% canonical_request/5 returns a connical request binary string
 792 | canonical_request_test() ->
 793 |     Expected =
 794 |         <<"GET", $\n,
 795 |           "/pa%2520th", $\n,
 796 |           "a=&b=1", $\n,
 797 |           "host:example.com", $\n, "x-amz-date:20150325T105958Z", $\n, $\n,
 798 |           "host;x-amz-date", $\n,
 799 |           "content-sha256">>,
 800 | 
 801 |     Actual = canonical_request(
 802 |         <<"get">>,
 803 |         #{path => <<"/pa%20th">>, query => <<"b=1&a=">>},
 804 |         [{<<"Host">>, <<"example.com">>}, {<<"X-Amz-Date">>, <<"20150325T105958Z">>}],
 805 |         <<"content-sha256">>,
 806 |         true),
 807 | 
 808 |     ?assertEqual(Expected, Actual).
 809 | 
 810 | %% canonical_request/4 does not encode the path when disabled
 811 | canonical_request_with_encode_uri_path_false_test() ->
 812 |     Expected =
 813 |         <<"GET", $\n,
 814 |           "/pa%20th", $\n,
 815 |           "", $\n,
 816 |           $\n,
 817 |           $\n,
 818 |           "content-sha256">>,
 819 | 
 820 |     Actual =
 821 |         canonical_request(<<"get">>, #{path => <<"/pa%20th">>, query => <<"">>}, [], <<"content-sha256">>, false),
 822 | 
 823 |     ?assertEqual(Expected, Actual).
 824 | 
 825 | %% canonical_request/5 returns a canonical request binary string with extra query params
 826 | canonical_request_with_extra_query_params_test() ->
 827 |     Expected =
 828 |         <<"GET",
 829 |           $\n,
 830 |           "/pa%2520th",
 831 |           $\n,
 832 |           "a=&b=1&c=2&d=3",
 833 |           $\n,
 834 |           "host:example.com",
 835 |           $\n,
 836 |           "x-amz-date:20150325T105958Z",
 837 |           $\n,
 838 |           $\n,
 839 |           "host;x-amz-date",
 840 |           $\n,
 841 |           "content-sha256">>,
 842 | 
 843 |     Actual =
 844 |         canonical_request(<<"get">>,
 845 |                           #{path => <<"/pa%20th">>, query => <<"b=1&a=">>},
 846 |                           [{<<"Host">>, <<"example.com">>},
 847 |                            {<<"X-Amz-Date">>, <<"20150325T105958Z">>}],
 848 |                           <<"content-sha256">>,
 849 |                           true,
 850 |                           [{<<"c">>, <<"2">>}, {<<"d">>, <<"3">>}]),
 851 | 
 852 |     ?assertEqual(Expected, Actual).
 853 | 
 854 | %% canonical_request/5 returns a canonical request binary string with only additional query params
 855 | canonical_request_with_only_additional_query_params_test() ->
 856 |     Expected =
 857 |         <<"GET",
 858 |           $\n,
 859 |           "/pa%2520th",
 860 |           $\n,
 861 |           "c=2&d=3",
 862 |           $\n,
 863 |           "host:example.com",
 864 |           $\n,
 865 |           "x-amz-date:20150325T105958Z",
 866 |           $\n,
 867 |           $\n,
 868 |           "host;x-amz-date",
 869 |           $\n,
 870 |           "content-sha256">>,
 871 | 
 872 |     Actual =
 873 |         canonical_request(<<"get">>,
 874 |                           #{path => <<"/pa%20th">>, query => <<"">>},
 875 |                           [{<<"Host">>, <<"example.com">>},
 876 |                            {<<"X-Amz-Date">>, <<"20150325T105958Z">>}],
 877 |                           <<"content-sha256">>,
 878 |                           true,
 879 |                           [{<<"c">>, <<"2">>}, {<<"d">>, <<"3">>}]),
 880 | 
 881 |     ?assertEqual(Expected, Actual).
 882 | 
 883 | %% sign_v4_query_params/7: Example 1 from https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
 884 | sign_v4_query_params_reference_example_1_test() ->
 885 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 886 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 887 |     Region = <<"us-east-1">>,
 888 |     Service = <<"s3">>,
 889 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 890 |     Method = <<"GET">>,
 891 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
 892 | 
 893 |     Expected =
 894 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
 895 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
 896 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
 897 |         "X-Amz-Date=20130524T000000Z&",
 898 |         "X-Amz-Expires=86400&",
 899 |         "X-Amz-Signature=aeeed9bbccd4d02ee5c0109b86d86835f995330da4c265957d157751f604d404&",
 900 |         "X-Amz-SignedHeaders=host">>,
 901 | 
 902 |     Actual =
 903 |         sign_v4_query_params(AccessKeyID,
 904 |                              SecretAccessKey,
 905 |                              Region,
 906 |                              Service,
 907 |                              DateTime,
 908 |                              Method,
 909 |                              URL,
 910 |                              [{body_digest, <<"UNSIGNED-PAYLOAD">>}]),
 911 | 
 912 |     ?assertEqual(Expected, Actual).
 913 | 
 914 | %% sign_v4_query_params/7: Example 2 from https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
 915 | sign_v4_query_params_reference_example_2_with_session_token_test() ->
 916 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 917 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 918 |     Region = <<"us-east-1">>,
 919 |     Service = <<"s3">>,
 920 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 921 |     Method = <<"GET">>,
 922 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
 923 |     SessionToken = <<"my-session-token">>,
 924 | 
 925 |     Expected =
 926 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
 927 |           "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
 928 |           "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
 929 |           "X-Amz-Date=20130524T000000Z&",
 930 |           "X-Amz-Expires=86400&",
 931 |           "X-Amz-Security-Token=my-session-token&",
 932 |           "X-Amz-Signature=127498ec2e996f60915eba27520e69b1554fe016da1d36a3dde70f2408551d67&",
 933 |           "X-Amz-SignedHeaders=host">>,
 934 | 
 935 |     Actual =
 936 |         sign_v4_query_params(AccessKeyID,
 937 |                              SecretAccessKey,
 938 |                              Region,
 939 |                              Service,
 940 |                              DateTime,
 941 |                              Method,
 942 |                              URL,
 943 |                              [{body_digest, <<"UNSIGNED-PAYLOAD">>}, {session_token, SessionToken}]),
 944 | 
 945 |     ?assertEqual(Expected, Actual).
 946 | 
 947 | sign_v4_query_params_merge_existing_query_params_with_ttl_test() ->
 948 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 949 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 950 |     Region = <<"us-east-1">>,
 951 |     Service = <<"s3">>,
 952 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 953 |     Method = <<"GET">>,
 954 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt?A-param=value&X-Another=param">>,
 955 | 
 956 |     Expected =
 957 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
 958 |         "A-param=value&",
 959 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
 960 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
 961 |         "X-Amz-Date=20130524T000000Z&",
 962 |         "X-Amz-Expires=3600&",
 963 |         "X-Amz-Signature=ec8b95e4cf1cc811afc9e29eb7c3959f8832b1ddd36800a082d1c8e6d51f6b8a&",
 964 |         "X-Amz-SignedHeaders=host&",
 965 |         "X-Another=param">>,
 966 | 
 967 |     Actual =
 968 |         sign_v4_query_params(AccessKeyID,
 969 |                              SecretAccessKey,
 970 |                              Region,
 971 |                              Service,
 972 |                              DateTime,
 973 |                              Method,
 974 |                              URL,
 975 |                              [{ttl, 3600}]),
 976 | 
 977 |     ?assertEqual(Expected, Actual).
 978 | 
 979 | sign_v4_query_params_with_put_method_test() ->
 980 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
 981 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
 982 |     Region = <<"us-east-1">>,
 983 |     Service = <<"s3">>,
 984 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
 985 |     Method = <<"PUT">>,
 986 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
 987 | 
 988 |     Expected =
 989 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
 990 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
 991 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
 992 |         "X-Amz-Date=20130524T000000Z&",
 993 |         "X-Amz-Expires=86400&",
 994 |         "X-Amz-Signature=2f382d203f44c23831e0b740f8bc389dc4367991d3001843c8a4fccefe56a0ad&",
 995 |         "X-Amz-SignedHeaders=host">>,
 996 | 
 997 |     Actual =
 998 |         sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, []),
 999 | 
1000 |     ?assertEqual(Expected, Actual).
1001 | 
1002 | sign_v4_query_params_with_no_body_test() ->
1003 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1004 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1005 |     Region = <<"us-east-1">>,
1006 |     Service = <<"s3">>,
1007 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1008 |     Method = <<"GET">>,
1009 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
1010 | 
1011 |     Expected =
1012 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
1013 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1014 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1015 |         "X-Amz-Date=20130524T000000Z&",
1016 |         "X-Amz-Expires=86400&",
1017 |         "X-Amz-Signature=2f96f106e896a51445dbd699bd79337027afef2fd1d841506882218daeaf9b3c&",
1018 |         "X-Amz-SignedHeaders=host">>,
1019 | 
1020 |     Actual =
1021 |         sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, []),
1022 | 
1023 |     ?assertEqual(Expected, Actual).
1024 | 
1025 | sign_v4_query_params_with_body_test() ->
1026 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1027 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1028 |     Region = <<"us-east-1">>,
1029 |     Service = <<"s3">>,
1030 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1031 |     Method = <<"GET">>,
1032 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
1033 | 
1034 |     Expected =
1035 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
1036 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1037 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1038 |         "X-Amz-Date=20130524T000000Z&",
1039 |         "X-Amz-Expires=86400&",
1040 |         "X-Amz-Signature=2f803843262d253ddc309d3bdd705c054cf39f863ce347a35c9b66f8f651a62d&",
1041 |         "X-Amz-SignedHeaders=host">>,
1042 | 
1043 |     Actual =
1044 |         sign_v4_query_params(AccessKeyID,
1045 |                              SecretAccessKey,
1046 |                              Region,
1047 |                              Service,
1048 |                              DateTime,
1049 |                              Method,
1050 |                              URL,
1051 |                              [{body, <<"body">>}]),
1052 | 
1053 |     ?assertEqual(Expected, Actual).
1054 | 
1055 | sign_v4_query_params_with_body_digest_test() ->
1056 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1057 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1058 |     Region = <<"us-east-1">>,
1059 |     Service = <<"s3">>,
1060 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1061 |     Method = <<"GET">>,
1062 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
1063 | 
1064 |     Expected =
1065 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
1066 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1067 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1068 |         "X-Amz-Date=20130524T000000Z&",
1069 |         "X-Amz-Expires=86400&",
1070 |         "X-Amz-Signature=aeeed9bbccd4d02ee5c0109b86d86835f995330da4c265957d157751f604d404&",
1071 |         "X-Amz-SignedHeaders=host">>,
1072 | 
1073 |     Actual =
1074 |         sign_v4_query_params(AccessKeyID,
1075 |                              SecretAccessKey,
1076 |                              Region,
1077 |                              Service,
1078 |                              DateTime,
1079 |                              Method,
1080 |                              URL,
1081 |                              [{body_digest, <<"UNSIGNED-PAYLOAD">>}]),
1082 | 
1083 |     ?assertEqual(Expected, Actual).
1084 | 
1085 | sign_v4_query_params_with_authority_port_test() ->
1086 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1087 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1088 |     Region = <<"us-east-1">>,
1089 |     Service = <<"s3">>,
1090 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1091 |     Method = <<"GET">>,
1092 |     URL = <<"http://bucket.localhost:9000/test.txt">>,
1093 | 
1094 |     Expected =
1095 |         <<"http://bucket.localhost:9000/test.txt?",
1096 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1097 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1098 |         "X-Amz-Date=20130524T000000Z&",
1099 |         "X-Amz-Expires=86400&",
1100 |         "X-Amz-Signature=3dd62e9f64b1c393bfc3d2902e5d5474b629113acd965dbd52ea3d874c83921b&",
1101 |         "X-Amz-SignedHeaders=host">>,
1102 | 
1103 |     Actual =
1104 |         sign_v4_query_params(AccessKeyID,
1105 |                              SecretAccessKey,
1106 |                              Region,
1107 |                              Service,
1108 |                              DateTime,
1109 |                              Method,
1110 |                              URL,
1111 |                              [{body_digest, <<"UNSIGNED-PAYLOAD">>}]),
1112 | 
1113 |     ?assertEqual(Expected, Actual).
1114 | 
1115 | sign_v4_query_params_with_authority_well_known_port_test() ->
1116 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1117 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1118 |     Region = <<"us-east-1">>,
1119 |     Service = <<"s3">>,
1120 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1121 |     Method = <<"GET">>,
1122 |     URL = <<"http://bucket.localhost:80/test.txt">>,
1123 | 
1124 |     Expected =
1125 |         <<"http://bucket.localhost:80/test.txt?",
1126 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1127 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1128 |         "X-Amz-Date=20130524T000000Z&",
1129 |         "X-Amz-Expires=86400&",
1130 |         "X-Amz-Signature=12778f8b6fc2cb5cce0fee8b218428fb8261c99a145613232d47be9aa38d1d85&",
1131 |         "X-Amz-SignedHeaders=host">>,
1132 | 
1133 |     Actual =
1134 |         sign_v4_query_params(AccessKeyID,
1135 |                              SecretAccessKey,
1136 |                              Region,
1137 |                              Service,
1138 |                              DateTime,
1139 |                              Method,
1140 |                              URL,
1141 |                              [{body_digest, <<"UNSIGNED-PAYLOAD">>}]),
1142 | 
1143 |     ?assertEqual(Expected, Actual).
1144 | 
1145 | sign_v4_query_params_with_tagging_test() ->
1146 |     AccessKeyID = <<"AKIAIOSFODNN7EXAMPLE">>,
1147 |     SecretAccessKey = <<"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY">>,
1148 |     Region = <<"us-east-1">>,
1149 |     Service = <<"s3">>,
1150 |     DateTime = {{2013, 5, 24}, {0, 0, 0}},
1151 |     Method = <<"GET">>,
1152 |     URL = <<"https://examplebucket.s3.amazonaws.com/test.txt">>,
1153 | 
1154 |     Expected =
1155 |         <<"https://examplebucket.s3.amazonaws.com/test.txt?",
1156 |         "X-Amz-Algorithm=AWS4-HMAC-SHA256&",
1157 |         "X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&",
1158 |         "X-Amz-Date=20130524T000000Z&",
1159 |         "X-Amz-Expires=86400&",
1160 |         "X-Amz-Signature=5c14ef7998d657c3b8293b37abefaef5fa98cc775bcbfffdb2027f4ce05772ef&",
1161 |         "X-Amz-SignedHeaders=host%3Bx-amz-tagging">>,
1162 | 
1163 |     Actual =
1164 |         sign_v4_query_params(AccessKeyID,
1165 |                              SecretAccessKey,
1166 |                              Region,
1167 |                              Service,
1168 |                              DateTime,
1169 |                              Method,
1170 |                              URL,
1171 |                              [{tags, <<"key1=value1&key2=value2">>}]),
1172 | 
1173 |     ?assertEqual(Expected, Actual).
1174 | 
1175 | format_date_long_test() ->
1176 |     Expected = <<"20210126T200815Z">>,
1177 |     Actual = format_datetime_long({{2021,1,26}, {20,8,15}}),
1178 |     ?assertEqual(Expected, Actual).
1179 | 
1180 | format_date_short_test() ->
1181 |     Expected = <<"20210126">>,
1182 |     Actual = format_datetime_short({{2021,1,26}, {20,8,15}}),
1183 |     ?assertEqual(Expected, Actual).
1184 | 
1185 | -endif.
1186 | 


--------------------------------------------------------------------------------