mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21173 Commits
28 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
rspamd/lualib/lua_aws.lua

lua_aws.lua 9.0KB
Raw Permalink Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");

  5. you may not use this file except in compliance with the License.

  6. You may obtain a copy of the License at

  7. 

  8.     http://www.apache.org/licenses/LICENSE-2.0

  9. 

  10. Unless required by applicable law or agreed to in writing, software

  11. distributed under the License is distributed on an "AS IS" BASIS,

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. See the License for the specific language governing permissions and

  14. limitations under the License.

  15. ]]--

  16. 

  17. 

  18. --[[[

  19. -- @module lua_aws

  20. -- This module contains Amazon AWS utility functions

  21. --]]

  22. 

  23. local N = "aws"

  24. --local rspamd_logger = require "rspamd_logger"

  25. local ts = (require "tableshape").types

  26. local lua_util = require "lua_util"

  27. local fun = require "fun"

  28. local rspamd_crypto_hash = require "rspamd_cryptobox_hash"

  29. 

  30. local exports = {}

  31. 

  32. -- Returns a canonical representation of today date

  33. local function today_canonical()

  34.   return os.date('!%Y%m%d')

  35. end

  36. 

  37. --[[[

  38. -- @function lua_aws.aws_date([date_str])

  39. -- Returns an aws date header corresponding to the specific date

  40. --]]

  41. local function aws_date(date_str)

  42.   if not date_str then

  43.     date_str = today_canonical()

  44.   end

  45. 

  46.   return date_str .. os.date('!T%H%M%SZ')

  47. end

  48. 

  49. exports.aws_date = aws_date

  50. 

  51. 

  52. -- Local cache of the keys to save resources

  53. local cached_keys = {}

  54. 

  55. local function maybe_get_cached_key(date_str, secret_key, region, service, req_type)

  56.   local bucket = cached_keys[tonumber(date_str)]

  57. 

  58.   if not bucket then

  59.     return nil

  60.   end

  61. 

  62.   local elt = bucket[string.format('%s.%s.%s.%s', secret_key, region, service, req_type)]

  63.   if elt then

  64.     return elt

  65.   end

  66. end

  67. 

  68. local function save_cached_key(date_str, secret_key, region, service, req_type, key)

  69.   local numdate = tonumber(date_str)

  70.   -- expire old buckets

  71.   for k, _ in pairs(cached_keys) do

  72.     if k < numdate then

  73.       cached_keys[k] = nil

  74.     end

  75.   end

  76. 

  77.   local bucket = cached_keys[tonumber(date_str)]

  78.   local idx = string.format('%s.%s.%s.%s', secret_key, region, service, req_type)

  79. 

  80.   if not bucket then

  81.     cached_keys[tonumber(date_str)] = {

  82.       idx = key

  83.     }

  84.   else

  85.     bucket[idx] = key

  86.   end

  87. end

  88. --[[[

  89. -- @function lua_aws.aws_signing_key([date_str], secret_key, region, [service='s3'], [req_type='aws4_request'])

  90. -- Returns a signing key for the specific parameters

  91. --]]

  92. local function aws_signing_key(date_str, secret_key, region, service, req_type)

  93.   if not date_str then

  94.     date_str = today_canonical()

  95.   end

  96. 

  97.   if not service then

  98.     service = 's3'

  99.   end

  100. 

  101.   if not req_type then

  102.     req_type = 'aws4_request'

  103.   end

  104. 

  105.   assert(type(secret_key) == 'string')

  106.   assert(type(region) == 'string')

  107. 

  108.   local maybe_cached = maybe_get_cached_key(date_str, secret_key, region, service, req_type)

  109. 

  110.   if maybe_cached then

  111.     return maybe_cached

  112.   end

  113. 

  114.   local hmac1 = rspamd_crypto_hash.create_specific_keyed("AWS4" .. secret_key, "sha256", date_str):bin()

  115.   local hmac2 = rspamd_crypto_hash.create_specific_keyed(hmac1, "sha256", region):bin()

  116.   local hmac3 = rspamd_crypto_hash.create_specific_keyed(hmac2, "sha256", service):bin()

  117.   local final_key = rspamd_crypto_hash.create_specific_keyed(hmac3, "sha256", req_type):bin()

  118. 

  119.   save_cached_key(date_str, secret_key, region, service, req_type, final_key)

  120. 

  121.   return final_key

  122. end

  123. 

  124. exports.aws_signing_key = aws_signing_key

  125. 

  126. --[[[

  127. -- @function lua_aws.aws_canon_request_hash(method, path, headers_to_sign, hex_hash)

  128. -- Returns a hash + list of headers as required to produce signature afterwards

  129. --]]

  130. local function aws_canon_request_hash(method, uri, headers_to_sign, hex_hash)

  131.   assert(type(method) == 'string')

  132.   assert(type(uri) == 'string')

  133.   assert(type(headers_to_sign) == 'table')

  134. 

  135.   if not hex_hash then

  136.     hex_hash = headers_to_sign['x-amz-content-sha256']

  137.   end

  138. 

  139.   assert(type(hex_hash) == 'string')

  140. 

  141.   local sha_ctx = rspamd_crypto_hash.create_specific('sha256')

  142. 

  143.   lua_util.debugm(N, 'update signature with the method %s',

  144.       method)

  145.   sha_ctx:update(method .. '\n')

  146.   lua_util.debugm(N, 'update signature with the uri %s',

  147.       uri)

  148.   sha_ctx:update(uri .. '\n')

  149.   -- XXX add query string canonicalisation

  150.   sha_ctx:update('\n')

  151.   -- Sort auth headers and canonicalise them as requested

  152.   local hdr_canon = fun.tomap(fun.map(function(k, v)

  153.     return k:lower(), lua_util.str_trim(v)

  154.   end, headers_to_sign))

  155.   local header_names = lua_util.keys(hdr_canon)

  156.   table.sort(header_names)

  157.   for _, hn in ipairs(header_names) do

  158.     local v = hdr_canon[hn]

  159.     lua_util.debugm(N, 'update signature with the header %s, %s',

  160.         hn, v)

  161.     sha_ctx:update(string.format('%s:%s\n', hn, v))

  162.   end

  163.   local hdrs_list = table.concat(header_names, ';')

  164.   lua_util.debugm(N, 'headers list to sign: %s', hdrs_list)

  165.   sha_ctx:update(string.format('\n%s\n%s', hdrs_list, hex_hash))

  166. 

  167.   return sha_ctx:hex(), hdrs_list

  168. end

  169. 

  170. exports.aws_canon_request_hash = aws_canon_request_hash

  171. 

  172. local aws_authorization_hdr_args_schema = ts.shape {

  173.   date = ts.string + ts['nil'] / today_canonical,

  174.   secret_key = ts.string,

  175.   method = ts.string + ts['nil'] / function()

  176.     return 'GET'

  177.   end,

  178.   uri = ts.string,

  179.   region = ts.string,

  180.   service = ts.string + ts['nil'] / function()

  181.     return 's3'

  182.   end,

  183.   req_type = ts.string + ts['nil'] / function()

  184.     return 'aws4_request'

  185.   end,

  186.   headers = ts.map_of(ts.string, ts.string),

  187.   key_id = ts.string,

  188. }

  189. --[[[

  190. -- @function lua_aws.aws_authorization_hdr(params)

  191. -- Produces an authorization header as required by AWS

  192. -- Parameters schema is the following:

  193. ts.shape{

  194.   date = ts.string + ts['nil'] / today_canonical,

  195.   secret_key = ts.string,

  196.   method = ts.string + ts['nil'] / function() return 'GET' end,

  197.   uri = ts.string,

  198.   region = ts.string,

  199.   service = ts.string + ts['nil'] / function() return 's3' end,

  200.   req_type = ts.string + ts['nil'] / function() return 'aws4_request' end,

  201.   headers = ts.map_of(ts.string, ts.string),

  202.   key_id = ts.string,

  203. }

  204. --

  205. --]]

  206. local function aws_authorization_hdr(tbl, transformed)

  207.   local res, err

  208.   if not transformed then

  209.     res, err = aws_authorization_hdr_args_schema:transform(tbl)

  210.     assert(res, err)

  211.   else

  212.     res = tbl

  213.   end

  214. 

  215.   local signing_key = aws_signing_key(res.date, res.secret_key, res.region, res.service,

  216.       res.req_type)

  217.   assert(signing_key ~= nil)

  218.   local signed_sha, signed_hdrs = aws_canon_request_hash(res.method, res.uri,

  219.       res.headers)

  220. 

  221.   if not signed_sha then

  222.     return nil

  223.   end

  224. 

  225.   local string_to_sign = string.format('AWS4-HMAC-SHA256\n%s\n%s/%s/%s/%s\n%s',

  226.       res.headers['x-amz-date'] or aws_date(),

  227.       res.date, res.region, res.service, res.req_type,

  228.       signed_sha)

  229.   lua_util.debugm(N, "string to sign: %s", string_to_sign)

  230.   local hmac = rspamd_crypto_hash.create_specific_keyed(signing_key, 'sha256', string_to_sign):hex()

  231.   lua_util.debugm(N, "hmac: %s", hmac)

  232.   local auth_hdr = string.format('AWS4-HMAC-SHA256 Credential=%s/%s/%s/%s/%s,' ..

  233.       'SignedHeaders=%s,Signature=%s',

  234.       res.key_id, res.date, res.region, res.service, res.req_type,

  235.       signed_hdrs, hmac)

  236. 

  237.   return auth_hdr

  238. end

  239. 

  240. exports.aws_authorization_hdr = aws_authorization_hdr

  241. 

  242. 

  243. 

  244. --[[[

  245. -- @function lua_aws.aws_request_enrich(params, content)

  246. -- Produces an authorization header as required by AWS

  247. -- Parameters schema is the following:

  248. ts.shape{

  249.   date = ts.string + ts['nil'] / today_canonical,

  250.   secret_key = ts.string,

  251.   method = ts.string + ts['nil'] / function() return 'GET' end,

  252.   uri = ts.string,

  253.   region = ts.string,

  254.   service = ts.string + ts['nil'] / function() return 's3' end,

  255.   req_type = ts.string + ts['nil'] / function() return 'aws4_request' end,

  256.   headers = ts.map_of(ts.string, ts.string),

  257.   key_id = ts.string,

  258. }

  259. This method returns new/modified in place table of the headers

  260. --

  261. --]]

  262. local function aws_request_enrich(tbl, content)

  263.   local res, err = aws_authorization_hdr_args_schema:transform(tbl)

  264.   assert(res, err)

  265.   local content_sha256 = rspamd_crypto_hash.create_specific('sha256', content):hex()

  266.   local hdrs = res.headers

  267.   hdrs['x-amz-content-sha256'] = content_sha256

  268.   if not hdrs['x-amz-date'] then

  269.     hdrs['x-amz-date'] = aws_date(res.date)

  270.   end

  271.   hdrs['Authorization'] = aws_authorization_hdr(res, true)

  272. 

  273.   return hdrs

  274. end

  275. 

  276. exports.aws_request_enrich = aws_request_enrich

  277. 

  278. -- A simple tests according to AWS docs to check sanity

  279. local test_request_hdrs = {

  280.   ['Host'] = 'examplebucket.s3.amazonaws.com',

  281.   ['x-amz-date'] = '20130524T000000Z',

  282.   ['Range'] = 'bytes=0-9',

  283.   ['x-amz-content-sha256'] = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',

  284. }

  285. 

  286. assert(aws_canon_request_hash('GET', '/test.txt', test_request_hdrs) ==

  287.     '7344ae5b7ee6c3e7e6b0fe0640412a37625d1fbfff95c48bbb2dc43964946972')

  288. 

  289. assert(aws_authorization_hdr {

  290.   date = '20130524',

  291.   region = 'us-east-1',

  292.   headers = test_request_hdrs,

  293.   uri = '/test.txt',

  294.   key_id = 'AKIAIOSFODNN7EXAMPLE',

  295.   secret_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',

  296. } == 'AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,' ..

  297.     'SignedHeaders=host;range;x-amz-content-sha256;x-amz-date,' ..

  298.     'Signature=f0e8bdb87c964420e857bd35b5d6ed310bd44f0170aba48dd91039c6036bdb41')

  299. 

  300. return exports