aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoeland Jago Douma <rullzer@users.noreply.github.com>2018-01-09 21:19:24 +0100
committerGitHub <noreply@github.com>2018-01-09 21:19:24 +0100
commit323dc4acb12fced69cfc5f880d3e5efe830e4868 (patch)
treed648a2fa215f885e1f7813a4a9f96deb422ce8db
parente1e06bf38f0a645809b02182942e0475126b766e (diff)
parent4ec4a7df9356fa5d6af7af94b4b8952d7d69560c (diff)
downloadnextcloud-server-323dc4acb12fced69cfc5f880d3e5efe830e4868.tar.gz
nextcloud-server-323dc4acb12fced69cfc5f880d3e5efe830e4868.zip
Merge pull request #7758 from nextcloud/12-7570v12.0.5RC1
[stable12] add option to use legacy v2 auth with s3
-rw-r--r--apps/files_external/lib/Lib/Backend/AmazonS3.php2
-rw-r--r--lib/composer/composer/autoload_classmap.php1
-rw-r--r--lib/composer/composer/autoload_static.php1
-rw-r--r--lib/private/Files/ObjectStore/S3ConnectionTrait.php17
-rw-r--r--lib/private/Files/ObjectStore/S3Signature.php204
5 files changed, 224 insertions, 1 deletions
diff --git a/apps/files_external/lib/Lib/Backend/AmazonS3.php b/apps/files_external/lib/Lib/Backend/AmazonS3.php
index c9759015121..5625805601c 100644
--- a/apps/files_external/lib/Lib/Backend/AmazonS3.php
+++ b/apps/files_external/lib/Lib/Backend/AmazonS3.php
@@ -53,6 +53,8 @@ class AmazonS3 extends Backend {
->setType(DefinitionParameter::VALUE_BOOLEAN),
(new DefinitionParameter('use_path_style', $l->t('Enable Path Style')))
->setType(DefinitionParameter::VALUE_BOOLEAN),
+ (new DefinitionParameter('legacy_auth', $l->t('Legacy (v2) authentication')))
+ ->setType(DefinitionParameter::VALUE_BOOLEAN),
])
->addAuthScheme(AccessKey::SCHEME_AMAZONS3_ACCESSKEY)
->setLegacyAuthMechanism($legacyAuth)
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 61df49cd510..93e792a7f4c 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -594,6 +594,7 @@ return array(
'OC\\Files\\ObjectStore\\S3' => $baseDir . '/lib/private/Files/ObjectStore/S3.php',
'OC\\Files\\ObjectStore\\S3ConnectionTrait' => $baseDir . '/lib/private/Files/ObjectStore/S3ConnectionTrait.php',
'OC\\Files\\ObjectStore\\S3ObjectTrait' => $baseDir . '/lib/private/Files/ObjectStore/S3ObjectTrait.php',
+ 'OC\\Files\\ObjectStore\\S3Signature' => $baseDir . '/lib/private/Files/ObjectStore/S3Signature.php',
'OC\\Files\\ObjectStore\\StorageObjectStore' => $baseDir . '/lib/private/Files/ObjectStore/StorageObjectStore.php',
'OC\\Files\\ObjectStore\\Swift' => $baseDir . '/lib/private/Files/ObjectStore/Swift.php',
'OC\\Files\\Search\\SearchBinaryOperator' => $baseDir . '/lib/private/Files/Search/SearchBinaryOperator.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index aa5990466fc..88bb9c65ffa 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -624,6 +624,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
'OC\\Files\\ObjectStore\\S3' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/S3.php',
'OC\\Files\\ObjectStore\\S3ConnectionTrait' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/S3ConnectionTrait.php',
'OC\\Files\\ObjectStore\\S3ObjectTrait' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/S3ObjectTrait.php',
+ 'OC\\Files\\ObjectStore\\S3Signature' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/S3Signature.php',
'OC\\Files\\ObjectStore\\StorageObjectStore' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/StorageObjectStore.php',
'OC\\Files\\ObjectStore\\Swift' => __DIR__ . '/../../..' . '/lib/private/Files/ObjectStore/Swift.php',
'OC\\Files\\Search\\SearchBinaryOperator' => __DIR__ . '/../../..' . '/lib/private/Files/Search/SearchBinaryOperator.php',
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
index fdda19ff700..e6ae0f6cb54 100644
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -21,6 +21,7 @@
namespace OC\Files\ObjectStore;
+use Aws\ClientResolver;
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
@@ -83,11 +84,15 @@ trait S3ConnectionTrait {
],
'endpoint' => $base_url,
'region' => $this->params['region'],
- 'use_path_style_endpoint' => isset($this->params['use_path_style']) ? $this->params['use_path_style'] : false
+ 'use_path_style_endpoint' => isset($this->params['use_path_style']) ? $this->params['use_path_style'] : false,
+ 'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider())
];
if (isset($this->params['proxy'])) {
$options['request.options'] = ['proxy' => $this->params['proxy']];
}
+ if (isset($this->params['legacy_auth']) && $this->params['legacy_auth']) {
+ $options['signature_version'] = 'v2';
+ }
$this->connection = new S3Client($options);
if (!S3Client::isBucketDnsCompatible($this->bucket)) {
@@ -117,4 +122,14 @@ trait S3ConnectionTrait {
sleep($this->timeout);
}
}
+
+ public static function legacySignatureProvider($version, $service, $region) {
+ switch ($version) {
+ case 'v2':
+ case 's3':
+ return new S3Signature();
+ default:
+ return null;
+ }
+ }
}
diff --git a/lib/private/Files/ObjectStore/S3Signature.php b/lib/private/Files/ObjectStore/S3Signature.php
new file mode 100644
index 00000000000..d5bfbf4e53b
--- /dev/null
+++ b/lib/private/Files/ObjectStore/S3Signature.php
@@ -0,0 +1,204 @@
+<?php
+
+namespace OC\Files\ObjectStore;
+
+use Aws\Credentials\CredentialsInterface;
+use Aws\S3\S3Client;
+use Aws\S3\S3UriParser;
+use Aws\Signature\SignatureInterface;
+use GuzzleHttp\Psr7;
+use Psr\Http\Message\RequestInterface;
+
+/**
+ * Legacy Amazon S3 signature implementation
+ */
+class S3Signature implements SignatureInterface
+{
+ /** @var array Query string values that must be signed */
+ private $signableQueryString = [
+ 'acl', 'cors', 'delete', 'lifecycle', 'location', 'logging',
+ 'notification', 'partNumber', 'policy', 'requestPayment',
+ 'response-cache-control', 'response-content-disposition',
+ 'response-content-encoding', 'response-content-language',
+ 'response-content-type', 'response-expires', 'restore', 'tagging',
+ 'torrent', 'uploadId', 'uploads', 'versionId', 'versioning',
+ 'versions', 'website'
+ ];
+
+ /** @var array Sorted headers that must be signed */
+ private $signableHeaders = ['Content-MD5', 'Content-Type'];
+
+ /** @var \Aws\S3\S3UriParser S3 URI parser */
+ private $parser;
+
+ public function __construct()
+ {
+ $this->parser = new S3UriParser();
+ // Ensure that the signable query string parameters are sorted
+ sort($this->signableQueryString);
+ }
+
+ public function signRequest(
+ RequestInterface $request,
+ CredentialsInterface $credentials
+ ) {
+ $request = $this->prepareRequest($request, $credentials);
+ $stringToSign = $this->createCanonicalizedString($request);
+ $auth = 'AWS '
+ . $credentials->getAccessKeyId() . ':'
+ . $this->signString($stringToSign, $credentials);
+
+ return $request->withHeader('Authorization', $auth);
+ }
+
+ public function presign(
+ RequestInterface $request,
+ CredentialsInterface $credentials,
+ $expires
+ ) {
+ $query = [];
+ // URL encoding already occurs in the URI template expansion. Undo that
+ // and encode using the same encoding as GET object, PUT object, etc.
+ $uri = $request->getUri();
+ $path = S3Client::encodeKey(rawurldecode($uri->getPath()));
+ $request = $request->withUri($uri->withPath($path));
+
+ // Make sure to handle temporary credentials
+ if ($token = $credentials->getSecurityToken()) {
+ $request = $request->withHeader('X-Amz-Security-Token', $token);
+ $query['X-Amz-Security-Token'] = $token;
+ }
+
+ if ($expires instanceof \DateTime) {
+ $expires = $expires->getTimestamp();
+ } elseif (!is_numeric($expires)) {
+ $expires = strtotime($expires);
+ }
+
+ // Set query params required for pre-signed URLs
+ $query['AWSAccessKeyId'] = $credentials->getAccessKeyId();
+ $query['Expires'] = $expires;
+ $query['Signature'] = $this->signString(
+ $this->createCanonicalizedString($request, $expires),
+ $credentials
+ );
+
+ // Move X-Amz-* headers to the query string
+ foreach ($request->getHeaders() as $name => $header) {
+ $name = strtolower($name);
+ if (strpos($name, 'x-amz-') === 0) {
+ $query[$name] = implode(',', $header);
+ }
+ }
+
+ $queryString = http_build_query($query, null, '&', PHP_QUERY_RFC3986);
+
+ return $request->withUri($request->getUri()->withQuery($queryString));
+ }
+
+ /**
+ * @param RequestInterface $request
+ * @param CredentialsInterface $creds
+ *
+ * @return RequestInterface
+ */
+ private function prepareRequest(
+ RequestInterface $request,
+ CredentialsInterface $creds
+ ) {
+ $modify = [
+ 'remove_headers' => ['X-Amz-Date'],
+ 'set_headers' => ['Date' => gmdate(\DateTime::RFC2822)]
+ ];
+
+ // Add the security token header if one is being used by the credentials
+ if ($token = $creds->getSecurityToken()) {
+ $modify['set_headers']['X-Amz-Security-Token'] = $token;
+ }
+
+ return Psr7\modify_request($request, $modify);
+ }
+
+ private function signString($string, CredentialsInterface $credentials)
+ {
+ return base64_encode(
+ hash_hmac('sha1', $string, $credentials->getSecretKey(), true)
+ );
+ }
+
+ private function createCanonicalizedString(
+ RequestInterface $request,
+ $expires = null
+ ) {
+ $buffer = $request->getMethod() . "\n";
+
+ // Add the interesting headers
+ foreach ($this->signableHeaders as $header) {
+ $buffer .= $request->getHeaderLine($header) . "\n";
+ }
+
+ $date = $expires ?: $request->getHeaderLine('date');
+ $buffer .= "{$date}\n"
+ . $this->createCanonicalizedAmzHeaders($request)
+ . $this->createCanonicalizedResource($request);
+
+ return $buffer;
+ }
+
+ private function createCanonicalizedAmzHeaders(RequestInterface $request)
+ {
+ $headers = [];
+ foreach ($request->getHeaders() as $name => $header) {
+ $name = strtolower($name);
+ if (strpos($name, 'x-amz-') === 0) {
+ $value = implode(',', $header);
+ if (strlen($value) > 0) {
+ $headers[$name] = $name . ':' . $value;
+ }
+ }
+ }
+
+ if (!$headers) {
+ return '';
+ }
+
+ ksort($headers);
+
+ return implode("\n", $headers) . "\n";
+ }
+
+ private function createCanonicalizedResource(RequestInterface $request)
+ {
+ $data = $this->parser->parse($request->getUri());
+ $buffer = '/';
+
+ if ($data['bucket']) {
+ $buffer .= $data['bucket'];
+ if (!empty($data['key']) || !$data['path_style']) {
+ $buffer .= '/' . $data['key'];
+ }
+ }
+
+ // Add sub resource parameters if present.
+ $query = $request->getUri()->getQuery();
+
+ if ($query) {
+ $params = Psr7\parse_query($query);
+ $first = true;
+ foreach ($this->signableQueryString as $key) {
+ if (array_key_exists($key, $params)) {
+ $value = $params[$key];
+ $buffer .= $first ? '?' : '&';
+ $first = false;
+ $buffer .= $key;
+ // Don't add values for empty sub-resources
+ if (strlen($value)) {
+ $buffer .= "={$value}";
+ }
+ }
+ }
+ }
+
+ return $buffer;
+ }
+}