Compare commits
4 Commits
ff1e6f4cf3
...
5d13b48da6
Author | SHA1 | Date | |
---|---|---|---|
5d13b48da6 | |||
f8b6b3e521 | |||
4e4920e782 | |||
ab38d4c71e |
53
README.md
53
README.md
|
@ -91,7 +91,7 @@ Compiler wishlist/watchlist:
|
||||||
|
|
||||||
* [comptime allocations](https://github.com/ziglang/zig/issues/1291) so we can read files, etc (or is there another way)
|
* [comptime allocations](https://github.com/ziglang/zig/issues/1291) so we can read files, etc (or is there another way)
|
||||||
|
|
||||||
Services with TLS 1.3 Support (115 services)
|
Services with TLS 1.3 Support (116 services)
|
||||||
--------------------------------------------
|
--------------------------------------------
|
||||||
```
|
```
|
||||||
acm
|
acm
|
||||||
|
@ -101,6 +101,7 @@ apigateway
|
||||||
appconfig
|
appconfig
|
||||||
application-autoscaling
|
application-autoscaling
|
||||||
applicationinsights
|
applicationinsights
|
||||||
|
appmesh
|
||||||
apprunner
|
apprunner
|
||||||
appstream2
|
appstream2
|
||||||
appsync
|
appsync
|
||||||
|
@ -211,7 +212,7 @@ workspaces
|
||||||
xray
|
xray
|
||||||
```
|
```
|
||||||
|
|
||||||
Services without TLS 1.3 support (140 services)
|
Services without TLS 1.3 support (139 services)
|
||||||
-----------------------------------------------
|
-----------------------------------------------
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -223,7 +224,6 @@ appflow
|
||||||
app-integrations
|
app-integrations
|
||||||
application-cost-profiler
|
application-cost-profiler
|
||||||
discovery
|
discovery
|
||||||
appmesh
|
|
||||||
auditmanager
|
auditmanager
|
||||||
autoscaling
|
autoscaling
|
||||||
autoscaling-plans
|
autoscaling-plans
|
||||||
|
@ -356,3 +356,50 @@ wafv2
|
||||||
wellarchitected
|
wellarchitected
|
||||||
worklink
|
worklink
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Dependency tree
|
||||||
|
---------------
|
||||||
|
|
||||||
|
No dependencies:
|
||||||
|
* aws_authentication: base structure for credentials (only one type)
|
||||||
|
* aws_http_base: contains basic structures for http requests/results
|
||||||
|
* case: provides functions to change casing
|
||||||
|
* date: provides limited date manipulation functions
|
||||||
|
* http_client_17015_issue: zig 0.11 http client, with changes
|
||||||
|
* json: custom version of earlier stdlib json parser
|
||||||
|
* xml: custom xml parser library
|
||||||
|
* url: custom url encoding
|
||||||
|
|
||||||
|
aws_credentials: Allows credential handling
|
||||||
|
aws_authentication
|
||||||
|
|
||||||
|
aws_http:
|
||||||
|
http_client_17015_issue
|
||||||
|
aws_http_base
|
||||||
|
aws_signing
|
||||||
|
|
||||||
|
aws_signing: handles signing of http requests
|
||||||
|
aws_http_base
|
||||||
|
aws_authentication
|
||||||
|
date
|
||||||
|
|
||||||
|
aws: main usage point for libraries
|
||||||
|
aws_http
|
||||||
|
json
|
||||||
|
url
|
||||||
|
case
|
||||||
|
date
|
||||||
|
servicemodel
|
||||||
|
xml_shaper
|
||||||
|
aws_credentials
|
||||||
|
aws_authentication
|
||||||
|
|
||||||
|
main: main entrypoint for demo executable
|
||||||
|
aws
|
||||||
|
|
||||||
|
servicemodel: Provides access to all aws service generated models
|
||||||
|
all generated model files
|
||||||
|
|
||||||
|
xml_shaper: Manages interface from xml to in memory structures
|
||||||
|
xml
|
||||||
|
date
|
||||||
|
|
12
build.zig
12
build.zig
|
@ -45,13 +45,21 @@ pub fn build(b: *Builder) !void {
|
||||||
const smithy_module = smithy_dep.module("smithy");
|
const smithy_module = smithy_dep.module("smithy");
|
||||||
exe.addModule("smithy", smithy_module); // not sure this should be here...
|
exe.addModule("smithy", smithy_module); // not sure this should be here...
|
||||||
|
|
||||||
const module = b.addModule("aws", .{
|
// Expose module to others
|
||||||
|
_ = b.addModule("aws", .{
|
||||||
.source_file = .{ .path = "src/aws.zig" },
|
.source_file = .{ .path = "src/aws.zig" },
|
||||||
.dependencies = &[_]std.build.ModuleDependency{
|
.dependencies = &[_]std.build.ModuleDependency{
|
||||||
.{ .name = "smithy", .module = smithy_module },
|
.{ .name = "smithy", .module = smithy_module },
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
exe.addModule("aws", module);
|
|
||||||
|
// Expose module to others
|
||||||
|
_ = b.addModule("aws-signing", .{
|
||||||
|
.source_file = .{ .path = "src/aws_signing.zig" },
|
||||||
|
.dependencies = &[_]std.build.ModuleDependency{
|
||||||
|
.{ .name = "smithy", .module = smithy_module },
|
||||||
|
},
|
||||||
|
});
|
||||||
// TODO: This does not work correctly due to https://github.com/ziglang/zig/issues/16354
|
// TODO: This does not work correctly due to https://github.com/ziglang/zig/issues/16354
|
||||||
//
|
//
|
||||||
// We are working here with kind of a weird dependency though. So we can do this
|
// We are working here with kind of a weird dependency though. So we can do this
|
||||||
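Review bot: The new side drops `exe.addModule("aws", module);` without a replacement, so the executable no longer has the `aws` module registered under that name; if the executable's root source reaches the library through `@import("aws")` this breaks its build, whereas if it is compiled directly from src/aws.zig the removed line was redundant — either way a one-line comment next to the `_ = b.addModule("aws", .{` call saying why the exe does not need it would save the next reader the question. The same `// Expose module to others` comment now sits above both `addModule` calls; one comment above the pair, naming both modules, reads better. The new `aws-signing` module is declared with only a `smithy` dependency, while the README's dependency tree lists aws_signing as depending on aws_http_base, aws_authentication and date; if those are reached by relative `@import` inside src that is fine, but it is worth confirming the module builds in isolation for an external consumer. `build` starts before and continues past this hunk.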
|
|
|
@ -31,11 +31,12 @@ const log = std.log.scoped(.aws_signing);
|
||||||
// // If true, this parameter is still added, but omitted from the canonical request.
|
// // If true, this parameter is still added, but omitted from the canonical request.
|
||||||
// omit_session_token: bool = true,
|
// omit_session_token: bool = true,
|
||||||
// };
|
// };
|
||||||
|
pub const Credentials = auth.Credentials;
|
||||||
|
|
||||||
pub const Config = struct {
|
pub const Config = struct {
|
||||||
// These two should be all you need to set most of the time
|
// These two should be all you need to set most of the time
|
||||||
service: []const u8,
|
service: []const u8,
|
||||||
credentials: auth.Credentials,
|
credentials: Credentials,
|
||||||
|
|
||||||
region: []const u8 = "aws-global",
|
region: []const u8 = "aws-global",
|
||||||
// https://github.com/awslabs/aws-c-auth/blob/ace1311f8ef6ea890b26dd376031bed2721648eb/include/aws/auth/signing_config.h#L38
|
// https://github.com/awslabs/aws-c-auth/blob/ace1311f8ef6ea890b26dd376031bed2721648eb/include/aws/auth/signing_config.h#L38
|
||||||
|
@ -282,8 +283,8 @@ pub fn freeSignedRequest(allocator: std.mem.Allocator, request: *base.Request, c
|
||||||
allocator.free(request.headers);
|
allocator.free(request.headers);
|
||||||
}
|
}
|
||||||
|
|
||||||
pub const CredentialsFn = *const fn ([]const u8) ?auth.Credentials;
|
pub const credentialsFn = *const fn ([]const u8) ?Credentials;
|
||||||
pub fn verify(allocator: std.mem.Allocator, request: std.http.Server.Request, request_body_reader: anytype, credentials_fn: CredentialsFn) !bool {
|
pub fn verify(allocator: std.mem.Allocator, request: std.http.Server.Request, request_body_reader: anytype, credentials_fn: credentialsFn) !bool {
|
||||||
// Authorization: AWS4-HMAC-SHA256 Credential=ACCESS/20230908/us-west-2/s3/aws4_request, SignedHeaders=accept;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class, Signature=fcc43ce73a34c9bd1ddf17e8a435f46a859812822f944f9eeb2aabcd64b03523
|
// Authorization: AWS4-HMAC-SHA256 Credential=ACCESS/20230908/us-west-2/s3/aws4_request, SignedHeaders=accept;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-storage-class, Signature=fcc43ce73a34c9bd1ddf17e8a435f46a859812822f944f9eeb2aabcd64b03523
|
||||||
const auth_header = request.headers.getFirstValue("Authorization").?;
|
const auth_header = request.headers.getFirstValue("Authorization").?;
|
||||||
if (!std.mem.startsWith(u8, auth_header, "AWS4-HMAC-SHA256")) return error.UnsupportedAuthorizationType;
|
if (!std.mem.startsWith(u8, auth_header, "AWS4-HMAC-SHA256")) return error.UnsupportedAuthorizationType;
|
||||||
|
@ -327,7 +328,7 @@ fn verifyParsedAuthorization(
|
||||||
credential: []const u8,
|
credential: []const u8,
|
||||||
signed_headers: []const u8,
|
signed_headers: []const u8,
|
||||||
signature: []const u8,
|
signature: []const u8,
|
||||||
credentials_fn: CredentialsFn,
|
credentials_fn: credentialsFn,
|
||||||
) !bool {
|
) !bool {
|
||||||
// AWS4-HMAC-SHA256
|
// AWS4-HMAC-SHA256
|
||||||
// Credential=ACCESS/20230908/us-west-2/s3/aws4_request
|
// Credential=ACCESS/20230908/us-west-2/s3/aws4_request
|
||||||
|
@ -933,7 +934,7 @@ test "canonical request" {
|
||||||
};
|
};
|
||||||
const access_key = try allocator.dupe(u8, "AKIDEXAMPLE");
|
const access_key = try allocator.dupe(u8, "AKIDEXAMPLE");
|
||||||
const secret_key = try allocator.dupe(u8, "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY");
|
const secret_key = try allocator.dupe(u8, "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY");
|
||||||
const credential = auth.Credentials.init(allocator, access_key, secret_key, null);
|
const credential = Credentials.init(allocator, access_key, secret_key, null);
|
||||||
defer credential.deinit();
|
defer credential.deinit();
|
||||||
const request = try createCanonicalRequest(allocator, req, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", .{
|
const request = try createCanonicalRequest(allocator, req, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", .{
|
||||||
.region = "us-west-2", // us-east-1
|
.region = "us-west-2", // us-east-1
|
||||||
|
@ -999,7 +1000,7 @@ test "can sign" {
|
||||||
|
|
||||||
const access_key = try allocator.dupe(u8, "AKIDEXAMPLE");
|
const access_key = try allocator.dupe(u8, "AKIDEXAMPLE");
|
||||||
const secret_key = try allocator.dupe(u8, "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY");
|
const secret_key = try allocator.dupe(u8, "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY");
|
||||||
const credential = auth.Credentials.init(allocator, access_key, secret_key, null);
|
const credential = Credentials.init(allocator, access_key, secret_key, null);
|
||||||
defer credential.deinit();
|
defer credential.deinit();
|
||||||
// we could look at sigv4 signing tests at:
|
// we could look at sigv4 signing tests at:
|
||||||
// https://github.com/awslabs/aws-c-auth/blob/ace1311f8ef6ea890b26dd376031bed2721648eb/tests/sigv4_signing_tests.c#L1478
|
// https://github.com/awslabs/aws-c-auth/blob/ace1311f8ef6ea890b26dd376031bed2721648eb/tests/sigv4_signing_tests.c#L1478
|
||||||
|
@ -1027,13 +1028,13 @@ test "can sign" {
|
||||||
try std.testing.expectEqualStrings(expected_auth, signed_req.headers[signed_req.headers.len - 1].value);
|
try std.testing.expectEqualStrings(expected_auth, signed_req.headers[signed_req.headers.len - 1].value);
|
||||||
}
|
}
|
||||||
|
|
||||||
var test_credential: ?auth.Credentials = null;
|
var test_credential: ?Credentials = null;
|
||||||
test "can verify" {
|
test "can verify" {
|
||||||
const allocator = std.testing.allocator;
|
const allocator = std.testing.allocator;
|
||||||
|
|
||||||
const access_key = try allocator.dupe(u8, "ACCESS");
|
const access_key = try allocator.dupe(u8, "ACCESS");
|
||||||
const secret_key = try allocator.dupe(u8, "SECRET");
|
const secret_key = try allocator.dupe(u8, "SECRET");
|
||||||
test_credential = auth.Credentials.init(allocator, access_key, secret_key, null);
|
test_credential = Credentials.init(allocator, access_key, secret_key, null);
|
||||||
defer test_credential.?.deinit();
|
defer test_credential.?.deinit();
|
||||||
|
|
||||||
var headers = std.http.Headers.init(allocator);
|
var headers = std.http.Headers.init(allocator);
|
||||||
|
@ -1064,10 +1065,10 @@ test "can verify" {
|
||||||
|
|
||||||
// std.testing.log_level = .debug;
|
// std.testing.log_level = .debug;
|
||||||
try std.testing.expect(try verify(allocator, request, fis.reader(), struct {
|
try std.testing.expect(try verify(allocator, request, fis.reader(), struct {
|
||||||
cred: auth.Credentials,
|
cred: Credentials,
|
||||||
|
|
||||||
const Self = @This();
|
const Self = @This();
|
||||||
fn getCreds(access: []const u8) ?auth.Credentials {
|
fn getCreds(access: []const u8) ?Credentials {
|
||||||
if (std.mem.eql(u8, access, "ACCESS")) return test_credential.?;
|
if (std.mem.eql(u8, access, "ACCESS")) return test_credential.?;
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
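Review bot: The rename of `CredentialsFn` to `credentialsFn` at `pub const credentialsFn = *const fn ([]const u8) ?Credentials;` goes against Zig's naming convention, where a declaration that is a type (this is a function-pointer type, not a function) is TitleCase; the original `CredentialsFn` was the conventional form and should be kept, and the same applies to the `verify` signature in this hunk and the `credentials_fn: credentialsFn` parameter of `verifyParsedAuthorization` in the following one. Suggested lines: `pub const CredentialsFn = *const fn ([]const u8) ?Credentials;` with the two parameter types reverted to `credentials_fn: CredentialsFn`. Separately, `verify` still unwraps the header with `request.headers.getFirstValue("Authorization").?`, so a request with no Authorization header panics the verifying server instead of failing verification; an `orelse return error.MissingAuthorizationHeader` (constructed name) would make that path a returned error like the `UnsupportedAuthorizationType` case on the next line. `verify` and `verifyParsedAuthorization` both continue outside their hunks.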