feat: aws signature unit test w/ payload hash

Author: shawnhankim

core/awscredentials.js

@@ -68,16 +68,19 @@ function sessionToken(r) {
 }
 
 /**
- * Get the instance profile credentials needed to authenticated against S3 from
+ * Get the instance profile credentials needed to authenticate against Lambda from
  * a backend cache. If the credentials cannot be found, then return undefined.
  * @param r {Request} HTTP request object (not used, but required for NGINX configuration)
  * @returns {undefined|{accessKeyId: (string), secretAccessKey: (string), sessionToken: (string|null), expiration: (string|null)}} AWS instance profile credentials or undefined
  */
 function readCredentials(r) {
     // TODO: Change the generic constants naming for multiple AWS services.
     if ('AWS_ACCESS_KEY_ID' in process.env && 'AWS_SECRET_ACCESS_KEY' in process.env) {
-        const sessionToken = 'AWS_SESSION_TOKEN' in process.env ?
-                              process.env['AWS_SESSION_TOKEN'] : null;
+        let sessionToken = 'AWS_SESSION_TOKEN' in process.env ?
+            process.env['AWS_SESSION_TOKEN'] : null;
+        if (sessionToken != null && sessionToken.length === 0) {
+            sessionToken = null;
+        }
         return {
             accessKeyId: process.env['AWS_ACCESS_KEY_ID'],
             secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'],
@@ -207,8 +210,8 @@ function _writeCredentialsToFile(credentials) {
 
 /**
  * Get the credentials needed to create AWS signatures in order to authenticate
- * to S3. If the gateway is being provided credentials via a instance profile
- * credential as provided over the metadata endpoint, this function will:
+ * to AWS service. If the gateway is being provided credentials via a instance 
+ * profile credential as provided over the metadata endpoint, this function will:
  * 1. Try to read the credentials from cache
  * 2. Determine if the credentials are stale
  * 3. If the cached credentials are missing or stale, it gets new credentials
@@ -265,10 +268,10 @@ async function fetchCredentials(r) {
             return;
         }
     }
-    else if(process.env['AWS_WEB_IDENTITY_TOKEN_FILE']) {
+    else if (process.env['AWS_WEB_IDENTITY_TOKEN_FILE']) {
         try {
             credentials = await _fetchWebIdentityCredentials(r)
-        } catch(e) {
+        } catch (e) {
             utils.debug_log(r, 'Could not assume role using web identity: ' + JSON.stringify(e));
             r.return(500);
             return;
@@ -367,7 +370,7 @@ async function _fetchEC2RoleCredentials() {
  */
 async function _fetchWebIdentityCredentials(r) {
     const arn = process.env['AWS_ROLE_ARN'];
-    const name = process.env['HOSTNAME'] || 'nginx-s3-gateway';
+    const name = process.env['HOSTNAME'] || 'nginx-lambda-gateway';
 
     let sts_endpoint = process.env['STS_ENDPOINT'];
     if (!sts_endpoint) {

core/awssig4.js

@@ -14,7 +14,8 @@
  *  limitations under the License.
  */
 
-import utils from "./utils.js";
+import awscred from "./awscredentials.js";
+import utils   from "./utils.js";
 
 const mod_hmac = require('crypto');
 
@@ -28,8 +29,8 @@ const EMPTY_PAYLOAD_HASH = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495
  * Constant defining the headers being signed.
  * @type {string}
  */
-const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
-
+// const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
+const DEFAULT_SIGNED_HEADERS = 'host;x-amz-date';
 
 /**
  * Create HTTP Authorization header for authenticating with an AWS compatible
@@ -48,13 +49,13 @@ const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
 function signatureV4(r, timestamp, region, service, uri, queryParams, host, credentials) {
     const eightDigitDate = utils.getEightDigitDate(timestamp);
     const amzDatetime = utils.getAmzDatetime(timestamp, eightDigitDate);
-    const canonicalRequest = _buildCanonicalRequest(
+    const canonicalRequest = _buildCanonicalRequest(r,
         r.method, uri, queryParams, host, amzDatetime, credentials.sessionToken);
     const signature = _buildSignatureV4(r, amzDatetime, eightDigitDate,
         credentials, region, service, canonicalRequest);
     const authHeader = 'AWS4-HMAC-SHA256 Credential='
         .concat(credentials.accessKeyId, '/', eightDigitDate, '/', region, '/', service, '/aws4_request,',
-            'SignedHeaders=', _signedHeaders(credentials.sessionToken), ',Signature=', signature);
+            'SignedHeaders=', _signedHeaders(r, credentials.sessionToken), ',Signature=', signature);
 
     utils.debug_log(r, 'AWS v4 Auth header: [' + authHeader + ']');
 
@@ -73,22 +74,22 @@ function signatureV4(r, timestamp, region, service, uri, queryParams, host, cred
  * @returns {string} string with concatenated request parameters
  * @private
  */
-function _buildCanonicalRequest(method, uri, queryParams, host, amzDatetime, sessionToken) {
+function _buildCanonicalRequest(r,
+    method, uri, queryParams, host, amzDatetime, sessionToken) {
+    const payloadHash = awsHeaderPayloadHash(r);
     let canonicalHeaders = 'host:' + host + '\n' +
-        'x-amz-content-sha256:' + EMPTY_PAYLOAD_HASH + '\n' +
-        'x-amz-date:' + amzDatetime + '\n';
+                           'x-amz-date:' + amzDatetime + '\n';
 
-    if (sessionToken) {
+    if (sessionToken && sessionToken.length > 0) {
         canonicalHeaders += 'x-amz-security-token:' + sessionToken + '\n'
     }
 
     let canonicalRequest = method + '\n';
     canonicalRequest += uri + '\n';
     canonicalRequest += queryParams + '\n';
     canonicalRequest += canonicalHeaders + '\n';
-    canonicalRequest += _signedHeaders(sessionToken) + '\n';
-    canonicalRequest += EMPTY_PAYLOAD_HASH;
-
+    canonicalRequest += _signedHeaders(r, sessionToken) + '\n';
+    canonicalRequest += payloadHash;
     return canonicalRequest;
 }
 
@@ -119,7 +120,7 @@ function _buildSignatureV4(
     const stringToSign = _buildStringToSign(
         amzDatetime, eightDigitDate, region, service, canonicalRequestHash);
 
-        utils.debug_log(r, 'AWS v4 Auth Signing String: [' + stringToSign + ']');
+    utils.debug_log(r, 'AWS v4 Auth Signing String: [' + stringToSign + ']');
 
     let kSigningHash;
 
@@ -145,13 +146,13 @@ function _buildSignatureV4(
              * we encode it as JSON. By doing so we can gracefully decode it
              * when reading from the cache. */
             kSigningHash = Buffer.from(JSON.parse(fields[1]));
-        // Otherwise, generate a new signing key hash and store it in the cache
+            // Otherwise, generate a new signing key hash and store it in the cache
         } else {
             kSigningHash = _buildSigningKeyHash(creds.secretAccessKey, eightDigitDate, region, service);
             utils.debug_log(r, 'Writing key: ' + eightDigitDate + ':' + kSigningHash.toString('hex'));
             r.variables.signing_key_hash = eightDigitDate + ':' + JSON.stringify(kSigningHash);
         }
-    // Otherwise, don't use caching at all (like when we are using NGINX OSS)
+        // Otherwise, don't use caching at all (like when we are using NGINX OSS)
     } else {
         kSigningHash = _buildSigningKeyHash(creds.secretAccessKey, eightDigitDate, region, service);
     }
@@ -190,13 +191,15 @@ function _buildStringToSign(amzDatetime, eightDigitDate, region, service, canoni
  * Creates a string containing the headers that need to be signed as part of v4
  * signature authentication.
  *
+ * @param r {Request} HTTP request object
  * @param sessionToken {string|undefined} AWS session token if present
  * @returns {string} semicolon delimited string of the headers needed for signing
  * @private
  */
-function _signedHeaders(sessionToken) {
-    let headers = DEFAULT_SIGNED_HEADERS;
-    if (sessionToken) {
+function _signedHeaders(r, sessionToken) {
+    let headers = '';
+    headers += DEFAULT_SIGNED_HEADERS;
+    if (sessionToken && sessionToken.length > 0) {
         headers += ';x-amz-security-token';
     }
     return headers;
@@ -250,8 +253,40 @@ function _splitCachedValues(cached) {
     return [eightDigitDate, kSigningHash]
 }
 
+/**
+ * Outputs the timestamp used to sign the request, so that it can be added to
+ * the 'x-amz-date' header and sent by NGINX. The output format is
+ * ISO 8601: YYYYMMDD'T'HHMMSS'Z'.
+ * @see {@link https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html | Handling dates in Signature Version 4}
+ *
+ * @param r {Request} HTTP request object (not used, but required for NGINX configuration)
+ * @returns {string} ISO 8601 timestamp
+ */
+function awsHeaderDate(r) {
+    return utils.getAmzDatetime(
+        awscred.getNow(),
+        utils.getEightDigitDate(awscred.getNow())
+    );
+}
+
+/**
+ * Return a payload hash in the header
+ *
+ * @param r {Request} HTTP request object
+ * @returns {string} payload hash
+ */
+function awsHeaderPayloadHash(r) {
+    const reqBody = (r.variables.request_body === 'undefined') ? '':
+                     r.variables.request_body;
+    const payloadHash = mod_hmac.createHash('sha256', 'utf8')
+        .update(reqBody)
+        .digest('hex');
+    return payloadHash;
+}
 
 export default {
+    awsHeaderDate,
+    awsHeaderPayloadHash,
     signatureV4,
     // These functions do not need to be exposed, but they are exposed so that
     // unit tests can run against them.

core/utils.js

@@ -19,7 +19,7 @@
  * about signature generation will be logged.
  * @type {boolean}
  */
-const DEBUG = parseBoolean(process.env['S3_DEBUG']);
+const DEBUG = parseBoolean(process.env['DEBUG']);
 
 
 /**
@@ -127,11 +127,27 @@ function getEightDigitDate(timestamp) {
         padWithLeadingZeros(day,2));
 }
 
+
+/**
+ * Checks to see if the given environment variable is present. If not, an error
+ * is thrown.
+ * @param envVarName {string} environment variable to check for
+ * @private
+ */
+function requireEnvVar(envVarName) {
+    const isSet = envVarName in process.env;
+
+    if (!isSet) {
+        throw('Required environment variable ' + envVarName + ' is missing');
+    }
+}
+
 export default {
     debug_log,
     getAmzDatetime,
     getEightDigitDate,
     padWithLeadingZeros,
     parseArray,
-    parseBoolean
+    parseBoolean,
+    requireEnvVar
 }

tests/unit-test/awssig2_test.js

@@ -43,34 +43,6 @@ function _runSignatureV2(r) {
     }
 }
 
-
-/**
- * Generate some of request parameters for AWS signature version 2
- *
- * @see {@link https://docs.aws.amazon.com/AmazonS3/latest/userguide/auth-request-sig-v2.html | AWS signature version 2}
- * @param r {Request} HTTP request object
- * @param bucket {string} S3 bucket associated with request
- * @returns s3ReqParams {object} s3ReqParams object (host, method, uri, queryParams)
- * @private
- */
-function _s3ReqParamsForSigV2(r, bucket) {
-    /* If the source URI is a directory, we are sending to S3 a query string
-     * local to the root URI, so this is what we need to encode within the
-     * string to sign. For example, if we are requesting /bucket/dir1/ from
-     * nginx, then in S3 we need to request /?delimiter=/&prefix=dir1/
-     * Thus, we can't put the path /dir1/ in the string to sign. */
-    let uri = _isDirectory(r.variables.uri_path) ? '/' : r.variables.uri_path;
-    // To return index pages + index.html
-    if (PROVIDE_INDEX_PAGE && _isDirectory(r.variables.uri_path)){
-        uri = r.variables.uri_path + INDEX_PAGE
-    }
- 
-    return {
-        uri: '/' + bucket + uri,
-        httpDate: s3date(r)
-    };
-}
-
 function testSignatureV2() {
     printHeader('testSignatureV2');
     // Note: since this is a read-only gateway, host, query parameters and all

tests/unit-test/awssig4_test.js

@@ -71,12 +71,12 @@ function _runSignatureV4(r) {
         queryParams : '',
         host: bucket.concat('.', server)
     }
-    const canonicalRequest = awssig4._buildCanonicalRequest(
+    const canonicalRequest = awssig4._buildCanonicalRequest(r, 
         r.method, req.uri, req.queryParams, req.host, amzDatetime, creds.sessionToken);
 
-    var expected = 'cf4dd9e1d28c74e2284f938011efc8230d0c20704f56f67e4a3bfc2212026bec';
-    var signature = awssig4._buildSignatureV4(
-        r, amzDatetime, eightDigitDate, creds, region, service, canonicalRequest);
+    var expected = '600721cacc21e3de14416de7517868381831f4709e5c5663bbf2b738e4d5abe4';
+    var signature = awssig4._buildSignatureV4(r, 
+        amzDatetime, eightDigitDate, creds, region, service, canonicalRequest);
 
     if (signature !== expected) {
         throw 'V4 signature hash was not created correctly.\n' +
@@ -110,6 +110,7 @@ function testSignatureV4() {
             "foo" : "bar"
         },
         "variables" : {
+            "request_body": "",
             "uri_path": "/a/c/ramen.jpg"
         },
         "status" : 0
@@ -144,6 +145,7 @@ function testSignatureV4Cache() {
         },
         "variables": {
             "cache_signing_key_enabled": 1,
+            "request_body": "",
             "uri_path": "/a/c/ramen.jpg"
         },
         "status" : 0