debugging signing with SigV4 - found IBM's signing code - adapting

CaffeineFusion · CaffeineFusion · commit b351a4689fa2 · 2019-01-23T12:08:51.000+11:00
diff --git a/src/bluemix/README.MD b/src/bluemix/README.MD
@@ -2,4 +2,5 @@
 
 
 ## Notes
-Cloud functions not currently supported in au-syd.
+Cloud functions not currently supported in au-syd.   
+For Cloud Storage to generate Presigned URLS you need a credential with HMAC enabled.
diff --git a/src/bluemix/experiments/get.js b/src/bluemix/experiments/get.js
@@ -1 +1,42 @@
-// Example with signed URL https://github.com/ibm-functions/template-cloud-object-storage/blob/master/runtimes/nodejs/actions/app.js
+'use strict';
+
+const Storage = require('ibm-cos-sdk');
+
+const config = require('./../config.json');
+const key = require('./../keys/ibm_storage.json');
+
+const s3Config = {
+	endpoint: 's3.au-syd.cloud-object-storage.appdomain.cloud',
+	apiKeyId: key.apikey,
+	ibmAuthEndpoint: 'https://iam.ng.bluemix.net/oidc/token',
+	serviceInstanceId: key.resource_instance_id,
+};
+
+let storage = new Storage.S3(s3Config);
+
+/**
+ * Returns a Signed URL to access the uploaded file
+ * TODO: set expiry date to match the bucket's expiry rules for files
+ */
+function getURL(fileName, bucketName) {
+	let params = { Bucket: bucketName, Key: fileName, Expires: 600 };
+	return new Promise((resolve, reject) => {
+		storage.getSignedUrl('getObject', params, function(err, url) {
+			if (err) reject(err);
+			else resolve(url);
+		});
+	});
+}
+
+exports.get = function (fileName) {
+	return getURL(fileName, config.bucket_name);
+};
+
+
+/*
+HMAC Requirements:
+- All requests must have an x-amz-date header with the date in %Y%m%dT%H%M%SZ format.
+- Any request that has a payload (object uploads, deleting multiple objects, etc.) must provide a x-amz-content-sha256 header with a SHA256 hash of the payload contents.
+- ACLs (other than public-read) are unsupported.
+
+ */
diff --git a/src/bluemix/experiments/signing.js b/src/bluemix/experiments/signing.js
@@ -0,0 +1,164 @@
+'use strict';
+
+// Initial template modifier from https://console.bluemix.net/docs/services/cloud-object-storage/hmac/presigned-urls.html#create-a-presigned-url
+
+const crypto = require('crypto');
+const moment = require('moment');
+const https = require('https');
+
+const config = require('./../config.json');
+const key = require('./../keys/ibm_storage.json');
+
+const accessKey = key.cos_hmac_keys.access_key_id;
+const secretKey = key.cos_hmac_keys.secret_access_key;
+const httpMethod = 'GET';
+const host = '{endpoint}';
+const region = '';
+const endpoint = 'https://' + host;
+const bucket = 'example-bucket';
+const objectKey = 'example-object'
+const expiration = 86400  // time in seconds
+
+// hashing and signing methods
+function hash(key, msg) {
+    var hmac = crypto.createHmac('sha256', key);
+    hmac.update(msg, 'utf8');
+    return hmac.digest();
+}
+
+function hmacHex(key, msg) {
+    var hmac = crypto.createHmac('sha256', key);
+    hmac.update(msg, 'utf8');
+    return hmac.digest('hex');
+}
+
+function hashHex(msg) {
+    var hash = crypto.createHash('sha256');
+    hash.update(msg);
+    return hash.digest('hex');
+}
+
+// region is a wildcard value that takes the place of the AWS region value
+// as COS doesn't use the same conventions for regions, this parameter can accept any string
+function createSignatureKey(key, datestamp, region, service) {
+    keyDate = hash(('AWS4' + key), datestamp);
+    keyString = hash(keyDate, region);
+    keyService = hash(keyString, service);
+    keySigning = hash(keyService, 'aws4_request');
+    return keySigning;
+}
+
+function createHexSignatureKey(key, datestamp, region, service) {
+    keyDate = hashHex(('AWS4' + key), datestamp);
+    keyString = hashHex(keyDate, region);
+    keyService = hashHex(keyString, service);
+    keySigning = hashHex(keyService, 'aws4_request');
+    return keySigning;
+}
+
+function printDebug() {
+    // this information can be helpful in troubleshooting, or to better
+    // understand what goes into signature creation
+    console.log('These are the values used to construct this request.');
+    console.log('Request details -----------------------------------------');
+    console.log(`httpMethod: ${httpMethod}`);
+    console.log(`host: ${host}`);
+    console.log(`region: ${region}`);
+    console.log(`endpoint: ${endpoint}`);
+    console.log(`bucket: ${bucket}`);
+    console.log(`objectKey: ${objectKey}`);
+    console.log(`timestamp: ${timestamp}`);
+    console.log(`datestamp: ${datestamp}`);
+
+    console.log('Standardized request details ----------------------------');
+    console.log(`standardizedResource: ${standardizedResource}`);
+    console.log(`standardizedQuerystring: ${standardizedQuerystring}`);
+    console.log(`standardizedHeaders: ${standardizedHeaders}`);
+    console.log(`signedHeaders: ${signedHeaders}`);
+    console.log(`payloadHash: ${payloadHash}`);
+    console.log(`standardizedRequest: ${standardizedRequest}`);
+
+    console.log('String-to-sign details ----------------------------------');
+    console.log(`credentialScope: ${credentialScope}`);
+    console.log(`string-to-sign: ${sts}`);
+    console.log(`signatureKey: ${signatureKey}`);
+    console.log(`signature: ${signature}`);
+
+    console.log('Because the signature key has non-ASCII characters, it is');
+    console.log('necessary to create a hexadecimal digest for the purposes');
+    console.log('of checking against this example.');
+
+    signatureKeyHex = createHexSignatureKey(secretKey, datestamp, region, 's3')
+
+    console.log(`signatureKey (hexidecimal): ${signatureKeyHex}`);
+
+    console.log('Header details ------------------------------------------');
+    console.log(`pre-signed url: ${requestUrl}`);
+}
+
+// assemble the standardized request
+var time = moment().utc();
+var timestamp = time.format('YYYYMMDDTHHmmss') + 'Z';
+var datestamp = time.format('YYYYMMDD');
+
+var standardizedQuerystring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256' +
+    '&X-Amz-Credential=' + encodeURIComponent(accessKey + '/' + datestamp + '/' + region + '/s3/aws4_request') +
+    '&X-Amz-Date=' + timestamp +
+    '&X-Amz-Expires=' + expiration.toString() +
+    '&X-Amz-SignedHeaders=host';
+
+var standardizedResource = '/' + bucket + '/' + objectKey;
+
+var payloadHash = 'UNSIGNED-PAYLOAD';
+var standardizedHeaders = 'host:' + host;
+var signedHeaders = 'host';
+
+var standardizedRequest = httpMethod + '\n' +
+    standardizedResource + '\n' +
+    standardizedQuerystring + '\n' +
+    standardizedHeaders + '\n' +
+    '\n' +
+    signedHeaders + '\n' +
+    payloadHash;
+
+// assemble string-to-sign
+var hashingAlgorithm = 'AWS4-HMAC-SHA256';
+var credentialScope = datestamp + '/' + region + '/' + 's3' + '/' + 'aws4_request';
+var sts = hashingAlgorithm + '\n' +
+    timestamp + '\n' +
+    credentialScope + '\n' +
+    hashHex(standardizedRequest);
+
+// generate the signature
+signatureKey = createSignatureKey(secretKey, datestamp, region, 's3');
+signature = hmacHex(signatureKey, sts);
+
+// create and send the request
+// the 'requests' package autmatically adds the required 'host' header
+var requestUrl = endpoint + '/' +
+    bucket + '/' +
+    objectKey + '?' +
+    standardizedQuerystring +
+    '&X-Amz-Signature=' +
+    signature;
+
+console.log(`requestUrl: ${requestUrl}`);
+
+console.log(`\nSending ${httpMethod} request to IBM COS -----------------------`);
+console.log('Request URL = ' + requestUrl);
+
+// create and send the request
+console.log(`\nSending ${httpMethod} request to IBM COS -----------------------`);
+console.log('Request URL = ' + requestUrl);
+
+var request = https.get(requestUrl, function (response) {
+    console.log('\nResponse from IBM COS ----------------------------------');
+    console.log(`Response code: ${response.statusCode}\n`);
+
+    response.on('data', function (chunk) {
+        console.log('Response: ' + chunk);
+        printDebug();
+    });
+});
+
+request.end();
diff --git a/src/bluemix/experiments/upload.js b/src/bluemix/experiments/upload.js
@@ -1,8 +1,5 @@
 'use strict';
 
-//https://github.com/IBM-Cloud/node-file-upload-S3/blob/master/server.js
-//https://github.com/balderdashy/skipper-s3/blob/master/index.js
-
 const request = require('request');
 const path = require('path');
 const Storage = require('ibm-cos-sdk');
@@ -73,4 +70,9 @@ exports.upload = function (url) {
   });//œ
 
 }//ƒ
+
+//for future exploration:
+
+//https://github.com/IBM-Cloud/node-file-upload-S3/blob/master/server.js
+//https://github.com/balderdashy/skipper-s3/blob/master/index.js
  */
diff --git a/src/bluemix/package-lock.json b/src/bluemix/package-lock.json
diff --git a/src/bluemix/package.json b/src/bluemix/package.json
@@ -18,7 +18,10 @@
 	"author": "Owen Smith",
 	"license": "MIT",
 	"dependencies": {
+		"crypto": "^1.0.1",
+		"https": "^1.0.0",
 		"ibm-cos-sdk": "^1.4.1",
+		"moment": "^2.24.0",
 		"request": "^2.88.0",
 		"uuidv4": "^2.0.0"
 	},
