Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
MR414N-ID
GitHub Repository: MR414N-ID/botku2
 Path: blob/master/node_modules/aws4/aws4.js
1126 views
1
var aws4 = exports,

2
    url = require('url'),

3
    querystring = require('querystring'),

4
    crypto = require('crypto'),

5
    lru = require('./lru'),

6
    credentialsCache = lru(1000)

7


8
// http://docs.amazonwebservices.com/general/latest/gr/signature-version-4.html

9


10
function hmac(key, string, encoding) {

11
  return crypto.createHmac('sha256', key).update(string, 'utf8').digest(encoding)

12
}

13


14
function hash(string, encoding) {

15
  return crypto.createHash('sha256').update(string, 'utf8').digest(encoding)

16
}

17


18
// This function assumes the string has already been percent encoded

19
function encodeRfc3986(urlEncodedString) {

20
  return urlEncodedString.replace(/[!'()*]/g, function(c) {

21
    return '%' + c.charCodeAt(0).toString(16).toUpperCase()

22
  })

23
}

24


25
function encodeRfc3986Full(str) {

26
  return encodeRfc3986(encodeURIComponent(str))

27
}

28


29
// A bit of a combination of:

30
// https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59

31
// https://github.com/aws/aws-sdk-js/blob/18cb7e5b463b46239f9fdd4a65e2ff8c81831e8f/lib/signers/v4.js#L191-L199

32
// https://github.com/mhart/aws4fetch/blob/b3aed16b6f17384cf36ea33bcba3c1e9f3bdfefd/src/main.js#L25-L34

33
var HEADERS_TO_IGNORE = {

34
  'authorization': true,

35
  'connection': true,

36
  'x-amzn-trace-id': true,

37
  'user-agent': true,

38
  'expect': true,

39
  'presigned-expires': true,

40
  'range': true,

41
}

42


43
// request: { path | body, [host], [method], [headers], [service], [region] }

44
// credentials: { accessKeyId, secretAccessKey, [sessionToken] }

45
function RequestSigner(request, credentials) {

46


47
  if (typeof request === 'string') request = url.parse(request)

48


49
  var headers = request.headers = (request.headers || {}),

50
      hostParts = (!this.service || !this.region) && this.matchHost(request.hostname || request.host || headers.Host || headers.host)

51


52
  this.request = request

53
  this.credentials = credentials || this.defaultCredentials()

54


55
  this.service = request.service || hostParts[0] || ''

56
  this.region = request.region || hostParts[1] || 'us-east-1'

57


58
  // SES uses a different domain from the service name

59
  if (this.service === 'email') this.service = 'ses'

60


61
  if (!request.method && request.body)

62
    request.method = 'POST'

63


64
  if (!headers.Host && !headers.host) {

65
    headers.Host = request.hostname || request.host || this.createHost()

66


67
    // If a port is specified explicitly, use it as is

68
    if (request.port)

69
      headers.Host += ':' + request.port

70
  }

71
  if (!request.hostname && !request.host)

72
    request.hostname = headers.Host || headers.host

73


74
  this.isCodeCommitGit = this.service === 'codecommit' && request.method === 'GIT'

75
}

76


77
RequestSigner.prototype.matchHost = function(host) {

78
  var match = (host || '').match(/([^\.]+)\.(?:([^\.]*)\.)?amazonaws\.com(\.cn)?$/)

79
  var hostParts = (match || []).slice(1, 3)

80


81
  // ES's hostParts are sometimes the other way round, if the value that is expected

82
  // to be region equals ‘es’ switch them back

83
  // e.g. search-cluster-name-aaaa00aaaa0aaa0aaaaaaa0aaa.us-east-1.es.amazonaws.com

84
  if (hostParts[1] === 'es')

85
    hostParts = hostParts.reverse()

86


87
  if (hostParts[1] == 's3') {

88
    hostParts[0] = 's3'

89
    hostParts[1] = 'us-east-1'

90
  } else {

91
    for (var i = 0; i < 2; i++) {

92
      if (/^s3-/.test(hostParts[i])) {

93
        hostParts[1] = hostParts[i].slice(3)

94
        hostParts[0] = 's3'

95
        break

96
      }

97
    }

98
  }

99


100
  return hostParts

101
}

102


103
// http://docs.aws.amazon.com/general/latest/gr/rande.html

104
RequestSigner.prototype.isSingleRegion = function() {

105
  // Special case for S3 and SimpleDB in us-east-1

106
  if (['s3', 'sdb'].indexOf(this.service) >= 0 && this.region === 'us-east-1') return true

107


108
  return ['cloudfront', 'ls', 'route53', 'iam', 'importexport', 'sts']

109
    .indexOf(this.service) >= 0

110
}

111


112
RequestSigner.prototype.createHost = function() {

113
  var region = this.isSingleRegion() ? '' : '.' + this.region,

114
      subdomain = this.service === 'ses' ? 'email' : this.service

115
  return subdomain + region + '.amazonaws.com'

116
}

117


118
RequestSigner.prototype.prepareRequest = function() {

119
  this.parsePath()

120


121
  var request = this.request, headers = request.headers, query

122


123
  if (request.signQuery) {

124


125
    this.parsedPath.query = query = this.parsedPath.query || {}

126


127
    if (this.credentials.sessionToken)

128
      query['X-Amz-Security-Token'] = this.credentials.sessionToken

129


130
    if (this.service === 's3' && !query['X-Amz-Expires'])

131
      query['X-Amz-Expires'] = 86400

132


133
    if (query['X-Amz-Date'])

134
      this.datetime = query['X-Amz-Date']

135
    else

136
      query['X-Amz-Date'] = this.getDateTime()

137


138
    query['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'

139
    query['X-Amz-Credential'] = this.credentials.accessKeyId + '/' + this.credentialString()

140
    query['X-Amz-SignedHeaders'] = this.signedHeaders()

141


142
  } else {

143


144
    if (!request.doNotModifyHeaders && !this.isCodeCommitGit) {

145
      if (request.body && !headers['Content-Type'] && !headers['content-type'])

146
        headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=utf-8'

147


148
      if (request.body && !headers['Content-Length'] && !headers['content-length'])

149
        headers['Content-Length'] = Buffer.byteLength(request.body)

150


151
      if (this.credentials.sessionToken && !headers['X-Amz-Security-Token'] && !headers['x-amz-security-token'])

152
        headers['X-Amz-Security-Token'] = this.credentials.sessionToken

153


154
      if (this.service === 's3' && !headers['X-Amz-Content-Sha256'] && !headers['x-amz-content-sha256'])

155
        headers['X-Amz-Content-Sha256'] = hash(this.request.body || '', 'hex')

156


157
      if (headers['X-Amz-Date'] || headers['x-amz-date'])

158
        this.datetime = headers['X-Amz-Date'] || headers['x-amz-date']

159
      else

160
        headers['X-Amz-Date'] = this.getDateTime()

161
    }

162


163
    delete headers.Authorization

164
    delete headers.authorization

165
  }

166
}

167


168
RequestSigner.prototype.sign = function() {

169
  if (!this.parsedPath) this.prepareRequest()

170


171
  if (this.request.signQuery) {

172
    this.parsedPath.query['X-Amz-Signature'] = this.signature()

173
  } else {

174
    this.request.headers.Authorization = this.authHeader()

175
  }

176


177
  this.request.path = this.formatPath()

178


179
  return this.request

180
}

181


182
RequestSigner.prototype.getDateTime = function() {

183
  if (!this.datetime) {

184
    var headers = this.request.headers,

185
      date = new Date(headers.Date || headers.date || new Date)

186


187
    this.datetime = date.toISOString().replace(/[:\-]|\.\d{3}/g, '')

188


189
    // Remove the trailing 'Z' on the timestamp string for CodeCommit git access

190
    if (this.isCodeCommitGit) this.datetime = this.datetime.slice(0, -1)

191
  }

192
  return this.datetime

193
}

194


195
RequestSigner.prototype.getDate = function() {

196
  return this.getDateTime().substr(0, 8)

197
}

198


199
RequestSigner.prototype.authHeader = function() {

200
  return [

201
    'AWS4-HMAC-SHA256 Credential=' + this.credentials.accessKeyId + '/' + this.credentialString(),

202
    'SignedHeaders=' + this.signedHeaders(),

203
    'Signature=' + this.signature(),

204
  ].join(', ')

205
}

206


207
RequestSigner.prototype.signature = function() {

208
  var date = this.getDate(),

209
      cacheKey = [this.credentials.secretAccessKey, date, this.region, this.service].join(),

210
      kDate, kRegion, kService, kCredentials = credentialsCache.get(cacheKey)

211
  if (!kCredentials) {

212
    kDate = hmac('AWS4' + this.credentials.secretAccessKey, date)

213
    kRegion = hmac(kDate, this.region)

214
    kService = hmac(kRegion, this.service)

215
    kCredentials = hmac(kService, 'aws4_request')

216
    credentialsCache.set(cacheKey, kCredentials)

217
  }

218
  return hmac(kCredentials, this.stringToSign(), 'hex')

219
}

220


221
RequestSigner.prototype.stringToSign = function() {

222
  return [

223
    'AWS4-HMAC-SHA256',

224
    this.getDateTime(),

225
    this.credentialString(),

226
    hash(this.canonicalString(), 'hex'),

227
  ].join('\n')

228
}

229


230
RequestSigner.prototype.canonicalString = function() {

231
  if (!this.parsedPath) this.prepareRequest()

232


233
  var pathStr = this.parsedPath.path,

234
      query = this.parsedPath.query,

235
      headers = this.request.headers,

236
      queryStr = '',

237
      normalizePath = this.service !== 's3',

238
      decodePath = this.service === 's3' || this.request.doNotEncodePath,

239
      decodeSlashesInPath = this.service === 's3',

240
      firstValOnly = this.service === 's3',

241
      bodyHash

242


243
  if (this.service === 's3' && this.request.signQuery) {

244
    bodyHash = 'UNSIGNED-PAYLOAD'

245
  } else if (this.isCodeCommitGit) {

246
    bodyHash = ''

247
  } else {

248
    bodyHash = headers['X-Amz-Content-Sha256'] || headers['x-amz-content-sha256'] ||

249
      hash(this.request.body || '', 'hex')

250
  }

251


252
  if (query) {

253
    var reducedQuery = Object.keys(query).reduce(function(obj, key) {

254
      if (!key) return obj

255
      obj[encodeRfc3986Full(key)] = !Array.isArray(query[key]) ? query[key] :

256
        (firstValOnly ? query[key][0] : query[key])

257
      return obj

258
    }, {})

259
    var encodedQueryPieces = []

260
    Object.keys(reducedQuery).sort().forEach(function(key) {

261
      if (!Array.isArray(reducedQuery[key])) {

262
        encodedQueryPieces.push(key + '=' + encodeRfc3986Full(reducedQuery[key]))

263
      } else {

264
        reducedQuery[key].map(encodeRfc3986Full).sort()

265
          .forEach(function(val) { encodedQueryPieces.push(key + '=' + val) })

266
      }

267
    })

268
    queryStr = encodedQueryPieces.join('&')

269
  }

270
  if (pathStr !== '/') {

271
    if (normalizePath) pathStr = pathStr.replace(/\/{2,}/g, '/')

272
    pathStr = pathStr.split('/').reduce(function(path, piece) {

273
      if (normalizePath && piece === '..') {

274
        path.pop()

275
      } else if (!normalizePath || piece !== '.') {

276
        if (decodePath) piece = decodeURIComponent(piece.replace(/\+/g, ' '))

277
        path.push(encodeRfc3986Full(piece))

278
      }

279
      return path

280
    }, []).join('/')

281
    if (pathStr[0] !== '/') pathStr = '/' + pathStr

282
    if (decodeSlashesInPath) pathStr = pathStr.replace(/%2F/g, '/')

283
  }

284


285
  return [

286
    this.request.method || 'GET',

287
    pathStr,

288
    queryStr,

289
    this.canonicalHeaders() + '\n',

290
    this.signedHeaders(),

291
    bodyHash,

292
  ].join('\n')

293
}

294


295
RequestSigner.prototype.canonicalHeaders = function() {

296
  var headers = this.request.headers

297
  function trimAll(header) {

298
    return header.toString().trim().replace(/\s+/g, ' ')

299
  }

300
  return Object.keys(headers)

301
    .filter(function(key) { return HEADERS_TO_IGNORE[key.toLowerCase()] == null })

302
    .sort(function(a, b) { return a.toLowerCase() < b.toLowerCase() ? -1 : 1 })

303
    .map(function(key) { return key.toLowerCase() + ':' + trimAll(headers[key]) })

304
    .join('\n')

305
}

306


307
RequestSigner.prototype.signedHeaders = function() {

308
  return Object.keys(this.request.headers)

309
    .map(function(key) { return key.toLowerCase() })

310
    .filter(function(key) { return HEADERS_TO_IGNORE[key] == null })

311
    .sort()

312
    .join(';')

313
}

314


315
RequestSigner.prototype.credentialString = function() {

316
  return [

317
    this.getDate(),

318
    this.region,

319
    this.service,

320
    'aws4_request',

321
  ].join('/')

322
}

323


324
RequestSigner.prototype.defaultCredentials = function() {

325
  var env = process.env

326
  return {

327
    accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,

328
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,

329
    sessionToken: env.AWS_SESSION_TOKEN,

330
  }

331
}

332


333
RequestSigner.prototype.parsePath = function() {

334
  var path = this.request.path || '/'

335


336
  // S3 doesn't always encode characters > 127 correctly and

337
  // all services don't encode characters > 255 correctly

338
  // So if there are non-reserved chars (and it's not already all % encoded), just encode them all

339
  if (/[^0-9A-Za-z;,/?:@&=+$\-_.!~*'()#%]/.test(path)) {

340
    path = encodeURI(decodeURI(path))

341
  }

342


343
  var queryIx = path.indexOf('?'),

344
      query = null

345


346
  if (queryIx >= 0) {

347
    query = querystring.parse(path.slice(queryIx + 1))

348
    path = path.slice(0, queryIx)

349
  }

350


351
  this.parsedPath = {

352
    path: path,

353
    query: query,

354
  }

355
}

356


357
RequestSigner.prototype.formatPath = function() {

358
  var path = this.parsedPath.path,

359
      query = this.parsedPath.query

360


361
  if (!query) return path

362


363
  // Services don't support empty query string keys

364
  if (query[''] != null) delete query['']

365


366
  return path + '?' + encodeRfc3986(querystring.stringify(query))

367
}

368


369
aws4.RequestSigner = RequestSigner

370


371
aws4.sign = function(request, credentials) {

372
  return new RequestSigner(request, credentials).sign()

373
}

374


375