<?php declare(strict_types=1); namespace Sabre\HTTP\Auth; use Sabre\HTTP; /** * HTTP AWS Authentication handler. * * Use this class to leverage amazon's AWS authentication header * * @copyright Copyright (C) fruux GmbH (https://fruux.com/) * @author Evert Pot (http://evertpot.com/) * @license http://sabre.io/license/ Modified BSD License */ class AWS extends AbstractAuth { /** * The signature supplied by the HTTP client. * * @var string */ private $signature = null; /** * The accesskey supplied by the HTTP client. * * @var string */ private $accessKey = null; /** * An error code, if any. * * This value will be filled with one of the ERR_* constants * * @var int */ public $errorCode = 0; const ERR_NOAWSHEADER = 1; const ERR_MD5CHECKSUMWRONG = 2; const ERR_INVALIDDATEFORMAT = 3; const ERR_REQUESTTIMESKEWED = 4; const ERR_INVALIDSIGNATURE = 5; /** * Gathers all information from the headers. * * This method needs to be called prior to anything else. */ public function init(): bool { $authHeader = $this->request->getHeader('Authorization'); if (null === $authHeader) { $this->errorCode = self::ERR_NOAWSHEADER; return false; } $authHeader = explode(' ', $authHeader); if ('AWS' !== $authHeader[0] || !isset($authHeader[1])) { $this->errorCode = self::ERR_NOAWSHEADER; return false; } list($this->accessKey, $this->signature) = explode(':', $authHeader[1]); return true; } /** * Returns the username for the request. */ public function getAccessKey(): string { return $this->accessKey; } /** * Validates the signature based on the secretKey. */ public function validate(string $secretKey): bool { $contentMD5 = $this->request->getHeader('Content-MD5'); if ($contentMD5) { // We need to validate the integrity of the request $body = $this->request->getBody(); $this->request->setBody($body); if ($contentMD5 !== base64_encode(md5((string) $body, true))) { // content-md5 header did not match md5 signature of body $this->errorCode = self::ERR_MD5CHECKSUMWRONG; return false; } } if (!$requestDate = $this->request->getHeader('x-amz-date')) { $requestDate = $this->request->getHeader('Date'); } if (!$this->validateRFC2616Date((string) $requestDate)) { return false; } $amzHeaders = $this->getAmzHeaders(); $signature = base64_encode( $this->hmacsha1($secretKey, $this->request->getMethod()."\n". $contentMD5."\n". $this->request->getHeader('Content-type')."\n". $requestDate."\n". $amzHeaders. $this->request->getUrl() ) ); if ($this->signature !== $signature) { $this->errorCode = self::ERR_INVALIDSIGNATURE; return false; } return true; } /** * Returns an HTTP 401 header, forcing login. * * This should be called when username and password are incorrect, or not supplied at all */ public function requireLogin() { $this->response->addHeader('WWW-Authenticate', 'AWS'); $this->response->setStatus(401); } /** * Makes sure the supplied value is a valid RFC2616 date. * * If we would just use strtotime to get a valid timestamp, we have no way of checking if a * user just supplied the word 'now' for the date header. * * This function also makes sure the Date header is within 15 minutes of the operating * system date, to prevent replay attacks. */ protected function validateRFC2616Date(string $dateHeader): bool { $date = HTTP\parseDate($dateHeader); // Unknown format if (!$date) { $this->errorCode = self::ERR_INVALIDDATEFORMAT; return false; } $min = new \DateTime('-15 minutes'); $max = new \DateTime('+15 minutes'); // We allow 15 minutes around the current date/time if ($date > $max || $date < $min) { $this->errorCode = self::ERR_REQUESTTIMESKEWED; return false; } return true; } /** * Returns a list of AMZ headers. */ protected function getAmzHeaders(): string { $amzHeaders = []; $headers = $this->request->getHeaders(); foreach ($headers as $headerName => $headerValue) { if (0 === strpos(strtolower($headerName), 'x-amz-')) { $amzHeaders[strtolower($headerName)] = str_replace(["\r\n"], [' '], $headerValue[0])."\n"; } } ksort($amzHeaders); $headerStr = ''; foreach ($amzHeaders as $h => $v) { $headerStr .= $h.':'.$v; } return $headerStr; } /** * Generates an HMAC-SHA1 signature. */ private function hmacsha1(string $key, string $message): string { if (function_exists('hash_hmac')) { return hash_hmac('sha1', $message, $key, true); } $blocksize = 64; if (strlen($key) > $blocksize) { $key = pack('H*', sha1($key)); } $key = str_pad($key, $blocksize, chr(0x00)); $ipad = str_repeat(chr(0x36), $blocksize); $opad = str_repeat(chr(0x5c), $blocksize); $hmac = pack('H*', sha1(($key ^ $opad).pack('H*', sha1(($key ^ $ipad).$message)))); return $hmac; } }