ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
Sabre\HTTP\Auth\AWS Class Reference

HTTP AWS Authentication handler. More...


Public Member Functions

 init ()
 Gathers all information from the headers. More...
 
 getAccessKey ()
 Returns the username for the request. More...
 
 validate ($secretKey)
 Validates the signature based on the secretKey. More...
 
 requireLogin ()
 Returns an HTTP 401 header, forcing login. More...
 
- Public Member Functions inherited from Sabre\HTTP\Auth\AbstractAuth
 __construct ($realm='SabreTooth', RequestInterface $request, ResponseInterface $response)
 Creates the object. More...
 
 requireLogin ()
 This method sends the needed HTTP header and statuscode (401) to force the user to login. More...
 
 getRealm ()
 Returns the HTTP realm. More...
 

Data Fields

 $errorCode = 0
 
const ERR_NOAWSHEADER = 1
 
const ERR_MD5CHECKSUMWRONG = 2
 
const ERR_INVALIDDATEFORMAT = 3
 
const ERR_REQUESTTIMESKEWED = 4
 
const ERR_INVALIDSIGNATURE = 5
 

Protected Member Functions

 validateRFC2616Date ($dateHeader)
 Makes sure the supplied value is a valid RFC2616 date. More...
 
 getAmzHeaders ()
 Returns a list of AMZ headers. More...
 

Private Member Functions

 hmacsha1 ($key, $message)
 Generates an HMAC-SHA1 signature. More...
 

Private Attributes

 $signature = null
 
 $accessKey = null
 

Additional Inherited Members

- Protected Attributes inherited from Sabre\HTTP\Auth\AbstractAuth
 $realm
 
 $request
 
 $response
 

Detailed Description

HTTP AWS Authentication handler.

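Use this class to authenticate requests that carry Amazon's AWS-style Authorization header (`AWS <accessKey>:<signature>`, where the signature is a base64-encoded HMAC-SHA1 over selected parts of the request).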

Author
Evert Pot (http://evertpot.com/) http://sabre.io/license/ Modified BSD License

Definition at line 16 of file AWS.php.

Member Function Documentation

◆ getAccessKey()

Sabre\HTTP\Auth\AWS::getAccessKey ( )

Returns the username for the request, i.e. the access key taken from the Authorization header.

Returns
string

Definition at line 75 of file AWS.php.

References Sabre\HTTP\Auth\AWS\$accessKey.

/**
 * Returns the username for the request.
 *
 * This is the access key that init() split out of the Authorization
 * header; it stays null until init() has stored one. The value is
 * client-supplied and is not proof of identity until validate() has
 * succeeded with the matching secret key.
 *
 * @return string
 */
public function getAccessKey()
{
    $accessKey = $this->accessKey;

    return $accessKey;
}

◆ getAmzHeaders()

Sabre\HTTP\Auth\AWS::getAmzHeaders ( )
protected

Returns the x-amz-* request headers as one canonicalised string: names lower-cased and sorted, one `name:value` line per header.

Returns
string

Definition at line 189 of file AWS.php.

References $h.

Referenced by Sabre\HTTP\Auth\AWS\validate().

/**
 * Returns the x-amz-* request headers as a single canonicalised string.
 *
 * Header names are lower-cased, sorted by name, and emitted as
 * "name:value\n" lines; this string is part of what validate() signs.
 *
 * @return string
 */
protected function getAmzHeaders()
{
    $canonical = [];

    foreach ($this->request->getHeaders() as $name => $values) {
        $lowerName = strtolower($name);
        if (strpos($lowerName, 'x-amz-') !== 0) {
            continue;
        }

        // Folded header lines (CRLF) are flattened to a single space.
        // NOTE(review): only the first value of a repeated x-amz-* header
        // is included, so any further values are not covered by the
        // signature - confirm nothing downstream trusts them.
        $canonical[$lowerName] = str_replace(["\r\n"], [' '], $values[0]) . "\n";
    }

    ksort($canonical);

    $lines = [];
    foreach ($canonical as $name => $line) {
        $lines[] = $name . ':' . $line;
    }

    return implode('', $lines);
}

◆ hmacsha1()

Sabre\HTTP\Auth\AWS::hmacsha1 (   $key,
  $message 
)
private

Generates an HMAC-SHA1 signature.

Parameters
string$key
string$message
Returns
string

Definition at line 216 of file AWS.php.

References $key, and $message.

Referenced by Sabre\HTTP\Auth\AWS\validate().

/**
 * Generates an HMAC-SHA1 signature.
 *
 * Uses hash_hmac() when that function exists; otherwise the HMAC is
 * built by hand from sha1() with a 64-byte block size. The result is
 * the raw binary digest, not hex.
 *
 * @param string $key
 * @param string $message
 * @return string
 */
private function hmacsha1($key, $message)
{
    if (!function_exists('hash_hmac')) {
        $blocksize = 64;

        // Keys longer than one block are replaced by their SHA-1 digest,
        // then the key is zero-padded to the block size.
        $blockKey = strlen($key) > $blocksize ? pack('H*', sha1($key)) : $key;
        $blockKey = str_pad($blockKey, $blocksize, chr(0x00));

        $innerPad = str_repeat(chr(0x36), $blocksize);
        $outerPad = str_repeat(chr(0x5c), $blocksize);

        $innerDigest = pack('H*', sha1(($blockKey ^ $innerPad) . $message));

        return pack('H*', sha1(($blockKey ^ $outerPad) . $innerDigest));
    }

    return hash_hmac('sha1', $message, $key, true);
}

◆ init()

Sabre\HTTP\Auth\AWS::init ( )

Gathers all information from the headers.

This method needs to be called prior to anything else.

Returns
bool

Definition at line 54 of file AWS.php.

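/**
 * Gathers all information from the headers.
 *
 * Parses an Authorization header of the form "AWS accessKey:signature"
 * and stores both parts. This method needs to be called prior to
 * anything else.
 *
 * A header that is missing, uses another scheme, or lacks a non-empty
 * access key or signature is rejected with ERR_NOAWSHEADER, so a
 * malformed credential never leaves the object half-initialised.
 *
 * @return bool
 */
public function init()
{
    // Cast so that a missing header becomes '' instead of passing null on.
    $authHeader = explode(' ', (string) $this->request->getHeader('Authorization'));

    if ($authHeader[0] !== 'AWS' || !isset($authHeader[1])) {
        $this->errorCode = self::ERR_NOAWSHEADER;
        return false;
    }

    // Both halves of "accessKey:signature" must be present; without this
    // check a header with no colon would yield a null signature.
    $credentials = explode(':', $authHeader[1]);
    if (count($credentials) < 2 || $credentials[0] === '' || $credentials[1] === '') {
        $this->errorCode = self::ERR_NOAWSHEADER;
        return false;
    }

    list($this->accessKey, $this->signature) = $credentials;

    return true;
}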

◆ requireLogin()

Sabre\HTTP\Auth\AWS::requireLogin ( )

Returns an HTTP 401 header, forcing login.

This should be called when username and password are incorrect, or not supplied at all

Returns
void

Definition at line 142 of file AWS.php.

/**
 * Returns an HTTP 401 header, forcing login.
 *
 * Adds a "WWW-Authenticate: AWS" header to the response and sets its
 * status to 401. This should be called when the credentials are
 * incorrect, or not supplied at all.
 *
 * @return void
 */
public function requireLogin()
{
    $response = $this->response;

    $response->addHeader('WWW-Authenticate', 'AWS');
    $response->setStatus(401);
}

◆ validate()

Sabre\HTTP\Auth\AWS::validate (   $secretKey)

Validates the signature based on the secretKey.

Parameters
string$secretKey
Returns
bool

Definition at line 87 of file AWS.php.

References Sabre\HTTP\Auth\AWS\$signature, Sabre\HTTP\Auth\AWS\getAmzHeaders(), Sabre\HTTP\Auth\AWS\hmacsha1(), and Sabre\HTTP\Auth\AWS\validateRFC2616Date().

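/**
 * Validates the signature based on the secretKey.
 *
 * The string to sign is rebuilt from the request method, the Content-MD5
 * and Content-type headers, the request date, the canonicalised x-amz-*
 * headers and the request URL. It is HMAC-SHA1'd with $secretKey,
 * base64-encoded and compared with the signature stored by init().
 *
 * The request body is only bound to the signature when the client sends
 * a Content-MD5 header; without that header the body is not
 * integrity-checked here.
 *
 * On failure $this->errorCode is set to ERR_MD5CHECKSUMWRONG,
 * ERR_INVALIDSIGNATURE, or the code recorded by validateRFC2616Date().
 *
 * @param string $secretKey
 * @return bool
 */
public function validate($secretKey)
{
    $contentMD5 = $this->request->getHeader('Content-MD5');

    if ($contentMD5) {
        // We need to validate the integrity of the request
        // NOTE(review): md5() needs the body as a string - confirm that
        // getBody() returns one here rather than a stream.
        $body = $this->request->getBody();
        $this->request->setBody($body);

        // Strict comparison: no type juggling between header and digest.
        if ($contentMD5 !== base64_encode(md5($body, true))) {
            // content-md5 header did not match md5 signature of body
            $this->errorCode = self::ERR_MD5CHECKSUMWRONG;
            return false;
        }
    }

    if (!$requestDate = $this->request->getHeader('x-amz-date')) {
        $requestDate = $this->request->getHeader('Date');
    }

    // validateRFC2616Date() records its own error code on failure.
    if (!$this->validateRFC2616Date($requestDate)) {
        return false;
    }

    $amzHeaders = $this->getAmzHeaders();

    $stringToSign =
        $this->request->getMethod() . "\n" .
        $contentMD5 . "\n" .
        $this->request->getHeader('Content-type') . "\n" .
        $requestDate . "\n" .
        $amzHeaders .
        $this->request->getUrl();

    $signature = base64_encode($this->hmacsha1($secretKey, $stringToSign));

    // Constant-time comparison, so response timing does not reveal how
    // much of a guessed signature was correct. A missing signature
    // (init() not called or failed) is rejected as well.
    if (!$this->secureEquals($signature, $this->signature)) {
        $this->errorCode = self::ERR_INVALIDSIGNATURE;
        return false;
    }

    return true;
}

/**
 * Compares two strings without short-circuiting on the first mismatch.
 *
 * Uses hash_equals() when it exists and a byte-wise XOR loop otherwise.
 * Non-string input never matches.
 *
 * @param mixed $known    value computed by the server
 * @param mixed $supplied value taken from the request
 * @return bool
 */
private function secureEquals($known, $supplied)
{
    if (!is_string($known) || !is_string($supplied)) {
        return false;
    }

    if (function_exists('hash_equals')) {
        return hash_equals($known, $supplied);
    }

    $length = strlen($known);
    if ($length !== strlen($supplied)) {
        return false;
    }

    $diff = 0;
    for ($i = 0; $i < $length; $i++) {
        $diff |= ord($known[$i]) ^ ord($supplied[$i]);
    }

    return $diff === 0;
}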
validateRFC2616Date($dateHeader)
Makes sure the supplied value is a valid RFC2616 date.
Definition: AWS.php:161
getAmzHeaders()
Returns a list of AMZ headers.
Definition: AWS.php:189
hmacsha1($key, $message)
Generates an HMAC-SHA1 signature.
Definition: AWS.php:216

◆ validateRFC2616Date()

Sabre\HTTP\Auth\AWS::validateRFC2616Date (   $dateHeader)
protected

Makes sure the supplied value is a valid RFC2616 date.

If we would just use strtotime to get a valid timestamp, we have no way of checking if a user just supplied the word 'now' for the date header.

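This function also makes sure the Date header is within 15 minutes of the operating system date. This narrows the window for replay attacks; a captured request can still be replayed inside that window unless the application also tracks requests it has already accepted.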

Parameters
string$dateHeader
Returns
bool

Definition at line 161 of file AWS.php.

References Sabre\HTTP\Util\parseHTTPDate().

Referenced by Sabre\HTTP\Auth\AWS\validate().

/**
 * Makes sure the supplied value is a valid RFC2616 date.
 *
 * The value is parsed with Util::parseHTTPDate() rather than strtotime,
 * so a relative word such as 'now' is not accepted as a date. The parsed
 * date must also lie within 15 minutes either side of the current time,
 * which bounds how long a captured request stays replayable.
 *
 * Sets ERR_INVALIDDATEFORMAT or ERR_REQUESTTIMESKEWED on failure.
 *
 * @param string $dateHeader
 * @return bool false on failure; on success the parsed date itself is
 *              returned (truthy), presumably a DateTime - confirm
 *              against Util::parseHTTPDate()
 */
protected function validateRFC2616Date($dateHeader)
{
    $parsed = Util::parseHTTPDate($dateHeader);

    // Unknown format
    if (!$parsed) {
        $this->errorCode = self::ERR_INVALIDDATEFORMAT;
        return false;
    }

    // We allow 15 minutes around the current date/time
    $earliest = new \DateTime('-15 minutes');
    $latest = new \DateTime('+15 minutes');

    $tooLate = $parsed > $latest;
    $tooEarly = $parsed < $earliest;

    if ($tooLate || $tooEarly) {
        $this->errorCode = self::ERR_REQUESTTIMESKEWED;
        return false;
    }

    return $parsed;
}
static parseHTTPDate($dateHeader)
Parses a RFC2616-compatible date string.
Definition: Util.php:53

Field Documentation

◆ $accessKey

Sabre\HTTP\Auth\AWS::$accessKey = null
private

Definition at line 30 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWS\getAccessKey().

◆ $errorCode

Sabre\HTTP\Auth\AWS::$errorCode = 0

Definition at line 39 of file AWS.php.

◆ $signature

Sabre\HTTP\Auth\AWS::$signature = null
private

Definition at line 23 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWS\validate().

◆ ERR_INVALIDDATEFORMAT

const Sabre\HTTP\Auth\AWS::ERR_INVALIDDATEFORMAT = 3

Definition at line 43 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testNoDate().

◆ ERR_INVALIDSIGNATURE

const Sabre\HTTP\Auth\AWS::ERR_INVALIDSIGNATURE = 5

Definition at line 45 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testIncorrectSignature().

◆ ERR_MD5CHECKSUMWRONG

const Sabre\HTTP\Auth\AWS::ERR_MD5CHECKSUMWRONG = 2

Definition at line 42 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testIncorrectContentMD5().

◆ ERR_NOAWSHEADER

const Sabre\HTTP\Auth\AWS::ERR_NOAWSHEADER = 1

Definition at line 41 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testNoHeader().

◆ ERR_REQUESTTIMESKEWED

const Sabre\HTTP\Auth\AWS::ERR_REQUESTTIMESKEWED = 4

The documentation for this class was generated from the following file: