Sabre\HTTP\Auth\AWS Class Reference

HTTP AWS Authentication handler. More...

Inheritance diagram for Sabre\HTTP\Auth\AWS:

Collaboration diagram for Sabre\HTTP\Auth\AWS:

Public Member Functions
	init ()
	Gathers all information from the headers. More...
	getAccessKey ()
	Returns the username for the request. More...
	validate ($secretKey)
	Validates the signature based on the secretKey. More...
	requireLogin ()
	Returns an HTTP 401 header, forcing login. More...
Public Member Functions inherited from Sabre\HTTP\Auth\AbstractAuth
	__construct ($realm='SabreTooth', RequestInterface $request, ResponseInterface $response)
	Creates the object. More...
	requireLogin ()
	This method sends the needed HTTP header and statuscode (401) to force the user to login. More...
	getRealm ()
	Returns the HTTP realm. More...

Data Fields
	$errorCode = 0
const	ERR_NOAWSHEADER = 1
const	ERR_MD5CHECKSUMWRONG = 2
const	ERR_INVALIDDATEFORMAT = 3
const	ERR_REQUESTTIMESKEWED = 4
const	ERR_INVALIDSIGNATURE = 5

Protected Member Functions
	validateRFC2616Date ($dateHeader)
	Makes sure the supplied value is a valid RFC2616 date. More...
	getAmzHeaders ()
	Returns a list of AMZ headers. More...

Private Member Functions
	hmacsha1 ($key, $message)
	Generates an HMAC-SHA1 signature. More...

Private Attributes
	$signature = null
	$accessKey = null

Additional Inherited Members
Protected Attributes inherited from Sabre\HTTP\Auth\AbstractAuth
	$realm
	$request
	$response

Detailed Description

HTTP AWS Authentication handler.

Use this class to leverage amazon's AWS authentication header

Copyright

Copyright (C) fruux GmbH (https://fruux.com/)

Author

Evert Pot (http://evertpot.com/) @license http://sabre.io/license/ Modified BSD License

Definition at line 16 of file AWS.php.

Member Function Documentation

getAccessKey()

Sabre\HTTP\Auth\AWS::getAccessKey

(

)

Returns the username for the request.

Returns

string

Definition at line 75 of file AWS.php.

                            {
 
        return $this->accessKey;
 
    }

References Sabre\HTTP\Auth\AWS\$accessKey.

getAmzHeaders()

Sabre\HTTP\Auth\AWS::getAmzHeaders ( )

protected

Returns a list of AMZ headers.

Returns

string

Definition at line 189 of file AWS.php.

                                       {
 
        $amzHeaders = [];
        $headers = $this->request->getHeaders();
        foreach ($headers as $headerName => $headerValue) {
            if (strpos(strtolower($headerName), 'x-amz-') === 0) {
                $amzHeaders[strtolower($headerName)] = str_replace(["\r\n"], [' '], $headerValue[0]) . "\n";
            }
        }
        ksort($amzHeaders);
 
        $headerStr = '';
        foreach ($amzHeaders as $h => $v) {
            $headerStr .= $h . ':' . $v;
        }
 
        return $headerStr;
 
    }

References $h.

Referenced by Sabre\HTTP\Auth\AWS\validate().

Here is the caller graph for this function:

hmacsha1()

Sabre\HTTP\Auth\AWS::hmacsha1 (   $key,   $message  )

private

Generates an HMAC-SHA1 signature.

Parameters

string	$key
string	$message

Returns

string

Definition at line 216 of file AWS.php.

                                              {
 
        if (function_exists('hash_hmac')) {
            return hash_hmac('sha1', $message, $key, true);
        }
 
        $blocksize = 64;
        if (strlen($key) > $blocksize) {
            $key = pack('H*', sha1($key));
        }
        $key = str_pad($key, $blocksize, chr(0x00));
        $ipad = str_repeat(chr(0x36), $blocksize);
        $opad = str_repeat(chr(0x5c), $blocksize);
        $hmac = pack('H*', sha1(($key ^ $opad) . pack('H*', sha1(($key ^ $ipad) . $message))));
        return $hmac;
 
    }

References $key, and $message.

Referenced by Sabre\HTTP\Auth\AWS\validate().

Here is the caller graph for this function:

init()

Sabre\HTTP\Auth\AWS::init

(

)

Gathers all information from the headers.

This method needs to be called prior to anything else.

Returns

bool

Definition at line 54 of file AWS.php.

                    {
 
        $authHeader = $this->request->getHeader('Authorization');
        $authHeader = explode(' ', $authHeader);
 
        if ($authHeader[0] != 'AWS' || !isset($authHeader[1])) {
            $this->errorCode = self::ERR_NOAWSHEADER;
             return false;
        }
 
        list($this->accessKey, $this->signature) = explode(':', $authHeader[1]);
 
        return true;
 
    }

References Sabre\HTTP\Auth\AWS\ERR_NOAWSHEADER.

requireLogin()

Sabre\HTTP\Auth\AWS::requireLogin

(

)

Returns an HTTP 401 header, forcing login.

This should be called when username and password are incorrect, or not supplied at all

Returns

void

Reimplemented from Sabre\HTTP\Auth\AbstractAuth.

Definition at line 142 of file AWS.php.

                            {
 
        $this->response->addHeader('WWW-Authenticate', 'AWS');
        $this->response->setStatus(401);
 
    }

validate()

Sabre\HTTP\Auth\AWS::validate

(

$secretKey

)

Validates the signature based on the secretKey.

Parameters

string

$secretKey

Returns

bool

Definition at line 87 of file AWS.php.

                                  {
 
        $contentMD5 = $this->request->getHeader('Content-MD5');
 
        if ($contentMD5) {
            // We need to validate the integrity of the request
            $body = $this->request->getBody();
            $this->request->setBody($body);
 
            if ($contentMD5 != base64_encode(md5($body, true))) {
                // content-md5 header did not match md5 signature of body
                $this->errorCode = self::ERR_MD5CHECKSUMWRONG;
                return false;
            }
 
        }
 
        if (!$requestDate = $this->request->getHeader('x-amz-date'))
            $requestDate = $this->request->getHeader('Date');
 
        if (!$this->validateRFC2616Date($requestDate))
            return false;
 
        $amzHeaders = $this->getAmzHeaders();
 
        $signature = base64_encode(
            $this->hmacsha1($secretKey,
                $this->request->getMethod() . "\n" .
                $contentMD5 . "\n" .
                $this->request->getHeader('Content-type') . "\n" .
                $requestDate . "\n" .
                $amzHeaders .
                $this->request->getUrl()
            )
        );
 
        if ($this->signature != $signature) {
 
            $this->errorCode = self::ERR_INVALIDSIGNATURE;
            return false;
 
        }
 
        return true;
 
    }

References Sabre\HTTP\Auth\AWS\$signature, Sabre\HTTP\Auth\AWS\ERR_INVALIDSIGNATURE, Sabre\HTTP\Auth\AWS\ERR_MD5CHECKSUMWRONG, Sabre\HTTP\Auth\AWS\getAmzHeaders(), Sabre\HTTP\Auth\AWS\hmacsha1(), and Sabre\HTTP\Auth\AWS\validateRFC2616Date().

Here is the call graph for this function:

validateRFC2616Date()

Sabre\HTTP\Auth\AWS::validateRFC2616Date (   $dateHeader )

protected

Makes sure the supplied value is a valid RFC2616 date.

If we would just use strtotime to get a valid timestamp, we have no way of checking if a user just supplied the word 'now' for the date header.

This function also makes sure the Date header is within 15 minutes of the operating system date, to prevent replay attacks.

Parameters

string

$dateHeader

Returns

bool

Definition at line 161 of file AWS.php.

                                                        {
 
        $date = Util::parseHTTPDate($dateHeader);
 
        // Unknown format
        if (!$date) {
            $this->errorCode = self::ERR_INVALIDDATEFORMAT;
            return false;
        }
 
        $min = new \DateTime('-15 minutes');
        $max = new \DateTime('+15 minutes');
 
        // We allow 15 minutes around the current date/time
        if ($date > $max || $date < $min) {
            $this->errorCode = self::ERR_REQUESTTIMESKEWED;
            return false;
        }
 
        return $date;
 
    }

References Sabre\HTTP\Auth\AWS\ERR_INVALIDDATEFORMAT, Sabre\HTTP\Auth\AWS\ERR_REQUESTTIMESKEWED, and Sabre\HTTP\Util\parseHTTPDate().

Referenced by Sabre\HTTP\Auth\AWS\validate().

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

$accessKey

Sabre\HTTP\Auth\AWS::$accessKey = null

private

Definition at line 30 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWS\getAccessKey().

$errorCode

Sabre\HTTP\Auth\AWS::$errorCode = 0

Definition at line 39 of file AWS.php.

$signature

Sabre\HTTP\Auth\AWS::$signature = null

private

Definition at line 23 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWS\validate().

ERR_INVALIDDATEFORMAT

const Sabre\HTTP\Auth\AWS::ERR_INVALIDDATEFORMAT = 3

Definition at line 43 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testNoDate(), and Sabre\HTTP\Auth\AWS\validateRFC2616Date().

ERR_INVALIDSIGNATURE

const Sabre\HTTP\Auth\AWS::ERR_INVALIDSIGNATURE = 5

Definition at line 45 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testIncorrectSignature(), and Sabre\HTTP\Auth\AWS\validate().

ERR_MD5CHECKSUMWRONG

const Sabre\HTTP\Auth\AWS::ERR_MD5CHECKSUMWRONG = 2

Definition at line 42 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testIncorrectContentMD5(), and Sabre\HTTP\Auth\AWS\validate().

ERR_NOAWSHEADER

const Sabre\HTTP\Auth\AWS::ERR_NOAWSHEADER = 1

Definition at line 41 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWS\init(), and Sabre\HTTP\Auth\AWSTest\testNoHeader().

ERR_REQUESTTIMESKEWED

const Sabre\HTTP\Auth\AWS::ERR_REQUESTTIMESKEWED = 4

Definition at line 44 of file AWS.php.

Referenced by Sabre\HTTP\Auth\AWSTest\testFutureDate(), Sabre\HTTP\Auth\AWSTest\testPastDate(), and Sabre\HTTP\Auth\AWS\validateRFC2616Date().

---

The documentation for this class was generated from the following file:

• libs/composer/vendor/sabre/http/lib/Auth/AWS.php