File Coverage

blib/lib/Amazon/S3/Thin/Signer/V4.pm
Criterion Covered Total %
statement 66 66 100.0
branch 6 6 100.0
condition 8 9 88.8
subroutine 12 12 100.0
pod 2 3 66.6
total 94 96 97.9


line stmt bran cond sub pod time code
1             package Amazon::S3::Thin::Signer::V4;
2              
3             =head1 NAME
4              
5             Amazon::S3::Thin::Signer::V4 - AWS Version 4 Signer
6              
7             =head1 SYNOPSIS
8              
9             # create a client object
10             my $s3client = Amazon::S3::Thin->new({
11             aws_access_key_id => $aws_access_key_id,
12             aws_secret_access_key => $secret_access_key,
13             });
14              
15             # create a signer
16             my $signer = Amazon::S3::Thin::Signer::V4->new($s3client);
17              
18             # create a request
19             my $request = HTTP::Request->new(...);
20              
21             # sign the request using the client keys
22             $signer->sign($request);
23              
24             =head1 DESCRIPTION
25              
26             This module creates objects that can sign AWS requests using signature version
27             4, as implemented by the L module.
28              
29             =cut
30              
31 8     8   1235 use strict;
  8         21  
  8         211  
32 8     8   35 use warnings;
  8         13  
  8         182  
33 8     8   3112 use AWS::Signature4;
  8         151605  
  8         256  
34 8     8   59 use Digest::SHA ();
  8         15  
  8         101  
35 8     8   691 use JSON::PP ();
  8         12606  
  8         105  
36 8     8   2266 use MIME::Base64 ();
  8         3085  
  8         157  
37 8     8   47 use POSIX 'strftime';
  8         15  
  8         49  
38              
39             sub new {
40 17     17 0 8920 my ($class, $credentials, $region) = @_;
41 17         53 my $self = {
42             credentials => $credentials,
43             region => $region,
44             };
45 17         74 bless $self, $class;
46             }
47              
48             =head1 METHODS
49              
50             =head2 sign($request)
51              
52             Signs supplied L object, adding required AWS headers.
53              
54             =cut
55              
56             sub sign
57             {
58 18     18 1 45 my ($self, $request) = @_;
59 18         45 my $signer = $self->signer;
60 18 100       348 if (defined $self->{credentials}->session_token) {
61 1         4 $request->header('X-Amz-Security-Token', $self->{credentials}->session_token);
62             }
63 18         194 my $digest = Digest::SHA::sha256_hex($request->content);
64 18         356 $request->header('X-Amz-Content-SHA256', $digest);
65 18         1111 $signer->sign($request, $self->{region}, $digest);
66 18         16707 $request;
67             }
68              
69             =head2 signer
70              
71             Returns an L object for signing requests
72              
73             =cut
74              
75             sub signer
76             {
77 25     25 1 37 my $self = shift;
78             AWS::Signature4->new(
79             -access_key => $self->{credentials}->access_key_id,
80             -secret_key => $self->{credentials}->secret_access_key,
81 25         118 );
82             }
83              
84             # This method is written referencing these botocore's implementations:
85             # https://github.com/boto/botocore/blob/00c4cadcf0996ef77a3a01b158f15c8fced9909b/botocore/signers.py#L602-L714
86             # https://github.com/boto/botocore/blob/00c4cadcf0996ef77a3a01b158f15c8fced9909b/botocore/signers.py#L459-L528
87             # https://github.com/boto/botocore/blob/00c4cadcf0996ef77a3a01b158f15c8fced9909b/botocore/auth.py#L585-L628
88             sub _generate_presigned_post {
89 6     6   13 my ($self, $bucket, $key, $fields, $conditions, $expires_in) = @_;
90              
91             # $fields is arrayref of key/value pairs. The order of the fields is important because AWS says "please check the order of the fields"...
92 6   100     26 $fields ||= [];
93 6   100     19 $conditions ||= [];
94 6   100     17 $expires_in ||= 3600;
95              
96 6         7 my $t = time;
97 6         223 my $datetime = strftime('%Y%m%dT%H%M%SZ', gmtime($t));
98 6         141 my $expiration = strftime('%Y-%m-%dT%H:%M:%SZ', gmtime($t + $expires_in));
99              
100 6         18 my $signer = $self->signer;
101 6         116 my ($date) = $datetime =~ /^(\d+)T/;
102 6         14 my $credential = $signer->access_key . '/' . $date . '/' . $self->{region} . '/s3/aws4_request';
103              
104 6         52 push @$conditions, {bucket => $bucket};
105              
106 6         12 push @$fields, key => $key;
107 6 100       14 if ($key =~ /\$\{filename\}$/) {
108 1         3 push @$conditions, ['starts-with' => '$key', substr($key, 0, -11)];
109             } else {
110 5         11 push @$conditions, {key => $key};
111             }
112              
113 6         9 push @$fields, 'x-amz-algorithm' => 'AWS4-HMAC-SHA256';
114 6         17 push @$fields, 'x-amz-credential' => $credential;
115 6         13 push @$fields, 'x-amz-date' => $datetime;
116              
117 6         11 push @$conditions, {'x-amz-algorithm' => 'AWS4-HMAC-SHA256'};
118 6         11 push @$conditions, {'x-amz-credential' => $credential};
119 6         12 push @$conditions, {'x-amz-date' => $datetime};
120              
121 6         14 my $session_token = $self->{credentials}->session_token;
122 6 100       13 if (defined $session_token) {
123 1         4 push @$fields, 'x-amz-security-token' => $session_token;
124 1         4 push @$conditions, {'x-amz-security-token' => $session_token};
125             }
126              
127 6         18 my $policy = $self->_encode_policy({
128             expiration => $expiration,
129             conditions => $conditions,
130             });
131 6         2536 push @$fields, policy => $policy;
132              
133             my $signing_key = $signer->signing_key(
134             $signer->secret_key,
135             's3',
136             $self->{region},
137 6         16 $date,
138             );
139 6         238 push @$fields, 'x-amz-signature' => Digest::SHA::hmac_sha256_hex($policy, $signing_key);
140              
141 6         88 return $fields;
142             }
143              
144             my $_JSON;
145             sub _encode_policy {
146 6     6   8 my $self = shift;
147 6   66     23 return MIME::Base64::encode_base64(
148             ($_JSON ||= JSON::PP->new->utf8->canonical)->encode(@_),
149             ''
150             );
151             }
152              
153             1;
154              
155             =head1 LICENSE
156              
157             Copyright (C) 2016, Robert Showalter
158              
159             This library is free software; you can redistribute it and/or modify it under
160             the same terms as Perl itself.
161              
162             =head1 AUTHOR
163              
164             Robert Showalter
165              
166             =head1 SEE ALSO
167              
168             L