http: improve AWS HTTP v4 Signature auth

- Add support services without region and service prefixes in the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc) by providing region and service parameters via aws-sigv4 option. - Add [:region[:service]] suffix to aws-sigv4 option; - Fix memory allocation errors. - Refactor memory management. - Use Curl_http_method instead() STRING_CUSTOMREQUEST. - Refactor canonical headers generating. - Remove repeated sha256_to_hex() usage. - Add some docs fixes. - Add some codestyle fixes. - Add overloaded strndup() for debug - curl_dbg_strndup(). - Update tests. Closes curl#6524
kenh · Jan 30, 2021 · 796ce29 · 796ce29
1 parent 3c22107
commit 796ce29
Show file tree

Hide file tree

Showing 21 changed files with 741 additions and 256 deletions.
diff --git a/docs/cmdline-opts/aws-sigv4.d b/docs/cmdline-opts/aws-sigv4.d
@@ -1,5 +1,5 @@
 Long: aws-sigv4
-Arg: <provider1[:provider2]>
+Arg: <provider1[:provider2[:region[:service]]]>
 Help: Use AWS V4 signature authentication
 Category: auth http
 Added: 7.75.0
@@ -8,3 +8,10 @@ Use AWS V4 signature authentication in the transfer.
 
 The provider argument is a string that is used by the algorithm when creating
 outgoing authentication headers.
+
+The region argument is a string that points to a geographic area of
+a resources collection (region-code) when the region name is omitted from
+the endpoint.
+
+The service argument is a string that points to a function provided by a cloud
+(service-code) when the service name is omitted from the endpoint.
diff --git a/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3 b/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3
@@ -20,37 +20,47 @@
 .\" *
 .\" **************************************************************************
 .\"
-.TH CURLOPT_AWS_SIGV4 3 "03 Jun 2020" "libcurl 7.72.0" "curl_easy_setopt options"
+.TH CURLOPT_AWS_SIGV4 3 "03 Jun 2020" "libcurl 7.75.0" "curl_easy_setopt options"
 .SH NAME
 CURLOPT_AWS_SIGV4 \- V4 signature
 .SH SYNOPSIS
 .nf
 #include <curl/curl.h>
 
-CURLcode curl_easy_setopt(CURL *handle, CURLOPT_AWS_SIGV4,
-                          char *providers_infos);
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_AWS_SIGV4, char *param);
+.fi
 .SH DESCRIPTION
-provides AWS V4 signature authentication on HTTPS header
-
-The provider argument is a string that is merged to some authentication
-parameters use by the algorithm.
-It's used by "Algorithm", "date", "request type", "signed headers" arguments,
-
-NOTE: This call set CURLOPT_HTTPAUTH to CURLAUTH_AWS_SIGV4.
-Calling CURLOPT_HTTPAUTH with CURLAUTH_AWS_SIGV4 is the same as calling
-this with "aws:amz" in paramater.
-
-Example with "Test:Try", when curl will do the algorithm, it will Generate:
-"TEST-HMAC-SHA256" for "Algorithm"
-"x-try-date" and "X-Try-Date" for "date"
-"test4_request" for "request type"
+Provides AWS V4 signature authentication on HTTP(S) header.
+.PP
+Pass a char * that is the collection of specific arguments are used for
+creating outgoing authentication headers.
+The format of the param option is:
+.IP provider1[:provider2[:region[:service]]]
+.IP provider1,\ provider2
+The providers arguments are used for generating some authentication parameters
+such as "Algorithm", "date", "request type" and "signed headers".
+.IP region
+The argument is a geographic area of a resources collection.
+It is extracted from the host name specified in the URL if omitted.
+.IP service
+The argument is a function provided by a cloud.
+It is extracted from the host name specified in the URL if omitted.
+.PP
+NOTE: This call set \fICURLOPT_HTTPAUTH(3)\fP to CURLAUTH_AWS_SIGV4.
+Calling \fICURLOPT_HTTPAUTH(3)\fP with CURLAUTH_AWS_SIGV4 is the same
+as calling this with "aws:amz" in parameter.
+.PP
+Example with "Test:Try", when curl will do the algorithm, it will generate
+"TEST-HMAC-SHA256" for "Algorithm", "x-try-date" and "X-Try-Date" for "date",
+"test4_request" for "request type",
 "SignedHeaders=content-type;host;x-try-date" for "signed headers"
-
+.PP
 If you use just "test", instead of "test:try",
 test will be use for every strings generated
-
 .SH DEFAULT
-NULL
+By default, the value of this parameter is NULL.
+Calling \fICURLOPT_HTTPAUTH(3)\fP with CURLAUTH_AWS_SIGV4 is the same
+as calling this with "aws:amz" in parameter.
 .SH PROTOCOLS
 HTTP
 .SH EXAMPLE
@@ -61,22 +71,27 @@ struct curl_slist *list = NULL;
 
 if(curl) {
   curl_easy_setopt(curl, CURLOPT_URL,
-  "https://api_type.region.example.com/uri");
+                  "https://service.region.example.com/uri");
+  curl_easy_setopt(c, CURLOPT_AWS_SIGV4, "provider1:provider2");
+
+  /* service and region also could be set in CURLOPT_AWS_SIGV4 */
+  /*
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/uri");
+  curl_easy_setopt(c, CURLOPT_AWS_SIGV4,
+                   "provider1:provider2:region:service");
+  */
 
-  curl_easy_setopt(c, CURLOPT_AWS_SIGV4, "xxx:yyy");
   curl_easy_setopt(c, CURLOPT_USERPWD, "MY_ACCESS_KEY:MY_SECRET_KEY");
   curl_easy_perform(curl);
 }
 .fi
-
 .SH AVAILABILITY
 Added in 7.75.0
-
 .SH RETURN VALUE
 Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
-
 .SH NOTES
-this option overrides the other auth types you might have set in CURL_HTTPAUTH which should be highlighted as this makes this auth method special. It could probably also be mentioned that this method can't be combined with other auth types.
-
+This option overrides the other auth types you might have set in CURL_HTTPAUTH
+which should be highlighted as this makes this auth method special.
+This method can't be combined with other auth types.
 .SH "SEE ALSO"
 .BR CURLOPT_HEADEROPT "(3), " CURLOPT_HTTPHEADER "(3), "
diff --git a/include/curl/curl.h b/include/curl/curl.h
@@ -787,7 +787,7 @@ typedef enum {
 #define CURLAUTH_DIGEST_IE    (((unsigned long)1)<<4)
 #define CURLAUTH_NTLM_WB      (((unsigned long)1)<<5)
 #define CURLAUTH_BEARER       (((unsigned long)1)<<6)
-#define CURLAUTH_AWS_SIGV4 (((unsigned long)1)<<7)
+#define CURLAUTH_AWS_SIGV4    (((unsigned long)1)<<7)
 #define CURLAUTH_ONLY         (((unsigned long)1)<<31)
 #define CURLAUTH_ANY          (~CURLAUTH_DIGEST_IE)
 #define CURLAUTH_ANYSAFE      (~(CURLAUTH_BASIC|CURLAUTH_DIGEST_IE))
@@ -2075,7 +2075,7 @@ typedef enum {
   CURLOPT(CURLOPT_HSTSWRITEFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 303),
   CURLOPT(CURLOPT_HSTSWRITEDATA, CURLOPTTYPE_CBPOINT, 304),
 
-  /* Provider for V4 signature */
+  /* Parameters for V4 signature */
   CURLOPT(CURLOPT_AWS_SIGV4, CURLOPTTYPE_STRINGPOINT, 305),
 
   CURLOPT_LASTENTRY /* the last unused */