/** * Converts the specified request object into a URL, containing all the specified parameters, the * specified request endpoint, etc. * * @param request The request to convert into a URL. * @param removeLeadingSlashInResourcePath Whether the leading slash in resource-path should be * removed before appending to the endpoint. * @return A new URL representing the specified request. * @throws AmazonClientException If the request cannot be converted to a well formed URL. */ public static URL convertRequestToUrl( Request<?> request, boolean removeLeadingSlashInResourcePath) { String resourcePath = HttpUtils.urlEncode(request.getResourcePath(), true); // Removed the padding "/" that was already added into the request's resource path. if (removeLeadingSlashInResourcePath && resourcePath.startsWith("/")) { resourcePath = resourcePath.substring(1); } // Some http client libraries (e.g. Apache HttpClient) cannot handle // consecutive "/"s between URL authority and path components. // So we escape "////..." into "/%2F%2F%2F...", in the same way as how // we treat consecutive "/"s in AmazonS3Client#presignRequest(...) String urlPath = "/" + resourcePath; urlPath = urlPath.replaceAll("(?<=/)/", "%2F"); String urlString = request.getEndpoint() + urlPath; boolean firstParam = true; for (String param : request.getParameters().keySet()) { if (firstParam) { urlString += "?"; firstParam = false; } else { urlString += "&"; } String value = request.getParameters().get(param); urlString += param + "=" + HttpUtils.urlEncode(value, false); } try { return new URL(urlString); } catch (MalformedURLException e) { throw new AmazonClientException( "Unable to convert request to well formed URL: " + e.getMessage(), e); } }
/* (non-Javadoc) * @see com.amazonaws.auth.Signer#sign(com.amazonaws.Request, com.amazonaws.auth.AWSCredentials) */ public void sign(Request<?> request, AWSCredentials credentials) throws AmazonClientException { // annonymous credentials, don't sign if (credentials instanceof AnonymousAWSCredentials) { return; } AWSCredentials sanitizedCredentials = sanitizeCredentials(credentials); if (sanitizedCredentials instanceof AWSSessionCredentials) { addSessionCredentials(request, (AWSSessionCredentials) sanitizedCredentials); } SimpleDateFormat dateStampFormat = new SimpleDateFormat("yyyyMMdd"); dateStampFormat.setTimeZone(new SimpleTimeZone(0, "UTC")); SimpleDateFormat dateTimeFormat = new SimpleDateFormat("yyyyMMdd'T'HHmmss'Z'"); dateTimeFormat.setTimeZone(new SimpleTimeZone(0, "UTC")); String regionName = extractRegionName(request.getEndpoint()); String serviceName = extractServiceName(request.getEndpoint()); // AWS4 requires that we sign the Host header so we // have to have it in the request by the time we sign. String hostHeader = request.getEndpoint().getHost(); if (HttpUtils.isUsingNonDefaultPort(request.getEndpoint())) { hostHeader += ":" + request.getEndpoint().getPort(); } request.addHeader("Host", hostHeader); Date date = new Date(); if (overriddenDate != null) date = overriddenDate; String dateTime = dateTimeFormat.format(date); String dateStamp = dateStampFormat.format(date); InputStream payloadStream = getBinaryRequestPayloadStream(request); payloadStream.mark(-1); String contentSha256 = BinaryUtils.toHex(hash(payloadStream)); try { payloadStream.reset(); } catch (IOException e) { throw new AmazonClientException("Unable to reset stream after calculating AWS4 signature", e); } request.addHeader("X-Amz-Date", dateTime); request.addHeader("x-amz-content-sha256", contentSha256); String canonicalRequest = request.getHttpMethod().toString() + "\n" + super.getCanonicalizedResourcePath(request.getResourcePath()) + "\n" + getCanonicalizedQueryString(request) + "\n" + getCanonicalizedHeaderString(request) + "\n" + getSignedHeadersString(request) + "\n" + contentSha256; log.debug("AWS4 Canonical Request: '\"" + canonicalRequest + "\""); String scope = dateStamp + "/" + regionName + "/" + serviceName + "/" + TERMINATOR; String signingCredentials = sanitizedCredentials.getAWSAccessKeyId() + "/" + scope; String stringToSign = ALGORITHM + "\n" + dateTime + "\n" + scope + "\n" + BinaryUtils.toHex(hash(canonicalRequest)); log.debug("AWS4 String to Sign: '\"" + stringToSign + "\""); // AWS4 uses a series of derived keys, formed by hashing different pieces of data byte[] kSecret = ("AWS4" + sanitizedCredentials.getAWSSecretKey()).getBytes(); byte[] kDate = sign(dateStamp, kSecret, SigningAlgorithm.HmacSHA256); byte[] kRegion = sign(regionName, kDate, SigningAlgorithm.HmacSHA256); byte[] kService = sign(serviceName, kRegion, SigningAlgorithm.HmacSHA256); byte[] kSigning = sign(TERMINATOR, kService, SigningAlgorithm.HmacSHA256); byte[] signature = sign(stringToSign.getBytes(), kSigning, SigningAlgorithm.HmacSHA256); String credentialsAuthorizationHeader = "Credential=" + signingCredentials; String signedHeadersAuthorizationHeader = "SignedHeaders=" + getSignedHeadersString(request); String signatureAuthorizationHeader = "Signature=" + BinaryUtils.toHex(signature); String authorizationHeader = ALGORITHM + " " + credentialsAuthorizationHeader + ", " + signedHeadersAuthorizationHeader + ", " + signatureAuthorizationHeader; request.addHeader("Authorization", authorizationHeader); }