-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathcompute_aws_s3_signature.lua
More file actions
264 lines (206 loc) · 7.25 KB
/
compute_aws_s3_signature.lua
File metadata and controls
264 lines (206 loc) · 7.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
--
--
-- Compute S3 signature
--
--
local aws_bucket_prefix = os.getenv('AWS_BUCKET_PREFIX')
local build_prefixes = { "dev%-", "preprod%-", "" }
-- Get encoded key.
--
local function get_encoded_key (key)
return key:gsub(' ', '%%20')
end
-- Get encoded prefix.
--
local function get_encoded_prefix (prefix)
-- If the prefix is empty, this means are browsing the root directory. But
-- as we do not want to list the artifacts for every project, we set the
-- prefix to a value that will match only builds for the current project.
-- This value can be computed from the ingress in the "Script-Name" HTTP
-- header.
--
if prefix == "" and ngx.var.http_script_name ~= nil then
prefix = string.match(ngx.var.http_script_name, "[^/]+/[^/]+/[^/]+/"):gsub("/", ":")
end
return ngx.escape_uri(prefix)
end
-- Check if this is a promoted build.
--
local function is_promoted(build_name)
for i=1, #build_prefixes do
if build_name:match("^[a-z]+:[a-z]+:[%-A-Za-z0-9]+:" .. build_prefixes[i] .. "promoted%-") then
return true
end
end
return false
end
-- Check if this is a staging build (with no expiration disabled).
--
local function is_staging (build_name)
for i=1, #build_prefixes do
if build_name:match("^[a-z]+:[a-z]+:[%-A-Za-z0-9]+:" .. build_prefixes[i] .. "staging%-") then
return true
end
end
return false
end
-- Set the target bucket.
--
local function scan_tgt_buckets (build_tgt)
if ngx.var.aws_tgt_bucket == "" then
if is_promoted(build_tgt) then
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-promoted"
elseif is_staging(build_tgt) then
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-staging"
else
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-prolonged"
end
end
end
-- Replace nil by an empty string.
--
local function empty_if_nil (str)
if str == nil then
return ""
end
return str
end
-- Compute AWS S3 signature.
--
local function compute_S3_signature (canonicalized_amz_headers)
local canonicalized_resource = "/" .. ngx.var.aws_tgt_bucket .. "/" .. ngx.var.encoded_key
local aws_secret_key = os.getenv('AWS_SECRET_ACCESS_KEY')
local http_content_md5 = empty_if_nil(ngx.var.http_content_md5)
local http_content_type = empty_if_nil(ngx.var.http_content_type)
local http_date = empty_if_nil(ngx.var.http_date)
local string_to_sign = ngx.var.request_method .. "\n" .. http_content_md5 .. "\n" .. http_content_type .. "\n" .. http_date .. "\n" .. canonicalized_amz_headers .. "\n" .. canonicalized_resource
ngx.var.aws_signature = ngx.encode_base64(ngx.hmac_sha1(aws_secret_key, string_to_sign))
end
-- Compute AWS S3 presignature.
--
local function compute_S3_presignature (expires)
local canonicalized_resource = "/" .. ngx.var.aws_tgt_bucket .. "/" .. ngx.var.encoded_key
local aws_secret_key = os.getenv('AWS_SECRET_ACCESS_KEY')
local http_content_md5 = empty_if_nil(ngx.var.http_content_md5)
local http_content_type = empty_if_nil(ngx.var.http_content_type)
local string_to_sign = ngx.var.request_method .. "\n" .. http_content_md5 .. "\n" .. http_content_type .. "\n" .. expires .. "\n" .. canonicalized_resource
local aws_signature = ngx.encode_base64(ngx.hmac_sha1(aws_secret_key, string_to_sign))
ngx.var.presign_query_string = ngx.encode_args({['AWSAccessKeyId'] = ngx.var.aws_access_key, ['Signature'] = aws_signature, ['Expires'] = expires})
end
-- Get mode set by nginx conf.
--
local signature_mode = ngx.var.signature_mode
if signature_mode == nil or signature_mode == "" then
ngx.log(ngx.ERR, "no signature_mode specified")
end
-- init
--
ngx.var.x_amz_date = ngx.http_time(ngx.time())
ngx.var.aws_access_key = os.getenv('AWS_ACCESS_KEY_ID')
-- do specific stuff regarding the signature mode
--
if signature_mode == "UPLOAD" then
-- UPLOAD is only done on staging
--
local build_tgt
ngx.var.encoded_key = get_encoded_key(ngx.var.canonical_path)
build_tgt = ngx.var.canonical_path:match("^[^/]+")
-- Set the target bucket.
--
if ngx.var.aws_tgt_bucket == "" then
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-staging"
end
-- Set the amz headers.
--
ngx.var.x_amz_acl = "private"
-- Compute signature.
--
compute_S3_signature ("x-amz-acl:" .. ngx.var.x_amz_acl .. "\nx-amz-date:" .. ngx.var.x_amz_date)
elseif signature_mode == "LISTING" then
-- LISTING mode.
--
local build_tgt
ngx.var.encoded_key = ""
ngx.var.encoded_prefix = get_encoded_prefix(ngx.var.canonical_path)
build_tgt = ngx.var.canonical_path:match("^[^/]+")
-- Set the target bucket.
--
if build_tgt ~= nil then
scan_tgt_buckets(build_tgt)
end
-- Compute signature.
--
compute_S3_signature ("x-amz-date:" .. ngx.var.x_amz_date)
elseif signature_mode == "DOWNLOAD" then
-- DOWNLOAD mode.
--
local build_tgt
ngx.var.encoded_key = get_encoded_key(ngx.var.canonical_path)
build_tgt = ngx.var.canonical_path:match("^[^/]+")
-- Set the target bucket, if there is a build in canonical_path.
--
scan_tgt_buckets(build_tgt)
-- Compute signature.
--
compute_S3_signature ("x-amz-date:" .. ngx.var.x_amz_date)
elseif signature_mode == "COPY" then
-- COPY mode.
--
local build_src, build_tgt, aws_src_bucket
ngx.var.encoded_key = get_encoded_key(ngx.var.canonical_path:match("^[^/]+/(.*)"))
build_src, build_tgt = ngx.var.canonical_path:match("^([^/]+)/([^/]+)")
-- Set the source bucket.
--
if is_staging(build_src) then
aws_src_bucket = aws_bucket_prefix .. "-staging"
elseif is_promoted(build_src) then
aws_src_bucket = aws_bucket_prefix .. "-promoted"
else
aws_src_bucket = aws_bucket_prefix .. "-prolonged"
end
-- Set the target bucket.
--
if ngx.var.aws_tgt_bucket == "" then
if is_staging(build_tgt) then
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-staging"
elseif is_promoted(build_tgt) then
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-promoted"
else
ngx.var.aws_tgt_bucket = aws_bucket_prefix .. "-prolonged"
end
end
-- Set the amz headers (Remove .ARTIFACTS_BEFORE/[d]+/ from source, if needed)
--
if ngx.var.encoded_key:match("^[^/]+/%.ARTIFACTS_BEFORE/[0-9]+/") and build_src == build_tgt then
ngx.var.x_amz_copy_source = "/" .. aws_src_bucket .. "/" .. ngx.var.encoded_key:gsub('^[^/]+/[^/]+/[^/]+/', build_src .. "/", 1)
else
ngx.var.x_amz_copy_source = "/" .. aws_src_bucket .. "/" .. ngx.var.encoded_key:gsub('^[^/]+/', build_src .. "/", 1)
end
-- Compute signature.
--
compute_S3_signature ("x-amz-copy-source:" .. ngx.var.x_amz_copy_source .. "\nx-amz-date:" .. ngx.var.x_amz_date)
elseif signature_mode == "PRESIGN" then
-- PRESIGN mode.
--
local build_tgt, expires
ngx.var.encoded_key = get_encoded_key(ngx.var.canonical_path)
build_tgt = ngx.var.canonical_path:match("^[^/]+")
-- Set the target bucket.
--
scan_tgt_buckets(build_tgt)
-- Set presignature expiration
--
expires = ngx.time() + 3600
-- Compute presignature.
--
compute_S3_presignature (expires)
-- Redirect directly from here.
--
return ngx.redirect(ngx.var.redirect_endpoint .. "/" .. ngx.var.aws_tgt_bucket .. "/" .. ngx.var.encoded_key .. "?" .. ngx.var.presign_query_string, ngx.HTTP_MOVED_TEMPORARILY);
else
--
-- Unkown signature mode.
--
ngx.log(ngx.ERR, "unknown signature_mode")
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end