From de1110f7e5c24105ec9afa2cd9871fa296d8f7de Mon Sep 17 00:00:00 2001
From: kdesjard
Date: Mon, 6 Mar 2023 19:17:28 +0000
Subject: [PATCH 1/2] S3: Temporary credentials need a session token
---
 lib/Signer/AWSv4/S3.pm | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/Signer/AWSv4/S3.pm b/lib/Signer/AWSv4/S3.pm
index 374d4ab..8e983b1 100644
--- a/lib/Signer/AWSv4/S3.pm
+++ b/lib/Signer/AWSv4/S3.pm
@@ -36,6 +36,7 @@ package Signer::AWSv4::S3;
 'X-Amz-Credential' => $self->access_key . "/" . $self->credential_scope,
 'X-Amz-Date' => $self->date_timestamp,
 'X-Amz-Expires' => $self->expires,
+ ($self->session_token ? ('X-Amz-Security-Token' => $self->session_token) : () ),
 'X-Amz-SignedHeaders' => $self->signed_header_list,
 ('response-content-disposition' => $self->content_disposition) x!! $self->content_disposition,
 ('response-content-type' => $self->content_type) x!! $self->content_type,
From fddfcf67ee27951be6b86bf619301800980a8dbc Mon Sep 17 00:00:00 2001
From: kdesjard
Date: Mon, 6 Mar 2023 19:32:34 +0000
Subject: [PATCH 2/2] add s3 tests with session token
---
 t/02_s3_with_session_token.t | 78 ++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 t/02_s3_with_session_token.t
diff --git a/t/02_s3_with_session_token.t b/t/02_s3_with_session_token.t
new file mode 100644
index 0000000..6180a57
--- /dev/null
+++ b/t/02_s3_with_session_token.t
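Review bot: The added `X-Amz-Security-Token` entry puts the STS session token into the presigned URL's query string, and nothing near it documents what that means for callers: the token is visible wherever the URL is (access logs, Referer headers, pasted links), and the URL stops working once the temporary credentials expire even if `expires` is larger. I would add a comment above the line, e.g. `# STS session token: travels in the URL; the URL is valid only while these temporary credentials are`, and say the same in the module's POD. The line also departs from the `(...) x!! $self->...` idiom its neighbours use; `('X-Amz-Security-Token' => $self->session_token) x!! $self->session_token,` would match them. The enclosing parameter list starts and ends outside the hunk, and the `session_token` attribute is not declared in this diff, so it presumably comes from the base class.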
@@ -0,0 +1,78 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+
+use Test::More;
+use Signer::AWSv4::S3;
+
+my $signer = Signer::AWSv4::S3->new(
+ time => Time::Piece->strptime('20130524T000000Z', '%Y%m%dT%H%M%SZ'),
+ access_key => 'AKIAIOSFODNN7EXAMPLE',
+ secret_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+ session_token => 'fooSessionToken9876543210',
+ method => 'GET',
+ key => 'test.txt',
+ bucket => 'examplebucket',
+ region => 'us-east-1',
+ expires => 86400,
+);
+
+my $expected_canon_request = 'GET
+/examplebucket/test.txt
+X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-Security-Token=fooSessionToken9876543210&X-Amz-SignedHeaders=host
+host:s3.amazonaws.com
+
+host
+UNSIGNED-PAYLOAD';
+
+cmp_ok($signer->canonical_request, 'eq', $expected_canon_request);
+
+my $expected_string_to_sign = 'AWS4-HMAC-SHA256
+20130524T000000Z
+20130524/us-east-1/s3/aws4_request
+1ce3217367127240f226c8c5cb89e6e2b2cbeff9a6a6bf78cbd50fb3b07eff95';
+
+cmp_ok($signer->string_to_sign, 'eq', $expected_string_to_sign);
+
+my $signature = 'baa9ba4567835bc469f3410235f3116036b8685c7460ead98e150e128cca84fa';
+cmp_ok($signer->signature, 'eq', $signature);
+
+my $expected_signed_qstring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-Security-Token=fooSessionToken9876543210&X-Amz-SignedHeaders=host&X-Amz-Signature=baa9ba4567835bc469f3410235f3116036b8685c7460ead98e150e128cca84fa';
+cmp_ok($signer->signed_qstring, 'eq', $expected_signed_qstring);
+
+$signer = Signer::AWSv4::S3->new(
+ time => Time::Piece->strptime('20130524T000000Z', '%Y%m%dT%H%M%SZ'),
+ access_key => 'AKIAIOSFODNN7EXAMPLE',
+ secret_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+ session_token => 'fooSessionToken9876543210',
+ method => 'GET',
+ key => 'test.txt',
+ bucket => 'examplebucket',
+ region => 'us-east-1',
+ expires => 86400,
+ version_id => '1234561zOnAAAJKHxVKBxxEyuy_78901j',
+);
+
+$expected_signed_qstring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-Security-Token=fooSessionToken9876543210&X-Amz-SignedHeaders=host&versionId=1234561zOnAAAJKHxVKBxxEyuy_78901j&X-Amz-Signature=e3677f60bb4aef0a1a75d95dcde50846ff4849e26764a602022638a18ce69a3d';
+cmp_ok($signer->signed_qstring, 'eq', $expected_signed_qstring);
+
+$signer = Signer::AWSv4::S3->new(
+ time => Time::Piece->strptime('20130524T000000Z', '%Y%m%dT%H%M%SZ'),
+ access_key => 'AKIAIOSFODNN7EXAMPLE',
+ secret_key => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+ session_token => 'fooSessionToken9876543210',
+ method => 'GET',
+ key => 'test.txt',
+ bucket => 'examplebucket',
+ region => 'us-east-1',
+ expires => 86400,
+ version_id => '1234561zOnAAAJKHxVKBxxEyuy_78901j',
+ content_type => 'text/plain',
+ content_disposition => 'inline; filename=New Name.txt',
+);
+
+$expected_signed_qstring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-Security-Token=fooSessionToken9876543210&X-Amz-SignedHeaders=host&response-content-disposition=inline%3B%20filename%3DNew%20Name.txt&response-content-type=text%2Fplain&versionId=1234561zOnAAAJKHxVKBxxEyuy_78901j&X-Amz-Signature=5ee5497a04f74c558fbb431876251834d67ed4807d17bd4b11a8418150baed7b';
+cmp_ok($signer->signed_qstring, 'eq', $expected_signed_qstring);
+
+done_testing;
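Review bot: The token used in all three cases, `fooSessionToken9876543210`, contains only unreserved characters, so these tests never exercise percent-encoding of `X-Amz-Security-Token`. Real STS tokens are base64-like and typically contain `/`, `+` and `=`, and a token encoded one way in the canonical request and another way in the final URL produces a signature mismatch that these assertions would not catch. One more case with a constructed token such as `'a/b+c='` and `like($signer->canonical_request, qr/X-Amz-Security-Token=a%2Fb%2Bc%3D/);` would pin the encoding. The file also calls `Time::Piece->strptime` without `use Time::Piece;`, which works only if `Signer::AWSv4::S3` happens to load it, so an explicit `use` is safer.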