Commit 18b7825f authored by Sophie Wenzel-Teuber's avatar Sophie Wenzel-Teuber
Browse files

Add Amazon Authorisation

The signature of amazon users is checked against a text file of known users and requests are accepted or rejected depending on the signature
parent 073d9049
Pipeline #1311 passed with stages
in 6 minutes and 23 seconds
......@@ -6,7 +6,6 @@ Checks: clang-diagnostic-*,
-clang-analyzer-security.insecureAPI.rand,
mpi-*,
readability-braces-around-statements,
readability-avoid-const-params-in-decls,
readability-redundant-string-init,
readability-container-size-empty,
readability-implicit-bool-conversion,
......
......@@ -7,7 +7,7 @@
PROJECT_NAME = FiPhoboServer
# Extraction options
EXTRACT_PRIVATE = NO
EXTRACT_PRIVATE = YES
EXTRACT_PACKAGE = YES
EXTRACT_STATIC = YES
EXTRACT_LOCAL_METHODS = YES
......
# <a name='fiphoboserver-s3_utilities-S3_authorisation' /> public fiphoboserver::s3_utilities::S3_authorisation
class to perform an authorisation of an S3 request.
The implementation of this class follows the guidelines from [https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html)
## Helper functions
| Name | Description |
| ---- | ---- |
| [search_for_user](#fiphoboserver-s3_utilities-S3_authorisation-search_for_user) | checks whether the user id saved in [m_user_identifier][fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier] exists in the user database |
| [is_chunked](#fiphoboserver-s3_utilities-S3_authorisation-is_chunked) | check if this message has a content body |
| [print_info](#fiphoboserver-s3_utilities-S3_authorisation-print_info) | print current state of member variables |
## Extract header information
| Name | Description |
| ---- | ---- |
| [set_authorisation_info](#fiphoboserver-s3_utilities-S3_authorisation-set_authorisation_info) | get the information about authorisation from the header and save it to member variables |
| [extract_string_part](#fiphoboserver-s3_utilities-S3_authorisation-extract_string_part) | Extract information from a string. |
| [split_signed_headers](#fiphoboserver-s3_utilities-S3_authorisation-split_signed_headers) | split up the "SignedHeaders" value of the HTTP request |
| [split_credentials](#fiphoboserver-s3_utilities-S3_authorisation-split_credentials) | split up the "Credential" value of the HTTP request |
## Signature creation
| Name | Description |
| ---- | ---- |
| [check](#fiphoboserver-s3_utilities-S3_authorisation-check) | checks the signature of the message |
| [create_canonical_request](#fiphoboserver-s3_utilities-S3_authorisation-create_canonical_request) | create a canonical request |
| [create_string_to_sign](#fiphoboserver-s3_utilities-S3_authorisation-create_string_to_sign) | create a string to sign |
| [get_signature](#fiphoboserver-s3_utilities-S3_authorisation-get_signature) | create the signature |
## Private Attributes
| Name | Description |
| ---- | ---- |
| [m_status](#fiphoboserver-s3_utilities-S3_authorisation-m_status) | the current status of the authorisation |
| [m_user_identifier](#fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier) | the public key / identifier of the user that send the request |
| [m_user_key](#fiphoboserver-s3_utilities-S3_authorisation-m_user_key) | the key that belongs to [m_user_identifier][fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier] |
| [m_date](#fiphoboserver-s3_utilities-S3_authorisation-m_date) | the date as saved in the credentials of the request |
| [m_region](#fiphoboserver-s3_utilities-S3_authorisation-m_region) | the S3 region as saved in the credentials of the request |
| [m_signed_headers](#fiphoboserver-s3_utilities-S3_authorisation-m_signed_headers) | a list of the headers that have been used to sign the request |
| [m_signature](#fiphoboserver-s3_utilities-S3_authorisation-m_signature) | the signature stored in the request |
| [m_payload](#fiphoboserver-s3_utilities-S3_authorisation-m_payload) | the payload of the request |
## Public Functions
| Name | Description |
| ---- | ---- |
| [authorise](#fiphoboserver-s3_utilities-S3_authorisation-authorise) | main method to run the authorisation algorithm |
| [add_chunk](#fiphoboserver-s3_utilities-S3_authorisation-add_chunk) | add a chunk of data to the payload |
| [is_valid](#fiphoboserver-s3_utilities-S3_authorisation-is_valid) | checks if the authorisation was successful |
## Helper functions
### <a name='fiphoboserver-s3_utilities-S3_authorisation-search_for_user' /> private bool fiphoboserver::s3_utilities::S3_authorisation::search_for_user ()
checks whether the user id saved in [m_user_identifier][fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier] exists in the user database
#### Returns:
| Type | Description |
| ---- | ---- |
| bool | true if the user has been found, false otherwise |
Sets
[m_user_key][fiphoboserver-s3_utilities-S3_authorisation-m_user_key] on success
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-is_chunked' /> private bool fiphoboserver::s3_utilities::S3_authorisation::is_chunked (const S3_header &headers) const
check if this message has a content body
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | the headers of the message to check |
#### Returns:
| Type | Description |
| ---- | ---- |
| bool | true if the message contains a body, false otherwise |
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-print_info' /> private void fiphoboserver::s3_utilities::S3_authorisation::print_info () const
print current state of member variables
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
## Extract header information
### <a name='fiphoboserver-s3_utilities-S3_authorisation-set_authorisation_info' /> private bool fiphoboserver::s3_utilities::S3_authorisation::set_authorisation_info (const S3_header &headers)
get the information about authorisation from the header and save it to member variables
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | the header to extract the information from |
#### Returns:
| Type | Description |
| ---- | ---- |
| bool | true if all information was found, false if an error occurred |
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-extract_string_part' /> private std::string fiphoboserver::s3_utilities::S3_authorisation::extract_string_part (std::string complete, std::string identifier, std::string delimiter) const
Extract information from a string.
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| std::string | complete | the complete string will all information |
| std::string | identifier | the identifier of the specific piece of information required |
| std::string | delimiter | the delimiter between the parts of information |
#### Returns:
| Type | Description |
| ---- | ---- |
| std::string | required information as string |
If there is for example a string of the form "id=info;id2=info2" then ';' is the delimiter, 'id' is the identifier and this function will return "info".
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-split_signed_headers' /> private void fiphoboserver::s3_utilities::S3_authorisation::split_signed_headers (std::string all_signed_headers)
split up the "SignedHeaders" value of the HTTP request
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| std::string | all_signed_headers | the value of the SignedHeaders header |
This function saves the headers into
[m_signed_headers][fiphoboserver-s3_utilities-S3_authorisation-m_signed_headers]
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-split_credentials' /> private void fiphoboserver::s3_utilities::S3_authorisation::split_credentials (std::string credentials)
split up the "Credential" value of the HTTP request
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| std::string | credentials | the value of the Credential header |
This function saves the credentials into
[m_user_identifier][fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier],
[m_date][fiphoboserver-s3_utilities-S3_authorisation-m_date] and
[m_region][fiphoboserver-s3_utilities-S3_authorisation-m_region]
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
## Signature creation
### <a name='fiphoboserver-s3_utilities-S3_authorisation-check' /> private bool fiphoboserver::s3_utilities::S3_authorisation::check (const S3_header &headers) const
checks the signature of the message
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | the headers of the message to check |
#### Returns:
| Type | Description |
| ---- | ---- |
| bool | true if the signature was valid, false otherwise |
This function splits the message's contents into the needed parts, creates a signature and compares it with the one saved in the headers
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-create_canonical_request' /> private std::string fiphoboserver::s3_utilities::S3_authorisation::create_canonical_request (const S3_header &headers) const
create a canonical request
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | the headers of the message to create the request from |
#### Returns:
| Type | Description |
| ---- | ---- |
| std::string | the canonical request |
For more information what this means, see:
[https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-create_string_to_sign' /> private std::string fiphoboserver::s3_utilities::S3_authorisation::create_string_to_sign (const S3_header &headers, std::string canonical_request) const
create a string to sign
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | the headers of the message to create the request from |
| std::string | canonical_request | the canonical request from [create_canonical_request][fiphoboserver-s3_utilities-S3_authorisation-create_canonical_request] |
#### Returns:
| Type | Description |
| ---- | ---- |
| std::string | the string to sign |
For more information what this means, see:
[https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-get_signature' /> private std::string fiphoboserver::s3_utilities::S3_authorisation::get_signature (std::string string_to_sign) const
create the signature
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| std::string | string_to_sign | the string to sign from [create_string_to_sign][fiphoboserver-s3_utilities-S3_authorisation-create_string_to_sign] |
#### Returns:
| Type | Description |
| ---- | ---- |
| std::string | the signature |
For more information what this means, see:
[https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)
#### Qualifiers:
* const
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
## Private Attributes
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_status' /> private fiphoboserver::s3_utilities::S3_authorisation::m_status =
the current status of the authorisation
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier' /> private fiphoboserver::s3_utilities::S3_authorisation::m_user_identifier
the public key / identifier of the user that send the request
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_user_key' /> private fiphoboserver::s3_utilities::S3_authorisation::m_user_key
the key that belongs to [m_user_identifier][fiphoboserver-s3_utilities-S3_authorisation-m_user_identifier]
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_date' /> private fiphoboserver::s3_utilities::S3_authorisation::m_date
the date as saved in the credentials of the request
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_region' /> private fiphoboserver::s3_utilities::S3_authorisation::m_region
the S3 region as saved in the credentials of the request
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_signed_headers' /> private fiphoboserver::s3_utilities::S3_authorisation::m_signed_headers
a list of the headers that have been used to sign the request
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_signature' /> private fiphoboserver::s3_utilities::S3_authorisation::m_signature
the signature stored in the request
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-m_payload' /> private fiphoboserver::s3_utilities::S3_authorisation::m_payload = ""
the payload of the request
This is the whole body since we do not support multiple chunked signatures
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
## Public Functions
### <a name='fiphoboserver-s3_utilities-S3_authorisation-authorise' /> public [Authorisation_status][fiphoboserver-s3_utilities-Authorisation_status] fiphoboserver::s3_utilities::S3_authorisation::authorise (const S3_header &headers)
main method to run the authorisation algorithm
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| const [S3_header][fiphoboserver-s3_utilities-S3_header] & | headers | of the message to authenticate |
#### Returns:
| Type | Description |
| ---- | ---- |
| [Authorisation_status][fiphoboserver-s3_utilities-Authorisation_status] | status of the authorisation |
[Go to Top](#fiphoboserver-s3_utilities-S3_authorisation)
### <a name='fiphoboserver-s3_utilities-S3_authorisation-add_chunk' /> public void fiphoboserver::s3_utilities::S3_authorisation::add_chunk (std::string chunk)
add a chunk of data to the payload
#### Parameters:
| Type | Name | Description |
| ---- | ---- | ---- |
| std::string | chunk | the string to add |
Since the whole body has to be hashed in order to verify the signature of the message each chunk of data has to be added here in order.
Otherwise the authentication will fail!