1<?php
2
3namespace Sabre\HTTP\Auth;
4
5use Sabre\HTTP\Util;
6
7/**
8 * HTTP AWS Authentication handler
9 *
10 * Use this class to leverage amazon's AWS authentication header
11 *
12 * @copyright Copyright (C) 2009-2015 fruux GmbH (https://fruux.com/).
13 * @author Evert Pot (http://evertpot.com/)
14 * @license http://sabre.io/license/ Modified BSD License
15 */
16class AWS extends AbstractAuth {
17
18    /**
19     * The signature supplied by the HTTP client
20     *
21     * @var string
22     */
23    private $signature = null;
24
25    /**
26     * The accesskey supplied by the HTTP client
27     *
28     * @var string
29     */
30    private $accessKey = null;
31
32    /**
33     * An error code, if any
34     *
35     * This value will be filled with one of the ERR_* constants
36     *
37     * @var int
38     */
39    public $errorCode = 0;
40
41    const ERR_NOAWSHEADER = 1;
42    const ERR_MD5CHECKSUMWRONG = 2;
43    const ERR_INVALIDDATEFORMAT = 3;
44    const ERR_REQUESTTIMESKEWED = 4;
45    const ERR_INVALIDSIGNATURE = 5;
46
47    /**
48     * Gathers all information from the headers
49     *
50     * This method needs to be called prior to anything else.
51     *
52     * @return bool
53     */
54    function init() {
55
56        $authHeader = $this->request->getHeader('Authorization');
57        $authHeader = explode(' ', $authHeader);
58
59        if ($authHeader[0] != 'AWS' || !isset($authHeader[1])) {
60            $this->errorCode = self::ERR_NOAWSHEADER;
61             return false;
62        }
63
64        list($this->accessKey, $this->signature) = explode(':', $authHeader[1]);
65
66        return true;
67
68    }
69
70    /**
71     * Returns the username for the request
72     *
73     * @return string
74     */
75    function getAccessKey() {
76
77        return $this->accessKey;
78
79    }
80
81    /**
82     * Validates the signature based on the secretKey
83     *
84     * @param string $secretKey
85     * @return bool
86     */
87    function validate($secretKey) {
88
89        $contentMD5 = $this->request->getHeader('Content-MD5');
90
91        if ($contentMD5) {
92            // We need to validate the integrity of the request
93            $body = $this->request->getBody(true);
94            $this->request->setBody($body, true);
95
96            if ($contentMD5 != base64_encode(md5($body, true))) {
97                // content-md5 header did not match md5 signature of body
98                $this->errorCode = self::ERR_MD5CHECKSUMWRONG;
99                return false;
100            }
101
102        }
103
104        if (!$requestDate = $this->request->getHeader('x-amz-date'))
105            $requestDate = $this->request->getHeader('Date');
106
107        if (!$this->validateRFC2616Date($requestDate))
108            return false;
109
110        $amzHeaders = $this->getAmzHeaders();
111
112        $signature = base64_encode(
113            $this->hmacsha1($secretKey,
114                $this->request->getMethod() . "\n" .
115                $contentMD5 . "\n" .
116                $this->request->getHeader('Content-type') . "\n" .
117                $requestDate . "\n" .
118                $amzHeaders .
119                $this->request->getUrl()
120            )
121        );
122
123        if ($this->signature != $signature) {
124
125            $this->errorCode = self::ERR_INVALIDSIGNATURE;
126            return false;
127
128        }
129
130        return true;
131
132    }
133
134
135    /**
136     * Returns an HTTP 401 header, forcing login
137     *
138     * This should be called when username and password are incorrect, or not supplied at all
139     *
140     * @return void
141     */
142    function requireLogin() {
143
144        $this->response->addHeader('WWW-Authenticate', 'AWS');
145        $this->response->setStatus(401);
146
147    }
148
149    /**
150     * Makes sure the supplied value is a valid RFC2616 date.
151     *
152     * If we would just use strtotime to get a valid timestamp, we have no way of checking if a
153     * user just supplied the word 'now' for the date header.
154     *
155     * This function also makes sure the Date header is within 15 minutes of the operating
156     * system date, to prevent replay attacks.
157     *
158     * @param string $dateHeader
159     * @return bool
160     */
161    protected function validateRFC2616Date($dateHeader) {
162
163        $date = Util::parseHTTPDate($dateHeader);
164
165        // Unknown format
166        if (!$date) {
167            $this->errorCode = self::ERR_INVALIDDATEFORMAT;
168            return false;
169        }
170
171        $min = new \DateTime('-15 minutes');
172        $max = new \DateTime('+15 minutes');
173
174        // We allow 15 minutes around the current date/time
175        if ($date > $max || $date < $min) {
176            $this->errorCode = self::ERR_REQUESTTIMESKEWED;
177            return false;
178        }
179
180        return $date;
181
182    }
183
184    /**
185     * Returns a list of AMZ headers
186     *
187     * @return string
188     */
189    protected function getAmzHeaders() {
190
191        $amzHeaders = [];
192        $headers = $this->request->getHeaders();
193        foreach ($headers as $headerName => $headerValue) {
194            if (strpos(strtolower($headerName), 'x-amz-') === 0) {
195                $amzHeaders[strtolower($headerName)] = str_replace(["\r\n"], [' '], $headerValue[0]) . "\n";
196            }
197        }
198        ksort($amzHeaders);
199
200        $headerStr = '';
201        foreach ($amzHeaders as $h => $v) {
202            $headerStr .= $h . ':' . $v;
203        }
204
205        return $headerStr;
206
207    }
208
209    /**
210     * Generates an HMAC-SHA1 signature
211     *
212     * @param string $key
213     * @param string $message
214     * @return string
215     */
216    private function hmacsha1($key, $message) {
217
218        if (function_exists('hash_hmac')) {
219            return hash_hmac('sha1', $message, $key, true);
220        }
221
222        $blocksize = 64;
223        if (strlen($key) > $blocksize) {
224            $key = pack('H*', sha1($key));
225        }
226        $key = str_pad($key, $blocksize, chr(0x00));
227        $ipad = str_repeat(chr(0x36), $blocksize);
228        $opad = str_repeat(chr(0x5c), $blocksize);
229        $hmac = pack('H*', sha1(($key ^ $opad) . pack('H*', sha1(($key ^ $ipad) . $message))));
230        return $hmac;
231
232    }
233
234}
235