From 327cfc6122f87b51a60890830512de03ba023240 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 2 Aug 2024 13:03:15 -0400 Subject: [PATCH] chore: port oci-copy task to aws v4 auth The aws v2 auth mechanism is deprecated. --- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 57 ++++++++++++++++--- task/oci-copy/0.1/oci-copy.yaml | 57 ++++++++++++++++--- 2 files changed, 98 insertions(+), 16 deletions(-)
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
index 54e11da4fb..476f11b56f 100644
--- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -139,16 +139,57 @@ spec:
 curl_args=(--fail --silent --show-error)
 if [ -n "${AWS_ACCESS_KEY_ID}" ] && [ -n "${AWS_SECRET_ACCESS_KEY}" ]; then
 echo "Found both aws credentials secret with both aws_access_key_id and aws_secret_access_key. Assuming S3 bucket"
- # This implements v2 auth https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html.
- # TODO - port to v4 auth https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
+ # This implements v4 auth https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
 path=$(echo "$url" | cut -d/ -f4-)
 echo "Bucket path is $path"
- date="$(date -u '+%a, %e %b %Y %H:%M:%S +0000')"
- printf -v string_to_sign "%s\n\n\n%s\n%s" "$method" "$date" "/$path"
- echo "String to sign is $string_to_sign"
- signature=$(echo -n "$string_to_sign" | openssl dgst -sha1 -binary -hmac "${AWS_SECRET_ACCESS_KEY}" | openssl base64)
- authorization="AWS ${AWS_ACCESS_KEY_ID}:${signature}"
- curl "${curl_args[@]}" -H "Date: ${date}" -H "Authorization: ${authorization}" --location "$url" -o "$file"
+ date="$(date -u '+%Y%m%dT%H%M%SZ')"
+ host=$(echo -n "$url" | awk -F '/' '{print $3}')
+ region=$(echo -n "$host" | awk -F '.' '{print $2}')
+
+ # This e3b0c44 digest is digest of the empty string. No request body.
+ payload_digest=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+
+ # Step 1: construct canonical request
+ IFS= read -r -d '' canonical_request <