Firkin.Auth.SigV4 (firkin v0.2.0)


AWS Signature Version 4 implementation for server-side verification.

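Summary

Functions

build_canonical_request(conn, signed_headers, content_sha256)
Builds a canonical request string per the SigV4 spec.

build_string_to_sign(amz_date, credential_scope, canonical_request)
Builds a string to sign per the SigV4 spec.

derive_signing_key(secret_access_key, date, region, service)
Signs a string with the given secret key using the SigV4 key derivation.

parse_auth_header(arg1)
Parses an AWS4-HMAC-SHA256 Authorization header.

parse_presigned_params(params)
Parses presigned URL query parameters.

verify_header_signature(conn, parsed, credential)
Verifies the signature from an Authorization header.

verify_presigned_signature(conn, parsed, credential)
Verifies a presigned URL signature.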

Types

parsed_header()

@type parsed_header() :: %{
  access_key_id: String.t(),
  credential_scope: String.t(),
  signed_headers: [String.t()],
  signature: String.t(),
  date: String.t(),
  region: String.t(),
  service: String.t()
}

parsed_presigned()

@type parsed_presigned() :: %{
  access_key_id: String.t(),
  credential_scope: String.t(),
  signed_headers: [String.t()],
  signature: String.t(),
  date: String.t(),
  region: String.t(),
  service: String.t(),
  expires: non_neg_integer(),
  amz_date: String.t()
}

Functions

build_canonical_request(conn, signed_headers, content_sha256)

@spec build_canonical_request(Plug.Conn.t(), [String.t()], String.t()) :: String.t()

Builds a canonical request string per the SigV4 spec.

build_string_to_sign(amz_date, credential_scope, canonical_request)

@spec build_string_to_sign(String.t(), String.t(), String.t()) :: String.t()

Builds a string to sign per the SigV4 spec.

derive_signing_key(secret_access_key, date, region, service)

@spec derive_signing_key(String.t(), String.t(), String.t(), String.t()) :: binary()

Signs a string with the given secret key using the SigV4 key derivation.

parse_auth_header(arg1)

@spec parse_auth_header(String.t()) ::
  {:ok, parsed_header()} | {:error, :invalid_signature}

Parses an AWS4-HMAC-SHA256 Authorization header.

parse_presigned_params(params)

@spec parse_presigned_params(map()) ::
  {:ok, parsed_presigned()} | {:error, :invalid_signature}

Parses presigned URL query parameters.

verify_header_signature(conn, parsed, credential)

@spec verify_header_signature(Plug.Conn.t(), parsed_header(), Firkin.Credential.t()) ::
  :ok | {:error, :invalid_signature | :credential_not_found}

Verifies the signature from an Authorization header.

verify_presigned_signature(conn, parsed, credential)

@spec verify_presigned_signature(
  Plug.Conn.t(),
  parsed_presigned(),
  Firkin.Credential.t()
) ::
  :ok | {:error, :invalid_signature | :expired | :credential_not_found}

Verifies a presigned URL signature.
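
How the steps documented above combine into a server-side check, as an added stand-alone sketch that is not Firkin's code: the SigV4 key derivation chain, the string to sign, and a recomputed signature compared without early exit. The module name `SigV4Sketch`, its function names, and all sample values are assumptions constructed for illustration; the map keys follow `parsed_header()`.

```elixir
defmodule SigV4Sketch do
  # Added illustration; every name here is hypothetical, not Firkin's code.
  defp hmac(key, data), do: :crypto.mac(:hmac, :sha256, key, data)
  defp hex(bin), do: Base.encode16(bin, case: :lower)

  # kDate -> kRegion -> kService -> kSigning: each HMAC is keyed by the previous output.
  def signing_key(secret, date, region, service) do
    ("AWS4" <> secret) |> hmac(date) |> hmac(region) |> hmac(service) |> hmac("aws4_request")
  end

  def string_to_sign(amz_date, scope, canonical_request) do
    hashed = hex(:crypto.hash(:sha256, canonical_request))
    Enum.join(["AWS4-HMAC-SHA256", amz_date, scope, hashed], "\n")
  end

  def signature(secret, parsed, amz_date, creq) do
    %{date: d, region: r, service: s, credential_scope: scope} = parsed
    secret |> signing_key(d, r, s) |> hmac(string_to_sign(amz_date, scope, creq)) |> hex()
  end

  # Recompute from server-side state; reject scope or date mismatches before comparing.
  def verify(secret, parsed, amz_date, creq) do
    %{date: d, region: r, service: s, credential_scope: scope, signature: claimed} = parsed
    cond do
      scope != "#{d}/#{r}/#{s}/aws4_request" -> {:error, :invalid_signature}
      not String.starts_with?(amz_date, d) -> {:error, :invalid_signature}
      secure_compare(signature(secret, parsed, amz_date, creq), claimed) -> :ok
      true -> {:error, :invalid_signature}
    end
  end

  # No early exit: OR together the XOR of every byte pair, then test for zero.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end) == 0
  end
  defp secure_compare(_, _), do: false
end

# Constructed sample input (not from the page).
secret = "constructed-example-secret"
creq = "GET\n/bucket/key\n\nhost:example.test\nx-amz-date:20240101T000000Z\n\nhost;x-amz-date\nUNSIGNED-PAYLOAD"
parsed = %{date: "20240101", region: "us-east-1", service: "s3",
           credential_scope: "20240101/us-east-1/s3/aws4_request", signature: ""}
good = %{parsed | signature: SigV4Sketch.signature(secret, parsed, "20240101T000000Z", creq)}
IO.inspect(SigV4Sketch.verify(secret, good, "20240101T000000Z", creq))
IO.inspect(SigV4Sketch.verify(secret, good, "20240101T000000Z", creq <> "x"))
IO.inspect(SigV4Sketch.verify(secret, %{good | region: "eu-west-1"}, "20240101T000000Z", creq))
```

The three calls exercise a matching request, a canonical request altered after signing, and a parsed region that no longer agrees with the credential scope.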