livery_s3_sigv4 (livery_s3 v0.1.0)

AWS Signature Version 4 for S3, as a livery_client layer.

Used two ways:

  • As the innermost client layer (call/3): it derives the payload hash, sets host/x-amz-date/x-amz-content-sha256 (and x-amz-security-token when a session token is configured), signs host plus every x-amz-* header, and adds the authorization header before handing the request to the transport.
  • As a presigner (presigned_url/8): query-string signing for time-limited GET/PUT URLs, with UNSIGNED-PAYLOAD and host as the only signed header.

The pure authorization/1 primitive computes a signature from explicit inputs; it is exercised against AWS's published S3 worked examples in the tests.

Summary

Functions

  • authorization/1: Compute the Authorization header value from explicit, already-canonical inputs.
  • call/3: Sign the request, then hand it to the next layer.
  • now_timestamps/0: Return the current {amz-datetime, yyyymmdd} pair in UTC.
  • presigned_url/8: Build a presigned URL (query-string SigV4) from explicitly resolved Creds.

Types

sign_input()

-type sign_input() ::
          #{method := binary(),
            path := binary(),
            query := binary(),
            headers := [{binary(), binary()}],
            payload_hash := binary(),
            secret := binary(),
            region := binary(),
            service := binary(),
            datetime := binary(),
            date := binary(),
            access_key_id => binary()}.

Functions

authorization/1

-spec authorization(sign_input()) -> binary().

Compute the Authorization header value from explicit, already-canonical inputs. headers is the exact set of headers to sign; path and query are the canonical URI and canonical query string; payload_hash is the hex-encoded SHA-256 of the request body (or the literal UNSIGNED-PAYLOAD).

call(Req, Next, Cfg)

-spec call(livery_client:request(),
           livery_client:next(),
           #s3_config{scheme :: binary(),
                      host :: binary(),
                      port :: undefined | inet:port_number(),
                      region :: binary(),
                      credentials :: livery_s3_credentials:handle(),
                      addressing :: path | virtual}) ->
              livery_client:result().

Sign the request, then hand it to the next layer.

now_timestamps()

-spec now_timestamps() -> {binary(), binary()}.

Return the current {amz-datetime, yyyymmdd} pair in UTC.

presigned_url/8

-spec presigned_url(#s3_config{scheme :: binary(),
                               host :: binary(),
                               port :: undefined | inet:port_number(),
                               region :: binary(),
                               credentials :: livery_s3_credentials:handle(),
                               addressing :: path | virtual},
                    livery_s3_credentials:creds(),
                    atom() | binary(),
                    binary(),
                    binary(),
                    pos_integer(),
                    [{binary(), binary()}],
                    {binary(), binary()}) ->
                       binary().

Build a presigned URL (query-string SigV4) from explicitly resolved Creds. ExtraQuery holds operation parameters (e.g. versionId); they are signed alongside the X-Amz-* auth parameters. Only the host header is signed and the payload is UNSIGNED-PAYLOAD.
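The two signing modes described above (header-based authorization/1 and query-string presigned_url/8), as an added Python example that is not part of livery_s3's Erlang code: it takes a sign_input()-shaped dict, builds the canonical request and string-to-sign, derives the signing key and emits either the Authorization header or a presigned URL. The function names, the EXAMPLE dict and the extra_query parameter are this example's own; the input values are AWS's published S3 "GET Object" worked example (documentation-only credentials), so the output can be checked against the values AWS documents.

```python
import hashlib
import hmac
from urllib.parse import quote

SCHEME = "AWS4-HMAC-SHA256"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Inputs of AWS's published S3 "GET Object" worked example (documentation-only credentials).
EXAMPLE = {"method": "GET", "path": "/test.txt", "query": "", "region": "us-east-1",
           "service": "s3", "datetime": "20130524T000000Z", "date": "20130524",
           "access_key_id": "AKIAIOSFODNN7EXAMPLE",
           "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "payload_hash": EMPTY_SHA256,
           "headers": [("Host", "examplebucket.s3.amazonaws.com"), ("Range", "bytes=0-9"),
                       ("x-amz-content-sha256", EMPTY_SHA256), ("x-amz-date", "20130524T000000Z")]}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _scope(inp: dict) -> str:
    return f"{inp['date']}/{inp['region']}/{inp['service']}/aws4_request"

def _signature(inp: dict, headers) -> tuple:
    """Return (SignedHeaders, hex signature) for a sign_input()-shaped dict."""
    # Canonical headers: lowercase names, whitespace-normalised values, sorted by name.
    canon = sorted((k.lower().strip(), " ".join(v.split())) for k, v in headers)
    signed_names = ";".join(k for k, _ in canon)
    creq = "\n".join([inp["method"], inp["path"], inp["query"],
                      "".join(f"{k}:{v}\n" for k, v in canon), signed_names, inp["payload_hash"]])
    sts = "\n".join([SCHEME, inp["datetime"], _scope(inp), hashlib.sha256(creq.encode()).hexdigest()])
    # Signing key chain: "AWS4" + secret -> date -> region -> service -> aws4_request.
    key = ("AWS4" + inp["secret"]).encode()
    for part in (inp["date"], inp["region"], inp["service"], "aws4_request"):
        key = _hmac(key, part)
    return signed_names, _hmac(key, sts).hex()

def authorization(inp: dict) -> str:
    """Header signing as in authorization/1: every header in inp['headers'] is signed."""
    signed, sig = _signature(inp, inp["headers"])
    return f"{SCHEME} Credential={inp['access_key_id']}/{_scope(inp)},SignedHeaders={signed},Signature={sig}"

def presigned_url(inp: dict, host: str, expires: int, extra_query=()) -> str:
    """Query-string signing as in presigned_url/8: only host is signed, payload is UNSIGNED-PAYLOAD."""
    params = sorted([("X-Amz-Algorithm", SCHEME), ("X-Amz-Credential", f"{inp['access_key_id']}/{_scope(inp)}"),
                     ("X-Amz-Date", inp["datetime"]), ("X-Amz-Expires", str(expires)),
                     ("X-Amz-SignedHeaders", "host"), *extra_query])
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in params)
    presign = {**inp, "query": query, "payload_hash": "UNSIGNED-PAYLOAD"}
    _, sig = _signature(presign, [("host", host)])
    return f"https://{host}{inp['path']}?{query}&X-Amz-Signature={sig}"
```

Any extra_query parameter (such as versionId) is sorted into the canonical query before signing, so a URL whose query was altered after signing no longer verifies.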