GitDataAI
diff --git a/‎auth/aksk/gen.go
Lines changed: 22 additions & 0 deletions b/‎auth/aksk/gen.go
Lines changed: 22 additions & 0 deletions
diff --git a/‎auth/aksk/sign.go
Lines changed: 87 additions & 0 deletions b/‎auth/aksk/sign.go
Lines changed: 87 additions & 0 deletions
diff --git a/‎auth/aksk/verifier.go
Lines changed: 105 additions & 0 deletions b/‎auth/aksk/verifier.go
Lines changed: 105 additions & 0 deletions
@@ -0,0 +1,22 @@
+package aksk
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"io"
+)
+
+func GenerateAksk() (string, string, error) {
+	akBytes, err := io.ReadAll(io.LimitReader(rand.Reader, 16))
+	if err != nil {
+		return "", "", err
+	}
+	ak := hex.EncodeToString(akBytes)
+
+	skBytes, err := io.ReadAll(io.LimitReader(rand.Reader, 16))
+	if err != nil {
+		return "", "", err
+	}
+	sk := hex.EncodeToString(skBytes)
+	return ak, sk, nil
+}
@@ -0,0 +1,87 @@
+package aksk
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+)
+
+const (
+	signatureVersion = "0"
+	signatureMethod  = "HmacSHA256"
+	timeFormat       = "2006-01-02T15:04:05Z"
+)
+
+type Signer interface {
+	Sign(req *http.Request) error
+}
+
+var _ Signer = (*V0Signer)(nil)
+
+type V0Signer struct {
+	accessKey, secretKey string
+}
+
+func NewV0Signer(accessKey string, secretKey string) *V0Signer {
+	return &V0Signer{accessKey: accessKey, secretKey: secretKey}
+}
+
+func (voSigner V0Signer) Sign(req *http.Request) error {
+	// http verb
+
+	curTime := time.Now()
+	// set query parameter
+	query := req.URL.Query()
+	query.Set("AWSAccessKeyId", voSigner.accessKey)
+	query.Set("SignatureVersion", signatureVersion)
+	query.Set("SignatureMethod", signatureMethod)
+	query.Set("Timestamp", curTime.UTC().Format(timeFormat))
+
+	req.Header.Del("Signature")
+
+	method := req.Method
+	host := req.URL.Host
+	path := req.URL.Path
+	if path == "" {
+		path = "/"
+	}
+
+	// obtain all of the query keys and sort them
+	queryKeys := make([]string, 0, len(query))
+	for key := range query {
+		queryKeys = append(queryKeys, key)
+	}
+	sort.Strings(queryKeys)
+
+	// build URL-encoded query keys and values
+	queryKeysAndValues := make([]string, len(queryKeys))
+	for i, key := range queryKeys {
+		k := strings.Replace(url.QueryEscape(key), "+", "%20", -1)
+		v := strings.Replace(url.QueryEscape(query.Get(key)), "+", "%20", -1)
+		queryKeysAndValues[i] = k + "=" + v
+	}
+
+	// join into one query string
+	queryString := strings.Join(queryKeysAndValues, "&")
+
+	// build the canonical string for the V2 signature
+	stringToSign := strings.Join([]string{
+		method,
+		host,
+		path,
+		queryString,
+	}, "\n")
+
+	hash := hmac.New(sha256.New, []byte(voSigner.secretKey))
+	hash.Write([]byte(stringToSign))
+	signature := base64.StdEncoding.EncodeToString(hash.Sum(nil))
+	query.Set("Signature", signature)
+
+	req.URL.RawQuery = query.Encode()
+	return nil
+}
@@ -0,0 +1,105 @@
+package aksk
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+)
+
+type V0Verifier interface {
+	Verify(req *http.Request) error
+}
+
+type SkGetter interface {
+	Get(ak string) (string, error)
+}
+
+var _ V0Verifier = (*V0Verier)(nil)
+
+type V0Verier struct {
+	skGetter SkGetter
+}
+
+func NewV0Verier(skGetter SkGetter) *V0Verier {
+	return &V0Verier{skGetter: skGetter}
+}
+
+func (v *V0Verier) Verify(req *http.Request) error {
+	query := req.URL.Query()
+	accessKey := query.Get("AWSAccessKeyId")
+	if len(accessKey) == 0 {
+		return fmt.Errorf("ak not found")
+	}
+
+	secretKey, err := v.skGetter.Get(accessKey)
+	if err != nil {
+		return fmt.Errorf("access key not correct")
+	}
+
+	sigMethod := query.Get("SignatureMethod")
+	if sigMethod != signatureMethod {
+		return fmt.Errorf("invalid signature method %s", sigMethod)
+	}
+
+	sigVersion := query.Get("SignatureVersion")
+	if sigVersion != signatureVersion {
+		return fmt.Errorf("invalid signature method %s", sigMethod)
+	}
+
+	reqTime := query.Get("Timestamp")
+	t, err := time.Parse(timeFormat, reqTime)
+	if err != nil {
+		return fmt.Errorf("invalid timestamp %s", reqTime)
+	}
+	if t.Before(time.Now().Add(-5 * time.Minute)) {
+		return fmt.Errorf("request is out of data")
+	}
+	expectSignature := query.Get("Signature")
+	query.Del("Signature")
+
+	method := req.Method
+	host := req.URL.Host
+	path := req.URL.Path
+	if path == "" {
+		path = "/"
+	}
+
+	// obtain all of the query keys and sort them
+	queryKeys := make([]string, 0, len(query))
+	for key := range query {
+		queryKeys = append(queryKeys, key)
+	}
+	sort.Strings(queryKeys)
+
+	// build URL-encoded query keys and values
+	queryKeysAndValues := make([]string, len(queryKeys))
+	for i, key := range queryKeys {
+		k := strings.Replace(url.QueryEscape(key), "+", "%20", -1)
+		v := strings.Replace(url.QueryEscape(query.Get(key)), "+", "%20", -1)
+		queryKeysAndValues[i] = k + "=" + v
+	}
+
+	// join into one query string
+	queryString := strings.Join(queryKeysAndValues, "&")
+
+	// build the canonical string for the V2 signature
+	stringToSign := strings.Join([]string{
+		method,
+		host,
+		path,
+		queryString,
+	}, "\n")
+	hash := hmac.New(sha256.New, []byte(secretKey))
+	hash.Write([]byte(stringToSign))
+	actualSig := base64.StdEncoding.EncodeToString(hash.Sum(nil))
+	if actualSig != expectSignature {
+		return fmt.Errorf("signature not correct")
+	}
+	return nil
+}