Source file `auth.ml`

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
open! Import

type payload_hash = string * int
type canonical_request = string
type credential_scope = string
type string_to_sign = string
type signature = string

let service_to_string_no_api_prefix service =
  let s = Service.to_string service in
  let prefix = "api." in
  match String.is_prefix s ~prefix with
  | true -> String.chop_prefix_exn s ~prefix
  | false -> s
;;

module Payload_header = struct
  let x_amz_content_sha256_key = "x-amz-content-sha256"

  let to_value = function
    | `Streaming -> "STREAMING-AWS4-HMAC-SHA256-PAYLOAD"
    | `Signed (hash, (_ : int)) -> hash
    | `Unsigned -> "UNSIGNED-PAYLOAD"
  ;;

  let add t header = Cohttp.Header.add header x_amz_content_sha256_key (to_value t)
end

module Date_header = struct
  let datestamp (timestamp : Time.t) : string =
    let date = Time.to_date timestamp ~zone:Time.Zone.utc in
    Date.to_string_iso8601_basic date
  ;;

  let amzdate (timestamp : Time.t) : string =
    let date, time_ofday = Time.to_date_ofday timestamp ~zone:Time.Zone.utc in
    let datestamp = Date.to_string_iso8601_basic date in
    let { Time.Span.Parts.hr; min; sec; _ } = Time.Ofday.to_parts time_ofday in
    sprintf "%sT%02d%02d%02dZ" datestamp hr min sec
  ;;

  let x_amz_date_key = "x-amz-date"
  let to_value timestamp = amzdate timestamp
  let add t header = Cohttp.Header.add header x_amz_date_key (to_value t)
  let value_of_now () = amzdate (Time.now ())
end

module Session_token_header = struct
  let x_amz_security_token = "x-amz-security-token"
  let to_value t = t
  let add t header = Cohttp.Header.add header x_amz_security_token (to_value t)
end

(******************************************************************************)
(* Cryptography                                                               *)
(******************************************************************************)
let algorithm = "AWS4-HMAC-SHA256"
let sha256 s = Cryptokit.hash_string (Cryptokit.Hash.sha256 ()) s
let hex_encode s = Cryptokit.transform_string (Cryptokit.Hexa.encode ()) s
let hmac_sha256 ~key ~data = Cryptokit.hash_string (Cryptokit.MAC.hmac_sha256 key) data
let payload_hash s = hex_encode (sha256 s), String.length s
let empty_payload_hash = payload_hash ""

(******************************************************************************)
(* Low Level API                                                              *)
(******************************************************************************)

let rec filter_except_last ~f = function
  | [] -> []
  | [ x ] -> [ x ]
  | x :: xs ->
    let t = filter_except_last ~f xs in
    if f x then x :: t else t
;;

let filter_middle ~f l =
  match l with
  | [] -> []
  | x :: xs -> x :: filter_except_last ~f xs
;;

let normalize_path_components s =
  String.split s ~on:'/'
  |> filter_middle ~f:(Fn.non String.is_empty)
  |> String.concat ~sep:"/"
;;

let canonical_uri_path uri =
  let slash_by_default = function
    | "" -> "/"
    | x -> x
  in
  Uri.path uri |> normalize_path_components |> slash_by_default
;;

let%expect_test "canonical_uri_path" =
  let test path = print_string (canonical_uri_path (Uri.make ~path ())) in
  test "";
  [%expect {| / |}];
  test "/";
  [%expect {| / |}];
  test "/x/y";
  [%expect {| /x/y |}];
  test "/x/y/";
  [%expect {| /x/y/ |}];
  test "/x//y";
  [%expect {| /x/y |}]
;;

let canonical_uri_encode_char = function
  | ('A' .. 'Z' | 'a' .. 'z' | '0' .. '9' | '-' | '_' | '.' | '~') as c ->
    Char.to_string c
  | c -> sprintf "%%%X" (Char.to_int c)
;;

let canonical_uri_encode x = String.concat_map x ~f:canonical_uri_encode_char

let canonical_uri_query : Uri.t -> string =
 fun uri ->
  Uri.query uri
  |> List.sort ~compare:[%compare: string * string list]
  |> List.map ~f:(fun (x, ys) ->
       sprintf
         "%s=%s"
         (canonical_uri_encode x)
         (List.map ys ~f:canonical_uri_encode |> String.concat ~sep:","))
  |> String.concat ~sep:"&"
;;

let%expect_test "canonical_uri_query" =
  let test s = print_string (canonical_uri_query (Uri.of_string s)) in
  test "";
  [%expect];
  test "/?k=v";
  [%expect {| k=v |}];
  test "/?y=yv&x=zx";
  [%expect {| x=zx&y=yv |}];
  test "/?a=y&a=x";
  [%expect {| a=x&a=y |}];
  test "/?\225\136\180=v";
  [%expect {| %E1%88%B4=v |}]
;;

let canonical_headers headers : (string * string list) list =
  Cohttp.Header.to_list headers
  |> String.Caseless.Map.of_alist_multi
  |> String.Caseless.Map.to_alist
  |> List.map ~f:(fun (x, y) -> String.lowercase x, List.map y ~f:String.strip)
  |> List.sort ~compare:(fun (x1, _) (x2, _) -> String.compare x1 x2)
;;

let canonical_request ~http_method ~uri ~headers ~payload_hash =
  let headers = canonical_headers headers in
  match List.Assoc.mem headers "host" ~equal:String.equal with
  | false -> failwith "headers must include Host"
  | true ->
    [ Cohttp.Code.string_of_method http_method
    ; canonical_uri_path uri
    ; canonical_uri_query uri
    ; List.map headers ~f:(fun (x, y) -> sprintf "%s:%s\n" x (String.concat ~sep:"," y))
      |> String.concat ~sep:""
    ; List.map headers ~f:fst |> String.concat ~sep:";"
    ; Payload_header.to_value payload_hash
    ]
    |> String.concat ~sep:"\n"
    |> fun x -> x
;;

let credential_scope ~timestamp ~region ~service =
  String.concat
    ~sep:"/"
    [ Date_header.datestamp timestamp
    ; Region.to_string region
    ; service_to_string_no_api_prefix service
    ; "aws4_request"
    ]
;;

let string_to_sign ~canonical_request ~credential_scope ~timestamp =
  String.concat
    ~sep:"\n"
    [ algorithm
    ; Date_header.to_value timestamp
    ; credential_scope
    ; hex_encode (sha256 canonical_request)
    ]
;;

let credential_with_access_key ?aws_access_key_id ~credential_scope () =
  match aws_access_key_id with
  | Some a -> sprintf "%s/%s" a credential_scope
  | None -> credential_scope
;;

let headers_with_date_and_payload_hash ?session_token ~timestamp ~payload_hash headers =
  Date_header.add timestamp headers
  |> fun header ->
  (match session_token with
   | Some s -> Session_token_header.add s header
   | None -> header)
  |> Payload_header.add payload_hash
;;

let signature ?aws_secret_access_key ~string_to_sign ~timestamp ~region ~service () =
  "AWS4" ^ Option.value ~default:"" aws_secret_access_key
  |> fun key ->
  hmac_sha256 ~key ~data:(Date_header.datestamp timestamp)
  |> fun key ->
  hmac_sha256 ~key ~data:(Region.to_string region)
  |> fun key ->
  hmac_sha256 ~key ~data:(service_to_string_no_api_prefix service)
  |> fun key ->
  hmac_sha256 ~key ~data:"aws4_request"
  |> fun key -> hmac_sha256 ~key ~data:string_to_sign |> hex_encode
;;

let authorization_header ?aws_access_key_id ~signature ~credential_scope ~headers () =
  ( "Authorization"
  , sprintf
      "%s Credential=%s, SignedHeaders=%s, Signature=%s"
      algorithm
      (credential_with_access_key ?aws_access_key_id ~credential_scope ())
      (canonical_headers headers |> List.map ~f:fst |> String.concat ~sep:";")
      signature )
;;

(******************************************************************************)
(* Main API                                                                   *)
(******************************************************************************)
let sign_url
  ~http_method
  ~region
  ~service
  ~timestamp
  ~headers
  ?aws_secret_access_key
  ?aws_access_key_id
  ~(payload_hash : [ `Signed of payload_hash | `Unsigned ])
  ?timeout
  uri
  =
  (match timeout with
   | None -> timeout
   | Some x ->
     if x < 1 || x > 604800
     then
       failwiths
         ~here:[%here]
         "timeout must be between 1 and 604800 seconds"
         x
         sexp_of_int
     else timeout)
  |> fun timeout ->
  let credential_scope = credential_scope ~timestamp ~region ~service in
  let credential =
    match aws_access_key_id with
    | Some a -> sprintf "%s/%s" a credential_scope
    | None -> credential_scope
  in
  let header_names =
    canonical_headers headers |> List.map ~f:fst |> String.concat ~sep:";"
  in
  let uri =
    [ Some ("X-Amz-Algorithm", algorithm)
    ; Some ("X-Amz-Credential", credential)
    ; Some ("X-Amz-Date", Date_header.amzdate timestamp)
    ; Option.map timeout ~f:(fun x -> "X-Amz-Expires", Int.to_string x)
    ; Some ("X-Amz-SignedHeaders", header_names)
    ]
    |> List.filter_map ~f:Fn.id
    |> Uri.add_query_params' uri
  in
  canonical_request ~http_method ~uri ~headers ~payload_hash
  |> fun canonical_request ->
  let signature =
    let string_to_sign = string_to_sign ~canonical_request ~credential_scope ~timestamp in
    signature ~string_to_sign ?aws_secret_access_key ~timestamp ~region ~service ()
  in
  Uri.add_query_param' uri ("X-Amz-Signature", signature)
;;

let sign_request
  ?session_token
  ?aws_access_key_id
  ?aws_secret_access_key
  ~region
  ~service
  ~payload_hash
  req
  =
  let timestamp = Time.now () in
  let headers =
    headers_with_date_and_payload_hash
      ?session_token
      ~payload_hash:(`Signed payload_hash)
      ~timestamp
      req.Cohttp.Request.headers
  in
  let canonical_request_headers =
    (* 2022-05-03 mbac: I had to reduce the canonical request headers to this
       restricted set to get EC2 to work. The aws cli tool appears to do the same
       (run it with --debug) *)
    headers
    |> Cohttp.Header.to_list
    |> List.filter ~f:(fun (k, _) ->
         match String.lowercase k with
         | "host" | "x-amz-date" | "content-type" | "x-amz-security-token" -> true
         | _ -> false)
    |> Cohttp.Header.of_list
  in
  let canonical_request =
    canonical_request
      ~http_method:req.Cohttp.Request.meth
      ~uri:(Cohttp.Request.uri req)
      ~headers:canonical_request_headers
      ~payload_hash:(`Signed payload_hash)
  in
  (* printf "Canonical request:\n%s\n" canonical_request; *)
  let credential_scope_region =
    Botocore_endpoints.lookup_credential_scope ~region service
  in
  let credential_scope =
    credential_scope ~timestamp ~region:credential_scope_region ~service
  in
  let (signature : string) =
    let string_to_sign = string_to_sign ~canonical_request ~credential_scope ~timestamp in
    (* printf "String to sign:\n%s\n" string_to_sign; *)
    signature
      ~string_to_sign
      ?aws_secret_access_key
      ~timestamp
      ~region:credential_scope_region
      ~service
      ()
  in
  let auth_header_name, auth_header_val =
    authorization_header
      ~signature
      ~credential_scope
      ?aws_access_key_id
      ~headers:canonical_request_headers
      ()
  in
  { req with
    Cohttp.Request.headers = Cohttp.Header.add headers auth_header_name auth_header_val
  }
;;