Added support for SIG4/SIGV4A querystring authentication. (#595)

Author: crahen-aws

aws-http-auth/internal/v4/signer.go

@@ -33,6 +33,8 @@ type Signer struct {
 	Algorithm       string
 	CredentialScope string
 	Finalizer       Finalizer
+
+	SignatureType v4.SignatureType
 }
 
 // Finalizer performs the final step in v4 signing, deriving a signature for
@@ -53,15 +55,26 @@ func (s *Signer) Do() error {
 
 	s.setRequiredHeaders()
 
-	canonicalRequest, signedHeaders := s.buildCanonicalRequest()
+	// Build canonical headers first to get signedHeaders
+	canonHeaders, signedHeaders := s.buildCanonicalHeaders()
+
+	if s.SignatureType == v4.SignatureTypeQueryString {
+		s.addSignatureParametersToQuery(signedHeaders)
+	}
+
+	canonicalRequest := s.buildCanonicalRequestWithHeaders(canonHeaders, signedHeaders)
 	stringToSign := s.buildStringToSign(canonicalRequest)
 	signature, err := s.Finalizer.SignString(stringToSign)
 	if err != nil {
 		return err
 	}
 
-	s.Request.Header.Set("Authorization",
-		s.buildAuthorizationHeader(signature, signedHeaders))
+	if s.SignatureType == v4.SignatureTypeQueryString {
+		s.addSignatureToQuery(signature, signedHeaders)
+	} else {
+		s.Request.Header.Set("Authorization",
+			s.buildAuthorizationHeader(signature, signedHeaders))
+	}
 
 	return nil
 }
@@ -108,20 +121,32 @@ func (s *Signer) setRequiredHeaders() {
 	headers := s.Request.Header
 
 	s.Request.Header.Set("Host", s.Request.Host)
-	s.Request.Header.Set("X-Amz-Date", s.Time.Format(TimeFormat))
 
-	if len(s.Credentials.SessionToken) > 0 {
-		s.Request.Header.Set("X-Amz-Security-Token", s.Credentials.SessionToken)
+	// X-Amz-Date and X-Amz-Security-Token are only set as headers when using a header signature type
+	if s.SignatureType == v4.SignatureTypeHeader {
+		s.Request.Header.Set("X-Amz-Date", s.Time.Format(TimeFormat))
+		if len(s.Credentials.SessionToken) > 0 {
+			s.Request.Header.Set("X-Amz-Security-Token", s.Credentials.SessionToken)
+		}
+	} else {
+		// For query string auth, ensure these headers are not present
+		s.Request.Header.Del("X-Amz-Date")
+		s.Request.Header.Del("X-Amz-Security-Token")
 	}
+
 	if len(s.PayloadHash) > 0 && s.Options.AddPayloadHashHeader {
 		headers.Set("X-Amz-Content-Sha256", payloadHashString(s.PayloadHash))
 	}
 }
 
 func (s *Signer) buildCanonicalRequest() (string, string) {
+	canonHeaders, signedHeaders := s.buildCanonicalHeaders()
+	canonicalRequest := s.buildCanonicalRequestWithHeaders(canonHeaders, signedHeaders)
+	return canonicalRequest, signedHeaders
+}
+
+func (s *Signer) buildCanonicalRequestWithHeaders(canonHeaders, signedHeaders string) string {
 	canonPath := s.Request.URL.EscapedPath()
-	// https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html:
-	// if input has no path, "/" is used
 	if len(canonPath) == 0 {
 		canonPath = "/"
 	}
@@ -135,8 +160,6 @@ func (s *Signer) buildCanonicalRequest() (string, string) {
 	}
 	canonQuery := strings.Replace(query.Encode(), "+", "%20", -1)
 
-	canonHeaders, signedHeaders := s.buildCanonicalHeaders()
-
 	req := strings.Join([]string{
 		s.Request.Method,
 		canonPath,
@@ -146,7 +169,7 @@ func (s *Signer) buildCanonicalRequest() (string, string) {
 		payloadHashString(s.PayloadHash),
 	}, "\n")
 
-	return req, signedHeaders
+	return req
 }
 
 func (s *Signer) buildCanonicalHeaders() (canon, signed string) {
@@ -203,6 +226,28 @@ func (s *Signer) buildAuthorizationHeader(signature, headers string) string {
 		signature)
 }
 
+func (s *Signer) addSignatureParametersToQuery(signedHeaders string) {
+	query := s.Request.URL.Query()
+	query.Set("X-Amz-Algorithm", s.Algorithm)
+	query.Set("X-Amz-Credential", s.Credentials.AccessKeyID+"/"+s.CredentialScope)
+	query.Set("X-Amz-Date", s.Time.Format(TimeFormat))
+	query.Set("X-Amz-SignedHeaders", signedHeaders)
+
+	if len(s.Credentials.SessionToken) > 0 {
+		query.Set("X-Amz-Security-Token", s.Credentials.SessionToken)
+	}
+
+	s.Request.URL.RawQuery = query.Encode()
+}
+
+func (s *Signer) addSignatureToQuery(signature, signedHeaders string) {
+	query := s.Request.URL.Query()
+	query.Set("X-Amz-SignedHeaders", signedHeaders)
+	query.Set("X-Amz-Signature", signature)
+
+	s.Request.URL.RawQuery = query.Encode()
+}
+
 func payloadHashString(p []byte) string {
 	if string(p) == "UNSIGNED-PAYLOAD" {
 		return string(p) // sentinel, do not hex-encode

aws-http-auth/internal/v4/signer_test.go

@@ -34,6 +34,117 @@ func (identityFinalizer) SignString(v string) (string, error) {
 	return v, nil
 }
 
+func TestQueryStringAuth_IncludesSignedHeadersInCanonicalRequest(t *testing.T) {
+	req, err := http.NewRequest(http.MethodGet, "https://service.region.amazonaws.com/path", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.URL.RawQuery = "existing=param"
+
+	s := &Signer{
+		Request:              req,
+		PayloadHash:          []byte("UNSIGNED-PAYLOAD"),
+		Time:                 time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
+		Credentials:          credentials.Credentials{AccessKeyID: "AKID", SecretAccessKey: "SECRET"},
+		Algorithm:            "AWS4-HMAC-SHA256",
+		CredentialScope:      "20240101/us-east-1/service/aws4_request",
+		Finalizer:            identityFinalizer{},
+		SignatureType: v4.SignatureTypeQueryString,
+	}
+
+	err = s.Do()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	query := req.URL.Query()
+	if !query.Has("X-Amz-SignedHeaders") {
+		t.Error("X-Amz-SignedHeaders missing from query string")
+	}
+	if !query.Has("X-Amz-Algorithm") {
+		t.Error("X-Amz-Algorithm missing from query string")
+	}
+	if !query.Has("X-Amz-Credential") {
+		t.Error("X-Amz-Credential missing from query string")
+	}
+	if !query.Has("X-Amz-Date") {
+		t.Error("X-Amz-Date missing from query string")
+	}
+	if !query.Has("X-Amz-Signature") {
+		t.Error("X-Amz-Signature missing from query string")
+	}
+	if !query.Has("existing") {
+		t.Error("existing query parameter should be preserved")
+	}
+}
+
+func TestQueryStringAuth_WithSessionToken(t *testing.T) {
+	req, err := http.NewRequest(http.MethodGet, "https://service.region.amazonaws.com/path", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s := &Signer{
+		Request:              req,
+		PayloadHash:          []byte("UNSIGNED-PAYLOAD"),
+		Time:                 time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
+		Credentials:          credentials.Credentials{AccessKeyID: "AKID", SecretAccessKey: "SECRET", SessionToken: "TOKEN123"},
+		Algorithm:            "AWS4-HMAC-SHA256",
+		CredentialScope:      "20240101/us-east-1/service/aws4_request",
+		Finalizer:            identityFinalizer{},
+		SignatureType: v4.SignatureTypeQueryString,
+	}
+
+	err = s.Do()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	query := req.URL.Query()
+	if !query.Has("X-Amz-Security-Token") {
+		t.Error("X-Amz-Security-Token missing from query string")
+	}
+	if query.Get("X-Amz-Security-Token") != "TOKEN123" {
+		t.Errorf("X-Amz-Security-Token = %q, want %q", query.Get("X-Amz-Security-Token"), "TOKEN123")
+	}
+}
+
+func TestQueryStringAuth_WithRegionSet(t *testing.T) {
+	req, err := http.NewRequest(http.MethodGet, "https://service.region.amazonaws.com/path", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Pre-populate X-Amz-Region-Set as query parameter (simulating SigV4a)
+	query := req.URL.Query()
+	query.Set("X-Amz-Region-Set", "us-east-1,us-west-2")
+	req.URL.RawQuery = query.Encode()
+
+	s := &Signer{
+		Request:              req,
+		PayloadHash:          []byte("UNSIGNED-PAYLOAD"),
+		Time:                 time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
+		Credentials:          credentials.Credentials{AccessKeyID: "AKID", SecretAccessKey: "SECRET"},
+		Algorithm:            "AWS4-ECDSA-P256-SHA256",
+		CredentialScope:      "20240101/service/aws4_request",
+		Finalizer:            identityFinalizer{},
+		SignatureType: v4.SignatureTypeQueryString,
+	}
+
+	err = s.Do()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	finalQuery := req.URL.Query()
+	if !finalQuery.Has("X-Amz-Region-Set") {
+		t.Error("X-Amz-Region-Set missing from final query string")
+	}
+	if finalQuery.Get("X-Amz-Region-Set") != "us-east-1,us-west-2" {
+		t.Errorf("X-Amz-Region-Set = %q, want %q", finalQuery.Get("X-Amz-Region-Set"), "us-east-1,us-west-2")
+	}
+}
+
 func TestBuildCanonicalRequest_SignedPayload(t *testing.T) {
 	req, err := http.NewRequest(http.MethodPost,
 		"https://service.region.amazonaws.com",

aws-http-auth/sigv4/sigv4.go

@@ -17,6 +17,8 @@ import (
 
 const algorithm = "AWS4-HMAC-SHA256"
 
+
+
 // Signer signs requests with AWS Signature version 4.
 type Signer struct {
 	options v4.SignerOptions
@@ -66,6 +68,9 @@ type SignRequestInput struct {
 	// If the zero-value is given (generally by the caller not setting it), the
 	// signer will instead use the current system clock time for the signature.
 	Time time.Time
+
+	// How the signature is transmitted (header or query string).
+	SignatureType v4.SignatureType
 }
 
 // SignRequest signs an HTTP request with AWS Signature Version 4, modifying
@@ -107,8 +112,9 @@ func (s *Signer) SignRequest(in *SignRequestInput, opts ...v4.SignerOption) erro
 		Credentials: in.Credentials,
 		Options:     options,
 
-		Algorithm:       algorithm,
-		CredentialScope: scope(tm, in.Region, in.Service),
+		Algorithm:            algorithm,
+		CredentialScope:      scope(tm, in.Region, in.Service),
+		SignatureType:        in.SignatureType,
 		Finalizer: &finalizer{
 			Secret:  in.Credentials.SecretAccessKey,
 			Service: in.Service,