Merge pull request #4 from Yasumoto/master

Adds ability to provide temporary credential token when using EC2 instances. Update swift version.

Author: JustinM1

.swift-version

@@ -1 +1 @@
-3.0
+3.0.2

Package.swift

@@ -7,8 +7,5 @@ let package = Package(
         .Package(url: "https://github.com/vapor/crypto.git",
                  majorVersion: 1),
         .Package(url: "https://github.com/vapor/core.git", majorVersion: 1)
-        
-        
-        ]
+    ]
 )
-

Sources/S3SignerAWS.swift

@@ -6,6 +6,7 @@ import Core
 public class S3SignerAWS  {
     private let accessKey: String
     private let secretKey: String
+    private let securityToken : String? // Used to validate temporary credentials, such as those from an EC2 Instance's IAM role
     private let _region: Region
     private let dateFormatter: DateFormatter
 
@@ -14,14 +15,22 @@ public class S3SignerAWS  {
            return self._region
         }
     }
-    
-    required public init(accessKey: String, secretKey: String, region: Region) {
+
+    /// Initializes a signer which works for either permanent credentials or temporary secrets
+    ///
+    /// - Parameters:
+    ///   - accessKey: Main token to identify the credential
+    ///   - secretKey: Password to validate access
+    ///   - region: Which AWS region to sign against
+    ///   - securityToken: Optional token used only with temporary credentials
+    public init(accessKey: String, secretKey: String, region: Region, securityToken: String? = nil) {
         self.accessKey = accessKey
         self.secretKey = secretKey
         self._region = region
+        self.securityToken = securityToken
         self.dateFormatter = DateFormatter()
     }
-    
+
     public func authHeaderV4(httpMethod: HTTPMethod, urlString: String, pathPercentEncoding: CharacterSet =  CharacterSet.urlPathAllowed, queryPercentEncoding: CharacterSet = CharacterSet.urlQueryAllowed, headers: [String: String], payload: Payload, mimeType: String? = nil) throws -> [String:String] {
 
         guard let url = URL(string: urlString) else { throw S3SignerError.badURL }
@@ -34,7 +43,7 @@ public class S3SignerAWS  {
 
         if httpMethod == .put {
             if payload.isBytes {
-            let MD5Digest = try Hash.make(.md5, payload.bytes).base64String
+            let MD5Digest = try Hash.make(.md5, payload.bytes).base64Encoded.string
             updatedHeaders["content-md5"] = MD5Digest
             }
         }
@@ -79,7 +88,7 @@ public class S3SignerAWS  {
         guard let stringToSign = ["GET", "", "", "\(expirationTime)", path(url: url)].joined(separator: "\n").data(using: String.Encoding.utf8) else { throw S3SignerError.unableToEncodeStringToSign }
 
         let stringToSignBytes = try stringToSign.makeBytes()
-        let signature = try HMAC.make(.sha1, stringToSignBytes, key: secretKey.bytes).base64String.addingPercentEncoding(withAllowedCharacters: .urlHostAllowed)
+        let signature = try HMAC.make(.sha1, stringToSignBytes, key: secretKey.bytes).base64Encoded.string.addingPercentEncoding(withAllowedCharacters: .urlHostAllowed)
         guard let sig = signature else { throw  S3SignerError.unableToEncodeSignature }
 
         let finalURLString = "\(urlString)?AWSAccessKeyId=\(accessKey)&Signature=\(sig)&Expires=\(expirationTime)"
@@ -113,6 +122,10 @@ public class S3SignerAWS  {
         if bodyDigest != "UNSIGNED-PAYLOAD" {
             headersCopy["x-amz-content-sha256"] = bodyDigest
         }
+        // According to http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS
+        if let token = securityToken {
+            headersCopy["X-Amz-Security-Token"] = token
+        }
         return headersCopy
     }
 

S3SignerAWSTests/Info.plist renamed to Tests/S3SignerAWSTests/Info.plist

@@ -21,7 +21,11 @@ class S3SignerAWSTests: XCTestCase {
     let accessKey = "AKIAIOSFODNN7EXAMPLE"
     let testSecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 
-    var signer: S3SignerAWS = S3SignerAWS(accessKey: accessKey, secretKey: testSecretKey, region: Region.usStandard_usEast1)
+    var signer: S3SignerAWS {
+        get {
+            return S3SignerAWS(accessKey: accessKey, secretKey: testSecretKey, region: Region.usEast1_Virginia)
+        }
+    }
 
     let shortDate = "20130524"
     let longDate = "20130524T000000Z"
@@ -247,16 +251,21 @@ class S3SignerAWSTests: XCTestCase {
 //            }
 //        }
 //    }
-//
-// 
-//    
-//    
-//    func testPerformanceExample() {
-//        // This is an example of a performance test case.
-//        self.measure {
-//        }
-//    }
-//    
+
+    func testAuthHeaderV4ConfigCredentials() throws {
+        let configFileCredentials = try signer.authHeaderV4(httpMethod: .get, urlString: "http://fake-url.com", headers: [:], payload: .none)
+        XCTAssert(configFileCredentials["x-amz-content-sha256"] == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
+        XCTAssert(configFileCredentials["host"] == "fake-url.com")
+        XCTAssert(configFileCredentials["X-Amz-Security-Token"] == nil)
+    }
+
+    func testAuthHeaderV4IAMCredentials() throws {
+        let iamSigner = S3SignerAWS(accessKey: accessKey, secretKey: testSecretKey, region: Region.usEast1_Virginia, securityToken: "verySecure")
+        let iamBasedCredentials = try iamSigner.authHeaderV4(httpMethod: .get, urlString: "http://fake-url.com", headers: [:], payload: .none)
+        XCTAssert(iamBasedCredentials["x-amz-content-sha256"] == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
+        XCTAssert(iamBasedCredentials["host"] == "fake-url.com")
+        XCTAssert(iamBasedCredentials["X-Amz-Security-Token"] == "verySecure")
+    }
 }