extern crate git2;
extern crate hex;
#[macro_use]
extern crate lazy_static;
#[macro_use]
extern crate log;
extern crate regex;
extern crate ring;
extern crate rusoto_credential;
extern crate time;
extern crate url;
use git2::{Cred, CredentialType, Error};
use hex::ToHex;
use regex::Regex;
use ring::{digest, hmac};
use rusoto_credential::{DefaultCredentialsProvider, ProvideAwsCredentials};
use std::error::Error as StdError;
use time::{Tm, now_utc};
use url::Url;
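/// Unwraps a `Result`, turning any error into a `git2::Error` so it can be
/// returned from a git2 credential callback.
///
/// The message is taken from the error's `Display` output rather than the
/// deprecated `description()`, which for a number of error types yields a
/// fixed generic string and drops the actual cause.
macro_rules! gtry {
    ($expr:expr) => {
        match $expr {
            Ok(val) => val,
            Err(err) => return Err(Error::from_str(&err.to_string())),
        }
    };
}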
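/// git2 credential callback for AWS CodeCommit HTTPS remotes.
///
/// When the remote host is a CodeCommit endpoint
/// (`git-codecommit.<region>.amazonaws.com`, optionally with the `.cn`
/// partition suffix) and the remote uses `https`, AWS credentials are
/// resolved through rusoto's `DefaultCredentialsProvider` and a
/// `AWS4-HMAC-SHA256` signature over the request path and host is derived
/// from them. The result is handed to git2 as a plaintext user/password pair:
/// username `<access key id>` or `<access key id>%<session token>`, password
/// `<YYYYMMDDTHHMMSSZ><hex signature>`.
///
/// For any other host, a non-`https` URL, or a credential type git2 does not
/// allow for this request, the callback falls back to `Cred::default()` so
/// other mechanisms can run. No AWS credential lookup happens in that case.
///
/// # Errors
/// Returns a `git2::Error` when the URL does not parse, when no AWS
/// credentials can be resolved, or when a timestamp cannot be formatted.
pub fn codecommit_credentials(url_str: &str,
                              _username_from_url: Option<&str>,
                              allowed: CredentialType)
                              -> Result<Cred, Error> {
    lazy_static! {
        // Anchored to the whole host name: an unanchored match would also accept
        // any host that merely *contains* a CodeCommit endpoint name (e.g. a
        // subdomain of an unrelated domain) and release the session token and a
        // signed password to it. `(\.cn)?` covers the China partition endpoints.
        static ref HOST_RE: Regex =
            Regex::new(r"^git-codecommit\.([a-z0-9-]+)\.amazonaws\.com(\.cn)?$").unwrap();
    }
    // This helper only ever produces a plaintext user/password credential;
    // let git2 fall through for anything else (SSH keys, username-only, ...).
    if !allowed.is_user_pass_plaintext() {
        return Cred::default();
    }
    let url = gtry!(Url::parse(url_str));
    let host = url.host_str().unwrap_or("");
    // The region is read from the endpoint host; the derived password (and the
    // session token in the username) is only ever sent over TLS.
    let region = match HOST_RE.captures(host).and_then(|cap| cap.get(1)) {
        Some(m) if url.scheme() == "https" => m.as_str(),
        _ => return Cred::default(),
    };
    let credentials = gtry!(gtry!(DefaultCredentialsProvider::new()).credentials());
    let access_key_id = credentials.aws_access_key_id();
    // Temporary credentials carry their session token in the username after '%'.
    let username = match *credentials.token() {
        Some(ref token) => format!("{}%{}", access_key_id, token),
        None => access_key_id.to_string(),
    };
    // Only the key id is logged; the session token and the password derived
    // below are secrets and must not reach the log.
    debug!("access key id: {}", access_key_id);
    let date = now_utc();
    let canonical_request = format!("GIT\n{}\n\nhost:{}\n\nhost\n", url.path(), host);
    debug!("canonical_request: {:?}", canonical_request);
    // The timestamp inside the string to sign has no trailing 'Z'; the one
    // prefixed to the password below does. Both forms are part of the scheme.
    let string_to_sign = format!("AWS4-HMAC-SHA256\n{}\n{}/{}/codecommit/aws4_request\n{}",
                                 gtry!(date.strftime("%Y%m%dT%H%M%S")),
                                 gtry!(date.strftime("%Y%m%d")),
                                 region,
                                 to_hexdigest(canonical_request));
    debug!("string_to_sign: {:?}", string_to_sign);
    let signing_key = signing_key(credentials.aws_secret_access_key(),
                                  date,
                                  region,
                                  "codecommit");
    let password = format!("{}{}",
                           gtry!(date.strftime("%Y%m%dT%H%M%SZ")),
                           signature(&string_to_sign, &signing_key));
    Cred::userpass_plaintext(&username, &password)
}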
/// Lower-case hex encoding of the SHA-256 digest of `t`.
fn to_hexdigest<T: AsRef<[u8]>>(t: T) -> String {
    let input = t.as_ref();
    let sha = digest::digest(&digest::SHA256, input);
    let encoded: String = sha.as_ref().to_hex();
    encoded
}
/// Hex encoding of the HMAC tag of `string_to_sign` under `signing_key`
/// (SHA-256 based, as the keys in this file are constructed).
fn signature(string_to_sign: &str, signing_key: &hmac::SigningKey) -> String {
    let tag = hmac::sign(signing_key, string_to_sign.as_bytes());
    let hex_tag: String = tag.as_ref().to_hex();
    hex_tag
}
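/// Derives the per-day signing key used by [`signature`].
///
/// The derivation is a chain of HMAC-SHA256 steps where each tag keys the
/// next one: `"AWS4" + secret` keyed over the date stamp, then the region,
/// then the service name, then the literal `aws4_request`.
///
/// The original code referenced the region key through a mis-encoded
/// `®ion_key` token; this version spells every step out in a loop so the
/// chain order is visible in one place.
fn signing_key(secret: &str, date: Tm, region: &str, service: &str) -> hmac::SigningKey {
    // The format string is a fixed literal, so formatting cannot fail here.
    let date_stamp = date.strftime("%Y%m%d")
        .expect("fixed strftime format is valid")
        .to_string();
    let mut key = hmac::SigningKey::new(&digest::SHA256, format!("AWS4{}", secret).as_bytes());
    let steps: [&[u8]; 4] = [date_stamp.as_bytes(),
                             region.as_bytes(),
                             service.as_bytes(),
                             &b"aws4_request"[..]];
    // Each step keys a new HMAC with the tag of the previous one.
    for part in steps.iter() {
        let tag = hmac::sign(&key, part);
        key = hmac::SigningKey::new(&digest::SHA256, tag.as_ref());
    }
    key
}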