fixing signature format
bshaffer committed Jul 25, 2023
1 parent 89bb375 commit 5fd66ae
Showing 1 changed file with 15 additions and 12 deletions.
27 changes: 15 additions & 12 deletions src/CredentialSource/AwsNativeSource.php
Expand Up @@ -112,7 +112,7 @@ public static function fetchAccessTokenFromCredVerificationUrl(
$url = new Uri($regionalCredVerificationUrl);
$url = $url->withQuery(self::CRED_VERIFICATION_QUERY);

$request = new Request('GET', $url, $signedHeaders);
$request = new Request('POST', $url, $signedHeaders);
$response = $httpHandler($request);
$json = json_decode((string) $response->getBody(), true);

Expand All @@ -136,8 +136,8 @@ public static function getSignedRequestHeaders(
$host = 'sts.amazonaws.com';

# Create a date for headers and the credential string in ISO-8601 format
$amzdate = date('c');
$datestamp = date('Y-m-d'); # Date w/o time, used in credential scope
$amzdate = date('Ymd\THis\Z');
$datestamp = date('Ymd'); # Date w/o time, used in credential scope

# Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
Expand All @@ -163,7 +163,7 @@ public static function getSignedRequestHeaders(

# Step 7: Combine elements to create canonical request
$canonicalRequest = implode("\n", [
'GET', // method
'POST', // method
'/', // canonical URL
self::CRED_VERIFICATION_QUERY, // query string
$canonicalHeaders,
Expand All @@ -184,7 +184,7 @@ public static function getSignedRequestHeaders(
$signingKey = self::getSignatureKey($secretAccessKey, $datestamp, $region, $service);

# Sign the string_to_sign using the signing_key
$signature = self::hmacSign($signingKey, $stringToSign);
$signature = bin2hex(self::hmacSign($signingKey, $stringToSign));

# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# The signing information can be either in a query string value or in
Expand Down Expand Up @@ -274,22 +274,25 @@ public static function getSigningVarsFromUrl(
*/
public static function getSigningVarsFromEnv(): ?array
{
if (isset($_ENV['AWS_ACCESS_KEY_ID'])
&& isset($_ENV['AWS_SECRET_ACCESS_KEY'])
) {
$accessKeyId = getenv('AWS_ACCESS_KEY_ID');
$secretAccessKey = getenv('AWS_SECRET_ACCESS_KEY');
if ($accessKeyId && $secretAccessKey) {
return [

Check failure on line 280 in src/CredentialSource/AwsNativeSource.php


GitHub Actions / PHPStan Static Analysis

Method Google\Auth\CredentialSource\AwsNativeSource::getSigningVarsFromEnv() should return array{string, string, string|null}|null but returns array{non-falsy-string, non-falsy-string, string|false}.
$_ENV['AWS_ACCESS_KEY_ID'], // accessKeyId
$_ENV['AWS_SECRET_ACCESS_KEY'], // secretAccessKey
$_ENV['AWS_SESSION_TOKEN'] ?? null, // token (can be null)
$accessKeyId,
$secretAccessKey,
getenv('AWS_SESSION_TOKEN'), // session token (can be null)
];
}

return null;
}

/**
* Return HMAC hash in binary string
*/
private static function hmacSign(string $key, string $msg): string
{
return hash_hmac('sha256', self::utf8Encode($msg), $key);
return hash_hmac('sha256', self::utf8Encode($msg), $key, true);
}

/**
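Review bot: The new `date('Ymd\THis\Z')` in getSignedRequestHeaders formats the time in PHP's configured default timezone, yet the literal `\Z` labels the value as UTC, so on any host whose timezone is not UTC the signed timestamp is off by the zone offset. SigV4 expects a UTC timestamp and a request dated outside the allowed clock-skew window is rejected, so the token exchange would fail on such hosts. Use `$amzdate = gmdate('Ymd\THis\Z');` and `$datestamp = gmdate('Ymd');`, ideally both derived from a single `time()` value so the two cannot straddle midnight and disagree on the credential-scope date. The function body continues outside the hunk, so whether the timezone is pinned elsewhere is not visible here.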
