mirror of
https://github.com/simstudioai/sim.git
synced 2026-02-14 00:15:09 -05:00
2944579d21
* fix(s3): support get-object region override and robust S3 URL parsing * ack pr comments
122 lines
4.6 KiB
TypeScript
122 lines
4.6 KiB
TypeScript
import crypto from 'crypto'
|
|
|
|
export function encodeS3PathComponent(pathComponent: string): string {
|
|
return encodeURIComponent(pathComponent).replace(/%2F/g, '/')
|
|
}
|
|
|
|
export function getSignatureKey(
|
|
key: string,
|
|
dateStamp: string,
|
|
regionName: string,
|
|
serviceName: string
|
|
): Buffer {
|
|
if (!key || typeof key !== 'string') {
|
|
throw new Error('Invalid key provided to getSignatureKey')
|
|
}
|
|
const kDate = crypto.createHmac('sha256', `AWS4${key}`).update(dateStamp).digest()
|
|
const kRegion = crypto.createHmac('sha256', kDate).update(regionName).digest()
|
|
const kService = crypto.createHmac('sha256', kRegion).update(serviceName).digest()
|
|
const kSigning = crypto.createHmac('sha256', kService).update('aws4_request').digest()
|
|
return kSigning
|
|
}
|
|
|
|
export function parseS3Uri(
|
|
s3Uri: string,
|
|
fallbackRegion?: string
|
|
): {
|
|
bucketName: string
|
|
region: string
|
|
objectKey: string
|
|
} {
|
|
try {
|
|
const url = new URL(s3Uri)
|
|
const hostname = url.hostname
|
|
const normalizedPath = url.pathname.startsWith('/') ? url.pathname.slice(1) : url.pathname
|
|
|
|
const virtualHostedDualstackMatch = hostname.match(
|
|
/^(.+)\.s3\.dualstack\.([^.]+)\.amazonaws\.com(?:\.cn)?$/
|
|
)
|
|
const virtualHostedRegionalMatch = hostname.match(
|
|
/^(.+)\.s3[.-]([^.]+)\.amazonaws\.com(?:\.cn)?$/
|
|
)
|
|
const virtualHostedGlobalMatch = hostname.match(/^(.+)\.s3\.amazonaws\.com(?:\.cn)?$/)
|
|
|
|
const pathStyleDualstackMatch = hostname.match(
|
|
/^s3\.dualstack\.([^.]+)\.amazonaws\.com(?:\.cn)?$/
|
|
)
|
|
const pathStyleRegionalMatch = hostname.match(/^s3[.-]([^.]+)\.amazonaws\.com(?:\.cn)?$/)
|
|
const pathStyleGlobalMatch = hostname.match(/^s3\.amazonaws\.com(?:\.cn)?$/)
|
|
|
|
const isPathStyleHost = Boolean(
|
|
pathStyleDualstackMatch || pathStyleRegionalMatch || pathStyleGlobalMatch
|
|
)
|
|
|
|
const firstSlashIndex = normalizedPath.indexOf('/')
|
|
const pathStyleBucketName =
|
|
firstSlashIndex === -1 ? normalizedPath : normalizedPath.slice(0, firstSlashIndex)
|
|
const pathStyleObjectKey =
|
|
firstSlashIndex === -1 ? '' : normalizedPath.slice(firstSlashIndex + 1)
|
|
|
|
const bucketName = isPathStyleHost
|
|
? pathStyleBucketName
|
|
: (virtualHostedDualstackMatch?.[1] ??
|
|
virtualHostedRegionalMatch?.[1] ??
|
|
virtualHostedGlobalMatch?.[1] ??
|
|
'')
|
|
|
|
const rawObjectKey = isPathStyleHost ? pathStyleObjectKey : normalizedPath
|
|
const objectKey = (() => {
|
|
try {
|
|
return decodeURIComponent(rawObjectKey)
|
|
} catch {
|
|
return rawObjectKey
|
|
}
|
|
})()
|
|
|
|
const normalizedFallbackRegion = fallbackRegion?.trim()
|
|
const regionFromHost =
|
|
virtualHostedDualstackMatch?.[2] ??
|
|
virtualHostedRegionalMatch?.[2] ??
|
|
pathStyleDualstackMatch?.[1] ??
|
|
pathStyleRegionalMatch?.[1]
|
|
const region = regionFromHost || normalizedFallbackRegion || 'us-east-1'
|
|
|
|
if (!bucketName || !objectKey) {
|
|
throw new Error('Invalid S3 URI format')
|
|
}
|
|
|
|
return { bucketName, region, objectKey }
|
|
} catch (_error) {
|
|
throw new Error(
|
|
'Invalid S3 Object URL format. Expected S3 virtual-hosted or path-style URL with object key.'
|
|
)
|
|
}
|
|
}
|
|
|
|
export function generatePresignedUrl(params: any, expiresIn = 3600): string {
|
|
const date = new Date()
|
|
const amzDate = date.toISOString().replace(/[:-]|\.\d{3}/g, '')
|
|
const dateStamp = amzDate.slice(0, 8)
|
|
const encodedPath = encodeS3PathComponent(params.objectKey)
|
|
|
|
const _expires = Math.floor(Date.now() / 1000) + expiresIn
|
|
|
|
const method = 'GET'
|
|
const canonicalUri = `/${encodedPath}`
|
|
const canonicalQueryString = `X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=${encodeURIComponent(`${params.accessKeyId}/${dateStamp}/${params.region}/s3/aws4_request`)}&X-Amz-Date=${amzDate}&X-Amz-Expires=${expiresIn}&X-Amz-SignedHeaders=host`
|
|
const canonicalHeaders = `host:${params.bucketName}.s3.${params.region}.amazonaws.com\n`
|
|
const signedHeaders = 'host'
|
|
const payloadHash = 'UNSIGNED-PAYLOAD'
|
|
|
|
const canonicalRequest = `${method}\n${canonicalUri}\n${canonicalQueryString}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}`
|
|
|
|
const algorithm = 'AWS4-HMAC-SHA256'
|
|
const credentialScope = `${dateStamp}/${params.region}/s3/aws4_request`
|
|
const stringToSign = `${algorithm}\n${amzDate}\n${credentialScope}\n${crypto.createHash('sha256').update(canonicalRequest).digest('hex')}`
|
|
|
|
const signingKey = getSignatureKey(params.secretAccessKey, dateStamp, params.region, 's3')
|
|
const signature = crypto.createHmac('sha256', signingKey).update(stringToSign).digest('hex')
|
|
|
|
return `https://${params.bucketName}.s3.${params.region}.amazonaws.com/${encodedPath}?${canonicalQueryString}&X-Amz-Signature=${signature}`
|
|
}
|