//go:build example // +build example package main import ( "encoding/json" "flag" "fmt" "net" "net/http" "os" "strconv" "strings" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/endpoints" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/s3" "github.com/aws/aws-sdk-go/service/s3/s3iface" "github.com/aws/aws-sdk-go/service/s3/s3manager" ) // server.go is an example of a service that vends lists for requests for presigned // URLs for S3 objects. The service supports two S3 operations, "GetObject" and // "PutObject". // // Example GetObject request to the service for the object with the key "MyObjectKey": // // curl -v "http://127.0.0.1:8080/presign/my-object/key?method=GET" // // Example PutObject request to the service for the object with the key "MyObjectKey": // // curl -v "http://127.0.0.1:8080/presign/my-object/key?method=PUT&contentLength=1024" // // Use "--help" command line argument flag to see all options and defaults. // // Usage: // go run -tags example service.go -b myBucket func main() { addr, bucket, region := loadConfig() // Create a AWS SDK for Go Session that will load credentials using the SDK's // default credential change. sess := session.Must(session.NewSession()) // Use the GetBucketRegion utility to lookup the bucket's region automatically. // The service.go will only do this correctly for AWS regions. For AWS China // and AWS Gov Cloud the region needs to be specified to let the service know // to look in those partitions instead of AWS. if len(region) == 0 { var err error region, err = s3manager.GetBucketRegion(aws.BackgroundContext(), sess, bucket, endpoints.UsWest2RegionID) if err != nil { exitError(fmt.Errorf("failed to get bucket region, %v", err)) } } // Create a new S3 service client that will be use by the service to generate // presigned URLs with. Not actual API requests will be made with this client. // The credentials loaded when the Session was created above will be used // to sign the requests with. s3Svc := s3.New(sess, &aws.Config{ Region: aws.String(region), }) // Start the server listening and serve presigned URLs for GetObject and // PutObject requests. if err := listenAndServe(addr, bucket, s3Svc); err != nil { exitError(err) } } func loadConfig() (addr, bucket, region string) { flag.StringVar(&bucket, "b", "", "S3 `bucket` object should be uploaded to.") flag.StringVar(®ion, "r", "", "AWS `region` the bucket exists in, If not set region will be looked up, only valid for AWS Regions, not AWS China or Gov Cloud.") flag.StringVar(&addr, "a", "127.0.0.1:8080", "The TCP `address` the server will be started on.") flag.Parse() if len(bucket) == 0 { fmt.Fprintln(os.Stderr, "bucket is required") flag.PrintDefaults() os.Exit(1) } return addr, bucket, region } func listenAndServe(addr, bucket string, svc s3iface.S3API) error { l, err := net.Listen("tcp", addr) if err != nil { return fmt.Errorf("failed to start service listener, %v", err) } const presignPath = "/presign/" // Create the HTTP handler for the "/presign/" path prefix. This will handle // all requests on this path, extracting the object's key from the path. http.HandleFunc(presignPath, func(w http.ResponseWriter, r *http.Request) { var u string var err error var signedHeaders http.Header query := r.URL.Query() var contentLen int64 // Optionally the Content-Length header can be included with the signature // of the request. This is helpful to ensure the content uploaded is the // size that is expected. Constraints like these can be further expanded // with headers such as `Content-Type`. These can be enforced by the service // requiring the client to satisfying those constraints when uploading // // In addition the client could provide the service with a SHA256 of the // content to be uploaded. This prevents any other third party from uploading // anything else with the presigned URL if contLenStr := query.Get("contentLength"); len(contLenStr) > 0 { contentLen, err = strconv.ParseInt(contLenStr, 10, 64) if err != nil { fmt.Fprintf(os.Stderr, "unable to parse request content length, %v", err) http.Error(w, err.Error(), http.StatusBadRequest) return } } // Extract the object key from the path key := strings.Replace(r.URL.Path, presignPath, "", 1) method := query.Get("method") switch method { case "PUT": // For creating PutObject presigned URLs fmt.Println("Received request to presign PutObject for,", key) sdkReq, _ := svc.PutObjectRequest(&s3.PutObjectInput{ Bucket: aws.String(bucket), Key: aws.String(key), // If ContentLength is 0 the header will not be included in the signature. ContentLength: aws.Int64(contentLen), }) u, signedHeaders, err = sdkReq.PresignRequest(15 * time.Minute) case "GET": // For creating GetObject presigned URLs fmt.Println("Received request to presign GetObject for,", key) sdkReq, _ := svc.GetObjectRequest(&s3.GetObjectInput{ Bucket: aws.String(bucket), Key: aws.String(key), }) u, signedHeaders, err = sdkReq.PresignRequest(15 * time.Minute) default: fmt.Fprintf(os.Stderr, "invalid method provided, %s, %v\n", method, err) err = fmt.Errorf("invalid request") } if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } // Create the response back to the client with the information on the // presigned request and additional headers to include. if err := json.NewEncoder(w).Encode(PresignResp{ Method: method, URL: u, Header: signedHeaders, }); err != nil { fmt.Fprintf(os.Stderr, "failed to encode presign response, %v", err) } }) fmt.Println("Starting Server On:", "http://"+l.Addr().String()) s := &http.Server{} return s.Serve(l) } // PresignResp provides the Go representation of the JSON value that will be // sent to the client. type PresignResp struct { Method, URL string Header http.Header } func exitError(err error) { fmt.Fprintln(os.Stderr, err.Error()) os.Exit(1) }