
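What is Function Compute signature authentication

For every request, the Function Compute service checks the Authorization field in the request headers to decide whether the request is valid. The client must use the same signature algorithm as the Function Compute server to pass verification. For requests that carry no signature field or an incorrect signature, the Function Compute service returns an HTTP 403 error.

Signature algorithm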

    signature = base64(hmac-sha256(HTTP_METHOD + "\n"
                    + CONTENT-MD5 + "\n"
                    + CONTENT-TYPE + "\n"
                    + DATE + "\n"
                    + CanonicalizedFCHeaders
                    + CanonicalizedResource))
    Authorization = "FC " + accessKeyID + ":" + signature

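  • HTTP_METHOD is the HTTP method in upper case (for example PUT, GET, POST, DELETE)
  • CONTENT-MD5 is the MD5 value of the request body. If the request headers do not include Content-MD5, use an empty string here
  • CONTENT-TYPE is the type of the request content
  • DATE is the time of this operation. It must not be empty, and currently only the GMT format is supported. Note: the client must make sure the generated time differs from the Function Compute server's time by no more than 15 minutes; otherwise the service rejects the request
  • CanonicalizedFCHeaders is the string built from all HTTP headers prefixed with x-fc-; see below for how it is generated
  • CanonicalizedResource is the URL path of the request, for example /2016-08-15/services/my-service/functions?limit=100
  • hmac-sha256 must use the user's AccessKeySecret as the key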

CanonicalizedFCHeaders


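The steps to generate it are as follows:
  • Find all request header fields whose names start with x-fc- (case-insensitive)
  • For the fields that match the prefix, first convert the field names to lower case, then sort the fields by name in ascending order
  • For each field, generate a substring ${key}:${value}\n
    • ${key} is the HTTP header name (converted to lower case)
    • ${value} is the HTTP header value
    • For example, X-Fc-Invocation-Type: Sync becomes x-fc-invocation-type:Sync\n
  • Concatenate the substrings generated above into one string

  • Pseudocode: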
    // javascript
    // prefix = 'x-fc-'
    function buildCanonicalHeaders(headers, prefix) {
      var list = [];
      var lowered = {};
      var keys = Object.keys(headers);
      for (let i = 0; i < keys.length; i++) {
        // Lowercase the name first so the prefix match is case-insensitive
        var key = keys[i].toLowerCase();
        if (key.startsWith(prefix)) {
          list.push(key);
          lowered[key] = headers[keys[i]];
        }
      }
      // Sort the lowercased names in ascending order
      list.sort();
      var canonical = '';
      for (let i = 0; i < list.length; i++) {
        const key = list[i];
        canonical += `${key}:${lowered[key]}\n`;
      }
      return canonical;
    }


Request example


Request:

    GET /2016-08-15/services?limit=100&nextToken=&prefix=&startKey= HTTP/1.1
    Host: 1237050315505682.fc.cn-shanghai.aliyuncs.com
    User-Agent: go-sdk-0.1
    Accept: application/json
    Authorization: FC LTAIUyt0Yeq1rgqo:GBmoz6OwC7bobTlD1jboBZ9PkaZ1e4cKsQ+5/dlLTns=
    Date: Mon, 08 May 2017 03:08:31 GMT
    X-User-Agent: go-resty v0.11 - https://github.com/go-resty/resty
    Accept-Encoding: gzip

Response:

    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    X-Fc-Request-Id: ab7c7602-0922-f04f-b4ee-923cd7df7fb0
    Date: Mon, 08 May 2017 03:08:31 GMT
    Transfer-Encoding: chunked
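
The signing rules above, written out for Node.js together with the matching check a verifier would run (signature comparison plus the 15-minute Date window). This is an added example, not code from the original post or from the Function Compute SDK. The key ID, secret, `X-Fc-Demo-Header`, the function names and the returned reason strings are constructed for illustration, and CanonicalizedResource is passed in by the caller as `resource`.

```javascript
const crypto = require('crypto');

// CanonicalizedFCHeaders: lowercase the names, keep x-fc-*, sort, emit key:value\n.
function canonicalFCHeaders(headers) {
  return Object.keys(headers)
    .map((name) => [name.toLowerCase(), headers[name]])
    .filter(([name]) => name.startsWith('x-fc-'))
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([name, value]) => `${name}:${value}\n`)
    .join('');
}

// Case-insensitive header lookup; an absent header signs as the empty string.
function header(headers, wanted) {
  const hit = Object.keys(headers).find((n) => n.toLowerCase() === wanted);
  return hit === undefined ? '' : headers[hit];
}

// base64(hmac-sha256(string-to-sign)) keyed with the AccessKeySecret.
function sign(req, accessKeySecret) {
  const stringToSign = [req.method.toUpperCase(), header(req.headers, 'content-md5'),
    header(req.headers, 'content-type'), header(req.headers, 'date'),
    canonicalFCHeaders(req.headers) + req.resource].join('\n');
  return crypto.createHmac('sha256', accessKeySecret).update(stringToSign).digest('base64');
}

// Checking side: returns 'ok' or the reason the request is refused.
function verify(req, secrets, nowMs) {
  const m = /^FC ([^:]+):(.+)$/.exec(header(req.headers, 'authorization'));
  const secret = m ? secrets.get(m[1]) : undefined;
  if (secret === undefined) return 'bad-authorization';
  const sent = Date.parse(header(req.headers, 'date'));
  if (Number.isNaN(sent) || Math.abs(nowMs - sent) > 15 * 60 * 1000) return 'date-skew';
  const expected = Buffer.from(sign(req, secret));
  const got = Buffer.from(m[2]);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  const same = got.length === expected.length && crypto.timingSafeEqual(got, expected);
  return same ? 'ok' : 'bad-signature';
}

// Constructed sample: key ID, secret and X-Fc-Demo-Header are made up.
const secrets = new Map([['EXAMPLE_KEY_ID', 'example-secret']]);
const sample = {
  method: 'get',
  resource: '/2016-08-15/services/my-service/functions?limit=100',
  headers: { Date: 'Mon, 08 May 2017 03:08:31 GMT',
             'X-Fc-Invocation-Type': 'Sync', 'X-FC-Demo-Header': '1' },
};
sample.headers.Authorization = `FC EXAMPLE_KEY_ID:${sign(sample, 'example-secret')}`;
```

Because every `x-fc-` header and the resource are part of the signed string, changing any of them after signing makes `verify` return `'bad-signature'`.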


Code example


You can refer to the signing code in the SDKs we have already released:

    boxti 2017-10-20 10:13:50 1956 0