Implement bin/aws-s3 get ... and a basic S3 client API

Summary: Ref T5155. This implements pulling file data off S3 using a first-party, Signature v4-compatible API.

Test Plan: {F1057744}

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T5155

Differential Revision: https://secure.phabricator.com/D14979

Author: epriestley

bin/aws-s3

@@ -0,0 +1 @@
+../scripts/utils/aws-s3.php

scripts/utils/aws-s3.php

@@ -0,0 +1,22 @@
+#!/usr/bin/env php
+<?php
+
+$root = dirname(dirname(dirname(__FILE__)));
+require_once $root.'/scripts/__init_script__.php';
+
+$args = new PhutilArgumentParser($argv);
+$args->setTagline(pht('AWS CLI Client for S3'));
+$args->setSynopsis(<<<EOSYNOPSIS
+**aws-s3** __command__ [__options__]
+    Upload and download data from Amazon Simple Storage Service (S3).
+
+EOSYNOPSIS
+  );
+$args->parseStandardArguments();
+
+$workflows = id(new PhutilClassMapQuery())
+  ->setAncestorClass('PhutilAWSS3ManagementWorkflow')
+  ->execute();
+
+$workflows[] = new PhutilHelpArgumentWorkflow();
+$args->parseWorkflows($workflows);

src/__phutil_library_map__.php

@@ -85,7 +85,10 @@
     'PhutilAWSEC2Future' => 'future/aws/PhutilAWSEC2Future.php',
     'PhutilAWSException' => 'future/aws/PhutilAWSException.php',
     'PhutilAWSFuture' => 'future/aws/PhutilAWSFuture.php',
+    'PhutilAWSManagementWorkflow' => 'future/aws/management/PhutilAWSManagementWorkflow.php',
     'PhutilAWSS3Future' => 'future/aws/PhutilAWSS3Future.php',
+    'PhutilAWSS3GetManagementWorkflow' => 'future/aws/management/PhutilAWSS3GetManagementWorkflow.php',
+    'PhutilAWSS3ManagementWorkflow' => 'future/aws/management/PhutilAWSS3ManagementWorkflow.php',
     'PhutilAWSv4Signature' => 'future/aws/PhutilAWSv4Signature.php',
     'PhutilAWSv4SignatureTestCase' => 'future/aws/__tests__/PhutilAWSv4SignatureTestCase.php',
     'PhutilAggregateException' => 'error/PhutilAggregateException.php',
@@ -603,7 +606,10 @@
     'PhutilAWSEC2Future' => 'PhutilAWSFuture',
     'PhutilAWSException' => 'Exception',
     'PhutilAWSFuture' => 'FutureProxy',
+    'PhutilAWSManagementWorkflow' => 'PhutilArgumentWorkflow',
     'PhutilAWSS3Future' => 'PhutilAWSFuture',
+    'PhutilAWSS3GetManagementWorkflow' => 'PhutilAWSS3ManagementWorkflow',
+    'PhutilAWSS3ManagementWorkflow' => 'PhutilAWSManagementWorkflow',
     'PhutilAWSv4Signature' => 'Phobject',
     'PhutilAWSv4SignatureTestCase' => 'PhutilTestCase',
     'PhutilAggregateException' => 'Exception',

src/future/aws/PhutilAWSFuture.php

@@ -3,85 +3,115 @@
 abstract class PhutilAWSFuture extends FutureProxy {
 
   private $future;
-  private $awsAccessKey;
-  private $awsPrivateKey;
-  private $awsRegion;
-  private $builtRequest;
-  private $params;
+  private $accessKey;
+  private $secretKey;
+  private $region;
+  private $httpMethod = 'GET';
+  private $path = '/';
+  private $params = array();
+  private $endpoint;
 
   abstract public function getServiceName();
 
   public function __construct() {
     parent::__construct(null);
   }
 
-  public function setAWSKeys($access, $private) {
-    $this->awsAccessKey = $access;
-    $this->awsPrivateKey = $private;
+  public function setAccessKey($access_key) {
+    $this->accessKey = $access_key;
     return $this;
   }
 
-  public function getAWSAccessKey() {
-    return $this->awsAccessKey;
+  public function getAccessKey() {
+    return $this->accessKey;
   }
 
-  public function getAWSPrivateKey() {
-    return $this->awsPrivateKey;
+  public function setSecretKey(PhutilOpaqueEnvelope $secret_key) {
+    $this->secretKey = $secret_key;
+    return $this;
+  }
+
+  public function getSecretKey() {
+    return $this->secretKey;
   }
 
-  public function getAWSRegion() {
-    return $this->awsRegion;
+  public function getRegion() {
+    return $this->region;
   }
 
-  public function setAWSRegion($region) {
-    $this->awsRegion = $region;
+  public function setRegion($region) {
+    $this->region = $region;
     return $this;
   }
 
-  public function getHost() {
-    $host = $this->getServiceName().'.'.$this->awsRegion.'.amazonaws.com';
-    return $host;
+  public function setEndpoint($endpoint) {
+    $this->endpoint = $endpoint;
+    return $this;
   }
 
-  public function setRawAWSQuery($action, array $params = array()) {
-    $this->params = $params;
-    $this->params['Action'] = $action;
+  public function getEndpoint() {
+    return $this->endpoint;
+  }
+
+  public function setHTTPMethod($method) {
+    $this->httpMethod = $method;
     return $this;
   }
 
-  protected function getProxiedFuture() {
-    if (!$this->future) {
-      $params = $this->params;
+  public function getHTTPMethod() {
+    return $this->httpMethod;
+  }
 
-      if (!$this->params) {
-        throw new Exception(
-          pht(
-            'You must %s!',
-            'setRawAWSQuery()'));
-      }
+  public function setPath($path) {
+    $this->path = $path;
+    return $this;
+  }
 
-      if (!$this->getAWSAccessKey()) {
-        throw new Exception(
-          pht(
-            'You must %s!',
-            'setAWSKeys()'));
-      }
+  public function getPath() {
+    return $this->path;
+  }
 
-      $params['AWSAccessKeyId'] = $this->getAWSAccessKey();
-      $params['Version']        = '2013-10-15';
-      $params['Timestamp']      = date('c');
+  protected function getParameters() {
+    $params = $this->params;
+    return $params;
+  }
 
-      $params = $this->sign($params);
+  protected function getProxiedFuture() {
+    if (!$this->future) {
+      $params = $this->getParameters();
+      $method = $this->getHTTPMethod();
+      $host = $this->getEndpoint();
+      $path = $this->getPath();
 
-      $uri = new PhutilURI('http://'.$this->getHost().'/');
-      $uri->setQueryParams($params);
+      $uri = id(new PhutilURI("https://{$host}/"))
+        ->setPath($path)
+        ->setQueryParams($params);
 
-      $this->future = new HTTPFuture($uri);
+      $future = id(new HTTPSFuture($uri))
+        ->setMethod($method);
+
+      $this->signRequest($future);
+
+      $this->future = $future;
     }
 
     return $this->future;
   }
 
+  protected function signRequest(HTTPSFuture $future) {
+    $access_key = $this->getAccessKey();
+    $secret_key = $this->getSecretKey();
+
+    $region = $this->getRegion();
+
+    id(new PhutilAWSv4Signature())
+      ->setRegion($region)
+      ->setService($this->getServiceName())
+      ->setAccessKey($access_key)
+      ->setSecretKey($secret_key)
+      ->signRequest($future);
+  }
+
   protected function didReceiveResult($result) {
     list($status, $body, $headers) = $result;
 
@@ -101,7 +131,8 @@ protected function didReceiveResult($result) {
       );
       if ($xml) {
         $params['RequestID'] = $xml->RequestID[0];
-        foreach ($xml->Errors[0] as $error) {
+        $errors = array($xml->Error);
+        foreach ($errors as $error) {
           $params['Errors'][] = array($error->Code, $error->Message);
         }
       }
@@ -112,36 +143,4 @@ protected function didReceiveResult($result) {
     return $xml;
   }
 
-  /**
-   * http://bit.ly/wU0JFh
-   */
-  private function sign(array $params) {
-
-    $params['SignatureMethod'] = 'HmacSHA256';
-    $params['SignatureVersion'] = '2';
-
-    ksort($params);
-
-    $pstr = array();
-    foreach ($params as $key => $value) {
-      $pstr[] = rawurlencode($key).'='.rawurlencode($value);
-    }
-    $pstr = implode('&', $pstr);
-
-    $sign = "GET"."\n".
-            strtolower($this->getHost())."\n".
-            "/"."\n".
-            $pstr;
-
-    $hash = hash_hmac(
-      'sha256',
-      $sign,
-      $this->getAWSPrivateKey(),
-      $raw_ouput = true);
-
-    $params['Signature'] = base64_encode($hash);
-
-    return $params;
-  }
-
 }

src/future/aws/PhutilAWSS3Future.php

@@ -2,8 +2,42 @@
 
 final class PhutilAWSS3Future extends PhutilAWSFuture {
 
+  private $bucket;
+
   public function getServiceName() {
     return 's3';
   }
 
+  public function setBucket($bucket) {
+    $this->bucket = $bucket;
+    return $this;
+  }
+
+  public function getBucket() {
+    return $this->bucket;
+  }
+
+  public function setParametersForGetObject($key) {
+    $bucket = $this->getBucket();
+
+    $this->setHTTPMethod('GET');
+    $this->setPath($bucket.'/'.$key);
+
+    return $this;
+  }
+
+  protected function didReceiveResult($result) {
+    list($status, $body, $headers) = $result;
+
+    if (!$status->isError()) {
+      return $body;
+    }
+
+    if ($status->getStatusCode() === 404) {
+      return null;
+    }
+
+    return parent::didReceiveResult($result);
+  }
+
 }

src/future/aws/PhutilAWSv4Signature.php

@@ -28,7 +28,7 @@ public function setDate($date) {
 
   public function getDate() {
     if ($this->date === null) {
-      $this->date = date('c');
+      $this->date = gmdate('Ymd\THis\Z', time());
     }
     return $this->date;
   }

src/future/aws/management/PhutilAWSManagementWorkflow.php

@@ -0,0 +1,69 @@
+<?php
+
+abstract class PhutilAWSManagementWorkflow
+  extends PhutilArgumentWorkflow {
+
+  public function isExecutable() {
+    return true;
+  }
+
+  protected function newAWSFuture($template) {
+    $argv = $this->getArgv();
+
+    $access_key = $argv->getArg('access-key');
+    $secret_key = $argv->getArg('secret-key');
+
+    $has_root = (strlen($access_key) || strlen($secret_key));
+    if ($has_root) {
+      if (!strlen($access_key) || !strlen($secret_key)) {
+        throw new PhutilArgumentUsageException(
+          pht(
+            'When specifying AWS credentials with --access-key and '.
+            '--secret-key, you must provide both keys.'));
+      }
+
+      $template->setAccessKey($access_key);
+      $template->setSecretKey(new PhutilOpaqueEnvelope($secret_key));
+    }
+
+    $has_any = ($has_root);
+    if (!$has_any) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'You must specify AWS credentials. Use --access-key and '.
+          '--secret-key to provide root credentials.'));
+    }
+
+    $region = $argv->getArg('region');
+    if (!strlen($region)) {
+      throw new PhutilArgumentUsageException(
+        pht(
+          'You must specify an AWS region with --region.'));
+    }
+
+    $template->setRegion($region);
+
+    return $template;
+  }
+
+  protected function getAWSArguments() {
+    return array(
+      array(
+        'name' => 'access-key',
+        'param' => 'key',
+        'help' => pht('AWS access key.'),
+      ),
+      array(
+        'name' => 'secret-key',
+        'param' => 'file',
+        'help' => pht('AWS secret key.'),
+      ),
+      array(
+        'name' => 'region',
+        'param' => 'region',
+        'help' => pht('AWS region.'),
+      ),
+    );
+  }
+
+}