Update the s3 example to support POST/DELETE/PUT etc as well

as just get, by adding payload signing and generalizing the HTTP
request type into a parameter

Author: pramsey

examples/s3.sql

@@ -1,14 +1,13 @@
-
--- 
--- s3_get
+--
+-- s3_request
 --
 -- Installation:
 --
 --   CREATE EXTENSION pgcrypto;
 --   CREATE EXTENSION http;
 --
 -- Utility function to take S3 object and access keys and create
--- a signed HTTP GET request using the AWS4 signing scheme.
+-- a signed HTTP request using the AWS4 signing scheme.
 -- https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
 -- 
 -- Various pieces of the request are gathered into strings bundled together
@@ -18,23 +17,57 @@
 --
 -- https://cleverelephant-west-1.s3.amazonaws.com/META.json
 --
--- SELECT * FROM s3_get(
+-- SELECT * FROM s3_request(
+--     'your_s3_access_key',      -- access
+--     'your_s3_secret_key',      -- secret
+--     'us-west-1',               -- region
+--     'cleverelephant-west-1',   -- bucket
+--     'META.json',               -- object name
+-- );
+--
+--
+-- Created and delete objects too!
+--
+-- SELECT * FROM s3_request(
+--     'your_s3_access_key',      -- access
+--     'your_s3_secret_key',      -- secret
+--     'us-west-1',               -- region
+--     'cleverelephant-west-1',   -- bucket
+--     'testfile.txt',            -- object name
+--     'PUT',                     -- http method
+--     'this is a test'           -- payload
+--     'text/plain'               -- payload mime type
+-- );
+--
+-- SELECT * FROM s3_request(
+--     'your_s3_access_key',      -- access
+--     'your_s3_secret_key',      -- secret
+--     'us-west-1',               -- region
+--     'cleverelephant-west-1',   -- bucket
+--     'testfile.txt',            -- object name
+-- );
+--
+-- SELECT * FROM s3_request(
 --     'your_s3_access_key',      -- access
 --     'your_s3_secret_key',      -- secret
 --     'us-west-1',               -- region
 --     'cleverelephant-west-1',   -- bucket
---     'META.json'                -- object
+--     'testfile.txt',            -- object name
+--     'DELETE'                   -- http method
 -- );
 --
-CREATE OR REPLACE FUNCTION s3_get(
+
+CREATE OR REPLACE FUNCTION s3_request(
     access_key TEXT,
     secret_key TEXT,
     region TEXT,
     bucket TEXT,
-    object_key TEXT
+    object_key TEXT,
+    http_method TEXT DEFAULT 'GET',
+    object_payload TEXT DEFAULT NULL,
+    object_mimetype TEXT DEFAULT 'text/plain'
 ) RETURNS http_response AS $$
 DECLARE
-    http_method TEXT := 'GET';
     host TEXT := bucket || '.s3.' || region || '.amazonaws.com';
     endpoint TEXT := 'https://' || host || '/' || object_key;
     canonical_uri TEXT := '/' || object_key;
@@ -45,7 +78,9 @@ DECLARE
     now TIMESTAMP := now() AT TIME ZONE 'UTC';
     amz_date TEXT := to_char(now, 'YYYYMMDD"T"HH24MISS"Z"');
     date_stamp TEXT := to_char(now, 'YYYYMMDD');
-    empty_payload_hash TEXT := 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
+
+    -- Must use this magic hash if the payload is empty
+    payload_hash TEXT := 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
 
     canonical_headers TEXT;
     canonical_request TEXT;
@@ -62,18 +97,33 @@ DECLARE
     request http_request;
 BEGIN
 
+    http_method := upper(http_method);
+
+    IF object_payload IS NOT NULL
+    THEN
+        payload_hash := encode(digest(convert_to(object_payload, 'UTF8'), 'sha256'), 'hex');
+    END IF;
+
     -- Construct the canonical headers
     canonical_headers := 'host:' || host || E'\n' 
-                      || 'x-amz-content-sha256:' || empty_payload_hash || E'\n'
+                      || 'x-amz-content-sha256:' || payload_hash || E'\n'
                       || 'x-amz-date:' || amz_date || E'\n';
 
+    -- Signed headers must be in alphabetical order
+    -- so content-type goes first
+    IF object_payload IS NOT NULL
+    THEN
+        canonical_headers := 'content-type:' || lower(object_mimetype) || E'\n' || canonical_headers;
+        signed_headers :=  'content-type;' || signed_headers;
+    END IF;
+
     -- Create the canonical request
     canonical_request := http_method || E'\n' ||
                          canonical_uri || E'\n' ||
                          canonical_querystring || E'\n' ||
                          canonical_headers || E'\n' ||
                          signed_headers || E'\n' ||
-                         empty_payload_hash;
+                         payload_hash;
 
     -- Define the credential scope
     credential_scope := date_stamp || '/' || region || '/' || service || '/aws4_request';
@@ -108,29 +158,27 @@ BEGIN
 
     -- Perform the HTTP request
     request := (
-          'GET',
-           endpoint,
-           http_headers('Authorization', authorization_header, 
-                        'x-amz-content-sha256', empty_payload_hash,
-                        'x-amz-date', amz_date,
-                        'host', host),
-           NULL,
-           NULL
+            http_method,
+            endpoint,
+            http_headers('Authorization', authorization_header,
+                         'x-amz-content-sha256', payload_hash,
+                         'x-amz-date', amz_date,
+                         'host', host),
+            object_mimetype,
+            object_payload
         )::http_request;
 
     -- Getting the canonical request and payload strings perfectly 
     -- formatted is an important step so debugging here in case
     -- S3 rejects signed request
-    RAISE DEBUG 's3_get, canonical_request: %', canonical_request;
-    RAISE DEBUG 's3_get, string_to_sign: %', string_to_sign;
-    RAISE DEBUG 's3_get, request %', request;
+    RAISE DEBUG 's3_request, payload_hash: %', payload_hash;
+    RAISE DEBUG 's3_request, canonical_request: %', canonical_request;
+    RAISE DEBUG 's3_request, string_to_sign: %', string_to_sign;
+    RAISE DEBUG 's3_request, request %', request;
 
     RETURN http(request);
+    -- RETURN NULL;
 
 END;
 $$ LANGUAGE 'plpgsql'
 VOLATILE;
-
-
-
-