Dashman uses S3 for storing the encrypted screenshots. They can go directly from the renderer application to S3 and from there to the displayer application as there’s no need for the server application to ever see them. They are end-to-end encrypted anyway.
My needs in this regard were a bit unique. I have a server component that can generate whatever tokens and signatures are needed and then send it to both applications. The applications are written in ClojureScript, so, essentially, JavaScript, but unlike most direct-to-S3 upload solutions, I don’t have a web site with a form, so, I don’t need to fiddle with CORS or forms.
The two libraries
I found two libraries that could have helped me. The big one is amazonica, a Clojure library to interact with AWS. It looks very complete but when I tried to use the com.amazonaws.services.s3/generate-presigned-url function, I got this error:
The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.
There are two versions of signatures, version 2 and 4. Version 2 is deprecated, it might or might not work on some data centers but it definitely doesn’t work on all. I refused to believe it at first because I was using very recent version of all libraries, but yup, it was generating version 2 of the signature with signed URLs that look something like this:
https://bucket-name.s3.amazonaws.com/key-name?AWSAccessKeyId=AKI...OA&Expires=1494190327&Signature=ct...3DDigging further I found this snippet of code:
(System/setProperty SDKGlobalConfiguration/ENFORCE_S3_SIGV4_SYSTEM_PROPERTY "true")
But for me, it made no difference in my case. For the record I reported the issue and it is supposed to work, but it doesn’t for me.
Then there’s s3-beam, that looked promising, but it seems targeted towards forms, not just plain PUT requests from the clients. On top of that, I didn’t want to mess with async, I didn’t need it and it would be over-engineering for my case. Lastly, it uses it’s own custom way of creating the signatures instead of Amazon’s SDK and that code looks like it’s generating the old signatures (sha1 instead of sha256). I ended up not even trying it.
Instead, I decided to do my own custom option, which was not hard and worked straight away. This post is about sharing that code.
Custom solution using the AWS Java SDK
Starting on the server/Clojure side of things, I added the dependency:
[com.amazonaws/aws-java-sdk "1.11.126"]
With only that I was getting this unexpected error when trying to use the AWS SDK:
ERROR com.fasterxml.jackson.databind.ObjectMapper.enable([Lcom/fasterxml/jackson/core/JsonParser$Feature;)Lcom/fasterxml/jackson/databind/ObjectMapper;
java.lang.NoSuchMethodError: com.fasterxml.jackson.databind.ObjectMapper.enable([Lcom/fasterxml/jackson/core/JsonParser$Feature;)Lcom/fasterxml/jackson/databind/ObjectMapper;
ERROR Could not initialize class com.amazonaws.partitions.PartitionsLoaderwhich I resolved by adding these other dependencies as well (mostly about getting the latest version):
[com.fasterxml.jackson.core/jackson-core "2.8.8"]
[com.fasterxml.jackson.core/jackson-databind "2.8.8"]
[com.fasterxml.jackson.core/jackson-annotations "2.8.8"]
I wrote a function to generate the S3 client:
(defn aws-s3-client []
(let [region (Regions/fromName (config/env :aws-s3-region))
credentials (BasicAWSCredentials. (config/env :aws-access-key-id)
(config/env :aws-secret-access-key))]
(-> (AmazonS3ClientBuilder/standard)
(.withRegion region)
(.withCredentials (AWSStaticCredentialsProvider. credentials))
.build)))
config/env just fetches configuration values, powered by cprop and mount. This is just standard stuff from Luminus. With
(defn- pre-signed-url [key & [verb]]
(let [expiration (tc/to-date (-> 24 t/hours t/from-now))
generate-presigned-url-request (doto (GeneratePresignedUrlRequest. (config/env :aws-s3-bucket-name) key)
(.setMethod (if (= verb :put)
HttpMethod/PUT
HttpMethod/GET))
(.setExpiration expiration))]
(.toString (.generatePresignedUrl (aws-s3-client) generate-presigned-url-request))))
The function generates either a URL for reading, :get, or for writing, :put, depending on the parameter verb. key is just the path part of the URL (remember, S3 is actually a key/value storage). All URLs will last for 24hs, something you can tweak as well.
And that’s it, generating the URL is done, now we have to use it.
Reading and writing from ClojureScript
If you have a form, then, you might need to deal with CORS and other issues. I suggest you look at s3-beam at least for inspiration. For me, it was just a matter of generating the requests from the ClojureScript app, which uses cljs-ajax. Reading was straightforward enough:
(ajax/GET get-url
{:handler (fn [value]
(do-something value))})
although the handler might have to deal with encoding issues. Writing is similar, but again, you may need to fiddle with encoding issues. Since what I was sending is a JSON payload (an encrypted screenshot), this worked for me:
(ajax/PUT put-url
{:format :json
:params payload})
If you are uploading binary data, I recommend you play with :format :raw and the :body attribute.
