@daisy-workflow/plugin-aws-s3 0.1.0

package/lib/sigv4.js

@@ -0,0 +1,176 @@
+// AWS Signature Version 4 — minimal implementation supporting both
+// header-based auth (Authorization header) and query-string auth
+// (presigned URLs).
+//
+// Spec: https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
+// Validated against AWS's published S3 test vector
+// ("Example: GET Object" — examplebucket/test.txt).
+//
+// Built with node:crypto — no external deps.
+
+import crypto from "node:crypto";
+
+const ALGO       = "AWS4-HMAC-SHA256";
+const TERMINATOR = "aws4_request";
+const SERVICE    = "s3";
+
+const sha256Hex = (data) =>
+  crypto.createHash("sha256").update(data).digest("hex");
+const hmac = (key, data) =>
+  crypto.createHmac("sha256", key).update(data).digest();
+
+// RFC 3986 URI encoding. encodeURIComponent already does most of this;
+// patch up the characters it leaves alone but the spec says to escape.
+function uriEncode(str) {
+  return encodeURIComponent(str)
+    .replace(/!/g,  "%21")
+    .replace(/\*/g, "%2A")
+    .replace(/'/g,  "%27")
+    .replace(/\(/g, "%28")
+    .replace(/\)/g, "%29");
+}
+
+function canonicalUri(pathname) {
+  if (!pathname || pathname === "/") return "/";
+  return pathname
+    .split("/")
+    .map(seg => uriEncode(decodeURIComponent(seg)))
+    .join("/");
+}
+
+function canonicalQuery(searchParams) {
+  if (!searchParams) return "";
+  const entries = [];
+  for (const [k, v] of searchParams) entries.push([k, v]);
+  entries.sort((a, b) => a[0] === b[0] ? (a[1] < b[1] ? -1 : 1) : (a[0] < b[0] ? -1 : 1));
+  return entries.map(([k, v]) => `${uriEncode(k)}=${uriEncode(v ?? "")}`).join("&");
+}
+
+function canonicalHeaders(headers) {
+  const lower = {};
+  for (const [k, v] of Object.entries(headers)) {
+    if (v == null) continue;
+    lower[k.toLowerCase()] = String(v).trim().replace(/\s+/g, " ");
+  }
+  const keys = Object.keys(lower).sort();
+  const canonical = keys.map(k => `${k}:${lower[k]}\n`).join("");
+  const signed    = keys.join(";");
+  return { canonical, signed };
+}
+
+function derivSigningKey(secretAccessKey, dateStamp, region, service) {
+  const kDate    = hmac(`AWS4${secretAccessKey}`, dateStamp);
+  const kRegion  = hmac(kDate, region);
+  const kService = hmac(kRegion, service);
+  return hmac(kService, TERMINATOR);
+}
+
+function amzTimestamp(d) {
+  return d.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
+}
+
+// ── header-based signing ──────────────────────────────────────────────
+// Returns headers to send (caller headers + Authorization + amz-date +
+// content-sha256, plus security-token if STS).
+export function signRequest({
+  method, url, headers = {}, body = "",
+  region, service = SERVICE,
+  accessKeyId, secretAccessKey, sessionToken = null,
+  nowMs,
+}) {
+  const u   = new URL(url);
+  const now = new Date(nowMs ?? Date.now());
+  const amzDate   = amzTimestamp(now);
+  const dateStamp = amzDate.slice(0, 8);
+
+  const payloadHash = sha256Hex(body || "");
+
+  const signedHeaders = {
+    ...headers,
+    host:                   u.host,
+    "x-amz-date":           amzDate,
+    "x-amz-content-sha256": payloadHash,
+  };
+  if (sessionToken) signedHeaders["x-amz-security-token"] = sessionToken;
+
+  const { canonical: canonHeaders, signed: signedHeaderList } = canonicalHeaders(signedHeaders);
+
+  const canonicalRequest = [
+    method.toUpperCase(),
+    canonicalUri(u.pathname),
+    canonicalQuery(u.searchParams),
+    canonHeaders,
+    signedHeaderList,
+    payloadHash,
+  ].join("\n");
+
+  const credentialScope = `${dateStamp}/${region}/${service}/${TERMINATOR}`;
+  const stringToSign = [ALGO, amzDate, credentialScope, sha256Hex(canonicalRequest)].join("\n");
+
+  const kSigning  = derivSigningKey(secretAccessKey, dateStamp, region, service);
+  const signature = hmac(kSigning, stringToSign).toString("hex");
+
+  const authorization = [
+    `${ALGO} Credential=${accessKeyId}/${credentialScope}`,
+    `SignedHeaders=${signedHeaderList}`,
+    `Signature=${signature}`,
+  ].join(", ");
+
+  return { ...signedHeaders, Authorization: authorization };
+}
+
+// ── presigned URL signing ─────────────────────────────────────────────
+// Returns a URL with X-Amz-* query params baked in. The caller can use
+// it from a browser / curl / IoT device without holding the secret.
+//
+// Notes:
+//   • For presigned URLs, x-amz-content-sha256 is the literal string
+//     "UNSIGNED-PAYLOAD" (S3 special-cases this).
+//   • Only `host` is in SignedHeaders by default. If you need to enforce
+//     specific headers at request time, add them to `headers`.
+//   • Max expiry is 7 days (604800s) for SigV4.
+export function presignUrl({
+  method = "GET", url, headers = {}, expiresIn = 900,
+  region, service = SERVICE,
+  accessKeyId, secretAccessKey, sessionToken = null,
+  nowMs,
+}) {
+  if (expiresIn < 1 || expiresIn > 604800) {
+    throw new Error(`presignUrl: expiresIn must be 1..604800 (got ${expiresIn})`);
+  }
+  const u   = new URL(url);
+  const now = new Date(nowMs ?? Date.now());
+  const amzDate   = amzTimestamp(now);
+  const dateStamp = amzDate.slice(0, 8);
+  const credentialScope = `${dateStamp}/${region}/${service}/${TERMINATOR}`;
+
+  // Sign at minimum `host` (every request has it). Extra headers can be
+  // forced via `headers`.
+  const signedHeaders = { ...headers, host: u.host };
+  const { canonical: canonHeaders, signed: signedHeaderList } = canonicalHeaders(signedHeaders);
+
+  // Add the X-Amz-* query parameters BEFORE building the canonical
+  // query string (they participate in the signature).
+  u.searchParams.set("X-Amz-Algorithm",     ALGO);
+  u.searchParams.set("X-Amz-Credential",    `${accessKeyId}/${credentialScope}`);
+  u.searchParams.set("X-Amz-Date",          amzDate);
+  u.searchParams.set("X-Amz-Expires",       String(expiresIn));
+  u.searchParams.set("X-Amz-SignedHeaders", signedHeaderList);
+  if (sessionToken) u.searchParams.set("X-Amz-Security-Token", sessionToken);
+
+  const canonicalRequest = [
+    method.toUpperCase(),
+    canonicalUri(u.pathname),
+    canonicalQuery(u.searchParams),
+    canonHeaders,
+    signedHeaderList,
+    "UNSIGNED-PAYLOAD",
+  ].join("\n");
+
+  const stringToSign = [ALGO, amzDate, credentialScope, sha256Hex(canonicalRequest)].join("\n");
+  const kSigning     = derivSigningKey(secretAccessKey, dateStamp, region, service);
+  const signature    = hmac(kSigning, stringToSign).toString("hex");
+
+  u.searchParams.set("X-Amz-Signature", signature);
+  return u.toString();
+}

package/manifest.json

@@ -0,0 +1,185 @@
+{
+  "name":          "aws-s3",
+  "version":       "0.1.0",
+  "description":   "AWS S3 connector — buckets, files, folders, plus AWS-specific features (storage classes, server-side encryption, KMS, tags, requester pays, presigned URLs). For non-AWS S3-compatible providers (Wasabi, MinIO, R2, B2…) use the generic `s3` plugin. Mirrors n8n's AWS S3 node. Auth via a workspace `generic` config with accessKeyId + secretAccessKey + region (plus optional sessionToken / customEndpoint).",
+  "ui":            { "category": "storage", "icon": "amazon-s3" },
+  "primaryOutput": "result",
+
+  "configRefs": [
+    {
+      "name":        "aws-s3",
+      "type":        "generic",
+      "required":    true,
+      "description": "Generic config: { accessKeyId, secretAccessKey, region, sessionToken?, customEndpoint? }. The endpoint is derived from the region (s3.<region>.amazonaws.com) unless customEndpoint is set — useful for VPC interface endpoints, S3 Transfer Acceleration, AWS GovCloud, or AWS China regions."
+    }
+  ],
+
+  "inputSchema": {
+    "type": "object",
+    "required": ["operation"],
+    "properties": {
+      "operation": {
+        "type": "string",
+        "description": "Which AWS S3 call to run.",
+        "enum": [
+          "bucket.getAll",
+          "bucket.create",
+          "bucket.delete",
+          "bucket.search",
+          "bucket.location",
+          "file.getAll",
+          "file.head",
+          "file.upload",
+          "file.download",
+          "file.copy",
+          "file.delete",
+          "file.presignedUrl",
+          "folder.create",
+          "folder.getAll",
+          "folder.delete"
+        ]
+      },
+
+      "config": {
+        "type": "string",
+        "description": "Workspace config name to read credentials from. Default: 'aws-s3'."
+      },
+
+      "bucket": {
+        "type": "string",
+        "description": "Bucket name. Required for bucket.create / bucket.delete / bucket.search / bucket.location / file.* / folder.*."
+      },
+      "key": {
+        "type": "string",
+        "description": "Object key (path within the bucket). Required for file.{upload,download,copy,delete,head,presignedUrl}."
+      },
+
+      "prefix": {
+        "type": "string",
+        "description": "Key prefix filter. Used by bucket.search / file.getAll / folder.getAll / folder.delete."
+      },
+      "delimiter": {
+        "type": "string",
+        "default": "/",
+        "description": "Delimiter used to group keys into 'folders'. Default '/'. Used by folder.getAll."
+      },
+      "maxKeys": {
+        "type": "integer",
+        "minimum": 1,
+        "maximum": 1000,
+        "default": 1000,
+        "description": "Page size for list operations (S3 caps this at 1000)."
+      },
+      "continuationToken": {
+        "type": "string",
+        "description": "Opaque pagination token from a previous list response."
+      },
+
+      "body": {
+        "type": "string",
+        "description": "Object content for file.upload. Plain text by default; set `bodyEncoding: 'base64'` to upload binary data."
+      },
+      "bodyEncoding": {
+        "type": "string",
+        "enum": ["utf8", "base64"],
+        "default": "utf8",
+        "description": "How to interpret `body`. Use 'base64' to upload binary files."
+      },
+      "contentType": {
+        "type": "string",
+        "description": "Content-Type header for file.upload. Default: application/octet-stream (binary) or text/plain (utf8)."
+      },
+      "metadata": {
+        "type": "object",
+        "description": "User metadata for file.upload. Each key is sent as x-amz-meta-<key>."
+      },
+      "tags": {
+        "type": "object",
+        "description": "Object tags for file.upload. URL-encoded into the x-amz-tagging header (e.g. {env:'prod', team:'data'} → 'env=prod&team=data')."
+      },
+
+      "acl": {
+        "type": "string",
+        "enum": ["private", "public-read", "public-read-write", "authenticated-read", "aws-exec-read", "bucket-owner-read", "bucket-owner-full-control"],
+        "description": "Canned ACL. Used by file.upload / folder.create / bucket.create. Note: many AWS accounts have ACLs disabled via 'Object Ownership = Bucket owner enforced'; in that case the ACL header is rejected."
+      },
+
+      "storageClass": {
+        "type": "string",
+        "enum": ["STANDARD", "REDUCED_REDUNDANCY", "STANDARD_IA", "ONEZONE_IA", "INTELLIGENT_TIERING", "GLACIER", "DEEP_ARCHIVE", "GLACIER_IR"],
+        "description": "Storage class for file.upload. AWS S3-specific. GLACIER and DEEP_ARCHIVE need restore-before-read."
+      },
+
+      "serverSideEncryption": {
+        "type": "string",
+        "enum": ["AES256", "aws:kms", "aws:kms:dsse"],
+        "description": "Server-side encryption for file.upload. Set ssekmsKeyId when using aws:kms or aws:kms:dsse."
+      },
+      "ssekmsKeyId": {
+        "type": "string",
+        "description": "KMS key ID or ARN. Required when serverSideEncryption is aws:kms / aws:kms:dsse and you want a non-default key."
+      },
+
+      "requesterPays": {
+        "type": "boolean",
+        "default": false,
+        "description": "Set x-amz-request-payer: requester. Required when reading from or writing to a bucket configured as Requester Pays."
+      },
+
+      "copySource": {
+        "type": "string",
+        "description": "Source for file.copy in `bucket/key` form (e.g. 'src-bucket/path/to/file.txt'). Destination is bucket+key."
+      },
+
+      "folderName": {
+        "type": "string",
+        "description": "Folder name for folder.create. Will be created as an empty object with key ending in '/'."
+      },
+
+      "responseEncoding": {
+        "type": "string",
+        "enum": ["utf8", "base64"],
+        "default": "base64",
+        "description": "How file.download returns the body. 'base64' is safe for binary. 'utf8' for text-only objects."
+      },
+
+      "presignedMethod": {
+        "type": "string",
+        "enum": ["GET", "PUT"],
+        "default": "GET",
+        "description": "HTTP method to sign for file.presignedUrl."
+      },
+      "presignedExpiresIn": {
+        "type": "integer",
+        "minimum": 1,
+        "maximum": 604800,
+        "default": 900,
+        "description": "Expiry in seconds for file.presignedUrl. Max 604800 (7 days)."
+      },
+
+      "region": {
+        "type": "string",
+        "description": "Override the region from the config for this call only."
+      },
+
+      "timeoutMs": {
+        "type": "integer",
+        "minimum": 1,
+        "maximum": 120000,
+        "default": 30000
+      }
+    }
+  },
+
+  "outputSchema": {
+    "type": "object",
+    "required": ["ok", "operation"],
+    "properties": {
+      "ok":        { "type": "boolean" },
+      "operation": { "type": "string", "description": "Echo of the input operation that ran." },
+      "status":    { "type": "integer", "description": "HTTP status from the underlying S3 call (omitted for file.presignedUrl)." },
+      "result":    { "description": "Operation-specific payload. See README for shapes." },
+      "url":       { "type": "string", "description": "Deep-link to the affected bucket/object on the AWS endpoint (when applicable)." }
+    }
+  }
+}

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "@daisy-workflow/plugin-aws-s3",
+  "version": "0.1.0",
+  "description": "Daisy external plugin — AWS S3 connector (AWS-specific: region-derived endpoints, storage classes, server-side encryption, KMS, tags, requester pays, presigned URLs).",
+  "type": "module",
+  "main": "index.js",
+  "scripts": {
+    "start": "node index.js"
+  },
+  "dependencies": {
+    "@daisy-workflow/plugin-sdk": "^0.1.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "license": "MIT"
+}

package/publish-docker.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+#
+# publish-docker.sh — build & push the aws-s3 plugin image to Docker Hub.
+#
+# Usage:
+#   ./publish-docker.sh                    # build + push :<version> and :latest, multi-arch
+#   IMAGE=foo/bar ./publish-docker.sh      # override image name
+#   PLATFORMS=linux/amd64 ./publish-docker.sh   # single-arch
+#   PUSH=0 ./publish-docker.sh             # build only, don't push
+#   NO_LATEST=1 ./publish-docker.sh        # skip the :latest tag
+#
+# Prereqs on your machine:
+#   - Docker Desktop (or dockerd) running
+#   - docker buildx available  (comes with Docker Desktop)
+#   - You're logged in:  docker login -u <dockerhub-user>
+#
+set -euo pipefail
+
+IMAGE="${IMAGE:-vivek13186/daisy-plugin-aws-s3}"
+PLATFORMS="${PLATFORMS:-linux/amd64,linux/arm64}"
+PUSH="${PUSH:-1}"
+NO_LATEST="${NO_LATEST:-0}"
+
+SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
+cd "$SCRIPT_DIR"
+
+if ! command -v node >/dev/null 2>&1; then
+  echo "ERROR: node is required to read version from package.json" >&2
+  exit 1
+fi
+VERSION="$(node -p "require('./package.json').version")"
+if [[ -z "$VERSION" || "$VERSION" == "undefined" ]]; then
+  echo "ERROR: could not read version from package.json" >&2
+  exit 1
+fi
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "ERROR: docker CLI not found in PATH" >&2
+  exit 1
+fi
+if ! docker buildx version >/dev/null 2>&1; then
+  echo "ERROR: docker buildx is required (install Docker Desktop or the buildx plugin)" >&2
+  exit 1
+fi
+
+BUILDER="daisy-plugin-builder"
+if ! docker buildx inspect "$BUILDER" >/dev/null 2>&1; then
+  echo ">> creating buildx builder: $BUILDER"
+  docker buildx create --name "$BUILDER" --driver docker-container --use >/dev/null
+else
+  docker buildx use "$BUILDER" >/dev/null
+fi
+docker buildx inspect --bootstrap >/dev/null
+
+TAG_LIST=("${IMAGE}:${VERSION}")
+if [[ "$NO_LATEST" != "1" ]]; then
+  TAG_LIST+=("${IMAGE}:latest")
+fi
+TAG_FLAGS=()
+for t in "${TAG_LIST[@]}"; do
+  TAG_FLAGS+=(--tag "$t")
+done
+
+PUSH_FLAG="--push"
+if [[ "$PUSH" == "0" ]]; then
+  PUSH_FLAG="--load"
+  if [[ "$PLATFORMS" == *","* ]]; then
+    echo ">> PUSH=0 requested; forcing single platform linux/amd64 (--load can't load multi-arch)"
+    PLATFORMS="linux/amd64"
+  fi
+fi
+
+echo ">> image:      $IMAGE"
+echo ">> version:    $VERSION"
+echo ">> platforms:  $PLATFORMS"
+echo ">> tags:       ${TAG_LIST[*]}"
+echo ">> action:     $([[ "$PUSH" == "1" ]] && echo push || echo build-only)"
+
+if [[ "$PUSH" == "1" ]]; then
+  if ! docker info 2>/dev/null | grep -q "Username:"; then
+    echo ">> not logged in to Docker Hub — running: docker login"
+    docker login
+  fi
+fi
+
+docker buildx build \
+  --platform "$PLATFORMS" \
+  "${TAG_FLAGS[@]}" \
+  --file Dockerfile \
+  $PUSH_FLAG \
+  .
+
+echo ">> done."
+if [[ "$PUSH" == "1" ]]; then
+  echo ">> pulled with:  docker pull ${IMAGE}:${VERSION}"
+  echo ">> hub page:     https://hub.docker.com/r/${IMAGE}"
+fi