aws-sigv4 1.0.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: dc5dab371e96d81659b31a8f240fac3f0181e1b1
-  data.tar.gz: fa9c9cce2b176379585923c0345890756f930e78
+SHA256:
+  metadata.gz: 46dbb72f9e31ff1022703f91ae7e1d2cfe78c78629e682fe99468933704aff62
+  data.tar.gz: 963db4a8f39031b64398dea0d2ebc7167af20e79446e23bfd270c6cb85d4738f
 SHA512:
-  metadata.gz: cdad04342ef2a0e2e8d1016af4d7e50daf13bc892981f7629c7fb444bf86c599ad6c9657e377176c66ebddaea8a73b211c13e05c63ae38da9cf7f4cec86d70c7
-  data.tar.gz: af5088ab2930b07050ef3ab12c7de87671f54f3d8bcecc38a1fdde49e1df69f43cb11a80c402caf7257f5156b2eec935d35bcab427578f979ee8e6185d5bb1c0
+  metadata.gz: '0142942e58db9971d8ceaa2aeb7c97d1cd58bdba463366fd06831b1769a3c124f6e1f1b082c4d1b5917f794ab70556f6bd78dbb67824a35e74ccbfc5bdaafa25'
+  data.tar.gz: aca23ad7a8a98f24abdbbaa2afe9cde1430a7a10f627b63d7da56939665056ccc7a04226dc14e3793e3848032291aba990fc10576369f3974911593566ea9262

data/CHANGELOG.md

@@ -0,0 +1,88 @@
+Unreleased Changes
+------------------
+
+1.4.0 (2021-09-02)
+------------------
+
+* Feature - add `signing_algorithm` option with `sigv4` default.
+
+1.3.0 (2021-09-01)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9, 2.0, 2.1, and 2.2.
+
+1.2.4 (2021-07-08)
+------------------
+
+* Issue - Fix usage of `:uri_escape_path` and `:apply_checksum_header` in `Signer`.
+
+1.2.3 (2021-03-04)
+------------------
+
+* Issue - Include LICENSE, CHANGELOG, and VERSION files with this gem.
+
+1.2.2 (2020-08-13)
+------------------
+
+* Issue - Sort query params with same names by value when signing. (#2376)
+
+1.2.1 (2020-06-24)
+------------------
+
+* Issue - Don't overwrite `host` header in sigv4 signer if given.
+
+1.2.0 (2020-06-17)
+------------------
+
+* Feature - Bump `aws-eventstream` dependency to `~> 1`.
+
+1.1.4 (2020-05-28)
+------------------
+
+* Issue - Don't use `expect` header to compute Signature.
+
+1.1.3 (2020-04-27)
+------------------
+
+* Issue - Don't rely on the set? method of credentials.
+
+1.1.2 (2020-04-17)
+------------------
+
+* Issue - Raise errors when credentials are not set (nil or empty)
+
+1.1.1 (2020-02-26)
+------------------
+
+* Issue - Handle signing for unknown protocols and default ports.
+
+1.1.0 (2019-03-13)
+------------------
+
+* Feature - Support signature V4 signing per event.
+
+1.0.3 (2018-06-28)
+------------------
+
+* Issue - Reduce memory allocation when generating signatures.
+
+1.0.2 (2018-02-21)
+------------------
+
+* Issue - Fix Ruby warning: shadowed local variable "headers".
+
+1.0.2 (2017-08-31)
+------------------
+
+* Issue - Update `aws-sigv4` gemspec metadata.
+
+1.0.1 (2017-07-12)
+------------------
+
+* Issue - Make UTF-8 encoding explicit in spec test.
+
+
+1.0.0 (2016-11-08)
+------------------
+
+* Feature - Initial release of the `aws-sigv4` gem.

data/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/VERSION

@@ -0,0 +1 @@
+1.4.0

data/lib/aws-sigv4/credentials.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     # Users that wish to configure static credentials can use the
@@ -28,11 +30,14 @@ module Aws
       # @return [String, nil]
       attr_reader :session_token
 
-      # @return [Boolean]
+      # @return [Boolean] Returns `true` if the access key id and secret
+      #   access key are both set.
       def set?
-        !!(access_key_id && secret_access_key)
+        !access_key_id.nil? &&
+          !access_key_id.empty? &&
+          !secret_access_key.nil? &&
+          !secret_access_key.empty?
       end
-
     end
 
     # Users that wish to configure static credentials can use the
@@ -53,6 +58,10 @@ module Aws
       # @return [Credentials]
       attr_reader :credentials
 
+      # @return [Boolean]
+      def set?
+        !!credentials && credentials.set?
+      end
     end
 
   end

data/lib/aws-sigv4/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     module Errors

data/lib/aws-sigv4/request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'uri'
 
 module Aws

data/lib/aws-sigv4/signature.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     class Signature

data/lib/aws-sigv4/signer.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 require 'openssl'
 require 'tempfile'
 require 'time'
 require 'uri'
 require 'set'
 require 'cgi'
+require 'aws-eventstream'
 
 module Aws
   module Sigv4
@@ -121,8 +124,16 @@ module Aws
         @credentials_provider = extract_credentials_provider(options)
         @unsigned_headers = Set.new((options.fetch(:unsigned_headers, [])).map(&:downcase))
         @unsigned_headers << 'authorization'
+        @unsigned_headers << 'x-amzn-trace-id'
+        @unsigned_headers << 'expect'
         [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[:opt] : true)
+          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[opt] : true)
+        end
+
+        if options[:signing_algorithm] == :sigv4a
+          raise ArgumentError, 'You are attempting to sign a' \
+' request with sigv4a which requires aws-crt and version 1.4.0.crt or later of the aws-sigv4 gem.'\
+' Please install the gem or add it to your gemfile.'
         end
       end
 
@@ -165,11 +176,11 @@ module Aws
       #     )
       #
       #     # Apply the following hash of headers to your HTTP request
-      #     signature.headers['Host']
-      #     signature.headers['X-Amz-Date']
-      #     signature.headers['X-Amz-Security-Token']
-      #     signature.headers['X-Amz-Content-Sha256']
-      #     signature.headers['Authorization']
+      #     signature.headers['host']
+      #     signature.headers['x-amz-date']
+      #     signature.headers['x-amz-security-token']
+      #     signature.headers['x-amz-content-sha256']
+      #     signature.headers['authorization']
       #
       # In addition to computing the signature headers, the canonicalized
       # request, string to sign and content sha256 checksum are also available.
@@ -191,7 +202,7 @@ module Aws
       #   to sign. If the 'X-Amz-Content-Sha256' header is set, the `:body`
       #   is optional and will not be read.
       #
-      # @option request [otpional, String, IO] :body ('') The HTTP request body.
+      # @option request [optional, String, IO] :body ('') The HTTP request body.
       #   A sha256 checksum is computed of the body unless the
       #   'X-Amz-Content-Sha256' header is set.
       #
@@ -200,7 +211,7 @@ module Aws
       #
       def sign_request(request)
 
-        creds = get_credentials
+        creds = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
@@ -214,7 +225,7 @@ module Aws
         content_sha256 ||= sha256_hexdigest(request[:body] || '')
 
         sigv4_headers = {}
-        sigv4_headers['host'] = host(url)
+        sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
         sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
@@ -242,6 +253,59 @@ module Aws
         )
       end
 
+      # Signs a event and returns signature headers and prior signature
+      # used for next event signing.
+      #
+      # Headers of a sigv4 signed event message only contains 2 headers
+      #   * ':chunk-signature'
+      #     * computed signature of the event, binary string, 'bytes' type
+      #   * ':date'
+      #     * millisecond since epoch, 'timestamp' type
+      #
+      # Payload of the sigv4 signed event message contains eventstream encoded message
+      # which is serialized based on input and protocol
+      #
+      # To sign events
+      #
+      #     headers_0, signature_0 = signer.sign_event(
+      #       prior_signature, # hex-encoded string
+      #       payload_0, # binary string (eventstream encoded event 0)
+      #       encoder, # Aws::EventStreamEncoder
+      #     )
+      #
+      #     headers_1, signature_1 = signer.sign_event(
+      #       signature_0,
+      #       payload_1, # binary string (eventstream encoded event 1)
+      #       encoder
+      #     )
+      #
+      # The initial prior_signature should be using the signature computed at initial request
+      #
+      # Note:
+      #
+      #   Since ':chunk-signature' header value has bytes type, the signature value provided
+      #   needs to be a binary string instead of a hex-encoded string (like original signature
+      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
+      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
+      #   hex-encoded string using #unpack
+      def sign_event(prior_signature, payload, encoder)
+        creds = fetch_credentials
+        time = Time.now
+        headers = {}
+
+        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
+        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
+
+        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        sig = event_signature(creds.secret_access_key, date, sts)
+
+        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
+
+        # Returning signed headers and signature value in hex-encoded string
+        [headers, sig.unpack('H*').first]
+      end
+
       # Signs a URL with query authentication. Using query parameters
       # to authenticate requests is useful when you want to express a
       # request entirely in a URL. This method is also referred as
@@ -252,7 +316,7 @@ module Aws
       # To generate a presigned URL, you must provide a HTTP URI and
       # the http method.
       #
-      #     url = signer.presigned_url(
+      #     url = signer.presign_url(
       #       http_method: 'GET',
       #       url: 'https://my-bucket.s3-us-east-1.amazonaws.com/key',
       #       expires_in: 60
@@ -261,7 +325,7 @@ module Aws
       # By default, signatures are valid for 15 minutes. You can specify
       # the number of seconds for the URL to expire in.
       #
-      #     url = signer.presigned_url(
+      #     url = signer.presign_url(
       #       http_method: 'GET',
       #       url: 'https://my-bucket.s3-us-east-1.amazonaws.com/key',
       #       expires_in: 3600 # one hour
@@ -272,7 +336,7 @@ module Aws
       # **must** be provided, or the signature is invalid. Other headers
       # are optional, but should be provided for security reasons.
       #
-      #     url = signer.presigned_url(
+      #     url = signer.presign_url(
       #       http_method: 'PUT',
       #       url: 'https://my-bucket.s3-us-east-1.amazonaws.com/key',
       #       headers: {
@@ -312,13 +376,13 @@ module Aws
       #
       def presign_url(options)
 
-        creds = get_credentials
+        creds = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
 
         headers = downcase_headers(options[:headers])
-        headers['host'] = host(url)
+        headers['host'] ||= host(url)
 
         datetime = headers['x-amz-date']
         datetime ||= (options[:time] || Time.now).utc.strftime("%Y%m%dT%H%M%SZ")
@@ -333,8 +397,8 @@ module Aws
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
         params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-SignedHeaders'] = signed_headers(headers)
         params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
         params = params.map do |key, value|
           "#{uri_escape(key)}=#{uri_escape(value)}"
@@ -374,6 +438,29 @@ module Aws
         ].join("\n")
       end
 
+      # Compared to original #string_to_sign at signature v4 algorithm
+      # there is no canonical_request concept for an eventstream event,
+      # instead, an event contains headers and payload two parts, and
+      # they will be used for computing digest in #event_string_to_sign
+      #
+      # Note:
+      #   While headers need to be encoded under eventstream format,
+      #   payload used is already eventstream encoded (event without signature),
+      #   thus no extra encoding is needed.
+      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        encoded_headers = encoder.encode_headers(
+          Aws::EventStream::Message.new(headers: headers, payload: payload)
+        )
+        [
+          "AWS4-HMAC-SHA256-PAYLOAD",
+          datetime,
+          credential_scope(datetime[0,8]),
+          prior_signature,
+          sha256_hexdigest(encoded_headers),
+          sha256_hexdigest(payload)
+        ].join("\n")
+      end
+
       def credential_scope(date)
         [
           date,
@@ -395,6 +482,24 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      # Comparing to original signature v4 algorithm,
+      # returned signature is a binary string instread of
+      # hex-encoded string. (Since ':chunk-signature' requires
+      # 'bytes' type)
+      #
+      # Note:
+      #   converting signature from binary string to hex-encoded
+      #   string is handled at #sign_event instead. (Will be used
+      #   as next prior signature for event signing)
+      def event_signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hmac(k_credentials, string_to_sign)
+      end
+
+
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -408,18 +513,26 @@ module Aws
       def normalized_querystring(querystring)
         params = querystring.split('&')
         params = params.map { |p| p.match(/=/) ? p : p + '=' }
-        # We have to sort by param name and preserve order of params that
-        # have the same name. Default sort <=> in JRuby will swap members
+        # From: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        # Sort the parameter names by character code point in ascending order.
+        # Parameters with duplicate names should be sorted by value.
+        #
+        # Default sort <=> in JRuby will swap members
         # occasionally when <=> is 0 (considered still sorted), but this
         # causes our normalized query string to not match the sent querystring.
-        # When names match, we then sort by their original order
-        params = params.each.with_index.sort do |a, b|
+        # When names match, we then sort by their values.  When values also
+        # match then we sort by their original order
+        params.each.with_index.sort do |a, b|
           a, a_offset = a
-          a_name = a.split('=')[0]
           b, b_offset = b
-          b_name = b.split('=')[0]
+          a_name, a_value = a.split('=')
+          b_name, b_value = b.split('=')
           if a_name == b_name
-            a_offset <=> b_offset
+            if a_value == b_value
+              a_offset <=> b_offset
+            else
+              a_value <=> b_value
+            end
           else
             a_name <=> b_name
           end
@@ -437,11 +550,11 @@ module Aws
       end
 
       def canonical_headers(headers)
-        headers = headers.inject([]) do |headers, (k,v)|
+        headers = headers.inject([]) do |hdrs, (k,v)|
           if @unsigned_headers.include?(k)
-            headers
+            hdrs
           else
-            headers << [k,v]
+            hdrs << [k,v]
           end
         end
         headers = headers.sort_by(&:first)
@@ -453,18 +566,14 @@ module Aws
       end
 
       def host(uri)
-        if standard_port?(uri)
+        # Handles known and unknown URI schemes; default_port nil when unknown.
+        if uri.default_port == uri.port
           uri.host
         else
           "#{uri.host}:#{uri.port}"
         end
       end
 
-      def standard_port?(uri)
-        (uri.scheme == 'http' && uri.port == 80) ||
-        (uri.scheme == 'https' && uri.port == 443)
-      end
-
       # @param [File, Tempfile, IO#read, String] value
       # @return [String<SHA256 Hexdigest>]
       def sha256_hexdigest(value)
@@ -472,7 +581,9 @@ module Aws
           OpenSSL::Digest::SHA256.file(value).hexdigest
         elsif value.respond_to?(:read)
           sha256 = OpenSSL::Digest::SHA256.new
-          while chunk = value.read(1024 * 1024) # 1MB
+          loop do
+            chunk = value.read(1024 * 1024) # 1MB
+            break unless chunk
             sha256.update(chunk)
           end
           value.rewind
@@ -560,18 +671,26 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-      def get_credentials
+
+      def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
           credentials
         else
-          msg = 'unable to sign request without credentials set'
-          raise Errors::MissingCredentialsError.new(msg)
+          raise Errors::MissingCredentialsError,
+          'unable to sign request without credentials set'
         end
       end
 
+      # Returns true if credentials are set (not nil or empty)
+      # Credentials may not implement the Credentials interface
+      # and may just be credential like Client response objects
+      # (eg those returned by sts#assume_role)
       def credentials_set?(credentials)
-        credentials.access_key_id && credentials.secret_access_key
+        !credentials.access_key_id.nil? &&
+          !credentials.access_key_id.empty? &&
+          !credentials.secret_access_key.nil? &&
+          !credentials.secret_access_key.empty?
       end
 
       class << self

data/lib/aws-sigv4.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'

metadata

@@ -1,32 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-08 00:00:00.000000000 Z
-dependencies: []
-description: Amazon Web Services Signature Version 4 signing ligrary. Generates sigv4
+date: 2021-09-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-eventstream
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
 email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
+- LICENSE.txt
+- VERSION
 - lib/aws-sigv4.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
 - lib/aws-sigv4/request.rb
 - lib/aws-sigv4/signature.rb
 - lib/aws-sigv4/signer.rb
-homepage: http://github.com/aws/aws-sdk-ruby
+homepage: https://github.com/aws/aws-sdk-ruby
 licenses:
 - Apache-2.0
-metadata: {}
+metadata:
+  source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
+  changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -35,15 +60,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.4
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: AWS Signature Version 4 library.