aws-sigv4 1.0.3 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/aws-sigv4/signer.rb +95 -0
- metadata +23 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cb4db422d46522a4ad3274b0dc5b28689ed5def4
|
|
4
|
+
data.tar.gz: 061ca3ebfd24ffea8a1717ac9e12f9fc0650d4f8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fef836871abeaf35b99b00a28deab1506f45d6792a6c732d74db4a37250d77e62ee64da491ad91a21a0f8098ba91dae19953d27c48aec0a36d7e2ad403f4edf6
|
|
7
|
+
data.tar.gz: 6bee73d7bbcd3f7fe8cb92275eabb13d5981869dc566bfc818960449143fdc28f91270465efd9d38adbfb4f91d12c23a2c70e7cfebf4c45d8954df3c0a082b36
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -4,6 +4,7 @@ require 'time'
|
|
|
4
4
|
require 'uri'
|
|
5
5
|
require 'set'
|
|
6
6
|
require 'cgi'
|
|
7
|
+
require 'aws-eventstream'
|
|
7
8
|
|
|
8
9
|
module Aws
|
|
9
10
|
module Sigv4
|
|
@@ -243,6 +244,59 @@ module Aws
|
|
|
243
244
|
)
|
|
244
245
|
end
|
|
245
246
|
|
|
247
|
+
# Signs a event and returns signature headers and prior signature
|
|
248
|
+
# used for next event signing.
|
|
249
|
+
#
|
|
250
|
+
# Headers of a sigv4 signed event message only contains 2 headers
|
|
251
|
+
# * ':chunk-signature'
|
|
252
|
+
# * computed signature of the event, binary string, 'bytes' type
|
|
253
|
+
# * ':date'
|
|
254
|
+
# * millisecond since epoch, 'timestamp' type
|
|
255
|
+
#
|
|
256
|
+
# Payload of the sigv4 signed event message contains eventstream encoded message
|
|
257
|
+
# which is serialized based on input and protocol
|
|
258
|
+
#
|
|
259
|
+
# To sign events
|
|
260
|
+
#
|
|
261
|
+
# headers_0, signature_0 = signer.sign_event(
|
|
262
|
+
# prior_signature, # hex-encoded string
|
|
263
|
+
# payload_0, # binary string (eventstream encoded event 0)
|
|
264
|
+
# encoder, # Aws::EventStreamEncoder
|
|
265
|
+
# )
|
|
266
|
+
#
|
|
267
|
+
# headers_1, signature_1 = signer.sign_event(
|
|
268
|
+
# signature_0,
|
|
269
|
+
# payload_1, # binary string (eventstream encoded event 1)
|
|
270
|
+
# encoder
|
|
271
|
+
# )
|
|
272
|
+
#
|
|
273
|
+
# The initial prior_signature should be using the signature computed at initial request
|
|
274
|
+
#
|
|
275
|
+
# Note:
|
|
276
|
+
#
|
|
277
|
+
# Since ':chunk-signature' header value has bytes type, the signature value provided
|
|
278
|
+
# needs to be a binary string instead of a hex-encoded string (like original signature
|
|
279
|
+
# V4 algorithm). Thus, when returning signature value used for next event siging, the
|
|
280
|
+
# signature value (a binary string) used at ':chunk-signature' needs to converted to
|
|
281
|
+
# hex-encoded string using #unpack
|
|
282
|
+
def sign_event(prior_signature, payload, encoder)
|
|
283
|
+
creds = get_credentials
|
|
284
|
+
time = Time.now
|
|
285
|
+
headers = {}
|
|
286
|
+
|
|
287
|
+
datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
|
|
288
|
+
date = datetime[0,8]
|
|
289
|
+
headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i*1000, type: 'timestamp')
|
|
290
|
+
|
|
291
|
+
sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
|
|
292
|
+
sig = event_signature(creds.secret_access_key, date, sts)
|
|
293
|
+
|
|
294
|
+
headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
|
|
295
|
+
|
|
296
|
+
# Returning signed headers and signature value in hex-encoded string
|
|
297
|
+
[headers, sig.unpack('H*').first]
|
|
298
|
+
end
|
|
299
|
+
|
|
246
300
|
# Signs a URL with query authentication. Using query parameters
|
|
247
301
|
# to authenticate requests is useful when you want to express a
|
|
248
302
|
# request entirely in a URL. This method is also referred as
|
|
@@ -375,6 +429,29 @@ module Aws
|
|
|
375
429
|
].join("\n")
|
|
376
430
|
end
|
|
377
431
|
|
|
432
|
+
# Compared to original #string_to_sign at signature v4 algorithm
|
|
433
|
+
# there is no canonical_request concept for an eventstream event,
|
|
434
|
+
# instead, an event contains headers and payload two parts, and
|
|
435
|
+
# they will be used for computing digest in #event_string_to_sign
|
|
436
|
+
#
|
|
437
|
+
# Note:
|
|
438
|
+
# While headers need to be encoded under eventstream format,
|
|
439
|
+
# payload used is already eventstream encoded (event without signature),
|
|
440
|
+
# thus no extra encoding is needed.
|
|
441
|
+
def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
|
|
442
|
+
encoded_headers = encoder.encode_headers(
|
|
443
|
+
Aws::EventStream::Message.new(headers: headers, payload: payload)
|
|
444
|
+
).read
|
|
445
|
+
[
|
|
446
|
+
"AWS4-HMAC-SHA256-PAYLOAD",
|
|
447
|
+
datetime,
|
|
448
|
+
credential_scope(datetime[0,8]),
|
|
449
|
+
prior_signature,
|
|
450
|
+
sha256_hexdigest(encoded_headers),
|
|
451
|
+
sha256_hexdigest(payload)
|
|
452
|
+
].join("\n")
|
|
453
|
+
end
|
|
454
|
+
|
|
378
455
|
def credential_scope(date)
|
|
379
456
|
[
|
|
380
457
|
date,
|
|
@@ -396,6 +473,24 @@ module Aws
|
|
|
396
473
|
hexhmac(k_credentials, string_to_sign)
|
|
397
474
|
end
|
|
398
475
|
|
|
476
|
+
# Comparing to original signature v4 algorithm,
|
|
477
|
+
# returned signature is a binary string instread of
|
|
478
|
+
# hex-encoded string. (Since ':chunk-signature' requires
|
|
479
|
+
# 'bytes' type)
|
|
480
|
+
#
|
|
481
|
+
# Note:
|
|
482
|
+
# converting signature from binary string to hex-encoded
|
|
483
|
+
# string is handled at #sign_event instead. (Will be used
|
|
484
|
+
# as next prior signature for event signing)
|
|
485
|
+
def event_signature(secret_access_key, date, string_to_sign)
|
|
486
|
+
k_date = hmac("AWS4" + secret_access_key, date)
|
|
487
|
+
k_region = hmac(k_date, @region)
|
|
488
|
+
k_service = hmac(k_region, @service)
|
|
489
|
+
k_credentials = hmac(k_service, 'aws4_request')
|
|
490
|
+
hmac(k_credentials, string_to_sign)
|
|
491
|
+
end
|
|
492
|
+
|
|
493
|
+
|
|
399
494
|
def path(url)
|
|
400
495
|
path = url.path
|
|
401
496
|
path = '/' if path == ''
|
metadata
CHANGED
|
@@ -1,15 +1,35 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
-
dependencies:
|
|
11
|
+
date: 2019-03-13 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: aws-eventstream
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - "~>"
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '1.0'
|
|
20
|
+
- - ">="
|
|
21
|
+
- !ruby/object:Gem::Version
|
|
22
|
+
version: 1.0.2
|
|
23
|
+
type: :runtime
|
|
24
|
+
prerelease: false
|
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
26
|
+
requirements:
|
|
27
|
+
- - "~>"
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: '1.0'
|
|
30
|
+
- - ">="
|
|
31
|
+
- !ruby/object:Gem::Version
|
|
32
|
+
version: 1.0.2
|
|
13
33
|
description: Amazon Web Services Signature Version 4 signing ligrary. Generates sigv4
|
|
14
34
|
signature for HTTP requests.
|
|
15
35
|
email:
|