aws-sigv4 1.0.3 → 1.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 230c5aa7c49bded384ea0cc96ecbc3cdc6d3bec7
-  data.tar.gz: b1b194fa0740e2588a94dd9a0c66f7c5f4198f70
+SHA256:
+  metadata.gz: 20343231e403c71c5f020e97a51d2218cbc392109eeaabb6d2dfc20350251acc
+  data.tar.gz: 0b36d157ccfcd9fc92c307d602bb3b1da6ba910cea99836879b2e618bf57a196
 SHA512:
-  metadata.gz: 53016c5f240e3154815b4f172158a5a29c84ef7e912e756f8f5b53e619854bbc30a041358b5be4a8fc82708cbbb12c549f31c843421cbf5a0e6c3f2e0537ab23
-  data.tar.gz: 4ff775b31b1603a3eaf5206cb0c59bdac3599a95973626d746d81ec21b8e51db46cdc9fd8cb6a7008afaeaec5bb6ac6af6a12b5317ba60e2c64303424235a63d
+  metadata.gz: 1422ecb16c75a15b94c521b14a62502a8ed1e53756119c914bf91f720dc0edee45d566ea909e7a0617ecc3bc560ef7f840d0d4745a6b4a401e16199630727d5e
+  data.tar.gz: f0488cd4c6d30ee2f61f1fb2b7f803eea8a638efc432346a5416659cca33d0d4aebe372f8187a40e3637ad6ce5ab5ae98ea5d9af79c3c778dc7c795b08f9b065

data/lib/aws-sigv4/credentials.rb

@@ -28,11 +28,14 @@ module Aws
       # @return [String, nil]
       attr_reader :session_token
 
-      # @return [Boolean]
+      # @return [Boolean] Returns `true` if the access key id and secret
+      #   access key are both set.
       def set?
-        !!(access_key_id && secret_access_key)
+        !access_key_id.nil? &&
+          !access_key_id.empty? &&
+          !secret_access_key.nil? &&
+          !secret_access_key.empty?
       end
-
     end
 
     # Users that wish to configure static credentials can use the
@@ -53,6 +56,10 @@ module Aws
       # @return [Credentials]
       attr_reader :credentials
 
+      # @return [Boolean]
+      def set?
+        !!credentials && credentials.set?
+      end
     end
 
   end

data/lib/aws-sigv4/signer.rb

@@ -4,6 +4,7 @@ require 'time'
 require 'uri'
 require 'set'
 require 'cgi'
+require 'aws-eventstream'
 
 module Aws
   module Sigv4
@@ -122,6 +123,7 @@ module Aws
         @unsigned_headers = Set.new((options.fetch(:unsigned_headers, [])).map(&:downcase))
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
+        @unsigned_headers << 'expect'
         [:uri_escape_path, :apply_checksum_header].each do |opt|
           instance_variable_set("@#{opt}", options.key?(opt) ? !!options[:opt] : true)
         end
@@ -201,7 +203,7 @@ module Aws
       #
       def sign_request(request)
 
-        creds = get_credentials
+        creds = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
@@ -243,6 +245,59 @@ module Aws
         )
       end
 
+      # Signs a event and returns signature headers and prior signature
+      # used for next event signing.
+      #
+      # Headers of a sigv4 signed event message only contains 2 headers
+      #   * ':chunk-signature'
+      #     * computed signature of the event, binary string, 'bytes' type
+      #   * ':date'
+      #     * millisecond since epoch, 'timestamp' type
+      #
+      # Payload of the sigv4 signed event message contains eventstream encoded message
+      # which is serialized based on input and protocol
+      #
+      # To sign events
+      #
+      #     headers_0, signature_0 = signer.sign_event(
+      #       prior_signature, # hex-encoded string
+      #       payload_0, # binary string (eventstream encoded event 0)
+      #       encoder, # Aws::EventStreamEncoder
+      #     )
+      #
+      #     headers_1, signature_1 = signer.sign_event(
+      #       signature_0,
+      #       payload_1, # binary string (eventstream encoded event 1)
+      #       encoder
+      #     )
+      #
+      # The initial prior_signature should be using the signature computed at initial request
+      #
+      # Note:
+      #
+      #   Since ':chunk-signature' header value has bytes type, the signature value provided
+      #   needs to be a binary string instead of a hex-encoded string (like original signature
+      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
+      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
+      #   hex-encoded string using #unpack
+      def sign_event(prior_signature, payload, encoder)
+        creds = fetch_credentials
+        time = Time.now
+        headers = {}
+
+        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
+        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
+
+        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        sig = event_signature(creds.secret_access_key, date, sts)
+
+        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
+
+        # Returning signed headers and signature value in hex-encoded string
+        [headers, sig.unpack('H*').first]
+      end
+
       # Signs a URL with query authentication. Using query parameters
       # to authenticate requests is useful when you want to express a
       # request entirely in a URL. This method is also referred as
@@ -313,7 +368,7 @@ module Aws
       #
       def presign_url(options)
 
-        creds = get_credentials
+        creds = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
@@ -375,6 +430,29 @@ module Aws
         ].join("\n")
       end
 
+      # Compared to original #string_to_sign at signature v4 algorithm
+      # there is no canonical_request concept for an eventstream event,
+      # instead, an event contains headers and payload two parts, and
+      # they will be used for computing digest in #event_string_to_sign
+      #
+      # Note:
+      #   While headers need to be encoded under eventstream format,
+      #   payload used is already eventstream encoded (event without signature),
+      #   thus no extra encoding is needed.
+      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        encoded_headers = encoder.encode_headers(
+          Aws::EventStream::Message.new(headers: headers, payload: payload)
+        )
+        [
+          "AWS4-HMAC-SHA256-PAYLOAD",
+          datetime,
+          credential_scope(datetime[0,8]),
+          prior_signature,
+          sha256_hexdigest(encoded_headers),
+          sha256_hexdigest(payload)
+        ].join("\n")
+      end
+
       def credential_scope(date)
         [
           date,
@@ -396,6 +474,24 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      # Comparing to original signature v4 algorithm,
+      # returned signature is a binary string instread of
+      # hex-encoded string. (Since ':chunk-signature' requires
+      # 'bytes' type)
+      #
+      # Note:
+      #   converting signature from binary string to hex-encoded
+      #   string is handled at #sign_event instead. (Will be used
+      #   as next prior signature for event signing)
+      def event_signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hmac(k_credentials, string_to_sign)
+      end
+
+
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -454,18 +550,14 @@ module Aws
       end
 
       def host(uri)
-        if standard_port?(uri)
+        # Handles known and unknown URI schemes; default_port nil when unknown.
+        if uri.default_port == uri.port
           uri.host
         else
           "#{uri.host}:#{uri.port}"
         end
       end
 
-      def standard_port?(uri)
-        (uri.scheme == 'http' && uri.port == 80) ||
-        (uri.scheme == 'https' && uri.port == 443)
-      end
-
       # @param [File, Tempfile, IO#read, String] value
       # @return [String<SHA256 Hexdigest>]
       def sha256_hexdigest(value)
@@ -473,7 +565,9 @@ module Aws
           OpenSSL::Digest::SHA256.file(value).hexdigest
         elsif value.respond_to?(:read)
           sha256 = OpenSSL::Digest::SHA256.new
-          while chunk = value.read(1024 * 1024, buffer ||= "") # 1MB
+          loop do
+            chunk = value.read(1024 * 1024) # 1MB
+            break unless chunk
             sha256.update(chunk)
           end
           value.rewind
@@ -561,18 +655,26 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-      def get_credentials
+
+      def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
           credentials
         else
-          msg = 'unable to sign request without credentials set'
-          raise Errors::MissingCredentialsError.new(msg)
+          raise Errors::MissingCredentialsError,
+          'unable to sign request without credentials set'
         end
       end
 
+      # Returns true if credentials are set (not nil or empty)
+      # Credentials may not implement the Credentials interface
+      # and may just be credential like Client response objects
+      # (eg those returned by sts#assume_role)
       def credentials_set?(credentials)
-        credentials.access_key_id && credentials.secret_access_key
+        !credentials.access_key_id.nil? &&
+          !credentials.access_key_id.empty? &&
+          !credentials.secret_access_key.nil? &&
+          !credentials.secret_access_key.empty?
       end
 
       class << self

metadata

@@ -1,16 +1,36 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.1.4
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-28 00:00:00.000000000 Z
-dependencies: []
-description: Amazon Web Services Signature Version 4 signing ligrary. Generates sigv4
+date: 2020-05-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-eventstream
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
 email: 
 executables: []
@@ -23,7 +43,7 @@ files:
 - lib/aws-sigv4/request.rb
 - lib/aws-sigv4/signature.rb
 - lib/aws-sigv4/signer.rb
-homepage: http://github.com/aws/aws-sdk-ruby
+homepage: https://github.com/aws/aws-sdk-ruby
 licenses:
 - Apache-2.0
 metadata:
@@ -45,7 +65,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: AWS Signature Version 4 library.