aws-sigv4 1.0.3 → 1.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 230c5aa7c49bded384ea0cc96ecbc3cdc6d3bec7
-  data.tar.gz: b1b194fa0740e2588a94dd9a0c66f7c5f4198f70
+SHA256:
+  metadata.gz: 33cb09610570a5aefa4e83ab34277756201d8f1e50197bfe343fc49cce668672
+  data.tar.gz: 4d070f7cf41c0a77b69e7ca6cc80c2fb7a8111eb3640819fb01ee6602027b5d9
 SHA512:
-  metadata.gz: 53016c5f240e3154815b4f172158a5a29c84ef7e912e756f8f5b53e619854bbc30a041358b5be4a8fc82708cbbb12c549f31c843421cbf5a0e6c3f2e0537ab23
-  data.tar.gz: 4ff775b31b1603a3eaf5206cb0c59bdac3599a95973626d746d81ec21b8e51db46cdc9fd8cb6a7008afaeaec5bb6ac6af6a12b5317ba60e2c64303424235a63d
+  metadata.gz: ddb8c5fc04288a396501afb0cd74907232ac78a2ca5e3bbb4c0879c27c15d72c19e30b9ddcaf5b8fe536e8b04d4ccc3c98eee74f27f92b594058a54b29edf704
+  data.tar.gz: 283afcb61ae4b06a68b5a644a529b560864b82f0e69c107a8c059c04b9b6448421ac93015c483aae1bdf77bed41cb3088942c1e18dc26fc4b569aa7fde65f563

data/CHANGELOG.md

@@ -0,0 +1,103 @@
+Unreleased Changes
+------------------
+
+1.5.2 (2022-09-30)
+------------------
+
+* Issue - Fix an issue where quoted strings with multiple spaces are not trimmed. (#2758)
+
+1.5.1 (2022-07-19)
+------------------
+
+* Issue - Fix performance regression when checking if `aws-crt` is available. (#2729)
+
+1.5.0 (2022-04-20)
+------------------
+
+* Feature - Use CRT based signers if `aws-crt` is available - provides support for `sigv4a`.
+
+1.4.0 (2021-09-02)
+------------------
+
+* Feature - add `signing_algorithm` option with `sigv4` default.
+
+1.3.0 (2021-09-01)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9, 2.0, 2.1, and 2.2.
+
+1.2.4 (2021-07-08)
+------------------
+
+* Issue - Fix usage of `:uri_escape_path` and `:apply_checksum_header` in `Signer`.
+
+1.2.3 (2021-03-04)
+------------------
+
+* Issue - Include LICENSE, CHANGELOG, and VERSION files with this gem.
+
+1.2.2 (2020-08-13)
+------------------
+
+* Issue - Sort query params with same names by value when signing. (#2376)
+
+1.2.1 (2020-06-24)
+------------------
+
+* Issue - Don't overwrite `host` header in sigv4 signer if given.
+
+1.2.0 (2020-06-17)
+------------------
+
+* Feature - Bump `aws-eventstream` dependency to `~> 1`.
+
+1.1.4 (2020-05-28)
+------------------
+
+* Issue - Don't use `expect` header to compute Signature.
+
+1.1.3 (2020-04-27)
+------------------
+
+* Issue - Don't rely on the set? method of credentials.
+
+1.1.2 (2020-04-17)
+------------------
+
+* Issue - Raise errors when credentials are not set (nil or empty)
+
+1.1.1 (2020-02-26)
+------------------
+
+* Issue - Handle signing for unknown protocols and default ports.
+
+1.1.0 (2019-03-13)
+------------------
+
+* Feature - Support signature V4 signing per event.
+
+1.0.3 (2018-06-28)
+------------------
+
+* Issue - Reduce memory allocation when generating signatures.
+
+1.0.2 (2018-02-21)
+------------------
+
+* Issue - Fix Ruby warning: shadowed local variable "headers".
+
+1.0.2 (2017-08-31)
+------------------
+
+* Issue - Update `aws-sigv4` gemspec metadata.
+
+1.0.1 (2017-07-12)
+------------------
+
+* Issue - Make UTF-8 encoding explicit in spec test.
+
+
+1.0.0 (2016-11-08)
+------------------
+
+* Feature - Initial release of the `aws-sigv4` gem.

data/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/VERSION

@@ -0,0 +1 @@
+1.5.2

data/lib/aws-sigv4/credentials.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     # Users that wish to configure static credentials can use the
@@ -28,11 +30,14 @@ module Aws
       # @return [String, nil]
       attr_reader :session_token
 
-      # @return [Boolean]
+      # @return [Boolean] Returns `true` if the access key id and secret
+      #   access key are both set.
       def set?
-        !!(access_key_id && secret_access_key)
+        !access_key_id.nil? &&
+          !access_key_id.empty? &&
+          !secret_access_key.nil? &&
+          !secret_access_key.empty?
       end
-
     end
 
     # Users that wish to configure static credentials can use the
@@ -53,6 +58,10 @@ module Aws
       # @return [Credentials]
       attr_reader :credentials
 
+      # @return [Boolean]
+      def set?
+        !!credentials && credentials.set?
+      end
     end
 
   end

data/lib/aws-sigv4/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     module Errors

data/lib/aws-sigv4/request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'uri'
 
 module Aws

data/lib/aws-sigv4/signature.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Aws
   module Sigv4
     class Signature
@@ -30,6 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [Hash] Internal data for debugging purposes.
+      attr_accessor :extra
     end
   end
 end

data/lib/aws-sigv4/signer.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 require 'openssl'
 require 'tempfile'
 require 'time'
 require 'uri'
 require 'set'
 require 'cgi'
+require 'aws-eventstream'
 
 module Aws
   module Sigv4
@@ -71,6 +74,14 @@ module Aws
     #
     class Signer
 
+      @@use_crt =
+        begin
+          require 'aws-crt'
+          true
+        rescue LoadError
+          false
+        end
+
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
       #   @param [String] :region The region name, e.g. 'us-east-1'.
@@ -115,6 +126,18 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
+      # @option options [Symbol] :signing_algorithm (:sigv4) The
+      #   algorithm to use for signing.  :sigv4a is only supported when
+      #   `aws-crt` is available.
+      #
+      # @option options [Boolean] :omit_session_token (false)
+      #   (Supported only when `aws-crt` is available) If `true`,
+      #   then security token is added to the final signing result,
+      #   but is treated as "unsigned" and does not contribute
+      #   to the authorization signature.
+      #
+      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
+      #   When `true`, the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -122,8 +145,17 @@ module Aws
         @unsigned_headers = Set.new((options.fetch(:unsigned_headers, [])).map(&:downcase))
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
-        [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[:opt] : true)
+        @unsigned_headers << 'expect'
+        @uri_escape_path = options.fetch(:uri_escape_path, true)
+        @apply_checksum_header = options.fetch(:apply_checksum_header, true)
+        @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
+        @normalize_path = options.fetch(:normalize_path, true)
+        @omit_session_token = options.fetch(:omit_session_token, false)
+
+        if @signing_algorithm == :sigv4a && !Signer.use_crt?
+          raise ArgumentError, 'You are attempting to sign a' \
+' request with sigv4a which requires the `aws-crt` gem.'\
+' Please install the gem or add it to your gemfile.'
         end
       end
 
@@ -201,7 +233,9 @@ module Aws
       #
       def sign_request(request)
 
-        creds = get_credentials
+        return crt_sign_request(request) if Signer.use_crt?
+
+        creds = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
@@ -215,7 +249,7 @@ module Aws
         content_sha256 ||= sha256_hexdigest(request[:body] || '')
 
         sigv4_headers = {}
-        sigv4_headers['host'] = host(url)
+        sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
         sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
@@ -243,6 +277,60 @@ module Aws
         )
       end
 
+      # Signs a event and returns signature headers and prior signature
+      # used for next event signing.
+      #
+      # Headers of a sigv4 signed event message only contains 2 headers
+      #   * ':chunk-signature'
+      #     * computed signature of the event, binary string, 'bytes' type
+      #   * ':date'
+      #     * millisecond since epoch, 'timestamp' type
+      #
+      # Payload of the sigv4 signed event message contains eventstream encoded message
+      # which is serialized based on input and protocol
+      #
+      # To sign events
+      #
+      #     headers_0, signature_0 = signer.sign_event(
+      #       prior_signature, # hex-encoded string
+      #       payload_0, # binary string (eventstream encoded event 0)
+      #       encoder, # Aws::EventStreamEncoder
+      #     )
+      #
+      #     headers_1, signature_1 = signer.sign_event(
+      #       signature_0,
+      #       payload_1, # binary string (eventstream encoded event 1)
+      #       encoder
+      #     )
+      #
+      # The initial prior_signature should be using the signature computed at initial request
+      #
+      # Note:
+      #
+      #   Since ':chunk-signature' header value has bytes type, the signature value provided
+      #   needs to be a binary string instead of a hex-encoded string (like original signature
+      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
+      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
+      #   hex-encoded string using #unpack
+      def sign_event(prior_signature, payload, encoder)
+        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
+        creds = fetch_credentials
+        time = Time.now
+        headers = {}
+
+        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
+        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
+
+        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        sig = event_signature(creds.secret_access_key, date, sts)
+
+        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
+
+        # Returning signed headers and signature value in hex-encoded string
+        [headers, sig.unpack('H*').first]
+      end
+
       # Signs a URL with query authentication. Using query parameters
       # to authenticate requests is useful when you want to express a
       # request entirely in a URL. This method is also referred as
@@ -313,13 +401,15 @@ module Aws
       #
       def presign_url(options)
 
-        creds = get_credentials
+        return crt_presign_url(options) if Signer.use_crt?
+
+        creds = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
 
         headers = downcase_headers(options[:headers])
-        headers['host'] = host(url)
+        headers['host'] ||= host(url)
 
         datetime = headers['x-amz-date']
         datetime ||= (options[:time] || Time.now).utc.strftime("%Y%m%dT%H%M%SZ")
@@ -334,8 +424,8 @@ module Aws
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
         params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-SignedHeaders'] = signed_headers(headers)
         params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
         params = params.map do |key, value|
           "#{uri_escape(key)}=#{uri_escape(value)}"
@@ -375,6 +465,29 @@ module Aws
         ].join("\n")
       end
 
+      # Compared to original #string_to_sign at signature v4 algorithm
+      # there is no canonical_request concept for an eventstream event,
+      # instead, an event contains headers and payload two parts, and
+      # they will be used for computing digest in #event_string_to_sign
+      #
+      # Note:
+      #   While headers need to be encoded under eventstream format,
+      #   payload used is already eventstream encoded (event without signature),
+      #   thus no extra encoding is needed.
+      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        encoded_headers = encoder.encode_headers(
+          Aws::EventStream::Message.new(headers: headers, payload: payload)
+        )
+        [
+          "AWS4-HMAC-SHA256-PAYLOAD",
+          datetime,
+          credential_scope(datetime[0,8]),
+          prior_signature,
+          sha256_hexdigest(encoded_headers),
+          sha256_hexdigest(payload)
+        ].join("\n")
+      end
+
       def credential_scope(date)
         [
           date,
@@ -396,6 +509,24 @@ module Aws
         hexhmac(k_credentials, string_to_sign)
       end
 
+      # Comparing to original signature v4 algorithm,
+      # returned signature is a binary string instread of
+      # hex-encoded string. (Since ':chunk-signature' requires
+      # 'bytes' type)
+      #
+      # Note:
+      #   converting signature from binary string to hex-encoded
+      #   string is handled at #sign_event instead. (Will be used
+      #   as next prior signature for event signing)
+      def event_signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hmac(k_credentials, string_to_sign)
+      end
+
+
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -409,18 +540,26 @@ module Aws
       def normalized_querystring(querystring)
         params = querystring.split('&')
         params = params.map { |p| p.match(/=/) ? p : p + '=' }
-        # We have to sort by param name and preserve order of params that
-        # have the same name. Default sort <=> in JRuby will swap members
+        # From: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+        # Sort the parameter names by character code point in ascending order.
+        # Parameters with duplicate names should be sorted by value.
+        #
+        # Default sort <=> in JRuby will swap members
         # occasionally when <=> is 0 (considered still sorted), but this
         # causes our normalized query string to not match the sent querystring.
-        # When names match, we then sort by their original order
-        params = params.each.with_index.sort do |a, b|
+        # When names match, we then sort by their values.  When values also
+        # match then we sort by their original order
+        params.each.with_index.sort do |a, b|
           a, a_offset = a
-          a_name = a.split('=')[0]
           b, b_offset = b
-          b_name = b.split('=')[0]
+          a_name, a_value = a.split('=')
+          b_name, b_value = b.split('=')
           if a_name == b_name
-            a_offset <=> b_offset
+            if a_value == b_value
+              a_offset <=> b_offset
+            else
+              a_value <=> b_value
+            end
           else
             a_name <=> b_name
           end
@@ -450,22 +589,18 @@ module Aws
       end
 
       def canonical_header_value(value)
-        value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
+        value.gsub(/\s+/, ' ').strip
       end
 
       def host(uri)
-        if standard_port?(uri)
+        # Handles known and unknown URI schemes; default_port nil when unknown.
+        if uri.default_port == uri.port
           uri.host
         else
           "#{uri.host}:#{uri.port}"
         end
       end
 
-      def standard_port?(uri)
-        (uri.scheme == 'http' && uri.port == 80) ||
-        (uri.scheme == 'https' && uri.port == 443)
-      end
-
       # @param [File, Tempfile, IO#read, String] value
       # @return [String<SHA256 Hexdigest>]
       def sha256_hexdigest(value)
@@ -473,7 +608,9 @@ module Aws
           OpenSSL::Digest::SHA256.file(value).hexdigest
         elsif value.respond_to?(:read)
           sha256 = OpenSSL::Digest::SHA256.new
-          while chunk = value.read(1024 * 1024, buffer ||= "") # 1MB
+          loop do
+            chunk = value.read(1024 * 1024) # 1MB
+            break unless chunk
             sha256.update(chunk)
           end
           value.rewind
@@ -561,22 +698,152 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-      def get_credentials
+
+      def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
           credentials
         else
-          msg = 'unable to sign request without credentials set'
-          raise Errors::MissingCredentialsError.new(msg)
+          raise Errors::MissingCredentialsError,
+          'unable to sign request without credentials set'
         end
       end
 
+      # Returns true if credentials are set (not nil or empty)
+      # Credentials may not implement the Credentials interface
+      # and may just be credential like Client response objects
+      # (eg those returned by sts#assume_role)
       def credentials_set?(credentials)
-        credentials.access_key_id && credentials.secret_access_key
+        !credentials.access_key_id.nil? &&
+          !credentials.access_key_id.empty? &&
+          !credentials.secret_access_key.nil? &&
+          !credentials.secret_access_key.empty?
+      end
+
+      ### CRT Code
+
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def crt_fetch_credentials
+        creds = fetch_credentials
+        Aws::Crt::Auth::StaticCredentialsProvider.new(
+          creds.access_key_id,
+          creds.secret_access_key,
+          creds.session_token
+        )
+      end
+
+      def crt_sign_request(request)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(request)
+        url = extract_url(request)
+        headers = downcase_headers(request[:headers])
+
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= sha256_hexdigest(request[:body] || '')
+
+        sigv4_headers = {}
+        sigv4_headers['host'] = headers['host'] || host(url)
+
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
+
+        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+
+        Signature.new(
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
+        )
+      end
+
+      def crt_presign_url(options)
+        creds = crt_fetch_credentials
+
+        http_method = extract_http_method(options)
+        url = extract_url(options)
+        headers = downcase_headers(options[:headers])
+        headers['host'] ||= host(url)
+
+        datetime = headers.delete('x-amz-date')
+        datetime ||= (options[:time] || Time.now)
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= options[:body_digest]
+        content_sha256 ||= sha256_hexdigest(options[:body] || '')
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: options.fetch(:expires_in, 900)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
+
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
+        end
+        url
       end
 
       class << self
 
+        def use_crt?
+          @@use_crt
+        end
+
         # @api private
         def uri_escape_path(path)
           path.gsub(/[^\/]+/) { |part| uri_escape(part) }

data/lib/aws-sigv4.rb

@@ -1,4 +1,12 @@
+# frozen_string_literal: true
+
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'
 require_relative 'aws-sigv4/signer'
+
+module Aws
+  module Sigv4
+    VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
+  end
+end

metadata

@@ -1,34 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.5.2
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-28 00:00:00.000000000 Z
-dependencies: []
-description: Amazon Web Services Signature Version 4 signing ligrary. Generates sigv4
+date: 2022-09-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-eventstream
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.2
+description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
   signature for HTTP requests.
 email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
+- LICENSE.txt
+- VERSION
 - lib/aws-sigv4.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
 - lib/aws-sigv4/request.rb
 - lib/aws-sigv4/signature.rb
 - lib/aws-sigv4/signer.rb
-homepage: http://github.com/aws/aws-sdk-ruby
+homepage: https://github.com/aws/aws-sdk-ruby
 licenses:
 - Apache-2.0
 metadata:
-  source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/master/gems/aws-sigv4
-  changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/master/gems/aws-sigv4/CHANGELOG.md
+  source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
+  changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -37,15 +60,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: AWS Signature Version 4 library.