aws-sigv4 1.3.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8b705b7ccc4d893d12bcc41c42921b0d6d5c264fc24c8aa04195736f05ecaac
-  data.tar.gz: ab36dadea138a0593bb84d123fbe667c37bcdbb3e626e05628bac05493fbd1e6
+  metadata.gz: 482b4ffa8bd9e9e2d7dab0d61ab15553f0e8d05e1be2923b388157664a47a9fa
+  data.tar.gz: c5caa84527ca213826f8c802195430caacb25750530609f1b8d7267810808574
 SHA512:
-  metadata.gz: 421a1d3f97ee0037d2ddeeed88e454dc7fdd88314d1503abe488b224793e63b2e131d197c67cce9efdc09bcf6c63560a976b72b6db636cf91f89afcdfce1b79e
-  data.tar.gz: cbb4297ad962402d891593d6326d460df3fe919bd1b3151ca9b80d3aadcc4f14384a4e4826d71f4d0faac9cacad4093b43a6b9be5a11fa206a20f3fb5a00a5f4
+  metadata.gz: c16c5df7f8c6ca10cf073c25984506ce938f26823f99d82813b5bde3fb283d23a3c480adec2945b98975946a7b32efe57a0058cd65bb383606c5ee5228711381
+  data.tar.gz: b72ea1894eb1c419179325f8e715fb454ab02ae2d1ac243b90ed2f4032c0fd966ba157287a12009587908d0a6a2f62261c78e319a230196792b6ec4206a20718

data/CHANGELOG.md

@@ -1,6 +1,46 @@
 Unreleased Changes
 ------------------
 
+1.8.0 (2023-11-28)
+------------------
+
+* Feature - Support `sigv4-s3express` signing algorithm.
+
+1.7.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+1.6.1 (2023-10-25)
+------------------
+
+* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
+
+1.6.0 (2023-06-28)
+------------------
+
+* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
+
+1.5.2 (2022-09-30)
+------------------
+
+* Issue - Fix an issue where quoted strings with multiple spaces are not trimmed. (#2758)
+
+1.5.1 (2022-07-19)
+------------------
+
+* Issue - Fix performance regression when checking if `aws-crt` is available. (#2729)
+
+1.5.0 (2022-04-20)
+------------------
+
+* Feature - Use CRT based signers if `aws-crt` is available - provides support for `sigv4a`.
+
+1.4.0 (2021-09-02)
+------------------
+
+* Feature - add `signing_algorithm` option with `sigv4` default.
+
 1.3.0 (2021-09-01)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.3.0
+1.8.0

data/lib/aws-sigv4/signature.rb

@@ -32,6 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      # @return [Hash] Internal data for debugging purposes.
+      attr_accessor :extra
     end
   end
 end

data/lib/aws-sigv4/signer.rb

@@ -74,6 +74,14 @@ module Aws
     #
     class Signer
 
+      @@use_crt =
+        begin
+          require 'aws-crt'
+          true
+        rescue LoadError
+          false
+        end
+
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
       #   @param [String] :region The region name, e.g. 'us-east-1'.
@@ -118,6 +126,18 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
+      # @option options [Symbol] :signing_algorithm (:sigv4) The
+      #   algorithm to use for signing.  :sigv4a is only supported when
+      #   `aws-crt` is available.
+      #
+      # @option options [Boolean] :omit_session_token (false)
+      #   (Supported only when `aws-crt` is available) If `true`,
+      #   then security token is added to the final signing result,
+      #   but is treated as "unsigned" and does not contribute
+      #   to the authorization signature.
+      #
+      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
+      #   When `true`, the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -126,8 +146,23 @@ module Aws
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
         @unsigned_headers << 'expect'
-        [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[opt] : true)
+        @uri_escape_path = options.fetch(:uri_escape_path, true)
+        @apply_checksum_header = options.fetch(:apply_checksum_header, true)
+        @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
+        @normalize_path = options.fetch(:normalize_path, true)
+        @omit_session_token = options.fetch(:omit_session_token, false)
+
+        if @signing_algorithm == :sigv4a && !Signer.use_crt?
+          raise ArgumentError, 'You are attempting to sign a' \
+' request with sigv4a which requires the `aws-crt` gem.'\
+' Please install the gem or add it to your gemfile.'
+        end
+
+        if @signing_algorithm == 'sigv4-s3express'.to_sym &&
+           Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
+          raise ArgumentError,
+                'This version of aws-crt does not support S3 Express. Please
+                 update this gem to at least version 0.2.0.'
         end
       end
 
@@ -205,7 +240,9 @@ module Aws
       #
       def sign_request(request)
 
-        creds = fetch_credentials
+        return crt_sign_request(request) if Signer.use_crt?
+
+        creds, _ = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
@@ -221,7 +258,14 @@ module Aws
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
         sigv4_headers['x-amz-date'] = datetime
-        sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
+        if creds.session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            sigv4_headers['x-amz-s3session-token'] = creds.session_token
+          else
+            sigv4_headers['x-amz-security-token'] = creds.session_token
+          end
+        end
+
         sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
 
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
@@ -283,7 +327,8 @@ module Aws
       #   signature value (a binary string) used at ':chunk-signature' needs to converted to
       #   hex-encoded string using #unpack
       def sign_event(prior_signature, payload, encoder)
-        creds = fetch_credentials
+        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
+        creds, _ = fetch_credentials
         time = Time.now
         headers = {}
 
@@ -370,7 +415,9 @@ module Aws
       #
       def presign_url(options)
 
-        creds = fetch_credentials
+        return crt_presign_url(options) if Signer.use_crt?
+
+        creds, expiration = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
@@ -390,8 +437,14 @@ module Aws
         params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
         params['X-Amz-Credential'] = credential(creds, date)
         params['X-Amz-Date'] = datetime
-        params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
+        params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
+        if creds.session_token
+          if @signing_algorithm == 'sigv4-s3express'.to_sym
+            params['X-Amz-S3session-Token'] = creds.session_token
+          else
+            params['X-Amz-Security-Token'] = creds.session_token
+          end
+        end
         params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
         params = params.map do |key, value|
@@ -493,7 +546,6 @@ module Aws
         hmac(k_credentials, string_to_sign)
       end
 
-
       def path(url)
         path = url.path
         path = '/' if path == ''
@@ -556,7 +608,7 @@ module Aws
       end
 
       def canonical_header_value(value)
-        value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
+        value.gsub(/\s+/, ' ').strip
       end
 
       def host(uri)
@@ -649,8 +701,8 @@ module Aws
 
       def extract_expires_in(options)
         case options[:expires_in]
-        when nil then 900.to_s
-        when Integer then options[:expires_in].to_s
+        when nil then 900
+        when Integer then options[:expires_in]
         else
           msg = "expected :expires_in to be a number of seconds"
           raise ArgumentError, msg
@@ -665,11 +717,14 @@ module Aws
         self.class.uri_escape_path(string)
       end
 
-
       def fetch_credentials
         credentials = @credentials_provider.credentials
         if credentials_set?(credentials)
-          credentials
+          expiration = nil
+          if @credentials_provider.respond_to?(:expiration)
+            expiration = @credentials_provider.expiration
+          end
+          [credentials, expiration]
         else
           raise Errors::MissingCredentialsError,
           'unable to sign request without credentials set'
@@ -687,8 +742,146 @@ module Aws
           !credentials.secret_access_key.empty?
       end
 
+      def presigned_url_expiration(options, expiration, datetime)
+        expires_in = extract_expires_in(options)
+        return expires_in unless expiration
+
+        expiration_seconds = (expiration - datetime).to_i
+        # In the static stability case, credentials may expire in the past
+        # but still be valid.  For those cases, use the user configured
+        # expires_in and ingore expiration.
+        if expiration_seconds <= 0
+          expires_in
+        else
+          [expires_in, expiration_seconds].min
+        end
+      end
+
+      ### CRT Code
+
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def crt_fetch_credentials
+        creds, expiration = fetch_credentials
+        crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
+          creds.access_key_id,
+          creds.secret_access_key,
+          creds.session_token
+        )
+        [crt_creds, expiration]
+      end
+
+      def crt_sign_request(request)
+        creds, _ = crt_fetch_credentials
+        http_method = extract_http_method(request)
+        url = extract_url(request)
+        headers = downcase_headers(request[:headers])
+
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= sha256_hexdigest(request[:body] || '')
+
+        sigv4_headers = {}
+        sigv4_headers['host'] = headers['host'] || host(url)
+
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
+
+        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+
+        Signature.new(
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
+        )
+      end
+
+      def crt_presign_url(options)
+        creds, expiration = crt_fetch_credentials
+
+        http_method = extract_http_method(options)
+        url = extract_url(options)
+        headers = downcase_headers(options[:headers])
+        headers['host'] ||= host(url)
+
+        datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
+        datetime ||= (options[:time] || Time.now)
+
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= options[:body_digest]
+        content_sha256 ||= sha256_hexdigest(options[:body] || '')
+
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
+
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
+        end
+        url
+      end
+
       class << self
 
+        def use_crt?
+          @@use_crt
+        end
+
         # @api private
         def uri_escape_path(path)
           path.gsub(/[^\/]+/) { |part| uri_escape(part) }

data/lib/aws-sigv4.rb

@@ -4,3 +4,9 @@ require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'
 require_relative 'aws-sigv4/signer'
+
+module Aws
+  module Sigv4
+    VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-01 00:00:00.000000000 Z
+date: 2023-11-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
@@ -60,7 +60,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="