RubyGems - aws-sigv4 - Versions diffs - 1.4.0 → 1.5.0 - Mend

aws-sigv4 1.4.0 → 1.5.0

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46dbb72f9e31ff1022703f91ae7e1d2cfe78c78629e682fe99468933704aff62
-  data.tar.gz: 963db4a8f39031b64398dea0d2ebc7167af20e79446e23bfd270c6cb85d4738f
+  metadata.gz: 709cebb0799ad1e75e1f1e69413798d4da1d523332abc0ac59899e9686aa2e07
+  data.tar.gz: a4751a6a7c2356bf76b2ac550f8320e3f8b24951415eaddf1328271c1835f2d3
 SHA512:
-  metadata.gz: '0142942e58db9971d8ceaa2aeb7c97d1cd58bdba463366fd06831b1769a3c124f6e1f1b082c4d1b5917f794ab70556f6bd78dbb67824a35e74ccbfc5bdaafa25'
-  data.tar.gz: aca23ad7a8a98f24abdbbaa2afe9cde1430a7a10f627b63d7da56939665056ccc7a04226dc14e3793e3848032291aba990fc10576369f3974911593566ea9262
+  metadata.gz: 07ebb364959ed8bf62c39192707a30caef1127fcf0ab078dab30ecaf695b2a9e22caa017a773987dac297615dfc824eeb8cc04a60a604837024ee850f6812dd2
+  data.tar.gz: f9e93932e59b1d43b92aa2c74d33d7553490ecf84ff61b491321c0b031896f30b5375c8a5f2c81d8514691917096e7c3dd5cc298c3a3fa5e6876cabb1f458c8e

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
+1.5.0 (2022-04-20)
+------------------
+* Feature - Use CRT based signers if `aws-crt` is available - provides support for `sigv4a`.
 1.4.0 (2021-09-02)
 ------------------

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.4.0
1	+ 1.5.0

data/lib/aws-sigv4/signature.rb CHANGED Viewed

@@ -32,6 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
+      # @return [Hash] Internal data for debugging purposes.
+      attr_accessor :extra
     end
   end
 end

data/lib/aws-sigv4/signer.rb CHANGED Viewed

@@ -118,6 +118,18 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
+      # @option options [Symbol] :signing_algorithm (:sigv4) The
+      #   algorithm to use for signing.  :sigv4a is only supported when
+      #   `aws-crt` is available.
+      #
+      # @option options [Boolean] :omit_session_token (false)
+      #   (Supported only when `aws-crt` is available) If `true`,
+      #   then security token is added to the final signing result,
+      #   but is treated as "unsigned" and does not contribute
+      #   to the authorization signature.
+      #
+      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
+      #   When `true`, the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -126,13 +138,15 @@ module Aws
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
         @unsigned_headers << 'expect'
-        [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[opt] : true)
-        end
+        @uri_escape_path = options.fetch(:uri_escape_path, true)
+        @apply_checksum_header = options.fetch(:apply_checksum_header, true)
+        @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
+        @normalize_path = options.fetch(:normalize_path, true)
+        @omit_session_token = options.fetch(:omit_session_token, false)
-        if options[:signing_algorithm] == :sigv4a
+        if @signing_algorithm == :sigv4a && !Signer.use_crt?
           raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires aws-crt and version 1.4.0.crt or later of the aws-sigv4 gem.'\
+' request with sigv4a which requires the `aws-crt` gem.'\
 ' Please install the gem or add it to your gemfile.'
         end
       end
@@ -211,6 +225,8 @@ module Aws
       #
       def sign_request(request)
+        return crt_sign_request(request) if Signer.use_crt?
         creds = fetch_credentials
         http_method = extract_http_method(request)
@@ -289,6 +305,7 @@ module Aws
       #   signature value (a binary string) used at ':chunk-signature' needs to converted to
       #   hex-encoded string using #unpack
       def sign_event(prior_signature, payload, encoder)
+        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
         creds = fetch_credentials
         time = Time.now
         headers = {}
@@ -376,6 +393,8 @@ module Aws
       #
       def presign_url(options)
+        return crt_presign_url(options) if Signer.use_crt?
         creds = fetch_credentials
         http_method = extract_http_method(options)
@@ -693,8 +712,135 @@ module Aws
           !credentials.secret_access_key.empty?
       end
+      ### CRT Code
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def crt_fetch_credentials
+        creds = fetch_credentials
+        Aws::Crt::Auth::StaticCredentialsProvider.new(
+          creds.access_key_id,
+          creds.secret_access_key,
+          creds.session_token
+        )
+      end
+      def crt_sign_request(request)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(request)
+        url = extract_url(request)
+        headers = downcase_headers(request[:headers])
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= sha256_hexdigest(request[:body] || '')
+        sigv4_headers = {}
+        sigv4_headers['host'] = headers['host'] || host(url)
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
+        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+        Signature.new(
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
+        )
+      end
+      def crt_presign_url(options)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(options)
+        url = extract_url(options)
+        headers = downcase_headers(options[:headers])
+        headers['host'] ||= host(url)
+        datetime = headers.delete('x-amz-date')
+        datetime ||= (options[:time] || Time.now)
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= options[:body_digest]
+        content_sha256 ||= sha256_hexdigest(options[:body] || '')
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: options.fetch(:expires_in, 900)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
+        end
+        url
+      end
       class << self
+        def use_crt?
+          begin
+            require 'aws-crt'
+            return true
+          rescue LoadError
+            return false
+          end
+        end
         # @api private
         def uri_escape_path(path)
           path.gsub(/[^\/]+/) { |part| uri_escape(part) }

data/lib/aws-sigv4.rb CHANGED Viewed

@@ -4,3 +4,9 @@ require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'
 require_relative 'aws-sigv4/signer'
+module Aws
+  module Sigv4
+    VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-02 00:00:00.000000000 Z
+date: 2022-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream