aws-sigv4 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/signature.rb +2 -0
- data/lib/aws-sigv4/signer.rb +151 -5
- data/lib/aws-sigv4.rb +6 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 709cebb0799ad1e75e1f1e69413798d4da1d523332abc0ac59899e9686aa2e07
|
|
4
|
+
data.tar.gz: a4751a6a7c2356bf76b2ac550f8320e3f8b24951415eaddf1328271c1835f2d3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 07ebb364959ed8bf62c39192707a30caef1127fcf0ab078dab30ecaf695b2a9e22caa017a773987dac297615dfc824eeb8cc04a60a604837024ee850f6812dd2
|
|
7
|
+
data.tar.gz: f9e93932e59b1d43b92aa2c74d33d7553490ecf84ff61b491321c0b031896f30b5375c8a5f2c81d8514691917096e7c3dd5cc298c3a3fa5e6876cabb1f458c8e
|
data/CHANGELOG.md
CHANGED
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.5.0
|
data/lib/aws-sigv4/signature.rb
CHANGED
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -118,6 +118,18 @@ module Aws
|
|
|
118
118
|
# headers. This is required for AWS Glacier, and optional for
|
|
119
119
|
# every other AWS service as of late 2016.
|
|
120
120
|
#
|
|
121
|
+
# @option options [Symbol] :signing_algorithm (:sigv4) The
|
|
122
|
+
# algorithm to use for signing. :sigv4a is only supported when
|
|
123
|
+
# `aws-crt` is available.
|
|
124
|
+
#
|
|
125
|
+
# @option options [Boolean] :omit_session_token (false)
|
|
126
|
+
# (Supported only when `aws-crt` is available) If `true`,
|
|
127
|
+
# then security token is added to the final signing result,
|
|
128
|
+
# but is treated as "unsigned" and does not contribute
|
|
129
|
+
# to the authorization signature.
|
|
130
|
+
#
|
|
131
|
+
# @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
|
|
132
|
+
# When `true`, the uri paths will be normalized when building the canonical request
|
|
121
133
|
def initialize(options = {})
|
|
122
134
|
@service = extract_service(options)
|
|
123
135
|
@region = extract_region(options)
|
|
@@ -126,13 +138,15 @@ module Aws
|
|
|
126
138
|
@unsigned_headers << 'authorization'
|
|
127
139
|
@unsigned_headers << 'x-amzn-trace-id'
|
|
128
140
|
@unsigned_headers << 'expect'
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
141
|
+
@uri_escape_path = options.fetch(:uri_escape_path, true)
|
|
142
|
+
@apply_checksum_header = options.fetch(:apply_checksum_header, true)
|
|
143
|
+
@signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
|
|
144
|
+
@normalize_path = options.fetch(:normalize_path, true)
|
|
145
|
+
@omit_session_token = options.fetch(:omit_session_token, false)
|
|
132
146
|
|
|
133
|
-
if
|
|
147
|
+
if @signing_algorithm == :sigv4a && !Signer.use_crt?
|
|
134
148
|
raise ArgumentError, 'You are attempting to sign a' \
|
|
135
|
-
' request with sigv4a which requires
|
|
149
|
+
' request with sigv4a which requires the `aws-crt` gem.'\
|
|
136
150
|
' Please install the gem or add it to your gemfile.'
|
|
137
151
|
end
|
|
138
152
|
end
|
|
@@ -211,6 +225,8 @@ module Aws
|
|
|
211
225
|
#
|
|
212
226
|
def sign_request(request)
|
|
213
227
|
|
|
228
|
+
return crt_sign_request(request) if Signer.use_crt?
|
|
229
|
+
|
|
214
230
|
creds = fetch_credentials
|
|
215
231
|
|
|
216
232
|
http_method = extract_http_method(request)
|
|
@@ -289,6 +305,7 @@ module Aws
|
|
|
289
305
|
# signature value (a binary string) used at ':chunk-signature' needs to converted to
|
|
290
306
|
# hex-encoded string using #unpack
|
|
291
307
|
def sign_event(prior_signature, payload, encoder)
|
|
308
|
+
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
292
309
|
creds = fetch_credentials
|
|
293
310
|
time = Time.now
|
|
294
311
|
headers = {}
|
|
@@ -376,6 +393,8 @@ module Aws
|
|
|
376
393
|
#
|
|
377
394
|
def presign_url(options)
|
|
378
395
|
|
|
396
|
+
return crt_presign_url(options) if Signer.use_crt?
|
|
397
|
+
|
|
379
398
|
creds = fetch_credentials
|
|
380
399
|
|
|
381
400
|
http_method = extract_http_method(options)
|
|
@@ -693,8 +712,135 @@ module Aws
|
|
|
693
712
|
!credentials.secret_access_key.empty?
|
|
694
713
|
end
|
|
695
714
|
|
|
715
|
+
### CRT Code
|
|
716
|
+
|
|
717
|
+
# the credentials used by CRT must be a
|
|
718
|
+
# CRT StaticCredentialsProvider object
|
|
719
|
+
def crt_fetch_credentials
|
|
720
|
+
creds = fetch_credentials
|
|
721
|
+
Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
722
|
+
creds.access_key_id,
|
|
723
|
+
creds.secret_access_key,
|
|
724
|
+
creds.session_token
|
|
725
|
+
)
|
|
726
|
+
end
|
|
727
|
+
|
|
728
|
+
def crt_sign_request(request)
|
|
729
|
+
creds = crt_fetch_credentials
|
|
730
|
+
http_method = extract_http_method(request)
|
|
731
|
+
url = extract_url(request)
|
|
732
|
+
headers = downcase_headers(request[:headers])
|
|
733
|
+
|
|
734
|
+
datetime =
|
|
735
|
+
if headers.include? 'x-amz-date'
|
|
736
|
+
Time.parse(headers.delete('x-amz-date'))
|
|
737
|
+
end
|
|
738
|
+
|
|
739
|
+
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
740
|
+
content_sha256 ||= sha256_hexdigest(request[:body] || '')
|
|
741
|
+
|
|
742
|
+
sigv4_headers = {}
|
|
743
|
+
sigv4_headers['host'] = headers['host'] || host(url)
|
|
744
|
+
|
|
745
|
+
# Modify the user-agent to add usage of crt-signer
|
|
746
|
+
# This should be temporary during developer preview only
|
|
747
|
+
if headers.include? 'user-agent'
|
|
748
|
+
headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
|
|
749
|
+
sigv4_headers['user-agent'] = headers['user-agent']
|
|
750
|
+
end
|
|
751
|
+
|
|
752
|
+
headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
|
|
753
|
+
|
|
754
|
+
config = Aws::Crt::Auth::SigningConfig.new(
|
|
755
|
+
algorithm: @signing_algorithm,
|
|
756
|
+
signature_type: :http_request_headers,
|
|
757
|
+
region: @region,
|
|
758
|
+
service: @service,
|
|
759
|
+
date: datetime,
|
|
760
|
+
signed_body_value: content_sha256,
|
|
761
|
+
signed_body_header_type: @apply_checksum_header ?
|
|
762
|
+
:sbht_content_sha256 : :sbht_none,
|
|
763
|
+
credentials: creds,
|
|
764
|
+
unsigned_headers: @unsigned_headers,
|
|
765
|
+
use_double_uri_encode: @uri_escape_path,
|
|
766
|
+
should_normalize_uri_path: @normalize_path,
|
|
767
|
+
omit_session_token: @omit_session_token
|
|
768
|
+
)
|
|
769
|
+
http_request = Aws::Crt::Http::Message.new(
|
|
770
|
+
http_method, url.to_s, headers
|
|
771
|
+
)
|
|
772
|
+
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
773
|
+
|
|
774
|
+
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
|
|
775
|
+
|
|
776
|
+
Signature.new(
|
|
777
|
+
headers: sigv4_headers.merge(
|
|
778
|
+
downcase_headers(signing_result[:headers])
|
|
779
|
+
),
|
|
780
|
+
string_to_sign: 'CRT_INTERNAL',
|
|
781
|
+
canonical_request: 'CRT_INTERNAL',
|
|
782
|
+
content_sha256: content_sha256,
|
|
783
|
+
extra: {config: config, signable: signable}
|
|
784
|
+
)
|
|
785
|
+
end
|
|
786
|
+
|
|
787
|
+
def crt_presign_url(options)
|
|
788
|
+
creds = crt_fetch_credentials
|
|
789
|
+
|
|
790
|
+
http_method = extract_http_method(options)
|
|
791
|
+
url = extract_url(options)
|
|
792
|
+
headers = downcase_headers(options[:headers])
|
|
793
|
+
headers['host'] ||= host(url)
|
|
794
|
+
|
|
795
|
+
datetime = headers.delete('x-amz-date')
|
|
796
|
+
datetime ||= (options[:time] || Time.now)
|
|
797
|
+
|
|
798
|
+
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
799
|
+
content_sha256 ||= options[:body_digest]
|
|
800
|
+
content_sha256 ||= sha256_hexdigest(options[:body] || '')
|
|
801
|
+
|
|
802
|
+
config = Aws::Crt::Auth::SigningConfig.new(
|
|
803
|
+
algorithm: @signing_algorithm,
|
|
804
|
+
signature_type: :http_request_query_params,
|
|
805
|
+
region: @region,
|
|
806
|
+
service: @service,
|
|
807
|
+
date: datetime,
|
|
808
|
+
signed_body_value: content_sha256,
|
|
809
|
+
signed_body_header_type: @apply_checksum_header ?
|
|
810
|
+
:sbht_content_sha256 : :sbht_none,
|
|
811
|
+
credentials: creds,
|
|
812
|
+
unsigned_headers: @unsigned_headers,
|
|
813
|
+
use_double_uri_encode: @uri_escape_path,
|
|
814
|
+
should_normalize_uri_path: @normalize_path,
|
|
815
|
+
omit_session_token: @omit_session_token,
|
|
816
|
+
expiration_in_seconds: options.fetch(:expires_in, 900)
|
|
817
|
+
)
|
|
818
|
+
http_request = Aws::Crt::Http::Message.new(
|
|
819
|
+
http_method, url.to_s, headers
|
|
820
|
+
)
|
|
821
|
+
signable = Aws::Crt::Auth::Signable.new(http_request)
|
|
822
|
+
|
|
823
|
+
signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
|
|
824
|
+
url = URI.parse(signing_result[:path])
|
|
825
|
+
|
|
826
|
+
if options[:extra] && options[:extra].is_a?(Hash)
|
|
827
|
+
options[:extra][:config] = config
|
|
828
|
+
options[:extra][:signable] = signable
|
|
829
|
+
end
|
|
830
|
+
url
|
|
831
|
+
end
|
|
832
|
+
|
|
696
833
|
class << self
|
|
697
834
|
|
|
835
|
+
def use_crt?
|
|
836
|
+
begin
|
|
837
|
+
require 'aws-crt'
|
|
838
|
+
return true
|
|
839
|
+
rescue LoadError
|
|
840
|
+
return false
|
|
841
|
+
end
|
|
842
|
+
end
|
|
843
|
+
|
|
698
844
|
# @api private
|
|
699
845
|
def uri_escape_path(path)
|
|
700
846
|
path.gsub(/[^\/]+/) { |part| uri_escape(part) }
|
data/lib/aws-sigv4.rb
CHANGED
|
@@ -4,3 +4,9 @@ require_relative 'aws-sigv4/credentials'
|
|
|
4
4
|
require_relative 'aws-sigv4/errors'
|
|
5
5
|
require_relative 'aws-sigv4/signature'
|
|
6
6
|
require_relative 'aws-sigv4/signer'
|
|
7
|
+
|
|
8
|
+
module Aws
|
|
9
|
+
module Sigv4
|
|
10
|
+
VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
|
|
11
|
+
end
|
|
12
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2022-04-20 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-eventstream
|