RubyGems - aws-sigv4 - Versions diffs - 1.4.0 → 1.5.1 - Mend

aws-sigv4 1.4.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46dbb72f9e31ff1022703f91ae7e1d2cfe78c78629e682fe99468933704aff62
-  data.tar.gz: 963db4a8f39031b64398dea0d2ebc7167af20e79446e23bfd270c6cb85d4738f
+  metadata.gz: '024807372644472d420e52bd415e36b47d1ceb4eabad0d76c505e9a5b8c1bf4a'
+  data.tar.gz: a1f7102b525847893157a95988b2252fa560443d461fd568744599563a060a10
 SHA512:
-  metadata.gz: '0142942e58db9971d8ceaa2aeb7c97d1cd58bdba463366fd06831b1769a3c124f6e1f1b082c4d1b5917f794ab70556f6bd78dbb67824a35e74ccbfc5bdaafa25'
-  data.tar.gz: aca23ad7a8a98f24abdbbaa2afe9cde1430a7a10f627b63d7da56939665056ccc7a04226dc14e3793e3848032291aba990fc10576369f3974911593566ea9262
+  metadata.gz: 1e2d0ad4e485957c009ced92febe1df4105c557a224ac9a6a93c960f46503cb8f8fde5e695afec58bcd02b8866fb5705c96e085863479115ceb193a490a55e51
+  data.tar.gz: 7cc4b490fd35ceb5a7af7904b8f353cdb08f76da8c286a4358071136f3491bf49e4adbbe24599193da2a5dc59a0daa3ad382aa0609a8060a5f13d0ed52a48d63

data/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
+1.5.1 (2022-07-19)
+------------------
+* Issue - Fix performance regression when checking if `aws-crt` is available. (#2729)
+1.5.0 (2022-04-20)
+------------------
+* Feature - Use CRT based signers if `aws-crt` is available - provides support for `sigv4a`.
 1.4.0 (2021-09-02)
 ------------------

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 1.4.0
1	+ 1.5.1

data/lib/aws-sigv4/signature.rb CHANGED Viewed

@@ -32,6 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
+      # @return [Hash] Internal data for debugging purposes.
+      attr_accessor :extra
     end
   end
 end

data/lib/aws-sigv4/signer.rb CHANGED Viewed

@@ -74,6 +74,14 @@ module Aws
     #
     class Signer
+      @@use_crt =
+        begin
+          require 'aws-crt'
+          true
+        rescue LoadError
+          false
+        end
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
       #   @param [String] :region The region name, e.g. 'us-east-1'.
@@ -118,6 +126,18 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
+      # @option options [Symbol] :signing_algorithm (:sigv4) The
+      #   algorithm to use for signing.  :sigv4a is only supported when
+      #   `aws-crt` is available.
+      #
+      # @option options [Boolean] :omit_session_token (false)
+      #   (Supported only when `aws-crt` is available) If `true`,
+      #   then security token is added to the final signing result,
+      #   but is treated as "unsigned" and does not contribute
+      #   to the authorization signature.
+      #
+      # @option options [Boolean] :normalize_path (true) (Supported only when `aws-crt` is available)
+      #   When `true`, the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
@@ -126,13 +146,15 @@ module Aws
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
         @unsigned_headers << 'expect'
-        [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[opt] : true)
-        end
+        @uri_escape_path = options.fetch(:uri_escape_path, true)
+        @apply_checksum_header = options.fetch(:apply_checksum_header, true)
+        @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
+        @normalize_path = options.fetch(:normalize_path, true)
+        @omit_session_token = options.fetch(:omit_session_token, false)
-        if options[:signing_algorithm] == :sigv4a
+        if @signing_algorithm == :sigv4a && !Signer.use_crt?
           raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires aws-crt and version 1.4.0.crt or later of the aws-sigv4 gem.'\
+' request with sigv4a which requires the `aws-crt` gem.'\
 ' Please install the gem or add it to your gemfile.'
         end
       end
@@ -211,6 +233,8 @@ module Aws
       #
       def sign_request(request)
+        return crt_sign_request(request) if Signer.use_crt?
         creds = fetch_credentials
         http_method = extract_http_method(request)
@@ -289,6 +313,7 @@ module Aws
       #   signature value (a binary string) used at ':chunk-signature' needs to converted to
       #   hex-encoded string using #unpack
       def sign_event(prior_signature, payload, encoder)
+        # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
         creds = fetch_credentials
         time = Time.now
         headers = {}
@@ -376,6 +401,8 @@ module Aws
       #
       def presign_url(options)
+        return crt_presign_url(options) if Signer.use_crt?
         creds = fetch_credentials
         http_method = extract_http_method(options)
@@ -693,8 +720,130 @@ module Aws
           !credentials.secret_access_key.empty?
       end
+      ### CRT Code
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def crt_fetch_credentials
+        creds = fetch_credentials
+        Aws::Crt::Auth::StaticCredentialsProvider.new(
+          creds.access_key_id,
+          creds.secret_access_key,
+          creds.session_token
+        )
+      end
+      def crt_sign_request(request)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(request)
+        url = extract_url(request)
+        headers = downcase_headers(request[:headers])
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= sha256_hexdigest(request[:body] || '')
+        sigv4_headers = {}
+        sigv4_headers['host'] = headers['host'] || host(url)
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
+        headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
+        Signature.new(
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
+        )
+      end
+      def crt_presign_url(options)
+        creds = crt_fetch_credentials
+        http_method = extract_http_method(options)
+        url = extract_url(options)
+        headers = downcase_headers(options[:headers])
+        headers['host'] ||= host(url)
+        datetime = headers.delete('x-amz-date')
+        datetime ||= (options[:time] || Time.now)
+        content_sha256 = headers.delete('x-amz-content-sha256')
+        content_sha256 ||= options[:body_digest]
+        content_sha256 ||= sha256_hexdigest(options[:body] || '')
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+                                     :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: options.fetch(:expires_in, 900)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
+        end
+        url
+      end
       class << self
+        def use_crt?
+          @@use_crt
+        end
         # @api private
         def uri_escape_path(path)
           path.gsub(/[^\/]+/) { |part| uri_escape(part) }

data/lib/aws-sigv4.rb CHANGED Viewed

@@ -4,3 +4,9 @@ require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'
 require_relative 'aws-sigv4/signer'
+module Aws
+  module Sigv4
+    VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.5.1
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-09-02 00:00:00.000000000 Z
+date: 2022-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-eventstream