aws-sigv4 1.5.0 → 1.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/signer.rb +65 -24
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 482b4ffa8bd9e9e2d7dab0d61ab15553f0e8d05e1be2923b388157664a47a9fa
|
|
4
|
+
data.tar.gz: c5caa84527ca213826f8c802195430caacb25750530609f1b8d7267810808574
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c16c5df7f8c6ca10cf073c25984506ce938f26823f99d82813b5bde3fb283d23a3c480adec2945b98975946a7b32efe57a0058cd65bb383606c5ee5228711381
|
|
7
|
+
data.tar.gz: b72ea1894eb1c419179325f8e715fb454ab02ae2d1ac243b90ed2f4032c0fd966ba157287a12009587908d0a6a2f62261c78e319a230196792b6ec4206a20718
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,36 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.8.0 (2023-11-28)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Support `sigv4-s3express` signing algorithm.
|
|
8
|
+
|
|
9
|
+
1.7.0 (2023-11-22)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
|
|
13
|
+
|
|
14
|
+
1.6.1 (2023-10-25)
|
|
15
|
+
------------------
|
|
16
|
+
|
|
17
|
+
* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
|
|
18
|
+
|
|
19
|
+
1.6.0 (2023-06-28)
|
|
20
|
+
------------------
|
|
21
|
+
|
|
22
|
+
* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
|
|
23
|
+
|
|
24
|
+
1.5.2 (2022-09-30)
|
|
25
|
+
------------------
|
|
26
|
+
|
|
27
|
+
* Issue - Fix an issue where quoted strings with multiple spaces are not trimmed. (#2758)
|
|
28
|
+
|
|
29
|
+
1.5.1 (2022-07-19)
|
|
30
|
+
------------------
|
|
31
|
+
|
|
32
|
+
* Issue - Fix performance regression when checking if `aws-crt` is available. (#2729)
|
|
33
|
+
|
|
4
34
|
1.5.0 (2022-04-20)
|
|
5
35
|
------------------
|
|
6
36
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.8.0
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -74,6 +74,14 @@ module Aws
|
|
|
74
74
|
#
|
|
75
75
|
class Signer
|
|
76
76
|
|
|
77
|
+
@@use_crt =
|
|
78
|
+
begin
|
|
79
|
+
require 'aws-crt'
|
|
80
|
+
true
|
|
81
|
+
rescue LoadError
|
|
82
|
+
false
|
|
83
|
+
end
|
|
84
|
+
|
|
77
85
|
# @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
|
|
78
86
|
# @param [String] :service The service signing name, e.g. 's3'.
|
|
79
87
|
# @param [String] :region The region name, e.g. 'us-east-1'.
|
|
@@ -149,6 +157,13 @@ module Aws
|
|
|
149
157
|
' request with sigv4a which requires the `aws-crt` gem.'\
|
|
150
158
|
' Please install the gem or add it to your gemfile.'
|
|
151
159
|
end
|
|
160
|
+
|
|
161
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym &&
|
|
162
|
+
Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
|
|
163
|
+
raise ArgumentError,
|
|
164
|
+
'This version of aws-crt does not support S3 Express. Please
|
|
165
|
+
update this gem to at least version 0.2.0.'
|
|
166
|
+
end
|
|
152
167
|
end
|
|
153
168
|
|
|
154
169
|
# @return [String]
|
|
@@ -227,7 +242,7 @@ module Aws
|
|
|
227
242
|
|
|
228
243
|
return crt_sign_request(request) if Signer.use_crt?
|
|
229
244
|
|
|
230
|
-
creds = fetch_credentials
|
|
245
|
+
creds, _ = fetch_credentials
|
|
231
246
|
|
|
232
247
|
http_method = extract_http_method(request)
|
|
233
248
|
url = extract_url(request)
|
|
@@ -243,7 +258,14 @@ module Aws
|
|
|
243
258
|
sigv4_headers = {}
|
|
244
259
|
sigv4_headers['host'] = headers['host'] || host(url)
|
|
245
260
|
sigv4_headers['x-amz-date'] = datetime
|
|
246
|
-
|
|
261
|
+
if creds.session_token
|
|
262
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym
|
|
263
|
+
sigv4_headers['x-amz-s3session-token'] = creds.session_token
|
|
264
|
+
else
|
|
265
|
+
sigv4_headers['x-amz-security-token'] = creds.session_token
|
|
266
|
+
end
|
|
267
|
+
end
|
|
268
|
+
|
|
247
269
|
sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
|
|
248
270
|
|
|
249
271
|
headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
|
|
@@ -306,7 +328,7 @@ module Aws
|
|
|
306
328
|
# hex-encoded string using #unpack
|
|
307
329
|
def sign_event(prior_signature, payload, encoder)
|
|
308
330
|
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
309
|
-
creds = fetch_credentials
|
|
331
|
+
creds, _ = fetch_credentials
|
|
310
332
|
time = Time.now
|
|
311
333
|
headers = {}
|
|
312
334
|
|
|
@@ -395,7 +417,7 @@ module Aws
|
|
|
395
417
|
|
|
396
418
|
return crt_presign_url(options) if Signer.use_crt?
|
|
397
419
|
|
|
398
|
-
creds = fetch_credentials
|
|
420
|
+
creds, expiration = fetch_credentials
|
|
399
421
|
|
|
400
422
|
http_method = extract_http_method(options)
|
|
401
423
|
url = extract_url(options)
|
|
@@ -415,8 +437,14 @@ module Aws
|
|
|
415
437
|
params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
|
|
416
438
|
params['X-Amz-Credential'] = credential(creds, date)
|
|
417
439
|
params['X-Amz-Date'] = datetime
|
|
418
|
-
params['X-Amz-Expires'] =
|
|
419
|
-
|
|
440
|
+
params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
|
|
441
|
+
if creds.session_token
|
|
442
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym
|
|
443
|
+
params['X-Amz-S3session-Token'] = creds.session_token
|
|
444
|
+
else
|
|
445
|
+
params['X-Amz-Security-Token'] = creds.session_token
|
|
446
|
+
end
|
|
447
|
+
end
|
|
420
448
|
params['X-Amz-SignedHeaders'] = signed_headers(headers)
|
|
421
449
|
|
|
422
450
|
params = params.map do |key, value|
|
|
@@ -518,7 +546,6 @@ module Aws
|
|
|
518
546
|
hmac(k_credentials, string_to_sign)
|
|
519
547
|
end
|
|
520
548
|
|
|
521
|
-
|
|
522
549
|
def path(url)
|
|
523
550
|
path = url.path
|
|
524
551
|
path = '/' if path == ''
|
|
@@ -581,7 +608,7 @@ module Aws
|
|
|
581
608
|
end
|
|
582
609
|
|
|
583
610
|
def canonical_header_value(value)
|
|
584
|
-
value.
|
|
611
|
+
value.gsub(/\s+/, ' ').strip
|
|
585
612
|
end
|
|
586
613
|
|
|
587
614
|
def host(uri)
|
|
@@ -674,8 +701,8 @@ module Aws
|
|
|
674
701
|
|
|
675
702
|
def extract_expires_in(options)
|
|
676
703
|
case options[:expires_in]
|
|
677
|
-
when nil then 900
|
|
678
|
-
when Integer then options[:expires_in]
|
|
704
|
+
when nil then 900
|
|
705
|
+
when Integer then options[:expires_in]
|
|
679
706
|
else
|
|
680
707
|
msg = "expected :expires_in to be a number of seconds"
|
|
681
708
|
raise ArgumentError, msg
|
|
@@ -690,11 +717,14 @@ module Aws
|
|
|
690
717
|
self.class.uri_escape_path(string)
|
|
691
718
|
end
|
|
692
719
|
|
|
693
|
-
|
|
694
720
|
def fetch_credentials
|
|
695
721
|
credentials = @credentials_provider.credentials
|
|
696
722
|
if credentials_set?(credentials)
|
|
697
|
-
|
|
723
|
+
expiration = nil
|
|
724
|
+
if @credentials_provider.respond_to?(:expiration)
|
|
725
|
+
expiration = @credentials_provider.expiration
|
|
726
|
+
end
|
|
727
|
+
[credentials, expiration]
|
|
698
728
|
else
|
|
699
729
|
raise Errors::MissingCredentialsError,
|
|
700
730
|
'unable to sign request without credentials set'
|
|
@@ -712,21 +742,37 @@ module Aws
|
|
|
712
742
|
!credentials.secret_access_key.empty?
|
|
713
743
|
end
|
|
714
744
|
|
|
745
|
+
def presigned_url_expiration(options, expiration, datetime)
|
|
746
|
+
expires_in = extract_expires_in(options)
|
|
747
|
+
return expires_in unless expiration
|
|
748
|
+
|
|
749
|
+
expiration_seconds = (expiration - datetime).to_i
|
|
750
|
+
# In the static stability case, credentials may expire in the past
|
|
751
|
+
# but still be valid. For those cases, use the user configured
|
|
752
|
+
# expires_in and ingore expiration.
|
|
753
|
+
if expiration_seconds <= 0
|
|
754
|
+
expires_in
|
|
755
|
+
else
|
|
756
|
+
[expires_in, expiration_seconds].min
|
|
757
|
+
end
|
|
758
|
+
end
|
|
759
|
+
|
|
715
760
|
### CRT Code
|
|
716
761
|
|
|
717
762
|
# the credentials used by CRT must be a
|
|
718
763
|
# CRT StaticCredentialsProvider object
|
|
719
764
|
def crt_fetch_credentials
|
|
720
|
-
creds = fetch_credentials
|
|
721
|
-
Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
765
|
+
creds, expiration = fetch_credentials
|
|
766
|
+
crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
722
767
|
creds.access_key_id,
|
|
723
768
|
creds.secret_access_key,
|
|
724
769
|
creds.session_token
|
|
725
770
|
)
|
|
771
|
+
[crt_creds, expiration]
|
|
726
772
|
end
|
|
727
773
|
|
|
728
774
|
def crt_sign_request(request)
|
|
729
|
-
creds = crt_fetch_credentials
|
|
775
|
+
creds, _ = crt_fetch_credentials
|
|
730
776
|
http_method = extract_http_method(request)
|
|
731
777
|
url = extract_url(request)
|
|
732
778
|
headers = downcase_headers(request[:headers])
|
|
@@ -785,14 +831,14 @@ module Aws
|
|
|
785
831
|
end
|
|
786
832
|
|
|
787
833
|
def crt_presign_url(options)
|
|
788
|
-
creds = crt_fetch_credentials
|
|
834
|
+
creds, expiration = crt_fetch_credentials
|
|
789
835
|
|
|
790
836
|
http_method = extract_http_method(options)
|
|
791
837
|
url = extract_url(options)
|
|
792
838
|
headers = downcase_headers(options[:headers])
|
|
793
839
|
headers['host'] ||= host(url)
|
|
794
840
|
|
|
795
|
-
datetime = headers.delete('x-amz-date')
|
|
841
|
+
datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
|
|
796
842
|
datetime ||= (options[:time] || Time.now)
|
|
797
843
|
|
|
798
844
|
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
@@ -813,7 +859,7 @@ module Aws
|
|
|
813
859
|
use_double_uri_encode: @uri_escape_path,
|
|
814
860
|
should_normalize_uri_path: @normalize_path,
|
|
815
861
|
omit_session_token: @omit_session_token,
|
|
816
|
-
expiration_in_seconds: options
|
|
862
|
+
expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
|
|
817
863
|
)
|
|
818
864
|
http_request = Aws::Crt::Http::Message.new(
|
|
819
865
|
http_method, url.to_s, headers
|
|
@@ -833,12 +879,7 @@ module Aws
|
|
|
833
879
|
class << self
|
|
834
880
|
|
|
835
881
|
def use_crt?
|
|
836
|
-
|
|
837
|
-
require 'aws-crt'
|
|
838
|
-
return true
|
|
839
|
-
rescue LoadError
|
|
840
|
-
return false
|
|
841
|
-
end
|
|
882
|
+
@@use_crt
|
|
842
883
|
end
|
|
843
884
|
|
|
844
885
|
# @api private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-11-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-eventstream
|
|
@@ -60,7 +60,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
60
60
|
requirements:
|
|
61
61
|
- - ">="
|
|
62
62
|
- !ruby/object:Gem::Version
|
|
63
|
-
version: '2.
|
|
63
|
+
version: '2.5'
|
|
64
64
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - ">="
|