aws-sigv4 1.5.0 → 1.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +30 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/signer.rb +65 -24
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 482b4ffa8bd9e9e2d7dab0d61ab15553f0e8d05e1be2923b388157664a47a9fa
|
|
4
|
+
data.tar.gz: c5caa84527ca213826f8c802195430caacb25750530609f1b8d7267810808574
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c16c5df7f8c6ca10cf073c25984506ce938f26823f99d82813b5bde3fb283d23a3c480adec2945b98975946a7b32efe57a0058cd65bb383606c5ee5228711381
|
|
7
|
+
data.tar.gz: b72ea1894eb1c419179325f8e715fb454ab02ae2d1ac243b90ed2f4032c0fd966ba157287a12009587908d0a6a2f62261c78e319a230196792b6ec4206a20718
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,36 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.8.0 (2023-11-28)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Support `sigv4-s3express` signing algorithm.
|
|
8
|
+
|
|
9
|
+
1.7.0 (2023-11-22)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
|
|
13
|
+
|
|
14
|
+
1.6.1 (2023-10-25)
|
|
15
|
+
------------------
|
|
16
|
+
|
|
17
|
+
* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
|
|
18
|
+
|
|
19
|
+
1.6.0 (2023-06-28)
|
|
20
|
+
------------------
|
|
21
|
+
|
|
22
|
+
* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
|
|
23
|
+
|
|
24
|
+
1.5.2 (2022-09-30)
|
|
25
|
+
------------------
|
|
26
|
+
|
|
27
|
+
* Issue - Fix an issue where quoted strings with multiple spaces are not trimmed. (#2758)
|
|
28
|
+
|
|
29
|
+
1.5.1 (2022-07-19)
|
|
30
|
+
------------------
|
|
31
|
+
|
|
32
|
+
* Issue - Fix performance regression when checking if `aws-crt` is available. (#2729)
|
|
33
|
+
|
|
4
34
|
1.5.0 (2022-04-20)
|
|
5
35
|
------------------
|
|
6
36
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.8.0
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -74,6 +74,14 @@ module Aws
|
|
|
74
74
|
#
|
|
75
75
|
class Signer
|
|
76
76
|
|
|
77
|
+
@@use_crt =
|
|
78
|
+
begin
|
|
79
|
+
require 'aws-crt'
|
|
80
|
+
true
|
|
81
|
+
rescue LoadError
|
|
82
|
+
false
|
|
83
|
+
end
|
|
84
|
+
|
|
77
85
|
# @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
|
|
78
86
|
# @param [String] :service The service signing name, e.g. 's3'.
|
|
79
87
|
# @param [String] :region The region name, e.g. 'us-east-1'.
|
|
@@ -149,6 +157,13 @@ module Aws
|
|
|
149
157
|
' request with sigv4a which requires the `aws-crt` gem.'\
|
|
150
158
|
' Please install the gem or add it to your gemfile.'
|
|
151
159
|
end
|
|
160
|
+
|
|
161
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym &&
|
|
162
|
+
Signer.use_crt? && Aws::Crt::GEM_VERSION <= '0.1.9'
|
|
163
|
+
raise ArgumentError,
|
|
164
|
+
'This version of aws-crt does not support S3 Express. Please
|
|
165
|
+
update this gem to at least version 0.2.0.'
|
|
166
|
+
end
|
|
152
167
|
end
|
|
153
168
|
|
|
154
169
|
# @return [String]
|
|
@@ -227,7 +242,7 @@ module Aws
|
|
|
227
242
|
|
|
228
243
|
return crt_sign_request(request) if Signer.use_crt?
|
|
229
244
|
|
|
230
|
-
creds = fetch_credentials
|
|
245
|
+
creds, _ = fetch_credentials
|
|
231
246
|
|
|
232
247
|
http_method = extract_http_method(request)
|
|
233
248
|
url = extract_url(request)
|
|
@@ -243,7 +258,14 @@ module Aws
|
|
|
243
258
|
sigv4_headers = {}
|
|
244
259
|
sigv4_headers['host'] = headers['host'] || host(url)
|
|
245
260
|
sigv4_headers['x-amz-date'] = datetime
|
|
246
|
-
|
|
261
|
+
if creds.session_token
|
|
262
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym
|
|
263
|
+
sigv4_headers['x-amz-s3session-token'] = creds.session_token
|
|
264
|
+
else
|
|
265
|
+
sigv4_headers['x-amz-security-token'] = creds.session_token
|
|
266
|
+
end
|
|
267
|
+
end
|
|
268
|
+
|
|
247
269
|
sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
|
|
248
270
|
|
|
249
271
|
headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
|
|
@@ -306,7 +328,7 @@ module Aws
|
|
|
306
328
|
# hex-encoded string using #unpack
|
|
307
329
|
def sign_event(prior_signature, payload, encoder)
|
|
308
330
|
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
309
|
-
creds = fetch_credentials
|
|
331
|
+
creds, _ = fetch_credentials
|
|
310
332
|
time = Time.now
|
|
311
333
|
headers = {}
|
|
312
334
|
|
|
@@ -395,7 +417,7 @@ module Aws
|
|
|
395
417
|
|
|
396
418
|
return crt_presign_url(options) if Signer.use_crt?
|
|
397
419
|
|
|
398
|
-
creds = fetch_credentials
|
|
420
|
+
creds, expiration = fetch_credentials
|
|
399
421
|
|
|
400
422
|
http_method = extract_http_method(options)
|
|
401
423
|
url = extract_url(options)
|
|
@@ -415,8 +437,14 @@ module Aws
|
|
|
415
437
|
params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
|
|
416
438
|
params['X-Amz-Credential'] = credential(creds, date)
|
|
417
439
|
params['X-Amz-Date'] = datetime
|
|
418
|
-
params['X-Amz-Expires'] =
|
|
419
|
-
|
|
440
|
+
params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
|
|
441
|
+
if creds.session_token
|
|
442
|
+
if @signing_algorithm == 'sigv4-s3express'.to_sym
|
|
443
|
+
params['X-Amz-S3session-Token'] = creds.session_token
|
|
444
|
+
else
|
|
445
|
+
params['X-Amz-Security-Token'] = creds.session_token
|
|
446
|
+
end
|
|
447
|
+
end
|
|
420
448
|
params['X-Amz-SignedHeaders'] = signed_headers(headers)
|
|
421
449
|
|
|
422
450
|
params = params.map do |key, value|
|
|
@@ -518,7 +546,6 @@ module Aws
|
|
|
518
546
|
hmac(k_credentials, string_to_sign)
|
|
519
547
|
end
|
|
520
548
|
|
|
521
|
-
|
|
522
549
|
def path(url)
|
|
523
550
|
path = url.path
|
|
524
551
|
path = '/' if path == ''
|
|
@@ -581,7 +608,7 @@ module Aws
|
|
|
581
608
|
end
|
|
582
609
|
|
|
583
610
|
def canonical_header_value(value)
|
|
584
|
-
value.
|
|
611
|
+
value.gsub(/\s+/, ' ').strip
|
|
585
612
|
end
|
|
586
613
|
|
|
587
614
|
def host(uri)
|
|
@@ -674,8 +701,8 @@ module Aws
|
|
|
674
701
|
|
|
675
702
|
def extract_expires_in(options)
|
|
676
703
|
case options[:expires_in]
|
|
677
|
-
when nil then 900
|
|
678
|
-
when Integer then options[:expires_in]
|
|
704
|
+
when nil then 900
|
|
705
|
+
when Integer then options[:expires_in]
|
|
679
706
|
else
|
|
680
707
|
msg = "expected :expires_in to be a number of seconds"
|
|
681
708
|
raise ArgumentError, msg
|
|
@@ -690,11 +717,14 @@ module Aws
|
|
|
690
717
|
self.class.uri_escape_path(string)
|
|
691
718
|
end
|
|
692
719
|
|
|
693
|
-
|
|
694
720
|
def fetch_credentials
|
|
695
721
|
credentials = @credentials_provider.credentials
|
|
696
722
|
if credentials_set?(credentials)
|
|
697
|
-
|
|
723
|
+
expiration = nil
|
|
724
|
+
if @credentials_provider.respond_to?(:expiration)
|
|
725
|
+
expiration = @credentials_provider.expiration
|
|
726
|
+
end
|
|
727
|
+
[credentials, expiration]
|
|
698
728
|
else
|
|
699
729
|
raise Errors::MissingCredentialsError,
|
|
700
730
|
'unable to sign request without credentials set'
|
|
@@ -712,21 +742,37 @@ module Aws
|
|
|
712
742
|
!credentials.secret_access_key.empty?
|
|
713
743
|
end
|
|
714
744
|
|
|
745
|
+
def presigned_url_expiration(options, expiration, datetime)
|
|
746
|
+
expires_in = extract_expires_in(options)
|
|
747
|
+
return expires_in unless expiration
|
|
748
|
+
|
|
749
|
+
expiration_seconds = (expiration - datetime).to_i
|
|
750
|
+
# In the static stability case, credentials may expire in the past
|
|
751
|
+
# but still be valid. For those cases, use the user configured
|
|
752
|
+
# expires_in and ingore expiration.
|
|
753
|
+
if expiration_seconds <= 0
|
|
754
|
+
expires_in
|
|
755
|
+
else
|
|
756
|
+
[expires_in, expiration_seconds].min
|
|
757
|
+
end
|
|
758
|
+
end
|
|
759
|
+
|
|
715
760
|
### CRT Code
|
|
716
761
|
|
|
717
762
|
# the credentials used by CRT must be a
|
|
718
763
|
# CRT StaticCredentialsProvider object
|
|
719
764
|
def crt_fetch_credentials
|
|
720
|
-
creds = fetch_credentials
|
|
721
|
-
Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
765
|
+
creds, expiration = fetch_credentials
|
|
766
|
+
crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
722
767
|
creds.access_key_id,
|
|
723
768
|
creds.secret_access_key,
|
|
724
769
|
creds.session_token
|
|
725
770
|
)
|
|
771
|
+
[crt_creds, expiration]
|
|
726
772
|
end
|
|
727
773
|
|
|
728
774
|
def crt_sign_request(request)
|
|
729
|
-
creds = crt_fetch_credentials
|
|
775
|
+
creds, _ = crt_fetch_credentials
|
|
730
776
|
http_method = extract_http_method(request)
|
|
731
777
|
url = extract_url(request)
|
|
732
778
|
headers = downcase_headers(request[:headers])
|
|
@@ -785,14 +831,14 @@ module Aws
|
|
|
785
831
|
end
|
|
786
832
|
|
|
787
833
|
def crt_presign_url(options)
|
|
788
|
-
creds = crt_fetch_credentials
|
|
834
|
+
creds, expiration = crt_fetch_credentials
|
|
789
835
|
|
|
790
836
|
http_method = extract_http_method(options)
|
|
791
837
|
url = extract_url(options)
|
|
792
838
|
headers = downcase_headers(options[:headers])
|
|
793
839
|
headers['host'] ||= host(url)
|
|
794
840
|
|
|
795
|
-
datetime = headers.delete('x-amz-date')
|
|
841
|
+
datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
|
|
796
842
|
datetime ||= (options[:time] || Time.now)
|
|
797
843
|
|
|
798
844
|
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
@@ -813,7 +859,7 @@ module Aws
|
|
|
813
859
|
use_double_uri_encode: @uri_escape_path,
|
|
814
860
|
should_normalize_uri_path: @normalize_path,
|
|
815
861
|
omit_session_token: @omit_session_token,
|
|
816
|
-
expiration_in_seconds: options
|
|
862
|
+
expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
|
|
817
863
|
)
|
|
818
864
|
http_request = Aws::Crt::Http::Message.new(
|
|
819
865
|
http_method, url.to_s, headers
|
|
@@ -833,12 +879,7 @@ module Aws
|
|
|
833
879
|
class << self
|
|
834
880
|
|
|
835
881
|
def use_crt?
|
|
836
|
-
|
|
837
|
-
require 'aws-crt'
|
|
838
|
-
return true
|
|
839
|
-
rescue LoadError
|
|
840
|
-
return false
|
|
841
|
-
end
|
|
882
|
+
@@use_crt
|
|
842
883
|
end
|
|
843
884
|
|
|
844
885
|
# @api private
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-11-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-eventstream
|
|
@@ -60,7 +60,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
60
60
|
requirements:
|
|
61
61
|
- - ">="
|
|
62
62
|
- !ruby/object:Gem::Version
|
|
63
|
-
version: '2.
|
|
63
|
+
version: '2.5'
|
|
64
64
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
65
65
|
requirements:
|
|
66
66
|
- - ">="
|