aws-sigv4 1.5.2 → 1.6.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/signer.rb +33 -15
- metadata +2 -2
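--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 49a7649934cc31b07d019d328bc33748f9829bb439f8bb942b89c0b2dd749998
+data.tar.gz: 6e94e2e59cf30b1d1e3492b2d0225ea835478fc9d4fd9e8102cfc171aa904aa1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2fb86ba1eae65d9433d81e015063e896caba8d5b702f7adc7138398cf7787ad304ba32bea01b145c646b4a7e2c58b32e981e95ea36ebf5ff1adca67d91d45b0b
+data.tar.gz: 4613f7fa628a0019aeb954f6b5913077232fb6535a5e8ebceeef532ad107d20fb7587d4ea4b96aadf1628dad6dd226ab0e50e52bfcdbfec6eab08284992a5b9d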
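--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.6.1 (2023-10-25)
+------------------
+
+* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
+
+1.6.0 (2023-06-28)
+------------------
+
+* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
+
 1.5.2 (2022-09-30)
 ------------------
 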
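--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.
+1.6.1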
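--- a/data/lib/aws-sigv4/signer.rb
+++ b/data/lib/aws-sigv4/signer.rb
@@ -235,7 +235,7 @@ module Aws
 
 return crt_sign_request(request) if Signer.use_crt?
 
-creds = fetch_credentials
+creds, _ = fetch_credentials
 
 http_method = extract_http_method(request)
 url = extract_url(request)
@@ -314,7 +314,7 @@ module Aws
 # hex-encoded string using #unpack
 def sign_event(prior_signature, payload, encoder)
 # Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
-creds = fetch_credentials
+creds, _ = fetch_credentials
 time = Time.now
 headers = {}
 
@@ -403,7 +403,7 @@ module Aws
 
 return crt_presign_url(options) if Signer.use_crt?
 
-creds = fetch_credentials
+creds, expiration = fetch_credentials
 
 http_method = extract_http_method(options)
 url = extract_url(options)
@@ -423,7 +423,7 @@ module Aws
 params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
 params['X-Amz-Credential'] = credential(creds, date)
 params['X-Amz-Date'] = datetime
-params['X-Amz-Expires'] =
+params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
 params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
 params['X-Amz-SignedHeaders'] = signed_headers(headers)
 
@@ -526,7 +526,6 @@ module Aws
 hmac(k_credentials, string_to_sign)
 end
 
-
 def path(url)
 path = url.path
 path = '/' if path == ''
@@ -682,8 +681,8 @@ module Aws
 
 def extract_expires_in(options)
 case options[:expires_in]
-when nil then 900
-when Integer then options[:expires_in]
+when nil then 900
+when Integer then options[:expires_in]
 else
 msg = "expected :expires_in to be a number of seconds"
 raise ArgumentError, msg
@@ -698,11 +697,14 @@ module Aws
 self.class.uri_escape_path(string)
 end
 
-
 def fetch_credentials
 credentials = @credentials_provider.credentials
 if credentials_set?(credentials)
-
+expiration = nil
+if @credentials_provider.respond_to?(:expiration)
+expiration = @credentials_provider.expiration
+end
+[credentials, expiration]
 else
 raise Errors::MissingCredentialsError,
 'unable to sign request without credentials set'
@@ -720,21 +722,37 @@ module Aws
 !credentials.secret_access_key.empty?
 end
 
+def presigned_url_expiration(options, expiration, datetime)
+expires_in = extract_expires_in(options)
+return expires_in unless expiration
+
+expiration_seconds = (expiration - datetime).to_i
+# In the static stability case, credentials may expire in the past
+# but still be valid. For those cases, use the user configured
+# expires_in and ingore expiration.
+if expiration_seconds <= 0
+expires_in
+else
+[expires_in, expiration_seconds].min
+end
+end
+
 ### CRT Code
 
 # the credentials used by CRT must be a
 # CRT StaticCredentialsProvider object
 def crt_fetch_credentials
-creds = fetch_credentials
-Aws::Crt::Auth::StaticCredentialsProvider.new(
+creds, expiration = fetch_credentials
+crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
 creds.access_key_id,
 creds.secret_access_key,
 creds.session_token
 )
+[crt_creds, expiration]
 end
 
 def crt_sign_request(request)
-creds = crt_fetch_credentials
+creds, _ = crt_fetch_credentials
 http_method = extract_http_method(request)
 url = extract_url(request)
 headers = downcase_headers(request[:headers])
@@ -793,14 +811,14 @@ module Aws
 end
 
 def crt_presign_url(options)
-creds = crt_fetch_credentials
+creds, expiration = crt_fetch_credentials
 
 http_method = extract_http_method(options)
 url = extract_url(options)
 headers = downcase_headers(options[:headers])
 headers['host'] ||= host(url)
 
-datetime = headers.delete('x-amz-date')
+datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
 datetime ||= (options[:time] || Time.now)
 
 content_sha256 = headers.delete('x-amz-content-sha256')
@@ -821,7 +839,7 @@ module Aws
 use_double_uri_encode: @uri_escape_path,
 should_normalize_uri_path: @normalize_path,
 omit_session_token: @omit_session_token,
-expiration_in_seconds: options
+expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
 )
 http_request = Aws::Crt::Http::Message.new(
 http_method, url.to_s, headers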
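Review bot: In `presigned_url_expiration`, the `expiration_seconds <= 0` branch returns the full caller-configured `expires_in`, so a URL signed after the provider's reported expiration gets a longer `X-Amz-Expires` than one signed a second before it, where the value is clamped to the remaining seconds. The changelog presents this as the intended static-stability behaviour, so the comment above the branch should spell out that trade-off (and fix the `ingore` typo), for example `# expires_in and ignore expiration; the advertised lifetime may then exceed the reported credential expiry.` Separately, `expiration - datetime` assumes the provider returns a `Time`; `fetch_credentials` passes through whatever any object responding to `:expiration` returns, so a provider that returns another type would presumably raise here rather than fall back, and a guard such as `return expires_in unless expiration.is_a?(Time)` would keep signing predictable.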
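--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.6.1
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-eventstream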