aws-sigv4 1.5.2 → 1.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sigv4/signer.rb +33 -15
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 49a7649934cc31b07d019d328bc33748f9829bb439f8bb942b89c0b2dd749998
|
|
4
|
+
data.tar.gz: 6e94e2e59cf30b1d1e3492b2d0225ea835478fc9d4fd9e8102cfc171aa904aa1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2fb86ba1eae65d9433d81e015063e896caba8d5b702f7adc7138398cf7787ad304ba32bea01b145c646b4a7e2c58b32e981e95ea36ebf5ff1adca67d91d45b0b
|
|
7
|
+
data.tar.gz: 4613f7fa628a0019aeb954f6b5913077232fb6535a5e8ebceeef532ad107d20fb7587d4ea4b96aadf1628dad6dd226ab0e50e52bfcdbfec6eab08284992a5b9d
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,16 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
1.6.1 (2023-10-25)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Issue - (Static Stability) use provided `expires_in` in presigned url when credentials are expired.
|
|
8
|
+
|
|
9
|
+
1.6.0 (2023-06-28)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Feature - Select the minimum expiration time for presigned urls between the expiration time option and the credential expiration time.
|
|
13
|
+
|
|
4
14
|
1.5.2 (2022-09-30)
|
|
5
15
|
------------------
|
|
6
16
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.
|
|
1
|
+
1.6.1
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -235,7 +235,7 @@ module Aws
|
|
|
235
235
|
|
|
236
236
|
return crt_sign_request(request) if Signer.use_crt?
|
|
237
237
|
|
|
238
|
-
creds = fetch_credentials
|
|
238
|
+
creds, _ = fetch_credentials
|
|
239
239
|
|
|
240
240
|
http_method = extract_http_method(request)
|
|
241
241
|
url = extract_url(request)
|
|
@@ -314,7 +314,7 @@ module Aws
|
|
|
314
314
|
# hex-encoded string using #unpack
|
|
315
315
|
def sign_event(prior_signature, payload, encoder)
|
|
316
316
|
# Note: CRT does not currently provide event stream signing, so we always use the ruby implementation.
|
|
317
|
-
creds = fetch_credentials
|
|
317
|
+
creds, _ = fetch_credentials
|
|
318
318
|
time = Time.now
|
|
319
319
|
headers = {}
|
|
320
320
|
|
|
@@ -403,7 +403,7 @@ module Aws
|
|
|
403
403
|
|
|
404
404
|
return crt_presign_url(options) if Signer.use_crt?
|
|
405
405
|
|
|
406
|
-
creds = fetch_credentials
|
|
406
|
+
creds, expiration = fetch_credentials
|
|
407
407
|
|
|
408
408
|
http_method = extract_http_method(options)
|
|
409
409
|
url = extract_url(options)
|
|
@@ -423,7 +423,7 @@ module Aws
|
|
|
423
423
|
params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
|
|
424
424
|
params['X-Amz-Credential'] = credential(creds, date)
|
|
425
425
|
params['X-Amz-Date'] = datetime
|
|
426
|
-
params['X-Amz-Expires'] =
|
|
426
|
+
params['X-Amz-Expires'] = presigned_url_expiration(options, expiration, Time.strptime(datetime, "%Y%m%dT%H%M%S%Z")).to_s
|
|
427
427
|
params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
|
|
428
428
|
params['X-Amz-SignedHeaders'] = signed_headers(headers)
|
|
429
429
|
|
|
@@ -526,7 +526,6 @@ module Aws
|
|
|
526
526
|
hmac(k_credentials, string_to_sign)
|
|
527
527
|
end
|
|
528
528
|
|
|
529
|
-
|
|
530
529
|
def path(url)
|
|
531
530
|
path = url.path
|
|
532
531
|
path = '/' if path == ''
|
|
@@ -682,8 +681,8 @@ module Aws
|
|
|
682
681
|
|
|
683
682
|
def extract_expires_in(options)
|
|
684
683
|
case options[:expires_in]
|
|
685
|
-
when nil then 900
|
|
686
|
-
when Integer then options[:expires_in]
|
|
684
|
+
when nil then 900
|
|
685
|
+
when Integer then options[:expires_in]
|
|
687
686
|
else
|
|
688
687
|
msg = "expected :expires_in to be a number of seconds"
|
|
689
688
|
raise ArgumentError, msg
|
|
@@ -698,11 +697,14 @@ module Aws
|
|
|
698
697
|
self.class.uri_escape_path(string)
|
|
699
698
|
end
|
|
700
699
|
|
|
701
|
-
|
|
702
700
|
def fetch_credentials
|
|
703
701
|
credentials = @credentials_provider.credentials
|
|
704
702
|
if credentials_set?(credentials)
|
|
705
|
-
|
|
703
|
+
expiration = nil
|
|
704
|
+
if @credentials_provider.respond_to?(:expiration)
|
|
705
|
+
expiration = @credentials_provider.expiration
|
|
706
|
+
end
|
|
707
|
+
[credentials, expiration]
|
|
706
708
|
else
|
|
707
709
|
raise Errors::MissingCredentialsError,
|
|
708
710
|
'unable to sign request without credentials set'
|
|
@@ -720,21 +722,37 @@ module Aws
|
|
|
720
722
|
!credentials.secret_access_key.empty?
|
|
721
723
|
end
|
|
722
724
|
|
|
725
|
+
def presigned_url_expiration(options, expiration, datetime)
|
|
726
|
+
expires_in = extract_expires_in(options)
|
|
727
|
+
return expires_in unless expiration
|
|
728
|
+
|
|
729
|
+
expiration_seconds = (expiration - datetime).to_i
|
|
730
|
+
# In the static stability case, credentials may expire in the past
|
|
731
|
+
# but still be valid. For those cases, use the user configured
|
|
732
|
+
# expires_in and ingore expiration.
|
|
733
|
+
if expiration_seconds <= 0
|
|
734
|
+
expires_in
|
|
735
|
+
else
|
|
736
|
+
[expires_in, expiration_seconds].min
|
|
737
|
+
end
|
|
738
|
+
end
|
|
739
|
+
|
|
723
740
|
### CRT Code
|
|
724
741
|
|
|
725
742
|
# the credentials used by CRT must be a
|
|
726
743
|
# CRT StaticCredentialsProvider object
|
|
727
744
|
def crt_fetch_credentials
|
|
728
|
-
creds = fetch_credentials
|
|
729
|
-
Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
745
|
+
creds, expiration = fetch_credentials
|
|
746
|
+
crt_creds = Aws::Crt::Auth::StaticCredentialsProvider.new(
|
|
730
747
|
creds.access_key_id,
|
|
731
748
|
creds.secret_access_key,
|
|
732
749
|
creds.session_token
|
|
733
750
|
)
|
|
751
|
+
[crt_creds, expiration]
|
|
734
752
|
end
|
|
735
753
|
|
|
736
754
|
def crt_sign_request(request)
|
|
737
|
-
creds = crt_fetch_credentials
|
|
755
|
+
creds, _ = crt_fetch_credentials
|
|
738
756
|
http_method = extract_http_method(request)
|
|
739
757
|
url = extract_url(request)
|
|
740
758
|
headers = downcase_headers(request[:headers])
|
|
@@ -793,14 +811,14 @@ module Aws
|
|
|
793
811
|
end
|
|
794
812
|
|
|
795
813
|
def crt_presign_url(options)
|
|
796
|
-
creds = crt_fetch_credentials
|
|
814
|
+
creds, expiration = crt_fetch_credentials
|
|
797
815
|
|
|
798
816
|
http_method = extract_http_method(options)
|
|
799
817
|
url = extract_url(options)
|
|
800
818
|
headers = downcase_headers(options[:headers])
|
|
801
819
|
headers['host'] ||= host(url)
|
|
802
820
|
|
|
803
|
-
datetime = headers.delete('x-amz-date')
|
|
821
|
+
datetime = Time.strptime(headers.delete('x-amz-date'), "%Y%m%dT%H%M%S%Z") if headers['x-amz-date']
|
|
804
822
|
datetime ||= (options[:time] || Time.now)
|
|
805
823
|
|
|
806
824
|
content_sha256 = headers.delete('x-amz-content-sha256')
|
|
@@ -821,7 +839,7 @@ module Aws
|
|
|
821
839
|
use_double_uri_encode: @uri_escape_path,
|
|
822
840
|
should_normalize_uri_path: @normalize_path,
|
|
823
841
|
omit_session_token: @omit_session_token,
|
|
824
|
-
expiration_in_seconds: options
|
|
842
|
+
expiration_in_seconds: presigned_url_expiration(options, expiration, datetime)
|
|
825
843
|
)
|
|
826
844
|
http_request = Aws::Crt::Http::Message.new(
|
|
827
845
|
http_method, url.to_s, headers
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-10-25 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-eventstream
|