aws-sigv4 1.0.3 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/aws-sigv4/signer.rb +95 -0
- metadata +23 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cb4db422d46522a4ad3274b0dc5b28689ed5def4
|
|
4
|
+
data.tar.gz: 061ca3ebfd24ffea8a1717ac9e12f9fc0650d4f8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fef836871abeaf35b99b00a28deab1506f45d6792a6c732d74db4a37250d77e62ee64da491ad91a21a0f8098ba91dae19953d27c48aec0a36d7e2ad403f4edf6
|
|
7
|
+
data.tar.gz: 6bee73d7bbcd3f7fe8cb92275eabb13d5981869dc566bfc818960449143fdc28f91270465efd9d38adbfb4f91d12c23a2c70e7cfebf4c45d8954df3c0a082b36
|
data/lib/aws-sigv4/signer.rb
CHANGED
|
@@ -4,6 +4,7 @@ require 'time'
|
|
|
4
4
|
require 'uri'
|
|
5
5
|
require 'set'
|
|
6
6
|
require 'cgi'
|
|
7
|
+
require 'aws-eventstream'
|
|
7
8
|
|
|
8
9
|
module Aws
|
|
9
10
|
module Sigv4
|
|
@@ -243,6 +244,59 @@ module Aws
|
|
|
243
244
|
)
|
|
244
245
|
end
|
|
245
246
|
|
|
247
|
+
# Signs a event and returns signature headers and prior signature
|
|
248
|
+
# used for next event signing.
|
|
249
|
+
#
|
|
250
|
+
# Headers of a sigv4 signed event message only contains 2 headers
|
|
251
|
+
# * ':chunk-signature'
|
|
252
|
+
# * computed signature of the event, binary string, 'bytes' type
|
|
253
|
+
# * ':date'
|
|
254
|
+
# * millisecond since epoch, 'timestamp' type
|
|
255
|
+
#
|
|
256
|
+
# Payload of the sigv4 signed event message contains eventstream encoded message
|
|
257
|
+
# which is serialized based on input and protocol
|
|
258
|
+
#
|
|
259
|
+
# To sign events
|
|
260
|
+
#
|
|
261
|
+
# headers_0, signature_0 = signer.sign_event(
|
|
262
|
+
# prior_signature, # hex-encoded string
|
|
263
|
+
# payload_0, # binary string (eventstream encoded event 0)
|
|
264
|
+
# encoder, # Aws::EventStreamEncoder
|
|
265
|
+
# )
|
|
266
|
+
#
|
|
267
|
+
# headers_1, signature_1 = signer.sign_event(
|
|
268
|
+
# signature_0,
|
|
269
|
+
# payload_1, # binary string (eventstream encoded event 1)
|
|
270
|
+
# encoder
|
|
271
|
+
# )
|
|
272
|
+
#
|
|
273
|
+
# The initial prior_signature should be using the signature computed at initial request
|
|
274
|
+
#
|
|
275
|
+
# Note:
|
|
276
|
+
#
|
|
277
|
+
# Since ':chunk-signature' header value has bytes type, the signature value provided
|
|
278
|
+
# needs to be a binary string instead of a hex-encoded string (like original signature
|
|
279
|
+
# V4 algorithm). Thus, when returning signature value used for next event siging, the
|
|
280
|
+
# signature value (a binary string) used at ':chunk-signature' needs to converted to
|
|
281
|
+
# hex-encoded string using #unpack
|
|
282
|
+
def sign_event(prior_signature, payload, encoder)
|
|
283
|
+
creds = get_credentials
|
|
284
|
+
time = Time.now
|
|
285
|
+
headers = {}
|
|
286
|
+
|
|
287
|
+
datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
|
|
288
|
+
date = datetime[0,8]
|
|
289
|
+
headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i*1000, type: 'timestamp')
|
|
290
|
+
|
|
291
|
+
sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
|
|
292
|
+
sig = event_signature(creds.secret_access_key, date, sts)
|
|
293
|
+
|
|
294
|
+
headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
|
|
295
|
+
|
|
296
|
+
# Returning signed headers and signature value in hex-encoded string
|
|
297
|
+
[headers, sig.unpack('H*').first]
|
|
298
|
+
end
|
|
299
|
+
|
|
246
300
|
# Signs a URL with query authentication. Using query parameters
|
|
247
301
|
# to authenticate requests is useful when you want to express a
|
|
248
302
|
# request entirely in a URL. This method is also referred as
|
|
@@ -375,6 +429,29 @@ module Aws
|
|
|
375
429
|
].join("\n")
|
|
376
430
|
end
|
|
377
431
|
|
|
432
|
+
# Compared to original #string_to_sign at signature v4 algorithm
|
|
433
|
+
# there is no canonical_request concept for an eventstream event,
|
|
434
|
+
# instead, an event contains headers and payload two parts, and
|
|
435
|
+
# they will be used for computing digest in #event_string_to_sign
|
|
436
|
+
#
|
|
437
|
+
# Note:
|
|
438
|
+
# While headers need to be encoded under eventstream format,
|
|
439
|
+
# payload used is already eventstream encoded (event without signature),
|
|
440
|
+
# thus no extra encoding is needed.
|
|
441
|
+
def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
|
|
442
|
+
encoded_headers = encoder.encode_headers(
|
|
443
|
+
Aws::EventStream::Message.new(headers: headers, payload: payload)
|
|
444
|
+
).read
|
|
445
|
+
[
|
|
446
|
+
"AWS4-HMAC-SHA256-PAYLOAD",
|
|
447
|
+
datetime,
|
|
448
|
+
credential_scope(datetime[0,8]),
|
|
449
|
+
prior_signature,
|
|
450
|
+
sha256_hexdigest(encoded_headers),
|
|
451
|
+
sha256_hexdigest(payload)
|
|
452
|
+
].join("\n")
|
|
453
|
+
end
|
|
454
|
+
|
|
378
455
|
def credential_scope(date)
|
|
379
456
|
[
|
|
380
457
|
date,
|
|
@@ -396,6 +473,24 @@ module Aws
|
|
|
396
473
|
hexhmac(k_credentials, string_to_sign)
|
|
397
474
|
end
|
|
398
475
|
|
|
476
|
+
# Comparing to original signature v4 algorithm,
|
|
477
|
+
# returned signature is a binary string instread of
|
|
478
|
+
# hex-encoded string. (Since ':chunk-signature' requires
|
|
479
|
+
# 'bytes' type)
|
|
480
|
+
#
|
|
481
|
+
# Note:
|
|
482
|
+
# converting signature from binary string to hex-encoded
|
|
483
|
+
# string is handled at #sign_event instead. (Will be used
|
|
484
|
+
# as next prior signature for event signing)
|
|
485
|
+
def event_signature(secret_access_key, date, string_to_sign)
|
|
486
|
+
k_date = hmac("AWS4" + secret_access_key, date)
|
|
487
|
+
k_region = hmac(k_date, @region)
|
|
488
|
+
k_service = hmac(k_region, @service)
|
|
489
|
+
k_credentials = hmac(k_service, 'aws4_request')
|
|
490
|
+
hmac(k_credentials, string_to_sign)
|
|
491
|
+
end
|
|
492
|
+
|
|
493
|
+
|
|
399
494
|
def path(url)
|
|
400
495
|
path = url.path
|
|
401
496
|
path = '/' if path == ''
|
metadata
CHANGED
|
@@ -1,15 +1,35 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sigv4
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
12
|
-
dependencies:
|
|
11
|
+
date: 2019-03-13 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: aws-eventstream
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - "~>"
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '1.0'
|
|
20
|
+
- - ">="
|
|
21
|
+
- !ruby/object:Gem::Version
|
|
22
|
+
version: 1.0.2
|
|
23
|
+
type: :runtime
|
|
24
|
+
prerelease: false
|
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
26
|
+
requirements:
|
|
27
|
+
- - "~>"
|
|
28
|
+
- !ruby/object:Gem::Version
|
|
29
|
+
version: '1.0'
|
|
30
|
+
- - ">="
|
|
31
|
+
- !ruby/object:Gem::Version
|
|
32
|
+
version: 1.0.2
|
|
13
33
|
description: Amazon Web Services Signature Version 4 signing ligrary. Generates sigv4
|
|
14
34
|
signature for HTTP requests.
|
|
15
35
|
email:
|