aws-sigv4 1.4.0 → 1.4.1.crt

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46dbb72f9e31ff1022703f91ae7e1d2cfe78c78629e682fe99468933704aff62
-  data.tar.gz: 963db4a8f39031b64398dea0d2ebc7167af20e79446e23bfd270c6cb85d4738f
+  metadata.gz: 9f4ebc6670c011eafdb6f2ca33ee5894dd723f10f1ad23ea296837bb41355a77
+  data.tar.gz: 6e69783f73330b8559390d56718e0fe48cb117f4fc07ae8c808a2d6ebea6263f
 SHA512:
-  metadata.gz: '0142942e58db9971d8ceaa2aeb7c97d1cd58bdba463366fd06831b1769a3c124f6e1f1b082c4d1b5917f794ab70556f6bd78dbb67824a35e74ccbfc5bdaafa25'
-  data.tar.gz: aca23ad7a8a98f24abdbbaa2afe9cde1430a7a10f627b63d7da56939665056ccc7a04226dc14e3793e3848032291aba990fc10576369f3974911593566ea9262
+  metadata.gz: 2ba3f4da7f88b55f0529e9d23a4cc6a039abb6e1af7d939a9fe2679232c28ba80f7b2791758d39f67940cfa180c631f92ec424753a38f346b290132a95263ba6
+  data.tar.gz: 9fdee7aeff9a4764bb7a2395628ba5a9e52b8fe1e21adf165b48ed6241e3a2b71b7cff2d7597dba2696e49009963589244410e276898a3807945cb659865a0b6

data/CHANGELOG.md

@@ -1,15 +1,11 @@
 Unreleased Changes
 ------------------
 
-1.4.0 (2021-09-02)
-------------------
-
-* Feature - add `signing_algorithm` option with `sigv4` default.
 
-1.3.0 (2021-09-01)
+1.3.0.crt (2021-08-04)
 ------------------
 
-* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9, 2.0, 2.1, and 2.2.
+* Feature - Preview release of `aws-sigv4` version 1.3.0.crt gem - uses the Common Runtime (CRT) for signing and support for sigv4a.
 
 1.2.4 (2021-07-08)
 ------------------

data/VERSION

@@ -1 +1 @@
-1.4.0
+1.4.1.crt

data/lib/aws-sigv4/credentials.rb

@@ -11,7 +11,10 @@ module Aws
       # @option options [required, String] :secret_access_key
       # @option options [String, nil] :session_token (nil)
       def initialize(options = {})
-        if options[:access_key_id] && options[:secret_access_key]
+        if options[:access_key_id] && options[:secret_access_key] &&
+          !options[:access_key_id].empty? &&
+          !options[:secret_access_key].empty?
+
           @access_key_id = options[:access_key_id]
           @secret_access_key = options[:secret_access_key]
           @session_token = options[:session_token]
@@ -51,8 +54,8 @@ module Aws
       # @option options [String] :session_token (nil)
       def initialize(options = {})
         @credentials = options[:credentials] ?
-          options[:credentials] :
-          Credentials.new(options)
+                         options[:credentials] :
+                         Credentials.new(options)
       end
 
       # @return [Credentials]
@@ -63,6 +66,5 @@ module Aws
         !!credentials && credentials.set?
       end
     end
-
   end
 end

data/lib/aws-sigv4/signature.rb

@@ -32,6 +32,8 @@ module Aws
       # @return [String] For debugging purposes.
       attr_accessor :content_sha256
 
+      attr_accessor :extra
+
     end
   end
 end

data/lib/aws-sigv4/signer.rb

@@ -1,79 +1,16 @@
 # frozen_string_literal: true
 
 require 'openssl'
-require 'tempfile'
 require 'time'
+require 'tempfile'
 require 'uri'
 require 'set'
-require 'cgi'
 require 'aws-eventstream'
 
 module Aws
   module Sigv4
-
-    # Utility class for creating AWS signature version 4 signature. This class
-    # provides two methods for generating signatures:
-    #
-    # * {#sign_request} - Computes a signature of the given request, returning
-    #   the hash of headers that should be applied to the request.
-    #
-    # * {#presign_url} - Computes a presigned request with an expiration.
-    #   By default, the body of this request is not signed and the request
-    #   expires in 15 minutes.
-    #
-    # ## Configuration
-    #
-    # To use the signer, you need to specify the service, region, and credentials.
-    # The service name is normally the endpoint prefix to an AWS service. For
-    # example:
-    #
-    #     ec2.us-west-1.amazonaws.com => ec2
-    #
-    # The region is normally the second portion of the endpoint, following
-    # the service name.
-    #
-    #     ec2.us-west-1.amazonaws.com => us-west-1
-    #
-    # It is important to have the correct service and region name, or the
-    # signature will be invalid.
-    #
-    # ## Credentials
-    #
-    # The signer requires credentials. You can configure the signer
-    # with static credentials:
-    #
-    #     signer = Aws::Sigv4::Signer.new(
-    #       service: 's3',
-    #       region: 'us-east-1',
-    #       # static credentials
-    #       access_key_id: 'akid',
-    #       secret_access_key: 'secret'
-    #     )
-    #
-    # You can also provide refreshing credentials via the `:credentials_provider`.
-    # If you are using the AWS SDK for Ruby, you can use any of the credential
-    # classes:
-    #
-    #     signer = Aws::Sigv4::Signer.new(
-    #       service: 's3',
-    #       region: 'us-east-1',
-    #       credentials_provider: Aws::InstanceProfileCredentials.new
-    #     )
-    #
-    # Other AWS SDK for Ruby classes that can be provided via `:credentials_provider`:
-    #
-    # * `Aws::Credentials`
-    # * `Aws::SharedCredentials`
-    # * `Aws::InstanceProfileCredentials`
-    # * `Aws::AssumeRoleCredentials`
-    # * `Aws::ECSCredentials`
-    #
-    # A credential provider is any object that responds to `#credentials`
-    # returning another object that responds to `#access_key_id`, `#secret_access_key`,
-    # and `#session_token`.
-    #
+    # Utility class for creating AWS signature version 4 signature.
     class Signer
-
       # @overload initialize(service:, region:, access_key_id:, secret_access_key:, session_token:nil, **options)
       #   @param [String] :service The service signing name, e.g. 's3'.
       #   @param [String] :region The region name, e.g. 'us-east-1'.
@@ -118,23 +55,27 @@ module Aws
       #   headers. This is required for AWS Glacier, and optional for
       #   every other AWS service as of late 2016.
       #
+      # @option options [Boolean] :omit_session_token (false) If `true`,
+      #   then security token is added to the final signing result,
+      #   but is treated as "unsigned" and does not contribute
+      #   to the authorization signature.
+      #
+      # @option options [Boolean] :normalize_path (true) When `true`,
+      #   the uri paths will be normalized when building the canonical request
       def initialize(options = {})
         @service = extract_service(options)
         @region = extract_region(options)
         @credentials_provider = extract_credentials_provider(options)
-        @unsigned_headers = Set.new((options.fetch(:unsigned_headers, [])).map(&:downcase))
+        @unsigned_headers = Set.new((options.fetch(:unsigned_headers, []))
+                                    .map(&:downcase))
         @unsigned_headers << 'authorization'
         @unsigned_headers << 'x-amzn-trace-id'
         @unsigned_headers << 'expect'
-        [:uri_escape_path, :apply_checksum_header].each do |opt|
-          instance_variable_set("@#{opt}", options.key?(opt) ? !!options[opt] : true)
-        end
-
-        if options[:signing_algorithm] == :sigv4a
-          raise ArgumentError, 'You are attempting to sign a' \
-' request with sigv4a which requires aws-crt and version 1.4.0.crt or later of the aws-sigv4 gem.'\
-' Please install the gem or add it to your gemfile.'
-        end
+        @uri_escape_path = options.fetch(:uri_escape_path, true)
+        @apply_checksum_header = options.fetch(:apply_checksum_header, true)
+        @signing_algorithm = options.fetch(:signing_algorithm, :sigv4)
+        @normalize_path = options.fetch(:normalize_path, true)
+        @omit_session_token = options.fetch(:omit_session_token, false)
       end
 
       # @return [String]
@@ -210,102 +151,65 @@ module Aws
       #   a `#headers` method. The headers must be applied to your request.
       #
       def sign_request(request)
-
         creds = fetch_credentials
 
         http_method = extract_http_method(request)
         url = extract_url(request)
         headers = downcase_headers(request[:headers])
 
-        datetime = headers['x-amz-date']
-        datetime ||= Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
-        date = datetime[0,8]
+        datetime =
+          if headers.include? 'x-amz-date'
+            Time.parse(headers.delete('x-amz-date'))
+          end
 
-        content_sha256 = headers['x-amz-content-sha256']
+        content_sha256 = headers.delete('x-amz-content-sha256')
         content_sha256 ||= sha256_hexdigest(request[:body] || '')
 
         sigv4_headers = {}
         sigv4_headers['host'] = headers['host'] || host(url)
-        sigv4_headers['x-amz-date'] = datetime
-        sigv4_headers['x-amz-security-token'] = creds.session_token if creds.session_token
-        sigv4_headers['x-amz-content-sha256'] ||= content_sha256 if @apply_checksum_header
+
+        # Modify the user-agent to add usage of crt-signer
+        # This should be temporary during developer preview only
+        if headers.include? 'user-agent'
+          headers['user-agent'] = "#{headers['user-agent']} crt-signer/#{@signing_algorithm}/#{Aws::Sigv4::VERSION}"
+          sigv4_headers['user-agent'] = headers['user-agent']
+        end
 
         headers = headers.merge(sigv4_headers) # merge so we do not modify given headers hash
 
-        # compute signature parts
-        creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        sig = signature(creds.secret_access_key, date, sts)
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_headers,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+            :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
 
-        # apply signature
-        sigv4_headers['authorization'] = [
-          "AWS4-HMAC-SHA256 Credential=#{credential(creds, date)}",
-          "SignedHeaders=#{signed_headers(headers)}",
-          "Signature=#{sig}",
-        ].join(', ')
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable)
 
-        # Returning the signature components.
         Signature.new(
-          headers: sigv4_headers,
-          string_to_sign: sts,
-          canonical_request: creq,
-          content_sha256: content_sha256
+          headers: sigv4_headers.merge(
+            downcase_headers(signing_result[:headers])
+          ),
+          string_to_sign: 'CRT_INTERNAL',
+          canonical_request: 'CRT_INTERNAL',
+          content_sha256: content_sha256,
+          extra: {config: config, signable: signable}
         )
       end
 
-      # Signs a event and returns signature headers and prior signature
-      # used for next event signing.
-      #
-      # Headers of a sigv4 signed event message only contains 2 headers
-      #   * ':chunk-signature'
-      #     * computed signature of the event, binary string, 'bytes' type
-      #   * ':date'
-      #     * millisecond since epoch, 'timestamp' type
-      #
-      # Payload of the sigv4 signed event message contains eventstream encoded message
-      # which is serialized based on input and protocol
-      #
-      # To sign events
-      #
-      #     headers_0, signature_0 = signer.sign_event(
-      #       prior_signature, # hex-encoded string
-      #       payload_0, # binary string (eventstream encoded event 0)
-      #       encoder, # Aws::EventStreamEncoder
-      #     )
-      #
-      #     headers_1, signature_1 = signer.sign_event(
-      #       signature_0,
-      #       payload_1, # binary string (eventstream encoded event 1)
-      #       encoder
-      #     )
-      #
-      # The initial prior_signature should be using the signature computed at initial request
-      #
-      # Note:
-      #
-      #   Since ':chunk-signature' header value has bytes type, the signature value provided
-      #   needs to be a binary string instead of a hex-encoded string (like original signature
-      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
-      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
-      #   hex-encoded string using #unpack
-      def sign_event(prior_signature, payload, encoder)
-        creds = fetch_credentials
-        time = Time.now
-        headers = {}
-
-        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
-        date = datetime[0,8]
-        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
-
-        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
-        sig = event_signature(creds.secret_access_key, date, sts)
-
-        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
-
-        # Returning signed headers and signature value in hex-encoded string
-        [headers, sig.unpack('H*').first]
-      end
-
       # Signs a URL with query authentication. Using query parameters
       # to authenticate requests is useful when you want to express a
       # request entirely in a URL. This method is also referred as
@@ -375,247 +279,120 @@ module Aws
       # @return [HTTPS::URI, HTTP::URI]
       #
       def presign_url(options)
-
         creds = fetch_credentials
 
         http_method = extract_http_method(options)
         url = extract_url(options)
-
         headers = downcase_headers(options[:headers])
         headers['host'] ||= host(url)
 
-        datetime = headers['x-amz-date']
-        datetime ||= (options[:time] || Time.now).utc.strftime("%Y%m%dT%H%M%SZ")
-        date = datetime[0,8]
+        datetime = headers.delete('x-amz-date')
+        datetime ||= (options[:time] || Time.now)
 
-        content_sha256 = headers['x-amz-content-sha256']
+        content_sha256 = headers.delete('x-amz-content-sha256')
         content_sha256 ||= options[:body_digest]
         content_sha256 ||= sha256_hexdigest(options[:body] || '')
 
-        params = {}
-        params['X-Amz-Algorithm'] = 'AWS4-HMAC-SHA256'
-        params['X-Amz-Credential'] = credential(creds, date)
-        params['X-Amz-Date'] = datetime
-        params['X-Amz-Expires'] = extract_expires_in(options)
-        params['X-Amz-Security-Token'] = creds.session_token if creds.session_token
-        params['X-Amz-SignedHeaders'] = signed_headers(headers)
+        config = Aws::Crt::Auth::SigningConfig.new(
+          algorithm: @signing_algorithm,
+          signature_type: :http_request_query_params,
+          region: @region,
+          service: @service,
+          date: datetime,
+          signed_body_value: content_sha256,
+          signed_body_header_type: @apply_checksum_header ?
+            :sbht_content_sha256 : :sbht_none,
+          credentials: creds,
+          unsigned_headers: @unsigned_headers,
+          use_double_uri_encode: @uri_escape_path,
+          should_normalize_uri_path: @normalize_path,
+          omit_session_token: @omit_session_token,
+          expiration_in_seconds: options.fetch(:expires_in, 900)
+        )
+        http_request = Aws::Crt::Http::Message.new(
+          http_method, url.to_s, headers
+        )
+        signable = Aws::Crt::Auth::Signable.new(http_request)
 
-        params = params.map do |key, value|
-          "#{uri_escape(key)}=#{uri_escape(value)}"
-        end.join('&')
+        signing_result = Aws::Crt::Auth::Signer.sign_request(config, signable, http_method, url.to_s)
+        url = URI.parse(signing_result[:path])
 
-        if url.query
-          url.query += '&' + params
-        else
-          url.query = params
+        if options[:extra] && options[:extra].is_a?(Hash)
+          options[:extra][:config] = config
+          options[:extra][:signable] = signable
         end
-
-        creq = canonical_request(http_method, url, headers, content_sha256)
-        sts = string_to_sign(datetime, creq)
-        url.query += '&X-Amz-Signature=' + signature(creds.secret_access_key, date, sts)
         url
       end
 
-      private
-
-      def canonical_request(http_method, url, headers, content_sha256)
-        [
-          http_method,
-          path(url),
-          normalized_querystring(url.query || ''),
-          canonical_headers(headers) + "\n",
-          signed_headers(headers),
-          content_sha256,
-        ].join("\n")
-      end
-
-      def string_to_sign(datetime, canonical_request)
-        [
-          'AWS4-HMAC-SHA256',
-          datetime,
-          credential_scope(datetime[0,8]),
-          sha256_hexdigest(canonical_request),
-        ].join("\n")
-      end
 
-      # Compared to original #string_to_sign at signature v4 algorithm
-      # there is no canonical_request concept for an eventstream event,
-      # instead, an event contains headers and payload two parts, and
-      # they will be used for computing digest in #event_string_to_sign
+      # Signs a event and returns signature headers and prior signature
+      # used for next event signing.
       #
-      # Note:
-      #   While headers need to be encoded under eventstream format,
-      #   payload used is already eventstream encoded (event without signature),
-      #   thus no extra encoding is needed.
-      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
-        encoded_headers = encoder.encode_headers(
-          Aws::EventStream::Message.new(headers: headers, payload: payload)
-        )
-        [
-          "AWS4-HMAC-SHA256-PAYLOAD",
-          datetime,
-          credential_scope(datetime[0,8]),
-          prior_signature,
-          sha256_hexdigest(encoded_headers),
-          sha256_hexdigest(payload)
-        ].join("\n")
-      end
-
-      def credential_scope(date)
-        [
-          date,
-          @region,
-          @service,
-          'aws4_request',
-        ].join('/')
-      end
-
-      def credential(credentials, date)
-        "#{credentials.access_key_id}/#{credential_scope(date)}"
-      end
-
-      def signature(secret_access_key, date, string_to_sign)
-        k_date = hmac("AWS4" + secret_access_key, date)
-        k_region = hmac(k_date, @region)
-        k_service = hmac(k_region, @service)
-        k_credentials = hmac(k_service, 'aws4_request')
-        hexhmac(k_credentials, string_to_sign)
-      end
-
-      # Comparing to original signature v4 algorithm,
-      # returned signature is a binary string instread of
-      # hex-encoded string. (Since ':chunk-signature' requires
-      # 'bytes' type)
+      # Headers of a sigv4 signed event message only contains 2 headers
+      #   * ':chunk-signature'
+      #     * computed signature of the event, binary string, 'bytes' type
+      #   * ':date'
+      #     * millisecond since epoch, 'timestamp' type
+      #
+      # Payload of the sigv4 signed event message contains eventstream encoded message
+      # which is serialized based on input and protocol
+      #
+      # To sign events
+      #
+      #     headers_0, signature_0 = signer.sign_event(
+      #       prior_signature, # hex-encoded string
+      #       payload_0, # binary string (eventstream encoded event 0)
+      #       encoder, # Aws::EventStreamEncoder
+      #     )
+      #
+      #     headers_1, signature_1 = signer.sign_event(
+      #       signature_0,
+      #       payload_1, # binary string (eventstream encoded event 1)
+      #       encoder
+      #     )
+      #
+      # The initial prior_signature should be using the signature computed at initial request
       #
       # Note:
-      #   converting signature from binary string to hex-encoded
-      #   string is handled at #sign_event instead. (Will be used
-      #   as next prior signature for event signing)
-      def event_signature(secret_access_key, date, string_to_sign)
-        k_date = hmac("AWS4" + secret_access_key, date)
-        k_region = hmac(k_date, @region)
-        k_service = hmac(k_region, @service)
-        k_credentials = hmac(k_service, 'aws4_request')
-        hmac(k_credentials, string_to_sign)
-      end
-
-
-      def path(url)
-        path = url.path
-        path = '/' if path == ''
-        if @uri_escape_path
-          uri_escape_path(path)
-        else
-          path
-        end
-      end
-
-      def normalized_querystring(querystring)
-        params = querystring.split('&')
-        params = params.map { |p| p.match(/=/) ? p : p + '=' }
-        # From: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
-        # Sort the parameter names by character code point in ascending order.
-        # Parameters with duplicate names should be sorted by value.
-        #
-        # Default sort <=> in JRuby will swap members
-        # occasionally when <=> is 0 (considered still sorted), but this
-        # causes our normalized query string to not match the sent querystring.
-        # When names match, we then sort by their values.  When values also
-        # match then we sort by their original order
-        params.each.with_index.sort do |a, b|
-          a, a_offset = a
-          b, b_offset = b
-          a_name, a_value = a.split('=')
-          b_name, b_value = b.split('=')
-          if a_name == b_name
-            if a_value == b_value
-              a_offset <=> b_offset
-            else
-              a_value <=> b_value
-            end
-          else
-            a_name <=> b_name
-          end
-        end.map(&:first).join('&')
-      end
-
-      def signed_headers(headers)
-        headers.inject([]) do |signed_headers, (header, _)|
-          if @unsigned_headers.include?(header)
-            signed_headers
-          else
-            signed_headers << header
-          end
-        end.sort.join(';')
-      end
-
-      def canonical_headers(headers)
-        headers = headers.inject([]) do |hdrs, (k,v)|
-          if @unsigned_headers.include?(k)
-            hdrs
-          else
-            hdrs << [k,v]
-          end
-        end
-        headers = headers.sort_by(&:first)
-        headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n")
-      end
+      #
+      #   Since ':chunk-signature' header value has bytes type, the signature value provided
+      #   needs to be a binary string instead of a hex-encoded string (like original signature
+      #   V4 algorithm). Thus, when returning signature value used for next event siging, the
+      #   signature value (a binary string) used at ':chunk-signature' needs to converted to
+      #   hex-encoded string using #unpack
+      def sign_event(prior_signature, payload, encoder)
+        # CRT does not currently provide event stream signing
+        # use the Ruby implementation
+        creds = @credentials_provider.credentials
+        time = Time.now
+        headers = {}
 
-      def canonical_header_value(value)
-        value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
-      end
+        datetime = time.utc.strftime("%Y%m%dT%H%M%SZ")
+        date = datetime[0,8]
+        headers[':date'] = Aws::EventStream::HeaderValue.new(value: time.to_i * 1000, type: 'timestamp')
 
-      def host(uri)
-        # Handles known and unknown URI schemes; default_port nil when unknown.
-        if uri.default_port == uri.port
-          uri.host
-        else
-          "#{uri.host}:#{uri.port}"
-        end
-      end
+        sts = event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        sig = event_signature(creds.secret_access_key, date, sts)
 
-      # @param [File, Tempfile, IO#read, String] value
-      # @return [String<SHA256 Hexdigest>]
-      def sha256_hexdigest(value)
-        if (File === value || Tempfile === value) && !value.path.nil? && File.exist?(value.path)
-          OpenSSL::Digest::SHA256.file(value).hexdigest
-        elsif value.respond_to?(:read)
-          sha256 = OpenSSL::Digest::SHA256.new
-          loop do
-            chunk = value.read(1024 * 1024) # 1MB
-            break unless chunk
-            sha256.update(chunk)
-          end
-          value.rewind
-          sha256.hexdigest
-        else
-          OpenSSL::Digest::SHA256.hexdigest(value)
-        end
-      end
+        headers[':chunk-signature'] = Aws::EventStream::HeaderValue.new(value: sig, type: 'bytes')
 
-      def hmac(key, value)
-        OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+        # Returning signed headers and signature value in hex-encoded string
+        [headers, sig.unpack('H*').first]
       end
 
-      def hexhmac(key, value)
-        OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
-      end
+      private
 
       def extract_service(options)
         if options[:service]
           options[:service]
         else
-          msg = "missing required option :service"
+          msg = 'missing required option :service'
           raise ArgumentError, msg
         end
       end
 
       def extract_region(options)
-        if options[:region]
-          options[:region]
-        else
-          raise Errors::MissingRegionError
-        end
+        options[:region] || raise(Errors::MissingRegionError)
       end
 
       def extract_credentials_provider(options)
@@ -628,11 +405,22 @@ module Aws
         end
       end
 
+      # the credentials used by CRT must be a
+      # CRT StaticCredentialsProvider object
+      def fetch_credentials
+        credentials = @credentials_provider.credentials
+        Aws::Crt::Auth::StaticCredentialsProvider.new(
+          credentials.access_key_id,
+          credentials.secret_access_key,
+          credentials.session_token
+        )
+      end
+
       def extract_http_method(request)
         if request[:http_method]
           request[:http_method].upcase
         else
-          msg = "missing required option :http_method"
+          msg = 'missing required option :http_method'
           raise ArgumentError, msg
         end
       end
@@ -641,56 +429,97 @@ module Aws
         if request[:url]
           URI.parse(request[:url].to_s)
         else
-          msg = "missing required option :url"
+          msg = 'missing required option :url'
           raise ArgumentError, msg
         end
       end
 
       def downcase_headers(headers)
-        (headers || {}).to_hash.inject({}) do |hash, (key, value)|
-          hash[key.downcase] = value
-          hash
-        end
+        (headers || {}).to_hash.transform_keys(&:downcase)
       end
 
-      def extract_expires_in(options)
-        case options[:expires_in]
-        when nil then 900.to_s
-        when Integer then options[:expires_in].to_s
+      # @param [File, Tempfile, IO#read, String] value
+      # @return [String<SHA256 Hexdigest>]
+      def sha256_hexdigest(value)
+        if (value.is_a?(File) || value.is_a?(Tempfile)) && !value.path.nil? && File.exist?(value.path)
+          OpenSSL::Digest::SHA256.file(value).hexdigest
+        elsif value.respond_to?(:read)
+          sha256 = OpenSSL::Digest.new('SHA256')
+          loop do
+            chunk = value.read(1024 * 1024) # 1MB
+            break unless chunk
+
+            sha256.update(chunk)
+          end
+          value.rewind
+          sha256.hexdigest
         else
-          msg = "expected :expires_in to be a number of seconds"
-          raise ArgumentError, msg
+          OpenSSL::Digest::SHA256.hexdigest(value)
         end
       end
 
-      def uri_escape(string)
-        self.class.uri_escape(string)
+      def host(uri)
+        # Handles known and unknown URI schemes; default_port nil when unknown.
+        if uri.default_port == uri.port
+          uri.host
+        else
+          "#{uri.host}:#{uri.port}"
+        end
       end
 
-      def uri_escape_path(string)
-        self.class.uri_escape_path(string)
+      # Used only for event signing
+      def credential_scope(date)
+        [
+          date,
+          @region,
+          @service,
+          'aws4_request',
+        ].join('/')
       end
 
+      # Used only for event signing
+      def hmac(key, value)
+        OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
+      end
 
-      def fetch_credentials
-        credentials = @credentials_provider.credentials
-        if credentials_set?(credentials)
-          credentials
-        else
-          raise Errors::MissingCredentialsError,
-          'unable to sign request without credentials set'
-        end
+      # Compared to original #string_to_sign at signature v4 algorithm
+      # there is no canonical_request concept for an eventstream event,
+      # instead, an event contains headers and payload two parts, and
+      # they will be used for computing digest in #event_string_to_sign
+      #
+      # Note:
+      #   While headers need to be encoded under eventstream format,
+      #   payload used is already eventstream encoded (event without signature),
+      #   thus no extra encoding is needed.
+      def event_string_to_sign(datetime, headers, payload, prior_signature, encoder)
+        encoded_headers = encoder.encode_headers(
+          Aws::EventStream::Message.new(headers: headers, payload: payload)
+        )
+        [
+          "AWS4-HMAC-SHA256-PAYLOAD",
+          datetime,
+          credential_scope(datetime[0,8]),
+          prior_signature,
+          sha256_hexdigest(encoded_headers),
+          sha256_hexdigest(payload)
+        ].join("\n")
       end
 
-      # Returns true if credentials are set (not nil or empty)
-      # Credentials may not implement the Credentials interface
-      # and may just be credential like Client response objects
-      # (eg those returned by sts#assume_role)
-      def credentials_set?(credentials)
-        !credentials.access_key_id.nil? &&
-          !credentials.access_key_id.empty? &&
-          !credentials.secret_access_key.nil? &&
-          !credentials.secret_access_key.empty?
+      # Comparing to original signature v4 algorithm,
+      # returned signature is a binary string instread of
+      # hex-encoded string. (Since ':chunk-signature' requires
+      # 'bytes' type)
+      #
+      # Note:
+      #   converting signature from binary string to hex-encoded
+      #   string is handled at #sign_event instead. (Will be used
+      #   as next prior signature for event signing)
+      def event_signature(secret_access_key, date, string_to_sign)
+        k_date = hmac("AWS4" + secret_access_key, date)
+        k_region = hmac(k_date, @region)
+        k_service = hmac(k_region, @service)
+        k_credentials = hmac(k_service, 'aws4_request')
+        hmac(k_credentials, string_to_sign)
       end
 
       class << self
@@ -708,8 +537,8 @@ module Aws
             CGI.escape(string.encode('UTF-8')).gsub('+', '%20').gsub('%7E', '~')
           end
         end
-
       end
     end
   end
 end
+

data/lib/aws-sigv4.rb

@@ -1,6 +1,13 @@
 # frozen_string_literal: true
 
+require 'aws-crt'
 require_relative 'aws-sigv4/credentials'
 require_relative 'aws-sigv4/errors'
 require_relative 'aws-sigv4/signature'
 require_relative 'aws-sigv4/signer'
+
+module Aws
+  module Sigv4
+    VERSION = File.read(File.expand_path('../VERSION', __dir__)).strip
+  end
+end

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: aws-sigv4
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.4.1.crt
 platform: ruby
 authors:
 - Amazon Web Services
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2021-09-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-crt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: aws-eventstream
   requirement: !ruby/object:Gem::Requirement
@@ -30,9 +44,22 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.2
-description: Amazon Web Services Signature Version 4 signing library. Generates sigv4
-  signature for HTTP requests.
-email: 
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Amazon Web Services signing library. Generates signatures for HTTP requests
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -43,16 +70,13 @@ files:
 - lib/aws-sigv4.rb
 - lib/aws-sigv4/credentials.rb
 - lib/aws-sigv4/errors.rb
-- lib/aws-sigv4/request.rb
 - lib/aws-sigv4/signature.rb
 - lib/aws-sigv4/signer.rb
-homepage: https://github.com/aws/aws-sdk-ruby
+homepage: https://github.com/awslabs/aws-crt-ruby
 licenses:
 - Apache-2.0
-metadata:
-  source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4
-  changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sigv4/CHANGELOG.md
-post_install_message: 
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -60,15 +84,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.2.7
+signing_key:
 specification_version: 4
-summary: AWS Signature Version 4 library.
+summary: AWS SDK for Ruby - Common Runtime (CRT) based Signer
 test_files: []

data/lib/aws-sigv4/request.rb

@@ -1,65 +0,0 @@
-# frozen_string_literal: true
-
-require 'uri'
-
-module Aws
-  module Sigv4
-    class Request
-
-      # @option options [required, String] :http_method
-      # @option options [required, HTTP::URI, HTTPS::URI, String] :endpoint
-      # @option options [Hash<String,String>] :headers ({})
-      # @option options [String, IO] :body ('')
-      def initialize(options = {})
-        @http_method = nil
-        @endpoint = nil
-        @headers = {}
-        @body = ''
-        options.each_pair do |attr_name, attr_value|
-          send("#{attr_name}=", attr_value)
-        end
-      end
-
-      # @param [String] http_method One of 'GET', 'PUT', 'POST', 'DELETE', 'HEAD', or 'PATCH'
-      def http_method=(http_method)
-        @http_method = http_method
-      end
-
-      # @return [String] One of 'GET', 'PUT', 'POST', 'DELETE', 'HEAD', or 'PATCH'
-      def http_method
-        @http_method
-      end
-
-      # @param [String, HTTP::URI, HTTPS::URI] endpoint
-      def endpoint=(endpoint)
-        @endpoint = URI.parse(endpoint.to_s)
-      end
-
-      # @return [HTTP::URI, HTTPS::URI]
-      def endpoint
-        @endpoint
-      end
-
-      # @param [Hash] headers
-      def headers=(headers)
-        @headers = headers
-      end
-
-      # @return [Hash<String,String>]
-      def headers
-        @headers
-      end
-
-      # @param [String, IO] body
-      def body=(body)
-        @body = body
-      end
-
-      # @return [String, IO]
-      def body
-        @body
-      end
-
-    end
-  end
-end