aws4 0.0.1

data/Gemfile

@@ -0,0 +1,2 @@
+source "https://rubygems.org"
+gemspec

data/Gemfile.lock

@@ -0,0 +1,16 @@
+PATH
+  remote: .
+  specs:
+    aws4 (0.0.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    rake (10.0.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aws4!
+  rake

data/Rakefile

@@ -0,0 +1,9 @@
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.libs.push "lib"
+  t.test_files = FileList['test/*_test.rb']
+  t.verbose = true
+end
+
+task :default => :test

data/aws4.gemspec

@@ -0,0 +1,18 @@
+require "./lib/aws4/version"
+
+Gem::Specification.new do |s|
+  s.name         = 'aws4'
+  s.version      = AWS4::VERSION
+  s.summary      = "A ruby gem for AWS Signature version 4"
+  s.description  = "The approach is HTTP library agnostic, so you must supply method, uri, headers, and body"
+  s.authors      = ["Brandon Keene"]
+  s.email        = ["bkeene@gmail.com"]
+  s.require_path = 'lib'
+  s.files        = `git ls-files`.split("\n")
+  s.test_files   = `git ls-files -- {test}/*`.split("\n")
+  s.executables  = []
+  s.homepage     = 'http://github.com/cmdrkeene/aws4'
+
+  s.add_development_dependency "rake"
+end
+

data/lib/aws4.rb

@@ -0,0 +1,3 @@
+# AWS4
+require "aws4/version"
+require "aws4/signer"

data/lib/aws4/signer.rb

@@ -0,0 +1,104 @@
+# encoding: UTF-8
+require "openssl"
+require "time"
+require "uri"
+require "pathname"
+
+module AWS4
+  class Signer
+    attr_reader :access_key, :secret_key, :region
+    attr_reader :date, :method, :uri, :headers, :body
+
+    def initialize(config)
+      @access_key = config[:access_key] || config["access_key"]
+      @secret_key = config[:secret_key] || config["secret_key"]
+      @region = config[:region] || config["region"]
+    end
+
+    def sign(method, uri, headers, body, debug = false)
+      @method = method.upcase
+      @uri = uri
+      @headers = headers
+      @body = body
+      @date = Time.parse(headers["Date"] || headers["DATE"] || headers["date"]).utc.strftime("%Y%m%dT%H%M%SZ")
+      dump if debug
+      signed = headers.dup
+      signed['Authorization'] = authorization(headers)
+      signed
+    end
+
+    private
+
+    def service
+      @uri.host.split(".", 2)[0]
+    end
+
+    def authorization(headers)
+      parts = []
+      parts << "AWS4-HMAC-SHA256 Credential=#{access_key}/#{credential_string}"
+      parts << "SignedHeaders=#{headers.keys.map(&:downcase).sort.join(";")}"
+      parts << "Signature=#{signature}"
+      parts.join(', ')
+    end
+
+    def signature
+      k_secret = secret_key
+      k_date = hmac("AWS4" + k_secret, date[0,8])
+      k_region = hmac(k_date, region)
+      k_service = hmac(k_region, service)
+      k_credentials = hmac(k_service, 'aws4_request')
+      hexhmac(k_credentials, string_to_sign)
+    end
+
+    def string_to_sign
+      parts = []
+      parts << 'AWS4-HMAC-SHA256'
+      parts << date
+      parts << credential_string
+      parts << hexdigest(canonical_request)
+      parts.join("\n")
+    end
+
+    def credential_string
+      parts = []
+      parts << date[0,8]
+      parts << region
+      parts << service
+      parts << 'aws4_request'
+      parts.join("/")
+    end
+
+    def canonical_request
+      parts = []
+      parts << method
+      parts << Pathname.new(uri.path).cleanpath.to_s
+      parts << uri.query
+      parts << headers.sort.map {|k, v| [k.downcase,v.strip].join(':')}.join("\n") + "\n"
+      parts << headers.sort.map {|k, v| k.downcase}.join(";")
+      parts << hexdigest(body || '')
+      parts.join("\n")
+    end
+
+    def hexdigest(value)
+      digest = Digest::SHA256.new
+      digest.update(value)
+      digest.hexdigest
+    end
+
+    def hmac(key, value)
+      OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha256'), key, value)
+    end
+
+    def hexhmac(key, value)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), key, value)
+    end
+
+    def dump
+      puts "string to sign"
+      puts string_to_sign
+      puts "canonical_request"
+      puts canonical_request
+      puts "authorization"
+    end
+  end
+end

data/lib/aws4/version.rb

@@ -0,0 +1,3 @@
+module AWS4
+  VERSION = "0.0.1"
+end

data/readme.md

@@ -0,0 +1,27 @@
+This gem signs HTTP headers with the AWS4 signature for use with Amazon’s AWS APIs.
+
+You MUST supply a `Date` header.
+
+## Usage
+
+    # create a signer
+    signer = AWS4::Signer.new(
+      access_key: "key",
+      secret_key: "secret",
+      region: "us-east-1",
+      host: "dynamodb.us-east-1.amazonaws.com"
+    )
+
+    # build request
+    uri = URI("https://dynamodb.us-east-1.amazonaws.com/")
+    headers = {
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "Content-Type" => "application/json; charset=utf8"
+    }
+    body="{}"
+
+    # sign headers
+    headers = signer.sign("POST", uri, headers, body)
+
+    # send request using library of choice
+

data/test/benchmark_test.rb

@@ -0,0 +1,31 @@
+# encoding: UTF-8
+require 'minitest/spec'
+require 'minitest/autorun'
+require 'aws4/signer'
+require "benchmark"
+
+describe "benchmark" do
+  it "runs quickly" do
+    trials = 10_000
+    signer = AWS4::Signer.new(
+      access_key: "AKIDEXAMPLE",
+      secret_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
+      region: "us-east-1",
+      host: "host.foo.com"
+    )
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "Content-Type" => "application/x-www-form-urlencoded; charset=utf8"
+    }
+    body = "foo=bar"
+
+    t = Benchmark.realtime do
+      trials.times do
+        signed = signer.sign("POST", uri, headers, body)
+      end
+    end
+    puts "#{(trials/t).round(1)} signatures/second (#{((t/trials.to_f)*1000).round(3)}ms/signature)"
+  end
+end

data/test/signer_test.rb

@@ -0,0 +1,256 @@
+# encoding: UTF-8
+require 'minitest/spec'
+require 'minitest/autorun'
+require 'aws4/signer'
+
+describe AWS4::Signer do
+  def signer
+    @signer ||= AWS4::Signer.new(
+      access_key: "AKIDEXAMPLE",
+      secret_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
+      region: "us-east-1",
+      host: "host.foo.com"
+    )
+  end
+
+  it "signs get-vanilla" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470")
+  end
+
+  it "signs get-relative" do
+    uri = URI("http://host.foo.com/foo/..")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470")
+  end
+
+  it "signs get-relative-relative" do
+    uri = URI("http://host.foo.com/foo/bar/../..")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470")
+  end
+
+  it "signs get-slash-pointless-dot" do
+    uri = URI("http://host.foo.com/./foo")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=910e4d6c9abafaf87898e1eb4c929135782ea25bb0279703146455745391e63a")
+  end
+
+  it "signs get-slash" do
+    uri = URI("http://host.foo.com//")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b27ccfbfa7df52a200ff74193ca6e32d4b48b8856fab7ebf1c595d0670a7e470")
+  end
+
+  it "signs get-vanilla-empty-query" do
+    uri = URI("http://host.foo.com/?foo=bar")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=56c054473fd260c13e4e7393eb203662195f5d4a1fada5314b8b52b23f985e9f")
+  end
+
+  it "signs get-unreserved" do
+    uri = URI("http://host.foo.com/-._~0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=830cc36d03f0f84e6ee4953fbe701c1c8b71a0372c63af9255aa364dd183281e")
+  end
+
+  it "signs get-header-value-trim" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "p" => " phfft "
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;p, Signature=debf546796015d6f6ded8626f5ce98597c33b47b9164cf6b17b4642036fcb592")
+  end
+
+  it "signs get-vanilla-query-order" do
+    uri = URI("http://host.foo.com/?foo=Zoo&foo=aha")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09")
+  end
+
+  it "signs get-vanilla-query-order-key" do
+    uri = URI("http://host.foo.com/?a=foo&b=foo")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=0dc122f3b28b831ab48ba65cb47300de53fbe91b577fe113edac383730254a3b")
+  end
+
+  it "signs get-vanilla-utf8-query" do
+    uri = URI(URI::encode("http://host.foo.com/?ሴ=bar"))
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("GET", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=6fb359e9a05394cc7074e0feb42573a2601abc0c869a953e8c5c12e4e01f1a8c")
+  end
+
+  it "signs post-vanilla" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=22902d79e148b64e7571c3565769328423fe276eae4b26f83afceda9e767f726")    
+  end
+
+  it "signs post-vanilla-empty-query-value" do
+    uri = URI("http://host.foo.com/?foo=bar")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=b6e3b79003ce0743a491606ba1035a804593b0efb1e20a11cba83f8c25a57a92")    
+  end
+
+  it "signs post-header-key-sort" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "ZOO"  => "zoobar"
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=b7a95a52518abbca0964a999a880429ab734f35ebbf1235bd79a5de87756dc4a")
+  end
+
+  it "signs post-header-key-case" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "DATE" => "Mon, 09 Sep 2011 23:36:00 GMT"
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["DATE"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host, Signature=22902d79e148b64e7571c3565769328423fe276eae4b26f83afceda9e767f726")
+  end
+
+  it "signs post-header-value-case" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "zoo" => "ZOOBAR"
+    }
+    body = ""
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=date;host;zoo, Signature=273313af9d0c265c531e11db70bbd653f3ba074c1009239e8559d3987039cad7")
+  end
+
+  it "signs post-x-www-form-urlencoded" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "Content-Type" => "application/x-www-form-urlencoded"
+    }
+    body = "foo=bar"
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Content-Type"].must_equal("application/x-www-form-urlencoded")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=content-type;date;host, Signature=5a15b22cf462f047318703b92e6f4f38884e4a7ab7b1d6426ca46a8bd1c26cbc")
+  end
+
+  it "signs post-x-www-form-urlencoded-parameters" do
+    uri = URI("http://host.foo.com/")
+    headers = {
+      "Host" => "host.foo.com",
+      "Date" => "Mon, 09 Sep 2011 23:36:00 GMT",
+      "Content-Type" => "application/x-www-form-urlencoded; charset=utf8"
+    }
+    body = "foo=bar"
+    signed = signer.sign("POST", uri, headers, body)
+    signed["Date"].must_equal("Mon, 09 Sep 2011 23:36:00 GMT")
+    signed["Host"].must_equal("host.foo.com")    
+    signed["Content-Type"].must_equal("application/x-www-form-urlencoded; charset=utf8")
+    signed["Authorization"].must_equal("AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/host/aws4_request, SignedHeaders=content-type;date;host, Signature=b105eb10c6d318d2294de9d49dd8b031b55e3c3fe139f2e637da70511e9e7b71")
+  end
+end