aws4_signer 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 40d14a60591fbacc5974d2146d052a90d6c82e8d
+  data.tar.gz: ac94c5b92bf12e4617387070a7616d3f6066365a
+SHA512:
+  metadata.gz: a975872efa7da0c5c1bd42f25a132c5213a0c10e7f54196158fb9df615a1a2351645942e697bfeb47dd8a8b0b39279acba2a7bb4078ab994668e1627f3e27f18
+  data.tar.gz: 995dbc0117c08c1d96165eb138637164e3422733d80a0f3ad2f56bc80681bff606f4556fb60786118fcf628cc8cf86ad327f0ab034b77a52fca57267238853a3

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+cache: bundler
+rvm:
+  - "2.1.1"
+  - "2.0.0"
+  - "ruby-head"
+matrix:
+  allow_failures:
+    - rvm:
+      - "ruby-head"
+  fast_finish: true
+notifications:
+  email:
+    - travis-ci@sorah.jp
+script: bundle exec rake test

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in aws4_signer.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Shota Fukumori (sora_h)
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,43 @@
+# Aws4Signer - Simple signer module implements AWS4 signature
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'aws4_signer'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install aws4_signer
+
+## Usage
+
+```
+bucket, key = 'foo', 'path/to/file'
+signer = Aws4Signer.new(ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"], 'ap-northeast-1', 's3')
+uri = URI("https://s3-ap-northeast-1.amazonaws.com/#{bucket}/#{key}")
+Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http| 
+  req = Net::HTTP::Get.new(uri)
+  signer.sign_http_request(req)
+
+  response = http.request(req)
+  p response.body
+end
+```
+
+## Reference
+
+- [Authenticating Requests (AWS Signature Version 4) - Amazon Simple Storage Service](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html)
+- [Authenticating Requests by Using the Authorization Header (Compute Checksum of the Entire Payload Prior to Transmission) - Signature Version 4 - Amazon Simple Storage Service](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)
+
+## Contributing
+
+1. Fork it ( https://github.com/sorah/aws4_signer/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+  t.pattern= "test/*_spec.rb"
+end
+
+task default: :test

data/aws4_signer.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'aws4_signer/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "aws4_signer"
+  spec.version       = Aws4Signer::VERSION
+  spec.authors       = ["Shota Fukumori (sora_h)"]
+  spec.email         = ["her@sorah.jp"]
+  spec.summary       = %q{Simple signer module implements AWS4 signature}
+  spec.description   = nil
+  spec.homepage      = "https://github.com/sorah/aws4_signer"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "minitest", '~> 5.4.0'
+  spec.add_development_dependency 'minitest-reporters', '~> 1.0.5'
+end

data/examples/s3_get.rb

@@ -0,0 +1,22 @@
+require 'aws4_signer'
+require 'uri'
+require 'net/http'
+require 'net/https'
+
+bucket, key = ARGV
+
+unless bucket && key && ENV["AWS_ACCESS_KEY_ID"] && ENV["AWS_SECRET_ACCESS_KEY"] && ENV["AWS_REGION"]
+  puts "Usage: #{$0} bucket key"
+  puts "Specify AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION via environment variable"
+  exit 2
+end
+
+signer = Aws4Signer.new(ENV["AWS_ACCESS_KEY_ID"], ENV["AWS_SECRET_ACCESS_KEY"], ENV["AWS_REGION"], 's3')
+uri = URI("https://s3-#{ENV["AWS_REGION"]}.amazonaws.com/#{bucket}/#{key}")
+Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http| 
+  req = Net::HTTP::Get.new(uri)
+  signer.sign_http_request(req)
+
+  response = http.request(req)
+  puts response.body
+end

data/lib/aws4_signer/signature.rb

@@ -0,0 +1,142 @@
+class Aws4Signer
+  class Signature
+    def initialize(access_key_id, secret_access_key, region, service, verb, uri, headers, body)
+      @access_key_id = access_key_id
+      @secret_access_key = secret_access_key
+      @region = region
+      @service = service
+      @verb = verb
+      @uri = uri
+      @headers = headers.dup
+      @body = body
+
+      @headers.each do |name, value|
+        if value.kind_of?(Array)
+          @headers[name] = value.first
+        end
+      end
+
+      @headers["x-amz-date"] ||= @headers.delete("X-Amz-Date")
+      unless @headers["x-amz-date"]
+        @date = Time.now.utc
+        @headers["x-amz-date"] = @date.strftime("%Y%m%dT%H%M%SZ")
+      end
+      @headers["Host"] ||= @headers.delete("host") || uri.host
+    end
+
+    attr_reader :region, :service, :verb, :uri, :headers, :body, :access_key_id, :secret_access_key
+
+    def attach_to_http_request(req)
+      headers.each do |name, value|
+        req[name.downcase] = value
+      end
+
+      req["x-amz-content-sha256"] = Digest::SHA2.hexdigest(req.body || '', 256)
+      req["authorization"] = authorization_header
+
+      req
+    end
+
+    def authorization_header
+      "AWS4-HMAC-SHA256 " \
+        "Credential=#{@access_key_id}/#{scope}," \
+        "SignedHeaders=#{signed_headers}," \
+        "Signature=#{signature}"
+    end
+
+    def date
+      @date ||= begin
+        time = Time.strptime(headers["x-amz-date"],"%Y%m%dT%H%M%SZ")
+        time += time.utc_offset
+        time.utc
+      end
+    end
+
+    def canonical_headers
+      @canonical_headers ||= begin
+        signed = []
+        hs = headers.sort_by { |name, _| name.downcase }.flat_map { |name, value|
+          next if name == "Authorization"
+
+          signed << name.downcase
+          case value
+          when Array
+            value.each do |v|
+              "#{name.downcase}:#{v.to_s.strip}\n"
+            end
+          else
+            "#{name.downcase}:#{value.to_s.strip}\n"
+          end
+        }.compact.join.freeze
+
+        @signed_headers = signed.join(";").freeze
+        hs
+      end
+    end
+
+    def signed_headers
+      canonical_headers; @signed_headers
+    end
+
+    def hashed_payload
+      @hashed_payload ||= Digest::SHA2.hexdigest(body, 256)
+    end
+
+    def canonical_request
+      @canonical_request ||= [
+        @verb.upcase,
+        @uri.path,
+        @uri.query,
+        canonical_headers,
+        signed_headers,
+        hashed_payload,
+      ].join("\n")
+    end
+
+    def scope
+      "#{date.strftime("%Y%m%d")}/#{@region}/#{service}/aws4_request"
+    end
+
+    def string_to_sign
+      @string_to_sign ||= [
+        "AWS4-HMAC-SHA256",
+        headers["x-amz-date"],
+        scope,
+        Digest::SHA2.hexdigest(canonical_request, 256),
+      ].join("\n")
+    end
+
+    def date_key
+      @date_key ||= hmac("AWS4#{@secret_access_key}", date.strftime("%Y%m%d"))
+    end
+
+    def date_region_key
+      @date_region_key ||= hmac(date_key, region)
+    end
+
+    def date_region_service_key
+      @date_region_service_key ||= hmac(date_region_key, service)
+    end
+
+    def signing_key
+      @signing_key ||= hmac(date_region_service_key, 'aws4_request')
+    end
+
+    def signature
+      @signature ||= hmac(signing_key, string_to_sign, :hex)
+    end
+
+    private
+
+    def hmac(key, data, hex = false)
+      hm = OpenSSL::HMAC.new(key, OpenSSL::Digest.new('sha256'))
+      hm.update(data)
+
+      if hex
+        hm.hexdigest
+      else
+        hm.digest
+      end
+    end
+  end
+end

data/lib/aws4_signer/version.rb

@@ -0,0 +1,3 @@
+class Aws4Signer
+  VERSION = "0.1.0"
+end

data/lib/aws4_signer.rb

@@ -0,0 +1,48 @@
+require 'uri'
+require 'time'
+require 'digest/sha2'
+require 'openssl'
+
+require 'net/http'
+require 'net/https'
+
+require "aws4_signer/version"
+require 'aws4_signer/signature'
+
+class Aws4Signer
+  # to be exactly follow the AWS documentation, implement by ourselves
+  def self.uri_encode(str)
+    str.bytes.map do |c|
+      if %w[- . _ ~].include?(c) || (?A .. ?Z).cover?(c) || (?a .. ?z).cover?(c) || (?0 .. ?9).cover?(c)
+        c
+      else
+        "%#{c.ord.to_s(16)}"
+      end
+    end.join
+  end
+
+  def initialize(access_key_id, secret_access_key, region, service)
+    @access_key_id = access_key_id
+    @secret_access_key = secret_access_key
+    @region = region
+    @service = service
+  end
+
+  def sign(verb, uri, headers: {}, body: '')
+    raise ArgumentError, 'URI must provided' unless uri
+    Signature.new(@access_key_id, @secret_access_key, @region, @service, verb, uri, headers, body)
+  end
+
+  def sign_http_request(req, uri = nil)
+    sign(
+      req.method,
+      uri || req.uri,
+      headers: req.to_hash,
+      body: req.body || '',
+    ).tap do |signature|
+      signature.attach_to_http_request(req)
+    end
+  end
+end
+
+

data/test/aws4_signer_spec.rb

@@ -0,0 +1,27 @@
+require_relative './test_helper'
+require 'minitest/autorun'
+require 'aws4_signer'
+
+require 'uri'
+require 'net/http'
+
+describe Aws4Signer do
+  let(:signer) { Aws4Signer.new('KEYKEYKEY','THISISSECRET', 'xx-region-1', 'svc') }
+  let(:uri) { URI('https://example.org/foo/bar?baz=blah') }
+
+  describe "#sign" do
+    it "returns Signature" do
+      signature = signer.sign('PUT', uri, headers: {'foo' => 'bar'}, body: 'hello')
+
+      assert signature.is_a?(Aws4Signer::Signature)
+      assert_equal 'KEYKEYKEY', signature.access_key_id
+      assert_equal 'THISISSECRET', signature.secret_access_key
+      assert_equal 'xx-region-1', signature.region
+      assert_equal 'svc', signature.service
+      assert_equal 'PUT', signature.verb
+      assert_equal uri, signature.uri
+      assert_equal 'hello', signature.body
+      assert_equal 'bar', signature.headers['foo']
+    end
+  end
+end

data/test/signature_spec.rb

@@ -0,0 +1,197 @@
+require_relative './test_helper'
+require 'minitest/autorun'
+require 'aws4_signer/signature'
+
+require 'uri'
+require 'digest/sha2'
+
+describe Aws4Signer::Signature do
+  let(:uri) { URI('https://example.org/foo/bar?baz=blah') }
+  let(:verb) { 'PUT' }
+  let(:headers) do
+    {'x-foo' => 'bar'}
+  end
+  let(:body) { 'hello' }
+
+  let(:signature) do
+    Aws4Signer::Signature.new(
+      'AKID',
+      'SECRET',
+      'xx-region-1',
+      'svc',
+      verb,
+      uri,
+      headers,
+      body,
+    )
+  end
+
+  describe "headers" do
+    describe "without x-amz-date" do
+      it "assigns" do
+        assert signature.headers['x-amz-date'].is_a?(String)
+      end
+    end
+
+    describe "with x-amz-date" do
+      before do
+        headers['x-amz-date'] = '20140222T070605Z'
+      end
+
+      it "doesn't assign" do
+        assert signature.headers['x-amz-date'].is_a?(String)
+        assert_equal Time.utc(2014,02,22,07,06,05), signature.date
+      end
+    end
+
+    describe "without host" do
+      it "assigns" do
+        assert_equal 'example.org', signature.headers['Host']
+      end
+    end
+
+    describe "with host" do
+      before do
+        headers['host'] = 'example.com'
+      end
+
+      it "doesn't assign" do
+        assert_equal 'example.com', signature.headers['Host']
+      end
+    end
+  end
+
+  describe "#attach_to_http_request" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "assigns headers" do
+      headers = {}
+      class << headers
+        def body
+          'hello'
+        end
+      end
+      signature.attach_to_http_request(headers)
+
+      assert_equal 'example.org', headers['host']
+      assert_equal '20140222T070605Z', headers['x-amz-date']
+      assert_equal 'bar', headers['x-foo']
+      assert_equal signature.authorization_header, headers['authorization']
+      assert_equal Digest::SHA2.hexdigest('hello', 256), headers['x-amz-content-sha256']
+    end
+  end
+
+  describe "#authorization_header" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "returns" do
+      assert_equal 'AWS4-HMAC-SHA256 '\
+        'Credential=AKID/20140222/xx-region-1/svc/aws4_request,' \
+        'SignedHeaders=host;x-amz-date;x-foo,' \
+        'Signature=2845eebf2510f52010a9d9e228d4b60d4dd33fb7e9f349fb21bd6a533bfc37b6',
+        signature.authorization_header
+    end
+  end
+
+  describe "#signature" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "return the sign" do
+      assert_equal '2845eebf2510f52010a9d9e228d4b60d4dd33fb7e9f349fb21bd6a533bfc37b6', signature.signature
+    end
+  end
+
+  describe "#canonical_headers,signed_headers" do
+    let(:headers) do
+      {
+        'x-test-b' => '2',
+        'X-Test-A' => '1',
+        'x-test-c' => '3',
+        'Authorization' => 'skip',
+      }
+    end
+
+    it "ends with return" do
+      assert_equal "\n", signature.canonical_headers[-1]
+    end
+
+    it "contains headers" do
+      assert signature.canonical_headers.lines.include?("x-test-b:2\n")
+      assert signature.canonical_headers.lines.include?("x-test-a:1\n") # downcase
+      assert signature.canonical_headers.lines.include?("x-test-c:3\n")
+      assert !signature.canonical_headers.lines.include?("Authorization:skip\n")
+
+      %w(x-test-a x-test-b x-test-c).each do |name|
+        assert signature.signed_headers.split(/;/).include?(name)
+      end
+    end
+
+    it "sorts headers" do
+      assert %w(host x-amz-date x-test-a x-test-b x-test-c),
+        signature.canonical_headers.lines.map { |_| _.split(/:/,2).first }
+
+      assert_equal 'host;x-amz-date;x-test-a;x-test-b;x-test-c', signature.signed_headers
+    end
+  end
+
+  describe "#hashed_payload" do
+    let(:body) { 'body' }
+
+    it "returns hashed payloed" do
+      assert_equal Digest::SHA2.hexdigest('body', 256), signature.hashed_payload
+    end
+  end
+
+  describe "#canonical_request" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "returns canonical request" do
+      canonical_request = signature.canonical_request
+
+      assert_equal <<-EXPECTED.chomp, canonical_request
+PUT
+/foo/bar
+baz=blah
+host:example.org
+x-amz-date:20140222T070605Z
+x-foo:bar
+
+host;x-amz-date;x-foo
+#{Digest::SHA2.hexdigest('hello', 256)}
+      EXPECTED
+    end
+  end
+
+  describe "#scope" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "returns scope" do
+      assert_equal '20140222/xx-region-1/svc/aws4_request', signature.scope
+    end
+  end
+
+  describe "#string_to_sign" do
+    before do
+      headers['x-amz-date'] = '20140222T070605Z'
+    end
+
+    it "returns string to sign" do
+      assert_equal <<-EXPECTED.chomp, signature.string_to_sign
+AWS4-HMAC-SHA256
+20140222T070605Z
+20140222/xx-region-1/svc/aws4_request
+#{Digest::SHA2.hexdigest(signature.canonical_request, 256)}
+      EXPECTED
+    end
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,3 @@
+require 'minitest/spec'
+require 'minitest/reporters'
+Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new

metadata

@@ -0,0 +1,117 @@
+--- !ruby/object:Gem::Specification
+name: aws4_signer
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Shota Fukumori (sora_h)
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-07-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.4.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.4.0
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.5
+description: ''
+email:
+- her@sorah.jp
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws4_signer.gemspec
+- examples/s3_get.rb
+- lib/aws4_signer.rb
+- lib/aws4_signer/signature.rb
+- lib/aws4_signer/version.rb
+- test/aws4_signer_spec.rb
+- test/signature_spec.rb
+- test/test_helper.rb
+homepage: https://github.com/sorah/aws4_signer
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Simple signer module implements AWS4 signature
+test_files:
+- test/aws4_signer_spec.rb
+- test/signature_spec.rb
+- test/test_helper.rb