awsraw 0.1.9 → 1.0.0.alpha.1

data/lib/awsraw/s3/faraday_middleware.rb

@@ -0,0 +1,39 @@
+require 'time'
+require 'faraday'
+require 'awsraw/error'
+require 'awsraw/s3/content_md5_header'
+require 'awsraw/s3/signature'
+require 'awsraw/s3/string_to_sign'
+
+module AWSRaw
+  module S3
+    class FaradayMiddleware < Faraday::Middleware
+
+      def initialize(app, credentials = nil)
+        @app = app
+        @credentials = credentials
+      end
+
+      def call(env)
+        if env[:body] && env[:request_headers]['Content-Type'].nil?
+          raise AWSRaw::Error, "Can't make a request with a body but no Content-Type header"
+        end
+
+        env[:request_headers]['Date']        ||= Time.now.httpdate
+        env[:request_headers]['Content-MD5'] ||= ContentMD5Header.generate_content_md5(env[:body])
+
+        string_to_sign = StringToSign.string_to_sign(
+          :method       => env[:method].to_s.upcase,
+          :uri          => env[:url],
+          :content_md5  => env[:request_headers]['Content-MD5'],
+          :content_type => env[:request_headers]['Content-Type'],
+          :date         => env[:request_headers]['Date'],
+          :amz_headers  => env[:request_headers]
+        )
+
+        env[:request_headers]['Authorization'] = Signature.authorization_header(string_to_sign, @credentials)
+      end
+
+    end
+  end
+end

data/lib/awsraw/s3/query_string_signer.rb

@@ -1,50 +1,39 @@
-require 'awsraw/s3/signer'
-require 'cgi'
+require 'awsraw/s3/string_to_sign'
+require 'awsraw/s3/signature'
 
 module AWSRaw
   module S3
 
-    # Generates a signed query string to make an authenticated S3 GET request
+    # Sign S3 URIs using the query string.
     #
-    # See http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
-    #
-    # The Authorization header method is usually preferable, as implemented in
-    # AWSRaw::S3::Signer. However, you may have occasions where you need a
-    # simple "download URL", without having to tell your user-agent (browser,
-    # curl, wget, etc) about all the special AWS headers. The query string
-    # authentication method is useful in those cases.
-    class QueryStringSigner < Signer
-      def sign_with_query_string(url, expires, headers = {})
-        query_string_hash = query_string_hash(url, expires, headers)
-
-        uri = URI.parse(url)
-        uri.query = query_string_hash.map { |k,v| "#{k}=#{v}" }.join("&")
-        uri.to_s
-      end
-
-      def query_string_hash(url, expires, headers = {})
-        string_to_sign = string_to_sign(url, expires, headers)
-        signature = encoded_signature(string_to_sign)
+    # See http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+    class QueryStringSigner
 
-        {
-          "AWSAccessKeyId" => @access_key_id,
-          "Expires"        => expires.to_s,
-          "Signature"      => CGI.escape(signature)
-        }
+      def initialize(credentials)
+        @credentials = credentials
       end
 
-      def string_to_sign(url, expires, headers)
-        [
-          "GET",
-          headers["Content-MD5"],
-          headers["Content-Type"],
-          expires.to_s,
-          canonicalized_amz_headers(headers),
-          canonicalized_resource(URI.parse(url))
-        ].flatten.join("\n")
+      def sign(uri, expires)
+        string_to_sign = StringToSign.string_to_sign(
+          :method => "GET",
+          :uri    => uri,
+          :date   => expires.to_i
+        )
+
+        signature = Signature.signature(string_to_sign, @credentials)
+
+        URI(uri).tap do |signed_uri|
+          signed_uri.query = URI.encode_www_form(
+            "AWSAccessKeyId" => @credentials.access_key_id,
+            "Signature"      => signature,
+            "Expires"        => expires.to_i
+          )
+        end
       end
 
-    end
+      # For backwards-compatibility with pre-1.0 versions:
+      alias_method :sign_with_query_string, :sign
 
+    end
   end
 end

data/lib/awsraw/s3/signature.rb

@@ -0,0 +1,52 @@
+require 'digest/sha1'
+require 'openssl'
+require 'base64'
+
+module AWSRaw
+  module S3
+
+    module Signature
+
+      # Given a string to sign and some AWS credentials, generate a signature
+      # for an S3 request.
+      def self.signature(string_to_sign, credentials)
+        base64_encode(hmac_sha1(string_to_sign, credentials))
+      end
+
+      # Given a string to sign and some AWS credentials, generate a value
+      # for the Authorization header of an S3 request.
+      def self.authorization_header(string_to_sign, credentials)
+        "AWS #{credentials.access_key_id}:#{signature(string_to_sign, credentials)}"
+      end
+
+      # Encode a HTML form upload policy. See:
+      # http://docs.aws.amazon.com/AmazonS3/latest/dev/HTTPPOSTForms.html
+      #
+      # The policy is expected to be a JSON document.
+      def self.encode_form_policy(policy)
+        base64_encode(policy)
+      end
+
+      # Sign a policy document for a HTML form upload.
+      #
+      # The policy document is expected to be base64 encoded JSON.
+      # See the .encode_form_policy method.
+      def self.form_signature(policy_base64, credentials)
+        signature(policy_base64, credentials)
+      end
+
+    private
+
+      def self.hmac_sha1(data, credentials)
+        digest = OpenSSL::Digest::Digest.new("sha1")
+        OpenSSL::HMAC.digest(digest, credentials.secret_access_key, data)
+      end
+
+      def self.base64_encode(data)
+        Base64.encode64(data).tr("\n", "")
+      end
+
+    end
+
+  end
+end

data/lib/awsraw/s3/string_to_sign.rb

@@ -0,0 +1,49 @@
+require 'awsraw/s3/canonicalized_resource'
+
+module AWSRaw
+  module S3
+
+    module StringToSign
+
+      # Generate the string to sign for authentication headers or query string signing, as per:
+      #
+      # http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader
+      #
+      # Expects the following parameters:
+      #
+      #   :method         The HTTP method being used, e.g. GET, PUT, DELETE
+      #   :uri            The full URI for the request, hostname and everything
+      #   :content_md5    The Content-MD5 header; required if there is body content
+      #   :content_type   The Content-Type header
+      #   :date           The Date (or X-Amz-Date) header
+      #   :amz_headers    A hash of all the X-Amz-* headers
+      #
+      # Headers in the :amz_headers hash that don't start with "X-Amz-" will be ignored.
+      #
+      # For query string signing, pass in the "Expires" timestamp in the :date parameter.
+      def self.string_to_sign(request_info = {})
+        [
+          request_info[:method],
+          request_info[:content_md5]  || "",
+          request_info[:content_type] || "",
+          request_info[:date],
+          canonicalized_amz_headers(request_info[:amz_headers] || {}),
+          CanonicalizedResource.canonicalized_resource(request_info[:uri])
+        ].flatten.join("\n")
+      end
+
+      def self.canonicalized_amz_headers(headers)
+        header_names = headers.keys.
+          select  {|name| name =~ /^x-amz-/i }.
+          sort_by {|name| name.downcase }
+
+        header_names.map do |name|
+          "#{name.downcase}:#{headers[name]}"
+        end
+      end
+
+    end
+
+  end
+end
+

data/lib/awsraw/version.rb

@@ -1,3 +1,3 @@
-module Awsraw
-  VERSION = "0.1.9"
+module AWSRaw
+  VERSION = "1.0.0.alpha.1"
 end

data/spec/s3/canonicalized_resource_spec.rb

@@ -0,0 +1,51 @@
+require 'awsraw/s3/canonicalized_resource'
+
+describe AWSRaw::S3::CanonicalizedResource do
+
+  context ".canonicalized_resource" do
+    it "works for a virtual-host-style request" do
+      expect(subject.canonicalized_resource("http://johnsmith.s3.amazonaws.com/puppies.jpg")).to eq("/johnsmith/puppies.jpg")
+    end
+
+    it "works for a path-style request" do
+      expect(subject.canonicalized_resource("http://s3.amazonaws.com/johnsmith/puppies.jpg")).to eq("/johnsmith/puppies.jpg")
+    end
+  end
+
+  context ".bucket_from_hostname" do
+    it "gets the bucket from virtual-host-style requests in the default region" do
+      expect(subject.bucket_from_hostname("johnsmith.net.s3.amazonaws.com")).to eq("johnsmith.net")
+    end
+
+    it "gets the bucket from virtual-host-style requests in other regions" do
+      expect(subject.bucket_from_hostname("johnsmith.net.s3-eu-west-1.amazonaws.com")).to eq("johnsmith.net")
+    end
+
+    it "gets the bucket from cname-style requests" do
+      expect(subject.bucket_from_hostname("johnsmith.net")).to eq("johnsmith.net")
+    end
+
+    it "doesn't get the bucket for path-style requests in the default region" do
+      expect(subject.bucket_from_hostname("s3.amazonaws.com")).to be_nil
+    end
+
+    it "doesn't get the bucket for path-style requests in other regions" do
+      expect(subject.bucket_from_hostname("s3-eu-west-1.amazonaws.com")).to be_nil
+    end
+  end
+
+  context ".canonicalized_subresources" do
+    it "includes valid subresources" do
+      expect(subject.canonicalized_subresources("acl")).to eq("?acl")
+    end
+
+    it "excludes invalid subresources" do
+      expect(subject.canonicalized_subresources("rhubarb")).to be_nil
+    end
+
+    it "sorts the subresources" do
+      expect(subject.canonicalized_subresources("website&acl")).to eq("?acl&website")
+    end
+  end
+
+end

data/spec/s3/content_md5_header_spec.rb

@@ -0,0 +1,27 @@
+require 'stringio'
+require 'awsraw/s3/content_md5_header'
+
+describe AWSRaw::S3::ContentMD5Header do
+
+  context ".generate_content_md5" do
+    it "returns nil if the body is nil" do
+      expect(subject.generate_content_md5(nil)).to be_nil
+    end
+
+    it "generates the correct digest for a string" do
+      expect(subject.generate_content_md5("rhubarb")).to eq("lBxzvNO0KqwdCwPVMx2IYQ==")
+    end
+
+    it "generates the correct digest for a file" do
+      file = StringIO.new("rhubarb")
+      expect(subject.generate_content_md5(file)).to eq("lBxzvNO0KqwdCwPVMx2IYQ==")
+    end
+
+    it "rewinds a file after reading it" do
+      file = StringIO.new("rhubarb")
+      subject.generate_content_md5(file)
+      expect(file.pos).to eq(0)
+    end
+  end
+
+end

data/spec/s3/faraday_middleware_spec.rb

@@ -0,0 +1,88 @@
+require 'awsraw/s3/faraday_middleware'
+require 'ostruct'
+
+describe AWSRaw::S3::FaradayMiddleware do
+
+  let(:credentials) do
+    OpenStruct.new(
+      :access_key_id     => "AKIAIOSFODNN7EXAMPLE",
+      :secret_access_key => "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    )
+  end
+
+  let(:app)  { double("app") }
+  let(:time) { Time.parse("2013-09-19 19:22:13 +1000") }
+
+  subject { described_class.new(app, credentials) }
+
+  it "signs the request" do
+    env = {
+      :method       => :put,
+      :url          => "http://static.johnsmith.net:8080/db-backup.dat.gz",
+      :request_headers => {
+        "Date"                         => "Tue, 27 Mar 2007 21:06:08 +0000",
+        "Content-Type"                 => "application/x-download",
+        "Content-MD5"                  => "4gJE4saaMU4BqNR0kLY+lw==",
+        "x-amz-acl"                    => "public-read",
+        "X-Amz-Meta-ReviewedBy"        => "joe@johnsmith.net,jane@johnsmith.net",
+        "X-Amz-Meta-FileChecksum"      => "0x02661779",
+        "X-Amz-Meta-ChecksumAlgorithm" => "crc32"
+      }
+    }
+    subject.call(env)
+    expect(env[:request_headers]["Authorization"]).to eq(
+      "AWS AKIAIOSFODNN7EXAMPLE:ilyl83RwaSoYIEdixDQcA4OnAnc="
+    )
+  end
+
+  it "sets the Date header if there isn't one" do
+    Time.stub(:now => time) # Freeze time for the duration of the test.
+
+    env = {
+      :method          => :get,
+      :url             => "http://s3.amazonaws.com/",
+      :request_headers => {}
+    }
+    subject.call(env)
+    expect(env[:request_headers]["Date"]).to eq(time.httpdate)
+  end
+
+  it "calculates the Content-MD5 header from the body if there isn't one" do
+    env = {
+      :method          => :put,
+      :url             => "http://s3.amazonaws.com/johnsmith/my-file.txt",
+      :body            => "rhubarb",
+      :request_headers => {
+        "Content-Type" => "text/plain"
+      }
+    }
+    subject.call(env)
+    expect(env[:request_headers]["Content-MD5"]).to eq("lBxzvNO0KqwdCwPVMx2IYQ==")
+  end
+
+  it "lets you manually set the Content-MD5 header" do
+    env = {
+      :method          => :put,
+      :url             => "http://s3.amazonaws.com/johnsmith/my-file.txt",
+      :body            => "rhubarb",
+      :request_headers => {
+        "Content-Type" => "text/plain",
+        "Content-MD5"  => "test-content-md5"
+      }
+    }
+    subject.call(env)
+    expect(env[:request_headers]["Content-MD5"]).to eq("test-content-md5")
+
+  end
+
+  it "blows up if you have a request body, but no content type" do
+    env = {
+      :method          => :put,
+      :url             => "http://s3.amazonaws.com/johnsmith/my-file.txt",
+      :body            => "rhubarb",
+      :request_headers => { }
+    }
+    expect { subject.call(env) }.to raise_error(AWSRaw::Error, "Can't make a request with a body but no Content-Type header")
+  end
+
+end

data/spec/s3/query_string_signer_spec.rb

@@ -1,67 +1,23 @@
 require 'awsraw/s3/query_string_signer'
+require 'ostruct'
 
 describe AWSRaw::S3::QueryStringSigner do
-  let(:access_key_id)     { "AKIAIOSFODNN7EXAMPLE" }
-  let(:secret_access_key) { "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" }
 
-  subject { AWSRaw::S3::QueryStringSigner.new(access_key_id, secret_access_key) }
-
-  context "examples from Amazon docs" do
-    it "signs a get request correctly" do
-      url = "http://s3.amazonaws.com/johnsmith/photos/puppy.jpg"
-      expiry = 1175139620
-      headers = {}
-
-      subject.string_to_sign(url, expiry, {}).should ==
-        "GET\n\n\n#{expiry}\n/johnsmith/photos/puppy.jpg"
-
-      subject.query_string_hash(url, expiry).should == {
-        "AWSAccessKeyId" => access_key_id,
-        "Expires"        => expiry.to_s,
-        "Signature"      => "NpgCjnDzrM%2BWFzoENXmpNDUsSn8%3D"
-      }
-
-      subject.sign_with_query_string(url, expiry).to_s.should ==
-        "http://s3.amazonaws.com/johnsmith/photos/puppy.jpg?AWSAccessKeyId=#{access_key_id}&Expires=#{expiry}&Signature=NpgCjnDzrM%2BWFzoENXmpNDUsSn8%3D"
-    end
-
-    it "signs a get request to a non-us-east bucket" do
-      url = "http://johnsmith.s3.amazonaws.com/photos/puppy.jpg"
-      expiry = 1175139620
-      headers = {}
-
-      subject.string_to_sign(url, expiry, headers).should ==
-        "GET\n\n\n#{expiry}\n/johnsmith/photos/puppy.jpg"
-
-      subject.query_string_hash(url, expiry).should == {
-        "AWSAccessKeyId" => access_key_id,
-        "Expires"        => expiry.to_s,
-        "Signature"      => "NpgCjnDzrM%2BWFzoENXmpNDUsSn8%3D"
-      }
-
-      subject.sign_with_query_string(url, expiry).to_s.should ==
-        "http://johnsmith.s3.amazonaws.com/photos/puppy.jpg?AWSAccessKeyId=#{access_key_id}&Expires=#{expiry}&Signature=NpgCjnDzrM%2BWFzoENXmpNDUsSn8%3D"
-    end
+  let(:credentials) do
+    OpenStruct.new(
+      :access_key_id     => "AKIAIOSFODNN7EXAMPLE",
+      :secret_access_key => "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    )
   end
 
-  context "custom headers" do
-    let(:url) { "http://s3.amazonaws.com/johnsmith/" }
-    let(:expiry) { 1175139620 }
-
-    it "changes the signature based on the Content-MD5 header" do
-      subject.string_to_sign(url, expiry, "Content-MD5" => "deadbeef").should ==
-        "GET\ndeadbeef\n\n#{expiry}\n/johnsmith/"
-    end
+  subject { described_class.new(credentials) }
 
-    it "changes the signature based on the Content-Type header" do
-      subject.string_to_sign(url, expiry, "Content-Type" => "image/png").should ==
-        "GET\n\nimage/png\n#{expiry}\n/johnsmith/"
-    end
+  # See the example in the AWS docs:
+  # http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
+  it "signs Amazon's example URI correctly" do
+    uri = subject.sign("http://johnsmith.s3.amazonaws.com/photos/puppy.jpg", Time.at(1175139620))
 
-    it "changes the signature based on x-amz-* headers" do
-      subject.string_to_sign(url, expiry, "x-amz-acl" => "public-read").should ==
-        "GET\n\n\n#{expiry}\nx-amz-acl:public-read\n/johnsmith/"
-    end
+    expect(uri.to_s).to eq("http://johnsmith.s3.amazonaws.com/photos/puppy.jpg?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Signature=NpgCjnDzrM%2BWFzoENXmpNDUsSn8%3D&Expires=1175139620")
   end
-end
 
+end