mss-sdk 1.0.0

data/lib/mss/core/signers/version_2.rb

@@ -0,0 +1,71 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+module MSS
+  module Core
+    module Signers
+      # @api private
+      class Version2
+
+        include Base
+
+        # @param [CredentialProviders::Provider] credentials
+        def initialize credentials
+          @credentials = credentials
+        end
+
+        # @return [CredentialProviders::Provider]
+        attr_reader :credentials
+
+        # @param [Http::Request] req
+        # @return [Http::Request]
+        def sign_request req
+          req.add_param('AWSAccessKeyId', credentials.access_key_id)
+          if token = credentials.session_token
+            req.add_param("SecurityToken", token)
+          end
+          req.add_param('SignatureVersion', '2')
+          req.add_param('SignatureMethod', 'HmacSHA256')
+          req.add_param('Signature', signature(req))
+          req.body = req.url_encoded_params
+          req
+        end
+
+        private
+
+        # @param [Http::Request] req
+        def signature req
+          sign(credentials.secret_access_key, string_to_sign(req))
+        end
+
+        # @param [Http::Request] req
+        def string_to_sign req
+
+          host =
+            case req.port
+            when 80, 443 then req.host
+            else "#{req.host}:#{req.port}"
+            end
+
+          [
+            req.http_method,
+            host.to_s.downcase,
+            req.path,
+            req.url_encoded_params,
+          ].join("\n")
+
+        end
+
+      end
+    end
+  end
+end

data/lib/mss/core/signers/version_3.rb

@@ -0,0 +1,85 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'openssl'
+require 'time'
+
+module MSS
+  module Core
+    module Signers
+      # @api private
+      class Version3
+
+        include Base
+
+        # @param [CredentialProviders::Provider] credentials
+        def initialize credentials
+          @credentials = credentials
+        end
+
+        # @return [CredentialProviders::Provider]
+        attr_reader :credentials
+
+        # @param [Http::Request] req
+        # @return [Http::Request]
+        def sign_request req
+          req.headers["x-amz-date"] ||= (req.headers["date"] ||= Time.now.httpdate)
+          req.headers["host"] ||= req.host
+          req.headers["x-amz-security-token"] = credentials.session_token if
+            credentials.session_token
+          req.headers["x-amzn-authorization"] =
+            "MSS3 "+
+            "AWSAccessKeyId=#{credentials.access_key_id},"+
+            "Algorithm=HmacSHA256,"+
+            "SignedHeaders=#{headers_to_sign(req).join(';')},"+
+            "Signature=#{signature(req)}"
+        end
+
+        private
+
+        # @param [Http::Request] req
+        def signature req, service_signing_name = nil
+          sign(credentials.secret_access_key, string_to_sign(req))
+        end
+
+        # @param [Http::Request] req
+        def string_to_sign req
+          OpenSSL::Digest::SHA256.digest([
+            req.http_method,
+            "/",
+            "",
+            canonical_headers(req),
+            req.body
+          ].join("\n"))
+        end
+
+        # @param [Http::Request] req
+        def canonical_headers req
+          headers_to_sign(req).map do |name|
+            value = req.headers[name]
+            "#{name.downcase.strip}:#{value.strip}\n"
+          end.sort.join
+        end
+
+        # @param [Http::Request] req
+        def headers_to_sign req
+          req.headers.keys.select do |header|
+              header == "host" ||
+              header == "content-encoding" ||
+              header =~ /^x-amz/
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/mss/core/signers/version_3_https.rb

@@ -0,0 +1,60 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'time'
+
+module MSS
+  module Core
+    module Signers
+      # @api private
+      class Version3Https
+
+        include Base
+
+        # @param [CredentialProviders::Provider] credentials
+        def initialize credentials
+          @credentials = credentials
+        end
+
+        # @return [CredentialProviders::Provider]
+        attr_reader :credentials
+
+        # @param [Http::Request] req
+        # @return [Http::Request]
+        def sign_request req
+          parts = []
+          parts << "MSS3-HTTPS AWSAccessKeyId=#{credentials.access_key_id}"
+          parts << "Algorithm=HmacSHA256"
+          parts << "Signature=#{signature(req)}"
+          req.headers['x-amzn-authorization'] = parts.join(',')
+          req.headers['x-amz-security-token'] = credentials.session_token if
+            credentials.session_token
+          req
+        end
+
+        private
+
+        # @param [Http::Request] req
+        def signature req
+          sign(credentials.secret_access_key, string_to_sign(req))
+        end
+
+        # @param [Http::Request] req
+        def string_to_sign req
+          req.headers['date'] ||= Time.now.httpdate
+        end
+
+      end
+    end
+  end
+end
+

data/lib/mss/core/signers/version_4/chunk_signed_stream.rb

@@ -0,0 +1,190 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'stringio'
+
+module MSS
+  module Core
+    module Signers
+      class Version4
+        class ChunkSignedStream
+
+          # @api private
+          DEFAULT_CHUNK_SIZE = 128 * 1024
+
+          # @api private
+          MAX_BUFFER_SIZE = 256 * 1024
+
+          # @api private
+          CHUNK_SIGNATURE_HEADER = ";chunk-signature="
+
+          # @api private
+          CHUNK_STRING_TO_SIGN_PREFIX = "MSS4-HMAC-SHA256-PAYLOAD"
+
+          # @api private
+          SIGNATURE_LENGTH = 64
+
+          # @api private
+          CLRF = "\r\n"
+
+          # @param [IO] stream The original http request body stream.
+          # @param [Integer] stream_size Size of the original stream in bytes.
+          #   This must be greater than 0.
+          # @param [String] key The derived sigv4 signing key.
+          # @param [String] key_path The scope of the derived key.
+          # @param [String] datetime The iso8601 formatted datetime.
+          # @param [String] signature The computed signature of the request headers.
+          # @return [IO] Returns an IO-like object.
+          def initialize stream, stream_size, key, key_path, datetime, signature
+            @stream = stream || StringIO.new('')
+            @size = self.class.signed_size(stream_size)
+            @key = key
+            @key_path = key_path
+            @datetime = datetime
+            @prev_chunk_signature = signature
+            reset
+          end
+
+          # @return [Integer] the size of the final (signed) stream
+          attr_reader :size
+
+          # @param [Integer] bytes (nil)
+          # @param [String] output_buffer (nil)
+          # @return [String,nil]
+          def read bytes = nil, output_buffer = nil
+            data = read_bytes(bytes || @size)
+            if output_buffer
+              output_buffer.replace(data || '')
+            else
+              (data.nil? and bytes.nil?) ? '' : data
+            end
+          end
+
+          # @return [Integer]
+          def rewind
+            @stream.rewind
+            reset
+          end
+
+          private
+
+          def reset
+            @buffer = ''
+            @more_chunks = true
+          end
+
+          # @param [Integer] num_bytes The maximum number of bytes to return.
+          # @return [String,nil] `nil` once the complete stream has been read
+          def read_bytes num_bytes
+            fill_buffer(num_bytes)
+            bytes = @buffer[0,num_bytes]
+            @buffer = @buffer[num_bytes..-1] || '' # flatten the buffer
+            bytes == '' ? nil : bytes
+          end
+
+          # Fills the internal buffer at least +num_bytes+ of data.
+          # @param [Integer] num_bytes
+          def fill_buffer num_bytes
+            while @buffer.bytesize < num_bytes && more_chunks?
+              @buffer << next_chunk
+            end
+          end
+
+          def more_chunks?
+            @more_chunks
+          end
+
+          def next_chunk
+            chunk = @stream.read(DEFAULT_CHUNK_SIZE)
+            if chunk.nil?
+              chunk = ''
+              @more_chunks = false
+            end
+            sign_chunk(chunk)
+          end
+
+          # Given a chunk of the original stream, this method returns a signed
+          # chunk with the prefixed header.
+          # @param [String] chunk
+          # @return [String]
+          def sign_chunk chunk
+            [
+              chunk.bytesize.to_s(16),
+              CHUNK_SIGNATURE_HEADER,
+              next_chunk_signature(chunk),
+              CLRF,
+              chunk,
+              CLRF,
+            ].join
+          end
+
+          # @param [String] chunk
+          # @return [String]
+          def next_chunk_signature chunk
+            string_to_sign = [
+              "MSS4-HMAC-SHA256-PAYLOAD",
+              @datetime,
+              @key_path,
+              @prev_chunk_signature,
+              hash(''),
+              hash(chunk),
+            ].join("\n")
+            signature = sign(string_to_sign)
+            @prev_chunk_signature = signature
+            signature
+          end
+
+          def sign value
+            @digest ||= OpenSSL::Digest.new('sha256')
+            OpenSSL::HMAC.hexdigest(@digest, @key, value)
+          end
+
+          def hash value
+            OpenSSL::Digest::SHA256.new.update(value).hexdigest
+          end
+
+          class << self
+
+            # Computes the final size of a chunked signed stream.
+            # @param [Integer] size Size of the original, unsigned stream.
+            # @return [Integer]
+            def signed_size size
+              full_sized_chunks = size / DEFAULT_CHUNK_SIZE
+              trailing_bytes = size % DEFAULT_CHUNK_SIZE
+              length = 0
+              length += full_sized_chunks * header_length(DEFAULT_CHUNK_SIZE)
+              length += trailing_bytes > 0 ? header_length(trailing_bytes) : 0
+              length += header_length(0)
+              length
+            end
+
+            private
+
+            # Computes the size of a header that prefixes a chunk.  The size
+            # appears in the header as a string.
+            # @param [Integer] size
+            # @return [Integer]
+            def header_length size
+              size.to_s(16).length +
+              CHUNK_SIGNATURE_HEADER.length +
+              SIGNATURE_LENGTH +
+              CLRF.length +
+              size +
+              CLRF.length
+            end
+
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mss/core/signers/version_4.rb

@@ -0,0 +1,227 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'time'
+require 'openssl'
+require 'digest'
+
+module MSS
+  module Core
+    module Signers
+      # @api private
+      class Version4
+
+        autoload :ChunkSignedStream, 'mss/core/signers/version_4/chunk_signed_stream'
+
+        # @api private
+        # SHA256 hex digest of the empty string
+        EMPTY_DIGEST = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+
+        # @api private
+        STREAMING_CHECKSUM = "STREAMING-MSS4-HMAC-SHA256-PAYLOAD"
+
+        # @param [CredentialProviders::Provider] credentials
+        # @param [String] service_name
+        # @param [String] region
+        def initialize credentials, service_name, region
+          @credentials = credentials
+          @service_name = service_name
+          @region = region
+        end
+
+        # @return [CredentialProviders::Provider]
+        attr_reader :credentials
+
+        # @return [String]
+        attr_reader :service_name
+
+        # @return [String]
+        attr_reader :region
+
+        # @param [Http::Request] req
+        # @option options [Boolean] :chunk_signing (false) When +true+, the
+        #   request body will be signed in chunk.
+        # @option options [DateTime String<YYYYMMDDTHHMMSSZ>] :datetime
+        # @return [Http::Request]
+        def sign_request req, options = {}
+          datetime = options[:datetime] || Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
+          key = derive_key(datetime)
+          token = credentials.session_token
+          chunk_signing = !!options[:chunk_signing]
+          content_sha256 = req.headers['x-amz-content-sha256'] || body_digest(req, chunk_signing)
+
+          req.headers['host'] = req.host
+          req.headers['x-amz-date'] = datetime
+          req.headers['x-amz-security-token'] = token if token
+          req.headers['x-amz-content-sha256'] = content_sha256
+
+          if chunk_signing
+            orig_size = req.headers['content-length'].to_i
+            signed_size = ChunkSignedStream.signed_size(orig_size.to_i)
+            req.headers['content-length'] = signed_size.to_s
+            req.headers['x-amz-decoded-content-length'] = orig_size.to_s
+          end
+
+          req.headers['authorization'] = authorization(req, key, datetime, content_sha256)
+
+          req.body_stream = chunk_signed_stream(req, key) if chunk_signing
+
+          req
+        end
+
+        def signature(request, key, datetime, content_sha256)
+          string = string_to_sign(request, datetime, content_sha256)
+          hexhmac(key, string)
+        end
+
+        def credential(datetime)
+          "#{credentials.access_key_id}/#{key_path(datetime)}"
+        end
+
+        def derive_key(datetime)
+          k_secret = credentials.secret_access_key
+          k_date = hmac("MSS4" + k_secret, datetime[0,8])
+          k_region = hmac(k_date, region)
+          k_service = hmac(k_region, service_name)
+          k_credentials = hmac(k_service, 'mss4_request')
+        end
+
+        private
+
+        # Wraps the req body stream with another stream.  The wrapper signs
+        # the original body as it is read, injecting signatures of indiviaul
+        # chunks into the resultant stream.
+        # @param [Http::Request] req
+        # @param [String] key
+        # @param [String] datetime
+        def chunk_signed_stream req, key
+          args = []
+          args << req.body_stream
+          args << req.headers['x-amz-decoded-content-length'].to_i
+          args << key
+          args << key_path(req.headers['x-amz-date'])
+          args << req.headers['x-amz-date']
+          args << req.headers['authorization'].split('Signature=')[1]
+          ChunkSignedStream.new(*args)
+        end
+
+        def authorization req, key, datetime, content_sha256
+          parts = []
+          parts << "MSS4-HMAC-SHA256 Credential=#{credential(datetime)}"
+          parts << "SignedHeaders=#{signed_headers(req)}"
+          parts << "Signature=#{signature(req, key, datetime, content_sha256)}"
+          parts.join(', ')
+        end
+
+        def string_to_sign req, datetime, content_sha256
+          parts = []
+          parts << 'MSS4-HMAC-SHA256'
+          parts << datetime
+          parts << key_path(datetime)
+          parts << hexdigest(canonical_request(req, content_sha256))
+          parts.join("\n")
+        end
+
+        # @param [String] datetime
+        # @return [String] the signature scope.
+        def key_path datetime
+          parts = []
+          parts << datetime[0,8]
+          parts << region
+          parts << service_name
+          parts << 'mss4_request'
+          parts.join("/")
+        end
+
+        # @param [Http::Request] req
+        def canonical_request req, content_sha256
+          parts = []
+          parts << req.http_method
+          parts << req.path
+          parts << req.querystring
+          parts << canonical_headers(req) + "\n"
+          parts << signed_headers(req)
+          parts << content_sha256
+          parts.join("\n")
+        end
+
+        # @param [Http::Request] req
+        def signed_headers req
+          to_sign = req.headers.keys.map{|k| k.to_s.downcase }
+          to_sign.delete('authorization')
+          to_sign.sort.join(";")
+        end
+
+        # @param [Http::Request] req
+        def canonical_headers req
+          headers = []
+          req.headers.each_pair do |k,v|
+            headers << [k,v] unless k == 'authorization'
+          end
+          headers = headers.sort_by(&:first)
+          headers.map{|k,v| "#{k}:#{canonical_header_values(v)}" }.join("\n")
+        end
+
+        # @param [String,Array<String>] values
+        def canonical_header_values values
+          values = [values] unless values.is_a?(Array)
+          values.map(&:to_s).join(',').gsub(/\s+/, ' ').strip
+        end
+
+        # @param [Http::Request] req
+        # @param [Boolean] chunk_signing
+        # @return [String]
+        def body_digest req, chunk_signing
+          case
+          when chunk_signing then STREAMING_CHECKSUM
+          when ['', nil].include?(req.body) then EMPTY_DIGEST
+          else hexdigest(req.body)
+          end
+        end
+
+        # @param [String] value
+        # @return [String]
+        def hexdigest value
+          digest = OpenSSL::Digest::SHA256.new
+          if value.respond_to?(:read)
+            chunk = nil
+            chunk_size = 1024 * 1024 # 1 megabyte
+            digest.update(chunk) while chunk = value.read(chunk_size)
+            value.rewind
+          else
+            digest.update(value)
+          end
+          digest.hexdigest
+        end
+
+        # @param [String] key
+        # @param [String] value
+        # @return [String]
+        def hmac key, value
+          OpenSSL::HMAC.digest(sha256_digest, key, value)
+        end
+
+        # @param [String] key
+        # @param [String] value
+        # @return [String]
+        def hexhmac key, value
+          OpenSSL::HMAC.hexdigest(sha256_digest, key, value)
+        end
+
+        def sha256_digest
+          OpenSSL::Digest.new('sha256')
+        end
+
+      end
+    end
+  end
+end

data/lib/mss/core/uri_escape.rb

@@ -0,0 +1,43 @@
+# Copyright 2011-2013 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+require 'cgi'
+
+module MSS
+  module Core
+
+    # Provides helper methods for URI escaping values and paths.
+    module UriEscape
+
+      # @param [String] value
+      # @return [String] Returns a URI escaped string.
+      def escape value
+        value = value.encode("UTF-8") if value.respond_to?(:encode)
+        CGI::escape(value.to_s).gsub('+', '%20').gsub('%7E', '~')
+      end
+      module_function :escape
+
+      # @param [String] value
+      # @return [String] Returns a URI-escaped path without escaping the
+      #   separators.
+      def escape_path value
+        escaped = ""
+        value.scan(%r{(/*)([^/]*)(/*)}) do |(leading, part, trailing)|
+          escaped << leading + escape(part) + trailing
+        end
+        escaped
+      end
+      module_function :escape_path
+
+    end
+  end
+end