ve-tos-ruby-sdk 0.1.1 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a94a5896f975a89ca93bcad502a1aee316647af303b9279358f9690c01b76a6
-  data.tar.gz: c99e79d75684d386839cdc1f8f540259b035ca7039b35ce8912ca997e86965bc
+  metadata.gz: 7d28faa1c3a6f13531292e60ccee65d3679f26f685094171bb4c67bc5395c344
+  data.tar.gz: 9b34853fcbde7301fde520242a3678530e97b426b60b982e230312397f1ce327
 SHA512:
-  metadata.gz: a80ba4f769d55a776dbe0dac3dab068ee253bd9305123e246929d70e21ca619ab144697aaf9c4fa3703686df1ac9603ba300d043d4b42daea80b0a51cff0e8aa
-  data.tar.gz: 2f15c21d6faa7a0e898461d6ae7106cecb4cfd58da4542cb263f5beddea16a325732a2d2fdb4cced6cc94e138104d79e18df97dae6b980b0fadcbf6378b2632d
+  metadata.gz: 0b7f5c1c0342f5eeb82250e873a2240656686dcd16a325c0ba34e8db1630c4c002fd416607b5752b711d5246a66005b162f5d2e771000d5dba992ad6ac6d0520
+  data.tar.gz: b36e9449e1bc7c4573908d660138226ab969eb58d2a1e53484a9544611f4df06f31db219dfa60e933b99232d230f091396416b3c18292a56d62cf0e73e331fa1

data/lib/tos/bucket.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "rexml/document"
-
 module TOS
   # All operations are bucket-scoped: get a bucket via `client.bucket(name)`
   # then call put_object / get_object / etc. on it.
@@ -66,7 +64,10 @@ module TOS
       keys = Array(keys).reject { |k| k.to_s.empty? }
       return [] if keys.empty?
 
-      body = build_delete_payload(keys, quiet)
+      body = JSON.generate(
+        Quiet: quiet,
+        Objects: keys.map { |k| { Key: k.to_s } },
+      )
       content_md5 = OpenSSL::Digest::MD5.base64digest(body)
 
       client.request(
@@ -74,7 +75,7 @@ module TOS
         host: host,
         path: "/",
         query: { "delete" => "" },
-        headers: { "Content-Type" => "application/xml", "Content-MD5" => content_md5 },
+        headers: { "Content-Type" => "application/json", "Content-MD5" => content_md5 },
         body: body,
       )
     end
@@ -96,32 +97,15 @@ module TOS
     end
 
     def parse_list_response(res)
-      doc = REXML::Document.new(res.body)
-      root = doc.root
-      keys = root.get_elements("Contents/Key").map(&:text)
-      truncated = root.elements["IsTruncated"]&.text == "true"
-      next_token = root.elements["NextContinuationToken"]&.text
+      data = JSON.parse(res.body)
+      keys = (data["Contents"] || []).map { |obj| obj["Key"] }
 
       {
         keys: keys,
-        is_truncated: truncated,
-        next_continuation_token: next_token,
+        is_truncated: data["IsTruncated"] == true,
+        next_continuation_token: data["NextContinuationToken"],
         raw: res,
       }
     end
-
-    def build_delete_payload(keys, quiet)
-      doc = REXML::Document.new
-      doc.add_element("Delete").tap do |delete|
-        delete.add_element("Quiet").text = quiet ? "true" : "false"
-        keys.each do |key|
-          obj = delete.add_element("Object")
-          obj.add_element("Key").text = key
-        end
-      end
-      out = +""
-      doc.write(out)
-      out
-    end
   end
 end

data/lib/tos/client.rb

@@ -2,7 +2,6 @@
 
 require "net/http"
 require "uri"
-require "rexml/document"
 
 module TOS
   # Low-level HTTP client. Holds credentials, region, endpoint resolution, and
@@ -53,7 +52,7 @@ module TOS
 
       signed = signer.sign_headers(
         method: method, path: path, query: query,
-        headers: headers, body: body
+        headers: headers.merge("Host" => host), body: body
       )
       signed.each { |k, v| req[k] = v }
       # Signer-only headers that aren't in the user's `headers` hash.
@@ -136,12 +135,9 @@ module TOS
       request_id = res["x-tos-request-id"]
       return [body, nil, request_id] if body.empty?
 
-      doc = REXML::Document.new(body)
-      code = doc.root&.elements&.[]("Code")&.text
-      message = doc.root&.elements&.[]("Message")&.text || body
-      request_id ||= doc.root&.elements&.[]("RequestId")&.text
-      [message, code, request_id]
-    rescue REXML::ParseException
+      data = JSON.parse(body)
+      [data["Message"] || body, data["Code"], request_id || data["RequestId"]]
+    rescue JSON::ParserError
       [body, nil, request_id]
     end
 

data/lib/tos/signer.rb

@@ -1,15 +1,11 @@
 # frozen_string_literal: true
 
 require "openssl"
-require "time"
-require "uri"
-require "cgi"
+require "erb"
 
 module TOS
-  # Signs HTTP requests for the TOS object service using the
-  # TOS4-HMAC-SHA256 scheme (analogous to AWS SigV4, but with the "tos"
-  # service name and a slightly different signed-header policy: by default
-  # only `content-type` and any `x-tos-*` headers are signed).
+  # Signs HTTP requests for the TOS object service using TOS4-HMAC-SHA256
+  # (AWS SigV4 with the "tos" service name)
   class Signer
     ALGORITHM = "TOS4-HMAC-SHA256"
     SERVICE = "tos"
@@ -30,153 +26,102 @@ module TOS
     # Sign a request and return a Hash of headers to add (Authorization,
     # X-Tos-Date, X-Tos-Content-Sha256, plus X-Tos-Security-Token when STS
     # credentials are used).
-    #
-    # @param method [String] HTTP method, uppercased (e.g. "PUT")
-    # @param path [String] URI path starting with "/" (e.g. "/bucket/key")
-    # @param query [Hash{String=>String,Array<String>}] query params
-    # @param headers [Hash] existing request headers (case-insensitive keys)
-    # @param body [String, nil] request body — may be nil for GET/HEAD/DELETE
-    # @param now [Time] override for testing
     def sign_headers(method:, path:, query: {}, headers: {}, body: nil, now: Time.now.utc)
       datetime = now.strftime("%Y%m%dT%H%M%SZ")
-      date = datetime[0, 8]
       content_sha = body ? sha256_hex(body) : EMPTY_SHA256
 
-      working_headers = headers.dup
-      working_headers["X-Tos-Date"] = datetime
-      working_headers["X-Tos-Content-Sha256"] = content_sha
-      working_headers["X-Tos-Security-Token"] = @credentials.security_token if @credentials.security_token
+      out = headers.dup
+      out["X-Tos-Date"] = datetime
+      out["X-Tos-Content-Sha256"] = content_sha
+      out["X-Tos-Security-Token"] = @credentials.security_token if @credentials.security_token
 
-      signed_headers = filter_signed_headers(working_headers)
-
-      canonical_request = build_canonical_request(
-        method: method.to_s.upcase,
-        path: path,
-        query: query,
-        signed_headers: signed_headers,
-        content_sha: content_sha
-      )
-
-      credential_scope = "#{date}/#{@region}/#{SERVICE}/#{REQUEST}"
-      string_to_sign = [ALGORITHM, datetime, credential_scope, sha256_hex(canonical_request)].join("\n")
-
-      signing_key = derive_signing_key(date)
-      signature = hmac_hex(signing_key, string_to_sign)
-
-      authorization = build_authorization_header(signed_headers, credential_scope, signature)
-      working_headers["Authorization"] = authorization
-
-      working_headers
+      signed = signed_headers(out)
+      out["Authorization"] = authorization(method, path, query, signed, content_sha, datetime)
+      out
     end
 
     # Build a presigned URL with all signing material in the query string.
-    # Returns a fully-qualified URL.
     def presign(method:, host:, path:, query: {}, expires_in: 3600, now: Time.now.utc)
       datetime = now.strftime("%Y%m%dT%H%M%SZ")
-      date = datetime[0, 8]
-      credential_scope = "#{date}/#{@region}/#{SERVICE}/#{REQUEST}"
-
-      query_with_sig = query.dup
-      query_with_sig["X-Tos-Algorithm"] = ALGORITHM
-      query_with_sig["X-Tos-Credential"] = "#{@credentials.access_key_id}/#{credential_scope}"
-      query_with_sig["X-Tos-Date"] = datetime
-      query_with_sig["X-Tos-Expires"] = expires_in.to_s
-      query_with_sig["X-Tos-SignedHeaders"] = ""
-      query_with_sig["X-Tos-Security-Token"] = @credentials.security_token if @credentials.security_token
-
-      canonical_request = build_canonical_request(
-        method: method.to_s.upcase,
-        path: path,
-        query: query_with_sig,
-        signed_headers: [],
-        content_sha: UNSIGNED_PAYLOAD
+      params = query.merge(
+        "X-Tos-Algorithm" => ALGORITHM,
+        "X-Tos-Credential" => "#{@credentials.access_key_id}/#{credential_scope(datetime[0, 8])}",
+        "X-Tos-Date" => datetime,
+        "X-Tos-Expires" => expires_in.to_s,
+        "X-Tos-SignedHeaders" => "",
       )
+      params["X-Tos-Security-Token"] = @credentials.security_token if @credentials.security_token
 
-      string_to_sign = [ALGORITHM, datetime, credential_scope, sha256_hex(canonical_request)].join("\n")
-      signing_key = derive_signing_key(date)
-      query_with_sig["X-Tos-Signature"] = hmac_hex(signing_key, string_to_sign)
-
-      "https://#{host}#{path}?#{encode_query(query_with_sig)}"
+      params["X-Tos-Signature"] = sign(method, path, params, [], UNSIGNED_PAYLOAD, datetime)
+      "https://#{host}#{path}?#{encode_query(params)}"
     end
 
     private
 
-    # Default policy mirrors the Go SDK: only `content-type` (lower-case) and
-    # any `x-tos-*` header is signed. `host` is intentionally NOT signed.
-    def filter_signed_headers(headers)
-      headers.each_with_object([]) do |(name, value), acc|
-        key = name.to_s.downcase
-        next unless key == "content-type" || key.start_with?("x-tos-")
+    # Default policy: sign `host`, `content-type`, and any `x-tos-*` header.
+    def signed_headers(headers)
+      headers
+        .map { |k, v| [k.to_s.downcase, normalize_value(v)] }
+        .select { |k, _| k == "host" || k == "content-type" || k.start_with?("x-tos-") }
+        .sort
+    end
 
-        acc << [key, normalize_value(value)]
-      end.sort_by(&:first)
+    def authorization(method, path, query, signed, content_sha, datetime)
+      header_list = signed.map(&:first).join(";")
+      signature = sign(method, path, query, signed, content_sha, datetime)
+      "#{ALGORITHM} Credential=#{@credentials.access_key_id}/#{credential_scope(datetime[0, 8])}," \
+      "SignedHeaders=#{header_list},Signature=#{signature}"
     end
 
-    def build_canonical_request(method:, path:, query:, signed_headers:, content_sha:)
-      canonical_headers = signed_headers.map { |k, v| "#{k}:#{v}\n" }.join
-      header_list = signed_headers.map(&:first).join(";")
+    def sign(method, path, query, signed, content_sha, datetime)
+      canonical = canonical_request(method, path, query, signed, content_sha)
+      string_to_sign = [ALGORITHM, datetime, credential_scope(datetime[0, 8]), sha256_hex(canonical)].join("\n")
+      hmac_hex(signing_key(datetime[0, 8]), string_to_sign)
+    end
 
+    def canonical_request(method, path, query, signed, content_sha)
       [
-        method,
+        method.to_s.upcase,
         encode_path(path),
         encode_query(query),
-        canonical_headers,
-        header_list,
-        content_sha
+        signed.map { |k, v| "#{k}:#{v}\n" }.join,
+        signed.map(&:first).join(";"),
+        content_sha,
       ].join("\n")
     end
 
-    def build_authorization_header(signed_headers, credential_scope, signature)
-      header_list = signed_headers.map(&:first).join(";")
-      "#{ALGORITHM} Credential=#{@credentials.access_key_id}/#{credential_scope}," \
-        "SignedHeaders=#{header_list},Signature=#{signature}"
+    def credential_scope(date)
+      "#{date}/#{@region}/#{SERVICE}/#{REQUEST}"
     end
 
-    def derive_signing_key(date)
-      k_date = hmac(@credentials.secret_access_key, date)
-      k_region = hmac(k_date, @region)
-      k_service = hmac(k_region, SERVICE)
-      hmac(k_service, REQUEST)
+    def signing_key(date)
+      key = hmac(@credentials.secret_access_key, date)
+      key = hmac(key, @region)
+      key = hmac(key, SERVICE)
+      hmac(key, REQUEST)
     end
 
     def normalize_value(value)
       Array(value).map { |v| v.to_s.split(/\s+/).join(" ") }.join(",")
     end
 
-    # RFC 3986 percent-encoding for the URI path. Slashes are preserved.
     def encode_path(path)
-      path.split("/", -1).map { |segment| uri_escape(segment) }.join("/")
-    end
-
-    # Sort by key, then by value, encode and join with `&`.
-    def encode_query(query)
-      pairs = []
-      query.each do |key, values|
-        Array(values).each do |value|
-          pairs << [uri_escape(key.to_s), uri_escape(value.to_s)]
-        end
-      end
-      pairs.sort.map { |k, v| "#{k}=#{v}" }.join("&")
+      path.split("/", -1).map { |seg| ERB::Util.url_encode(percent_decode(seg)) }.join("/")
     end
 
-    def uri_escape(str)
-      # URI.encode_www_form_component encodes space as "+", which is wrong for
-      # SigV4. Use a manual escape that matches Go's url.QueryEscape rules
-      # (which percent-encodes everything except unreserved chars), but preserve
-      # nothing else.
-      str.b.gsub(/([^A-Za-z0-9\-_.~])/) { format("%%%02X", $1.ord) }
+    def percent_decode(seg)
+      seg.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.to_i(16).chr }.force_encoding("UTF-8")
     end
 
-    def sha256_hex(data)
-      OpenSSL::Digest::SHA256.hexdigest(data.to_s)
-    end
-
-    def hmac(key, data)
-      OpenSSL::HMAC.digest("SHA256", key, data)
+    def encode_query(query)
+      query.flat_map { |k, vs| Array(vs).map { |v| [ERB::Util.url_encode(k.to_s), ERB::Util.url_encode(v.to_s)] } }
+           .sort
+           .map { |k, v| "#{k}=#{v}" }
+           .join("&")
     end
 
-    def hmac_hex(key, data)
-      OpenSSL::HMAC.hexdigest("SHA256", key, data)
-    end
+    def sha256_hex(data) = OpenSSL::Digest::SHA256.hexdigest(data.to_s)
+    def hmac(key, data) = OpenSSL::HMAC.digest("SHA256", key, data)
+    def hmac_hex(key, data) = OpenSSL::HMAC.hexdigest("SHA256", key, data)
   end
 end

data/lib/tos/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module TOS
-  VERSION = "0.1.1"
+  VERSION = "0.1.3"
 end

data/ve-tos-ruby-sdk.gemspec

@@ -16,8 +16,6 @@ Gem::Specification.new do |spec|
   spec.files = Dir["lib/**/*.rb", "README.md", "LICENSE", "ve-tos-ruby-sdk.gemspec"]
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "rexml", ">= 3.2"
-
   spec.add_development_dependency "rspec", "~> 3.12"
   spec.add_development_dependency "webmock", "~> 3.18"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ve-tos-ruby-sdk
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Renny
@@ -9,20 +9,6 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: rexml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement