Class: Aws::Signers::V4 Private
- Inherits:
-
Object
- Object
- Aws::Signers::V4
- Defined in:
- lib/aws-sdk-core/signers/v4.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Class Method Summary collapse
- .sign(context) ⇒ Object private
Instance Method Summary collapse
- #authorization(request, datetime, body_digest) ⇒ Object private
- #canonical_header_value(value) ⇒ Object private
- #canonical_headers(request) ⇒ Object private
- #canonical_request(request, body_digest) ⇒ Object private
- #credential(datetime) ⇒ Object private
- #credential_scope(datetime) ⇒ Object private
- #hexdigest(value) ⇒ Object private
- #hexhmac(key, value) ⇒ Object private
- #hmac(key, value) ⇒ Object private
-
#initialize(credentials, service_name, region) ⇒ V4
constructor
private
A new instance of V4.
- #normalized_querystring(querystring) ⇒ Object private
- #path(uri) ⇒ Object private
-
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
private
Generates an returns a presigned URL.
-
#sign(req) ⇒ Seahorse::Client::Http::Request
private
The signed request.
- #signature(request, datetime, body_digest) ⇒ Object private
- #signed_headers(request) ⇒ Object private
- #string_to_sign(request, datetime, body_digest) ⇒ Object private
Constructor Details
#initialize(credentials, service_name, region) ⇒ V4
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of V4.
22 23 24 25 26 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 22 def initialize(credentials, service_name, region) @service_name = service_name @credentials = credentials @region = region end |
Class Method Details
.sign(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
8 9 10 11 12 13 14 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 8 def self.sign(context) new( context.config.credentials, context.config.sigv4_name, context.config.sigv4_region ).sign(context.http_request) end |
Instance Method Details
#authorization(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
83 84 85 86 87 88 89 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 83 def (request, datetime, body_digest) parts = [] parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}" parts << "SignedHeaders=#{signed_headers(request)}" parts << "Signature=#{signature(request, datetime, body_digest)}" parts.join(', ') end |
#canonical_header_value(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
165 166 167 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 165 def canonical_header_value(value) value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip end |
#canonical_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
155 156 157 158 159 160 161 162 163 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 155 def canonical_headers(request) headers = [] request.headers.each_pair do |k,v| k = k.downcase headers << [k,v] unless k == 'authorization' end headers = headers.sort_by(&:first) headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n") end |
#canonical_request(request, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
122 123 124 125 126 127 128 129 130 131 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 122 def canonical_request(request, body_digest) [ request.http_method, path(request.endpoint), normalized_querystring(request.endpoint.query || ''), canonical_headers(request) + "\n", signed_headers(request), body_digest ].join("\n") end |
#credential(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
91 92 93 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 91 def credential(datetime) "#{credentials.access_key_id}/#{credential_scope(datetime)}" end |
#credential_scope(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
113 114 115 116 117 118 119 120 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 113 def credential_scope(datetime) parts = [] parts << datetime[0,8] parts << region parts << service_name parts << 'aws4_request' parts.join("/") end |
#hexdigest(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
169 170 171 172 173 174 175 176 177 178 179 180 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 169 def hexdigest(value) digest = OpenSSL::Digest::SHA256.new if value.respond_to?(:read) chunk = nil chunk_size = 1024 * 1024 # 1 megabyte digest.update(chunk) while chunk = value.read(chunk_size) value.rewind else digest.update(value) end digest.hexdigest end |
#hexhmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
186 187 188 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 186 def hexhmac(key, value) OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value) end |
#hmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
182 183 184 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 182 def hmac(key, value) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value) end |
#normalized_querystring(querystring) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
142 143 144 145 146 147 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 142 def normalized_querystring(querystring) params = querystring.split('&') params = params.map { |p| p.match(/=/) ? p : p + '=' } params = params.sort { |a, b| a.split('=')[0] <=> b.split('=')[0] } params.join('&') end |
#path(uri) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
133 134 135 136 137 138 139 140 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 133 def path(uri) path = uri.path == '' ? '/' : uri.path if @service_name == 's3' path else path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) } end end |
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Generates an returns a presigned URL.
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 50 def presigned_url(request, = {}) now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = [:body_digest] || hexdigest(request.body) params = Query::ParamList.new request.headers['Host'] ||= request.endpoint.host request.headers.each do |header_name, header_value| if header_name.match(/^x-amz/) params.set(header_name, header_value) end unless %w(host content-md5).include?(header_name) request.headers.delete(header_name) end end params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256") params.set("X-Amz-Date", now) params.set("X-Amz-SignedHeaders", signed_headers(request)) params.set("X-Amz-Expires", [:expires_in].to_s) params.set('X-Amz-Security-Token', credentials.session_token) if credentials.session_token params.set("X-Amz-Credential", credential(now)) endpoint = request.endpoint if endpoint.query endpoint.query += '&' + params.to_s else endpoint.query = params.to_s end endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest) end |
#sign(req) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns the signed request.
30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 30 def sign(req) datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body) req.headers['X-Amz-Date'] = datetime req.headers['Host'] = req.endpoint.host req.headers['X-Amz-Security-Token'] = credentials.session_token if credentials.session_token req.headers['X-Amz-Content-Sha256'] ||= body_digest req.headers['Authorization'] = (req, datetime, body_digest) req end |
#signature(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
95 96 97 98 99 100 101 102 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 95 def signature(request, datetime, body_digest) k_secret = credentials.secret_access_key k_date = hmac("AWS4" + k_secret, datetime[0,8]) k_region = hmac(k_date, region) k_service = hmac(k_region, service_name) k_credentials = hmac(k_service, 'aws4_request') hexhmac(k_credentials, string_to_sign(request, datetime, body_digest)) end |
#signed_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
149 150 151 152 153 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 149 def signed_headers(request) headers = request.headers.keys headers.delete('authorization') headers.sort.join(';') end |
#string_to_sign(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
104 105 106 107 108 109 110 111 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 104 def string_to_sign(request, datetime, body_digest) parts = [] parts << 'AWS4-HMAC-SHA256' parts << datetime parts << credential_scope(datetime) parts << hexdigest(canonical_request(request, body_digest)) parts.join("\n") end |