Class: Aws::Signers::V4 Private
- Inherits:
-
Object
- Object
- Aws::Signers::V4
- Defined in:
- lib/aws-sdk-core/signers/v4.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Class Method Summary collapse
- .sign(context) ⇒ Object private
Instance Method Summary collapse
- #authorization(request, datetime, body_digest) ⇒ Object private
- #canonical_header_value(value) ⇒ Object private
- #canonical_headers(request) ⇒ Object private
- #canonical_request(request, body_digest) ⇒ Object private
- #credential(datetime) ⇒ Object private
- #credential_scope(datetime) ⇒ Object private
- #hexdigest(value) ⇒ Object private
- #hexhmac(key, value) ⇒ Object private
- #hmac(key, value) ⇒ Object private
-
#initialize(credentials, service_name, region) ⇒ V4
constructor
private
A new instance of V4.
- #normalized_querystring(querystring) ⇒ Object private
- #path(uri) ⇒ Object private
-
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
private
Generates an returns a presigned URL.
-
#sign(req) ⇒ Seahorse::Client::Http::Request
private
The signed request.
- #signature(request, datetime, body_digest) ⇒ Object private
- #signed_headers(request) ⇒ Object private
- #string_to_sign(request, datetime, body_digest) ⇒ Object private
Constructor Details
#initialize(credentials, service_name, region) ⇒ V4
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of V4.
22 23 24 25 26 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 22 def initialize(credentials, service_name, region) @service_name = service_name @credentials = credentials @region = region end |
Class Method Details
.sign(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
8 9 10 11 12 13 14 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 8 def self.sign(context) new( context.config.credentials, context.config.sigv4_name, context.config.sigv4_region ).sign(context.http_request) end |
Instance Method Details
#authorization(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
83 84 85 86 87 88 89 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 83 def (request, datetime, body_digest) parts = [] parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}" parts << "SignedHeaders=#{signed_headers(request)}" parts << "Signature=#{signature(request, datetime, body_digest)}" parts.join(', ') end |
#canonical_header_value(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
179 180 181 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 179 def canonical_header_value(value) value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip end |
#canonical_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
169 170 171 172 173 174 175 176 177 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 169 def canonical_headers(request) headers = [] request.headers.each_pair do |k,v| k = k.downcase headers << [k,v] unless k == 'authorization' end headers = headers.sort_by(&:first) headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n") end |
#canonical_request(request, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
122 123 124 125 126 127 128 129 130 131 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 122 def canonical_request(request, body_digest) [ request.http_method, path(request.endpoint), normalized_querystring(request.endpoint.query || ''), canonical_headers(request) + "\n", signed_headers(request), body_digest ].join("\n") end |
#credential(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
91 92 93 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 91 def credential(datetime) "#{credentials.access_key_id}/#{credential_scope(datetime)}" end |
#credential_scope(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
113 114 115 116 117 118 119 120 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 113 def credential_scope(datetime) parts = [] parts << datetime[0,8] parts << region parts << service_name parts << 'aws4_request' parts.join("/") end |
#hexdigest(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
183 184 185 186 187 188 189 190 191 192 193 194 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 183 def hexdigest(value) digest = OpenSSL::Digest::SHA256.new if value.respond_to?(:read) chunk = nil chunk_size = 1024 * 1024 # 1 megabyte digest.update(chunk) while chunk = value.read(chunk_size) value.rewind else digest.update(value) end digest.hexdigest end |
#hexhmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
200 201 202 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 200 def hexhmac(key, value) OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value) end |
#hmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
196 197 198 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 196 def hmac(key, value) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value) end |
#normalized_querystring(querystring) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 142 def normalized_querystring(querystring) params = querystring.split('&') params = params.map { |p| p.match(/=/) ? p : p + '=' } # We have to sort by param name and preserve order of params that # have the same name. Default sort <=> in JRuby will swap members # occasionally when <=> is 0 (considered still sorted), but this # causes our normalized query string to not match the sent querystring. # When names match, we then sort by their original order params = params.each.with_index.sort do |a, b| a, a_offset = a a_name = a.split('=')[0] b, b_offset = b b_name = b.split('=')[0] if a_name == b_name a_offset <=> b_offset else a_name <=> b_name end end.map(&:first).join('&') end |
#path(uri) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
133 134 135 136 137 138 139 140 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 133 def path(uri) path = uri.path == '' ? '/' : uri.path if @service_name == 's3' path else path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) } end end |
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Generates an returns a presigned URL.
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 50 def presigned_url(request, = {}) now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = [:body_digest] || hexdigest(request.body) params = Query::ParamList.new request.headers['Host'] ||= request.endpoint.host request.headers.each do |header_name, header_value| if header_name.match(/^x-amz/) params.set(header_name, header_value) end unless %w(host content-md5).include?(header_name) request.headers.delete(header_name) end end params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256") params.set("X-Amz-Date", now) params.set("X-Amz-SignedHeaders", signed_headers(request)) params.set("X-Amz-Expires", [:expires_in].to_s) params.set('X-Amz-Security-Token', credentials.session_token) if credentials.session_token params.set("X-Amz-Credential", credential(now)) endpoint = request.endpoint if endpoint.query endpoint.query += '&' + params.to_s else endpoint.query = params.to_s end endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest) end |
#sign(req) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns the signed request.
30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 30 def sign(req) datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body) req.headers['X-Amz-Date'] = datetime req.headers['Host'] = req.endpoint.host req.headers['X-Amz-Security-Token'] = credentials.session_token if credentials.session_token req.headers['X-Amz-Content-Sha256'] ||= body_digest req.headers['Authorization'] = (req, datetime, body_digest) req end |
#signature(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
95 96 97 98 99 100 101 102 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 95 def signature(request, datetime, body_digest) k_secret = credentials.secret_access_key k_date = hmac("AWS4" + k_secret, datetime[0,8]) k_region = hmac(k_date, region) k_service = hmac(k_region, service_name) k_credentials = hmac(k_service, 'aws4_request') hexhmac(k_credentials, string_to_sign(request, datetime, body_digest)) end |
#signed_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
163 164 165 166 167 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 163 def signed_headers(request) headers = request.headers.keys headers.delete('authorization') headers.sort.join(';') end |
#string_to_sign(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
104 105 106 107 108 109 110 111 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 104 def string_to_sign(request, datetime, body_digest) parts = [] parts << 'AWS4-HMAC-SHA256' parts << datetime parts << credential_scope(datetime) parts << hexdigest(canonical_request(request, body_digest)) parts.join("\n") end |