Class: Aws::Signers::V4 Private

Inherits:

Object

• Object
• Aws::Signers::V4

Defined in:

lib/aws-sdk-core/signers/v4.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Class Method Summary

• .sign(context) ⇒ Object private

Instance Method Summary

• #authorization(request, datetime, body_digest) ⇒ Object private
• #canonical_header_value(value) ⇒ Object private
• #canonical_headers(request) ⇒ Object private
• #canonical_request(request, body_digest) ⇒ Object private
• #credential(datetime) ⇒ Object private
• #credential_scope(datetime) ⇒ Object private
• #hexdigest(value) ⇒ Object private
• #hexhmac(key, value) ⇒ Object private
• #hmac(key, value) ⇒ Object private
• #host(uri) ⇒ Object private
• #initialize(credentials, service_name, region) ⇒ V4 constructor private

  A new instance of V4.

• #normalized_querystring(querystring) ⇒ Object private
• #path(uri) ⇒ Object private
• #presigned_url(request, options = {}) ⇒ String private

  Generates an returns a presigned URL.

• #sign(req) ⇒ Seahorse::Client::Http::Request private

  The signed request.

• #signature(request, datetime, body_digest) ⇒ Object private
• #signed_headers(request) ⇒ Object private
• #standard_port?(uri) ⇒ Boolean private
• #string_to_sign(request, datetime, body_digest) ⇒ Object private

Constructor Details

#initialize(credentials, service_name, region) ⇒ V4

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of V4.

Parameters:

• credentials (Credentials)
• service_name (String) —

  The name used by the service in signing signature version 4 requests. This is generally the endpoint prefix.

• region (String) —

  The region (e.g. ‘us-west-1’) the request will be made to.

# File 'lib/aws-sdk-core/signers/v4.rb', line 22

def initialize(credentials, service_name, region)
  @service_name = service_name
  @credentials = credentials.credentials
  @region = region
end

Class Method Details

.sign(context) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 8

def self.sign(context)
  new(
    context.config.credentials,
    context.config.sigv4_name,
    context.config.sigv4_region
  ).sign(context.http_request)
end

Instance Method Details

#authorization(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 82

def authorization(request, datetime, body_digest)
  parts = []
  parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}"
  parts << "SignedHeaders=#{signed_headers(request)}"
  parts << "Signature=#{signature(request, datetime, body_digest)}"
  parts.join(', ')
end

#canonical_header_value(value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 180

def canonical_header_value(value)
  value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
end

#canonical_headers(request) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 170

def canonical_headers(request)
  headers = []
  request.headers.each_pair do |k,v|
    k = k.downcase
    headers << [k,v] unless k == 'authorization'
  end
  headers = headers.sort_by(&:first)
  headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n")
end

#canonical_request(request, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 121

def canonical_request(request, body_digest)
  [
    request.http_method,
    path(request.endpoint),
    normalized_querystring(request.endpoint.query || ''),
    canonical_headers(request) + "\n",
    signed_headers(request),
    body_digest
  ].join("\n")
end

#credential(datetime) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 90

def credential(datetime)
  "#{@credentials.access_key_id}/#{credential_scope(datetime)}"
end

#credential_scope(datetime) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 112

def credential_scope(datetime)
  parts = []
  parts << datetime[0,8]
  parts << @region
  parts << @service_name
  parts << 'aws4_request'
  parts.join("/")
end

#hexdigest(value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 197

def hexdigest(value)
  digest = OpenSSL::Digest::SHA256.new
  if value.respond_to?(:read)
    chunk = nil
    chunk_size = 1024 * 1024 # 1 megabyte
    digest.update(chunk) while chunk = value.read(chunk_size)
    value.rewind
  else
    digest.update(value)
  end
  digest.hexdigest
end

#hexhmac(key, value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 214

def hexhmac(key, value)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
end

#hmac(key, value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 210

def hmac(key, value)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
end

#host(uri) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 184

def host(uri)
  if standard_port?(uri)
    uri.host
  else
    "#{uri.host}:#{uri.port}"
  end
end

#normalized_querystring(querystring) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 141

def normalized_querystring(querystring)
  params = querystring.split('&')
  params = params.map { |p| p.match(/=/) ? p : p + '=' }
  # We have to sort by param name and preserve order of params that
  # have the same name. Default sort <=> in JRuby will swap members
  # occasionally when <=> is 0 (considered still sorted), but this
  # causes our normalized query string to not match the sent querystring.
  # When names match, we then sort by their original order
  params = params.each.with_index.sort do |a, b|
    a, a_offset = a
    a_name = a.split('=')[0]
    b, b_offset = b
    b_name = b.split('=')[0]
    if a_name == b_name
      a_offset <=> b_offset
    else
      a_name <=> b_name
    end
  end.map(&:first).join('&')
end

#path(uri) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 132

def path(uri)
  path = uri.path == '' ? '/' : uri.path
  if @service_name == 's3'
    path
  else
    path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) }
  end
end

#presigned_url(request, options = {}) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Generates an returns a presigned URL.

Parameters:

• request (Seahorse::Client::Http::Request)
• options (Hash) (defaults to: {}) —

  a customizable set of options

Options Hash (options):

• :expires_in (required, Integer<Seconds>)
• :body_digest (optional, String) —

  The SHA256 hexdigest of the payload to sign. For S3, this should be the string literal ‘UNSIGNED-PAYLOAD`.

Returns:

• (String)

# File 'lib/aws-sdk-core/signers/v4.rb', line 50

def presigned_url(request, options = {})
  now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
  body_digest = options[:body_digest] || hexdigest(request.body)

  request.headers['Host'] = host(request.endpoint)
  request.headers.delete('User-Agent')

  params = Aws::Query::ParamList.new

  request.headers.keys.each do |key|
    if key.match(/^x-amz/i)
      params.set(key, request.headers.delete(key))
    end
  end

  params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
  params.set("X-Amz-Credential", credential(now))
  params.set("X-Amz-Date", now)
  params.set("X-Amz-Expires", options[:expires_in].to_s)
  params.set("X-Amz-SignedHeaders", signed_headers(request))
  params.set('X-Amz-Security-Token', @credentials.session_token) if
    @credentials.session_token

  endpoint = request.endpoint
  if endpoint.query
    endpoint.query += '&' + params.to_s
  else
    endpoint.query = params.to_s
  end
  endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest)
end

#sign(req) ⇒ Seahorse::Client::Http::Request

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the signed request.

Parameters:

• req (Seahorse::Client::Http::Request)

Returns:

• (Seahorse::Client::Http::Request) —

  the signed request.

# File 'lib/aws-sdk-core/signers/v4.rb', line 30

def sign(req)
  datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
  body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body)
  req.headers['X-Amz-Date'] = datetime
  req.headers['Host'] = host(req.endpoint)
  req.headers['X-Amz-Security-Token'] = @credentials.session_token if
    @credentials.session_token
  req.headers['X-Amz-Content-Sha256'] ||= body_digest
  req.headers['Authorization'] = authorization(req, datetime, body_digest)
  req
end

#signature(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 94

def signature(request, datetime, body_digest)
  k_secret = @credentials.secret_access_key
  k_date = hmac("AWS4" + k_secret, datetime[0,8])
  k_region = hmac(k_date, @region)
  k_service = hmac(k_region, @service_name)
  k_credentials = hmac(k_service, 'aws4_request')
  hexhmac(k_credentials, string_to_sign(request, datetime, body_digest))
end

#signed_headers(request) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 162

def signed_headers(request)
  request.headers.keys.inject([]) do |signed_headers, header_key|
    header_key = header_key.downcase
    signed_headers << header_key unless header_key == 'authorization'
    signed_headers
  end.sort.join(';')
end

#standard_port?(uri) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

• (Boolean)

# File 'lib/aws-sdk-core/signers/v4.rb', line 192

def standard_port?(uri)
  (uri.scheme == 'http' && uri.port == 80) ||
  (uri.scheme == 'https' && uri.port == 443)
end

#string_to_sign(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/aws-sdk-core/signers/v4.rb', line 103

def string_to_sign(request, datetime, body_digest)
  parts = []
  parts << 'AWS4-HMAC-SHA256'
  parts << datetime
  parts << credential_scope(datetime)
  parts << hexdigest(canonical_request(request, body_digest))
  parts.join("\n")
end