Class: Aws::Signers::V4 Private

Inherits:
Object
  • Object
show all
Defined in:
lib/aws-sdk-core/signers/v4.rb

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Constant Summary collapse

BLACKLIST_HEADERS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

[
  'cache-control',
  'content-length',
  'expect',
  'max-forwards',
  'pragma',
  'te',
  'if-match',
  'if-none-match',
  'if-modified-since',
  'if-unmodified-since',
  'if-range',
  'accept',
  'authorization',
  'proxy-authorization',
  'from',
  'referer',
  'user-agent',
  'x-amzn-trace-id'
]

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(credentials, service_name, region) ⇒ V4

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of V4.

Parameters:

  • credentials (Credentials)
  • service_name (String)

    The name used by the service in signing signature version 4 requests. This is generally the endpoint prefix.

  • region (String)

    The region (e.g. ‘us-west-1’) the request will be made to.



43
44
45
46
47
# File 'lib/aws-sdk-core/signers/v4.rb', line 43

def initialize(credentials, service_name, region)
  @service_name = service_name
  @credentials = credentials.credentials
  @region = EndpointProvider.signing_region(region, service_name)
end

Class Method Details

.sign(context) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



29
30
31
32
33
34
35
# File 'lib/aws-sdk-core/signers/v4.rb', line 29

def self.sign(context)
  new(
    context.config.credentials,
    context.config.sigv4_name,
    context.config.sigv4_region
  ).sign(context.http_request)
end

Instance Method Details

#authorization(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



103
104
105
106
107
108
109
# File 'lib/aws-sdk-core/signers/v4.rb', line 103

def authorization(request, datetime, body_digest)
  parts = []
  parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}"
  parts << "SignedHeaders=#{signed_headers(request)}"
  parts << "Signature=#{signature(request, datetime, body_digest)}"
  parts.join(', ')
end

#canonical_header_value(value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



203
204
205
# File 'lib/aws-sdk-core/signers/v4.rb', line 203

def canonical_header_value(value)
  value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip
end

#canonical_headers(request) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



193
194
195
196
197
198
199
200
201
# File 'lib/aws-sdk-core/signers/v4.rb', line 193

def canonical_headers(request)
  headers = []
  request.headers.each_pair do |k,v|
    k = k.downcase
    headers << [k,v] unless BLACKLIST_HEADERS.include?(k)
  end
  headers = headers.sort_by(&:first)
  headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n")
end

#canonical_request(request, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



142
143
144
145
146
147
148
149
150
151
# File 'lib/aws-sdk-core/signers/v4.rb', line 142

def canonical_request(request, body_digest)
  [
    request.http_method,
    path(request.endpoint),
    normalized_querystring(request.endpoint.query || ''),
    canonical_headers(request) + "\n",
    signed_headers(request),
    body_digest
  ].join("\n")
end

#credential(datetime) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



111
112
113
# File 'lib/aws-sdk-core/signers/v4.rb', line 111

def credential(datetime)
  "#{@credentials.access_key_id}/#{credential_scope(datetime)}"
end

#credential_scope(datetime) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



133
134
135
136
137
138
139
140
# File 'lib/aws-sdk-core/signers/v4.rb', line 133

def credential_scope(datetime)
  parts = []
  parts << datetime[0,8]
  parts << @region
  parts << @service_name
  parts << 'aws4_request'
  parts.join("/")
end

#hexdigest(value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



220
221
222
# File 'lib/aws-sdk-core/signers/v4.rb', line 220

def hexdigest(value)
  Aws::Checksums.sha256_hexdigest(value)
end

#hexhmac(key, value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



228
229
230
# File 'lib/aws-sdk-core/signers/v4.rb', line 228

def hexhmac(key, value)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)
end

#hmac(key, value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



224
225
226
# File 'lib/aws-sdk-core/signers/v4.rb', line 224

def hmac(key, value)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value)
end

#host(uri) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



207
208
209
210
211
212
213
# File 'lib/aws-sdk-core/signers/v4.rb', line 207

def host(uri)
  if standard_port?(uri)
    uri.host
  else
    "#{uri.host}:#{uri.port}"
  end
end

#normalized_querystring(querystring) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# File 'lib/aws-sdk-core/signers/v4.rb', line 162

def normalized_querystring(querystring)
  params = querystring.split('&')
  params = params.map { |p| p.match(/=/) ? p : p + '=' }
  # We have to sort by param name and preserve order of params that
  # have the same name. Default sort <=> in JRuby will swap members
  # occasionally when <=> is 0 (considered still sorted), but this
  # causes our normalized query string to not match the sent querystring.
  # When names match, we then sort by their original order
  params = params.each.with_index.sort do |a, b|
    a, a_offset = a
    a_name = a.split('=')[0]
    b, b_offset = b
    b_name = b.split('=')[0]
    if a_name == b_name
      a_offset <=> b_offset
    else
      a_name <=> b_name
    end
  end.map(&:first).join('&')
end

#path(uri) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



153
154
155
156
157
158
159
160
# File 'lib/aws-sdk-core/signers/v4.rb', line 153

def path(uri)
  path = uri.path == '' ? '/' : uri.path
  if @service_name == 's3'
    path
  else
    Seahorse::Util.uri_path_escape(path)
  end
end

#presigned_url(request, options = {}) ⇒ String

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Generates an returns a presigned URL.

Parameters:

Options Hash (options):

  • :expires_in (required, Integer<Seconds>)
  • :body_digest (optional, String)

    The SHA256 hexdigest of the payload to sign. For S3, this should be the string literal ‘UNSIGNED-PAYLOAD`.

Returns:

  • (String)


71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
# File 'lib/aws-sdk-core/signers/v4.rb', line 71

def presigned_url(request, options = {})
  now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
  body_digest = options[:body_digest] || hexdigest(request.body)

  request.headers['Host'] = host(request.endpoint)
  request.headers.delete('User-Agent')

  params = Aws::Query::ParamList.new

  request.headers.keys.each do |key|
    if key.match(/^x-amz/i)
      params.set(key, request.headers.delete(key))
    end
  end

  params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
  params.set("X-Amz-Credential", credential(now))
  params.set("X-Amz-Date", now)
  params.set("X-Amz-Expires", options[:expires_in].to_s)
  params.set("X-Amz-SignedHeaders", signed_headers(request))
  params.set('X-Amz-Security-Token', @credentials.session_token) if
    @credentials.session_token

  endpoint = request.endpoint
  if endpoint.query
    endpoint.query += '&' + params.to_s
  else
    endpoint.query = params.to_s
  end
  endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest)
end

#sign(req) ⇒ Seahorse::Client::Http::Request

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the signed request.

Parameters:

Returns:



51
52
53
54
55
56
57
58
59
60
61
# File 'lib/aws-sdk-core/signers/v4.rb', line 51

def sign(req)
  datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
  body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body)
  req.headers['X-Amz-Date'] = datetime
  req.headers['Host'] = host(req.endpoint)
  req.headers['X-Amz-Security-Token'] = @credentials.session_token if
    @credentials.session_token
  req.headers['X-Amz-Content-Sha256'] ||= body_digest
  req.headers['Authorization'] = authorization(req, datetime, body_digest)
  req
end

#signature(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



115
116
117
118
119
120
121
122
# File 'lib/aws-sdk-core/signers/v4.rb', line 115

def signature(request, datetime, body_digest)
  k_secret = @credentials.secret_access_key
  k_date = hmac("AWS4" + k_secret, datetime[0,8])
  k_region = hmac(k_date, @region)
  k_service = hmac(k_region, @service_name)
  k_credentials = hmac(k_service, 'aws4_request')
  hexhmac(k_credentials, string_to_sign(request, datetime, body_digest))
end

#signed_headers(request) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



183
184
185
186
187
188
189
190
191
# File 'lib/aws-sdk-core/signers/v4.rb', line 183

def signed_headers(request)
  request.headers.keys.inject([]) do |signed_headers, header_key|
    header_key = header_key.downcase
    unless BLACKLIST_HEADERS.include?(header_key)
      signed_headers << header_key
    end
    signed_headers
  end.sort.join(';')
end

#standard_port?(uri) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

  • (Boolean)


215
216
217
218
# File 'lib/aws-sdk-core/signers/v4.rb', line 215

def standard_port?(uri)
  (uri.scheme == 'http' && uri.port == 80) ||
  (uri.scheme == 'https' && uri.port == 443)
end

#string_to_sign(request, datetime, body_digest) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



124
125
126
127
128
129
130
131
# File 'lib/aws-sdk-core/signers/v4.rb', line 124

def string_to_sign(request, datetime, body_digest)
  parts = []
  parts << 'AWS4-HMAC-SHA256'
  parts << datetime
  parts << credential_scope(datetime)
  parts << hexdigest(canonical_request(request, body_digest))
  parts.join("\n")
end