class Aws::Signers::V4
def self.sign(context)
def self.sign(context) new( context.config.credentials, context.config.sigv4_name, context.config.sigv4_region ).sign(context.http_request) end
def authorization(request, datetime, body_digest)
def authorization(request, datetime, body_digest) parts = [] parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}" parts << "SignedHeaders=#{signed_headers(request)}" parts << "Signature=#{signature(request, datetime, body_digest)}" parts.join(', ') end
def canonical_header_value(value)
def canonical_header_value(value) value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip end
def canonical_headers(request)
def canonical_headers(request) headers = [] request.headers.each_pair do |k,v| k = k.downcase headers << [k,v] unless k == 'authorization' end headers = headers.sort_by(&:first) headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n") end
def canonical_request(request, body_digest)
def canonical_request(request, body_digest) [ request.http_method, path(request.endpoint), normalized_querystring(request.endpoint.query || ''), canonical_headers(request) + "\n", signed_headers(request), body_digest ].join("\n") end
def credential(datetime)
def credential(datetime) "#{credentials.access_key_id}/#{credential_scope(datetime)}" end
def credential_scope(datetime)
def credential_scope(datetime) parts = [] parts << datetime[0,8] parts << region parts << service_name parts << 'aws4_request' parts.join("/") end
def hexdigest(value)
def hexdigest(value) digest = OpenSSL::Digest::SHA256.new if value.respond_to?(:read) chunk = nil chunk_size = 1024 * 1024 # 1 megabyte digest.update(chunk) while chunk = value.read(chunk_size) value.rewind else digest.update(value) end digest.hexdigest end
def hexhmac(key, value)
def hexhmac(key, value) OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value) end
def hmac(key, value)
def hmac(key, value) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value) end
def initialize(credentials, service_name, region)
-
region(String) -- The region (e.g. 'us-west-1') the request -
service_name(String) -- The name used by the service in -
credentials(Credentials) --
def initialize(credentials, service_name, region) @service_name = service_name @credentials = credentials @region = region end
def normalized_querystring(querystring)
def normalized_querystring(querystring) params = querystring.split('&') params = params.map { |p| p.match(/=/) ? p : p + '=' } # We have to sort by param name and preserve order of params that # have the same name. Default sort <=> in JRuby will swap members # occasionally when <=> is 0 (considered still sorted), but this # causes our normalized query string to not match the sent querystring. # When names match, we then sort by their original order params = params.each.with_index.sort do |a, b| a, a_offset = a a_name = a.split('=')[0] b, b_offset = b b_name = b.split('=')[0] if a_name == b_name a_offset <=> b_offset else a_name <=> b_name end end.map(&:first).join('&') end
def path(uri)
def path(uri) path = uri.path == '' ? '/' : uri.path if @service_name == 's3' path else path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) } end end
def presigned_url(request, options = {})
- Api: - private
Returns:
-
(Seahorse::Client::Http::Request)- the signed request.
Options Hash:
(**options)-
:body_digest(optional, String) -- The SHA256 hexdigest of -
:expires_in(required, Integer) --
Parameters:
-
request(Seahorse::Client::Http::Request) --
def presigned_url(request, options = {}) now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = options[:body_digest] || hexdigest(request.body) params = Query::ParamList.new request.headers['Host'] ||= request.endpoint.host request.headers.each do |header_name, header_value| if header_name.match(/^x-amz/) params.set(header_name, header_value) end unless %w(host content-md5).include?(header_name) request.headers.delete(header_name) end end params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256") params.set("X-Amz-Date", now) params.set("X-Amz-SignedHeaders", signed_headers(request)) params.set("X-Amz-Expires", options[:expires_in].to_s) params.set('X-Amz-Security-Token', credentials.session_token) if credentials.session_token params.set("X-Amz-Credential", credential(now)) endpoint = request.endpoint if endpoint.query endpoint.query += '&' + params.to_s else endpoint.query = params.to_s end endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest) end
def sign(req)
-
(Seahorse::Client::Http::Request)- the signed request.
Parameters:
-
req(Seahorse::Client::Http::Request) --
def sign(req) datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body) req.headers['X-Amz-Date'] = datetime req.headers['Host'] = req.endpoint.host req.headers['X-Amz-Security-Token'] = credentials.session_token if credentials.session_token req.headers['X-Amz-Content-Sha256'] ||= body_digest req.headers['Authorization'] = authorization(req, datetime, body_digest) req end
def signature(request, datetime, body_digest)
def signature(request, datetime, body_digest) k_secret = credentials.secret_access_key k_date = hmac("AWS4" + k_secret, datetime[0,8]) k_region = hmac(k_date, region) k_service = hmac(k_region, service_name) k_credentials = hmac(k_service, 'aws4_request') hexhmac(k_credentials, string_to_sign(request, datetime, body_digest)) end
def signed_headers(request)
def signed_headers(request) headers = request.headers.keys headers.delete('authorization') headers.sort.join(';') end
def string_to_sign(request, datetime, body_digest)
def string_to_sign(request, datetime, body_digest) parts = [] parts << 'AWS4-HMAC-SHA256' parts << datetime parts << credential_scope(datetime) parts << hexdigest(canonical_request(request, body_digest)) parts.join("\n") end