Class: Amazon::FPS::SignatureUtilsForOutbound

Inherits:

Object

• Object
• Amazon::FPS::SignatureUtilsForOutbound

Defined in:

lib/amazon/fps/signatureutilsforoutbound.rb

Constant Summary

SIGNATURE_KEYNAME =

"signature"

SIGNATURE_METHOD_KEYNAME =

"signatureMethod"

SIGNATURE_VERSION_KEYNAME =

"signatureVersion"

CERTIFICATE_URL_KEYNAME =

"certificateUrl"

CERTIFICATE_URL_ROOT =

"https://fps.amazonaws.com/"

CERTIFICATE_URL_ROOT_SANDBOX =

"https://fps.sandbox.amazonaws.com/"

FPS_PROD_ENDPOINT =

CERTIFICATE_URL_ROOT

FPS_SANDBOX_ENDPOINT =

CERTIFICATE_URL_ROOT_SANDBOX

ACTION_PARAM =

"?Action=VerifySignature"

END_POINT_PARAM =

"&UrlEndPoint="

HTTP_PARAMS_PARAM =

"&HttpParameters="

VERSION_PARAM_VALUE =

"&Version=2008-09-17"

USER_AGENT_STRING =

"SigV2_MigrationSampleCode_Ruby-2010-09-13"

SIGNATURE_VERSION_1 =

"1"

SIGNATURE_VERSION_2 =

"2"

RSA_SHA1_ALGORITHM =

"RSA-SHA1"

Class Method Summary

• .calculate_string_to_sign_v1(args) ⇒ Object
• .get_algorithm(signature_method) ⇒ Object
• .get_http_data(url) ⇒ Object
• .get_http_params(params) ⇒ Object
• .starts_with(string, prefix) ⇒ Object
• .urlencode(plaintext) ⇒ Object

  Convert a string into URL encoded form.

Instance Method Summary

• #initialize(aws_access_key, aws_secret_key) ⇒ SignatureUtilsForOutbound constructor

  A new instance of SignatureUtilsForOutbound.

• #validate_request(args) ⇒ Object
• #validate_signature_v1(args) ⇒ Object
• #validate_signature_v2(args) ⇒ Object

Constructor Details

#initialize(aws_access_key, aws_secret_key) ⇒ SignatureUtilsForOutbound

Returns a new instance of SignatureUtilsForOutbound.

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 45

def initialize(aws_access_key, aws_secret_key)
  @aws_secret_key = aws_secret_key
  @aws_access_key = aws_access_key
end

Class Method Details

.calculate_string_to_sign_v1(args) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 123

def self.calculate_string_to_sign_v1(args)
  parameters = args[:parameters]

  # exclude any existing Signature parameter from the canonical string
  sorted = (parameters.reject { |k, v| ((k == SIGNATURE_KEYNAME)) }).sort { |a,b| a[0].downcase <=> b[0].downcase }

  canonical = ''
  sorted.each do |v|
    canonical << v[0]
    canonical << v[1] unless(v[1].nil?)
  end

  return canonical
end

.get_algorithm(signature_method) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 138

def self.get_algorithm(signature_method)
  return OpenSSL::Digest::SHA1.new if (signature_method == RSA_SHA1_ALGORITHM)
  return nil
end

.get_http_data(url) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 148

def self.get_http_data(url)
  #2. fetch certificate if not found in cache
  uri = URI.parse(url)
  http_session = Net::HTTP.new(uri.host, uri.port)
  http_session.use_ssl = true
  http_session.ca_file = File.dirname(__FILE__) + '/ca-bundle.crt'
  http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http_session.verify_depth = 5

  res = http_session.start {|http_session|
    req = Net::HTTP::Get.new(url, {"User-Agent" => USER_AGENT_STRING})
    http_session.request(req)
  }

  return res.body
end

.get_http_params(params) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 170

def self.get_http_params(params)
   params.map do |(k, v)|
      urlencode(k) + "=" + urlencode(v)
   end.join("&")
end

.starts_with(string, prefix) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 165

def self.starts_with(string, prefix)
  prefix = prefix.to_s
  string[0, prefix.length] == prefix
end

.urlencode(plaintext) ⇒ Object

Convert a string into URL encoded form.

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 144

def self.urlencode(plaintext)
  CGI.escape(plaintext.to_s).gsub("+", "%20").gsub("%7E", "~")
end

Instance Method Details

#validate_request(args) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 50

def validate_request(args)
  parameters = args[:parameters]
  return validate_signature_v2(args) if (parameters[SIGNATURE_VERSION_KEYNAME] == SIGNATURE_VERSION_2)
  return validate_signature_v1(args)
end

#validate_signature_v1(args) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 56

def validate_signature_v1(args)
  parameters = args[:parameters]
  signature = "";
  if(parameters[SIGNATURE_KEYNAME] != nil) then
    signature = parameters[SIGNATURE_KEYNAME];
  else
     raise "Signature is missing from parameters"
  end

  canonical = SignatureUtilsForOutbound::calculate_string_to_sign_v1(args)
  digest = OpenSSL::Digest::Digest.new('sha1')
  return signature == Base64.encode64(OpenSSL::HMAC.digest(digest, @aws_secret_key, canonical)).chomp
end

#validate_signature_v2(args) ⇒ Object

# File 'lib/amazon/fps/signatureutilsforoutbound.rb', line 70

def validate_signature_v2(args)
    [:parameters,
   :http_method,
   :url_end_point].each do |arg|
    raise "#{arg.inspect} is missing from the arguments." unless args[arg]
  end

  url_end_point = args[:url_end_point]

  parameters = args[:parameters]
  raise ":parameters must be enumerable" unless args[:parameters].kind_of? Enumerable

  signature = parameters[SIGNATURE_KEYNAME];
  raise "'signature' is missing from the parameters." if (signature.nil? or signature.empty?)

  signature_version = parameters[SIGNATURE_VERSION_KEYNAME];
  raise "'signatureVersion' is missing from the parameters." if (signature_version.nil? or signature_version.empty?)
  raise "'signatureVersion' present in parameters is invalid. Valid values are: 2" if (signature_version != SIGNATURE_VERSION_2)

  signature_method = parameters[SIGNATURE_METHOD_KEYNAME]
  raise "'signatureMethod' is missing from the parameters." if (signature_method.nil? or signature_method.empty?)
  signature_algorithm = SignatureUtilsForOutbound::get_algorithm(signature_method)
  raise "'signatureMethod' present in parameters is invalid. Valid values are: RSA-SHA1" if (signature_algorithm.nil?)

  certificate_url = parameters[CERTIFICATE_URL_KEYNAME]
  raise "'certificate_url' is missing from the parameters." if (certificate_url.nil? or certificate_url.empty?)

  # Construct VerifySignatureAPI request
  if(SignatureUtilsForOutbound::starts_with(certificate_url, FPS_SANDBOX_ENDPOINT) == true) then
     verify_signature_request = FPS_SANDBOX_ENDPOINT
  elsif(SignatureUtilsForOutbound::starts_with(certificate_url, FPS_PROD_ENDPOINT) == true) then
     verify_signature_request = FPS_PROD_ENDPOINT
  else
     raise "'certificateUrl' received is not valid. Valid certificate urls start with " <<
      CERTIFICATE_URL_ROOT << " or " << CERTIFICATE_URL_ROOT_SANDBOX << "."
  end

  verify_signature_request = verify_signature_request + ACTION_PARAM +
  END_POINT_PARAM +
  SignatureUtilsForOutbound::urlencode(url_end_point) +
  VERSION_PARAM_VALUE +
  HTTP_PARAMS_PARAM +
  SignatureUtilsForOutbound::urlencode(SignatureUtilsForOutbound::get_http_params(parameters))

  verify_signature_response = SignatureUtilsForOutbound::get_http_data(verify_signature_request)

  # parse the response
  document = REXML::Document.new(verify_signature_response)

  status_el = document.elements['VerifySignatureResponse/VerifySignatureResult/VerificationStatus']
  return (!status_el.nil? && status_el.text == "Success")
end