Class: Aws::Signers::V4 Private
- Inherits:
-
Object
- Object
- Aws::Signers::V4
- Defined in:
- lib/aws-sdk-core/signers/v4.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Class Method Summary collapse
- .sign(context) ⇒ Object private
Instance Method Summary collapse
- #authorization(request, datetime, body_digest) ⇒ Object private
- #canonical_header_value(value) ⇒ Object private
- #canonical_headers(request) ⇒ Object private
- #canonical_request(request, body_digest) ⇒ Object private
- #credential(datetime) ⇒ Object private
- #credential_scope(datetime) ⇒ Object private
- #hexdigest(value) ⇒ Object private
- #hexhmac(key, value) ⇒ Object private
- #hmac(key, value) ⇒ Object private
- #host(uri) ⇒ Object private
-
#initialize(credentials, service_name, region) ⇒ V4
constructor
private
A new instance of V4.
- #normalized_querystring(querystring) ⇒ Object private
- #path(uri) ⇒ Object private
-
#presigned_url(request, options = {}) ⇒ String
private
Generates an returns a presigned URL.
-
#sign(req) ⇒ Seahorse::Client::Http::Request
private
The signed request.
- #signature(request, datetime, body_digest) ⇒ Object private
- #signed_headers(request) ⇒ Object private
- #standard_port?(uri) ⇒ Boolean private
- #string_to_sign(request, datetime, body_digest) ⇒ Object private
Constructor Details
#initialize(credentials, service_name, region) ⇒ V4
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of V4.
22 23 24 25 26 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 22 def initialize(credentials, service_name, region) @service_name = service_name @credentials = credentials.credentials @region = region end |
Class Method Details
.sign(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
8 9 10 11 12 13 14 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 8 def self.sign(context) new( context.config.credentials, context.config.sigv4_name, context.config.sigv4_region ).sign(context.http_request) end |
Instance Method Details
#authorization(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
82 83 84 85 86 87 88 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 82 def (request, datetime, body_digest) parts = [] parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}" parts << "SignedHeaders=#{signed_headers(request)}" parts << "Signature=#{signature(request, datetime, body_digest)}" parts.join(', ') end |
#canonical_header_value(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
180 181 182 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 180 def canonical_header_value(value) value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip end |
#canonical_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
170 171 172 173 174 175 176 177 178 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 170 def canonical_headers(request) headers = [] request.headers.each_pair do |k,v| k = k.downcase headers << [k,v] unless k == 'authorization' end headers = headers.sort_by(&:first) headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n") end |
#canonical_request(request, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
121 122 123 124 125 126 127 128 129 130 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 121 def canonical_request(request, body_digest) [ request.http_method, path(request.endpoint), normalized_querystring(request.endpoint.query || ''), canonical_headers(request) + "\n", signed_headers(request), body_digest ].join("\n") end |
#credential(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
90 91 92 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 90 def credential(datetime) "#{@credentials.access_key_id}/#{credential_scope(datetime)}" end |
#credential_scope(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
112 113 114 115 116 117 118 119 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 112 def credential_scope(datetime) parts = [] parts << datetime[0,8] parts << @region parts << @service_name parts << 'aws4_request' parts.join("/") end |
#hexdigest(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
197 198 199 200 201 202 203 204 205 206 207 208 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 197 def hexdigest(value) digest = OpenSSL::Digest::SHA256.new if value.respond_to?(:read) chunk = nil chunk_size = 1024 * 1024 # 1 megabyte digest.update(chunk) while chunk = value.read(chunk_size) value.rewind else digest.update(value) end digest.hexdigest end |
#hexhmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
214 215 216 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 214 def hexhmac(key, value) OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value) end |
#hmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
210 211 212 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 210 def hmac(key, value) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value) end |
#host(uri) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
184 185 186 187 188 189 190 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 184 def host(uri) if standard_port?(uri) uri.host else "#{uri.host}:#{uri.port}" end end |
#normalized_querystring(querystring) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 141 def normalized_querystring(querystring) params = querystring.split('&') params = params.map { |p| p.match(/=/) ? p : p + '=' } # We have to sort by param name and preserve order of params that # have the same name. Default sort <=> in JRuby will swap members # occasionally when <=> is 0 (considered still sorted), but this # causes our normalized query string to not match the sent querystring. # When names match, we then sort by their original order params = params.each.with_index.sort do |a, b| a, a_offset = a a_name = a.split('=')[0] b, b_offset = b b_name = b.split('=')[0] if a_name == b_name a_offset <=> b_offset else a_name <=> b_name end end.map(&:first).join('&') end |
#path(uri) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
132 133 134 135 136 137 138 139 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 132 def path(uri) path = uri.path == '' ? '/' : uri.path if @service_name == 's3' path else path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) } end end |
#presigned_url(request, options = {}) ⇒ String
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Generates an returns a presigned URL.
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 50 def presigned_url(request, = {}) now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = [:body_digest] || hexdigest(request.body) request.headers['Host'] = host(request.endpoint) request.headers.delete('User-Agent') params = Aws::Query::ParamList.new request.headers.keys.each do |key| if key.match(/^x-amz/i) params.set(key, request.headers.delete(key)) end end params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256") params.set("X-Amz-Credential", credential(now)) params.set("X-Amz-Date", now) params.set("X-Amz-Expires", [:expires_in].to_s) params.set("X-Amz-SignedHeaders", signed_headers(request)) params.set('X-Amz-Security-Token', @credentials.session_token) if @credentials.session_token endpoint = request.endpoint if endpoint.query endpoint.query += '&' + params.to_s else endpoint.query = params.to_s end endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest) end |
#sign(req) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns the signed request.
30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 30 def sign(req) datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body) req.headers['X-Amz-Date'] = datetime req.headers['Host'] = host(req.endpoint) req.headers['X-Amz-Security-Token'] = @credentials.session_token if @credentials.session_token req.headers['X-Amz-Content-Sha256'] ||= body_digest req.headers['Authorization'] = (req, datetime, body_digest) req end |
#signature(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
94 95 96 97 98 99 100 101 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 94 def signature(request, datetime, body_digest) k_secret = @credentials.secret_access_key k_date = hmac("AWS4" + k_secret, datetime[0,8]) k_region = hmac(k_date, @region) k_service = hmac(k_region, @service_name) k_credentials = hmac(k_service, 'aws4_request') hexhmac(k_credentials, string_to_sign(request, datetime, body_digest)) end |
#signed_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
162 163 164 165 166 167 168 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 162 def signed_headers(request) request.headers.keys.inject([]) do |signed_headers, header_key| header_key = header_key.downcase signed_headers << header_key unless header_key == 'authorization' signed_headers end.sort.join(';') end |
#standard_port?(uri) ⇒ Boolean
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
192 193 194 195 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 192 def standard_port?(uri) (uri.scheme == 'http' && uri.port == 80) || (uri.scheme == 'https' && uri.port == 443) end |
#string_to_sign(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
103 104 105 106 107 108 109 110 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 103 def string_to_sign(request, datetime, body_digest) parts = [] parts << 'AWS4-HMAC-SHA256' parts << datetime parts << credential_scope(datetime) parts << hexdigest(canonical_request(request, body_digest)) parts.join("\n") end |