Class: Aws::Signers::V4 Private
- Inherits:
-
Object
- Object
- Aws::Signers::V4
- Defined in:
- lib/aws-sdk-core/signers/v4.rb
This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.
Class Method Summary collapse
- .sign(context) ⇒ Object private
Instance Method Summary collapse
- #authorization(request, datetime, body_digest) ⇒ Object private
- #canonical_header_value(value) ⇒ Object private
- #canonical_headers(request) ⇒ Object private
- #canonical_request(request, body_digest) ⇒ Object private
- #credential(datetime) ⇒ Object private
- #credential_scope(datetime) ⇒ Object private
- #hexdigest(value) ⇒ Object private
- #hexhmac(key, value) ⇒ Object private
- #hmac(key, value) ⇒ Object private
-
#initialize(credentials, service_name, region) ⇒ V4
constructor
private
A new instance of V4.
- #normalized_querystring(querystring) ⇒ Object private
- #path(uri) ⇒ Object private
-
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
private
Generates an returns a presigned URL.
-
#sign(req) ⇒ Seahorse::Client::Http::Request
private
The signed request.
- #signature(request, datetime, body_digest) ⇒ Object private
- #signed_headers(request) ⇒ Object private
- #string_to_sign(request, datetime, body_digest) ⇒ Object private
Constructor Details
#initialize(credentials, service_name, region) ⇒ V4
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns a new instance of V4.
22 23 24 25 26 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 22 def initialize(credentials, service_name, region) @service_name = service_name @credentials = credentials.credentials @region = region end |
Class Method Details
.sign(context) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
8 9 10 11 12 13 14 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 8 def self.sign(context) new( context.config.credentials, context.config.sigv4_name, context.config.sigv4_region ).sign(context.http_request) end |
Instance Method Details
#authorization(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
82 83 84 85 86 87 88 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 82 def (request, datetime, body_digest) parts = [] parts << "AWS4-HMAC-SHA256 Credential=#{credential(datetime)}" parts << "SignedHeaders=#{signed_headers(request)}" parts << "Signature=#{signature(request, datetime, body_digest)}" parts.join(', ') end |
#canonical_header_value(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
178 179 180 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 178 def canonical_header_value(value) value.match(/^".*"$/) ? value : value.gsub(/\s+/, ' ').strip end |
#canonical_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
168 169 170 171 172 173 174 175 176 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 168 def canonical_headers(request) headers = [] request.headers.each_pair do |k,v| k = k.downcase headers << [k,v] unless k == 'authorization' end headers = headers.sort_by(&:first) headers.map{|k,v| "#{k}:#{canonical_header_value(v.to_s)}" }.join("\n") end |
#canonical_request(request, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
121 122 123 124 125 126 127 128 129 130 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 121 def canonical_request(request, body_digest) [ request.http_method, path(request.endpoint), normalized_querystring(request.endpoint.query || ''), canonical_headers(request) + "\n", signed_headers(request), body_digest ].join("\n") end |
#credential(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
90 91 92 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 90 def credential(datetime) "#{@credentials.access_key_id}/#{credential_scope(datetime)}" end |
#credential_scope(datetime) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
112 113 114 115 116 117 118 119 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 112 def credential_scope(datetime) parts = [] parts << datetime[0,8] parts << @region parts << @service_name parts << 'aws4_request' parts.join("/") end |
#hexdigest(value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
182 183 184 185 186 187 188 189 190 191 192 193 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 182 def hexdigest(value) digest = OpenSSL::Digest::SHA256.new if value.respond_to?(:read) chunk = nil chunk_size = 1024 * 1024 # 1 megabyte digest.update(chunk) while chunk = value.read(chunk_size) value.rewind else digest.update(value) end digest.hexdigest end |
#hexhmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
199 200 201 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 199 def hexhmac(key, value) OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value) end |
#hmac(key, value) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
195 196 197 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 195 def hmac(key, value) OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, value) end |
#normalized_querystring(querystring) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 141 def normalized_querystring(querystring) params = querystring.split('&') params = params.map { |p| p.match(/=/) ? p : p + '=' } # We have to sort by param name and preserve order of params that # have the same name. Default sort <=> in JRuby will swap members # occasionally when <=> is 0 (considered still sorted), but this # causes our normalized query string to not match the sent querystring. # When names match, we then sort by their original order params = params.each.with_index.sort do |a, b| a, a_offset = a a_name = a.split('=')[0] b, b_offset = b b_name = b.split('=')[0] if a_name == b_name a_offset <=> b_offset else a_name <=> b_name end end.map(&:first).join('&') end |
#path(uri) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
132 133 134 135 136 137 138 139 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 132 def path(uri) path = uri.path == '' ? '/' : uri.path if @service_name == 's3' path else path.gsub(/[^\/]+/) { |segment| Seahorse::Util.uri_escape(segment) } end end |
#presigned_url(request, options = {}) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Generates an returns a presigned URL.
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 50 def presigned_url(request, = {}) now = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = [:body_digest] || hexdigest(request.body) request.headers['Host'] = request.endpoint.host request.headers.delete('User-Agent') params = Aws::Query::ParamList.new request.headers.keys.each do |key| if key.match(/^x-amz/i) params.set(key, request.headers.delete(key)) end end params.set("X-Amz-Algorithm", "AWS4-HMAC-SHA256") params.set("X-Amz-Credential", credential(now)) params.set("X-Amz-Date", now) params.set("X-Amz-Expires", [:expires_in].to_s) params.set("X-Amz-SignedHeaders", signed_headers(request)) params.set('X-Amz-Security-Token', @credentials.session_token) if @credentials.session_token endpoint = request.endpoint if endpoint.query endpoint.query += '&' + params.to_s else endpoint.query = params.to_s end endpoint.to_s + '&X-Amz-Signature=' + signature(request, now, body_digest) end |
#sign(req) ⇒ Seahorse::Client::Http::Request
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
Returns the signed request.
30 31 32 33 34 35 36 37 38 39 40 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 30 def sign(req) datetime = Time.now.utc.strftime("%Y%m%dT%H%M%SZ") body_digest = req.headers['X-Amz-Content-Sha256'] || hexdigest(req.body) req.headers['X-Amz-Date'] = datetime req.headers['Host'] = req.endpoint.host req.headers['X-Amz-Security-Token'] = @credentials.session_token if @credentials.session_token req.headers['X-Amz-Content-Sha256'] ||= body_digest req.headers['Authorization'] = (req, datetime, body_digest) req end |
#signature(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
94 95 96 97 98 99 100 101 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 94 def signature(request, datetime, body_digest) k_secret = @credentials.secret_access_key k_date = hmac("AWS4" + k_secret, datetime[0,8]) k_region = hmac(k_date, @region) k_service = hmac(k_region, @service_name) k_credentials = hmac(k_service, 'aws4_request') hexhmac(k_credentials, string_to_sign(request, datetime, body_digest)) end |
#signed_headers(request) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
162 163 164 165 166 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 162 def signed_headers(request) headers = request.headers.keys headers.delete('authorization') headers.sort.join(';') end |
#string_to_sign(request, datetime, body_digest) ⇒ Object
This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.
103 104 105 106 107 108 109 110 |
# File 'lib/aws-sdk-core/signers/v4.rb', line 103 def string_to_sign(request, datetime, body_digest) parts = [] parts << 'AWS4-HMAC-SHA256' parts << datetime parts << credential_scope(datetime) parts << hexdigest(canonical_request(request, body_digest)) parts.join("\n") end |