Use aws4 gem to sign requests

Author: cmdrkeene

Gemfile

@@ -1,3 +1,2 @@
 source "https://rubygems.org"
-gem "rake"
 gemspec

Rakefile

@@ -1,4 +1,4 @@
 require 'bundler/gem_tasks'
 require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
-task :default => :spec
+task :default => :spec

dynamodb.gemspec

@@ -13,8 +13,10 @@ Gem::Specification.new do |s|
   s.executables  = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.homepage     = 'http://github.com/groupme/dynamodb'
 
+  s.add_runtime_dependency 'aws4', '0.0.1'
   s.add_runtime_dependency 'multi_json', '1.3.7'
 
+  s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec', '2.8.0'
   s.add_development_dependency 'webmock', '1.8.11'
 end

lib/dynamodb.rb

@@ -9,8 +9,6 @@ class ClientError < BaseError; end
   class ServerError < BaseError; end
   class AuthenticationError < BaseError; end
 
-  Credentials = Struct.new(:access_key_id, :secret_access_key)
-
   require 'dynamodb/version'
   require 'dynamodb/connection'
   require 'dynamodb/http_handler'

lib/dynamodb/connection.rb

@@ -1,3 +1,5 @@
+require "aws4/signer"
+
 module DynamoDB
   # Establishes a connection to Amazon DynamoDB using credentials.
   class Connection
@@ -14,42 +16,48 @@ def http_handler=(new_http_handler)
     # Create a connection
     # uri:          # default 'https://dynamodb.us-east-1.amazonaws.com/'
     # timeout:      # default 5 seconds
-    # api_version:  # default 
+    # api_version:  # default
     #
     def initialize(opts = {})
-      if opts[:access_key_id] && opts[:secret_access_key]
-        @credentials = DynamoDB::Credentials.new(opts[:access_key_id], opts[:secret_access_key])
-      else
+      if !(opts[:access_key_id] && opts[:secret_access_key])
         raise ArgumentError.new("access_key_id and secret_access_key are required")
       end
 
-      @uri = URI(opts[:uri] || "https://dynamodb.us-east-1.amazonaws.com/")
       set_timeout(opts[:timeout]) if opts[:timeout]
-
+      @uri = URI(opts[:uri] || "https://dynamodb.us-east-1.amazonaws.com/")
+      region = @uri.host.split(".", 4)[1] || "us-east-1"
       @api_version = opts[:api_version] || "DynamoDB_20111205"
+      @signer = AWS4::Signer.new(
+        access_key: opts[:access_key_id],
+        secret_key: opts[:secret_access_key],
+        region: region
+      )
     end
 
     # Create and send a request to DynamoDB
     #
     # This returns either a SuccessResponse or a FailureResponse.
     #
-    # `operation` can be any DynamoDB operation. `data` is a hash that will be
+    # `operation` can be any DynamoDB operation. `body` is a hash that will be
     # used as the request body (in JSON format). More info available at:
     # http://docs.amazonwebservices.com/amazondynamodb/latest/developerguide
     #
-    def post(operation, data={})
+    def post(operation, body={})
       request = DynamoDB::Request.new(
-        uri:         @uri,
-        credentials: @credentials,
-        api_version: @api_version,
-        operation:   operation,
-        data:        data
+        signer: @signer,
+        uri: @uri,
+        operation: version(operation),
+        body: body
       )
       http_handler.handle(request)
     end
 
     private
 
+    def version(op)
+      "#{@api_version}.#{op}"
+    end
+
     def http_handler
       self.class.http_handler
     end

lib/dynamodb/request.rb

@@ -1,107 +1,42 @@
-require "base64"
-require "openssl"
-
 module DynamoDB
   class Request
-    class << self
-      def digest(signing_string, key)
-        Base64.encode64(
-          OpenSSL::HMAC.digest('sha256', key, Digest::SHA256.digest(signing_string))
-        ).strip
-      end
-    end
+    RFC1123 = "%a, %d %b %Y %H:%M:%S GMT"
+    ISO8601 = "%Y%m%dT%H%M%SZ"
 
-    attr_reader :uri, :datetime, :credentials, :region, :data, :service, :operation, :api_version
+    attr_reader :uri, :operation, :body, :signer
 
     def initialize(args = {})
-      @uri          = args[:uri]
-      @credentials  = args[:credentials]
-      @operation    = args[:operation]
-      @data         = args[:data]
-      @api_version  = args[:api_version]
-      @region       = args[:region] || "us-east-1"
-      @datetime     = Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
-      @service      = "dynamodb"
-    end
-
-    def our_headers
-      {
-        "user-agent"           => "groupme/dynamodb",
-        "host"                 => uri.host,
-        "content-type"         => "application/x-amz-json-1.0",
-        "content-length"       => body.size,
-        "x-amz-date"           => datetime,
-        "x-amz-target"         => "#{api_version}.#{operation}",
-        "x-amz-content-sha256" => hexdigest(body || '')
-      }
+      @uri        = args[:uri]
+      @operation  = args[:operation]
+      @body       = MultiJson.dump(args[:body])
+      @signer     = args[:signer]
     end
 
     def headers
-      @headers ||= our_headers.merge("authorization" => authorization)
-    end
-
-    def body
-      @body ||= MultiJson.dump(data)
-    end
-
-    def authorization
-      parts = []
-      parts << "AWS4-HMAC-SHA256 Credential=#{credentials.access_key_id}/#{credential_string}"
-      parts << "SignedHeaders=#{our_headers.keys.sort.join(";")}"
-      parts << "Signature=#{signature}"
-      parts.join(', ')
-    end
-
-    def signature
-      k_secret = credentials.secret_access_key
-      k_date = hmac("AWS4" + k_secret, datetime[0,8])
-      k_region = hmac(k_date, region)
-      k_service = hmac(k_region, service)
-      k_credentials = hmac(k_service, 'aws4_request')
-      hexhmac(k_credentials, string_to_sign)
-    end
-
-    def string_to_sign
-      parts = []
-      parts << 'AWS4-HMAC-SHA256'
-      parts << datetime
-      parts << credential_string
-      parts << hexdigest(canonical_request)
-      parts.join("\n")
-    end
-
-    def credential_string
-      parts = []
-      parts << datetime[0,8]
-      parts << region
-      parts << service
-      parts << 'aws4_request'
-      parts.join("/")
-    end
-
-    def canonical_request
-      parts = []
-      parts << "POST"
-      parts << uri.path
-      parts << uri.query
-      parts << our_headers.sort.map {|k, v| [k,v].join(':')}.join("\n") + "\n"
-      parts << "content-length;content-type;host;user-agent;x-amz-content-sha256;x-amz-date;x-amz-target"
-      parts << our_headers['x-amz-content-sha256']
-      parts.join("\n")
+      @headers ||= signed_headers
+    end
+
+    private
+
+    def signed_headers
+      date = Time.now.utc
+      h = {
+        "Date"                 => date.strftime(RFC1123),
+        "User-Agent"           => "groupme/dynamodb",
+        "Host"                 => uri.host,
+        "Content-Type"         => "application/x-amz-json-1.0",
+        "Content-Length"       => body.size.to_s,
+        "X-AMZ-Date"           => date.strftime(ISO8601),
+        "X-AMZ-Target"         => operation,
+        "X-AMZ-Content-SHA256" => hexdigest(body || '')
+      }
+      signer.sign("POST", uri, h, body)
     end
 
-    def hexdigest value
+    def hexdigest(value)
       digest = Digest::SHA256.new
       digest.update(value)
       digest.hexdigest
     end
-
-    def hmac key, value
-      OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha256'), key, value)
-    end
-
-    def hexhmac key, value
-      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), key, value)
-    end
   end
 end

spec/dynamodb/request_spec.rb

@@ -1,31 +1,32 @@
 require "spec_helper"
 
 describe DynamoDB::Request do
-  let(:uri)         { URI("https://dynamodb.us-east-1.amazonaws.com/") }
-  let(:credentials) { DynamoDB::Credentials.new("access_key_id", "secret_access_key") }
-  let(:data)        { {} }
-  let(:request) {
-    DynamoDB::Request.new(
-      uri:          uri,
-      api_version:  "DynamoDB_20111205",
-      credentials:  credentials,
-      data:         data,
-      operation:    "ListTables",
-    )
-  }
-
   it "signs the request" do
     Time.stub(now: Time.parse("20130508T201304Z"))
 
+    uri = URI("https://dynamodb.us-east-1.amazonaws.com/")
+    signer = AWS4::Signer.new(
+      access_key: "access_key_id",
+      secret_key: "secret_access_key",
+      region: "us-east-1"
+    )
+    request = DynamoDB::Request.new(
+      uri: uri,
+      signer: signer,
+      body: {},
+      operation: "DynamoDB_20111205.ListTables",
+    )
+
     request.headers.should == {
-      "content-type"=>"application/x-amz-json-1.0",
-      "x-amz-target"=>"DynamoDB_20111205.ListTables",
-      "content-length"=>2,
-      "user-agent"=>"groupme/dynamodb",
-      "host"=>"dynamodb.us-east-1.amazonaws.com",
-      "x-amz-date"=>"20130508T201304Z",
-      "x-amz-content-sha256"=>"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
-      "authorization"=>"AWS4-HMAC-SHA256 Credential=access_key_id/20130508/us-east-1/dynamodb/aws4_request, SignedHeaders=content-length;content-type;host;user-agent;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=52fab5c720b35ce247f8388c5c8f66b300074ae88b666985ee26ca70d923be1d"
+      "Content-Type"=>"application/x-amz-json-1.0",
+      "Content-Length"=>"2",
+      "Date"=>"Wed, 08 May 2013 20:13:04 GMT",
+      "User-Agent"=>"groupme/dynamodb",
+      "Host"=>"dynamodb.us-east-1.amazonaws.com",
+      "X-AMZ-Target"=>"DynamoDB_20111205.ListTables",
+      "X-AMZ-Date"=>"20130508T201304Z",
+      "X-AMZ-Content-SHA256"=>"44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
+      "Authorization"=>"AWS4-HMAC-SHA256 Credential=access_key_id/20130508/us-east-1/dynamodb/aws4_request, SignedHeaders=content-length;content-type;date;host;user-agent;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=9e551627237673b4deaa2c22fd3b3777d6d0705facd35b56b289e357c4995c46"
     }
   end
 end