enabled AWS Signature Version 4

based on pr waynehoover/s3_direct_upload#174 made by @mattwarrenrnp
narando · Aug 24, 2016 · 3e2c034 · 3e2c034
1 parent 3746cf3
commit 3e2c034
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 27 deletions.
diff --git a/app/assets/javascripts/s3_file_field.js.coffee b/app/assets/javascripts/s3_file_field.js.coffee
@@ -75,11 +75,13 @@ jQuery.fn.S3FileField = (options) ->
         key: $this.data('key').replace('{timestamp}', new Date().getTime()).replace('{unique_id}', unique_id)
         'Content-Type': @files[0].type
         acl: $this.data('acl')
-        'AWSAccessKeyId': $this.data('aws-access-key-id')
         policy: $this.data('policy')
-        signature: $this.data('signature')
         success_action_status: "201"
         'X-Requested-With': 'xhr'
+        'X-Amz-Algorithm': $this.data('amzalgorithm')
+        'X-Amz-Credential': $this.data('amzcredential')
+        'X-Amz-Date': $this.data('amzdate')
+        'X-Amz-Signature': $this.data('amzsignature')
 
       getFormData(finalFormData[unique_id]).concat(getFormData(extraFormData))
 

diff --git a/lib/s3_file_field/s3_uploader.rb b/lib/s3_file_field/s3_uploader.rb
@@ -13,9 +13,11 @@ def initialize(original_options = {})
         max_file_size: 500.megabytes,
         conditions: [],
         key_starts_with: S3FileField.config.key_starts_with || 'uploads/',
-        region: S3FileField.config.region || 's3',
+        region: S3FileField.config.region || 'us-east-1',
         url: S3FileField.config.url,
-        ssl: S3FileField.config.ssl
+        ssl: S3FileField.config.ssl,
+        date: Time.now.utc.strftime("%Y%m%d"),
+        timestamp: Time.now.utc.strftime("%Y%m%dT%H%M%SZ")
       }
 
       @key = original_options[:key]
@@ -27,6 +29,16 @@ def initialize(original_options = {})
 
       @options = default_options.merge(extracted_options)
 
+
+      def hostname
+        if @options[:region] == "us-east-1"
+          "#{@options[:bucket]}.s3.amazonaws.com"
+        else
+          "#{@options[:bucket]}.s3-#{@options[:region]}.amazonaws.com"
+        end
+      end
+
+
       unless @options[:access_key_id]
         raise Error.new("Please configure access_key_id option.")
       end
@@ -41,17 +53,22 @@ def initialize(original_options = {})
     end
 
     def field_options
-      @original_options.merge(data: field_data_options)
+
+      all_options = @original_options.merge(data: field_data_options)
+      puts all_options
+      all_options
     end
 
     def field_data_options
       {
-        url: url,
-        key: key,
-        acl: @options[:acl],
-        aws_access_key_id: @options[:access_key_id],
-        policy: policy,
-        signature: signature
+        :url => @options[:url] || url,
+        :key => @options[:key] || key,
+        :acl => @options[:acl],
+        :policy => policy,
+        :amzAlgorithm => 'AWS4-HMAC-SHA256',
+        :amzCredential => "#{@options[:access_key_id]}/#{@options[:date]}/#{@options[:region]}/s3/aws4_request",
+        :amzDate => @options[:timestamp],
+        :amzSignature => signature,
       }.merge(@original_options[:data] || {})
     end
 
@@ -62,15 +79,7 @@ def key
     end
 
     def url
-      @url ||=
-        if @options[:url]
-          @options[:url]
-        else
-          protocol = @options[:ssl] == true ? "https" : @options[:ssl] == false ? "http" : nil
-          subdomain = "#{@options[:bucket]}.#{@options[:region]}"
-          domain = "//#{subdomain}.amazonaws.com/"
-          [protocol, domain].compact.join(":")
-        end
+      @options[:url] || "http#{@options[:ssl] ? 's' : ''}://#{hostname}/"
     end
 
     def policy
@@ -87,18 +96,29 @@ def policy_data
           ["starts-with","$Content-Type",""],
           {bucket: @options[:bucket]},
           {acl: @options[:acl]},
-          {success_action_status: "201"}
+          {success_action_status: "201"},
+          {'X-Amz-Algorithm' => 'AWS4-HMAC-SHA256'},
+          {'X-Amz-Credential' => "#{@options[:access_key_id]}/#{@options[:date]}/#{@options[:region]}/s3/aws4_request"},
+          {'X-Amz-Date' => @options[:timestamp]}
         ] + @options[:conditions]
       }
     end
 
+
+    def signing_key
+      #AWS Signature Version 4
+
+      kDate    = OpenSSL::HMAC.digest('sha256', "AWS4" + @options[:secret_access_key], @options[:date])
+      kRegion  = OpenSSL::HMAC.digest('sha256', kDate, @options[:region])
+      kService = OpenSSL::HMAC.digest('sha256', kRegion, 's3')
+      kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
+
+      kSigning
+    end
+
+
     def signature
-      Base64.encode64(
-        OpenSSL::HMAC.digest(
-          OpenSSL::Digest.new('sha1'),
-          @options[:secret_access_key], policy
-        )
-      ).gsub("\n", '')
+      OpenSSL::HMAC.hexdigest('sha256', signing_key, policy)
     end
   end
 end