ruby - SignatureDoesNotMatch - 查询字符串参数(AWS 签名版本 4)

Question

我正在使用 AWS 签名版本 4 为 GET 请求预签名 URL。我让整个模块为 AWS 在其文档中提供的示例代码工作。当我尝试在我自己的 s3 存储桶上使用它时(在将所有示例值更改为我的真实值之后)，它给了我一个 SignatureDoesNotMatch 错误。我一直在尝试无数个小时来查看我的代码中遗漏了什么或做错了什么。我确信它是微不足道的，但我无法理解为什么它计算的签名与 AWS 不同。

参数将附加到我的 GET 请求的末尾，因为 return 语句将它们提交回来(而不是通过请求中的 header 发送)。

这是我创建的模块。

require 'openssl'

module AwsPresignUrl
  extend self
  SECRET_KEY = ENV.fetch("AWS_SECRET_ACCESS_KEY")
  ACCESS_KEY = ENV.fetch("AWS_ACCESS_KEY_ID")
  METHOD = "GET"
  REGION = "us-east-2"
  EXPIRES = 10000
  HOST = "s3.us-east-2.amazonaws.com"
  SERVICE = "s3"

  def get_signature_key(key, dateStamp, regionName, serviceName)
    kDate    = OpenSSL::HMAC.digest('sha256', "AWS4" + key, dateStamp)
    kRegion  = OpenSSL::HMAC.digest('sha256', kDate, regionName)
    kService = OpenSSL::HMAC.digest('sha256', kRegion, serviceName)
    kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
  end

  def generate_signed_url(path: "/")
    t = Time.now.utc
    amz_date = t.strftime('%Y%m%dT%H%M%SZ')
    date_stamp = t.strftime('%Y%m%d')
    credential_scope = [date_stamp, REGION, SERVICE, 'aws4_request'].join("/")
    amz_credential = uri_encode(path: [ACCESS_KEY, credential_scope].join('/'))
    algorithm = 'AWS4-HMAC-SHA256'

    # Task 1: Create a Canonical Request For Signature Version 4
    # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
    # payload_hash = OpenSSL::Digest.new("sha256").hexdigest("")
    canonical_uri = uri_encode(path: path)
    signed_headers = "host;x-amz-algorithm;x-amz-content-sha256;x-amz-credential;x-amz-date;x-amz-expires;x-amz-signedheaders"
    payload_hash = "UNSIGNED-PAYLOAD"
    canonical_headers = ["host:" + HOST, 
                         "x-amz-algorithm:" + algorithm,
                         "x-amz-content-sha256:" + payload_hash, 
                         "x-amz-credential:" + amz_credential,
                         "x-amz-date:" + amz_date,
                         "x-amz-expires:" + EXPIRES.to_s,
                         "x-amz-signedheaders:" + signed_headers
                        ].join("\n") + "\n"
    canonical_query_string = "X-Amz-Algorithm=#{algorithm}" +
                             "&X-Amz-Credential=#{amz_credential}" +
                             "&X-Amz-Date=#{amz_date}" + 
                             "&X-Amz-Expires=#{EXPIRES}" +
                             "&X-Amz-Content-Sha256=#{payload_hash}" +
                             "&X-Amz-SignedHeaders=#{signed_headers}"

    canonical_request = [METHOD, canonical_uri, canonical_query_string, canonical_headers,
                         signed_headers, payload_hash].join("\n")

    canonical_request_digest_hash = OpenSSL::Digest.new("sha256").hexdigest(canonical_request)

    # Task 2: Create a String to Sign for Signature Version 4
    # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
    string_to_sign = [algorithm, amz_date, credential_scope, canonical_request_digest_hash].join("\n")

    # Task 3: Calculate the AWS Signature Version 4
    # http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
    signing_key = get_signature_key(SECRET_KEY, date_stamp, REGION, SERVICE)

    # Task 4: Add the Signing Information to the Request
    # http://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
    signature = OpenSSL::HMAC.hexdigest('sha256', signing_key, string_to_sign)

    return  "?X-Amz-Algorithm=#{algorithm}" +
            "&X-Amz-Credential=#{amz_credential}" +
            "&X-Amz-Date=#{amz_date}" + 
            "&X-Amz-Expires=#{EXPIRES}" +
            "&X-Amz-Content-Sha256=#{payload_hash}" +
            "&X-Amz-SignedHeaders=#{signed_headers}" +
            "&X-Amz-Signature=#{signature}"
  end

  def uri_encode(path:, encode_slash: true)
    encoded_uri = ""
    path.chars.each do |ch|
      if ((ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9') || ch == '_' || ch == '-' || ch == '~' || ch == '.')
        encoded_uri << ch 
      elsif (ch == '/')
        encoded_uri << (encode_slash ? "%2F" : ch)
      else 
        encoded_uri << (ch.unpack('U'*ch.length).collect{|x| x.to_s 16})
      end 
    end
    encoded_uri
  end

Answer 1

我无法弄清楚上面的代码片段有什么问题，但我找到了一些方法来完成我需要完成的工作。

1.

添加亚马逊的 Ruby SDK gem。

gem 'aws-sdk-s3', '~> 1'

然后创建一个使用它的模块。

module AwsPresignUrl
  extend self
  AWS_CLIENT = Aws::S3::Client.new(region: 'us-east-2', access_key_id: ENV.fetch("AWS_ACCESS_KEY_ID"), secret_access_key: ENV.fetch("AWS_SECRET_ACCESS_KEY"))
  S3 = Aws::S3::Resource.new(client: AWS_CLIENT)
  BUCKET = S3.bucket(ENV.fetch("S3_BUCKET_NAME"))

  def presign_url(path: "/")
    obj = BUCKET.object(path)
    url = obj.presigned_url(:get, expires_in: 60)
  end
end

2.

我实际上是在使用 CarrierWave 进行文件上传，而忽略了有一种内置方法可以实现我想要的相同功能。

在我的初始化程序中，我只需要注释掉一行并取消注释另一行。

# config.aws_acl    = 'public-read'
config.aws_authenticated_url_expiration = 60

完成这两项操作后，我最终选择了第二个选项，因为 S3 gem 是 CarrierWave AWS gem 的依赖项。