Implement v4a aws-chunked payload signer and s3-crt delegation #4350

haydenbaker · 2023-08-25T21:46:34Z

Motivation and Context

similar to Implement AwsChunked payload signer and s3v4 delegation #4296, this implements it for s3-crt

Modifications

Copies chunk-encoding code from http-auth-aws, such that it doesn't need to be protected/shared right now (the implementation may change, and we don't want to block on this)
Adds the necessary code to decide on chunk-encoding, payload signing, etc.

Testing

run old and new tests, make sure pass

Screenshots (if appropriate)

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)

Checklist

I have read the CONTRIBUTING document
Local run of mvn install succeeds
My code follows the code style of this project
My change requires a change to the Javadoc documentation
I have updated the Javadoc documentation accordingly
I have added tests to cover my changes
All new and existing tests passed
I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

I confirm that this pull request can be released under the Apache 2 license

haydenbaker · 2023-08-28T18:49:47Z

...t/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/Chunk.java

haydenbaker · 2023-08-28T18:49:51Z

...oftware/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/ChunkExtensionProvider.java

haydenbaker · 2023-08-28T18:49:55Z

...a/software/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/ChunkHeaderProvider.java

haydenbaker · 2023-08-28T18:49:58Z

...java/software/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/ChunkInputStream.java

haydenbaker · 2023-08-28T18:50:02Z

...ware/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/ChunkedEncodedInputStream.java

haydenbaker · 2023-08-28T18:50:08Z

...ain/java/software/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/DefaultChunk.java

haydenbaker · 2023-08-28T18:50:12Z

.../java/software/amazon/awssdk/http/auth/aws/crt/internal/chunkedencoding/TrailerProvider.java

haydenbaker · 2023-08-28T18:50:15Z

...ain/java/software/amazon/awssdk/http/auth/aws/crt/internal/io/SdkLengthAwareInputStream.java

zoewangg · 2023-08-28T21:01:25Z

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSigner.java

@@ -47,6 +52,47 @@
 @SdkInternalApi
 public final class DefaultAwsCrtV4aHttpSigner implements AwsV4aHttpSigner {

+    private static final int DEFAULT_CHUNK_SIZE_IN_BYTES = 128 * 1024;


Do we use the same value else where? If so, should we share the constant?

In the AWS module, I don't think we need to share this one.

zoewangg · 2023-08-28T21:53:28Z

...rt/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/RollingSigner.java

+        HttpRequestBodyStream crtBody = new CrtInputStream(() -> new ByteArrayInputStream(chunkBody));
+        CompletableFuture<byte[]> future = AwsSigner.signChunk(crtBody, previousSignature, signingConfig);
+        try {
+            return future.get();


joinLikeSync? https://github.com/aws/aws-sdk-java-v2/blob/feature/master/sra-identity-auth/utils/src/main/java/software/amazon/awssdk/utils/CompletableFutureUtils.java#L247

zoewangg · 2023-08-28T22:04:10Z

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSigner.java

@@ -135,12 +144,72 @@ private AwsSigningConfig signingConfig(SignRequest<?, ? extends AwsCredentialsId
        }

        if (!isPayloadSigning) {
-            signingConfig.setSignedBodyValue(AwsSigningConfig.AwsSignedBodyValue.UNSIGNED_PAYLOAD);
+            if (isChunkEncoding) {


nit: nested if-else is a bit hard to read. Can we split up the block a bit?

if (isPayloadSigning) { configurePayloadSigning(); } else { configureNonPayloadSigning(); }

I'm wondering if we can handle complex decisions like this in a more clean way (not just here, but in other places as well), any ideas? I think it's easy to reason about right now, but it would be nice if we could do (pseudocode):

STREAMING_UNSIGNED_TRAILER = !isPayloadSigning & isChunked & isTrailing STREAMING_SIGNED = isPayloadSigning & isChunked ... switch (payloadType) case STREAMING_SIGNED: // configure here case STREAMING_UNSIGNED_TRAILER: // configure here ... default: throw new UnsupportedOperationException()

We could probably do a bitmask, but might not be as easy to reason through.

zoewangg · 2023-08-28T22:04:47Z

...rt/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/RollingSigner.java

+    }
+
+    private static byte[] signChunk(byte[] chunkBody, byte[] previousSignature, AwsSigningConfig signingConfig) {
+        HttpRequestBodyStream crtBody = new CrtInputStream(() -> new ByteArrayInputStream(chunkBody));


Do we need to close the body afterwards?

That's a good question. Closing would need to happen somewhere downstream (such as in AwsSigner.signChunk()) or in CrtInputStream itself). It doesn't happen in AwsSigner, so perhaps we can add it to CrtInputStream. Done.

zoewangg · 2023-08-28T22:04:58Z

...rt/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/RollingSigner.java

+        configCopy.setSignatureType(AwsSigningConfig.AwsSignatureType.HTTP_REQUEST_TRAILING_HEADERS);
+        CompletableFuture<AwsSigningResult> future = AwsSigner.sign(httpHeaderList, previousSignature, configCopy);
+        try {
+            return future.get();


Same here, joinLikeSync

zoewangg · 2023-08-29T21:33:29Z

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSigner.java

+    private static void configureUnsignedPayload(AwsSigningConfig signingConfig, boolean isChunkEncoding, boolean isTrailing) {
+        if (isChunkEncoding) {
+            if (isTrailing) {
+                signingConfig.setSignedBodyValue(AwsSigningConfig.AwsSignedBodyValue.STREAMING_UNSIGNED_PAYLOAD_TRAILER);


nit: can we use static import? signingConfig.setSignedBodyValue(STREAMING_UNSIGNED_PAYLOAD_TRAILER). Same as others

zoewangg · 2023-08-29T21:36:01Z

...s-crt/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/V4aContext.java


-    public V4aContext(SdkHttpRequest signedRequest) {
+    public V4aContext(SdkHttpRequest.Builder signedRequest, byte[] signature, AwsSigningConfig signingConfig) {


Is there any reason we changed it to the builder instance? Is this just for testing?

No, this is changed because the payload signing step needs access to the request-builder from the context in order to update the request-headers (such as removing content-length, etc.)

zoewangg · 2023-09-01T19:49:32Z

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/AwsChunkedV4aPayloadSigner.java

+    }
+
+    private void setupChecksumTrailer(ChunkedEncodedInputStream.Builder builder) {
+        // TODO: Set up checksumming of chunks and add as a trailer


I think we use TODO(sra-identity-and-auth) naming convention. Ignore this if this TODO gets deleted in other PR

haydenbaker requested a review from a team as a code owner August 25, 2023 21:46

haydenbaker changed the base branch from master to feature/master/sra-identity-auth August 25, 2023 21:46

haydenbaker force-pushed the haydenbaker/sra-ia-awss3v4crt-signer-composed branch from 5b00087 to 69e9b15 Compare August 28, 2023 17:49