-
Notifications
You must be signed in to change notification settings - Fork 840
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement v4a aws-chunked payload signer and s3-crt delegation #4350
Implement v4a aws-chunked payload signer and s3-crt delegation #4350
Conversation
5b00087
to
69e9b15
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore.
@@ -47,6 +52,47 @@ | |||
@SdkInternalApi | |||
public final class DefaultAwsCrtV4aHttpSigner implements AwsV4aHttpSigner { | |||
|
|||
private static final int DEFAULT_CHUNK_SIZE_IN_BYTES = 128 * 1024; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we use the same value else where? If so, should we share the constant?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the AWS module, I don't think we need to share this one.
HttpRequestBodyStream crtBody = new CrtInputStream(() -> new ByteArrayInputStream(chunkBody)); | ||
CompletableFuture<byte[]> future = AwsSigner.signChunk(crtBody, previousSignature, signingConfig); | ||
try { | ||
return future.get(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -135,12 +144,72 @@ private AwsSigningConfig signingConfig(SignRequest<?, ? extends AwsCredentialsId | |||
} | |||
|
|||
if (!isPayloadSigning) { | |||
signingConfig.setSignedBodyValue(AwsSigningConfig.AwsSignedBodyValue.UNSIGNED_PAYLOAD); | |||
if (isChunkEncoding) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: nested if-else is a bit hard to read. Can we split up the block a bit?
if (isPayloadSigning) {
configurePayloadSigning();
} else {
configureNonPayloadSigning();
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering if we can handle complex decisions like this in a more clean way (not just here, but in other places as well), any ideas? I think it's easy to reason about right now, but it would be nice if we could do (pseudocode):
STREAMING_UNSIGNED_TRAILER = !isPayloadSigning & isChunked & isTrailing
STREAMING_SIGNED = isPayloadSigning & isChunked
...
switch (payloadType)
case STREAMING_SIGNED:
// configure here
case STREAMING_UNSIGNED_TRAILER:
// configure here
...
default:
throw new UnsupportedOperationException()
We could probably do a bitmask, but might not be as easy to reason through.
} | ||
|
||
private static byte[] signChunk(byte[] chunkBody, byte[] previousSignature, AwsSigningConfig signingConfig) { | ||
HttpRequestBodyStream crtBody = new CrtInputStream(() -> new ByteArrayInputStream(chunkBody)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to close the body afterwards?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question. Closing would need to happen somewhere downstream (such as in AwsSigner.signChunk()
) or in CrtInputStream
itself). It doesn't happen in AwsSigner
, so perhaps we can add it to CrtInputStream
. Done.
configCopy.setSignatureType(AwsSigningConfig.AwsSignatureType.HTTP_REQUEST_TRAILING_HEADERS); | ||
CompletableFuture<AwsSigningResult> future = AwsSigner.sign(httpHeaderList, previousSignature, configCopy); | ||
try { | ||
return future.get(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, joinLikeSync
f6f4624
to
dcdf605
Compare
private static void configureUnsignedPayload(AwsSigningConfig signingConfig, boolean isChunkEncoding, boolean isTrailing) { | ||
if (isChunkEncoding) { | ||
if (isTrailing) { | ||
signingConfig.setSignedBodyValue(AwsSigningConfig.AwsSignedBodyValue.STREAMING_UNSIGNED_PAYLOAD_TRAILER); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: can we use static import? signingConfig.setSignedBodyValue(STREAMING_UNSIGNED_PAYLOAD_TRAILER)
. Same as others
|
||
public V4aContext(SdkHttpRequest signedRequest) { | ||
public V4aContext(SdkHttpRequest.Builder signedRequest, byte[] signature, AwsSigningConfig signingConfig) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason we changed it to the builder instance? Is this just for testing?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this is changed because the payload signing step needs access to the request-builder from the context in order to update the request-headers (such as removing content-length, etc.)
4852d00
to
5b6a418
Compare
} | ||
|
||
private void setupChecksumTrailer(ChunkedEncodedInputStream.Builder builder) { | ||
// TODO: Set up checksumming of chunks and add as a trailer |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we use TODO(sra-identity-and-auth)
naming convention. Ignore this if this TODO gets deleted in other PR
5b6a418
to
25cdb4a
Compare
0034c78
into
feature/master/sra-identity-auth
Motivation and Context
Modifications
Testing
Screenshots (if appropriate)
Types of changes
Checklist
mvn install
succeedsscripts/new-change
script and following the instructions. Commit the new file created by the script in.changes/next-release
with your changes.License