Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not re-use sanitized request when forming signed request #4543

Merged
merged 1 commit into from
Oct 4, 2023
Merged

Do not re-use sanitized request when forming signed request #4543

merged 1 commit into from
Oct 4, 2023

Conversation

haydenbaker
Copy link
Contributor

@haydenbaker haydenbaker commented Oct 4, 2023
edited
Loading

Motivation and Context

  • Before signing a request with CRT, a request is sanitized (forbidden headers/params are removed, encoded-path is set to / if path is empty, etc)
  • After signing, we should use the original request when forming the signed request, instead of the sanitized one, such that original metadata is not lost (headers, params, path, etc.)

Modifications

  • Update signer to use original request when converting to signed request
  • Remove TODOs in tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@haydenbaker haydenbaker force-pushed the haydenbaker/fix-mrap-endpoint-tests branch from e70ecb4 to ae7c3b5 Compare October 4, 2023 18:01
gosar
gosar approved these changes Oct 4, 2023
View reviewed changes
Copy link
Contributor

@gosar gosar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm treating the comments as non-blocking for the release.

...ava/software/amazon/awssdk/http/auth/aws/crt/internal/signer/DefaultAwsCrtV4aHttpSigner.java
@@ -228,7 +228,7 @@ private static SignedRequest doSign(SignRequest<? extends AwsCredentialsIdentity

HttpRequest crtRequest = toRequest(sanitizedRequest, request.payload().orElse(null));

V4aContext v4aContext = sign(sanitizedRequest, crtRequest, signingConfig);
V4aContext v4aContext = sign(requestBuilder.build(), crtRequest, signingConfig);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we do

        SdkHttpRequest.Builder requestBuilder = request.request().toBuilder();

        payloadSigner.beforeSigning(requestBuilder, request.payload().orElse(null), signingConfig.getSignedBodyValue());

        // The requestBuilder changes should be done now.
       SdkHttpRequest requestToSign = requestBuilder.build();

        SdkHttpRequest sanitizedRequest = sanitizeRequest(requestToSign);

        HttpRequest crtRequest = toRequest(sanitizedRequest, request.payload().orElse(null));

        V4aContext v4aContext = sign(requestToSign, crtRequest, signingConfig);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And I know we have the MultiRegionAccessPointEndpointResolutionTest test, but is worth adding a unit test to this module.

...mazon/awssdk/services/s3/internal/resource/MultiRegionAccessPointEndpointResolutionTest.java
@@ -40,11 +40,6 @@
public class MultiRegionAccessPointEndpointResolutionTest {

private final static String MULTI_REGION_ARN = "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap";
// TODO(sra-identity-and-auth): The forward slash of the URL below was added to account for the signer behavior that
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you didn't call it out, but I assume you tested this with useSraAuth=true

@sonarcloud
Copy link

sonarcloud bot commented Oct 4, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug C 9 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot E 2 Security Hotspots
Code Smell A 481 Code Smells

85.5% 85.5% Coverage
4.2% 4.2% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@haydenbaker haydenbaker marked this pull request as ready for review October 4, 2023 19:50
@haydenbaker haydenbaker requested a review from a team as a code owner October 4, 2023 19:50
@haydenbaker haydenbaker merged commit 669e269 into feature/master/sra-identity-auth Oct 4, 2023
6 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gosar gosar gosar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@haydenbaker @gosar