Update presigner so host is set and content-hash is excluded from signed-headers #4560

Merged

@haydenbaker haydenbaker commented Oct 6, 2023

Motivation and Context

  • Presigner only expects a single signed-header (host) for browser-compatible requests

Modifications

  • Update presigner request-signer so that it correctly sets host and excludes

Testing

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

@haydenbaker haydenbaker force-pushed the haydenbaker/fix-presigner-headers branch from 29a6d11 to 471e42d Compare October 6, 2023 21:15
@haydenbaker haydenbaker marked this pull request as ready for review October 9, 2023 17:35
@haydenbaker haydenbaker requested a review from a team as a code owner October 9, 2023 17:35
@haydenbaker haydenbaker force-pushed the haydenbaker/fix-presigner-headers branch from 471e42d to 121a86f Compare October 9, 2023 23:58
@haydenbaker haydenbaker force-pushed the haydenbaker/fix-presigner-headers branch from 121a86f to 5e18716 Compare October 10, 2023 00:12
sonarcloud bot commented Oct 10, 2023

SonarCloud Quality Gate failed.

  • Bugs: 9 (rating C)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 2 (rating E)
  • Code Smells: 481 (rating A)
  • Coverage: 85.2%
  • Duplication: 4.2%


addDateHeader(requestBuilder, formatDateTime(properties.getCredentialScope().getInstant()));

V4RequestSigningResult result = create(properties).sign(requestBuilder);
V4RequestSigningResult result = create(properties, getContentHash(requestBuilder)).sign(requestBuilder);
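
Review bot: In the new `create(properties, getContentHash(requestBuilder)).sign(requestBuilder)` call the payload hash is read from `requestBuilder` when the signer is constructed, yet the same builder is passed again to `sign()`, so nothing in the signature ties the two together. Suggest documenting on `create` that the hash must belong to the request later given to `sign()`, and stating what `getContentHash` yields when the builder carries no hash. The Testing section of the description is empty; a test asserting that the presigned request's signed headers are exactly `host` would pin the behaviour the title describes.
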
Contributor

thinking aloud: should the contentHash be a constructor input like properties, or input to sign()?

Contributor Author

It's easier if it's a constructor param - sign's signature would change, which is a bigger change. If we decide that x-amz-content-sha256 shouldn't be added as a header unless required (s3), then we'll likely need to refactor it as an input to request-signer and payload-signer

((AwsSessionCredentialsIdentity) properties.getCredentials()).sessionToken());
}
// We have to add the host-header here explicitly, since pre-signed request requires it in the signed-header param
addHostHeader(requestBuilder);
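
Review bot: `addHostHeader(requestBuilder)` runs unconditionally after the session-token block, and the hunk does not show what happens when the builder already carries a Host header (replaced, duplicated or kept). Since host is the one header the presigned signature covers, suggest saying in the comment or the helper's Javadoc how an existing Host value and a non-default port are handled, and covering both cases in a test.
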
Contributor

Does the v4a signer already do this for presigned case?
Does v4a signer always include x-amz-content-sha256?

Contributor Author

CRT would be the thing that manipulates headers - the signer simply delegates to it. However, the signer does configure CRT to always add the hash header, yes: signingConfig.setSignedBodyHeader(X_AMZ_CONTENT_SHA256)

Contributor

@gosar gosar left a comment

We can close on whether x-amz-content-sha256 is always added or not separately.

@haydenbaker haydenbaker merged commit a00ee8a into feature/master/sra-identity-auth Oct 10, 2023
16 of 17 checks passed
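
The signing scheme the description and review thread refer to, as an added example that is not the SDK's code: a SigV4 query-string presigner for a GET in which `host` is the only signed header and the payload hash enters the canonical request without being sent as `x-amz-content-sha256`. The class name, method names and sample values are assumptions made for illustration; session tokens are not handled.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
public class PresignSketch { // hypothetical name, not an SDK class
    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // RFC 3986 encoding as SigV4 requires (URLEncoder alone emits '+' and "%7E").
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // path must already be URI-encoded; payloadHash is used in the canonical request only.
    static String presignGet(String host, String path, String region, String service, String accessKey,
                             String secretKey, String amzDate, int expires, String payloadHash) throws Exception {
        String day = amzDate.substring(0, 8);
        String scope = day + "/" + region + "/" + service + "/aws4_request";
        Map<String, String> query = new TreeMap<>(); // sorted, as the canonical query string requires
        query.put("X-Amz-Algorithm", "AWS4-HMAC-SHA256");
        query.put("X-Amz-Credential", accessKey + "/" + scope);
        query.put("X-Amz-Date", amzDate);
        query.put("X-Amz-Expires", Integer.toString(expires));
        query.put("X-Amz-SignedHeaders", "host"); // the only signed header
        StringBuilder qs = new StringBuilder();
        for (Map.Entry<String, String> e : query.entrySet()) {
            qs.append(qs.length() == 0 ? "" : "&").append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        String canonical = "GET\n" + path + "\n" + qs + "\nhost:" + host + "\n\nhost\n" + payloadHash;
        String hashed = hex(MessageDigest.getInstance("SHA-256").digest(canonical.getBytes(StandardCharsets.UTF_8)));
        String toSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hashed;
        byte[] key = hmac(hmac(hmac(hmac(("AWS4" + secretKey).getBytes(StandardCharsets.UTF_8), day), region), service), "aws4_request");
        return "https://" + host + path + "?" + qs + "&X-Amz-Signature=" + hex(hmac(key, toSign));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real credentials or a real bucket.
        System.out.println(presignGet("examplebucket.s3.amazonaws.com", "/test.txt", "us-east-1", "s3",
                "AKIDEXAMPLE", "constructed-secret-key", "20231010T000000Z", 900, "UNSIGNED-PAYLOAD"));
    }
}
```

Because the verifier rebuilds the canonical request from what the client actually sends, any header named in `X-Amz-SignedHeaders` must arrive with the signed value; a browser following the URL supplies `Host` on its own but not a content-hash header.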