Skip to content

Commit

Permalink
feat: sraauth
Browse files Browse the repository at this point in the history
  • Loading branch information
lucix-aws committed Nov 9, 2023
1 parent 3db3b14 commit d0b37b2
Show file tree
Hide file tree
Showing 16,391 changed files with 373,627 additions and 1,983,586 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
14 changes: 13 additions & 1 deletion aws/middleware/metadata.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,9 @@ func GetServiceID(ctx context.Context) (v string) {
//
// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
// to clear all stack values.
//
// Deprecated: This value is unstable. The resolved signing name is available
// in the signer properties object passed to the signer.
func GetSigningName(ctx context.Context) (v string) {
v, _ = middleware.GetStackValue(ctx, signingNameKey{}).(string)
return v
Expand All @@ -74,6 +77,9 @@ func GetSigningName(ctx context.Context) (v string) {
//
// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
// to clear all stack values.
//
// Deprecated: This value is unstable. The resolved signing region is available
// in the signer properties object passed to the signer.
func GetSigningRegion(ctx context.Context) (v string) {
v, _ = middleware.GetStackValue(ctx, signingRegionKey{}).(string)
return v
Expand Down Expand Up @@ -125,10 +131,13 @@ func SetRequiresLegacyEndpoints(ctx context.Context, value bool) context.Context
return middleware.WithStackValue(ctx, requiresLegacyEndpointsKey{}, value)
}

// SetSigningName set or modifies the signing name on the context.
// SetSigningName set or modifies the sigv4 or sigv4a signing name on the context.
//
// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
// to clear all stack values.
//
// Deprecated: This value is unstable. Use WithSigV4SigningName client option
// funcs instead.
func SetSigningName(ctx context.Context, value string) context.Context {
return middleware.WithStackValue(ctx, signingNameKey{}, value)
}
Expand All @@ -137,6 +146,9 @@ func SetSigningName(ctx context.Context, value string) context.Context {
//
// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
// to clear all stack values.
//
// Deprecated: This value is unstable. Use WithSigV4SigningRegion client option
// funcs instead.
func SetSigningRegion(ctx context.Context, value string) context.Context {
return middleware.WithStackValue(ctx, signingRegionKey{}, value)
}
Expand Down
95 changes: 41 additions & 54 deletions aws/signer/v4/middleware.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ func (e *SigningError) Unwrap() error {
// S3 PutObject API allows unsigned payload signing auth usage when TLS is enabled, and uses this middleware to
// dynamically switch between unsigned and signed payload based on TLS state for request.
func UseDynamicPayloadSigningMiddleware(stack *middleware.Stack) error {
_, err := stack.Build.Swap(computePayloadHashMiddlewareID, &dynamicPayloadSigningMiddleware{})
_, err := stack.Finalize.Swap(computePayloadHashMiddlewareID, &dynamicPayloadSigningMiddleware{})
return err
}

Expand All @@ -71,24 +71,22 @@ func (m *dynamicPayloadSigningMiddleware) ID() string {
return computePayloadHashMiddlewareID
}

// HandleBuild sets a resolver that directs to the payload sha256 compute handler.
func (m *dynamicPayloadSigningMiddleware) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
// HandleFinalize delegates SHA256 computation according to whether the request
// is TLS-enabled.
func (m *dynamicPayloadSigningMiddleware) HandleFinalize(
ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
}

// if TLS is enabled, use unsigned payload when supported
if req.IsHTTPS() {
return (&unsignedPayload{}).HandleBuild(ctx, in, next)
return (&unsignedPayload{}).HandleFinalize(ctx, in, next)
}

// else fall back to signed payload
return (&computePayloadSHA256{}).HandleBuild(ctx, in, next)
return (&computePayloadSHA256{}).HandleFinalize(ctx, in, next)
}

// unsignedPayload sets the SigV4 request payload hash to unsigned.
Expand All @@ -104,31 +102,24 @@ type unsignedPayload struct{}
// AddUnsignedPayloadMiddleware adds unsignedPayload to the operation
// middleware stack
func AddUnsignedPayloadMiddleware(stack *middleware.Stack) error {
return stack.Build.Add(&unsignedPayload{}, middleware.After)
return stack.Finalize.Insert(&unsignedPayload{}, "ResolveEndpointV2", middleware.After)
}

// ID returns the unsignedPayload identifier
func (m *unsignedPayload) ID() string {
return computePayloadHashMiddlewareID
}

// HandleBuild sets the payload hash to be an unsigned payload
func (m *unsignedPayload) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
// HandleFinalize sets the payload hash magic value to the unsigned sentinel.
func (m *unsignedPayload) HandleFinalize(
ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
// This should not compute the content SHA256 if the value is already
// known. (e.g. application pre-computed SHA256 before making API call).
// Does not have any tight coupling to the X-Amz-Content-Sha256 header, if
// that header is provided a middleware must translate it into the context.
contentSHA := GetPayloadHash(ctx)
if len(contentSHA) == 0 {
contentSHA = v4Internal.UnsignedPayload
if GetPayloadHash(ctx) == "" {
ctx = SetPayloadHash(ctx, v4Internal.UnsignedPayload)
}

ctx = SetPayloadHash(ctx, contentSHA)
return next.HandleBuild(ctx, in)
return next.HandleFinalize(ctx, in)
}

// computePayloadSHA256 computes SHA256 payload hash to sign.
Expand All @@ -144,13 +135,13 @@ type computePayloadSHA256 struct{}
// AddComputePayloadSHA256Middleware adds computePayloadSHA256 to the
// operation middleware stack
func AddComputePayloadSHA256Middleware(stack *middleware.Stack) error {
return stack.Build.Add(&computePayloadSHA256{}, middleware.After)
return stack.Finalize.Insert(&computePayloadSHA256{}, "ResolveEndpointV2", middleware.After)
}

// RemoveComputePayloadSHA256Middleware removes computePayloadSHA256 from the
// operation middleware stack
func RemoveComputePayloadSHA256Middleware(stack *middleware.Stack) error {
_, err := stack.Build.Remove(computePayloadHashMiddlewareID)
_, err := stack.Finalize.Remove(computePayloadHashMiddlewareID)
return err
}

Expand All @@ -159,27 +150,24 @@ func (m *computePayloadSHA256) ID() string {
return computePayloadHashMiddlewareID
}

// HandleBuild compute the payload hash for the request payload
func (m *computePayloadSHA256) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
// HandleFinalize computes the payload hash for the request, storing it to the
// context. This is a no-op if a caller has previously set that value.
func (m *computePayloadSHA256) HandleFinalize(
ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
if GetPayloadHash(ctx) != "" {
return next.HandleFinalize(ctx, in)
}

req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, &HashComputationError{
Err: fmt.Errorf("unexpected request middleware type %T", in.Request),
}
}

// This should not compute the content SHA256 if the value is already
// known. (e.g. application pre-computed SHA256 before making API call)
// Does not have any tight coupling to the X-Amz-Content-Sha256 header, if
// that header is provided a middleware must translate it into the context.
if contentSHA := GetPayloadHash(ctx); len(contentSHA) != 0 {
return next.HandleBuild(ctx, in)
}

hash := sha256.New()
if stream := req.GetStream(); stream != nil {
_, err = io.Copy(hash, stream)
Expand All @@ -198,7 +186,7 @@ func (m *computePayloadSHA256) HandleBuild(

ctx = SetPayloadHash(ctx, hex.EncodeToString(hash.Sum(nil)))

return next.HandleBuild(ctx, in)
return next.HandleFinalize(ctx, in)
}

// SwapComputePayloadSHA256ForUnsignedPayloadMiddleware replaces the
Expand All @@ -207,7 +195,7 @@ func (m *computePayloadSHA256) HandleBuild(
// Use this to disable computing the Payload SHA256 checksum and instead use
// UNSIGNED-PAYLOAD for the SHA256 value.
func SwapComputePayloadSHA256ForUnsignedPayloadMiddleware(stack *middleware.Stack) error {
_, err := stack.Build.Swap(computePayloadHashMiddlewareID, &unsignedPayload{})
_, err := stack.Finalize.Swap(computePayloadHashMiddlewareID, &unsignedPayload{})
return err
}

Expand All @@ -218,13 +206,13 @@ type contentSHA256Header struct{}
// AddContentSHA256HeaderMiddleware adds ContentSHA256Header to the
// operation middleware stack
func AddContentSHA256HeaderMiddleware(stack *middleware.Stack) error {
return stack.Build.Insert(&contentSHA256Header{}, computePayloadHashMiddlewareID, middleware.After)
return stack.Finalize.Insert(&contentSHA256Header{}, computePayloadHashMiddlewareID, middleware.After)
}

// RemoveContentSHA256HeaderMiddleware removes contentSHA256Header middleware
// from the operation middleware stack
func RemoveContentSHA256HeaderMiddleware(stack *middleware.Stack) error {
_, err := stack.Build.Remove((*contentSHA256Header)(nil).ID())
_, err := stack.Finalize.Remove((*contentSHA256Header)(nil).ID())
return err
}

Expand All @@ -233,21 +221,20 @@ func (m *contentSHA256Header) ID() string {
return "SigV4ContentSHA256Header"
}

// HandleBuild sets the X-Amz-Content-Sha256 header value to the Payload hash
// HandleFinalize sets the X-Amz-Content-Sha256 header value to the Payload hash
// stored in the context.
func (m *contentSHA256Header) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
func (m *contentSHA256Header) HandleFinalize(
ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, &HashComputationError{Err: fmt.Errorf("unexpected request middleware type %T", in.Request)}
}

req.Header.Set(v4Internal.ContentSHAKey, GetPayloadHash(ctx))

return next.HandleBuild(ctx, in)
return next.HandleFinalize(ctx, in)
}

// SignHTTPRequestMiddlewareOptions is the configuration options for the SignHTTPRequestMiddleware middleware.
Expand Down Expand Up @@ -332,17 +319,17 @@ type streamingEventsPayload struct{}

// AddStreamingEventsPayload adds the streamingEventsPayload middleware to the stack.
func AddStreamingEventsPayload(stack *middleware.Stack) error {
return stack.Build.Add(&streamingEventsPayload{}, middleware.After)
return stack.Finalize.Add(&streamingEventsPayload{}, middleware.After)
}

func (s *streamingEventsPayload) ID() string {
return computePayloadHashMiddlewareID
}

func (s *streamingEventsPayload) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
func (s *streamingEventsPayload) HandleFinalize(
ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
contentSHA := GetPayloadHash(ctx)
if len(contentSHA) == 0 {
Expand All @@ -351,7 +338,7 @@ func (s *streamingEventsPayload) HandleBuild(

ctx = SetPayloadHash(ctx, contentSHA)

return next.HandleBuild(ctx, in)
return next.HandleFinalize(ctx, in)
}

// GetSignedRequestSignature attempts to extract the signature of the request.
Expand Down
Loading

0 comments on commit d0b37b2

Please sign in to comment.