private/signer/v4: Resign requests which are too old
Requests that are delayed before being sent, or are retried so many times
that the date the request was originally signed with is past the maximum
age a signature can have, need to be re-signed. This prevents a request
that is retried many times and is finally sent from being rejected
because its signature has expired.

Fix aws#486
jasdel committed Apr 14, 2016
1 parent 573ef8e commit 354bbed
Showing 2 changed files with 27 additions and 2 deletions.
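--- a/private/signer/v4/v4.go
+++ b/private/signer/v4/v4.go
@@ -153,6 +153,7 @@ func Sign(req *request.Request) {
 }
 
 req.Error = s.sign()
+req.Time = s.Time
 req.SignedHeaderVals = s.signedHeaderVals
 }
 
@@ -162,11 +163,12 @@ func (v4 *signer) sign() error {
 }
 
 if v4.isRequestSigned() {
-if !v4.Credentials.IsExpired() {
+if !v4.Credentials.IsExpired() && time.Now().Before(v4.Time.Add(10*time.Minute)) {
 // If the request is already signed, and the credentials have not
-// expired yet ignore the signing request.
+// expired, and the request is not too old ignore the signing request.
 return nil
 }
+v4.Time = time.Now()
 
 // The credentials have expired for this request. The current signing
 // is invalid, and needs to be request because the request will fail.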
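Review bot: The `10*time.Minute` cutoff in the new `sign()` condition is a bare literal with no stated relation to the window in which the service still accepts a signature, so a reader cannot tell how much safety margin it is meant to leave. I would name it and record the intent, e.g. `const maxSignatureAge = 10 * time.Minute // re-sign before the service would reject the signature as expired`. The comment that follows the new `v4.Time = time.Now()` still says only that the credentials have expired, although this path is now also taken when the signature is too old; it could read `// The credentials have expired or the signature is too old, so the request must be re-signed.` The body of `sign()` continues past the end of the hunk, so anything the re-sign path does afterwards is not visible here.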
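--- a/private/signer/v4/v4_test.go
+++ b/private/signer/v4/v4_test.go
@@ -267,6 +267,29 @@ func TestPreResignRequestExpiredCreds(t *testing.T) {
 assert.NotContains(t, signedHeaders, "x-amz-signedHeaders")
 }
 
+func TestResignRequestExpiredRequest(t *testing.T) {
+creds := credentials.NewStaticCredentials("AKID", "SECRET", "SESSION")
+svc := awstesting.NewClient(&aws.Config{Credentials: creds})
+r := svc.NewRequest(
+&request.Operation{
+Name: "BatchGetItem",
+HTTPMethod: "POST",
+HTTPPath: "/",
+},
+nil,
+nil,
+)
+
+Sign(r)
+querySig := r.HTTPRequest.Header.Get("Authorization")
+
+// Simulate the request occured 15 minutes in the past
+r.Time = r.Time.Add(-15 * time.Minute)
+
+Sign(r)
+assert.NotEqual(t, querySig, r.HTTPRequest.Header.Get("Authorization"))
+}
+
 func BenchmarkPresignRequest(b *testing.B) {
 signer := buildSigner("dynamodb", "us-east-1", time.Now(), 300*time.Second, "{}")
 for i := 0; i < b.N; i++ {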
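Review bot: The `assert.NotEqual` on the `Authorization` header in `TestResignRequestExpiredRequest` may be timing-dependent: if the signing timestamp has one-second resolution and both `Sign(r)` calls fall within the same second, the re-signed header could come out identical to the first one even though re-signing took place. Asserting on the refreshed signing time would pin the behaviour directly, for example `assert.NoError(t, r.Error)` and `assert.True(t, time.Since(r.Time) < time.Minute)` after the second `Sign(r)`. A companion case with a request only a few minutes old, expecting the header to stay unchanged, would cover the other side of the 10-minute threshold.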
