Fix header updates in payload signer, http fallback to signed

haydenbaker · haydenbaker · commit 1083bbb470d4 · 2023-09-27T13:51:21.000-07:00
diff --git a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/AwsChunkedV4PayloadSigner.java b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/AwsChunkedV4PayloadSigner.java
@@ -26,6 +26,7 @@
 
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import org.reactivestreams.Publisher;
@@ -54,6 +55,7 @@ public final class AwsChunkedV4PayloadSigner implements V4PayloadSigner {
     private final CredentialScope credentialScope;
     private final int chunkSize;
     private final ChecksumAlgorithm checksumAlgorithm;
+    private final List<Pair<String, List<String>>> preExistingTrailers = new ArrayList<>();
 
     private AwsChunkedV4PayloadSigner(Builder builder) {
         this.credentialScope = Validate.paramNotNull(builder.credentialScope, "CredentialScope");
@@ -68,7 +70,6 @@ public static Builder builder() {
     @Override
     public ContentStreamProvider sign(ContentStreamProvider payload, V4Context v4Context) {
         SdkHttpRequest.Builder request = v4Context.getSignedRequest();
-        moveContentLength(request);
 
         String checksum = request.firstMatchingHeader(X_AMZ_CONTENT_SHA256).orElseThrow(
             () -> new IllegalArgumentException(X_AMZ_CONTENT_SHA256 + " must be set!")
@@ -79,7 +80,8 @@ public ContentStreamProvider sign(ContentStreamProvider payload, V4Context v4Con
             .inputStream(payload.newStream())
             .chunkSize(chunkSize)
             .header(chunk -> Integer.toHexString(chunk.length).getBytes(StandardCharsets.UTF_8));
-        setupPreExistingTrailers(chunkedEncodedInputStreamBuilder, request);
+
+        preExistingTrailers.forEach(trailer -> chunkedEncodedInputStreamBuilder.addTrailer(() -> trailer));
 
         switch (checksum) {
             case STREAMING_SIGNED_PAYLOAD: {
@@ -88,12 +90,12 @@ public ContentStreamProvider sign(ContentStreamProvider payload, V4Context v4Con
                 break;
             }
             case STREAMING_UNSIGNED_PAYLOAD_TRAILER:
-                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder, request);
+                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder);
                 break;
             case STREAMING_SIGNED_PAYLOAD_TRAILER: {
                 RollingSigner rollingSigner = new RollingSigner(v4Context.getSigningKey(), v4Context.getSignature());
                 chunkedEncodedInputStreamBuilder.addExtension(new SigV4ChunkExtensionProvider(rollingSigner, credentialScope));
-                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder, request);
+                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder);
                 chunkedEncodedInputStreamBuilder.addTrailer(
                     new SigV4TrailerProvider(chunkedEncodedInputStreamBuilder.trailers(), rollingSigner, credentialScope)
                 );
@@ -111,49 +113,55 @@ public Publisher<ByteBuffer> signAsync(Publisher<ByteBuffer> payload, V4Context
         throw new UnsupportedOperationException();
     }
 
+    @Override
+    public void beforeSigning(SdkHttpRequest.Builder request) {
+        moveContentLength(request);
+        setupPreExistingTrailers(request);
+
+        if (checksumAlgorithm != null) {
+            String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
+            request.appendHeader(X_AMZ_TRAILER, checksumHeaderName);
+        }
+    }
+
+    /**
+     * Set up a map of pre-existing trailer (headers) for the given request to be used when chunk-encoding the payload.
+     * <p>
+     * However, we need to validate that these are valid trailers. Since aws-chunked encoding adds the checksum as a trailer, it
+     * isn't part of the request headers, but other trailers MUST be present in the request-headers.
+     */
+    private void setupPreExistingTrailers(SdkHttpRequest.Builder request) {
+        for (String header : request.matchingHeaders(X_AMZ_TRAILER)) {
+            List<String> values = request.matchingHeaders(header);
+            if (values.isEmpty()) {
+                throw new IllegalArgumentException(header + " must be present in the request headers to be a valid trailer.");
+            }
+            preExistingTrailers.add(Pair.of(header, values));
+            request.removeHeader(header);
+        }
+    }
+
     /**
-     * Add the checksum as a chunk-trailer and add it to the request's trailer header.
+     * Add the checksum as a trailer to the chunk-encoded stream.
      * <p>
-     * The checksum-algorithm MUST be set if this is called, otherwise it will throw.
+     * If the checksum-algorithm is not present, then nothing is done.
      */
-    private void setupChecksumTrailerIfNeeded(ChunkedEncodedInputStream.Builder builder, SdkHttpRequest.Builder request) {
+    private void setupChecksumTrailerIfNeeded(ChunkedEncodedInputStream.Builder builder) {
         if (checksumAlgorithm == null) {
             return;
         }
+        String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
         SdkChecksum sdkChecksum = fromChecksumAlgorithm(checksumAlgorithm);
         ChecksumInputStream checksumInputStream = new ChecksumInputStream(
             builder.inputStream(),
             Collections.singleton(sdkChecksum)
         );
-        String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
 
         TrailerProvider checksumTrailer = new ChecksumTrailerProvider(sdkChecksum, checksumHeaderName);
 
-        request.appendHeader(X_AMZ_TRAILER, checksumHeaderName);
         builder.inputStream(checksumInputStream).addTrailer(checksumTrailer);
     }
 
-    /**
-     * Create chunk-trailers for each pre-existing trailer given in the request.
-     * <p>
-     * However, we need to validate that these are valid trailers. Since aws-chunked encoding adds the checksum as a trailer, it
-     * isn't part of the request headers, but other trailers MUST be present in the request-headers.
-     */
-    private void setupPreExistingTrailers(ChunkedEncodedInputStream.Builder builder, SdkHttpRequest.Builder request) {
-        List<String> trailerHeaders = request.matchingHeaders(X_AMZ_TRAILER);
-
-        for (String header : trailerHeaders) {
-            List<String> values = request.matchingHeaders(header);
-            if (values.isEmpty()) {
-                throw new IllegalArgumentException(header + " must be present in the request headers to be a valid trailer.");
-            }
-
-            // Add the trailer to the aws-chunked stream-builder, and remove it from the request headers
-            builder.addTrailer(() -> Pair.of(header, values));
-            request.removeHeader(header);
-        }
-    }
-
     static class Builder {
         private CredentialScope credentialScope;
         private Integer chunkSize;
diff --git a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.java b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.java
@@ -100,7 +100,7 @@ private static V4RequestSigner v4RequestSigner(
     }
 
     private static Checksummer checksummer(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request) {
-        boolean isPayloadSigning = request.requireProperty(PAYLOAD_SIGNING_ENABLED, true);
+        boolean isPayloadSigning = isPayloadSigning(request);
         boolean isEventStreaming = isEventStreaming(request.request());
         boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
         boolean isTrailing = request.request().firstMatchingHeader(X_AMZ_TRAILER).isPresent();
@@ -142,7 +142,7 @@ private static V4PayloadSigner v4PayloadSigner(
         BaseSignRequest<?, ? extends AwsCredentialsIdentity> request,
         V4Properties properties) {
 
-        boolean isPayloadSigning = request.requireProperty(PAYLOAD_SIGNING_ENABLED, true);
+        boolean isPayloadSigning = isPayloadSigning(request);
         boolean isEventStreaming = isEventStreaming(request.request());
         boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
 
@@ -183,6 +183,8 @@ private static SignedRequest doSign(SignRequest<? extends AwsCredentialsIdentity
 
         checksummer.checksum(request.payload().orElse(null), requestBuilder);
 
+        payloadSigner.beforeSigning(requestBuilder);
+
         V4Context v4Context = requestSigner.sign(requestBuilder);
 
         ContentStreamProvider payload = payloadSigner.sign(request.payload().orElse(null), v4Context);
@@ -231,6 +233,10 @@ private static Duration validateExpirationDuration(Duration expirationDuration)
         return expirationDuration;
     }
 
+    private static boolean isPayloadSigning(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request) {
+        return request.requireProperty(PAYLOAD_SIGNING_ENABLED, true) || !"https".equals(request.request().protocol());
+    }
+
     private static boolean isEventStreaming(SdkHttpRequest request) {
         return "application/vnd.amazon.eventstream".equals(request.firstMatchingHeader(Header.CONTENT_TYPE).orElse(""));
     }
diff --git a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4PayloadSigner.java b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/V4PayloadSigner.java
@@ -19,6 +19,7 @@
 import org.reactivestreams.Publisher;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.http.ContentStreamProvider;
+import software.amazon.awssdk.http.SdkHttpRequest;
 
 /**
  * An interface for defining how to sign a payload via SigV4.
@@ -41,4 +42,10 @@ static V4PayloadSigner create() {
      * Given a payload and v4-context, sign the payload via the SigV4 process.
      */
     Publisher<ByteBuffer> signAsync(Publisher<ByteBuffer> payload, V4Context v4Context);
+
+    /**
+     * Modify a request before it is signed, such as changing headers or query-parameters.
+     */
+    default void beforeSigning(SdkHttpRequest.Builder request) {
+    }
 }
diff --git a/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/TestUtils.java b/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/TestUtils.java
@@ -21,6 +21,10 @@
 import software.amazon.awssdk.utils.async.SimplePublisher;
 
 public final class TestUtils {
+
+    private TestUtils() {
+    }
+
     // Helpers for generating test requests
     public static <T extends AwsCredentialsIdentity> SignRequest<T> generateBasicRequest(
         T credentials,
@@ -33,7 +37,7 @@ public static <T extends AwsCredentialsIdentity> SignRequest<T> generateBasicReq
                                                      .putHeader("Host", "demo.us-east-1.amazonaws.com")
                                                      .putHeader("x-amz-archive-description", "test  test")
                                                      .encodedPath("/")
-                                                     .uri(URI.create("http://demo.us-east-1.amazonaws.com"))
+                                                     .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
                                                      .build()
                                                      .copy(requestOverrides))
                           .payload(() -> new ByteArrayInputStream("{\"TableName\": \"foo\"}".getBytes()))
@@ -57,11 +61,12 @@ public static <T extends AwsCredentialsIdentity> AsyncSignRequest<T> generateBas
 
         return AsyncSignRequest.builder(credentials)
                                .request(SdkHttpRequest.builder()
+                                                      .protocol("https")
                                                       .method(SdkHttpMethod.POST)
                                                       .putHeader("Host", "demo.us-east-1.amazonaws.com")
                                                       .putHeader("x-amz-archive-description", "test  test")
                                                       .encodedPath("/")
-                                                      .uri(URI.create("http://demo.us-east-1.amazonaws.com"))
+                                                      .uri(URI.create("https://demo.us-east-1.amazonaws.com"))
                                                       .build()
                                                       .copy(requestOverrides))
                                .payload(publisher)
diff --git a/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/AwsChunkedV4PayloadSignerTest.java b/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/AwsChunkedV4PayloadSignerTest.java
@@ -89,6 +89,7 @@ public void sign_withSignedPayload_shouldChunkEncodeWithSigV4Ext() throws IOExce
                                                                     .chunkSize(chunkSize)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
@@ -131,6 +132,7 @@ public void sign_withSignedPayloadAndChecksum_shouldChunkEncodeWithSigV4ExtAndSi
                                                                     .checksumAlgorithm(CRC32)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
@@ -173,6 +175,7 @@ public void sign_withChecksum_shouldChunkEncodeWithChecksumTrailer() throws IOEx
                                                                     .checksumAlgorithm(SHA256)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
@@ -222,6 +225,7 @@ public void sign_withPreExistingTrailers_shouldChunkEncodeWithExistingTrailers()
                                                                     .chunkSize(chunkSize)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
@@ -275,6 +279,7 @@ public void sign_withPreExistingTrailersAndChecksum_shouldChunkEncodeWithTrailer
                                                                     .checksumAlgorithm(CRC32)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
@@ -330,6 +335,7 @@ public void sign_withPreExistingTrailersAndChecksumAndSignedPayload_shouldAwsChu
                                                                     .checksumAlgorithm(CRC32)
                                                                     .build();
 
+        signer.beforeSigning(requestBuilder);
         ContentStreamProvider signedPayload = signer.sign(payload, v4Context);
 
         assertThat(requestBuilder.firstMatchingHeader(Header.CONTENT_LENGTH)).isNotPresent();
diff --git a/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSignerTest.java b/core/http-auth-aws/src/test/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSignerTest.java
@@ -26,6 +26,7 @@
 import static software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner.EXPIRATION_DURATION;
 import static software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner.PAYLOAD_SIGNING_ENABLED;
 
+import java.net.URI;
 import java.time.Duration;
 import org.junit.jupiter.api.Test;
 import org.mockito.MockedStatic;
@@ -291,4 +292,19 @@ public void sign_WithEventStreamContentTypeAndUnsignedPayload_Throws() {
 
         assertThrows(UnsupportedOperationException.class, () -> signer.signAsync(request));
     }
+
+    @Test
+    public void sign_WithPayloadSigningFalseAndHttp_FallsBackToPayloadSigning() {
+        SignRequest<? extends AwsCredentialsIdentity> request = generateBasicRequest(
+            AwsCredentialsIdentity.create("access", "secret"),
+            httpRequest -> httpRequest.uri(URI.create("http://demo.us-east-1.amazonaws.com")),
+            signRequest -> signRequest
+                .putProperty(PAYLOAD_SIGNING_ENABLED, false)
+        );
+
+        SignedRequest signedRequest = signer.sign(request);
+
+        assertThat(signedRequest.request().firstMatchingHeader("x-amz-content-sha256"))
+            .hasValue("a15c8292b1d12abbbbe4148605f7872fbdf645618fee5ab0e8072a7b34f155e2");
+    }
 }
