feat: add toggle to SigV4AuthScheme to turn off body signing #1822
Conversation
| s3Config.authSchemes = [SigV4AuthScheme(requestUnsignedBody: true)] | ||
| } | ||
|
|
||
| func testS3PresignedRequest() async throws { |
| @@ -0,0 +1,45 @@ | |||
| // | |||
There was a problem hiding this comment.
Please add:
- One more test case that has payload over the chunked threshold
- An interceptor that asserts that:
Authorizationheader isn't present as expectedx-amz-content-sha256header values match expected values (UNSIGNED-PAYLOADfor single chunk request, andSTREAMING-UNSIGNED-PAYLOAD-TRAILERfor aws chunked request)
There was a problem hiding this comment.
I believe Authorization header is still expected to be there. We are still signing the request just not the body. Will do the rest
|
|
||
| func testS3ToggleUnsignedRequestStreaming() async throws { | ||
| let key = "test-streaming.txt" | ||
| let data = Data((0..<(1024 * 1024)).map { _ in UInt8.random(in: UInt8.min...UInt8.max) }) |
There was a problem hiding this comment.
We also create a data of specified length filled with randomness in S3ConcurrentTests, probably elsewhere like the chunked streaming tests as well.
Perhaps we should extract the logic to do that to a helper function so it may be reused?
There was a problem hiding this comment.
Sure I can move this out
| @@ -69,6 +74,11 @@ public struct SigV4AuthScheme: AuthScheme { | |||
| value: context.isChunkedEligibleStream | |||
| ) | |||
|
|
|||
| // Optionally toggle unsigned body | |||
| if self.requestUnsignedBody == true { | |||
There was a problem hiding this comment.
assume the explicit == true is because self.requestUnsignedBody may be nil as well as false?
| .withUnsignedPayloadTrait(value: false) | ||
| .build() | ||
| let updatedProperties = try customSigV4AuthScheme.customizeSigningProperties(signingProperties: Attributes(), context: context) | ||
| XCTAssertTrue(try XCTUnwrap(updatedProperties.get(key: SigningPropertyKeys.requestUnsignedBody))) |
There was a problem hiding this comment.
Maybe break the XCTUnwrap & XCAssert into two lines for clarity
There was a problem hiding this comment.
Was following other tests format -- if we think its more clear to separate we should go through and change all the tests effected though I personally dont have any issue with this style
| @@ -15,9 +15,14 @@ import struct Smithy.Attributes | |||
| public struct SigV4AuthScheme: AuthScheme { | |||
| public let schemeID: String = "aws.auth#sigv4" | |||
| public let signer: Signer = AWSSigV4Signer() | |||
| public var requestUnsignedBody: Bool? | |||
There was a problem hiding this comment.
The possible values for Bool? are true, false, and nil.
true means unsigned body is requested.
nil means unsigned body was not specified in the auth scheme resolver.
So what is false? I can certainly create a auth scheme resolver with requestUnsignedBody: false. Would that ever be used? Is it undefined? (If it doesn't, we should consider a different data type than Bool? for this setting.)
| @@ -18,38 +18,27 @@ final class S3ConcurrentTests: S3XCTestCase { | |||
| // Payload just below chunked threshold | |||
| // Tests concurrent upload of simple data payloads | |||
| func test_10x_1MB_getObject() async throws { | |||
| fileData = try generateDummyTextData(count: CHUNKED_THRESHOLD - 1) | |||
| fileData = S3ConcurrentTests.generateRandomTextData(ofSizeInMB: 1) | |||
There was a problem hiding this comment.
There is a folder IntegrationTests/AWSIntegrationTestUtils where I think this method belongs
| try await repeatConcurrentlyWithArgs(count: 10, test: getObject, args: fileData!) | ||
| } | ||
|
|
||
| // Payload 256 bytes with 200 concurrent requests, sends as simple data | ||
| // Tests very high concurrency with small data payloads | ||
| func test_200x_256B_getObject() async throws { | ||
| fileData = try generateDummyTextData(count: 256) | ||
| let bytes_256 = Double(256) / (1024 * 1024) |
There was a problem hiding this comment.
Any Swift literal with a decimal point is a Double. So you can just use 256.0 or 256. instead of the Double initializer.
| @@ -116,4 +116,12 @@ class S3XCTestCase: XCTestCase { | |||
| let input = DeleteBucketInput(bucket: bucketName) | |||
| _ = try await client.deleteBucket(input: input) | |||
| } | |||
|
|
|||
| static func generateRandomTextData(ofSizeInMB megabytes: Double) -> Data { | |||
There was a problem hiding this comment.
This method should take a precise integer number of bytes.
I'm okay with it if we have a convenience form that takes a Double number of MB then converts that to bytes.
Also, as mentioned above, let's move this to integration test utils.
Issue #
SWIFT-1849, PR: smithy-lang/smithy-swift#857
Description of changes
requestUnsignedBody. Note this wont effect middlewares or anything else on purpose until we go to actually signx-amz-content-sha256toUNSIGNED-PAYLOADUsage
New/existing dependencies impact assessment, if applicable
Conventional Commits
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.