Skip to content

Disable S3 payload signing. #4499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zoewangg merged 2 commits into from
Sep 28, 2023
Merged

Disable S3 payload signing. #4499

zoewangg merged 2 commits into from
Sep 28, 2023

Conversation

@millems
Copy link
Contributor

@millems millems commented Sep 28, 2023

This is currently redundant, but when useSraAuth is made true, it will ensure that payload signing remains disabled.

@millems millems requested a review from a team as a code owner September 28, 2023 18:05
gosar
gosar approved these changes Sep 28, 2023
View reviewed changes
Copy link
Contributor

@gosar gosar left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pre SRA does customer have a way to enable payload signing? Thought being, that if there's a way, maybe have a test that confirms that still works.

With SRA, I think customer can enable payload signing like this -

aws-sdk-java-v2/test/auth-tests/src/it/java/software/amazon/awssdk/sra/ia/SraIdentityAuthTest.java

Line 254 in 4df21e8

void sraS3PayloadSigningOnByDefault() {
(from branch used for surface area review), which I think should still work with this due to putAttributeIfAbsent.

@millems
Copy link
Contributor Author

millems commented Sep 28, 2023

Pre SRA does customer have a way to enable payload signing? Thought being, that if there's a way, maybe have a test that confirms that still works.

Yes, via interceptors. That's tested in the backwards-compatibility changes I pushed yesterday, but it's not actually tested with the latest changes but useSraAuth = false. Let me add a test for that...

@millems
Disable S3 payload signing.
f327eb0 
This is currently redundant, but when useSraAuth is made true, it will ensure that payload signing remains disabled.
@millems
Addressed comments
2fa682d
@millems millems force-pushed the millem/disable-s3-signing branch from 6985723 to 2fa682d Compare September 28, 2023 19:35
@gosar
Copy link
Contributor

gosar commented Sep 28, 2023

Yes, via interceptors.

yeah, I was wondering if there's another supported way (sounds like no), since the S3SignerExecutionAttribute.ENABLE_PAYLOAD_SIGNING is SdkProtectedApi. But yeah, we still want to make sure it continues to work, so the test is good.

With SRA there will be a publicly supported way via SignerProperty! We should add a test for that (non-blocking right now).

My ship it stands anyways!

@zoewangg zoewangg merged commit 9e3d3e3 into feature/master/sra-identity-auth Sep 28, 2023
@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 28, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug C 4 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot E 2 Security Hotspots
Code Smell A 473 Code Smells

84.2% 84.2% Coverage
4.0% 4.0% Duplication

idea Catch issues before they fail your Quality Gate with our IDE extension sonarlint SonarLint

@gosar gosar mentioned this pull request Dec 29, 2023
Closed
12 tasks
@millems millems deleted the millem/disable-s3-signing branch February 5, 2024 20:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gosar gosar gosar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@millems @gosar @zoewangg