Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option for :whitelist_headers in V4 signer #1228

Closed
wants to merge 4 commits into from
Closed

Add option for :whitelist_headers in V4 signer #1228

wants to merge 4 commits into from

Conversation

cjyclaire
Copy link
Contributor

@cjyclaire cjyclaire commented Jun 27, 2016
edited
Loading

Feature request
Issue related: #1051

cc:\ @awood45 @trevorrowe

@toaster toaster mentioned this pull request Jul 8, 2016
Closed
awood45
awood45 reviewed Jul 8, 2016
View reviewed changes
aws-sdk-core/lib/aws-sdk-core/signers/v4.rb
@service_name = service_name
@credentials = credentials.credentials
@region = EndpointProvider.signing_region(region, service_name)
if whitelist_headers.any? && (BLACKLIST_HEADERS & whitelist_headers).any?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be missing something, but why not just remove this whole block and use:

@blacklist = BLACKLIST_HEADERS - whitelist_headers

You already set whitelist headers to be an array by default, so once we get to this point, I'm not sure the if-else block is doing anything.

Copy link
Contributor Author

@cjyclaire cjyclaire Jul 12, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's true, I was thinking checking the intersection of the 2 arrays before getting the result. It seems redundant, I'll remove that.

@awood45
Copy link
Member

awood45 commented Jul 8, 2016

The inner implementation appears to be reasonable, but how would an end user use this? I don't believe we have users creating signer classes directly, so we would need to wire this up to configuration in some way.

@awood45
Copy link
Member

awood45 commented Jul 12, 2016

Some other notes after a deeper dive:

  • In the Aws::Signers::V4 class, this will need to work in the sign method, and the whitelisted headers will have to plumb down to the signed_headers method.
  • This does not necessarily involve the instantiation of a new signer instance, in fact, it usually does not.
  • You may be changing how the internal interface works, so after we get this done we may want to look at if this is a minor version bump.

@cjyclaire
Copy link
Contributor Author

This PR is updated and ready for another review.
@trevorrowe , @awood45

@trevorrowe
Copy link
Member

I've done a quick review of this. I think we should discuss the method in which white-listed headers are provided. I'm of the opinion that this should not be done as client configuration options. Given the client will never consume these options, they increase the surface area of a client just to act as a convenient bag for grouping options. I suspect this was suggested because a Client instance is passed to the pre-signer. Retrospectively, the Aws::S3::Presigner should not have ever accepted a client instance. Instead it should have accepted a credential provider and a region. We can not change that interface now, but we can deprecate it. Lets do a more in-depth review in person and we can update the pull-request.

@cjyclaire cjyclaire force-pushed the feature/v4-signer-whitelist-header branch from 6777835 to 3ce89ff Compare August 2, 2016 20:02
@cjyclaire
Copy link
Contributor Author

This PR is updated and ready for another review @awood45 @trevorrowe

@cjyclaire cjyclaire self-assigned this Oct 13, 2016
awood45
awood45 approved these changes Feb 20, 2017
View reviewed changes
Copy link
Member

@awood45 awood45 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. We should consider adding an integration test for this to ensure it works the way we intend, for example, a test where we presign a URL, call it with the header we whitelisted set, and see that it responds successfully.

@cjyclaire
Copy link
Contributor Author

@awood45 Sounds good, make sense. I'll add that : )

@cjyclaire cjyclaire mentioned this pull request Apr 5, 2017
Closed
@cjyclaire
Copy link
Contributor Author

PR #1477 just opened includes this feature, we'll focus on that one : )
Closing, feel free to chime in and add comments in that PR : )

@cjyclaire cjyclaire closed this Apr 5, 2017
@cjyclaire cjyclaire deleted the feature/v4-signer-whitelist-header branch April 17, 2017 22:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awood45 awood45 awood45 approved these changes

Assignees

@cjyclaire cjyclaire

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cjyclaire @awood45 @trevorrowe