From befb45cfb4f5babef811cbdc6aa065e63fd602ca Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 13:55:44 +0900 Subject: [PATCH 01/11] aws-signing: add es and gracier for payloads special treatment Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index 157ad46aa4b3b..694a33751f4cf 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc @@ -24,8 +24,8 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { } void SignerImpl::sign(Http::RequestHeaderMap& headers) { - // S3 payloads require special treatment. - if (service_name_ == "s3") { + // S3, gracier, es payloads require special treatment. + if (service_name_ == "s3" || service_name_ == "gracier" || service_name_ == "es") { headers.setReference(SignatureHeaders::get().ContentSha256, SignatureConstants::get().UnsignedPayload); sign(headers, SignatureConstants::get().UnsignedPayload); From 2ecb848a5782b6b554a9b4a015d3a617cf9db2ab Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 14:45:02 +0900 Subject: [PATCH 02/11] add test and docs link Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 3 ++ .../extensions/common/aws/signer_impl_test.cc | 42 +++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index 694a33751f4cf..ef5cefafb5157 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc 
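Review bot: The comment `payloads require special treatment` in `SignerImpl::sign(Http::RequestHeaderMap& headers)` does not say what the treatment costs. For the listed services the request is signed with `SignatureConstants::get().UnsignedPayload` in place of a body hash, so the signature binds the headers but not the body, and body integrity towards the upstream rests on the transport alone. I would state that next to the condition, e.g. `// The body is not covered by the signature for these services; integrity of the payload relies on TLS to the upstream.` Whether the two added services accept an unsigned payload for every operation cannot be seen from this hunk and should be confirmed against their signing documentation. The same condition is carried into patches 09 and 11 as `require_content_hash_`, and the rest of the function body lies outside the hunk.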
@@ -25,6 +25,9 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { void SignerImpl::sign(Http::RequestHeaderMap& headers) { // S3, gracier, es payloads require special treatment. + // s3: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html + // es: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html + // gracier: https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html if (service_name_ == "s3" || service_name_ == "gracier" || service_name_ == "es") { headers.setReference(SignatureHeaders::get().ContentSha256, SignatureConstants::get().UnsignedPayload); diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index 2bae6a72b25e5..ac84746336b78 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc 
@@ -211,6 +211,48 @@ TEST_F(SignerImplTest, SignHeadersNonS3) { headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); } +// Verify signing headers for es +TEST_F(SignerImplTest, SignHeadersES) { + auto* credentials_provider = new NiceMock(); + EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); + Http::TestRequestHeaderMapImpl headers{}; + headers.setMethod("GET"); + headers.setPath("/"); + headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); + + SignerImpl signer("es", "region", CredentialsProviderSharedPtr{credentials_provider}, + time_system_); + signer.sign(headers); + + EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/s3/aws4_request, " + "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " + "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", + headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); + EXPECT_EQ(SignatureConstants::get().UnsignedPayload, + headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); +} + +// Verify signing headers for gracier +TEST_F(SignerImplTest, SignHeadersGracier) { + auto* credentials_provider = new NiceMock(); + EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); + Http::TestRequestHeaderMapImpl headers{}; + headers.setMethod("GET"); + headers.setPath("/"); + headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); + + SignerImpl signer("es", "region", CredentialsProviderSharedPtr{credentials_provider}, + time_system_); + signer.sign(headers); + + EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/s3/aws4_request, " + "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " + "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", + headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); + EXPECT_EQ(SignatureConstants::get().UnsignedPayload, + 
headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); +} + } // namespace } // namespace Aws } // namespace Common From 6926b4ab26a6c244be3500245d3f8d33400e1a67 Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 14:55:10 +0900 Subject: [PATCH 03/11] fix test Signed-off-by: azihsoyn --- test/extensions/common/aws/signer_impl_test.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index ac84746336b78..e4e251aadb89f 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc @@ -224,7 +224,7 @@ TEST_F(SignerImplTest, SignHeadersES) { time_system_); signer.sign(headers); - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/s3/aws4_request, " + EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/es/aws4_request, " "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); @@ -241,11 +241,11 @@ TEST_F(SignerImplTest, SignHeadersGracier) { headers.setPath("/"); headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); - SignerImpl signer("es", "region", CredentialsProviderSharedPtr{credentials_provider}, + SignerImpl signer("gracier", "region", CredentialsProviderSharedPtr{credentials_provider}, time_system_); signer.sign(headers); - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/s3/aws4_request, " + EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/gracier/aws4_request, " "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); From dce46eb3965024c5fbfe5a8f2434326b4a718e89 Mon Sep 17 00:00:00 2001 
From: azihsoyn Date: Fri, 10 Jul 2020 15:20:58 +0900 Subject: [PATCH 04/11] fix comment format Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index ef5cefafb5157..1488fc323e47d 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc @@ -25,9 +25,12 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { void SignerImpl::sign(Http::RequestHeaderMap& headers) { // S3, gracier, es payloads require special treatment. - // s3: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html - // es: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html - // gracier: https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html + // s3: + // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html + // es: + // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html + // gracier: + // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html if (service_name_ == "s3" || service_name_ == "gracier" || service_name_ == "es") { headers.setReference(SignatureHeaders::get().ContentSha256, SignatureConstants::get().UnsignedPayload); From 92a519de387f4cc4bf1be94f7aa73190809cd5ba Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 17:30:13 +0900 Subject: [PATCH 05/11] add Gracier to spelling dictionary Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 8 ++++---- test/extensions/common/aws/signer_impl_test.cc | 2 +- tools/spelling/spelling_dictionary.txt | 1 + 3 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index 1488fc323e47d..bf038635c7525 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc @@ -24,12 +24,12 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { } void SignerImpl::sign(Http::RequestHeaderMap& headers) { - // S3, gracier, es payloads require special treatment. - // s3: + // S3, Gracier, ES payloads require special treatment. + // S3: // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html - // es: + // ES: // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html - // gracier: + // Gracier: // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html if (service_name_ == "s3" || service_name_ == "gracier" || service_name_ == "es") { headers.setReference(SignatureHeaders::get().ContentSha256, diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index e4e251aadb89f..6325a8afe186f 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc @@ -232,7 +232,7 @@ TEST_F(SignerImplTest, SignHeadersES) { headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); } -// Verify signing headers for gracier +// Verify signing headers for Gracier TEST_F(SignerImplTest, SignHeadersGracier) { auto* credentials_provider = new NiceMock(); EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 4b8f9a058a249..2947fa29a111b 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -121,6 +121,7 @@ GCP GETting GLB GOAWAY +Gracier GRPC GSS GTEST 
From 45f4cf4f9b44bb2b571bb3924e33f5527b85cff9 Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 18:48:09 +0900 Subject: [PATCH 06/11] fix test Signed-off-by: azihsoyn --- test/extensions/common/aws/signer_impl_test.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index 6325a8afe186f..e31727d7b0049 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc @@ -226,7 +226,7 @@ TEST_F(SignerImplTest, SignHeadersES) { EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/es/aws4_request, " "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", + "Signature=0fd9c974bb2ad16c8d8a314dca4f6db151d32cbd04748d9c018afee2a685a02e", headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); EXPECT_EQ(SignatureConstants::get().UnsignedPayload, headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); @@ -247,7 +247,7 @@ TEST_F(SignerImplTest, SignHeadersGracier) { EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/gracier/aws4_request, " "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", + "Signature=06a594b2fa4cf2bfe43e8535dc4bd0a6d3b8ae3080f4fbdbc3c6d8b16b038941", headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); EXPECT_EQ(SignatureConstants::get().UnsignedPayload, headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); From 89348f5328b461a5b09e4f4af1c61e6ee8c8c4bf Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 19:52:59 +0900 Subject: [PATCH 07/11] refactor test Signed-off-by: azihsoyn --- .../extensions/common/aws/signer_impl_test.cc | 113 +++++------------- 1 file changed, 31 insertions(+), 82 deletions(-) 
diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index e31727d7b0049..488dd4897d231 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc @@ -41,6 +41,27 @@ class SignerImplTest : public testing::Test { message_->body() = std::make_unique(body); } + void expectSignHeaders(absl::string_view service_name, absl::string_view signature, + absl::string_view payload) { + auto* credentials_provider = new NiceMock(); + EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); + Http::TestRequestHeaderMapImpl headers{}; + headers.setMethod("GET"); + headers.setPath("/"); + headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); + + SignerImpl signer(service_name, "region", CredentialsProviderSharedPtr{credentials_provider}, + time_system_); + signer.sign(headers); + + EXPECT_EQ(fmt::format("AWS4-HMAC-SHA256 Credential=akid/20180102/region/{}/aws4_request, " + "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " + "Signature={}", + service_name, signature), + headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); + EXPECT_EQ(payload, headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); + } + NiceMock* credentials_provider_; Event::SimulatedTimeSystem time_system_; Http::RequestMessagePtr message_; 
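Review bot: `expectSignHeaders` dereferences the result of `headers.get(...)` without checking it, and its second `EXPECT_EQ` (the `ContentSha256` comparison) reports nothing that identifies the service under test. Because the next hunk of this patch folds four services into one `TEST_F`, a wrong or missing payload header would be reported at the helper's line for every case, or crash the test if `get()` returns null (it appears to return a pointer, going by `->value()`). Adding `SCOPED_TRACE(std::string(service_name));` as the helper's first statement and `ASSERT_NE(nullptr, headers.get(SignatureHeaders::get().ContentSha256));` before the dereference would make such a failure clean and attributable. This matters here because the helper is the only check that a service outside the list still gets a hashed payload value rather than the unsigned marker.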
@@ -169,88 +190,16 @@ TEST_F(SignerImplTest, SignHostHeader) { message_->headers().get(Http::CustomHeaders::get().Authorization)->value().getStringView()); } -// Verify signing headers for S3 -TEST_F(SignerImplTest, SignHeadersS3) { - auto* credentials_provider = new NiceMock(); - EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); - Http::TestRequestHeaderMapImpl headers{}; - headers.setMethod("GET"); - headers.setPath("/"); - headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); - - SignerImpl signer("s3", "region", CredentialsProviderSharedPtr{credentials_provider}, - time_system_); - signer.sign(headers); - - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/s3/aws4_request, " - "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", - headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); - EXPECT_EQ(SignatureConstants::get().UnsignedPayload, - headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); -} - -// Verify signing headers for non S3 -TEST_F(SignerImplTest, SignHeadersNonS3) { - auto* credentials_provider = new NiceMock(); - EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); - Http::TestRequestHeaderMapImpl headers{}; - headers.setMethod("GET"); - headers.setPath("/"); - headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); - - SignerImpl signer("service", "region", CredentialsProviderSharedPtr{credentials_provider}, - time_system_); - signer.sign(headers); - - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/service/aws4_request, " - "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=d9fd9be575a254c924d843964b063d770181d938ae818f5b603ef0575a5ce2cd", - headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); - EXPECT_EQ(SignatureConstants::get().HashedEmptyString, - 
headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); -} - -// Verify signing headers for es -TEST_F(SignerImplTest, SignHeadersES) { - auto* credentials_provider = new NiceMock(); - EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); - Http::TestRequestHeaderMapImpl headers{}; - headers.setMethod("GET"); - headers.setPath("/"); - headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); - - SignerImpl signer("es", "region", CredentialsProviderSharedPtr{credentials_provider}, - time_system_); - signer.sign(headers); - - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/es/aws4_request, " - "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=0fd9c974bb2ad16c8d8a314dca4f6db151d32cbd04748d9c018afee2a685a02e", - headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); - EXPECT_EQ(SignatureConstants::get().UnsignedPayload, - headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); -} - -// Verify signing headers for Gracier -TEST_F(SignerImplTest, SignHeadersGracier) { - auto* credentials_provider = new NiceMock(); - EXPECT_CALL(*credentials_provider, getCredentials()).WillOnce(Return(credentials_)); - Http::TestRequestHeaderMapImpl headers{}; - headers.setMethod("GET"); - headers.setPath("/"); - headers.addCopy(Http::LowerCaseString("host"), "www.example.com"); - - SignerImpl signer("gracier", "region", CredentialsProviderSharedPtr{credentials_provider}, - time_system_); - signer.sign(headers); - - EXPECT_EQ("AWS4-HMAC-SHA256 Credential=akid/20180102/region/gracier/aws4_request, " - "SignedHeaders=host;x-amz-content-sha256;x-amz-date, " - "Signature=06a594b2fa4cf2bfe43e8535dc4bd0a6d3b8ae3080f4fbdbc3c6d8b16b038941", - headers.get(Http::CustomHeaders::get().Authorization)->value().getStringView()); - EXPECT_EQ(SignatureConstants::get().UnsignedPayload, - headers.get(SignatureHeaders::get().ContentSha256)->value().getStringView()); +// 
Verify signing headers for services +TEST_F(SignerImplTest, SignHeadersByService) { + expectSignHeaders("s3", "d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", + SignatureConstants::get().UnsignedPayload); + expectSignHeaders("service", "d9fd9be575a254c924d843964b063d770181d938ae818f5b603ef0575a5ce2cd", + SignatureConstants::get().HashedEmptyString); + expectSignHeaders("es", "0fd9c974bb2ad16c8d8a314dca4f6db151d32cbd04748d9c018afee2a685a02e", + SignatureConstants::get().UnsignedPayload); + expectSignHeaders("gracier", "06a594b2fa4cf2bfe43e8535dc4bd0a6d3b8ae3080f4fbdbc3c6d8b16b038941", + SignatureConstants::get().UnsignedPayload); } } // namespace From 280d36ea416d535843605e1eca4db745ead5082b Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Fri, 10 Jul 2020 23:41:14 +0900 Subject: [PATCH 08/11] fix typo Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 12 ++++++------ test/extensions/common/aws/signer_impl_test.cc | 4 ++-- tools/spelling/spelling_dictionary.txt | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index bf038635c7525..bf047dd6d6eb5 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc 
@@ -24,14 +24,14 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { } void SignerImpl::sign(Http::RequestHeaderMap& headers) { - // S3, Gracier, ES payloads require special treatment. + // S3, Glacier, ES payloads require special treatment. // S3: - // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html + // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. // ES: - // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html - // Gracier: - // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html - if (service_name_ == "s3" || service_name_ == "gracier" || service_name_ == "es") { + // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html. + // Glacier: + // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html. + if (service_name_ == "s3" || service_name_ == "glacier" || service_name_ == "es") { headers.setReference(SignatureHeaders::get().ContentSha256, SignatureConstants::get().UnsignedPayload); sign(headers, SignatureConstants::get().UnsignedPayload); diff --git a/test/extensions/common/aws/signer_impl_test.cc b/test/extensions/common/aws/signer_impl_test.cc index 488dd4897d231..857399749fb1d 100644 --- a/test/extensions/common/aws/signer_impl_test.cc +++ b/test/extensions/common/aws/signer_impl_test.cc @@ -190,7 +190,7 @@ TEST_F(SignerImplTest, SignHostHeader) { message_->headers().get(Http::CustomHeaders::get().Authorization)->value().getStringView()); } -// Verify signing headers for services +// Verify signing headers for services. TEST_F(SignerImplTest, SignHeadersByService) { expectSignHeaders("s3", "d97cae067345792b78d2bad746f25c729b9eb4701127e13a7c80398f8216a167", SignatureConstants::get().UnsignedPayload); 
@@ -198,7 +198,7 @@ TEST_F(SignerImplTest, SignHeadersByService) { SignatureConstants::get().HashedEmptyString); expectSignHeaders("es", "0fd9c974bb2ad16c8d8a314dca4f6db151d32cbd04748d9c018afee2a685a02e", SignatureConstants::get().UnsignedPayload); - expectSignHeaders("gracier", "06a594b2fa4cf2bfe43e8535dc4bd0a6d3b8ae3080f4fbdbc3c6d8b16b038941", + expectSignHeaders("glacier", "8d1f241d77c64cda57b042cd312180f16e98dbd7a96e5545681430f8dbde45a0", SignatureConstants::get().UnsignedPayload); } diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 2947fa29a111b..ce25efd69492c 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -121,7 +121,7 @@ GCP GETting GLB GOAWAY -Gracier +Glacier GRPC GSS GTEST From d25421f5d8f4aa57e9e449a678fb4fc00db81082 Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Mon, 13 Jul 2020 13:43:48 +0900 Subject: [PATCH 09/11] check require_content_hash at initialize Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.cc | 9 +-------- source/extensions/common/aws/signer_impl.h | 10 ++++++++++ 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/source/extensions/common/aws/signer_impl.cc b/source/extensions/common/aws/signer_impl.cc index bf047dd6d6eb5..86730647966bf 100644 --- a/source/extensions/common/aws/signer_impl.cc +++ b/source/extensions/common/aws/signer_impl.cc 
@@ -24,14 +24,7 @@ void SignerImpl::sign(Http::RequestMessage& message, bool sign_body) { } void SignerImpl::sign(Http::RequestHeaderMap& headers) { - // S3, Glacier, ES payloads require special treatment. - // S3: - // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. - // ES: - // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html. - // Glacier: - // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html. - if (service_name_ == "s3" || service_name_ == "glacier" || service_name_ == "es") { + if (require_content_hash_) { headers.setReference(SignatureHeaders::get().ContentSha256, SignatureConstants::get().UnsignedPayload); sign(headers, SignatureConstants::get().UnsignedPayload); diff --git a/source/extensions/common/aws/signer_impl.h b/source/extensions/common/aws/signer_impl.h index f925b6046b9dc..01a57b50e70bf 100644 --- a/source/extensions/common/aws/signer_impl.h +++ b/source/extensions/common/aws/signer_impl.h @@ -74,6 +74,16 @@ class SignerImpl : public Signer, public Logger::Loggable { const std::string service_name_; const std::string region_; + + // S3, Glacier, ES payloads require special treatment. + // S3: + // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. + // ES: + // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html. + // Glacier: + // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html. + const bool require_content_hash_{service_name_ == "s3" || service_name_ == "glacier" || + service_name_ == "es"}; CredentialsProviderSharedPtr credentials_provider_; TimeSource& time_source_; DateFormatter long_date_formatter_; From e428afa47979b24b5a700af7d16c006f00c5247d Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Mon, 13 Jul 2020 14:51:30 +0900 Subject: [PATCH 10/11] add new line Signed-off-by: azihsoyn 
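Review bot: The name `require_content_hash_` reads as the opposite of what the branch does: when it is true, `sign()` sets `ContentSha256` to `SignatureConstants::get().UnsignedPayload`, so no hash of the content is used. The test from patch 07 shows that a service outside the list still receives the `x-amz-content-sha256` header (with `HashedEmptyString`), so the flag does not decide whether that header is required either. A name such as `use_unsigned_payload_` would match the behaviour, and a reader auditing which services skip payload signing would find it directly. The same rename applies to the member added in the signer_impl.h hunk of this patch and to the constructor initializer in patch 11. The body of `sign()` continues past the end of this hunk.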
From 375e25c9335cf541de0acbc8ebad694c72f8aa4b Mon Sep 17 00:00:00 2001 From: azihsoyn Date: Tue, 14 Jul 2020 09:54:33 +0900 Subject: [PATCH 11/11] fix nits Signed-off-by: azihsoyn --- source/extensions/common/aws/signer_impl.h | 25 ++++++++++++---------- tools/spelling/spelling_dictionary.txt | 1 - 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/source/extensions/common/aws/signer_impl.h b/source/extensions/common/aws/signer_impl.h index 01a57b50e70bf..78908874e042a 100644 --- a/source/extensions/common/aws/signer_impl.h +++ b/source/extensions/common/aws/signer_impl.h @@ -47,8 +47,19 @@ class SignerImpl : public Signer, public Logger::Loggable { public: SignerImpl(absl::string_view service_name, absl::string_view region, const CredentialsProviderSharedPtr& credentials_provider, TimeSource& time_source) - : service_name_(service_name), region_(region), credentials_provider_(credentials_provider), - time_source_(time_source), long_date_formatter_(SignatureConstants::get().LongDateFormat), + : service_name_(service_name), region_(region), + + // S3, Glacier, ES payloads require special treatment. + // S3: + // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. + // ES: + // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html. + // Glacier: + // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html. + require_content_hash_{service_name_ == "s3" || service_name_ == "glacier" || + service_name_ == "es"}, + credentials_provider_(credentials_provider), time_source_(time_source), + long_date_formatter_(SignatureConstants::get().LongDateFormat), short_date_formatter_(SignatureConstants::get().ShortDateFormat) {} void sign(Http::RequestMessage& message, bool sign_body = false) override; 
@@ -75,15 +86,7 @@ class SignerImpl : public Signer, public Logger::Loggable { const std::string service_name_; const std::string region_; - // S3, Glacier, ES payloads require special treatment. - // S3: - // https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html. - // ES: - // https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-request-signing.html. - // Glacier: - // https://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-signing-requests.html. - const bool require_content_hash_{service_name_ == "s3" || service_name_ == "glacier" || - service_name_ == "es"}; + const bool require_content_hash_; CredentialsProviderSharedPtr credentials_provider_; TimeSource& time_source_; DateFormatter long_date_formatter_; diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index ce25efd69492c..4b8f9a058a249 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -121,7 +121,6 @@ GCP GETting GLB GOAWAY -Glacier GRPC GSS GTEST