Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SigV4 and SigV4A migration diff validation #2245

Merged
merged 3 commits into from
Apr 23, 2024
Merged

Add SigV4 and SigV4A migration diff validation #2245

merged 3 commits into from
Apr 23, 2024

Conversation

syall
Copy link
Contributor

@syall syall commented Apr 15, 2024
edited
Loading

Overview

Dependent on #2250, which is the first commit of this PR

These changes add SigV4 (aws.auth#sigv4, sigv4) and SigV4A (aws.auth#sigv4a, sigv4a) migration diff validation.

This is important since not all SigV4 credentials work with SigV4A, so migration from SigV4 to SigV4A is not backward compatible.

At the time of writing, it is uncertain whether migrating from SigV4A to SigV4 is backward compatible.

Simplified, the SigV4 migration validation events are emitted when:

  • aws.auth#sigv4 is replaced by aws.auth#sigv4a, or vice versa
  • the order of aws.auth#sigv4 and aws.auth#sigv4a is changed in the effective auth schemes
  • aws.auth#sigv4a is added before an existing aws.auth#sigv4, or vice versa

Validation Tables

Keywords:

  • sigv4 = aws.auth#sigv4
  • sigv4a = aws.auth#sigv4a
  • + = set addition
  • , = list addition (order matters)
  • ... = set, e.g. any, no sigv4, with sigv4

For both @auth and @smithy.rules#endpointRuleSet auth schemes, these are the following validations:

  • SigV4Migration checks for service and operation @auth diffs.
  • EndpointSigV4Migration checks for service @auth and @smithy.rules#endpointRuleSet diffs.
    • At the time of writing, sigv4 also includes sigv4- sub-schemes except sigv4-s3express.
    • At the time of writing, sigv4a also includes sigv4-s3express.
    • beta auth schemes are not considered during SigV4 migration, and will have to manually be added.
Old Model Auth New Model Auth Expectation
[no sigv4 + no sigv4a] [any] Skips validation since no migration
[with sigv4 + no sigv4a] [no sigv4a] Skips validation since no migration
[with sigv4a + no sigv4] [no sigv4] Skips validation since no migration
[with sigv4, with sigv4a] [with sigv4, with sigv4a] Skips validation since no migration
[with sigv4 + no sigv4a] [with sigv4a + no sigv4] Danger: sigv4a replaced sigv4, but not all sigv4 credentials are compatible with sigv4a
[with sigv4a + no sigv4] [with sigv4 + no sigv4a] Danger: sigv4 replaced sigv4a, but signing scope could be narrowed (typically from *)
[with sigv4 + no sigv4a] [with sigv4, with sigv4a] Backward compatible: sigv4 will still resolve before sigv4a
[with sigv4a + no sigv4] [with sigv4a, with sigv4] Backward compatible: sigv4a will still resolve before sigv4
[with sigv4 + no sigv4a] [with sigv4a, with sigv4] Danger: sigv4a will resolve before sigv4, but not all sigv4 credentials are compatible with sigv4a
[with sigv4a + no sigv4] [with sigv4, with sigv4a] Danger: sigv4 will resolve before sigv4a, but signing scope could be narrowed (typically from *)
[with sigv4, with sigv4a] [with sigv4a, with sigv4] Danger: sigv4 and sigv4a order is changed, but not all sigv4 credentials are compatible with sigv4a
[with sigv4a, with sigv4] [with sigv4, with sigv4a] Danger: sigv4 and sigv4a order is changed, but signing scope could be narrowed (typically from *)

Testing

  • Added diff tests according to the validation table
  • CI passes

Related

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 3 times, most recently from 2d1c1ea to 16e5520 Compare April 15, 2024 20:56
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 9 times, most recently from 0cd3d80 to 747dc12 Compare April 17, 2024 15:01
@syall syall marked this pull request as ready for review April 17, 2024 15:06
@syall syall requested a review from a team as a code owner April 17, 2024 15:06
@syall syall requested a review from AndrewFossAWS April 17, 2024 15:06
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 8 times, most recently from e928f91 to 2795d41 Compare April 17, 2024 20:50
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 2 times, most recently from 346722b to f93db2a Compare April 18, 2024 23:21
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch from f93db2a to b131fcc Compare April 19, 2024 20:37
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 6 times, most recently from 3c0ac84 to f19711c Compare April 20, 2024 01:27
@syall syall mentioned this pull request Apr 20, 2024
Closed
@JordonPhillips JordonPhillips requested review from gosar and kstich April 22, 2024 14:18
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 7 times, most recently from 3ef3c2a to 19bc39a Compare April 23, 2024 01:51
gosar
gosar reviewed Apr 23, 2024
View reviewed changes
smithy-aws-traits/src/main/java/software/amazon/smithy/aws/traits/auth/diff/SigV4Migration.java Outdated Show resolved Hide resolved
smithy-aws-endpoints/build.gradle Show resolved Hide resolved
smithy-rules-engine/src/main/java/software/amazon/smithy/rulesengine/language/Endpoint.java Outdated Show resolved Hide resolved
smithy-rules-engine/src/main/java/software/amazon/smithy/rulesengine/language/Endpoint.java Outdated Show resolved Hide resolved
...-rules-engine/src/main/java/software/amazon/smithy/rulesengine/language/EndpointRuleSet.java Show resolved Hide resolved
...c/test/resources/software/amazon/smithy/rulesengine/aws/diffs/sigv4-sigv4a-swap-order.events Outdated Show resolved Hide resolved
...points/src/main/java/software/amazon/smithy/rulesengine/aws/diff/EndpointSigV4Migration.java Outdated Show resolved Hide resolved
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch 4 times, most recently from 50ffc8a to 2f92200 Compare April 23, 2024 19:39
@syall syall force-pushed the sigv4-backward-compatibility-diff-evaluator branch from 2f92200 to 2fbfc46 Compare April 23, 2024 20:43
@syall syall merged commit 9511565 into smithy-lang:main Apr 23, 2024
13 checks passed
@syall syall deleted the sigv4-backward-compatibility-diff-evaluator branch April 23, 2024 21:03
@ghostbuster91 ghostbuster91 mentioned this pull request Sep 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gosar gosar gosar approved these changes

@AndrewFossAWS AndrewFossAWS Awaiting requested review from AndrewFossAWS AndrewFossAWS is a code owner automatically assigned from smithy-lang/smithy

@kstich kstich Awaiting requested review from kstich

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@syall @gosar @kstich