pipe down request to sigv4

override request down provider chain
used custom env declaration for credential track test

Author: kai-ion

src/aws-cpp-sdk-core/include/aws/core/auth/AWSCredentialsProviderChain.h

@@ -29,6 +29,13 @@ namespace Aws
              */
             virtual AWSCredentials GetAWSCredentials();
 
+            /**
+             * When a credentials provider in the chain returns empty credentials,
+             * We go on to the next provider until we have either exhausted the installed providers in the chain or something returns non-empty credentials.
+             * This overload passes the request to providers for user agent feature tracking.
+             */
+            virtual AWSCredentials GetAWSCredentials(Aws::AmazonWebServiceRequest& request);
+
             /**
              * Gets all providers stored in this chain.
              */

src/aws-cpp-sdk-core/include/aws/core/auth/signer/AWSAuthV4Signer.h

@@ -27,6 +27,8 @@ namespace smithy
 
 namespace Aws
 {
+    class AmazonWebServiceRequest;
+    
     namespace Http
     {
         class HttpRequest;
@@ -142,6 +144,13 @@ namespace Aws
              */
             bool SignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, bool signBody) const override;
 
+            /**
+             * Uses AWS Auth V4 signing method with SHA256 HMAC algorithm. If signBody is false
+             * and https is being used then the body of the payload will not be signed.
+             * This overload passes the AWS request to the credentials provider for user agent feature tracking.
+             */
+            bool SignRequest(Aws::Http::HttpRequest& request, Aws::AmazonWebServiceRequest& awsRequest, const char* region, const char* serviceName, bool signBody) const;
+
             /**
             * Takes a request and signs the URI based on the HttpMethod, URI and other info from the request.
             * the region the signer was initialized with will be used for the signature.
@@ -183,6 +192,8 @@ namespace Aws
 
             virtual Aws::Auth::AWSCredentials GetCredentials(const std::shared_ptr<Aws::Http::ServiceSpecificParameters> &serviceSpecificParameters) const;
 
+            virtual Aws::Auth::AWSCredentials GetCredentials(Aws::AmazonWebServiceRequest& awsRequest, const std::shared_ptr<Aws::Http::ServiceSpecificParameters> &serviceSpecificParameters) const;
+
             Aws::String GetServiceName() const { return m_serviceName; }
             Aws::String GetRegion() const { return m_region; }
             Aws::String GenerateSignature(const Aws::Auth::AWSCredentials& credentials,

src/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp

@@ -33,6 +33,29 @@ AWSCredentials AWSCredentialsProviderChain::GetAWSCredentials()
     {
         AWSCredentials credentials = credentialsProvider->GetAWSCredentials();
         if (!credentials.GetAWSAccessKeyId().empty() && !credentials.GetAWSSecretKey().empty())
+        {
+            m_cachedProvider = credentialsProvider;
+            return credentials;
+        }
+    }
+    return AWSCredentials();
+}
+
+AWSCredentials AWSCredentialsProviderChain::GetAWSCredentials(Aws::AmazonWebServiceRequest& request)
+{
+    ReaderLockGuard lock(m_cachedProviderLock);
+    if (m_cachedProvider) {
+      AWSCredentials credentials = m_cachedProvider->GetAWSCredentials(request);
+      if (!credentials.GetAWSAccessKeyId().empty() && !credentials.GetAWSSecretKey().empty())
+      {
+        return credentials;
+      }
+    }
+    lock.UpgradeToWriterLock();
+    for (auto&& credentialsProvider : m_providerChain)
+    {
+        AWSCredentials credentials = credentialsProvider->GetAWSCredentials(request);
+        if (!credentials.GetAWSAccessKeyId().empty() && !credentials.GetAWSSecretKey().empty())
         {
             // TODO: issue of only chain, not overidden
             // which credentials were used -- add it somethow

src/aws-cpp-sdk-core/source/auth/signer/AWSAuthV4Signer.cpp

@@ -339,6 +339,12 @@ bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* r
     return SignRequestWithCreds(request, credentials, region, serviceName, signBody);
 }
 
+bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, Aws::AmazonWebServiceRequest& awsRequest, const char* region, const char* serviceName, bool signBody) const
+{
+    AWSCredentials credentials = GetCredentials(awsRequest, request.GetServiceSpecificParameters());
+    return SignRequestWithCreds(request, credentials, region, serviceName, signBody);
+}
+
 bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, long long expirationTimeInSeconds) const
 {
     return PresignRequest(request, m_region.c_str(), expirationTimeInSeconds);
@@ -595,3 +601,8 @@ Aws::Auth::AWSCredentials AWSAuthV4Signer::GetCredentials(const std::shared_ptr<
     AWS_UNREFERENCED_PARAM(serviceSpecificParameters);
     return m_credentialsProvider->GetAWSCredentials();
 }
+
+Aws::Auth::AWSCredentials AWSAuthV4Signer::GetCredentials(Aws::AmazonWebServiceRequest& awsRequest, const std::shared_ptr<Aws::Http::ServiceSpecificParameters> &serviceSpecificParameters) const {
+    AWS_UNREFERENCED_PARAM(serviceSpecificParameters);
+    return m_credentialsProvider->GetAWSCredentials(awsRequest);
+}

src/aws-cpp-sdk-core/source/client/AWSClient.cpp

@@ -7,6 +7,7 @@
 #include <aws/core/AmazonWebServiceRequest.h>
 #include <aws/core/auth/AWSAuthSigner.h>
 #include <aws/core/auth/AWSAuthSignerProvider.h>
+#include <aws/core/auth/signer/AWSAuthV4Signer.h>
 #include <aws/core/client/AWSUrlPresigner.h>
 #include <aws/core/client/AWSError.h>
 #include <aws/core/client/AWSErrorMarshaller.h>
@@ -579,6 +580,11 @@ HttpResponseOutcome AWSClient::AttemptOneRequest(const std::shared_ptr<Aws::Http
 
     auto signer = GetSignerByName(signerName);
     auto signedRequest = TracingUtils::MakeCallWithTiming<bool>([&]() -> bool {
+            // Use request-aware signing for credential tracking
+            auto* v4Signer = dynamic_cast<AWSAuthV4Signer*>(signer);
+            if (v4Signer) {
+                return v4Signer->SignRequest(*httpRequest, const_cast<Aws::AmazonWebServiceRequest&>(request), signerRegionOverride, signerServiceNameOverride, true);
+            }
             return signer->SignRequest(*httpRequest, signerRegionOverride, signerServiceNameOverride, true);
         },
         TracingUtils::SMITHY_CLIENT_SIGNING_METRIC,
@@ -590,12 +596,6 @@ HttpResponseOutcome AWSClient::AttemptOneRequest(const std::shared_ptr<Aws::Http
         return HttpResponseOutcome(AWSError<CoreErrors>(CoreErrors::CLIENT_SIGNING_FAILURE, "", "SDK failed to sign the request", false/*retryable*/));
     }
 
-    // Track credential provider usage for User-Agent features
-    auto credentialsProvider = GetCredentialsProvider();
-    if (credentialsProvider) {
-      credentialsProvider->GetAWSCredentials(const_cast<Aws::AmazonWebServiceRequest&>(request));
-    }
-
     if (request.GetRequestSignedHandler())
     {
         request.GetRequestSignedHandler()(*httpRequest);

tests/aws-cpp-sdk-core-tests/aws/auth/CredentialTrackingTest.cpp

@@ -7,18 +7,45 @@
 #include <aws/testing/AwsTestHelpers.h>
 #include <aws/testing/mocks/aws/client/MockAWSClient.h>
 #include <aws/testing/mocks/http/MockHttpClient.h>
+#include <aws/testing/platform/PlatformTesting.h>
 #include <aws/core/auth/AWSCredentialsProvider.h>
 #include <aws/core/client/AWSClient.h>
 #include <aws/core/utils/StringUtils.h>
-#include <aws/core/platform/Environment.h>
 
 using namespace Aws::Client;
 using namespace Aws::Auth;
 using namespace Aws::Http;
 
 static const char ALLOCATION_TAG[] = "CredentialTrackingTest";
 
+// Custom client that uses environment credential provider for testing
+class CredentialTestingClient : public Aws::Client::AWSClient
+{
+public:
+    explicit CredentialTestingClient(const Aws::Client::ClientConfiguration& configuration)
+        : AWSClient(configuration,
+                   Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(ALLOCATION_TAG,
+                       Aws::MakeShared<EnvironmentAWSCredentialsProvider>(ALLOCATION_TAG),
+                       "service", configuration.region),
+                   Aws::MakeShared<MockAWSErrorMarshaller>(ALLOCATION_TAG))
+    {
+    }
+
+    Aws::Client::HttpResponseOutcome MakeRequest(const Aws::AmazonWebServiceRequest& request)
+    {
+        auto uri = Aws::Http::URI("https://test.com");
+        return AWSClient::AttemptExhaustively(uri, request, Aws::Http::HttpMethod::HTTP_POST, Aws::Auth::SIGV4_SIGNER);
+    }
+
+    const char* GetServiceClientName() const override { return "CredentialTestingClient"; }
 
+protected:
+    Aws::Client::AWSError<Aws::Client::CoreErrors> BuildAWSError(const std::shared_ptr<Aws::Http::HttpResponse>& response) const override
+    {
+        AWS_UNREFERENCED_PARAM(response);
+        return Aws::Client::AWSError<Aws::Client::CoreErrors>(Aws::Client::CoreErrors::UNKNOWN, false);
+    }
+};
 
 class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
 {
@@ -46,12 +73,14 @@ class CredentialTrackingTest : public Aws::Testing::AwsCppSdkGTestSuite
 
 TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
 {
-    Aws::Environment::SetEnv("AWS_ACCESS_KEY_ID", "test-access-key", 1);
-    Aws::Environment::SetEnv("AWS_SECRET_ACCESS_KEY", "test-secret-key", 1);
+    Aws::Environment::EnvironmentRAII testEnvironment{{
+        {"AWS_ACCESS_KEY_ID", "test-access-key"},
+        {"AWS_SECRET_ACCESS_KEY", "test-secret-key"},
+    }};
 
     // Setup mock response
     std::shared_ptr<HttpRequest> requestTmp =
-        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST, 
+        CreateHttpRequest(Aws::Http::URI("dummy"), Aws::Http::HttpMethod::HTTP_POST,
                         Aws::Utils::Stream::DefaultResponseStreamFactoryMethod);
     auto successResponse = Aws::MakeShared<Standard::StandardHttpResponse>(ALLOCATION_TAG, requestTmp);
     successResponse->SetResponseCode(HttpResponseCode::OK);
@@ -64,22 +93,20 @@ TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
     Aws::Client::ClientConfiguration clientConfig(cfgInit);
     clientConfig.region = Aws::Region::US_EAST_1;
 
-    // Create client with environment credentials signer
-    Aws::Client::AWSClient client(clientConfig,
-        Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(ALLOCATION_TAG,
-            Aws::MakeShared<EnvironmentAWSCredentialsProvider>(ALLOCATION_TAG),
-            "service", clientConfig.region),
-        Aws::MakeShared<MockAWSErrorMarshaller>(ALLOCATION_TAG));
-    
+    // Create credential testing client that uses default provider chain
+    CredentialTestingClient client(clientConfig);
+
+    // Create mock request
     AmazonWebServiceRequestMock mockRequest;
-    auto outcome = client.AttemptExhaustively(Aws::Http::URI("https://test.com"), mockRequest, 
-                                             Aws::Http::HttpMethod::HTTP_POST, Aws::Auth::SIGV4_SIGNER);
-    AWS_ASSERT_SUCCESS(outcome);
+
+    // Make request
+    auto outcome = client.MakeRequest(mockRequest);
+    ASSERT_TRUE(outcome.IsSuccess());
 
     // Verify User-Agent contains environment credentials tracking
     auto lastRequest = mockHttpClient->GetMostRecentHttpRequest();
-    EXPECT_TRUE(lastRequest.HasUserAgent());
-    const auto& userAgent = lastRequest.GetUserAgent();
+    EXPECT_TRUE(lastRequest.HasHeader(Aws::Http::USER_AGENT_HEADER));
+    const auto& userAgent = lastRequest.GetHeaderValue(Aws::Http::USER_AGENT_HEADER);
     EXPECT_FALSE(userAgent.empty());
 
     const auto userAgentParsed = Aws::Utils::StringUtils::Split(userAgent, ' ');
@@ -89,7 +116,4 @@ TEST_F(CredentialTrackingTest, TestEnvironmentCredentialsTracking)
         [](const Aws::String& value) { return value.find("m/") != Aws::String::npos && value.find("g") != Aws::String::npos; });
 
     EXPECT_TRUE(businessMetrics != userAgentParsed.end());
-
-    Aws::Environment::UnSetEnv("AWS_ACCESS_KEY_ID");
-    Aws::Environment::UnSetEnv("AWS_SECRET_ACCESS_KEY");
-}
+}