Merge remote-tracking branch 'public/release'

Author: AWS

.changes/2.36.0.json

@@ -122,12 +122,6 @@
             "contributor": "",
             "description": "Update endpoint ruleset parameters casing"
         },
-        {
-            "type": "feature",
-            "category": "AWS SDK for Java v2",
-            "contributor": "",
-            "description": "Add support for payload signing of async streaming requests signed with SigV4 using default `AwsV4HttpSigner` (using `AwsV4HttpSigner.create()`). Note, requests using the `http` URI scheme will not be signed regardless of the value of `AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED` to remain consistent with existing behavior. This may change in a future release."
-        },
         {
             "type": "feature",
             "category": "AWS Systems Manager Incident Manager",
@@ -309,4 +303,4 @@
             "description": "Updated endpoint and partition metadata."
         }
     ]
-}
+}

CHANGELOG.md

@@ -82,7 +82,6 @@
 
 ## __AWS SDK for Java v2__
   - ### Features
-    - Add support for payload signing of async streaming requests signed with SigV4 using default `AwsV4HttpSigner` (using `AwsV4HttpSigner.create()`). Note, requests using the `http` URI scheme will not be signed regardless of the value of `AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED` to remain consistent with existing behavior. This may change in a future release.
     - Updated endpoint and partition metadata.
 
 ## __AWS Systems Manager Incident Manager__

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/crt/internal/signer/AwsChunkedV4aPayloadSigner.java

@@ -21,6 +21,7 @@
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_ECDSA_SIGNED_PAYLOAD_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_UNSIGNED_PAYLOAD_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_TRAILER;
+import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerUtils.moveContentLength;
 
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
@@ -40,7 +41,6 @@
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.TrailerProvider;
 import software.amazon.awssdk.http.auth.aws.internal.signer.io.ChecksumInputStream;
 import software.amazon.awssdk.http.auth.aws.internal.signer.io.ResettableContentStreamProvider;
-import software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerUtils;
 import software.amazon.awssdk.http.auth.spi.signer.PayloadChecksumStore;
 import software.amazon.awssdk.utils.BinaryUtils;
 import software.amazon.awssdk.utils.Logger;
@@ -115,7 +115,7 @@ public ContentStreamProvider sign(ContentStreamProvider payload, V4aRequestSigni
     @Override
     public void beforeSigning(SdkHttpRequest.Builder request, ContentStreamProvider payload, String checksum) {
         long encodedContentLength = 0;
-        long contentLength = SignerUtils.computeAndMoveContentLength(request, payload);
+        long contentLength = moveContentLength(request, payload);
         setupPreExistingTrailers(request);
 
         // pre-existing trailers

core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/AwsChunkedV4PayloadSigner.java

@@ -23,7 +23,6 @@
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_SIGNED_PAYLOAD_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.STREAMING_UNSIGNED_PAYLOAD_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_CONTENT_SHA256;
-import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_DECODED_CONTENT_LENGTH;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerConstant.X_AMZ_TRAILER;
 import static software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerUtils.moveContentLength;
 
@@ -32,26 +31,20 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
-import java.util.Optional;
-import java.util.concurrent.CompletableFuture;
 import org.reactivestreams.Publisher;
 import software.amazon.awssdk.annotations.SdkInternalApi;
 import software.amazon.awssdk.checksums.SdkChecksum;
 import software.amazon.awssdk.checksums.spi.ChecksumAlgorithm;
 import software.amazon.awssdk.http.ContentStreamProvider;
 import software.amazon.awssdk.http.Header;
 import software.amazon.awssdk.http.SdkHttpRequest;
-import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.AsyncChunkEncodedPayload;
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.ChecksumTrailerProvider;
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.ChunkedEncodedInputStream;
-import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.ChunkedEncodedPayload;
-import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.ChunkedEncodedPublisher;
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.SigV4ChunkExtensionProvider;
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.SigV4TrailerProvider;
-import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.SyncChunkEncodedPayload;
 import software.amazon.awssdk.http.auth.aws.internal.signer.chunkedencoding.TrailerProvider;
+import software.amazon.awssdk.http.auth.aws.internal.signer.io.ChecksumInputStream;
 import software.amazon.awssdk.http.auth.aws.internal.signer.io.ResettableContentStreamProvider;
-import software.amazon.awssdk.http.auth.aws.internal.signer.util.SignerUtils;
 import software.amazon.awssdk.http.auth.spi.signer.PayloadChecksumStore;
 import software.amazon.awssdk.utils.BinaryUtils;
 import software.amazon.awssdk.utils.Logger;
@@ -86,140 +79,81 @@ public static Builder builder() {
 
     @Override
     public ContentStreamProvider sign(ContentStreamProvider payload, V4RequestSigningResult requestSigningResult) {
+        SdkHttpRequest.Builder request = requestSigningResult.getSignedRequest();
+
+        String checksum = request.firstMatchingHeader(X_AMZ_CONTENT_SHA256).orElseThrow(
+            () -> new IllegalArgumentException(X_AMZ_CONTENT_SHA256 + " must be set!")
+        );
+
         ChunkedEncodedInputStream.Builder chunkedEncodedInputStreamBuilder = ChunkedEncodedInputStream
             .builder()
             .inputStream(payload.newStream())
             .chunkSize(chunkSize)
             .header(chunk -> Integer.toHexString(chunk.remaining()).getBytes(StandardCharsets.UTF_8));
 
-        SyncChunkEncodedPayload chunkedPayload = new SyncChunkEncodedPayload(chunkedEncodedInputStreamBuilder);
-        signCommon(chunkedPayload, requestSigningResult);
-
-        return new ResettableContentStreamProvider(chunkedEncodedInputStreamBuilder::build);
-    }
-
-    @Override
-    public Publisher<ByteBuffer> signAsync(Publisher<ByteBuffer> payload, V4RequestSigningResult requestSigningResult) {
-        ChunkedEncodedPublisher.Builder chunkedStreamBuilder = ChunkedEncodedPublisher.builder()
-                                                                                      .publisher(payload)
-                                                                                      .chunkSize(chunkSize)
-                                                                                      .addEmptyTrailingChunk(true);
-
-        AsyncChunkEncodedPayload chunkedPayload = new AsyncChunkEncodedPayload(chunkedStreamBuilder);
-        signCommon(chunkedPayload, requestSigningResult);
-
-        return chunkedStreamBuilder.build();
-    }
-
-    private void signCommon(ChunkedEncodedPayload payload, V4RequestSigningResult requestSigningResult) {
-        preExistingTrailers.forEach(t -> payload.addTrailer(() -> t));
-
-        SdkHttpRequest.Builder request = requestSigningResult.getSignedRequest();
-
-        payload.decodedContentLength(request.firstMatchingHeader(X_AMZ_DECODED_CONTENT_LENGTH)
-                                            .map(Long::parseLong)
-                                            .orElseThrow(() -> {
-                                                String msg = String.format("Expected header '%s' to be present",
-                                                                           X_AMZ_DECODED_CONTENT_LENGTH);
-                                                return new RuntimeException(msg);
-                                            }));
-
-        String checksum = request.firstMatchingHeader(X_AMZ_CONTENT_SHA256).orElseThrow(
-            () -> new IllegalArgumentException(X_AMZ_CONTENT_SHA256 + " must be set!")
-        );
+        preExistingTrailers.forEach(trailer -> chunkedEncodedInputStreamBuilder.addTrailer(() -> trailer));
 
         switch (checksum) {
             case STREAMING_SIGNED_PAYLOAD: {
                 RollingSigner rollingSigner = new RollingSigner(requestSigningResult.getSigningKey(),
                                                                 requestSigningResult.getSignature());
-                payload.addExtension(new SigV4ChunkExtensionProvider(rollingSigner, credentialScope));
+                chunkedEncodedInputStreamBuilder.addExtension(new SigV4ChunkExtensionProvider(rollingSigner, credentialScope));
                 break;
             }
             case STREAMING_UNSIGNED_PAYLOAD_TRAILER:
-                setupChecksumTrailerIfNeeded(payload);
+                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder);
                 break;
             case STREAMING_SIGNED_PAYLOAD_TRAILER: {
-                setupChecksumTrailerIfNeeded(payload);
                 RollingSigner rollingSigner = new RollingSigner(requestSigningResult.getSigningKey(),
                                                                 requestSigningResult.getSignature());
-                payload.addExtension(new SigV4ChunkExtensionProvider(rollingSigner, credentialScope));
-                payload.addTrailer(
-                    new SigV4TrailerProvider(payload.trailers(), rollingSigner, credentialScope)
+                chunkedEncodedInputStreamBuilder.addExtension(new SigV4ChunkExtensionProvider(rollingSigner, credentialScope));
+                setupChecksumTrailerIfNeeded(chunkedEncodedInputStreamBuilder);
+                chunkedEncodedInputStreamBuilder.addTrailer(
+                    new SigV4TrailerProvider(chunkedEncodedInputStreamBuilder.trailers(), rollingSigner, credentialScope)
                 );
                 break;
             }
             default:
                 throw new UnsupportedOperationException();
         }
-    }
 
-    @Override
-    public void beforeSigning(SdkHttpRequest.Builder request, ContentStreamProvider payload) {
-        long encodedContentLength = 0;
-        long contentLength = SignerUtils.computeAndMoveContentLength(request, payload);
-        setupPreExistingTrailers(request);
-
-        // pre-existing trailers
-        encodedContentLength = calculateEncodedContentLength(request, contentLength);
-
-        if (checksumAlgorithm != null) {
-            String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
-            request.appendHeader(X_AMZ_TRAILER, checksumHeaderName);
-        }
-        request.putHeader(Header.CONTENT_LENGTH, Long.toString(encodedContentLength));
-        request.appendHeader(CONTENT_ENCODING, AWS_CHUNKED);
+        return new ResettableContentStreamProvider(chunkedEncodedInputStreamBuilder::build);
     }
 
     @Override
-    public CompletableFuture<Pair<SdkHttpRequest.Builder, Optional<Publisher<ByteBuffer>>>> beforeSigningAsync(
-        SdkHttpRequest.Builder request, Publisher<ByteBuffer> payload) {
-        return moveContentLength(request, payload)
-            .thenApply(p -> {
-                SdkHttpRequest.Builder requestBuilder = p.left();
-                setupPreExistingTrailers(requestBuilder);
-
-                long decodedContentLength = requestBuilder.firstMatchingHeader(X_AMZ_DECODED_CONTENT_LENGTH)
-                                                          .map(Long::parseLong)
-                                                          // should not happen, this header is added by moveContentLength
-                                                          .orElseThrow(() -> new RuntimeException(X_AMZ_DECODED_CONTENT_LENGTH
-                                                                                                  + " header not present"));
-
-                long encodedContentLength = calculateEncodedContentLength(request, decodedContentLength);
-
-                if (checksumAlgorithm != null) {
-                    String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
-                    request.appendHeader(X_AMZ_TRAILER, checksumHeaderName);
-                }
-                request.putHeader(Header.CONTENT_LENGTH, Long.toString(encodedContentLength));
-                request.appendHeader(CONTENT_ENCODING, AWS_CHUNKED);
-                return Pair.of(requestBuilder, p.right());
-            });
+    public Publisher<ByteBuffer> signAsync(Publisher<ByteBuffer> payload, V4RequestSigningResult requestSigningResult) {
+        // TODO(sra-identity-and-auth): implement this first and remove addFlexibleChecksumInTrailer logic in HttpChecksumStage
+        throw new UnsupportedOperationException();
     }
 
-    private long calculateEncodedContentLength(SdkHttpRequest.Builder requestBuilder, long decodedContentLength) {
+    @Override
+    public void beforeSigning(SdkHttpRequest.Builder request, ContentStreamProvider payload) {
         long encodedContentLength = 0;
+        long contentLength = moveContentLength(request, payload);
+        setupPreExistingTrailers(request);
 
+        // pre-existing trailers
         encodedContentLength += calculateExistingTrailersLength();
 
-        String checksum = requestBuilder.firstMatchingHeader(X_AMZ_CONTENT_SHA256).orElseThrow(
+        String checksum = request.firstMatchingHeader(X_AMZ_CONTENT_SHA256).orElseThrow(
             () -> new IllegalArgumentException(X_AMZ_CONTENT_SHA256 + " must be set!")
         );
 
         switch (checksum) {
             case STREAMING_SIGNED_PAYLOAD: {
                 long extensionsLength = 81; // ;chunk-signature:<sigv4 hex signature, 64 bytes>
-                encodedContentLength += calculateChunksLength(decodedContentLength, extensionsLength);
+                encodedContentLength += calculateChunksLength(contentLength, extensionsLength);
                 break;
             }
             case STREAMING_UNSIGNED_PAYLOAD_TRAILER:
                 if (checksumAlgorithm != null) {
                     encodedContentLength += calculateChecksumTrailerLength(checksumHeaderName(checksumAlgorithm));
                 }
-                encodedContentLength += calculateChunksLength(decodedContentLength, 0);
+                encodedContentLength += calculateChunksLength(contentLength, 0);
                 break;
             case STREAMING_SIGNED_PAYLOAD_TRAILER: {
                 long extensionsLength = 81; // ;chunk-signature:<sigv4 hex signature, 64 bytes>
-                encodedContentLength += calculateChunksLength(decodedContentLength, extensionsLength);
+                encodedContentLength += calculateChunksLength(contentLength, extensionsLength);
                 if (checksumAlgorithm != null) {
                     encodedContentLength += calculateChecksumTrailerLength(checksumHeaderName(checksumAlgorithm));
                 }
@@ -233,7 +167,12 @@ private long calculateEncodedContentLength(SdkHttpRequest.Builder requestBuilder
         // terminating \r\n
         encodedContentLength += 2;
 
-        return encodedContentLength;
+        if (checksumAlgorithm != null) {
+            String checksumHeaderName = checksumHeaderName(checksumAlgorithm);
+            request.appendHeader(X_AMZ_TRAILER, checksumHeaderName);
+        }
+        request.putHeader(Header.CONTENT_LENGTH, Long.toString(encodedContentLength));
+        request.appendHeader(CONTENT_ENCODING, AWS_CHUNKED);
     }
 
     /**
@@ -317,7 +256,12 @@ private long calculateChecksumTrailerLength(String checksumHeaderName) {
         return lengthInBytes + 2;
     }
 
-    private void setupChecksumTrailerIfNeeded(ChunkedEncodedPayload payload) {
+    /**
+     * Add the checksum as a trailer to the chunk-encoded stream.
+     * <p>
+     * If the checksum-algorithm is not present, then nothing is done.
+     */
+    private void setupChecksumTrailerIfNeeded(ChunkedEncodedInputStream.Builder builder) {
         if (checksumAlgorithm == null) {
             return;
         }
@@ -329,17 +273,20 @@ private void setupChecksumTrailerIfNeeded(ChunkedEncodedPayload payload) {
         if (cachedChecksum != null) {
             LOG.debug(() -> String.format("Cached payload checksum available for algorithm %s: %s. Using cached value",
                                           checksumAlgorithm.algorithmId(), checksumHeaderName));
-            payload.addTrailer(() -> Pair.of(checksumHeaderName, Collections.singletonList(cachedChecksum)));
+            builder.addTrailer(() -> Pair.of(checksumHeaderName, Collections.singletonList(cachedChecksum)));
             return;
         }
 
         SdkChecksum sdkChecksum = fromChecksumAlgorithm(checksumAlgorithm);
+        ChecksumInputStream checksumInputStream = new ChecksumInputStream(
+            builder.inputStream(),
+            Collections.singleton(sdkChecksum)
+        );
 
         TrailerProvider checksumTrailer =
             new ChecksumTrailerProvider(sdkChecksum, checksumHeaderName, checksumAlgorithm, payloadChecksumStore);
 
-        payload.checksumPayload(sdkChecksum);
-        payload.addTrailer(checksumTrailer);
+        builder.inputStream(checksumInputStream).addTrailer(checksumTrailer);
     }
 
     private String getCachedChecksum() {