1use crate::auth;
7use crate::auth::{
8 extract_endpoint_auth_scheme_signing_name, extract_endpoint_auth_scheme_signing_region,
9 SigV4OperationSigningConfig, SigV4SessionTokenNameOverride, SigV4SigningError,
10};
11use aws_credential_types::Credentials;
12use aws_sigv4::http_request::{
13 sign, SignableBody, SignableRequest, SigningParams, SigningSettings,
14};
15use aws_sigv4::sign::v4;
16use aws_smithy_runtime_api::box_error::BoxError;
17use aws_smithy_runtime_api::client::auth::{
18 AuthScheme, AuthSchemeEndpointConfig, AuthSchemeId, Sign,
19};
20use aws_smithy_runtime_api::client::identity::{Identity, SharedIdentityResolver};
21use aws_smithy_runtime_api::client::orchestrator::HttpRequest;
22use aws_smithy_runtime_api::client::runtime_components::{GetIdentityResolver, RuntimeComponents};
23use aws_smithy_types::config_bag::ConfigBag;
24use aws_types::region::SigningRegion;
25use aws_types::SigningName;
26use std::borrow::Cow;
27use std::time::SystemTime;
28
29const EXPIRATION_WARNING: &str = "Presigned request will expire before the given \
30 `expires_in` duration because the credentials used to sign it will expire first.";
31
32pub const SCHEME_ID: AuthSchemeId = AuthSchemeId::new("sigv4");
34
35#[derive(Debug, Default)]
37pub struct SigV4AuthScheme {
38 signer: SigV4Signer,
39}
40
41impl SigV4AuthScheme {
42 pub fn new() -> Self {
44 Default::default()
45 }
46}
47
48impl AuthScheme for SigV4AuthScheme {
49 fn scheme_id(&self) -> AuthSchemeId {
50 SCHEME_ID
51 }
52
53 fn identity_resolver(
54 &self,
55 identity_resolvers: &dyn GetIdentityResolver,
56 ) -> Option<SharedIdentityResolver> {
57 identity_resolvers.identity_resolver(self.scheme_id())
58 }
59
60 fn signer(&self) -> &dyn Sign {
61 &self.signer
62 }
63}
64
65#[derive(Debug, Default)]
67pub struct SigV4Signer;
68
69impl SigV4Signer {
70 pub fn new() -> Self {
72 Self
73 }
74
75 fn settings(operation_config: &SigV4OperationSigningConfig) -> SigningSettings {
76 super::settings(operation_config)
77 }
78
79 fn signing_params<'a>(
80 settings: SigningSettings,
81 identity: &'a Identity,
82 operation_config: &'a SigV4OperationSigningConfig,
83 request_timestamp: SystemTime,
84 ) -> Result<v4::SigningParams<'a, SigningSettings>, SigV4SigningError> {
85 let creds = identity
86 .data::<Credentials>()
87 .ok_or_else(|| SigV4SigningError::WrongIdentityType(identity.clone()))?;
88
89 if let Some(expires_in) = settings.expires_in {
90 if let Some(creds_expires_time) = creds.expiry() {
91 let presigned_expires_time = request_timestamp + expires_in;
92 if presigned_expires_time > creds_expires_time {
93 tracing::warn!(EXPIRATION_WARNING);
94 }
95 }
96 }
97
98 Ok(v4::SigningParams::builder()
99 .identity(identity)
100 .region(
101 operation_config
102 .region
103 .as_ref()
104 .ok_or(SigV4SigningError::MissingSigningRegion)?
105 .as_ref(),
106 )
107 .name(
108 operation_config
109 .name
110 .as_ref()
111 .ok_or(SigV4SigningError::MissingSigningName)?
112 .as_ref(),
113 )
114 .time(request_timestamp)
115 .settings(settings)
116 .build()
117 .expect("all required fields set"))
118 }
119
120 fn extract_operation_config<'a>(
121 auth_scheme_endpoint_config: AuthSchemeEndpointConfig<'a>,
122 config_bag: &'a ConfigBag,
123 ) -> Result<Cow<'a, SigV4OperationSigningConfig>, SigV4SigningError> {
124 let operation_config = config_bag
125 .load::<SigV4OperationSigningConfig>()
126 .ok_or(SigV4SigningError::MissingOperationSigningConfig)?;
127
128 let name = extract_endpoint_auth_scheme_signing_name(&auth_scheme_endpoint_config)?
129 .or(config_bag.load::<SigningName>().cloned());
130
131 let region = extract_endpoint_auth_scheme_signing_region(&auth_scheme_endpoint_config)?
132 .or(config_bag.load::<SigningRegion>().cloned());
133
134 match (region, name) {
135 (None, None) => Ok(Cow::Borrowed(operation_config)),
136 (region, name) => {
137 let mut operation_config = operation_config.clone();
138 operation_config.region = region.or(operation_config.region);
139 operation_config.name = name.or(operation_config.name);
140 Ok(Cow::Owned(operation_config))
141 }
142 }
143 }
144}
145
146impl Sign for SigV4Signer {
147 fn sign_http_request(
148 &self,
149 request: &mut HttpRequest,
150 identity: &Identity,
151 auth_scheme_endpoint_config: AuthSchemeEndpointConfig<'_>,
152 runtime_components: &RuntimeComponents,
153 config_bag: &ConfigBag,
154 ) -> Result<(), BoxError> {
155 if identity.data::<Credentials>().is_none() {
156 return Err(SigV4SigningError::WrongIdentityType(identity.clone()).into());
157 };
158
159 let operation_config =
160 Self::extract_operation_config(auth_scheme_endpoint_config, config_bag)?;
161 let request_time = runtime_components.time_source().unwrap_or_default().now();
162
163 let settings = if let Some(session_token_name_override) =
164 config_bag.load::<SigV4SessionTokenNameOverride>()
165 {
166 let mut settings = Self::settings(&operation_config);
167 let name_override = session_token_name_override.name_override(&settings, config_bag)?;
168 settings.session_token_name_override = name_override;
169 settings
170 } else {
171 Self::settings(&operation_config)
172 };
173
174 let signing_params =
175 Self::signing_params(settings, identity, &operation_config, request_time)?;
176
177 let (signing_instructions, _signature) = {
178 let signable_body = operation_config
181 .signing_options
182 .payload_override
183 .as_ref()
184 .cloned()
187 .unwrap_or_else(|| {
188 request
189 .body()
190 .bytes()
191 .map(SignableBody::Bytes)
192 .unwrap_or(SignableBody::UnsignedPayload)
193 });
194
195 let signable_request = SignableRequest::new(
196 request.method(),
197 request.uri(),
198 request.headers().iter(),
199 signable_body,
200 )?;
201 sign(signable_request, &SigningParams::V4(signing_params))?
202 }
203 .into_parts();
204
205 #[cfg(feature = "event-stream")]
207 {
208 use aws_smithy_eventstream::frame::DeferredSignerSender;
209 use event_stream::SigV4MessageSigner;
210
211 if let Some(signer_sender) = config_bag.load::<DeferredSignerSender>() {
212 let time_source = runtime_components.time_source().unwrap_or_default();
213 let region = operation_config.region.clone().unwrap();
214 let name = operation_config.name.clone().unwrap();
215 signer_sender
216 .send(Box::new(SigV4MessageSigner::new(
217 _signature,
218 identity.clone(),
219 region,
220 name,
221 time_source,
222 )) as _)
223 .expect("failed to send deferred signer");
224 }
225 }
226 auth::apply_signing_instructions(signing_instructions, request)?;
227 Ok(())
228 }
229}
230
231#[cfg(feature = "event-stream")]
232mod event_stream {
233 use aws_sigv4::event_stream::{sign_empty_message, sign_message};
234 use aws_sigv4::sign::v4;
235 use aws_smithy_async::time::SharedTimeSource;
236 use aws_smithy_eventstream::frame::{SignMessage, SignMessageError};
237 use aws_smithy_runtime_api::client::identity::Identity;
238 use aws_smithy_types::event_stream::Message;
239 use aws_types::region::SigningRegion;
240 use aws_types::SigningName;
241
242 #[derive(Debug)]
244 pub(super) struct SigV4MessageSigner {
245 last_signature: String,
246 identity: Identity,
247 signing_region: SigningRegion,
248 signing_name: SigningName,
249 time: SharedTimeSource,
250 }
251
252 impl SigV4MessageSigner {
253 pub(super) fn new(
254 last_signature: String,
255 identity: Identity,
256 signing_region: SigningRegion,
257 signing_name: SigningName,
258 time: SharedTimeSource,
259 ) -> Self {
260 Self {
261 last_signature,
262 identity,
263 signing_region,
264 signing_name,
265 time,
266 }
267 }
268
269 fn signing_params(&self) -> v4::SigningParams<'_, ()> {
270 let builder = v4::SigningParams::builder()
271 .identity(&self.identity)
272 .region(self.signing_region.as_ref())
273 .name(self.signing_name.as_ref())
274 .time(self.time.now())
275 .settings(());
276 builder.build().unwrap()
277 }
278 }
279
280 impl SignMessage for SigV4MessageSigner {
281 fn sign(&mut self, message: Message) -> Result<Message, SignMessageError> {
282 let (signed_message, signature) = {
283 let params = self.signing_params();
284 sign_message(&message, &self.last_signature, ¶ms)?.into_parts()
285 };
286 self.last_signature = signature;
287 Ok(signed_message)
288 }
289
290 fn sign_empty(&mut self) -> Option<Result<Message, SignMessageError>> {
291 let (signed_message, signature) = {
292 let params = self.signing_params();
293 sign_empty_message(&self.last_signature, ¶ms)
294 .ok()?
295 .into_parts()
296 };
297 self.last_signature = signature;
298 Some(Ok(signed_message))
299 }
300 }
301
302 #[cfg(test)]
303 mod tests {
304 use crate::auth::sigv4::event_stream::SigV4MessageSigner;
305 use aws_credential_types::Credentials;
306 use aws_smithy_async::time::SharedTimeSource;
307 use aws_smithy_eventstream::frame::SignMessage;
308 use aws_smithy_types::event_stream::{HeaderValue, Message};
309
310 use aws_types::region::Region;
311 use aws_types::region::SigningRegion;
312 use aws_types::SigningName;
313 use std::time::{Duration, UNIX_EPOCH};
314
315 fn check_send_sync<T: Send + Sync>(value: T) -> T {
316 value
317 }
318
319 #[test]
320 fn sign_message() {
321 let region = Region::new("us-east-1");
322 let mut signer = check_send_sync(SigV4MessageSigner::new(
323 "initial-signature".into(),
324 Credentials::for_tests_with_session_token().into(),
325 SigningRegion::from(region),
326 SigningName::from_static("transcribe"),
327 SharedTimeSource::new(UNIX_EPOCH + Duration::new(1611160427, 0)),
328 ));
329 let mut signatures = Vec::new();
330 for _ in 0..5 {
331 let signed = signer
332 .sign(Message::new(&b"identical message"[..]))
333 .unwrap();
334 if let HeaderValue::ByteArray(signature) = signed
335 .headers()
336 .iter()
337 .find(|h| h.name().as_str() == ":chunk-signature")
338 .unwrap()
339 .value()
340 {
341 signatures.push(signature.clone());
342 } else {
343 panic!("failed to get the :chunk-signature")
344 }
345 }
346 for i in 1..signatures.len() {
347 assert_ne!(signatures[i - 1], signatures[i]);
348 }
349 }
350 }
351}
352
353#[cfg(test)]
354mod tests {
355 use super::*;
356 use crate::auth::{HttpSignatureType, SigningOptions};
357 use aws_credential_types::Credentials;
358 use aws_sigv4::http_request::SigningSettings;
359 use aws_smithy_types::config_bag::Layer;
360 use aws_smithy_types::Document;
361 use aws_types::region::SigningRegion;
362 use aws_types::SigningName;
363 use std::collections::HashMap;
364 use std::time::{Duration, SystemTime};
365 use tracing_test::traced_test;
366
367 #[test]
368 #[traced_test]
369 fn expiration_warning() {
370 let now = SystemTime::UNIX_EPOCH + Duration::from_secs(1000);
371 let creds_expire_in = Duration::from_secs(100);
372
373 let mut settings = SigningSettings::default();
374 settings.expires_in = Some(creds_expire_in - Duration::from_secs(10));
375
376 let identity = Credentials::new(
377 "test-access-key",
378 "test-secret-key",
379 Some("test-session-token".into()),
380 Some(now + creds_expire_in),
381 "test",
382 )
383 .into();
384 let operation_config = SigV4OperationSigningConfig {
385 region: Some(SigningRegion::from_static("test")),
386 name: Some(SigningName::from_static("test")),
387 signing_options: SigningOptions {
388 double_uri_encode: true,
389 content_sha256_header: true,
390 normalize_uri_path: true,
391 omit_session_token: true,
392 signature_type: HttpSignatureType::HttpRequestHeaders,
393 signing_optional: false,
394 expires_in: None,
395 payload_override: None,
396 },
397 ..Default::default()
398 };
399 SigV4Signer::signing_params(settings, &identity, &operation_config, now).unwrap();
400 assert!(!logs_contain(EXPIRATION_WARNING));
401
402 let mut settings = SigningSettings::default();
403 settings.expires_in = Some(creds_expire_in + Duration::from_secs(10));
404
405 SigV4Signer::signing_params(settings, &identity, &operation_config, now).unwrap();
406 assert!(logs_contain(EXPIRATION_WARNING));
407 }
408
409 #[test]
410 fn endpoint_config_overrides_region_and_service() {
411 let mut layer = Layer::new("test");
412 layer.store_put(SigV4OperationSigningConfig {
413 region: Some(SigningRegion::from_static("override-this-region")),
414 name: Some(SigningName::from_static("override-this-name")),
415 ..Default::default()
416 });
417 let config = Document::Object({
418 let mut out = HashMap::new();
419 out.insert("name".to_string(), "sigv4".to_string().into());
420 out.insert(
421 "signingName".to_string(),
422 "qldb-override".to_string().into(),
423 );
424 out.insert(
425 "signingRegion".to_string(),
426 "us-east-override".to_string().into(),
427 );
428 out
429 });
430 let config = AuthSchemeEndpointConfig::from(Some(&config));
431
432 let cfg = ConfigBag::of_layers(vec![layer]);
433 let result = SigV4Signer::extract_operation_config(config, &cfg).expect("success");
434
435 assert_eq!(
436 result.region,
437 Some(SigningRegion::from_static("us-east-override"))
438 );
439 assert_eq!(result.name, Some(SigningName::from_static("qldb-override")));
440 assert!(matches!(result, Cow::Owned(_)));
441 }
442
443 #[test]
444 fn endpoint_config_supports_fallback_when_region_or_service_are_unset() {
445 let mut layer = Layer::new("test");
446 layer.store_put(SigV4OperationSigningConfig {
447 region: Some(SigningRegion::from_static("us-east-1")),
448 name: Some(SigningName::from_static("qldb")),
449 ..Default::default()
450 });
451 let cfg = ConfigBag::of_layers(vec![layer]);
452 let config = AuthSchemeEndpointConfig::empty();
453
454 let result = SigV4Signer::extract_operation_config(config, &cfg).expect("success");
455
456 assert_eq!(result.region, Some(SigningRegion::from_static("us-east-1")));
457 assert_eq!(result.name, Some(SigningName::from_static("qldb")));
458 assert!(matches!(result, Cow::Borrowed(_)));
459 }
460}