From 4005338e832434116e13e20f1b994ee6d16afa78 Mon Sep 17 00:00:00 2001 From: Ian Smith Botsford Date: Mon, 27 Feb 2023 21:59:56 +0000 Subject: [PATCH] fix: don't sign Expect header in SigV4 --- .../d4ba7f85-24f3-4925-8bb4-25020f294b9a.json | 8 +++++ .../runtime/auth/awssigning/Canonicalizer.kt | 3 +- .../awssigning/DefaultCanonicalizerTest.kt | 33 +++++++++++++++++++ 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 .changes/d4ba7f85-24f3-4925-8bb4-25020f294b9a.json diff --git a/.changes/d4ba7f85-24f3-4925-8bb4-25020f294b9a.json b/.changes/d4ba7f85-24f3-4925-8bb4-25020f294b9a.json new file mode 100644 index 000000000..c7974522a --- /dev/null +++ b/.changes/d4ba7f85-24f3-4925-8bb4-25020f294b9a.json @@ -0,0 +1,8 @@ +{ + "id": "d4ba7f85-24f3-4925-8bb4-25020f294b9a", + "type": "bugfix", + "description": "Skip signing the `Expect` header in SigV4", + "issues": [ + "awslabs/aws-sdk-kotlin#862" + ] +} diff --git a/runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt b/runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt index da6cc2850..300aa117a 100644 --- a/runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt +++ b/runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt @@ -59,9 +59,10 @@ internal interface Canonicalizer { ): CanonicalRequest } -// Taken from https://github.com/awslabs/aws-c-auth/blob/31d573c0dd328db5775f7a55650d27b8c08311ba/source/aws_signing.c#L118-L151 +// Taken from https://github.com/awslabs/aws-c-auth/blob/dd505b55fd46222834f35c6e54165d8cbebbfaaa/source/aws_signing.c#L118-L156 private val skipHeaders = setOf( "connection", + "expect", // https://github.com/awslabs/aws-sdk-kotlin/issues/862 "sec-websocket-key", "sec-websocket-protocol", "sec-websocket-version", diff --git a/runtime/auth/aws-signing-default/common/test/aws/smithy/kotlin/runtime/auth/awssigning/DefaultCanonicalizerTest.kt b/runtime/auth/aws-signing-default/common/test/aws/smithy/kotlin/runtime/auth/awssigning/DefaultCanonicalizerTest.kt index 91944ad39..b4e82daab 100644 --- a/runtime/auth/aws-signing-default/common/test/aws/smithy/kotlin/runtime/auth/awssigning/DefaultCanonicalizerTest.kt +++ b/runtime/auth/aws-signing-default/common/test/aws/smithy/kotlin/runtime/auth/awssigning/DefaultCanonicalizerTest.kt @@ -97,4 +97,37 @@ class DefaultCanonicalizerTest { assertEquals("/2013-04-01/healthcheck/foo%253Cbar%253Ebaz%253C%252Fbar%253E", uri.canonicalPath(config)) } + + @Test + fun testUnsignedHeaders() = runTest { + val request = HttpRequest { + method = HttpMethod.GET + url { host = Host.Domain("bar.amazonaws.com") } + headers { + // These should be signed + set("Content-Type", "application/x-www-form-urlencoded; charset=utf-8") + set("x-amz-user-agent", "baz") + + // These should not be signed + set("Expect", "100-continue") + set("X-Amzn-Trace-Id", "qux") + } + body = HttpBody.Empty + } + + val signingDateString = "20150830T123600Z" + val config = AwsSigningConfig { + region = "foo" + service = "bar" + signingDate = Instant.fromIso8601(signingDateString) + credentialsProvider = testCredentialsProvider + } + val credentials = Credentials("foo", "bar") // anything without a session token set + + val canonicalizer = Canonicalizer.Default + val actual = canonicalizer.canonicalRequest(request, config, credentials) + + val expectedSignedHeaders = "content-type;host;x-amz-date;x-amz-user-agent" + assertEquals(expectedSignedHeaders, actual.signedHeaders) + } }