1use crate::auth::{
7 apply_signing_instructions, extract_endpoint_auth_scheme_signing_name,
8 SigV4OperationSigningConfig, SigV4SigningError,
9};
10use aws_credential_types::Credentials;
11use aws_sigv4::http_request::{sign, SignableBody, SignableRequest, SigningSettings};
12use aws_sigv4::sign::v4a;
13use aws_smithy_runtime_api::box_error::BoxError;
14use aws_smithy_runtime_api::client::auth::{
15 AuthScheme, AuthSchemeEndpointConfig, AuthSchemeId, Sign,
16};
17use aws_smithy_runtime_api::client::identity::{Identity, SharedIdentityResolver};
18use aws_smithy_runtime_api::client::orchestrator::HttpRequest;
19use aws_smithy_runtime_api::client::runtime_components::{GetIdentityResolver, RuntimeComponents};
20use aws_smithy_types::config_bag::ConfigBag;
21use aws_types::region::SigningRegionSet;
22use aws_types::SigningName;
23use std::borrow::Cow;
24use std::time::SystemTime;
25
26const EXPIRATION_WARNING: &str = "Presigned request will expire before the given \
27 `expires_in` duration because the credentials used to sign it will expire first.";
28
29pub const SCHEME_ID: AuthSchemeId = AuthSchemeId::new("sigv4a");
31
32#[derive(Debug, Default)]
34pub struct SigV4aAuthScheme {
35 signer: SigV4aSigner,
36}
37
38impl SigV4aAuthScheme {
39 pub fn new() -> Self {
41 Default::default()
42 }
43}
44
45impl AuthScheme for SigV4aAuthScheme {
46 fn scheme_id(&self) -> AuthSchemeId {
47 SCHEME_ID
48 }
49
50 fn identity_resolver(
51 &self,
52 identity_resolvers: &dyn GetIdentityResolver,
53 ) -> Option<SharedIdentityResolver> {
54 identity_resolvers.identity_resolver(self.scheme_id())
55 }
56
57 fn signer(&self) -> &dyn Sign {
58 &self.signer
59 }
60}
61
62#[derive(Debug, Default)]
64#[non_exhaustive]
65pub struct SigV4aSigner;
66
67impl SigV4aSigner {
68 pub fn new() -> Self {
70 Self
71 }
72
73 fn settings(operation_config: &SigV4OperationSigningConfig) -> SigningSettings {
74 super::settings(operation_config)
75 }
76
77 fn signing_params<'a>(
78 settings: SigningSettings,
79 identity: &'a Identity,
80 operation_config: &'a SigV4OperationSigningConfig,
81 request_timestamp: SystemTime,
82 ) -> Result<v4a::SigningParams<'a, SigningSettings>, SigV4SigningError> {
83 if let Some(expires_in) = settings.expires_in {
84 if let Some(identity_expiration) = identity.expiration() {
85 let presigned_expires_time = request_timestamp + expires_in;
86 if presigned_expires_time > identity_expiration {
87 tracing::warn!(EXPIRATION_WARNING);
88 }
89 }
90 }
91
92 Ok(v4a::SigningParams::builder()
93 .identity(identity)
94 .region_set(
95 operation_config
96 .region_set
97 .as_ref()
98 .ok_or(SigV4SigningError::MissingSigningRegionSet)?
99 .as_ref(),
100 )
101 .name(
102 operation_config
103 .name
104 .as_ref()
105 .ok_or(SigV4SigningError::MissingSigningName)?
106 .as_ref(),
107 )
108 .time(request_timestamp)
109 .settings(settings)
110 .build()
111 .expect("all required fields set"))
112 }
113
114 fn extract_operation_config<'a>(
115 auth_scheme_endpoint_config: AuthSchemeEndpointConfig<'a>,
116 config_bag: &'a ConfigBag,
117 ) -> Result<Cow<'a, SigV4OperationSigningConfig>, SigV4SigningError> {
118 let operation_config = config_bag
119 .load::<SigV4OperationSigningConfig>()
120 .ok_or(SigV4SigningError::MissingOperationSigningConfig)?;
121
122 let name = extract_endpoint_auth_scheme_signing_name(&auth_scheme_endpoint_config)?
123 .or(config_bag.load::<SigningName>().cloned());
124
125 let region_set =
126 extract_endpoint_auth_scheme_signing_region_set(&auth_scheme_endpoint_config)?
127 .or(config_bag.load::<SigningRegionSet>().cloned());
128
129 match (region_set, name) {
130 (None, None) => Ok(Cow::Borrowed(operation_config)),
131 (region_set, name) => {
132 let mut operation_config = operation_config.clone();
133 operation_config.region_set = region_set.or(operation_config.region_set);
134 operation_config.name = name.or(operation_config.name);
135 Ok(Cow::Owned(operation_config))
136 }
137 }
138 }
139}
140
141fn extract_endpoint_auth_scheme_signing_region_set(
142 endpoint_config: &AuthSchemeEndpointConfig<'_>,
143) -> Result<Option<SigningRegionSet>, SigV4SigningError> {
144 use aws_smithy_types::Document::Array;
145 use SigV4SigningError::BadTypeInEndpointAuthSchemeConfig as UnexpectedType;
146
147 match super::extract_field_from_endpoint_config("signingRegionSet", endpoint_config) {
148 Some(Array(docs)) => {
149 let region_set: SigningRegionSet =
151 docs.iter().filter_map(|doc| doc.as_string()).collect();
152
153 Ok(Some(region_set))
154 }
155 None => Ok(None),
156 _it => Err(UnexpectedType("signingRegionSet")),
157 }
158}
159
160impl Sign for SigV4aSigner {
161 fn sign_http_request(
162 &self,
163 request: &mut HttpRequest,
164 identity: &Identity,
165 auth_scheme_endpoint_config: AuthSchemeEndpointConfig<'_>,
166 runtime_components: &RuntimeComponents,
167 config_bag: &ConfigBag,
168 ) -> Result<(), BoxError> {
169 let operation_config =
170 Self::extract_operation_config(auth_scheme_endpoint_config, config_bag)?;
171 let request_time = runtime_components.time_source().unwrap_or_default().now();
172
173 if identity.data::<Credentials>().is_none() {
174 return Err(SigV4SigningError::WrongIdentityType(identity.clone()).into());
175 }
176
177 let settings = Self::settings(&operation_config);
178 let signing_params =
179 Self::signing_params(settings, identity, &operation_config, request_time)?;
180
181 let (signing_instructions, _signature) = {
182 let signable_body = operation_config
185 .signing_options
186 .payload_override
187 .as_ref()
188 .cloned()
191 .unwrap_or_else(|| {
192 request
193 .body()
194 .bytes()
195 .map(SignableBody::Bytes)
196 .unwrap_or(SignableBody::UnsignedPayload)
197 });
198
199 let signable_request = SignableRequest::new(
200 request.method(),
201 request.uri().to_string(),
202 request.headers().iter(),
203 signable_body,
204 )?;
205 sign(signable_request, &signing_params.into())?
206 }
207 .into_parts();
208
209 apply_signing_instructions(signing_instructions, request)?;
210 Ok(())
211 }
212}
213
214#[cfg(test)]
215mod tests {
216 use super::{SigV4OperationSigningConfig, SigV4aSigner, EXPIRATION_WARNING};
217 use crate::auth::{HttpSignatureType, SigningOptions};
218 use aws_credential_types::Credentials;
219 use aws_sigv4::http_request::SigningSettings;
220 use aws_smithy_runtime_api::client::auth::AuthSchemeEndpointConfig;
221 use aws_smithy_types::config_bag::{ConfigBag, Layer};
222 use aws_smithy_types::Document;
223 use aws_types::SigningName;
224 use std::borrow::Cow;
225 use std::collections::HashMap;
226 use std::time::{Duration, SystemTime};
227 use tracing_test::traced_test;
228
229 #[test]
230 #[traced_test]
231 fn expiration_warning() {
232 let now = SystemTime::UNIX_EPOCH + Duration::from_secs(1000);
233 let creds_expire_in = Duration::from_secs(100);
234
235 let mut settings = SigningSettings::default();
236 settings.expires_in = Some(creds_expire_in - Duration::from_secs(10));
237
238 let identity = Credentials::new(
239 "test-access-key",
240 "test-secret-key",
241 Some("test-session-token".into()),
242 Some(now + creds_expire_in),
243 "test",
244 )
245 .into();
246 let operation_config = SigV4OperationSigningConfig {
247 region_set: Some("test".into()),
248 name: Some(SigningName::from_static("test")),
249 signing_options: SigningOptions {
250 double_uri_encode: true,
251 content_sha256_header: true,
252 normalize_uri_path: true,
253 omit_session_token: true,
254 signature_type: HttpSignatureType::HttpRequestHeaders,
255 signing_optional: false,
256 expires_in: None,
257 payload_override: None,
258 },
259 ..Default::default()
260 };
261 SigV4aSigner::signing_params(settings, &identity, &operation_config, now).unwrap();
262 assert!(!logs_contain(EXPIRATION_WARNING));
263
264 let mut settings = SigningSettings::default();
265 settings.expires_in = Some(creds_expire_in + Duration::from_secs(10));
266
267 SigV4aSigner::signing_params(settings, &identity, &operation_config, now).unwrap();
268 assert!(logs_contain(EXPIRATION_WARNING));
269 }
270
271 #[test]
272 fn endpoint_config_overrides_region_and_service() {
273 let mut layer = Layer::new("test");
274 layer.store_put(SigV4OperationSigningConfig {
275 region_set: Some("test".into()),
276 name: Some(SigningName::from_static("override-this-service")),
277 ..Default::default()
278 });
279 let config = Document::Object({
280 let mut out = HashMap::new();
281 out.insert("name".to_owned(), "sigv4a".to_owned().into());
282 out.insert("signingName".to_owned(), "qldb-override".to_owned().into());
283 out.insert(
284 "signingRegionSet".to_string(),
285 Document::Array(vec!["us-east-override".to_string().into()]),
286 );
287 out
288 });
289 let config = AuthSchemeEndpointConfig::from(Some(&config));
290
291 let cfg = ConfigBag::of_layers(vec![layer]);
292 let result = SigV4aSigner::extract_operation_config(config, &cfg).expect("success");
293
294 assert_eq!(result.region_set, Some("us-east-override".into()));
295 assert_eq!(result.name, Some(SigningName::from_static("qldb-override")));
296 assert!(matches!(result, Cow::Owned(_)));
297 }
298
299 #[test]
300 fn endpoint_config_supports_fallback_when_region_or_service_are_unset() {
301 let mut layer = Layer::new("test");
302 layer.store_put(SigV4OperationSigningConfig {
303 region_set: Some("us-east-1".into()),
304 name: Some(SigningName::from_static("qldb")),
305 ..Default::default()
306 });
307 let cfg = ConfigBag::of_layers(vec![layer]);
308 let config = AuthSchemeEndpointConfig::empty();
309
310 let result = SigV4aSigner::extract_operation_config(config, &cfg).expect("success");
311
312 assert_eq!(result.region_set, Some("us-east-1".into()));
313 assert_eq!(result.name, Some(SigningName::from_static("qldb")));
314 assert!(matches!(result, Cow::Borrowed(_)));
315 }
316}