Skip to content

Commit 58c89fb

Browse files
author
luigi liu
committed
use unsigned payload over HTTPS for s3
1 parent 06f6664 commit 58c89fb

3 files changed

Lines changed: 16 additions & 11 deletions

File tree

codegen/aws-sdk-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/s3/ClientConfigIntegration.kt

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,18 @@ class ClientConfigIntegration : KotlinIntegration {
6666
useSymbolWithNullableBuilder(KotlinTypes.Boolean, "true")
6767
documentation = "Flag to enable [aws-chunked](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html) content encoding."
6868
}
69+
70+
val PayloadSigningEnabled: ConfigProperty = ConfigProperty {
71+
name = "payloadSigningEnabled"
72+
useSymbolWithNullableBuilder(KotlinTypes.Boolean, "false")
73+
documentation = """
74+
Flag to control whether request payloads are signed (SHA-256 hash computed) before sending.
75+
When `false` (default), payload signing is automatically disabled for HTTPS requests to improve
76+
performance, since TLS already provides integrity protection. Payloads are always signed for
77+
HTTP (non-TLS) requests regardless of this setting. Set to `true` to force payload signing
78+
even over HTTPS.
79+
""".trimIndent()
80+
}
6981
}
7082

7183
override fun preprocessModel(model: Model, settings: KotlinSettings): Model {
@@ -91,6 +103,7 @@ class ClientConfigIntegration : KotlinIntegration {
91103
UseArnRegionProp,
92104
DisableMrapProp,
93105
EnableAwsChunked,
106+
PayloadSigningEnabled,
94107
)
95108

96109
override val sectionWriters: List<SectionWriterBinding>

codegen/aws-sdk-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/customization/s3/S3SigningConfig.kt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -40,5 +40,6 @@ class S3SigningConfig : KotlinIntegration {
4040
writer.putIfAbsent(signingAttrs, "UseDoubleUriEncode", "false")
4141
writer.putIfAbsent(signingAttrs, "SignedBodyHeader", writer.format("#T.X_AMZ_CONTENT_SHA256", RuntimeTypes.Auth.Signing.AwsSigningCommon.AwsSignedBodyHeader))
4242
writer.putIfAbsent(signingAttrs, "EnableAwsChunked", "config.enableAwsChunked")
43+
writer.putIfAbsent(signingAttrs, "PayloadSigningEnabled", "config.payloadSigningEnabled")
4344
}
4445
}

services/s3/common/src/aws/sdk/kotlin/services/s3/express/S3ExpressHttpSigner.kt

Lines changed: 2 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,10 @@ package aws.sdk.kotlin.services.s3.express
66

77
import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
88
import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningAttributes
9-
import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
109
import aws.smithy.kotlin.runtime.collections.toMutableAttributes
1110
import aws.smithy.kotlin.runtime.http.auth.HttpSigner
1211
import aws.smithy.kotlin.runtime.http.auth.SignHttpRequest
1312
import aws.smithy.kotlin.runtime.http.request.header
14-
import aws.smithy.kotlin.runtime.net.Scheme
1513

1614
internal const val S3_EXPRESS_SESSION_TOKEN_HEADER = "X-Amz-S3session-Token"
1715
private const val SESSION_TOKEN_HEADER = "X-Amz-Security-Token"
@@ -39,17 +37,10 @@ internal class S3ExpressHttpSigner(
3937
val mutAttrs = signingRequest.signingAttributes.toMutableAttributes()
4038
mutAttrs[AwsSigningAttributes.OmitSessionToken] = true
4139

42-
// 3. use unsigned payload over HTTPS when no explicit hash specification is set
43-
if (!mutAttrs.contains(AwsSigningAttributes.HashSpecification)) {
44-
if (signingRequest.httpRequest.url.scheme == Scheme.HTTPS) {
45-
mutAttrs[AwsSigningAttributes.HashSpecification] = HashSpecification.UnsignedPayload
46-
}
47-
}
48-
49-
// 4. call main signer
40+
// 3. call main signer
5041
httpSigner.sign(signingRequest.copy(signingAttributes = mutAttrs))
5142

52-
// 5. remove session token header
43+
// 4. remove session token header
5344
signingRequest.httpRequest.headers.remove(SESSION_TOKEN_HEADER)
5445
}
5546
}

0 commit comments

Comments
 (0)