S3Express CreateSession Allowlist Headers #492
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #492 +/- ##
==========================================
+ Coverage 89.59% 89.64% +0.04%
==========================================
Files 20 20
Lines 6287 6344 +57
==========================================
+ Hits 5633 5687 +54
- Misses 654 657 +3
|
|
@waahm7 we'll also want to set the S3 Express session mode, will you account for that in this PR? |
waahm7
changed the title
waahm7
changed the title
|
@dannycjones Thanks, I have accounted for it in this PR. |
| @@ -27,6 +27,7 @@ const struct aws_byte_cursor g_s3_create_multipart_upload_excluded_headers[] = { | |||
| AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("x-amz-checksum-sha1"), | |||
| AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("x-amz-checksum-sha256"), | |||
| AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("if-none-match"), | |||
| AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("x-amz-create-session-mode"), | |||
There was a problem hiding this comment.
sse headers passed to create, upload and complete? seems kinda counter intuitive
There was a problem hiding this comment.
Yes, sse headers can be the same as in CreateMPU and Upload Part. From CreateMultipart Docs:
"""
In the Zonal endpoint API calls (except CopyObject and UploadPartCopy) using the REST API, the encryption request headers must match the encryption settings that are specified in the CreateSession request. You can't override the values of the encryption settings (x-amz-server-side-encryption, x-amz-server-side-encryption-aws-kms-key-id, x-amz-server-side-encryption-context, and x-amz-server-side-encryption-bucket-key-enabled) that are specified in the CreateSession request. You don't need to explicitly specify these encryption settings values in Zonal endpoint API calls, and Amazon S3 will use the encryption settings values from the CreateSession request to protect new objects in the directory bucket.
"""
We can exclude them but it feels like needless complexity trying to differentiate between UploadPart for S3 and UploadPart for S3Express after CreateSession.
There was a problem hiding this comment.
They are always excluded in the completeMPU.
| if (aws_http_message_add_header(request, host_header)) { | ||
| goto error; | ||
| /* NOTE: Only for Tests. | ||
| * Don't add the host header for endpoint override. |
There was a problem hiding this comment.
why? sounds like even for overridden endpoint we still need host
There was a problem hiding this comment.
The previous logic was passing the endpoint override to meta_request options, so we didn't need to add the host header. I have updated it to just add the host header from override as that makes it more understandable.
There was a problem hiding this comment.
Found a bug in our host parsing logic: https://github.com/awslabs/aws-c-s3/pull/492/files#diff-5ee13dd0ee005b828bde6d60ff89582070983e3cb7e5d92389b629a9850c27f8R1033
Update the CRT libraries to the latest releases. In particular, include: * S3Express CreateSession Allowlist Headers ([awslabs/aws-c-s3#492](awslabs/aws-c-s3#492)) <details> <summary>Full CRT changelog:</summary> ``` Submodule mountpoint-s3-crt-sys/crt/aws-c-auth 5bc67797..b513db4b: > A bunch of CMake fixes (#258) > Add Account Id to Credentials (#260) > Skip Transfer-Encoding from signing (#261) Submodule mountpoint-s3-crt-sys/crt/aws-c-cal fbbe2612..7299c6ab: > Fix Findcrypto.cmake (#205) > A bunch of CMake fixes (#203) > Switch CI to use roles (#202) Submodule mountpoint-s3-crt-sys/crt/aws-c-common 7a6f5df2..0e7637fa: > A bunch of CMake fixes (#1178) > Fix heap overflow on uri parsing (#1185) > (take 2) Detect when AVX is disabled via OSXSAVE (#1184) > Fixup IPv6 validation logic (#1180) > Detect when AVX is disabled via OSXSAVE (#1182) > proof_ci.yaml must use latest upload-artifact (#1183) > change PR template to ask for clearer wording (#1177) Submodule mountpoint-s3-crt-sys/crt/aws-c-compression c6c1191e..f951ab2b: > A bunch of CMake fixes (#72) > Switch CI to use roles (#71) > chore: Modified bug issue template to add checkbox to report potential regression. (#69) Submodule mountpoint-s3-crt-sys/crt/aws-c-http fc3eded2..590c7b59: > A bunch of CMake fixes (#497) > Fix CI for GCC-13 on Ubuntu-18 (#496) > Switch CI to use roles (#494) Submodule mountpoint-s3-crt-sys/crt/aws-c-io fcb38c80..3041dabf: > A bunch of CMake fixes (#701) > Event Loop & Socket Type Multi-Support (#692) > fix typo in log message (#702) > Fix CI for GCC-13 on Ubuntu-18 (#700) > Switch CI to use roles (#698) Submodule mountpoint-s3-crt-sys/crt/aws-c-s3 a3b401bf..6eb8be53: > A bunch of CMake fixes (#480) > S3Express CreateSession Allowlist Headers (#492) > Auto - Update S3 Ruleset & Partition (#491) Submodule mountpoint-s3-crt-sys/crt/aws-c-sdkutils 1ae8664f..ba6a28fa: > A bunch of CMake fixes (#50) Submodule mountpoint-s3-crt-sys/crt/aws-checksums 3e4101b9..fb8bd0b8: > A bunch of CMake fixes (#101) > Switch CI to use roles (#100) Submodule mountpoint-s3-crt-sys/crt/aws-lc ffd6fb71..138a6ad3: > Prepare AWS-LC v1.44.0 (#2153) > Fix issue with ML-DSA key parsing (#2152) > Add support for PKCS7_set/get_detached (#2134) > Prepare Docker image for CI integration jobs (#2126) > Delete OpenVPN mainline patch from our integration build (#2149) > SHA3/SHAKE Init Updates via FIPS202 API layer (#2101) > Support keypair calculation for PQDSA PKEY (#2145) > Optimize x86/aarch64 MD5 implementation (#2137) > Check for MIPSEB in target.h (#2143) > Ed25519ph and Ed25519ctx Support (#2120) > Support for ML-DSA public key generation from private key (#2142) > Avoid mixing SSE and AVX in XTS-mode AVX512 implementation (#2140) > Remove remaining support for Trusty and Fuchsia operating systems (#2136) > ACVP test harness for ML-DSA (#2127) > Minor symbols to work with Ruby's mainline (#2132) ``` </details> ### Does this change impact existing behavior? No. ### Does this change need a changelog entry? Does it require a version change? No. --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/). Signed-off-by: Alessandro Passaro <[email protected]>
Issue #, if available:
Adding support for SSE and ReadOnly sessions for Mountpoint.
Description of changes:
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.