Add tests for PUT presigned URL signature verification (#402)

* Add tests for PUT presigned URL signature verification

Co-authored-by: Nugine <30099658+Nugine@users.noreply.github.com>

* Fix formatting in PUT presigned URL tests

Co-authored-by: Nugine <30099658+Nugine@users.noreply.github.com>

* Simplify PUT presigned URL tests to reduce duplication

Co-authored-by: Nugine <30099658+Nugine@users.noreply.github.com>

* Add e2e tests for PUT presigned URL support

Co-authored-by: Nugine <30099658+Nugine@users.noreply.github.com>

* fix

* Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* audit

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Nugine <30099658+Nugine@users.noreply.github.com>
Co-authored-by: Nugine <nugine@foxmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.cargo/audit.toml

@@ -0,0 +1,10 @@
+# Project-level cargo-audit configuration
+# See: https://github.com/RustSec/rustsec/blob/main/cargo-audit/audit.toml.example
+
+[advisories]
+# Ignored advisories with reasons:
+# RUSTSEC-2025-0134: Transitive dependency 'rustls-pemfile' is marked
+# unmaintained; accepted temporarily due to upstream dependency chain
+# (hyper-rustls via aws-smithy). Re-evaluate and remove when aws-* deps
+# update or the advisory is resolved upstream.
+ignore = ["RUSTSEC-2025-0134"]

Cargo.lock

@@ -25,6 +25,7 @@ bytes = "1.11.0"
 http-body = "1.0.1"
 md-5.workspace = true
 base64-simd = "0.8.0"
+reqwest = { version = "0.12.24", default-features = false, features = ["rustls-tls"] }
 
 [dependencies.aws-config]
 version = "1.8.7"

crates/s3s-e2e/Cargo.toml

@@ -1,22 +1,27 @@
 use crate::case;
 
-use aws_sdk_s3::types::ChecksumAlgorithm;
 use s3s_test::Result;
 use s3s_test::TestFixture;
 use s3s_test::TestSuite;
 use s3s_test::tcx::TestContext;
 
 use std::ops::Not;
 use std::sync::Arc;
+use std::time::Duration;
 
+use aws_sdk_s3::presigning::PresigningConfig;
 use aws_sdk_s3::primitives::ByteStream;
+use aws_sdk_s3::types::ChecksumAlgorithm;
+
 use tracing::debug;
 
 pub fn register(tcx: &mut TestContext) {
     case!(tcx, Advanced, STS, test_assume_role);
     case!(tcx, Advanced, Multipart, test_multipart_upload);
     case!(tcx, Advanced, Tagging, test_object_tagging);
     case!(tcx, Advanced, ListPagination, test_list_objects_with_pagination);
+    case!(tcx, Advanced, PresignedUrl, test_put_presigned_url);
+    case!(tcx, Advanced, PresignedUrl, test_get_presigned_url);
 }
 
 struct Advanced {
@@ -371,3 +376,111 @@ impl ListPagination {
         Ok(())
     }
 }
+
+struct PresignedUrl {
+    s3: aws_sdk_s3::Client,
+    bucket: String,
+    key: String,
+}
+
+impl TestFixture<Advanced> for PresignedUrl {
+    async fn setup(suite: Arc<Advanced>) -> Result<Self> {
+        use crate::utils::*;
+
+        let s3 = &suite.s3;
+        let bucket = "test-presigned-url";
+        let key = "presigned-file";
+
+        delete_object_loose(s3, bucket, key).await?;
+        delete_bucket_loose(s3, bucket).await?;
+        create_bucket(s3, bucket).await?;
+
+        Ok(Self {
+            s3: suite.s3.clone(),
+            bucket: bucket.to_owned(),
+            key: key.to_owned(),
+        })
+    }
+
+    async fn teardown(self) -> Result {
+        use crate::utils::*;
+
+        let Self { s3, bucket, key } = &self;
+        delete_object_loose(s3, bucket, key).await?;
+        delete_bucket_loose(s3, bucket).await?;
+        Ok(())
+    }
+}
+
+impl PresignedUrl {
+    /// Test PUT presigned URL - upload an object using a presigned URL
+    async fn test_put_presigned_url(self: Arc<Self>) -> Result<()> {
+        let s3 = &self.s3;
+        let bucket = self.bucket.as_str();
+        let key = self.key.as_str();
+
+        let content = "Hello from PUT presigned URL!";
+
+        // Create a presigned PUT URL
+        let presigning_config = PresigningConfig::expires_in(Duration::from_secs(3600))?;
+        let presigned_request = s3.put_object().bucket(bucket).key(key).presigned(presigning_config).await?;
+
+        debug!(uri = %presigned_request.uri(), "PUT presigned URL created");
+
+        // Use reqwest to upload content via the presigned URL
+        let client = reqwest::Client::new();
+        let response = client.put(presigned_request.uri()).body(content).send().await?;
+
+        assert!(
+            response.status().is_success(),
+            "PUT presigned URL request failed: {:?}",
+            response.status()
+        );
+
+        // Verify the object was uploaded correctly by reading it back
+        let resp = s3.get_object().bucket(bucket).key(key).send().await?;
+        let body = resp.body.collect().await?;
+        let body = String::from_utf8(body.to_vec())?;
+        assert_eq!(body, content);
+
+        Ok(())
+    }
+
+    /// Test GET presigned URL - download an object using a presigned URL
+    async fn test_get_presigned_url(self: Arc<Self>) -> Result<()> {
+        let s3 = &self.s3;
+        let bucket = self.bucket.as_str();
+        let key = self.key.as_str();
+
+        let content = "Hello from GET presigned URL!";
+
+        // First, upload an object using the regular SDK
+        s3.put_object()
+            .bucket(bucket)
+            .key(key)
+            .body(ByteStream::from_static(content.as_bytes()))
+            .send()
+            .await?;
+
+        // Create a presigned GET URL
+        let presigning_config = PresigningConfig::expires_in(Duration::from_secs(3600))?;
+        let presigned_request = s3.get_object().bucket(bucket).key(key).presigned(presigning_config).await?;
+
+        debug!(uri = %presigned_request.uri(), "GET presigned URL created");
+
+        // Use reqwest to download content via the presigned URL
+        let client = reqwest::Client::new();
+        let response = client.get(presigned_request.uri()).send().await?;
+
+        assert!(
+            response.status().is_success(),
+            "GET presigned URL request failed: {:?}",
+            response.status()
+        );
+
+        let body = response.text().await?;
+        assert_eq!(body, content);
+
+        Ok(())
+    }
+}

crates/s3s-e2e/src/advanced.rs

@@ -1292,6 +1292,94 @@ mod tests {
         assert_eq!(ans, "");
     }
 
+    #[test]
+    fn example_put_presigned_url() {
+        // Test PUT presigned URL signing - similar to GET but with PUT method
+        // This is used for uploading files to S3 using presigned URLs
+        // Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html
+        let secret_access_key = SecretKey::from("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+        let method = Method::PUT;
+        let headers = OrderedHeaders::from_slice_unchecked(&[("host", "examplebucket.s3.amazonaws.com")]);
+
+        // Query strings for signing (without signature - signature is computed from these)
+        let query_strings_for_signing = &[
+            ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
+            ("X-Amz-Credential", "AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request"),
+            ("X-Amz-Date", "20130524T000000Z"),
+            ("X-Amz-Expires", "86400"),
+            ("X-Amz-SignedHeaders", "host"),
+        ];
+
+        let canonical_request = create_presigned_canonical_request(&method, "/test.txt", query_strings_for_signing, &headers);
+
+        // Canonical request for PUT should be similar to GET, just with PUT method
+        assert_eq!(
+            canonical_request,
+            concat!(
+                "PUT\n",
+                "/test.txt\n",
+                "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host\n",
+                "host:examplebucket.s3.amazonaws.com\n",
+                "\n",
+                "host\n",
+                "UNSIGNED-PAYLOAD",
+            )
+        );
+
+        let amz_date = AmzDate::parse("20130524T000000Z").unwrap();
+        let string_to_sign = create_string_to_sign(&canonical_request, &amz_date, "us-east-1", "s3");
+        let signature = calculate_signature(&string_to_sign, &secret_access_key, &amz_date, "us-east-1", "s3");
+
+        // Signature value derived from the above test inputs (not from official AWS test vectors)
+        assert_eq!(signature, "f4db56459304dafaa603a99a23c6bea8821890259a65c18ff503a4a72a80efd9");
+    }
+
+    #[test]
+    fn example_put_presigned_url_with_content_type() {
+        // Test PUT presigned URL with content-type signed header
+        // When content-type is in signed headers, it must match the request header exactly
+        let secret_access_key = SecretKey::from("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+        let method = Method::PUT;
+
+        // Headers include content-type which is signed
+        let headers = OrderedHeaders::from_slice_unchecked(&[
+            ("content-type", "application/octet-stream"),
+            ("host", "examplebucket.s3.amazonaws.com"),
+        ]);
+
+        let query_strings_for_signing = &[
+            ("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
+            ("X-Amz-Credential", "AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request"),
+            ("X-Amz-Date", "20130524T000000Z"),
+            ("X-Amz-Expires", "86400"),
+            ("X-Amz-SignedHeaders", "content-type;host"),
+        ];
+
+        let canonical_request = create_presigned_canonical_request(&method, "/test.txt", query_strings_for_signing, &headers);
+
+        // Canonical request should include content-type header
+        assert_eq!(
+            canonical_request,
+            concat!(
+                "PUT\n",
+                "/test.txt\n",
+                "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20130524%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20130524T000000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=content-type%3Bhost\n",
+                "content-type:application/octet-stream\n",
+                "host:examplebucket.s3.amazonaws.com\n",
+                "\n",
+                "content-type;host\n",
+                "UNSIGNED-PAYLOAD",
+            )
+        );
+
+        let amz_date = AmzDate::parse("20130524T000000Z").unwrap();
+        let string_to_sign = create_string_to_sign(&canonical_request, &amz_date, "us-east-1", "s3");
+        let signature = calculate_signature(&string_to_sign, &secret_access_key, &amz_date, "us-east-1", "s3");
+
+        // Signature value derived from the test inputs above; not from official AWS test vectors.
+        assert_eq!(signature, "fd31b71961609f4b313497cb07ab0aedd268863bd547cc198db23cf04b8f663d");
+    }
+
     #[test]
     fn multi_value_headers_combined_with_comma() {
         // Test that multiple headers with the same name are combined into a single line