bugfix: cloudfront sigv4a (#2857)

aws · Dec 15, 2023 · 44b936e · 44b936e
1 parent ab796bc
commit 44b936e
Show file tree

Hide file tree

Showing 6 changed files with 119 additions and 137 deletions.
diff --git a/.changes/nextrelease/crt-updates.json b/.changes/nextrelease/crt-updates.json
@@ -0,0 +1,7 @@
+[
+  {
+    "type": "bugfix",
+    "category": "Signature",
+    "description": "Fixes issues with CloudfrontKeyValueStore sigv4a operations."
+  }
+]
diff --git a/features/crt/cloudfront-kvs.feature b/features/crt/cloudfront-kvs.feature
@@ -0,0 +1,6 @@
+@crt @integ @cloudfront-kvs
+Feature: Cloudfront Kvs Sigv4a
+
+  Scenario: Describe a cloudfront kvs
+    Given I have a cloudfront client and I have a key-value store
+    Then I can describe my key-value store using sigv4a
diff --git a/src/Signature/S3SignatureV4.php b/src/Signature/S3SignatureV4.php
@@ -2,6 +2,9 @@
 namespace Aws\Signature;
 
 use Aws\Credentials\CredentialsInterface;
+use AWS\CRT\Auth\SignatureType;
+use AWS\CRT\Auth\SigningAlgorithm;
+use AWS\CRT\Auth\SigningConfigAWS;
 use Psr\Http\Message\RequestInterface;
 
 /**
@@ -41,6 +44,39 @@ public function signRequest(
         return $this->signWithV4a($credentials, $request, $signingService);
     }
 
+    /**
+     * @param CredentialsInterface $credentials
+     * @param RequestInterface $request
+     * @param $signingService
+     * @param SigningConfigAWS|null $signingConfig
+     * @return RequestInterface
+     *
+     * Instantiates a separate sigv4a signing config.  All services except S3
+     * use double encoding.  All services except S3 require path normalization.
+     */
+    protected function signWithV4a(
+        CredentialsInterface $credentials,
+        RequestInterface $request,
+        $signingService,
+        SigningConfigAWS $signingConfig = null
+    ){
+        $this->verifyCRTLoaded();
+        $credentials_provider = $this->createCRTStaticCredentialsProvider($credentials);
+        $signingConfig = new SigningConfigAWS([
+            'algorithm' => SigningAlgorithm::SIGv4_ASYMMETRIC,
+            'signature_type' => SignatureType::HTTP_REQUEST_HEADERS,
+            'credentials_provider' => $credentials_provider,
+            'signed_body_value' => $this->getPayload($request),
+            'region' => "*",
+            'should_normalize_uri_path' => false,
+            'use_double_uri_encode' => false,
+            'service' => $signingService,
+            'date' => time(),
+        ]);
+
+        return parent::signWithV4a($credentials, $request, $signingService, $signingConfig);
+    }
+
     /**
      * Always add a x-amz-content-sha-256 for data integrity.
      *

diff --git a/src/Signature/SignatureV4.php b/src/Signature/SignatureV4.php
@@ -4,6 +4,7 @@
 use Aws\Credentials\CredentialsInterface;
 use AWS\CRT\Auth\Signable;
 use AWS\CRT\Auth\SignatureType;
+use AWS\CRT\Auth\SignedBodyHeaderType;
 use AWS\CRT\Auth\Signing;
 use AWS\CRT\Auth\SigningAlgorithm;
 use AWS\CRT\Auth\SigningConfigAWS;
@@ -446,7 +447,7 @@ private function buildRequest(array $req)
         );
     }
 
-    private function verifyCRTLoaded()
+    protected function verifyCRTLoaded()
     {
         if (!extension_loaded('awscrt')) {
             throw new CommonRuntimeException(
@@ -457,7 +458,7 @@ private function verifyCRTLoaded()
         }
     }
 
-    private function createCRTStaticCredentialsProvider($credentials)
+    protected function createCRTStaticCredentialsProvider($credentials)
     {
         return new StaticCredentialsProvider([
             'access_key_id' => $credentials->getAccessKeyId(),
@@ -472,7 +473,7 @@ private function removeIllegalV4aHeaders(&$request)
             self::AMZ_CONTENT_SHA256_HEADER,
             "aws-sdk-invocation-id",
             "aws-sdk-retry",
-            'x-amz-region-set'
+            'x-amz-region-set',
         ];
         $storedHeaders = [];
 
@@ -500,17 +501,23 @@ private function CRTRequestFromGuzzleRequest($request)
      * @param CredentialsInterface $credentials
      * @param RequestInterface $request
      * @param $signingService
+     * @param SigningConfigAWS|null $signingConfig
      * @return RequestInterface
      */
-    protected function signWithV4a(CredentialsInterface $credentials, RequestInterface $request, $signingService)
-    {
+    protected function signWithV4a(
+        CredentialsInterface $credentials,
+        RequestInterface $request,
+        $signingService,
+        SigningConfigAWS $signingConfig = null
+    ){
         $this->verifyCRTLoaded();
-        $credentials_provider = $this->createCRTStaticCredentialsProvider($credentials);
-        $signingConfig = new SigningConfigAWS([
+        $signingConfig = $signingConfig ?? new SigningConfigAWS([
             'algorithm' => SigningAlgorithm::SIGv4_ASYMMETRIC,
             'signature_type' => SignatureType::HTTP_REQUEST_HEADERS,
-            'credentials_provider' => $credentials_provider,
+            'credentials_provider' => $this->createCRTStaticCredentialsProvider($credentials),
             'signed_body_value' => $this->getPayload($request),
+            'should_normalize_uri_path' => true,
+            'use_double_uri_encode' => true,
             'region' => "*",
             'service' => $signingService,
             'date' => time(),

diff --git a/tests/Api/Parser/EventParsingIteratorTest.php b/tests/Api/Parser/EventParsingIteratorTest.php
@@ -125,7 +125,7 @@ public function testParsedEventsMatchExpectedType($iterator)
         $shapeProperty->setAccessible(true);
         $shape = $shapeProperty->getValue($iterator);
         foreach ($iterator as $event) {
-            $this->testParsedEventMatchExpectedType($shape, $event);
+            $this->parsedEventMatchesExpectedType($shape, $event);
         }
     }
 
@@ -138,7 +138,7 @@ public function testParsedEventsMatchExpectedType($iterator)
      *
      * @return void
      */
-    private function testParsedEventMatchExpectedType($shape, $event)
+    private function parsedEventMatchesExpectedType($shape, $event)
     {
         foreach ($event as $key => $value) {
             $this->assertTrue($shape->hasMember($key), "Shape has not member with name $key");
@@ -148,7 +148,7 @@ private function testParsedEventMatchExpectedType($shape, $event)
                 'Shape type "'. $shapeMember->getType(). '" does not match parsed value type "' . gettype($value) . '"'
             );
             if (is_array($value)) {
-                $this->testParsedEventMatchExpectedType($shapeMember, $value);
+                $this->parsedEventMatchesExpectedType($shapeMember, $value);
             }
         }
     }