From 286133e79e5afbe24abd329166ae73e66f76717a Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Wed, 12 Mar 2025 12:55:59 -0700 Subject: [PATCH 1/3] Pass new request into signer for canonical_request --- packages/aws-sdk-signers/src/aws_sdk_signers/signers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py b/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py index 279528ea4..e0ac6a440 100644 --- a/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py +++ b/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py @@ -441,7 +441,7 @@ async def sign( # Construct core signing components canonical_request = await self.canonical_request( signing_properties=signing_properties, - request=request, + request=new_request, ) string_to_sign = await self.string_to_sign( canonical_request=canonical_request, From 4531831b264b2a15dde138d18145c027a18fada5 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Wed, 12 Mar 2025 14:09:06 -0600 Subject: [PATCH 2/3] Test fields aren't mutated on original request --- .../src/aws_sdk_signers/signers.py | 2 +- .../tests/unit/test_signers.py | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py b/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py index e0ac6a440..0b6b87c88 100644 --- a/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py +++ b/packages/aws-sdk-signers/src/aws_sdk_signers/signers.py @@ -453,7 +453,7 @@ async def sign( signing_properties=new_signing_properties, ) - signing_fields = await self._normalize_signing_fields(request=request) + signing_fields = await self._normalize_signing_fields(request=new_request) credential_scope = await self._scope(signing_properties=new_signing_properties) credential = f"{identity.access_key_id}/{credential_scope}" authorization = await self.generate_authorization_field( diff --git a/packages/aws-sdk-signers/tests/unit/test_signers.py b/packages/aws-sdk-signers/tests/unit/test_signers.py index 3b70c97db..9b7bd7cf9 100644 --- a/packages/aws-sdk-signers/tests/unit/test_signers.py +++ b/packages/aws-sdk-signers/tests/unit/test_signers.py @@ -1,6 +1,7 @@ # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 +import copy import re import typing from datetime import UTC, datetime @@ -76,6 +77,23 @@ def test_sign( authorization_field = signed_request.fields["authorization"] assert SIGV4_RE.match(authorization_field.as_string()) + def test_sign_doesnt_modify_original_request( + self, + aws_identity: AWSCredentialIdentity, + aws_request: AWSRequest, + signing_properties: SigV4SigningProperties, + ) -> None: + original_request = copy.deepcopy(aws_request) + signed_request = self.SIGV4_SYNC_SIGNER.sign( + signing_properties=signing_properties, + request=aws_request, + identity=aws_identity, + ) + assert isinstance(signed_request, AWSRequest) + assert signed_request is not aws_request + assert aws_request.fields == original_request.fields + assert signed_request.fields != aws_request.fields + @typing.no_type_check def test_sign_with_invalid_identity( self, aws_request: AWSRequest, signing_properties: SigV4SigningProperties @@ -127,6 +145,23 @@ async def test_sign( authorization_field = signed_request.fields["authorization"] assert SIGV4_RE.match(authorization_field.as_string()) + async def test_sign_doesnt_modify_original_request( + self, + aws_identity: AWSCredentialIdentity, + aws_request: AWSRequest, + signing_properties: SigV4SigningProperties, + ) -> None: + original_request = copy.deepcopy(aws_request) + signed_request = await self.SIGV4_ASYNC_SIGNER.sign( + signing_properties=signing_properties, + request=aws_request, + identity=aws_identity, + ) + assert isinstance(signed_request, AWSRequest) + assert signed_request is not aws_request + assert aws_request.fields == original_request.fields + assert signed_request.fields != aws_request.fields + @typing.no_type_check async def test_sign_with_invalid_identity( self, aws_request: AWSRequest, signing_properties: SigV4SigningProperties From db4b9fd1a1db61b69b1cdc012cbd0048cb8b3638 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Wed, 12 Mar 2025 14:20:28 -0600 Subject: [PATCH 3/3] Fix new parameter name --- packages/aws-sdk-signers/tests/unit/test_signers.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-sdk-signers/tests/unit/test_signers.py b/packages/aws-sdk-signers/tests/unit/test_signers.py index 087c99a11..5bbfce2f9 100644 --- a/packages/aws-sdk-signers/tests/unit/test_signers.py +++ b/packages/aws-sdk-signers/tests/unit/test_signers.py @@ -86,7 +86,7 @@ def test_sign_doesnt_modify_original_request( original_request = copy.deepcopy(aws_request) signed_request = self.SIGV4_SYNC_SIGNER.sign( signing_properties=signing_properties, - request=aws_request, + http_request=aws_request, identity=aws_identity, ) assert isinstance(signed_request, AWSRequest) @@ -154,7 +154,7 @@ async def test_sign_doesnt_modify_original_request( original_request = copy.deepcopy(aws_request) signed_request = await self.SIGV4_ASYNC_SIGNER.sign( signing_properties=signing_properties, - request=aws_request, + http_request=aws_request, identity=aws_identity, ) assert isinstance(signed_request, AWSRequest)