Smithy SigV4 Middlwares and Retry Middleware Changes (#517)

Author: skmcgrail

aws/middleware/middleware.go

@@ -28,14 +28,14 @@ func (r RequestInvocationIDMiddleware) HandleBuild(ctx context.Context, in middl
 
 	invocationID, err := sdk.UUIDVersion4()
 	if err != nil {
-		return out, middleware.NewMetadata(), err
+		return out, metadata, err
 	}
 
 	switch req := in.Request.(type) {
 	case *smithyHTTP.Request:
 		req.Header.Set(invocationIDHeader, invocationID)
 	default:
-		return middleware.BuildOutput{}, middleware.NewMetadata(), fmt.Errorf("unknown transport type %T", req)
+		return out, metadata, fmt.Errorf("unknown transport type %T", req)
 	}
 
 	return next.HandleBuild(ctx, in)
@@ -56,17 +56,18 @@ func (a AttemptClockSkewMiddleware) HandleDeserialize(ctx context.Context, in mi
 ) {
 	respMeta := ResponseMetadata{}
 
-	deserialize, metadata, err := next.HandleDeserialize(ctx, in)
+	out, metadata, err = next.HandleDeserialize(ctx, in)
 	respMeta.ResponseAt = sdk.NowTime()
 
-	switch resp := deserialize.RawResponse.(type) {
+	switch resp := out.RawResponse.(type) {
 	case *smithyHTTP.Response:
 		respDateHeader := resp.Header.Get("Date")
 		if len(respDateHeader) == 0 {
 			break
 		}
-		respMeta.ServerTime, err = http.ParseTime(respDateHeader)
-		if err != nil {
+		var parseErr error
+		respMeta.ServerTime, parseErr = http.ParseTime(respDateHeader)
+		if parseErr != nil {
 			// TODO: What should logging of errors look like?
 			break
 		}
@@ -76,9 +77,9 @@ func (a AttemptClockSkewMiddleware) HandleDeserialize(ctx context.Context, in mi
 		respMeta.AttemptSkew = respMeta.ServerTime.Sub(respMeta.ResponseAt)
 	}
 
-	SetResponseMetadata(metadata, respMeta)
+	setResponseMetadata(&metadata, respMeta)
 
-	return deserialize, metadata, err
+	return out, metadata, err
 }
 
 type responseMetadataKey struct{}
@@ -96,7 +97,7 @@ func GetResponseMetadata(metadata middleware.Metadata) (v ResponseMetadata) {
 	return v
 }
 
-// SetResponseMetadata sets the ResponseMetadata on the given context
-func SetResponseMetadata(metadata middleware.Metadata, responseMetadata ResponseMetadata) {
+// setResponseMetadata sets the ResponseMetadata on the given context
+func setResponseMetadata(metadata *middleware.Metadata, responseMetadata ResponseMetadata) {
 	metadata.Set(responseMetadataKey{}, responseMetadata)
 }

aws/middleware/middleware_test.go

@@ -38,7 +38,7 @@ func TestRequestInvocationIDMiddleware(t *testing.T) {
 			t.Errorf("invocation id was not a UUIDv4")
 		}
 
-		return out, nil, err
+		return out, metadata, err
 	}))
 	if err != nil {
 		t.Errorf("expected no error, got %v", err)

aws/retry/middleware.go

@@ -15,7 +15,7 @@ import (
 
 // RequestCloner is a function that can take an input request type and clone the request
 // for use in a subsequent retry attempt
-type RequestCloner func(context.Context, interface{}) interface{}
+type RequestCloner func(interface{}) interface{}
 
 type retryMetadata struct {
 	AttemptNum       int
@@ -54,22 +54,28 @@ func (r AttemptMiddleware) HandleFinalize(ctx context.Context, in smithymiddle.F
 
 	relRetryToken := r.retryer.GetInitialToken()
 
-	origReq := r.requestCloner(ctx, in.Request)
-	origCtx := ctx
-
 	for {
 		attemptNum++
 
-		ctx = setRetryMetadata(origCtx, retryMetadata{
+		attemptInput := in
+		attemptInput.Request = r.requestCloner(attemptInput.Request)
+
+		attemptCtx := setRetryMetadata(ctx, retryMetadata{
 			AttemptNum:       attemptNum,
 			AttemptTime:      sdk.NowTime(),
 			MaxAttempts:      maxAttempts,
 			AttemptClockSkew: attemptClockSkew,
 		})
 
-		in.Request = r.requestCloner(ctx, origReq)
+		if attemptNum > 1 {
+			if rewindable, ok := in.Request.(interface{ RewindStream() error }); ok {
+				if err := rewindable.RewindStream(); err != nil {
+					return out, metadata, fmt.Errorf("failed to rewind transport stream for retry, %w", err)
+				}
+			}
+		}
 
-		out, metadata, reqErr := next.HandleFinalize(ctx, in)
+		out, metadata, reqErr := next.HandleFinalize(attemptCtx, attemptInput)
 
 		relRetryToken(reqErr)
 		if reqErr == nil {
@@ -125,7 +131,7 @@ func (r MetricsHeaderMiddleware) HandleFinalize(ctx context.Context, in smithymi
 ) {
 	retryMetadata, ok := getRetryMetadata(ctx)
 	if !ok {
-		return out, smithymiddle.NewMetadata(), fmt.Errorf("retry metadata value not found on context")
+		return out, metadata, fmt.Errorf("retry metadata value not found on context")
 	}
 
 	const retryMetricHeader = "amz-sdk-request"
@@ -152,7 +158,7 @@ func (r MetricsHeaderMiddleware) HandleFinalize(ctx context.Context, in smithymi
 	case *http.Request:
 		req.Header.Set(retryMetricHeader, strings.Join(parts, "; "))
 	default:
-		return smithymiddle.FinalizeOutput{}, smithymiddle.NewMetadata(), fmt.Errorf("unknown transport type %T", req)
+		return out, metadata, fmt.Errorf("unknown transport type %T", req)
 	}
 
 	return next.HandleFinalize(ctx, in)

aws/retry/middleware_test.go

@@ -73,7 +73,7 @@ func TestMetricsHeaderMiddleware(t *testing.T) {
 					t.Errorf("expected %v, got %v", e, a)
 				}
 
-				return out, nil, err
+				return out, metadata, err
 			}))
 			if err != nil && len(tt.expectedErr) == 0 {
 				t.Fatalf("expected no error, got %q", err)

aws/signer/internal/v4/const.go

@@ -4,6 +4,9 @@ const (
 	// EmptyStringSHA256 is the hex encoded sha256 value of an empty string
 	EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
 
+	// UnsignedPayload indicates that the request payload body is unsigned
+	UnsignedPayload = "UNSIGNED-PAYLOAD"
+
 	// AmzAlgorithmKey indicates the signing algorithm
 	AmzAlgorithmKey = "X-Amz-Algorithm"
 

aws/signer/v4/middleware.go

@@ -0,0 +1,165 @@
+package v4
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io"
+
+	v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
+	"github.com/aws/aws-sdk-go-v2/internal/sdk"
+	"github.com/awslabs/smithy-go/middleware"
+	smithyHTTP "github.com/awslabs/smithy-go/transport/http"
+)
+
+// HashComputationError indicates an error occurred while computing the signing hash
+type HashComputationError struct {
+	Err error
+}
+
+// Error is the error message
+func (e *HashComputationError) Error() string {
+	return fmt.Sprintf("failed to compute payload hash: %v", e.Err)
+}
+
+// Unwrap returns the underlying error if one is set
+func (e *HashComputationError) Unwrap() error {
+	return e.Err
+}
+
+// SigningError indicates an error condition occurred while performing SigV4 signing
+type SigningError struct {
+	Err error
+}
+
+func (e *SigningError) Error() string {
+	return fmt.Sprintf("failed to sign request: %v", e.Err)
+}
+
+// Unwrap returns the underlying error cause
+func (e *SigningError) Unwrap() error {
+	return e.Err
+}
+
+// UnsignedPayloadMiddleware sets the SigV4 request payload hash to unsigned
+type UnsignedPayloadMiddleware struct{}
+
+// ID returns the UnsignedPayloadMiddleware identifier
+func (m *UnsignedPayloadMiddleware) ID() string {
+	return "SigV4UnsignedPayloadMiddleware"
+}
+
+// HandleFinalize sets the payload hash to be an unsigned payload
+func (m *UnsignedPayloadMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+	ctx = SetPayloadHash(ctx, v4Internal.UnsignedPayload)
+	return next.HandleFinalize(ctx, in)
+}
+
+// ComputePayloadSHA256Middleware computes sha256 payload hash to sign
+type ComputePayloadSHA256Middleware struct{}
+
+// ID is the middleware name
+func (m *ComputePayloadSHA256Middleware) ID() string {
+	return "ComputePayloadSHA256Middleware"
+}
+
+// HandleFinalize compute the payload hash for the request payload
+func (m *ComputePayloadSHA256Middleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyHTTP.Request)
+	if !ok {
+		return out, metadata, &HashComputationError{Err: fmt.Errorf("unexpected request middleware type %T", in.Request)}
+	}
+
+	hash := sha256.New()
+	_, err = io.Copy(hash, req.GetStream())
+	if err != nil {
+		return out, metadata, &HashComputationError{Err: fmt.Errorf("failed to compute payload hash, %w", err)}
+	}
+
+	if err := req.RewindStream(); err != nil {
+		return out, metadata, &HashComputationError{Err: fmt.Errorf("failed to seek body to start, %w", err)}
+	}
+
+	ctx = SetPayloadHash(ctx, hex.EncodeToString(hash.Sum(nil)))
+
+	return next.HandleFinalize(ctx, in)
+}
+
+// SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation for SigV4 HTTP Signing
+type SignHTTPRequestMiddleware struct {
+	signer HTTPSigner
+}
+
+// NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given Signer for signing requests
+func NewSignHTTPRequestMiddleware(signer HTTPSigner) *SignHTTPRequestMiddleware {
+	return &SignHTTPRequestMiddleware{signer: signer}
+}
+
+// ID is the SignHTTPRequestMiddleware identifier
+func (s *SignHTTPRequestMiddleware) ID() string {
+	return "SigV4SignHTTPRequestMiddleware"
+}
+
+// HandleFinalize will take the provided input and sign the request using the SigV4 authentication scheme
+func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyHTTP.Request)
+	if !ok {
+		return out, metadata, &SigningError{Err: fmt.Errorf("unexpected request middleware type %T", in.Request)}
+	}
+
+	signingMetadata := GetSigningMetadata(ctx)
+	payloadHash := GetPayloadHash(ctx)
+	if len(payloadHash) == 0 {
+		return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
+	}
+
+	err = s.signer.SignHTTP(ctx, req.Request, payloadHash, signingMetadata.SigningName, signingMetadata.SigningRegion, sdk.NowTime())
+	if err != nil {
+		return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
+	}
+
+	return next.HandleFinalize(ctx, in)
+}
+
+// SigningMetadata contains the signing name and signing region to be used when signing
+// with SigV4 authentication scheme.
+type SigningMetadata struct {
+	SigningName   string
+	SigningRegion string
+}
+
+type signingMetadataKey struct{}
+
+// GetSigningMetadata retrieves the SigningMetadata from context. If there is no SigningMetadata attached to the context
+// an zero-value SigningMetadata will be returned.
+func GetSigningMetadata(ctx context.Context) (v SigningMetadata) {
+	v, _ = ctx.Value(signingMetadataKey{}).(SigningMetadata)
+	return v
+}
+
+// SetSigningMetadata adds the provided metadata to the context
+func SetSigningMetadata(ctx context.Context, metadata SigningMetadata) context.Context {
+	ctx = context.WithValue(ctx, signingMetadataKey{}, metadata)
+	return ctx
+}
+
+type payloadHashKey struct{}
+
+// GetPayloadHash retrieves the payload hash to use for signing
+func GetPayloadHash(ctx context.Context) (v string) {
+	v, _ = ctx.Value(payloadHashKey{}).(string)
+	return v
+}
+
+// SetPayloadHash sets the payload hash to be used for signing the request
+func SetPayloadHash(ctx context.Context, hash string) context.Context {
+	ctx = context.WithValue(ctx, payloadHashKey{}, hash)
+	return ctx
+}