fix: Update signers to handle anonymous credentials

dscpinheiro · dscpinheiro · commit 1e4450744e68 · 2025-03-06T07:59:22.000-05:00
diff --git a/generator/.DevConfigs/8015db5e-dd8e-4ed8-b367-bbdfe058b43e.json b/generator/.DevConfigs/8015db5e-dd8e-4ed8-b367-bbdfe058b43e.json
@@ -0,0 +1,9 @@
+{
+    "core": {
+        "changeLogMessages": [
+            "Update SDK signers to handle scenarios where anonymous credentials are provided."
+        ],
+        "type": "patch",
+        "updateMinimum": true
+    }
+}
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4Signer.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4Signer.cs
@@ -118,13 +118,16 @@ public override void Sign(IRequest request,
                                   RequestMetrics metrics,
                                   BaseIdentity identity)
         {
-            var credentials = identity as AWSCredentials;
-            if (credentials is null)
+            if (identity is not AWSCredentials credentials)
             {
                 throw new AmazonClientException($"The identity parameter must be of type AWSCredentials for the signer {nameof(AWS4Signer)}.");
             }
 
             var immutableCredentials = credentials.GetCredentials();
+            if (immutableCredentials is null)
+            {
+                return;
+            }
 
             var signingResult = SignRequest(request, clientConfig, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);
             request.Headers[HeaderKeys.AuthorizationHeader] = signingResult.ForAuthorizationHeader;            
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4aSignerCRTWrapper.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWS4aSignerCRTWrapper.cs
@@ -127,6 +127,11 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM
         {
             var credentials = identity as AWSCredentials;
             var immutableCredentials = credentials.GetCredentials();
+            if (immutableCredentials is null)
+            {
+                return;
+            }
+
             _awsSigV4AProvider.Sign(request, clientConfig, metrics, immutableCredentials);
         }
 
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWSEndpointAuthSchemeSigner.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/AWSEndpointAuthSchemeSigner.cs
@@ -38,13 +38,17 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM
             var aws4Signer = signer as AWS4Signer;
             var useV4a = aws4aSigner != null;
             var useV4 = aws4Signer != null;
-            var credentials = identity as AWSCredentials;
-            if (credentials is null)
+
+            if (identity is not AWSCredentials credentials)
             {
                 throw new AmazonClientException($"The identity parameter must be of type AWSCredentials for the signer {nameof(AWSEndpointAuthSchemeSigner)}.");
             }
 
             var immutableCredentials = credentials.GetCredentials();
+            if (immutableCredentials is null)
+            {
+                return;
+            }
 
             AWSSigningResultBase signingResult;
             
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/CloudFrontSigner.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/CloudFrontSigner.cs
@@ -42,7 +42,7 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM
             }
 
             var immutableCredentials = credentials.GetCredentials();
-            if (String.IsNullOrEmpty(immutableCredentials.AccessKey))
+            if (string.IsNullOrEmpty(immutableCredentials?.AccessKey))
             {
                 throw new ArgumentOutOfRangeException("awsAccessKeyId", "The AWS Access Key ID cannot be NULL or a Zero length string");
             }
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/QueryStringSigner.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/QueryStringSigner.cs
@@ -50,7 +50,7 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM
             var credentials = identity as AWSCredentials;
             var immutableCredentials = credentials.GetCredentials();
 
-            if (String.IsNullOrEmpty(immutableCredentials.AccessKey))
+            if (string.IsNullOrEmpty(immutableCredentials?.AccessKey))
             {
                 throw new ArgumentOutOfRangeException("awsAccessKeyId", "The AWS Access Key ID cannot be NULL or a Zero length string");
             }
diff --git a/sdk/src/Core/Amazon.Runtime/Internal/Auth/S3Signer.cs b/sdk/src/Core/Amazon.Runtime/Internal/Auth/S3Signer.cs
@@ -58,13 +58,17 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM
             var aws4aSigner = signer as AWS4aSignerCRTWrapper;
             var useV4 = aws4Signer != null;
             var useV4a = aws4aSigner != null;
-            var credentials = identity as AWSCredentials;
-            if (credentials is null)
+
+            if (identity is not AWSCredentials credentials)
             {
                 throw new AmazonClientException($"The identity parameter must be of type AWSCredentials for the signer {nameof(S3Signer)}.");
             }
 
             var immutableCredentials = credentials.GetCredentials();
+            if (immutableCredentials is null)
+            {
+                return;
+            }
 
             if (useV4a)
             {
diff --git a/sdk/test/UnitTests/Custom/Runtime/SignerTests.cs b/sdk/test/UnitTests/Custom/Runtime/SignerTests.cs
@@ -6,6 +6,7 @@
 using Amazon.Runtime;
 using Amazon.Runtime.Internal;
 using Amazon.Runtime.Internal.Auth;
+using Amazon.Runtime.Internal.Util;
 using Amazon.Util;
 using AWSSDK_DotNet.IntegrationTests.Utils;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
@@ -226,5 +227,33 @@ public async Task TestSignerWithBasicCredentialsAsync()
             Assert.AreEqual(1, signer.SignCount);
         }
 #endif
+
+        [TestMethod]
+        [TestCategory("Runtime")]
+        [TestCategory("Signer")]
+        public void TestV4SignerHandlesAnonymousCredentials()
+        {
+            var mock = new Moq.Mock<IRequest>().SetupAllProperties();
+            var requestMock = new Moq.Mock<AmazonWebServiceRequest>().SetupAllProperties();
+            var request = mock.Object;
+            var config = new AmazonIotDataConfig();
+
+            mock.SetupGet(x => x.Headers).Returns(new Dictionary<string, string>());
+            mock.SetupGet(x => x.OriginalRequest).Returns(requestMock.Object);
+            request.Endpoint = EndpointResolver.DetermineEndpoint(config, request);
+
+            var signer = new AWS4Signer();
+            var credentials = new AnonymousAWSCredentials();
+
+            // After the SRA changes, the signers were updated to retrieve credentials themselves (instead of
+            // relying on a pipeline handler to place the value in the request context). One miss from the original
+            // implementation is that customers may call the signer indirectly with anonymous credentials (for example, if
+            // their environment is set to assume a role with web identity).
+            signer.Sign(request, config, new RequestMetrics(), credentials);
+
+            // This test verifies the signer does not fail with a null reference exception, but doesn't add the authorization
+            // header either.
+            Assert.IsFalse(request.Headers.ContainsKey(HeaderKeys.AuthorizationHeader));
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -118,13 +118,16 @@ public override void Sign(IRequest request,`
`118`	`118`	`RequestMetrics metrics,`
`119`	`119`	`BaseIdentity identity)`
`120`	`120`	`{`
`121`		`- var credentials = identity as AWSCredentials;`
`122`		`- if (credentials is null)`
	`121`	`+ if (identity is not AWSCredentials credentials)`
`123`	`122`	`{`
`124`	`123`	`throw new AmazonClientException($"The identity parameter must be of type AWSCredentials for the signer {nameof(AWS4Signer)}.");`
`125`	`124`	`}`
`126`	`125`
`127`	`126`	`var immutableCredentials = credentials.GetCredentials();`
	`127`	`+ if (immutableCredentials is null)`
	`128`	`+ {`
	`129`	`+ return;`
	`130`	`+ }`
`128`	`131`
`129`	`132`	`var signingResult = SignRequest(request, clientConfig, metrics, immutableCredentials.AccessKey, immutableCredentials.SecretKey);`
`130`	`133`	`request.Headers[HeaderKeys.AuthorizationHeader] = signingResult.ForAuthorizationHeader;`
Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,11 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM`
`127`	`127`	`{`
`128`	`128`	`var credentials = identity as AWSCredentials;`
`129`	`129`	`var immutableCredentials = credentials.GetCredentials();`
	`130`	`+ if (immutableCredentials is null)`
	`131`	`+ {`
	`132`	`+ return;`
	`133`	`+ }`
	`134`	`+`
`130`	`135`	`_awsSigV4AProvider.Sign(request, clientConfig, metrics, immutableCredentials);`
`131`	`136`	`}`
`132`	`137`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`var immutableCredentials = credentials.GetCredentials();`
`45`		`- if (String.IsNullOrEmpty(immutableCredentials.AccessKey))`
	`45`	`+ if (string.IsNullOrEmpty(immutableCredentials?.AccessKey))`
`46`	`46`	`{`
`47`	`47`	`throw new ArgumentOutOfRangeException("awsAccessKeyId", "The AWS Access Key ID cannot be NULL or a Zero length string");`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM`
`50`	`50`	`var credentials = identity as AWSCredentials;`
`51`	`51`	`var immutableCredentials = credentials.GetCredentials();`
`52`	`52`
`53`		`- if (String.IsNullOrEmpty(immutableCredentials.AccessKey))`
	`53`	`+ if (string.IsNullOrEmpty(immutableCredentials?.AccessKey))`
`54`	`54`	`{`
`55`	`55`	`throw new ArgumentOutOfRangeException("awsAccessKeyId", "The AWS Access Key ID cannot be NULL or a Zero length string");`
`56`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,13 +58,17 @@ public override void Sign(IRequest request, IClientConfig clientConfig, RequestM`
`58`	`58`	`var aws4aSigner = signer as AWS4aSignerCRTWrapper;`
`59`	`59`	`var useV4 = aws4Signer != null;`
`60`	`60`	`var useV4a = aws4aSigner != null;`
`61`		`- var credentials = identity as AWSCredentials;`
`62`		`- if (credentials is null)`
	`61`	`+`
	`62`	`+ if (identity is not AWSCredentials credentials)`
`63`	`63`	`{`
`64`	`64`	`throw new AmazonClientException($"The identity parameter must be of type AWSCredentials for the signer {nameof(S3Signer)}.");`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`var immutableCredentials = credentials.GetCredentials();`
	`68`	`+ if (immutableCredentials is null)`
	`69`	`+ {`
	`70`	`+ return;`
	`71`	`+ }`
`68`	`72`
`69`	`73`	`if (useV4a)`
`70`	`74`	`{`