fix: x-amz-content-sha256 header is expected for unsigned payload and event stream operations (#934)

Author: aajtodd

.changes/4cc18c3e-31f4-4f70-987d-36e1ddee4a57.json

@@ -0,0 +1,8 @@
+{
+    "id": "4cc18c3e-31f4-4f70-987d-36e1ddee4a57",
+    "type": "bugfix",
+    "description": "Set X-Amz-Content-Sha256 header for unsigned payload and event stream operations by default",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#1029"
+    ]
+}

codegen/smithy-kotlin-codegen/src/main/kotlin/software/amazon/smithy/kotlin/codegen/rendering/auth/Sigv4AuthSchemeIntegration.kt

@@ -18,9 +18,11 @@ import software.amazon.smithy.kotlin.codegen.model.buildSymbol
 import software.amazon.smithy.kotlin.codegen.model.hasTrait
 import software.amazon.smithy.kotlin.codegen.model.knowledge.AwsSignatureVersion4
 import software.amazon.smithy.kotlin.codegen.rendering.protocol.ProtocolGenerator
+import software.amazon.smithy.kotlin.codegen.rendering.protocol.ProtocolMiddleware
 import software.amazon.smithy.kotlin.codegen.rendering.util.ConfigProperty
 import software.amazon.smithy.kotlin.codegen.rendering.util.ConfigPropertyType
 import software.amazon.smithy.model.Model
+import software.amazon.smithy.model.knowledge.EventStreamIndex
 import software.amazon.smithy.model.shapes.OperationShape
 import software.amazon.smithy.model.shapes.ShapeId
 
@@ -36,6 +38,11 @@ class Sigv4AuthSchemeIntegration : KotlinIntegration {
 
     override fun authSchemes(ctx: ProtocolGenerator.GenerationContext): List<AuthSchemeHandler> = listOf(SigV4AuthSchemeHandler())
 
+    override fun customizeMiddleware(
+        ctx: ProtocolGenerator.GenerationContext,
+        resolved: List<ProtocolMiddleware>,
+    ): List<ProtocolMiddleware> = resolved + Sigv4SignedBodyHeaderMiddleware()
+
     override fun additionalServiceConfigProps(ctx: CodegenContext): List<ConfigProperty> {
         val credentialsProviderProp = ConfigProperty {
             symbol = RuntimeTypes.Auth.Credentials.AwsCredentials.CredentialsProvider
@@ -87,3 +94,23 @@ open class SigV4AuthSchemeHandler : AuthSchemeHandler {
         writer.write("#T(#T, #S)", RuntimeTypes.Auth.HttpAuthAws.SigV4AuthScheme, RuntimeTypes.Auth.Signing.AwsSigningStandard.DefaultAwsSigner, signingService)
     }
 }
+
+/**
+ * Conditionally updates the operation context to set the signed body header attribute
+ * e.g. to set `X-Amz-Content-Sha256` header.
+ */
+class Sigv4SignedBodyHeaderMiddleware : ProtocolMiddleware {
+    override val name: String = "Sigv4SignedBodyHeaderMiddleware"
+
+    override fun isEnabledFor(ctx: ProtocolGenerator.GenerationContext, op: OperationShape): Boolean {
+        val hasEventStream = EventStreamIndex.of(ctx.model).getInputInfo(op).isPresent
+        return hasEventStream || op.hasTrait<UnsignedPayloadTrait>()
+    }
+    override fun render(ctx: ProtocolGenerator.GenerationContext, op: OperationShape, writer: KotlinWriter) {
+        writer.write(
+            "op.context.set(#T.SignedBodyHeader, #T.X_AMZ_CONTENT_SHA256)",
+            RuntimeTypes.Auth.Signing.AwsSigningCommon.AwsSigningAttributes,
+            RuntimeTypes.Auth.Signing.AwsSigningCommon.AwsSignedBodyHeader,
+        )
+    }
+}

runtime/auth/http-auth-aws/common/src/aws/smithy/kotlin/runtime/http/auth/AwsHttpSigner.kt

@@ -93,6 +93,18 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
          * this parameter has no effect.
          */
         public var expiresAfter: Duration? = null
+
+        /**
+         * A predicate to control which headers are a part of the canonical request. Note that skipping auth-required
+         * headers will result in an unusable signature. Headers injected by the signing process cannot be skipped.
+         *
+         * This function does not override the internal check function (e.g., for `x-amzn-trace-id`, `user-agent`, etc.) but
+         * rather supplements it. In particular, a header will get signed if and only if it returns true to both the
+         * internal check and this function (if defined).
+         *
+         * The default predicate is to not reject signing any headers (i.e., `_ -> true`).
+         */
+        public var shouldSignHeader: ShouldSignHeaderPredicate = { _ -> true }
     }
 
     override suspend fun sign(signingRequest: SignHttpRequest) {
@@ -118,6 +130,7 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
             normalizeUriPath = config.normalizeUriPath
             useDoubleUriEncode = config.useDoubleUriEncode
             expiresAfter = config.expiresAfter
+            shouldSignHeader = config.shouldSignHeader
 
             signedBodyHeader = contextSignedBodyHeader ?: config.signedBodyHeader