feat: implement flexible checksums customization (#772)

Author: lauzadis

.changes/73375c7c-b802-4878-ae24-15b619c065b3.json

@@ -0,0 +1,8 @@
+{
+    "id": "73375c7c-b802-4878-ae24-15b619c065b3",
+    "type": "feature",
+    "description": "Implement flexible checksums customization",
+    "issues": [
+        "https://github.com/awslabs/smithy-kotlin/issues/446"
+    ]
+}

.changes/af027b16-c6f7-4885-9835-1a75315860cf.json

@@ -0,0 +1,5 @@
+{
+    "id": "af027b16-c6f7-4885-9835-1a75315860cf",
+    "type": "feature",
+    "description": "Add support for unsigned `aws-chunked` requests"
+}

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsChunkedByteReadChannel.kt

@@ -6,7 +6,7 @@
 package aws.smithy.kotlin.runtime.auth.awssigning
 
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.AwsChunkedReader
-import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.DeferredHeaders
 import aws.smithy.kotlin.runtime.io.SdkBuffer
 import aws.smithy.kotlin.runtime.io.SdkByteReadChannel
 import aws.smithy.kotlin.runtime.util.InternalApi
@@ -28,7 +28,7 @@ public class AwsChunkedByteReadChannel(
     private val signer: AwsSigner,
     private val signingConfig: AwsSigningConfig,
     private var previousSignature: ByteArray,
-    private val trailingHeaders: Headers = Headers.Empty,
+    private val trailingHeaders: DeferredHeaders = DeferredHeaders.Empty,
 ) : SdkByteReadChannel by delegate {
 
     private val chunkReader = AwsChunkedReader(

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsHttpSigner.kt

@@ -133,15 +133,15 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
 
             hashSpecification = when {
                 contextHashSpecification != null -> contextHashSpecification
-                config.isUnsignedPayload -> HashSpecification.UnsignedPayload
                 body is HttpBody.Empty -> HashSpecification.EmptyBody
                 body.isEligibleForAwsChunkedStreaming -> {
                     if (request.headers.contains("x-amz-trailer")) {
-                        HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers
+                        if (config.isUnsignedPayload) HashSpecification.StreamingUnsignedPayloadWithTrailers else HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers
                     } else {
                         HashSpecification.StreamingAws4HmacSha256Payload
                     }
                 }
+                config.isUnsignedPayload -> HashSpecification.UnsignedPayload
                 // use the payload to compute the hash
                 else -> HashSpecification.CalculateFromPayload
             }
@@ -160,7 +160,12 @@ public class AwsHttpSigner(private val config: Config) : HttpSigner {
         request.update(signedRequest)
 
         if (signingConfig.useAwsChunkedEncoding) {
-            request.setAwsChunkedBody(checkNotNull(config.signer), signingConfig, signingResult.signature)
+            request.setAwsChunkedBody(
+                checkNotNull(config.signer),
+                signingConfig,
+                signingResult.signature,
+                request.trailingHeaders.build(),
+            )
         }
     }
 }

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/HashSpecification.kt

@@ -40,7 +40,12 @@ public sealed class HashSpecification {
     public object StreamingAws4HmacSha256PayloadWithTrailers : HashLiteral("STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER")
 
     /**
-     * The hash value should indicate ???
+     * The hash value used for streaming unsigned requests with trailers
+     */
+    public object StreamingUnsignedPayloadWithTrailers : HashLiteral("STREAMING-UNSIGNED-PAYLOAD-TRAILER")
+
+    /**
+     * The hash value indicates that the streaming request is an event stream
      */
     public object StreamingAws4HmacSha256Events : HashLiteral("STREAMING-AWS4-HMAC-SHA256-EVENTS")
 

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedReader.kt

@@ -9,7 +9,9 @@ import aws.smithy.kotlin.runtime.auth.awssigning.AwsSignatureType
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
 import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
+import aws.smithy.kotlin.runtime.http.DeferredHeaders
 import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.toHeaders
 import aws.smithy.kotlin.runtime.io.SdkBuffer
 
 /**
@@ -27,7 +29,7 @@ internal class AwsChunkedReader(
     private val signer: AwsSigner,
     private val signingConfig: AwsSigningConfig,
     private var previousSignature: ByteArray,
-    private val trailingHeaders: Headers = Headers.Empty,
+    private val trailingHeaders: DeferredHeaders,
 ) {
 
     /**
@@ -69,7 +71,7 @@ internal class AwsChunkedReader(
         val nextChunk = when {
             stream.isClosedForRead() && hasLastChunkBeenSent -> null
             else -> {
-                var next = getSignedChunk()
+                var next = if (signingConfig.isUnsigned) getUnsignedChunk() else getSignedChunk()
                 if (next == null) {
                     check(stream.isClosedForRead()) { "Expected underlying reader to be closed" }
                     next = getFinalChunk()
@@ -93,18 +95,39 @@ internal class AwsChunkedReader(
      */
     private suspend fun getFinalChunk(): SdkBuffer {
         // empty chunk
-        val lastChunk = checkNotNull(getSignedChunk(SdkBuffer()))
+        val lastChunk = checkNotNull(if (signingConfig.isUnsigned) getUnsignedChunk(SdkBuffer()) else getSignedChunk(SdkBuffer()))
 
         // + any trailers
         if (!trailingHeaders.isEmpty()) {
-            val trailingHeaderChunk = getTrailingHeadersChunk(trailingHeaders)
+            val trailingHeaderChunk = getTrailingHeadersChunk(trailingHeaders.toHeaders())
             lastChunk.writeAll(trailingHeaderChunk)
         }
         return lastChunk
     }
 
     /**
-     * Get an aws-chunked encoding of [data].
+     * Read a chunk from the underlying [stream], suspending until a whole chunk has been read OR the channel is exhausted.
+     * @return an SdkBuffer containing a chunk of data, or null if the channel is exhausted.
+     */
+    private suspend fun Stream.readChunk(): SdkBuffer? {
+        val sink = SdkBuffer()
+
+        // fill up to chunk size bytes
+        var remaining = CHUNK_SIZE_BYTES.toLong()
+        while (remaining > 0L) {
+            val rc = read(sink, remaining)
+            if (rc == -1L) break
+            remaining -= rc
+        }
+
+        return when (sink.size) {
+            0L -> null // delegate closed without reading any data
+            else -> sink
+        }
+    }
+
+    /**
+     * Get a signed aws-chunked encoding of [data].
      * If [data] is not set, read the next chunk from [delegate] and add hex-formatted chunk size and chunk signature to the front.
      * Note that this function will suspend until the whole chunk has been read OR the channel is exhausted.
      * The chunk structure is: `string(IntHexBase(chunk-size)) + ";chunk-signature=" + signature + \r\n + chunk-data + \r\n`
@@ -114,23 +137,7 @@ internal class AwsChunkedReader(
      * @return a buffer containing the chunked data or null if no data is available (channel is closed)
      */
     private suspend fun getSignedChunk(data: SdkBuffer? = null): SdkBuffer? {
-        val bodyBuffer = if (data == null) {
-            val sink = SdkBuffer()
-
-            // fill up to chunk size bytes
-            var remaining = CHUNK_SIZE_BYTES.toLong()
-            while (remaining > 0L) {
-                val rc = stream.read(sink, remaining)
-                if (rc == -1L) break
-                remaining -= rc
-            }
-            when (sink.size) {
-                0L -> null // delegate closed without reading any data
-                else -> sink
-            }
-        } else {
-            data
-        }
+        val bodyBuffer = data ?: stream.readChunk()
 
         // signer takes a ByteArray unfortunately...
         val chunkBody = bodyBuffer?.readByteArray() ?: return null
@@ -155,6 +162,31 @@ internal class AwsChunkedReader(
         return signedChunk
     }
 
+    /**
+     * Get an unsigned aws-chunked encoding of [data].
+     * If [data] is not set, read the next chunk from [delegate] and add hex-formatted chunk size to the front.
+     * Note that this function will suspend until the whole chunk has been read OR the channel is exhausted.
+     * The unsigned chunk structure is: `string(IntHexBase(chunk-size)) + \r\n + chunk-data + \r\n`
+     *
+     * @param data the data which will be encoded to aws-chunked. if not provided, will default to
+     * reading up to [CHUNK_SIZE_BYTES] from [delegate].
+     * @return a buffer containing the chunked data or null if no data is available (channel is closed)
+     */
+    private suspend fun getUnsignedChunk(data: SdkBuffer? = null): SdkBuffer? {
+        val bodyBuffer = data ?: stream.readChunk() ?: return null
+
+        val unsignedChunk = SdkBuffer()
+
+        // headers
+        unsignedChunk.apply {
+            writeUtf8(bodyBuffer.size.toString(16))
+            writeUtf8("\r\n")
+            writeAll(bodyBuffer) // append the body
+        }
+
+        return unsignedChunk
+    }
+
     /**
      * Get the trailing headers chunk. The grammar for trailing headers is:
      * trailing-header-A:value CRLF
@@ -170,7 +202,11 @@ internal class AwsChunkedReader(
         previousSignature = trailerSignature
 
         val trailerBody = SdkBuffer()
-        trailerBody.writeTrailers(trailingHeaders, trailerSignature.decodeToString())
+        trailerBody.writeTrailers(trailingHeaders)
+        if (!signingConfig.isUnsigned) {
+            trailerBody.writeTrailerSignature(trailerSignature.decodeToString())
+        }
+
         return trailerBody
     }
 
@@ -193,4 +229,6 @@ internal class AwsChunkedReader(
         signatureType = AwsSignatureType.HTTP_REQUEST_TRAILING_HEADERS // signature is for trailing headers
         hashSpecification = HashSpecification.CalculateFromPayload // calculate the hash from the trailing headers payload
     }.build()
+
+    private val AwsSigningConfig.isUnsigned: Boolean get() = hashSpecification == HashSpecification.StreamingUnsignedPayloadWithTrailers
 }

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedUtil.kt

@@ -9,6 +9,7 @@ import aws.smithy.kotlin.runtime.auth.awssigning.AwsHttpSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
 import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
+import aws.smithy.kotlin.runtime.http.DeferredHeaders
 import aws.smithy.kotlin.runtime.http.Headers
 import aws.smithy.kotlin.runtime.http.HttpBody
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
@@ -19,10 +20,7 @@ import aws.smithy.kotlin.runtime.io.SdkBuffer
  */
 public const val CHUNK_SIZE_BYTES: Int = 65_536
 
-internal fun SdkBuffer.writeTrailers(
-    trailers: Headers,
-    signature: String,
-) {
+internal fun SdkBuffer.writeTrailers(trailers: Headers) {
     trailers
         .entries()
         .sortedBy { entry -> entry.key.lowercase() }
@@ -32,6 +30,9 @@ internal fun SdkBuffer.writeTrailers(
             writeUtf8(entry.value.joinToString(",") { v -> v.trim() })
             writeUtf8("\r\n")
         }
+}
+
+internal fun SdkBuffer.writeTrailerSignature(signature: String) {
     writeUtf8("x-amz-trailer-signature:${signature}\r\n")
 }
 
@@ -47,20 +48,28 @@ internal val HttpBody.isEligibleForAwsChunkedStreaming: Boolean
  */
 internal val AwsSigningConfig.useAwsChunkedEncoding: Boolean
     get() = when (hashSpecification) {
-        is HashSpecification.StreamingAws4HmacSha256Payload, is HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers -> true
+        is HashSpecification.StreamingAws4HmacSha256Payload,
+        is HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers,
+        is HashSpecification.StreamingUnsignedPayloadWithTrailers,
+        -> true
         else -> false
     }
 
 /**
  * Set the HTTP headers required for the aws-chunked content encoding
  */
 internal fun HttpRequestBuilder.setAwsChunkedHeaders() {
-    headers.setMissing("Content-Encoding", "aws-chunked")
-    headers.setMissing("Transfer-Encoding", "chunked")
-    headers.setMissing("X-Amz-Decoded-Content-Length", body.contentLength!!.toString())
+    headers.append("Content-Encoding", "aws-chunked")
+    headers["Transfer-Encoding"] = "chunked"
+    headers["X-Amz-Decoded-Content-Length"] = body.contentLength!!.toString()
 }
 
 /**
  * Update the HTTP body to use aws-chunked content encoding
  */
-internal expect fun HttpRequestBuilder.setAwsChunkedBody(signer: AwsSigner, signingConfig: AwsSigningConfig, signature: ByteArray)
+internal expect fun HttpRequestBuilder.setAwsChunkedBody(
+    signer: AwsSigner,
+    signingConfig: AwsSigningConfig,
+    signature: ByteArray,
+    trailingHeaders: DeferredHeaders,
+)

runtime/auth/aws-signing-common/jvm/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsChunkedSource.kt

@@ -6,7 +6,7 @@
 package aws.smithy.kotlin.runtime.auth.awssigning
 
 import aws.smithy.kotlin.runtime.auth.awssigning.internal.AwsChunkedReader
-import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.DeferredHeaders
 import aws.smithy.kotlin.runtime.io.SdkBuffer
 import aws.smithy.kotlin.runtime.io.SdkSource
 import aws.smithy.kotlin.runtime.io.buffer
@@ -33,7 +33,7 @@ public class AwsChunkedSource(
     signer: AwsSigner,
     signingConfig: AwsSigningConfig,
     previousSignature: ByteArray,
-    trailingHeaders: Headers = Headers.Empty,
+    trailingHeaders: DeferredHeaders = DeferredHeaders.Empty,
 ) : SdkSource {
     private val chunkReader = AwsChunkedReader(
         delegate.asStream(),

runtime/auth/aws-signing-common/jvm/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedUtilJVM.kt

@@ -9,15 +9,27 @@ import aws.smithy.kotlin.runtime.auth.awssigning.AwsChunkedByteReadChannel
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsChunkedSource
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
-import aws.smithy.kotlin.runtime.http.HttpBody
+import aws.smithy.kotlin.runtime.http.*
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
-import aws.smithy.kotlin.runtime.http.toHttpBody
-import aws.smithy.kotlin.runtime.http.toSdkByteReadChannel
 
-internal actual fun HttpRequestBuilder.setAwsChunkedBody(signer: AwsSigner, signingConfig: AwsSigningConfig, signature: ByteArray) {
+internal actual fun HttpRequestBuilder.setAwsChunkedBody(signer: AwsSigner, signingConfig: AwsSigningConfig, signature: ByteArray, trailingHeaders: DeferredHeaders) {
     body = when (body) {
-        is HttpBody.ChannelContent -> AwsChunkedByteReadChannel(checkNotNull(body.toSdkByteReadChannel()), signer, signingConfig, signature).toHttpBody(-1)
-        is HttpBody.SourceContent -> AwsChunkedSource((body as HttpBody.SourceContent).readFrom(), signer, signingConfig, signature).toHttpBody(-1)
+        is HttpBody.ChannelContent -> AwsChunkedByteReadChannel(
+            checkNotNull(body.toSdkByteReadChannel()),
+            signer,
+            signingConfig,
+            signature,
+            trailingHeaders,
+        ).toHttpBody(-1)
+
+        is HttpBody.SourceContent -> AwsChunkedSource(
+            (body as HttpBody.SourceContent).readFrom(),
+            signer,
+            signingConfig,
+            signature,
+            trailingHeaders,
+        ).toHttpBody(-1)
+
         else -> throw ClientException("HttpBody type is not supported")
     }
 }