feat(rt): implement aws-chunked content encoding (#731)

Author: lauzadis

.changes/dd18ebc5-bcba-4b38-ba21-75aa4c6a7e24.json

@@ -0,0 +1,8 @@
+{
+    "id": "dd18ebc5-bcba-4b38-ba21-75aa4c6a7e24",
+    "type": "feature",
+    "description": "Add aws-chunked content encoding",
+    "issues": [
+        "awslabs/aws-sdk-kotlin#747"
+    ]
+}

gradle.properties

@@ -43,4 +43,4 @@ kotlinLoggingVersion=2.1.21
 slf4jVersion=1.7.36
 
 # crt
-crtKotlinVersion=0.6.5
+crtKotlinVersion=0.6.6-SNAPSHOT

runtime/auth/aws-signing-common/build.gradle.kts

@@ -7,6 +7,8 @@ description = "Common types for AWS signing"
 extra["displayName"] = "Smithy :: Kotlin :: AWS Signing Common"
 extra["moduleName"] = "aws.smithy.kotlin.runtime.auth.signing.awssigning"
 
+val coroutinesVersion: String by project
+
 kotlin {
     sourceSets {
         commonMain {

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AbstractAwsChunkedByteReadChannel.kt

@@ -0,0 +1,206 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.smithy.kotlin.runtime.auth.awssigning
+
+import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.io.SdkByteReadChannel
+import aws.smithy.kotlin.runtime.util.InternalApi
+
+public const val CHUNK_SIZE_BYTES: Int = 65536
+
+@InternalApi
+public abstract class AbstractAwsChunkedByteReadChannel(
+    private val chan: SdkByteReadChannel,
+    private val signer: AwsSigner,
+    private val signingConfig: AwsSigningConfig,
+    private var previousSignature: ByteArray,
+    private val trailingHeaders: Headers = Headers.Empty,
+) : SdkByteReadChannel by chan {
+    override val isClosedForRead: Boolean
+        get() = chan.isClosedForRead && (chunk == null || chunkOffset >= chunk!!.size) && hasLastChunkBeenSent
+
+    internal var chunk: ByteArray? = null
+    internal var chunkOffset: Int = 0
+    private var hasLastChunkBeenSent: Boolean = false
+
+    /**
+     * Returns all the bytes remaining in the underlying data source, up to [limit].
+     * @return a [ByteArray] containing at most [limit] bytes. it may contain fewer if there are less than [limit] bytes
+     * remaining in the data source.
+     */
+    override suspend fun readRemaining(limit: Int): ByteArray {
+        if (!ensureValidChunk()) {
+            return byteArrayOf()
+        }
+
+        var bytesWritten = 0
+        val bytes = ByteArray(limit)
+
+        while (bytesWritten != limit) {
+            val numBytesToWrite: Int = minOf(limit - bytesWritten, chunk!!.size - chunkOffset)
+
+            chunk!!.copyInto(bytes, bytesWritten, chunkOffset, chunkOffset + numBytesToWrite)
+
+            bytesWritten += numBytesToWrite
+            chunkOffset += numBytesToWrite
+
+            // read a new chunk. this handles the case where we consumed the whole chunk but still have not sent `limit` bytes
+            if (!ensureValidChunk()) { break }
+        }
+
+        return bytes.sliceArray(0 until bytesWritten)
+    }
+
+    /**
+     * Writes [length] bytes to [sink], starting [offset] bytes from the beginning. If [length] bytes are not available in
+     * the source data, the call will fail with an [IllegalArgumentException].
+     *
+     * @param sink the destination [ByteArray] to write to
+     * @param offset the number of bytes in [sink] to skip before beginning to write
+     * @param length the number of bytes to write to [sink]
+     * @throws IllegalArgumentException when illegal [offset] and [length] arguments are passed
+     * @throws RuntimeException when the source data is exhausted before [length] bytes are written to [sink]
+     */
+    override suspend fun readFully(sink: ByteArray, offset: Int, length: Int) {
+        require(offset >= 0) { "Invalid read: offset must be positive:  $offset" }
+        require(offset + length <= sink.size) { "Invalid read: offset + length should be less than the destination size: $offset + $length < ${sink.size}" }
+        if (length == 0) return
+
+        var bytesWritten = 0
+
+        while (bytesWritten != length) {
+            if (!ensureValidChunk()) {
+                throw RuntimeException("Invalid read: unable to fully read $length bytes. missing ${length - bytesWritten} bytes.")
+            }
+
+            val numBytesToWrite: Int = minOf(length, chunk!!.size - chunkOffset)
+
+            chunk!!.copyInto(sink, offset + bytesWritten, chunkOffset, chunkOffset + numBytesToWrite)
+
+            bytesWritten += numBytesToWrite
+            chunkOffset += numBytesToWrite
+        }
+    }
+
+    /**
+     * Writes up to [length] bytes to [sink], starting [offset] bytes from the beginning.
+     * Returns when [length] bytes or the number of available bytes have been written, whichever is lower.
+     *
+     * This function will read *at most* one chunk of data into the [sink]. Successive calls will be required to read additional chunks.
+     * This is done because the function promises to not suspend unless there are zero bytes currently available,
+     * and we are unable to poll the underlying data source to see if there is a whole chunk available.
+     *
+     * @param sink the [ByteArray] to write the data to
+     * @param offset the number of bytes to skip from the beginning of the chunk
+     * @param length the maximum number of bytes to write to [sink]. the actual number of bytes written may be fewer if
+     * there are less immediately available.
+     * @throws IllegalArgumentException when illegal [offset] and [length] arguments are passed
+     * @return an [Int] representing the number of bytes written
+     */
+    override suspend fun readAvailable(sink: ByteArray, offset: Int, length: Int): Int {
+        require(offset >= 0) { "Invalid read: offset must be positive:  $offset" }
+        require(offset + length <= sink.size) { "Invalid read: offset + length should be less than the destination size: $offset + $length < ${sink.size}" }
+        if (length == 0 || !ensureValidChunk()) {
+            return 0
+        }
+
+        var bytesWritten = 0
+
+        while (bytesWritten != length) {
+            val numBytesToWrite = minOf(length, chunk!!.size - chunkOffset)
+
+            chunk!!.copyInto(sink, offset + bytesWritten, chunkOffset, chunkOffset + numBytesToWrite)
+
+            bytesWritten += numBytesToWrite
+            chunkOffset += numBytesToWrite
+
+            // if we've exhausted the current chunk, exit without suspending for a new one
+            if (chunkOffset >= chunk!!.size) { break }
+        }
+
+        return bytesWritten
+    }
+
+    /**
+     * Ensures that the internal [chunk] is valid for reading. If it's not valid, try to load the next chunk. Note that
+     * this function will suspend until the whole chunk has been loaded.
+     *
+     * @return true if the [chunk] is valid for reading, false if it's invalid (chunk data is exhausted)
+     */
+    internal suspend fun ensureValidChunk(): Boolean {
+        // check if the current chunk is still valid
+        if (chunk != null && chunkOffset < chunk!!.size) { return true }
+
+        // if not, try to fetch a new chunk
+        val nextChunk = if (chan.isClosedForRead && hasLastChunkBeenSent) {
+            null
+        } else if (chan.isClosedForRead && !hasLastChunkBeenSent) {
+            hasLastChunkBeenSent = true
+            getChunk(byteArrayOf()) + if (!trailingHeaders.isEmpty()) { getTrailingHeadersChunk(trailingHeaders) } else byteArrayOf()
+        } else {
+            getChunk()
+        }
+
+        chunkOffset = 0
+        chunk = nextChunk?.plus("\r\n".encodeToByteArray()) // terminating CRLF to signal end of chunk
+        return (chunk != null)
+    }
+
+    /**
+     * Get an aws-chunked encoding of [data].
+     * If [data] is not set, read the next chunk from [chan] and add hex-formatted chunk size and chunk signature to the front.
+     * Note that this function will suspend until the whole chunk has been read.
+     * The chunk structure is: `string(IntHexBase(chunk-size)) + ";chunk-signature=" + signature + \r\n + chunk-data + \r\n`
+     *
+     * @param data the ByteArray of data which will be encoded to aws-chunked. if not provided, will default to
+     * reading up to [CHUNK_SIZE_BYTES] from [chan].
+     * @return a ByteArray containing the chunked data
+     */
+    private suspend fun getChunk(data: ByteArray? = null): ByteArray {
+        val chunkBody = data ?: chan.readRemaining(CHUNK_SIZE_BYTES)
+
+        val chunkSignature = signer.signChunk(chunkBody, previousSignature, signingConfig).signature
+        previousSignature = chunkSignature
+
+        val chunkHeader = buildString {
+            append(chunkBody.size.toString(16))
+            append(";")
+            append("chunk-signature=")
+            append(chunkSignature.decodeToString())
+            append("\r\n")
+        }.encodeToByteArray()
+
+        return chunkHeader + chunkBody
+    }
+
+    /**
+     * Get the trailing headers chunk. The grammar for trailing headers is:
+     * trailing-header-A:value CRLF
+     * trailing-header-B:value CRLF
+     * ...
+     * x-amz-trailer-signature:signature_value CRLF
+     *
+     * @param trailingHeaders a list of [Headers] which will be sent
+     * @return a [ByteArray] containing the trailing headers in aws-chunked encoding, ready to send on the wire
+     */
+    private suspend fun getTrailingHeadersChunk(trailingHeaders: Headers): ByteArray {
+        val trailerSignature = signer.signChunkTrailer(trailingHeaders, previousSignature, signingConfig).signature
+        previousSignature = trailerSignature
+
+        val trailerBody = trailingHeaders.entries().sortedBy { entry -> entry.key.lowercase() }.map { entry ->
+            buildString {
+                append(entry.key)
+                append(":")
+                append(entry.value.joinToString(",") { v -> v.trim() })
+                append("\r\n")
+            }.encodeToByteArray()
+        }.reduce { acc, bytes -> acc + bytes } +
+            "x-amz-trailer-signature:${trailerSignature.decodeToString()}\r\n".encodeToByteArray()
+
+        chunkOffset = 0
+        return trailerBody
+    }
+}

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsChunkedByteReadChannel.kt

@@ -0,0 +1,30 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.smithy.kotlin.runtime.auth.awssigning
+
+import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.io.SdkByteReadChannel
+import aws.smithy.kotlin.runtime.util.InternalApi
+
+/**
+ * aws-chunked content encoding. Operations on this class can not be invoked concurrently.
+ * This class wraps an SdkByteReadChannel. When reads are performed on this class, it will read the wrapped data
+ * and return it in aws-chunked content encoding.
+ * @see <a href="https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html">SigV4 Streaming</a>
+ * @param chan the underlying [SdkByteReadChannel] which will have its data encoded in aws-chunked format
+ * @param signer the signer to use to sign chunks and (optionally) chunk trailer
+ * @param signingConfig the config to use for signing
+ * @param previousSignature the previous signature to use for signing. in most cases, this should be the seed signature
+ * @param trailingHeaders the optional trailing headers to include in the final chunk
+ */
+@InternalApi
+public expect class AwsChunkedByteReadChannel public constructor(
+    chan: SdkByteReadChannel,
+    signer: AwsSigner,
+    signingConfig: AwsSigningConfig,
+    previousSignature: ByteArray,
+    trailingHeaders: Headers = Headers.Empty,
+) : AbstractAwsChunkedByteReadChannel

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsSigner.kt

@@ -4,6 +4,7 @@
  */
 package aws.smithy.kotlin.runtime.auth.awssigning
 
+import aws.smithy.kotlin.runtime.http.Headers
 import aws.smithy.kotlin.runtime.http.request.HttpRequest
 
 /**
@@ -31,4 +32,17 @@ public interface AwsSigner {
         prevSignature: ByteArray,
         config: AwsSigningConfig,
     ): AwsSigningResult<Unit>
+
+    /**
+     * Signs a chunked payload's trailer according to the supplied signing configuration
+     * @param trailingHeaders  the trailing [Headers] to send
+     * @param prevSignature The signature of the previous componenet of the request (in most cases, this is the signature of the final chunk)
+     * @param config The signing configuration
+     * @return The signing result, which should be appended as a trailing header itself, named `x-amz-trailer-signature`
+     */
+    public suspend fun signChunkTrailer(
+        trailingHeaders: Headers,
+        prevSignature: ByteArray,
+        config: AwsSigningConfig,
+    ): AwsSigningResult<Unit>
 }

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsSigningConfig.kt

@@ -45,6 +45,11 @@ public enum class AwsSignatureType {
      */
     HTTP_REQUEST_CHUNK,
 
+    /**
+     * Compute a signature for trailing headers
+     */
+    HTTP_REQUEST_TRAILING_HEADERS,
+
     /**
      * Compute a signature for an event stream
      */

runtime/auth/aws-signing-common/jvm/src/aws/smithy/kotlin/runtime/auth/awssigning/AwsChunkedByteReadChannelJVM.kt

@@ -0,0 +1,48 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.smithy.kotlin.runtime.auth.awssigning
+
+import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.io.SdkByteReadChannel
+import aws.smithy.kotlin.runtime.util.InternalApi
+import java.nio.ByteBuffer
+
+@InternalApi
+public actual class AwsChunkedByteReadChannel actual constructor(
+    chan: SdkByteReadChannel,
+    signer: AwsSigner,
+    signingConfig: AwsSigningConfig,
+    previousSignature: ByteArray,
+    trailingHeaders: Headers,
+) : AbstractAwsChunkedByteReadChannel(chan, signer, signingConfig, previousSignature, trailingHeaders) {
+
+    /**
+     * Read all the available bytes into [sink], up to the [sink]'s limit.
+     * After reading is complete, flips the buffer to ready the content for consumption.
+     * @param sink the [ByteBuffer] to read the bytes into
+     * @return an integer representing the number of bytes written to [sink]
+     */
+    override suspend fun readAvailable(sink: ByteBuffer): Int {
+        if (!ensureValidChunk() || sink.remaining() == 0) {
+            return -1
+        }
+
+        var bytesWritten = 0
+        while (chunkOffset < chunk!!.size && sink.remaining() > 0) {
+            val numBytesToWrite = minOf(sink.remaining(), chunk!!.size - chunkOffset)
+            val bytes = chunk!!.slice(chunkOffset until chunkOffset + numBytesToWrite).toByteArray()
+            sink.put(bytes)
+
+            bytesWritten += numBytesToWrite
+            chunkOffset += numBytesToWrite
+
+            // if we've exhausted the current chunk, exit without suspending for a new one
+            if (chunkOffset >= chunk!!.size) { break }
+        }
+
+        return bytesWritten
+    }
+}

runtime/auth/aws-signing-crt/common/src/aws/smithy/kotlin/runtime/auth/awssigning/crt/CrtAwsSigner.kt

@@ -52,13 +52,26 @@ public object CrtAwsSigner : AwsSigner {
 
         return AwsSigningResult(Unit, crtResult.signature)
     }
+
+    override suspend fun signChunkTrailer(
+        trailingHeaders: Headers,
+        prevSignature: ByteArray,
+        config: AwsSigningConfig,
+    ): AwsSigningResult<Unit> {
+        val crtConfig = config.toCrtSigningConfig()
+        val crtTrailingHeaders = trailingHeaders.toCrtHeaders()
+
+        val crtResult = CrtSigner.signChunkTrailer(crtTrailingHeaders, prevSignature, crtConfig)
+        return AwsSigningResult(Unit, crtResult.signature)
+    }
 }
 
 private fun AwsSignatureType.toCrtSignatureType() = when (this) {
     AwsSignatureType.HTTP_REQUEST_CHUNK -> CrtSignatureType.HTTP_REQUEST_CHUNK
     AwsSignatureType.HTTP_REQUEST_EVENT -> CrtSignatureType.HTTP_REQUEST_EVENT
     AwsSignatureType.HTTP_REQUEST_VIA_HEADERS -> CrtSignatureType.HTTP_REQUEST_VIA_HEADERS
     AwsSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS -> CrtSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS
+    AwsSignatureType.HTTP_REQUEST_TRAILING_HEADERS -> CrtSignatureType.HTTP_REQUEST_TRAILING_HEADERS
 }
 
 private fun AwsSignedBodyHeader.toCrtSignedBodyHeaderType() = when (this) {

runtime/auth/aws-signing-crt/jvm/test/aws/smithy/kotlin/runtime/auth/awssigning/crt/CrtAwsChunkedByteReadChannelTest.kt

@@ -0,0 +1,18 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package aws.smithy.kotlin.runtime.auth.awssigning.crt
+
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
+import aws.smithy.kotlin.runtime.auth.awssigning.tests.AwsChunkedByteReadChannelJVMTestBase
+import aws.smithy.kotlin.runtime.auth.awssigning.tests.AwsChunkedByteReadChannelTestBase
+
+class CrtAwsChunkedByteReadChannelTest : AwsChunkedByteReadChannelTestBase() {
+    override val signer: AwsSigner = CrtAwsSigner
+}
+
+class CrtAwsChunkedByteReadChannelJVMTest : AwsChunkedByteReadChannelJVMTestBase() {
+    override val signer: AwsSigner = CrtAwsSigner
+}