feat(rt): use aws-chunked content-encoding (#746)

Author: lauzadis

.changes/0b8435af-23b7-478a-b31a-260a7dfdfaab.json

@@ -0,0 +1,5 @@
+{
+    "id": "0b8435af-23b7-478a-b31a-260a7dfdfaab",
+    "type": "feature",
+    "description": "Use `aws-chunked` content encoding for streaming requests"
+}

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/HashSpecification.kt

@@ -34,6 +34,11 @@ public sealed class HashSpecification {
      */
     public object StreamingAws4HmacSha256Payload : HashLiteral("STREAMING-AWS4-HMAC-SHA256-PAYLOAD")
 
+    /**
+     * The hash value indicates that the streaming request will have trailers
+     */
+    public object StreamingAws4HmacSha256PayloadWithTrailers : HashLiteral("STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER")
+
     /**
      * The hash value should indicate ???
      */

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedReader.kt

@@ -5,8 +5,10 @@
 
 package aws.smithy.kotlin.runtime.auth.awssigning.internal
 
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSignatureType
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
 import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
+import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
 import aws.smithy.kotlin.runtime.http.Headers
 import aws.smithy.kotlin.runtime.io.SdkBuffer
 
@@ -133,7 +135,7 @@ internal class AwsChunkedReader(
         // signer takes a ByteArray unfortunately...
         val chunkBody = bodyBuffer?.readByteArray() ?: return null
 
-        val chunkSignature = signer.signChunk(chunkBody, previousSignature, signingConfig).signature
+        val chunkSignature = signer.signChunk(chunkBody, previousSignature, signingConfig.toChunkSigningConfig()).signature
         previousSignature = chunkSignature
 
         val signedChunk = SdkBuffer()
@@ -164,11 +166,31 @@ internal class AwsChunkedReader(
      * @return a [SdkBuffer] containing the trailing headers in aws-chunked encoding, ready to send on the wire
      */
     private suspend fun getTrailingHeadersChunk(trailingHeaders: Headers): SdkBuffer {
-        val trailerSignature = signer.signChunkTrailer(trailingHeaders, previousSignature, signingConfig).signature
+        val trailerSignature = signer.signChunkTrailer(trailingHeaders, previousSignature, signingConfig.toTrailingHeadersSigningConfig()).signature
         previousSignature = trailerSignature
 
         val trailerBody = SdkBuffer()
         trailerBody.writeTrailers(trailingHeaders, trailerSignature.decodeToString())
         return trailerBody
     }
+
+    /**
+     * Make a copy of the signing config, changing the signatureType and hashSpecification configuration values
+     * to specify chunk signing.
+     * @return an [AwsSigningConfig] which can be used by a signer to sign chunks
+     */
+    private fun AwsSigningConfig.toChunkSigningConfig(): AwsSigningConfig = this.toBuilder().apply {
+        signatureType = AwsSignatureType.HTTP_REQUEST_CHUNK // signature is for a chunk
+        hashSpecification = HashSpecification.CalculateFromPayload // calculate the hash from the chunk payload
+    }.build()
+
+    /**
+     * Make a copy of the signing config, changing the signatureType and hashSpecification configuration values
+     * to specify trailing headers signing.
+     * @return an [AwsSigningConfig] which can be used by a signer to sign trailing headers
+     */
+    private fun AwsSigningConfig.toTrailingHeadersSigningConfig(): AwsSigningConfig = this.toBuilder().apply {
+        signatureType = AwsSignatureType.HTTP_REQUEST_TRAILING_HEADERS // signature is for trailing headers
+        hashSpecification = HashSpecification.CalculateFromPayload // calculate the hash from the trailing headers payload
+    }.build()
 }

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedUtil.kt

@@ -5,7 +5,13 @@
 
 package aws.smithy.kotlin.runtime.auth.awssigning.internal
 
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
+import aws.smithy.kotlin.runtime.auth.awssigning.HashSpecification
+import aws.smithy.kotlin.runtime.auth.awssigning.middleware.AwsSigningMiddleware
 import aws.smithy.kotlin.runtime.http.Headers
+import aws.smithy.kotlin.runtime.http.HttpBody
+import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
 import aws.smithy.kotlin.runtime.io.SdkBuffer
 
 /**
@@ -28,3 +34,33 @@ internal fun SdkBuffer.writeTrailers(
         }
     writeUtf8("x-amz-trailer-signature:${signature}\r\n")
 }
+
+/**
+ * @return a boolean representing if this HttpBody is eligible to send via aws-chunked content encoding
+ */
+internal val HttpBody.isEligibleForAwsChunkedStreaming: Boolean
+    get() = (this is HttpBody.SourceContent || this is HttpBody.ChannelContent) && contentLength != null &&
+        (isOneShot || contentLength!! > AwsSigningMiddleware.AWS_CHUNKED_THRESHOLD)
+
+/**
+ * @return a boolean representing if the signing configuration is configured (via [HashSpecification]) for aws-chunked content encoding
+ */
+internal val AwsSigningConfig.useAwsChunkedEncoding: Boolean
+    get() = when (hashSpecification) {
+        is HashSpecification.StreamingAws4HmacSha256Payload, is HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers -> true
+        else -> false
+    }
+
+/**
+ * Set the HTTP headers required for the aws-chunked content encoding
+ */
+internal fun HttpRequestBuilder.setAwsChunkedHeaders() {
+    headers.setMissing("Content-Encoding", "aws-chunked")
+    headers.setMissing("Transfer-Encoding", "chunked")
+    headers.setMissing("X-Amz-Decoded-Content-Length", body.contentLength!!.toString())
+}
+
+/**
+ * Update the HTTP body to use aws-chunked content encoding
+ */
+internal expect fun HttpRequestBuilder.setAwsChunkedBody(signer: AwsSigner, signingConfig: AwsSigningConfig, signature: ByteArray)

runtime/auth/aws-signing-common/common/src/aws/smithy/kotlin/runtime/auth/awssigning/middleware/AwsSigningMiddleware.kt

@@ -6,14 +6,17 @@ package aws.smithy.kotlin.runtime.auth.awssigning.middleware
 
 import aws.smithy.kotlin.runtime.auth.awscredentials.CredentialsProvider
 import aws.smithy.kotlin.runtime.auth.awssigning.*
+import aws.smithy.kotlin.runtime.auth.awssigning.internal.*
+import aws.smithy.kotlin.runtime.auth.awssigning.internal.isEligibleForAwsChunkedStreaming
+import aws.smithy.kotlin.runtime.auth.awssigning.internal.setAwsChunkedBody
+import aws.smithy.kotlin.runtime.auth.awssigning.internal.setAwsChunkedHeaders
+import aws.smithy.kotlin.runtime.auth.awssigning.internal.useAwsChunkedEncoding
 import aws.smithy.kotlin.runtime.http.HttpBody
 import aws.smithy.kotlin.runtime.http.operation.*
 import aws.smithy.kotlin.runtime.http.request.HttpRequest
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
-import aws.smithy.kotlin.runtime.tracing.warn
 import aws.smithy.kotlin.runtime.util.InternalApi
 import aws.smithy.kotlin.runtime.util.get
-import kotlin.coroutines.coroutineContext
 import kotlin.time.Duration
 
 /**
@@ -29,6 +32,10 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
             requireNotNull(config.signer) { "A signer must be specified for the middleware" }
             return AwsSigningMiddleware(config)
         }
+
+        @InternalApi
+        // The minimum size of a streaming body before the SDK will begin using aws-chunked content encoding.
+        public const val AWS_CHUNKED_THRESHOLD: Int = CHUNK_SIZE_BYTES * 16
     }
 
     public class Config {
@@ -126,38 +133,28 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
             signedBodyHeader = contextSignedBodyHeader ?: config.signedBodyHeader
 
             // SDKs are supposed to default to signed payload _always_ when possible (and when `unsignedPayload` trait
-            // isn't present).
-            //
-            // There are a few escape hatches/special cases:
-            //     1. Customer explicitly disables signed payload (via Config.isUnsignedPayload)
-            //     2. Customer provides a (potentially) unbounded stream (via HttpBody.Streaming)
-            //
-            // When an unbounded stream (2) is given we proceed as follows:
-            //     2.1. is it replayable?
-            //          (2.1.1) yes -> sign the payload (stream can be consumed more than once)
-            //          (2.1.2) no -> unsigned payload
-            //
-            // NOTE: Chunked signing is NOT enabled through this middleware.
-            // NOTE: 2.1.2 is handled below
-
-            // FIXME - see: https://github.com/awslabs/smithy-kotlin/issues/296
-            // if we know we have a (streaming) body and toSignableRequest() fails to convert it to a CRT equivalent
-            // then we must decide how to compute the payload hash ourselves (defaults to unsigned payload)
+            // isn't present). The only exception is when the customer explicitly disables signed payloads (via Config.isUnsignedPayload).
+
             hashSpecification = when {
                 contextHashSpecification != null -> contextHashSpecification
                 config.isUnsignedPayload -> HashSpecification.UnsignedPayload
                 body is HttpBody.Empty -> HashSpecification.EmptyBody
-                body.isOneShot -> {
-                    coroutineContext.warn<AwsSigningMiddleware> {
-                        "unable to compute hash for unbounded stream; defaulting to unsigned payload"
+                body.isEligibleForAwsChunkedStreaming -> {
+                    if (req.subject.headers.contains("x-amz-trailer")) {
+                        HashSpecification.StreamingAws4HmacSha256PayloadWithTrailers
+                    } else {
+                        HashSpecification.StreamingAws4HmacSha256Payload
                     }
-                    HashSpecification.UnsignedPayload
                 }
                 // use the payload to compute the hash
                 else -> HashSpecification.CalculateFromPayload
             }
         }
 
+        if (signingConfig.useAwsChunkedEncoding) {
+            req.subject.setAwsChunkedHeaders()
+        }
+
         val signingResult = checkNotNull(config.signer).sign(req.subject.build(), signingConfig)
         val signedRequest = signingResult.output
 
@@ -166,6 +163,9 @@ public class AwsSigningMiddleware(private val config: Config) : ModifyRequestMid
 
         req.subject.update(signedRequest)
 
+        if (signingConfig.useAwsChunkedEncoding) {
+            req.subject.setAwsChunkedBody(checkNotNull(config.signer), signingConfig, signingResult.signature)
+        }
         return req
     }
 }

runtime/auth/aws-signing-common/jvm/src/aws/smithy/kotlin/runtime/auth/awssigning/internal/AwsChunkedUtilJVM.kt

@@ -0,0 +1,23 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package aws.smithy.kotlin.runtime.auth.awssigning.internal
+
+import aws.smithy.kotlin.runtime.ClientException
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsChunkedByteReadChannel
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsChunkedSource
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigner
+import aws.smithy.kotlin.runtime.auth.awssigning.AwsSigningConfig
+import aws.smithy.kotlin.runtime.http.HttpBody
+import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
+import aws.smithy.kotlin.runtime.http.toHttpBody
+import aws.smithy.kotlin.runtime.http.toSdkByteReadChannel
+
+internal actual fun HttpRequestBuilder.setAwsChunkedBody(signer: AwsSigner, signingConfig: AwsSigningConfig, signature: ByteArray) {
+    body = when (body) {
+        is HttpBody.ChannelContent -> AwsChunkedByteReadChannel(checkNotNull(body.toSdkByteReadChannel()), signer, signingConfig, signature).toHttpBody(-1)
+        is HttpBody.SourceContent -> AwsChunkedSource((body as HttpBody.SourceContent).readFrom(), signer, signingConfig, signature).toHttpBody(-1)
+        else -> throw ClientException("HttpBody type is not supported")
+    }
+}

runtime/auth/aws-signing-tests/common/src/aws/smithy/kotlin/runtime/auth/awssigning/tests/AwsChunkedByteReadChannelTestBase.kt

@@ -18,16 +18,16 @@ import kotlin.test.*
 import kotlin.time.Duration.Companion.milliseconds
 
 @OptIn(ExperimentalCoroutinesApi::class)
-public abstract class AwsChunkedByteReadChannelTestBase : AwsChunkedTestBase(AwsChunkedReaderFactory.Channel) {
+abstract class AwsChunkedByteReadChannelTestBase : AwsChunkedTestBase(AwsChunkedReaderFactory.Channel) {
     @Test
-    public fun testSlowProducerMultipleChunksPartialLast(): TestResult = runTest {
+    fun testSlowProducerMultipleChunksPartialLast(): TestResult = runTest {
         val numChunks = 6
         val dataLengthBytes = CHUNK_SIZE_BYTES * (numChunks - 1) + CHUNK_SIZE_BYTES / 2 // 5 full chunks, 1 half-full chunk
 
         val data = ByteArray(dataLengthBytes) { Random.Default.nextBytes(1)[0] }
         val chan = SdkByteChannel(true)
         var previousSignature: ByteArray = byteArrayOf()
-        val awsChunked = AwsChunkedByteReadChannel(chan, signer, testSigningConfig, previousSignature)
+        val awsChunked = AwsChunkedByteReadChannel(chan, signer, testChunkSigningConfig, previousSignature)
 
         // launch a coroutine and fill the channel slowly
         val writeJob = launch {
@@ -66,7 +66,7 @@ public abstract class AwsChunkedByteReadChannelTestBase : AwsChunkedTestBase(Aws
             val expectedChunkSignature = signer.signChunk(
                 data.slice(CHUNK_SIZE_BYTES * chunk until (CHUNK_SIZE_BYTES * (chunk + 1))).toByteArray(),
                 previousSignature,
-                testSigningConfig,
+                testChunkSigningConfig,
             ).signature
             previousSignature = expectedChunkSignature
 
@@ -78,14 +78,14 @@ public abstract class AwsChunkedByteReadChannelTestBase : AwsChunkedTestBase(Aws
         var expectedChunkSignature = signer.signChunk(
             data.slice(CHUNK_SIZE_BYTES * (numChunks - 1) until data.size).toByteArray(),
             previousSignature,
-            testSigningConfig,
+            testChunkSigningConfig,
         ).signature
         previousSignature = expectedChunkSignature
         assertEquals(expectedChunkSignature.decodeToString(), chunkSignatures[chunkSignatures.size - 2])
         assertEquals(CHUNK_SIZE_BYTES / 2, chunkSizes[chunkSizes.size - 2])
 
         // validate terminal chunk
-        expectedChunkSignature = signer.signChunk(byteArrayOf(), previousSignature, testSigningConfig).signature
+        expectedChunkSignature = signer.signChunk(byteArrayOf(), previousSignature, testChunkSigningConfig).signature
         assertEquals(expectedChunkSignature.decodeToString(), chunkSignatures.last())
         assertEquals(0, chunkSizes.last())
     }