diff --git a/.changelog/0c026d00c5d04cf3a1a100108e4634da.json b/.changelog/0c026d00c5d04cf3a1a100108e4634da.json new file mode 100644 index 00000000000..3a84210d994 --- /dev/null +++ b/.changelog/0c026d00c5d04cf3a1a100108e4634da.json @@ -0,0 +1,10 @@ +{ + "id": "0c026d00-c5d0-4cf3-a1a1-00108e4634da", + "type": "feature", + "description": "Add support for S3 Multi-Region Access Point ARNs.", + "modules": [ + "config", + "service/internal/s3shared", + "service/s3" + ] +} \ No newline at end of file diff --git a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsHttpPresignURLClientGenerator.java b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsHttpPresignURLClientGenerator.java index 87b1b0640d4..2c526fe27a5 100644 --- a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsHttpPresignURLClientGenerator.java +++ b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsHttpPresignURLClientGenerator.java @@ -72,6 +72,12 @@ public class AwsHttpPresignURLClientGenerator implements GoIntegration { private static final Symbol presignerInterfaceSymbol = SymbolUtils.createPointableSymbolBuilder( "HTTPPresignerV4" ).build(); + + private static final Symbol presignerV4aInterfaceSymbol = SymbolUtils.createPointableSymbolBuilder( + "httpPresignerV4a" + ).build(); + + private static final Symbol v4NewPresignerSymbol = SymbolUtils.createPointableSymbolBuilder( "NewSigner", AwsGoDependency.AWS_SIGNER_V4 ).build(); @@ -176,6 +182,9 @@ public void writeAdditionalFiles( // generate presigner interface writePresignInterface(writer, model, symbolProvider, serviceShape); + // generate s3 sigv4a presigner interface + writePresignV4aInterface(writer, model, symbolProvider, serviceShape); + // generate presign options and helpers per service writePresignOptionType(writer, model, symbolProvider, serviceShape); 
@@ -371,6 +380,37 @@ private void writeConvertToPresignMiddleware( // s3 service needs expires and sets unsignedPayload if input is stream if (isS3ServiceShape(model, serviceShape)) { + + writer.write(""); + writer.write("// add multi-region access point presigner"); + + // ==== multi-region access point support + Symbol PresignConstructor = SymbolUtils.createValueSymbolBuilder( + "NewPresignHTTPRequestMiddleware", AwsCustomGoDependency.S3_CUSTOMIZATION + ).build(); + + Symbol PresignOptions = SymbolUtils.createValueSymbolBuilder( + "PresignHTTPRequestMiddlewareOptions", AwsCustomGoDependency.S3_CUSTOMIZATION + ).build(); + + Symbol RegisterPresigningMiddleware = SymbolUtils.createValueSymbolBuilder( + "RegisterPreSigningMiddleware", AwsCustomGoDependency.S3_CUSTOMIZATION + ).build(); + + writer.openBlock("signermv := $T($T{", "})", + PresignConstructor,PresignOptions, () -> { + writer.write("CredentialsProvider : options.Credentials,"); + writer.write("V4Presigner : c.Presigner,"); + writer.write("V4aPresigner : c.presignerV4a,"); + writer.write("LogSigning : options.ClientLogMode.IsSigning(),"); + }); + + writer.write("err = $T(stack, signermv)", RegisterPresigningMiddleware); + writer.write("if err != nil { return err }"); + writer.write(""); + + // ======= + writer.openBlock("if c.Expires < 0 {", "}", () -> { writer.addUseImports(SmithyGoDependency.FMT); writer.write( @@ -437,6 +477,13 @@ private void writePresignClientType( }); writer.write(""); + if (isS3ServiceShape(model, serviceShape)) { + writer.openBlock("if options.presignerV4a == nil {", "}", () -> { + writer.write("options.presignerV4a = $L(c.options)", AwsSignatureVersion4.NEW_SIGNER_V4A_FUNC_NAME); + }); + writer.write(""); + } + writer.openBlock("return &$L{", "}", presignClientSymbol, () -> { writer.write("client: c,"); writer.write("options: options,"); 
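Review bot: In the `isS3ServiceShape` branch of writeConvertToPresignMiddleware (hunk `@@ -371,6 +380,37 @@`), the new locals `PresignConstructor`, `PresignOptions` and `RegisterPresigningMiddleware` are written in UpperCamelCase, so they read as type names rather than variables. The `// ====` and `// =======` banner comments look like leftover markers. I would rename the locals to `presignConstructor`, `presignOptions` and `registerPresigningMiddleware`, and replace the banners with one comment such as `// register the S3 presign middleware, which is handed both the SigV4 and SigV4a presigners`. The emitted Go local `signermv` is presumably meant to be `signermw`, and it lands verbatim in the generated `convertToPresignMiddleware`. The method body starts before this hunk and continues after it.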
@@ -494,6 +541,38 @@ public void writePresignInterface( writer.write(""); } + + /** + * Writes the presigner sigv4a interface used by the presign url client + */ + public void writePresignV4aInterface( + GoWriter writer, + Model model, + SymbolProvider symbolProvider, + ServiceShape serviceShape + ) { + if (!isS3ServiceShape(model, serviceShape)) { + return; + } + + Symbol signerOptionsSymbol = SymbolUtils.createPointableSymbolBuilder( + "SignerOptions", AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + + writer.writeDocs( + String.format("%s represents sigv4a presigner interface used by presign url client", + presignerV4aInterfaceSymbol.getName()) + ); + writer.openBlock("type $T interface {", "}", presignerV4aInterfaceSymbol, () -> { + writer.write("PresignHTTP("); + writer.write("ctx context.Context, credentials v4a.Credentials, r *http.Request,"); + writer.write("payloadHash string, service string, regionSet []string, signingTime time.Time,"); + writer.write("optFns ...func($P),", signerOptionsSymbol); + writer.write(") (url string, signedHeader http.Header, err error)"); + }); + + writer.write(""); + } + /** * Writes the Presign client's type and methods. * @@ -530,8 +609,13 @@ public void writePresignOptionType( ) ); writer.write("Expires time.Duration"); + writer.write(""); + + writer.writeDocs("presignerV4a is the presigner used by the presign url client"); + writer.write("presignerV4a $T", presignerV4aInterfaceSymbol); } }); + writer.openBlock("func (o $T) copy() $T {", "}", presignOptionsSymbol, presignOptionsSymbol, () -> { writer.write("clientOptions := make([]func(*Options), len(o.ClientOptions))"); writer.write("copy(clientOptions, o.ClientOptions)"); 
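Review bot: writePresignV4aInterface (hunk `@@ -494,6 +541,38 @@`) emits `context.Context`, `http.Request`, `time.Time` and `v4a.Credentials` as literal text, and only `SignerOptions` goes through a Symbol. The generated file therefore appears to compile only because other generated code imports those packages. `writerSignerInterface` in S3SignatureVersion4a.java registers them explicitly, and doing the same here would keep the two generators consistent: `writer.addUseImports(SmithyGoDependency.CONTEXT);`, `writer.addUseImports(SmithyGoDependency.NET_HTTP);`, `writer.addUseImports(SmithyGoDependency.TIME);`. The Javadoc could also say that nothing is written for services other than S3.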
@@ -548,7 +632,7 @@ public void writePresignOptionType( writer.openBlock("func $L(optFns ...func(*Options)) func($P) {", "}", PRESIGN_OPTIONS_FROM_CLIENT_OPTIONS, presignOptionsSymbol, () -> { writer.write("return $L(optFns).options", presignOptionsFromClientOptionsInternal.getName()); - }); + }); writer.insertTrailingNewline(); @@ -556,7 +640,7 @@ public void writePresignOptionType( writer.openBlock("func (w $L) options (o $P) {", "}", presignOptionsFromClientOptionsInternal.getName(), presignOptionsSymbol, () -> { writer.write("o.ClientOptions = append(o.ClientOptions, w...)"); - }).insertTrailingNewline(); + }).insertTrailingNewline(); // s3 specific helpers @@ -569,7 +653,7 @@ public void writePresignOptionType( writer.openBlock("func $L(dur time.Duration) func($P) {", "}", PRESIGN_OPTIONS_FROM_EXPIRES, presignOptionsSymbol, () -> { writer.write("return $L(dur).options", presignOptionsFromExpiresInternal.getName()); - }); + }); writer.insertTrailingNewline(); @@ -577,7 +661,7 @@ public void writePresignOptionType( writer.openBlock("func (w $L) options (o $P) {", "}", presignOptionsFromExpiresInternal.getName(), presignOptionsSymbol, () -> { writer.write("o.Expires = time.Duration(w)"); - }).insertTrailingNewline(); + }).insertTrailingNewline(); } } diff --git a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsSignatureVersion4.java b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsSignatureVersion4.java index 8e9027bb078..1970a48251c 100644 --- a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsSignatureVersion4.java +++ b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/AwsSignatureVersion4.java 
@@ -46,6 +46,7 @@ public final class AwsSignatureVersion4 implements GoIntegration { public static final String SIGNER_INTERFACE_NAME = "HTTPSignerV4"; public static final String SIGNER_CONFIG_FIELD_NAME = SIGNER_INTERFACE_NAME; public static final String NEW_SIGNER_FUNC_NAME = "newDefaultV4Signer"; + public static final String NEW_SIGNER_V4A_FUNC_NAME = "newDefaultV4aSigner"; public static final String SIGNER_RESOLVER = "resolve" + SIGNER_CONFIG_FIELD_NAME; private static final List DISABLE_URI_PATH_ESCAPE = ListUtils.of("com.amazonaws.s3#AmazonS3"); diff --git a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/AwsCustomGoDependency.java b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/AwsCustomGoDependency.java index 7df70902b62..283e3f15b43 100644 --- a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/AwsCustomGoDependency.java +++ b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/AwsCustomGoDependency.java @@ -26,6 +26,7 @@ public final class AwsCustomGoDependency extends AwsGoDependency { "service/dynamodb/internal/customizations", "ddbcust"); public static final GoDependency S3_CUSTOMIZATION = aws("service/s3/internal/customizations", "s3cust"); public static final GoDependency S3CONTROL_CUSTOMIZATION = aws("service/s3control/internal/customizations", "s3controlcust"); + public static final GoDependency S3_SIGV4A_CUSTOMIZATION = aws("service/s3/internal/v4a"); public static final GoDependency APIGATEWAY_CUSTOMIZATION = aws( "service/apigateway/internal/customizations", "agcust"); public static final GoDependency GLACIER_CUSTOMIZATION = aws( 
diff --git a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3SignatureVersion4a.java b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3SignatureVersion4a.java
new file mode 100644
index 00000000000..b3a78d6ff1a
--- /dev/null
+++ b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3SignatureVersion4a.java
@@ -0,0 +1,209 @@ +package software.amazon.smithy.aws.go.codegen.customization; + +import java.util.List; +import software.amazon.smithy.aws.go.codegen.AddAwsConfigFields; +import software.amazon.smithy.aws.go.codegen.AwsGoDependency; +import software.amazon.smithy.aws.go.codegen.AwsSignatureVersion4; +import software.amazon.smithy.aws.traits.ServiceTrait; +import software.amazon.smithy.codegen.core.Symbol; +import software.amazon.smithy.codegen.core.SymbolProvider; +import software.amazon.smithy.go.codegen.GoDelegator; +import software.amazon.smithy.go.codegen.GoSettings; +import software.amazon.smithy.go.codegen.GoWriter; +import software.amazon.smithy.go.codegen.SmithyGoDependency; +import software.amazon.smithy.go.codegen.SymbolUtils; +import software.amazon.smithy.go.codegen.integration.ConfigField; +import software.amazon.smithy.go.codegen.integration.ConfigFieldResolver; +import software.amazon.smithy.go.codegen.integration.GoIntegration; +import software.amazon.smithy.go.codegen.integration.MiddlewareRegistrar; +import software.amazon.smithy.go.codegen.integration.RuntimeClientPlugin; +import software.amazon.smithy.model.Model; +import software.amazon.smithy.model.shapes.ServiceShape; +import software.amazon.smithy.utils.ListUtils; + +/** + * This integration configures the S3 client for Signature Version 4a + */ +public class S3SignatureVersion4a implements GoIntegration { + private static final String RESOLVE_CREDENTIAL_PROVIDER = "resolveCredentialProvider"; + private static final String REGISTER_MIDDLEWARE_FUNCTION = "swapWithCustomHTTPSignerMiddleware"; + private static final String V4A_SIGNER_INTERFACE_NAME = "httpSignerV4a"; + private static final String SIGNER_OPTION_FIELD_NAME = V4A_SIGNER_INTERFACE_NAME; + private static final String NEW_SIGNER_FUNC_NAME = "newDefaultV4aSigner"; + private static final String SIGNER_RESOLVER = "resolveHTTPSignerV4a"; + + /** + * Return true if service is Amazon S3. + * + * @param model is the generation model. 
+ * @param service is the service shape being audited. + */ + private static boolean isS3Service(Model model, ServiceShape service) { + String serviceId = service.expectTrait(ServiceTrait.class).getSdkId(); + return serviceId.equalsIgnoreCase("S3"); + } + + private static final List DISABLE_URI_PATH_ESCAPE = ListUtils.of("com.amazonaws.s3#AmazonS3"); + + @Override + public List getClientPlugins() { + Symbol resolver = SymbolUtils.createValueSymbolBuilder(RESOLVE_CREDENTIAL_PROVIDER) + .build(); + + return ListUtils.of(RuntimeClientPlugin.builder() + .addConfigFieldResolver(ConfigFieldResolver.builder() + .location(ConfigFieldResolver.Location.CLIENT) + .target(ConfigFieldResolver.Target.FINALIZATION) + .resolver(resolver) + .build()) + .addConfigFieldResolver(ConfigFieldResolver.builder() + .location(ConfigFieldResolver.Location.OPERATION) + .target(ConfigFieldResolver.Target.FINALIZATION) + .resolver(resolver) + .build()) + .servicePredicate((model, serviceShape) -> { + if (!S3SignatureVersion4a.isS3Service(model, serviceShape)) { + return false; + } + return AwsSignatureVersion4.isSupportedAuthentication(model, serviceShape); + }) + .build(), + // Add HTTPSigner middleware to operation stack + RuntimeClientPlugin.builder() + .servicePredicate(S3SignatureVersion4a::isS3Service) + .registerMiddleware(MiddlewareRegistrar.builder() + .resolvedFunction(SymbolUtils.createValueSymbolBuilder( + S3SignatureVersion4a.REGISTER_MIDDLEWARE_FUNCTION).build()) + .useClientOptions() + .build()) + .build(), + RuntimeClientPlugin.builder() + .servicePredicate(S3SignatureVersion4a::isS3Service) + .addConfigFieldResolver( + ConfigFieldResolver.builder() + .location(ConfigFieldResolver.Location.CLIENT) + .target(ConfigFieldResolver.Target.INITIALIZATION) + .resolver(SymbolUtils.createValueSymbolBuilder(SIGNER_RESOLVER).build()) + .build()) + .build() + ); + } + + @Override + public void writeAdditionalFiles( + GoSettings settings, + Model model, + SymbolProvider symbolProvider, + 
GoDelegator goDelegator + ) { + + if (!isS3Service(model, model.expectShape(settings.getService(), ServiceShape.class))) { + return; + } + + ServiceShape serviceShape = settings.getService(model); + goDelegator.useShapeWriter(serviceShape, writer -> { + writeCredentialProviderResolver(writer); + writeMiddlewareRegister(model, writer, serviceShape); + writerSignerInterface(writer); + writerConfigFieldResolver(writer, serviceShape); + writeNewV4ASignerFunc(writer, serviceShape); + }); + + } + + private void writeCredentialProviderResolver(GoWriter writer) { + final String fieldName = AddAwsConfigFields.CREDENTIALS_CONFIG_NAME; + + writer.openBlock("func $L(o *Options) {", "}", RESOLVE_CREDENTIAL_PROVIDER, () -> { + writer.openBlock("if o.$L == nil {", "}", fieldName, () -> writer.write("return")); + + Symbol adaptorSymbol = SymbolUtils.createPointableSymbolBuilder("SymmetricCredentialAdaptor", + AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + Symbol credentialProvider = SymbolUtils.createPointableSymbolBuilder("CredentialsProvider", + AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + + writer.openBlock("if _, ok := o.$L.($T); ok {", "}", fieldName, credentialProvider, + () -> writer.write("return")); + writer.write(""); + + Symbol anonymousCredentials = SymbolUtils.createPointableSymbolBuilder("AnonymousCredentials", + AwsGoDependency.AWS_CORE).build(); + writer.openBlock("switch o.$L.(type) {", "}", fieldName, () -> { + writer.openBlock("case $T, $P:", "", anonymousCredentials, anonymousCredentials, () -> { + writer.write("return"); + }); + }); + writer.write(""); + + writer.write("o.$L = &$T{SymmetricProvider: o.$L}", fieldName, adaptorSymbol, fieldName); + }); + } + + private void writerSignerInterface(GoWriter writer) { + writer.openBlock("type $L interface {", "}", V4A_SIGNER_INTERFACE_NAME, () -> { + writer.addUseImports(SmithyGoDependency.CONTEXT); + writer.addUseImports(AwsGoDependency.AWS_CORE); + 
writer.addUseImports(AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION); + writer.addUseImports(SmithyGoDependency.NET_HTTP); + writer.addUseImports(SmithyGoDependency.TIME); + writer.write("SignHTTP(ctx context.Context, credentials v4a.Credentials, r *http.Request, " + + "payloadHash string, service string, regionSet []string, signingTime time.Time, " + + "optFns ...func(*v4a.SignerOptions)) error"); + }); + } + + private void writerConfigFieldResolver(GoWriter writer, ServiceShape serviceShape) { + writer.openBlock("func $L(o *Options) {", "}", SIGNER_RESOLVER, () -> { + writer.openBlock("if o.$L != nil {", "}", SIGNER_OPTION_FIELD_NAME, () -> writer.write("return")); + writer.write("o.$L = $L(*o)", SIGNER_OPTION_FIELD_NAME, NEW_SIGNER_FUNC_NAME); + }); + writer.write(""); + } + + private void writeNewV4ASignerFunc(GoWriter writer, ServiceShape serviceShape) { + Symbol signerSymbol = SymbolUtils.createValueSymbolBuilder("Signer", + AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + Symbol newSignerSymbol = SymbolUtils.createValueSymbolBuilder("NewSigner", + AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + Symbol signerOptionsSymbol = SymbolUtils.createPointableSymbolBuilder("SignerOptions", + AwsCustomGoDependency.S3_SIGV4A_CUSTOMIZATION).build(); + + writer.openBlock("func $L(o Options) *$T {", "}", NEW_SIGNER_FUNC_NAME, signerSymbol, () -> { + writer.openBlock("return $T(func(so $P) {", "})", newSignerSymbol, signerOptionsSymbol, () -> { + writer.write("so.Logger = o.$L", AddAwsConfigFields.LOGGER_CONFIG_NAME); + writer.write("so.LogSigning = o.$L.IsSigning()", AddAwsConfigFields.LOG_MODE_CONFIG_NAME); + if (DISABLE_URI_PATH_ESCAPE.contains(serviceShape.getId().toString())) { + writer.write("so.DisableURIPathEscaping = true"); + } + }); + }); + } + + + private void writeMiddlewareRegister(Model model, GoWriter writer, ServiceShape serviceShape) { + writer.addUseImports(SmithyGoDependency.SMITHY_MIDDLEWARE); + Symbol registerSigningMiddleware = 
SymbolUtils.createValueSymbolBuilder( + "RegisterSigningMiddleware", AwsCustomGoDependency.S3_CUSTOMIZATION + ).build(); + + writer.openBlock("func $L(stack $P, o Options) error {", "}", REGISTER_MIDDLEWARE_FUNCTION, + SymbolUtils.createPointableSymbolBuilder("Stack", SmithyGoDependency.SMITHY_MIDDLEWARE).build(), () -> { + Symbol newMiddlewareSymbol = SymbolUtils.createValueSymbolBuilder( + "NewSignHTTPRequestMiddleware", AwsCustomGoDependency.S3_CUSTOMIZATION).build(); + Symbol middlewareOptionsSymbol = SymbolUtils.createValueSymbolBuilder( + "SignHTTPRequestMiddlewareOptions", AwsCustomGoDependency.S3_CUSTOMIZATION).build(); + + writer.openBlock("mw := $T($T{", "})", newMiddlewareSymbol, middlewareOptionsSymbol, () -> { + writer.write("CredentialsProvider: o.$L,", AddAwsConfigFields.CREDENTIALS_CONFIG_NAME); + writer.write("V4Signer: o.$L,", AwsSignatureVersion4.SIGNER_CONFIG_FIELD_NAME); + writer.write("V4aSigner: o.$L,", SIGNER_OPTION_FIELD_NAME); + writer.write("LogSigning: o.$L.IsSigning(),", AddAwsConfigFields.LOG_MODE_CONFIG_NAME); + }); + + writer.write("return $T(stack, mw)", registerSigningMiddleware); + }); + writer.write(""); + } + +} diff --git a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3UpdateEndpoint.java b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3UpdateEndpoint.java index 5bc92478204..3de8bead5d4 100644 --- a/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3UpdateEndpoint.java +++ b/codegen/smithy-aws-go-codegen/src/main/java/software/amazon/smithy/aws/go/codegen/customization/S3UpdateEndpoint.java 
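Review bot: The Go function emitted by writeCredentialProviderResolver overwrites `o.Credentials` with a `SymmetricCredentialAdaptor` wrapping the caller's provider, and neither the Java method nor the generated `resolveCredentialProvider` has a comment saying so. The generated client calls it from both `New` and `invokeOperation`, so code that later type-asserts the provider it originally configured will presumably stop matching. I would add a `writer.writeDocs(...)` call before the `openBlock` stating that the provider is wrapped unless it is nil, anonymous, or already a v4a `CredentialsProvider`, and a `writer.write("")` after the block so the next generated function is separated from it. Smaller points in the same file: `writerSignerInterface` and `writerConfigFieldResolver` look like typos for `write…`, and `DISABLE_URI_PATH_ESCAPE` and `NEW_SIGNER_FUNC_NAME` repeat values already defined in AwsSignatureVersion4.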
@@ -189,6 +189,9 @@ private static class S3 { // options to be generated on Client's options type private static final String USE_PATH_STYLE_OPTION = "UsePathStyle"; private static final String USE_ACCELERATE_OPTION = "UseAccelerate"; + private static final String DISABLE_MRAP_OPTION = "DisableMultiRegionAccessPoints"; + private static final String V4A_SIGNER_INTERFACE_NAME = "httpSignerV4a"; + // private function getter constant private static final String NOP_BUCKET_ACCESSOR = "nopGetBucketAccessor"; // service shape representing s3 @@ -236,6 +239,19 @@ private static List getClientPlugins() { + "accelerate enabled. If the bucket is not enabled for accelerate an error " + "will be returned. The bucket name must be DNS compatible to work " + "with accelerate.") + .build(), + ConfigField.builder() + .name(DISABLE_MRAP_OPTION) + .type(SymbolUtils.createValueSymbolBuilder("bool") + .putProperty(SymbolUtils.GO_UNIVERSE_TYPE, true) + .build()) + .documentation("Allows you to disable S3 Multi-Region access points feature.") + .build(), + ConfigField.builder() + .name(V4A_SIGNER_INTERFACE_NAME) + .type(SymbolUtils.createValueSymbolBuilder(V4A_SIGNER_INTERFACE_NAME) + .build()) + .documentation("Signature Version 4a (SigV4a) Signer") .build() )) .build() @@ -297,6 +313,7 @@ private void writeMiddlewareHelper( + "EndpointResolverOptions: options.EndpointOptions,\n" + "UseDualstack: options.$L,\n" + "UseARNRegion: options.$L,\n" + + "DisableMultiRegionAccessPoints: options.$L,\n" + "})", SymbolUtils.createValueSymbolBuilder(UPDATE_ENDPOINT_INTERNAL_ADDER, AwsCustomGoDependency.S3_CUSTOMIZATION).build(), @@ -311,7 +328,8 @@ private void writeMiddlewareHelper( !NOT_SUPPORT_ACCELERATE.contains(operationName), TARGET_OBJECT_LAMBDAS.contains(operationName), USE_DUALSTACK_OPTION, - USE_ARNREGION_OPTION + USE_ARNREGION_OPTION, + DISABLE_MRAP_OPTION ); }); writer.insertTrailingNewline(); 
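Review bot: `V4A_SIGNER_INTERFACE_NAME = "httpSignerV4a"` in hunk `@@ -189,6 +189,9 @@` is a second private copy of the constant declared in S3SignatureVersion4a, where the same string names both the generated interface and the Options field that `resolveHTTPSignerV4a` assigns. The ConfigField added in the `getClientPlugins` hunk and that resolver only line up while the two literals stay identical, and nothing visible here checks that at codegen time. Exposing a single constant, for example by making the S3SignatureVersion4a one package-visible, and referencing it here would remove the coupling. The `DisableMultiRegionAccessPoints` documentation string could also state that the default, false, leaves the feature enabled.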
diff --git a/codegen/smithy-aws-go-codegen/src/main/resources/META-INF/services/software.amazon.smithy.go.codegen.integration.GoIntegration b/codegen/smithy-aws-go-codegen/src/main/resources/META-INF/services/software.amazon.smithy.go.codegen.integration.GoIntegration index 9cde1a52539..21d099230c1 100644 --- a/codegen/smithy-aws-go-codegen/src/main/resources/META-INF/services/software.amazon.smithy.go.codegen.integration.GoIntegration +++ b/codegen/smithy-aws-go-codegen/src/main/resources/META-INF/services/software.amazon.smithy.go.codegen.integration.GoIntegration @@ -34,6 +34,7 @@ software.amazon.smithy.aws.go.codegen.customization.S3PaginationExtensions software.amazon.smithy.aws.go.codegen.AwsHttpPresignURLClientGenerator software.amazon.smithy.aws.go.codegen.ResolveClientConfigFromSources software.amazon.smithy.aws.go.codegen.customization.S3GetBucketLocation +software.amazon.smithy.aws.go.codegen.customization.S3SignatureVersion4a software.amazon.smithy.aws.go.codegen.RequestResponseLogging software.amazon.smithy.aws.go.codegen.customization.S3AddPutObjectUnseekableBodyDoc software.amazon.smithy.aws.go.codegen.customization.BackfillEc2UnboxedToBoxedShapes diff --git a/config/env_config.go b/config/env_config.go index 135ec3171c6..4871dc61bad 100644 --- a/config/env_config.go +++ b/config/env_config.go @@ -57,6 +57,8 @@ const ( awsEc2MetadataServiceEndpointEnvVar = "AWS_EC2_METADATA_SERVICE_ENDPOINT" awsEc2MetadataDisabled = "AWS_EC2_METADATA_DISABLED" + + awsS3DisableMultiRegionAccessPointEnvVar = "AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS" ) var ( @@ -202,6 +204,12 @@ type EnvConfig struct { // // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://fd00:ec2::254 EC2IMDSEndpoint string + + // Specifies if the S3 service should disable multi-region access points + // support. + // + // AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS=true + S3DisableMultiRegionAccessPoints *bool } // loadEnvConfig reads configuration values from the OS's environment variables. 
@@ -256,6 +264,10 @@ func NewEnvConfig() (EnvConfig, error) { } cfg.EC2IMDSEndpoint = os.Getenv(awsEc2MetadataServiceEndpointEnvVar) + if err := setBoolPtrFromEnvVal(&cfg.S3DisableMultiRegionAccessPoints, []string{awsS3DisableMultiRegionAccessPointEnvVar}); err != nil { + return cfg, err + } + return cfg, nil } @@ -363,6 +375,16 @@ func (c EnvConfig) GetS3UseARNRegion(ctx context.Context) (value, ok bool, err e return *c.S3UseARNRegion, true, nil } +// GetS3DisableMultRegionAccessPoints returns whether to disable multi-region access point +// support for the S3 client. +func (c EnvConfig) GetS3DisableMultRegionAccessPoints(ctx context.Context) (value, ok bool, err error) { + if c.S3DisableMultiRegionAccessPoints == nil { + return false, false, nil + } + + return *c.S3DisableMultiRegionAccessPoints, true, nil +} + func setStringFromEnvVal(dst *string, keys []string) { for _, k := range keys { if v := os.Getenv(k); len(v) > 0 { diff --git a/config/env_config_test.go b/config/env_config_test.go index afbe1e438e0..5feb8759631 100644 --- a/config/env_config_test.go +++ b/config/env_config_test.go @@ -316,6 +316,14 @@ func TestNewEnvConfig(t *testing.T) { }, Config: EnvConfig{}, }, + 24: { + Env: map[string]string{ + "AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS": "true", + }, + Config: EnvConfig{ + S3DisableMultiRegionAccessPoints: ptr.Bool(true), + }, + }, } for i, c := range cases { diff --git a/config/shared_config.go b/config/shared_config.go index 6206a222e0d..5593e887607 100644 --- a/config/shared_config.go +++ b/config/shared_config.go @@ -68,6 +68,9 @@ const ( // loading configuration from the config files if another profile name // is not provided. DefaultSharedConfigProfile = `default` + + // S3 Disable Multi-Region AccessPoints + s3DisableMultiRegionAccessPointsKey = `s3_disable_multiregion_access_points` ) // defaultSharedConfigProfile allows for swapping the default profile for testing 
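Review bot: The getter added to EnvConfig in hunk `@@ -363,6 +375,16 @@` is spelled `GetS3DisableMultRegionAccessPoints` (no "i" in "Multi"), while the SharedConfig getter added in config/shared_config.go is `GetS3DisableMultiRegionAccessPoints`. The interface that consumes these getters is not visible here. If it uses the SharedConfig spelling, EnvConfig will not satisfy it, and `AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS=true` would be parsed and then silently ignored, leaving the feature on for a user who asked to turn it off. Rename the method and its doc comment to `GetS3DisableMultiRegionAccessPoints`. The new test case 24 in env_config_test.go only compares the struct field, so a test that calls the getter, or a compile-time assertion against the provider interface, would catch this.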
@@ -167,6 +170,12 @@ type SharedConfig struct { // // ec2_metadata_service_endpoint=http://fd00:ec2::254 EC2IMDSEndpoint string + + // Specifies if the S3 service should disable support for Multi-Region + // access-points + // + // s3_disable_multiregion_access_points=true + S3DisableMultiRegionAccessPoints *bool } // GetS3UseARNRegion returns if the S3 service should allow ARNs to direct the region @@ -188,6 +197,16 @@ func (c SharedConfig) GetEnableEndpointDiscovery(ctx context.Context) (value aws return c.EnableEndpointDiscovery, true, nil } +// GetS3DisableMultiRegionAccessPoints returns if the S3 service should disable support for Multi-Region +// access-points. +func (c SharedConfig) GetS3DisableMultiRegionAccessPoints(ctx context.Context) (value, ok bool, err error) { + if c.S3DisableMultiRegionAccessPoints == nil { + return false, false, nil + } + + return *c.S3DisableMultiRegionAccessPoints, true, nil +} + // GetRegion returns the region for the profile if a region is set. func (c SharedConfig) getRegion(ctx context.Context) (string, bool, error) { if len(c.Region) == 0 { 
@@ -762,6 +781,25 @@ func mergeSections(dst, src ini.Sections) error { dstSection.UpdateSourceFile(s3UseARNRegionKey, srcSection.SourceFile[s3UseARNRegionKey]) } + if srcSection.Has(s3DisableMultiRegionAccessPointsKey) { + key := srcSection.String(s3DisableMultiRegionAccessPointsKey) + val, err := ini.NewStringValue(key) + if err != nil { + return fmt.Errorf("error merging s3DisableMultiRegionAccessPointsKey, %w", err) + } + + if dstSection.Has(s3DisableMultiRegionAccessPointsKey) { + dstSection.Logs = append(dstSection.Logs, + fmt.Sprintf("For profile: %v, overriding %v value, defined in %v "+ + "with a %v value found in a duplicate profile defined at file %v. \n", + sectionName, s3DisableMultiRegionAccessPointsKey, dstSection.SourceFile[s3DisableMultiRegionAccessPointsKey], + s3DisableMultiRegionAccessPointsKey, srcSection.SourceFile[s3DisableMultiRegionAccessPointsKey])) + } + + dstSection.UpdateValue(s3DisableMultiRegionAccessPointsKey, val) + dstSection.UpdateSourceFile(s3DisableMultiRegionAccessPointsKey, srcSection.SourceFile[s3DisableMultiRegionAccessPointsKey]) + } + // set srcSection on dst srcSection dst = dst.SetSection(sectionName, dstSection) } @@ -906,6 +944,7 @@ func (c *SharedConfig) setFromIniSection(profile string, section ini.Section) er updateEndpointDiscoveryType(&c.EnableEndpointDiscovery, section, enableEndpointDiscoveryKey) updateBoolPtr(&c.S3UseARNRegion, section, s3UseARNRegionKey) + updateBoolPtr(&c.S3DisableMultiRegionAccessPoints, section, s3DisableMultiRegionAccessPointsKey) if err := updateEC2MetadataServiceEndpointMode(&c.EC2IMDSEndpointMode, section, ec2MetadataServiceEndpointModeKey); err != nil { return fmt.Errorf("failed to load %s from shared config, %v", ec2MetadataServiceEndpointModeKey, err) diff --git a/config/shared_config_test.go b/config/shared_config_test.go index 85bb800b605..2e2f204c494 100644 --- a/config/shared_config_test.go +++ b/config/shared_config_test.go 
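Review bot: In the block added to mergeSections (hunk `@@ -762,6 +781,25 @@`), the local `key` actually holds the setting's value, and the error string embeds the Go identifier `s3DisableMultiRegionAccessPointsKey` instead of the config key a user would recognise. I would write `v := srcSection.String(s3DisableMultiRegionAccessPointsKey)` and `return fmt.Errorf("error merging %s, %w", s3DisableMultiRegionAccessPointsKey, err)`. The block also appears to mirror the `s3UseARNRegionKey` handling that ends just above it, so a small helper taking the key would keep the two from drifting. mergeSections starts and ends outside this hunk.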
@@ -151,6 +151,14 @@ func TestNewSharedConfig(t *testing.T) { S3UseARNRegion: ptr.Bool(true), }, }, + "S3DisableMultiRegionAccessPoints property on profile": { + Profile: "disable_mrap", + ConfigFilenames: []string{testConfigFilename}, + Expected: SharedConfig{ + Profile: "disable_mrap", + S3DisableMultiRegionAccessPoints: ptr.Bool(true), + }, + }, "EndpointDiscovery property enabled on profile": { Profile: "endpoint_discovery_enabled", ConfigFilenames: []string{testConfigFilename}, diff --git a/config/testdata/shared_config b/config/testdata/shared_config index e349f1dc052..86e73e68249 100644 --- a/config/testdata/shared_config +++ b/config/testdata/shared_config @@ -81,6 +81,9 @@ source_profile = assume_role_wo_creds [profile valid_arn_region] s3_use_arn_region=true +[profile disable_mrap] +s3_disable_multiregion_access_points=true + [profile endpoint_discovery_enabled] endpoint_discovery_enabled=true diff --git a/service/internal/s3shared/arn/accesspoint_arn.go b/service/internal/s3shared/arn/accesspoint_arn.go index 39aebaf3358..4f7017e84e7 100644 --- a/service/internal/s3shared/arn/accesspoint_arn.go +++ b/service/internal/s3shared/arn/accesspoint_arn.go @@ -25,9 +25,6 @@ func (a AccessPointARN) GetARN() arn.ARN { // - example: arn:aws:s3:us-west-2:012345678901:accesspoint/myaccesspoint // func ParseAccessPointResource(a arn.ARN, resParts []string) (AccessPointARN, error) { - if len(a.Region) == 0 { - return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "region not set"} - } if isFIPS(a.Region) { return AccessPointARN{}, InvalidARNError{ARN: a, Reason: "FIPS region not allowed in ARN"} } diff --git a/service/internal/s3shared/arn/accesspoint_arn_test.go b/service/internal/s3shared/arn/accesspoint_arn_test.go index 0f9f2991a98..51221b20f32 100644 --- a/service/internal/s3shared/arn/accesspoint_arn_test.go +++ b/service/internal/s3shared/arn/accesspoint_arn_test.go 
@@ -14,15 +14,6 @@ func TestParseAccessPointResource(t *testing.T) { ExpectErr string ExpectARN AccessPointARN }{ - "region not set": { - ARN: arn.ARN{ - Partition: "aws", - Service: "s3", - AccountID: "012345678901", - Resource: "accesspoint/myendpoint", - }, - ExpectErr: "region not set", - }, "account-id not set": { ARN: arn.ARN{ Partition: "aws", diff --git a/service/s3/api_client.go b/service/s3/api_client.go index ff98795e3ac..49d74516b55 100644 --- a/service/s3/api_client.go +++ b/service/s3/api_client.go @@ -15,6 +15,7 @@ import ( "github.com/aws/aws-sdk-go-v2/service/internal/s3shared" s3sharedconfig "github.com/aws/aws-sdk-go-v2/service/internal/s3shared/config" s3cust "github.com/aws/aws-sdk-go-v2/service/s3/internal/customizations" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a" smithy "github.com/aws/smithy-go" smithydocument "github.com/aws/smithy-go/document" "github.com/aws/smithy-go/logging" @@ -49,10 +50,14 @@ func New(options Options, optFns ...func(*Options)) *Client { resolveDefaultEndpointConfiguration(&options) + resolveHTTPSignerV4a(&options) + for _, fn := range optFns { fn(&options) } + resolveCredentialProvider(&options) + client := &Client{ options: options, } @@ -72,6 +77,9 @@ type Options struct { // The credentials object to use when signing requests. Credentials aws.CredentialsProvider + // Allows you to disable S3 Multi-Region access points feature. + DisableMultiRegionAccessPoints bool + // The endpoint options to be used when attempting to resolve an endpoint. EndpointOptions EndpointResolverOptions @@ -110,6 +118,9 @@ type Options struct { // hosted bucket addressing when possible(https://BUCKET.s3.amazonaws.com/KEY). UsePathStyle bool + // Signature Version 4a (SigV4a) Signer + httpSignerV4a httpSignerV4a + // The HTTP client to invoke API calls with. Defaults to client's default HTTP // implementation if nil. HTTPClient HTTPClient 
@@ -150,6 +161,8 @@ func (c *Client) invokeOperation(ctx context.Context, opID string, params interf fn(&options) } + resolveCredentialProvider(&options) + for _, fn := range stackFns { if err := fn(stack, options); err != nil { return nil, metadata, err @@ -286,6 +299,51 @@ func resolveUseARNRegion(cfg aws.Config, o *Options) error { return nil } +func resolveCredentialProvider(o *Options) { + if o.Credentials == nil { + return + } + if _, ok := o.Credentials.(v4a.CredentialsProvider); ok { + return + } + + switch o.Credentials.(type) { + case aws.AnonymousCredentials, *aws.AnonymousCredentials: + return + + } + + o.Credentials = &v4a.SymmetricCredentialAdaptor{SymmetricProvider: o.Credentials} +} +func swapWithCustomHTTPSignerMiddleware(stack *middleware.Stack, o Options) error { + mw := s3cust.NewSignHTTPRequestMiddleware(s3cust.SignHTTPRequestMiddlewareOptions{ + CredentialsProvider: o.Credentials, + V4Signer: o.HTTPSignerV4, + V4aSigner: o.httpSignerV4a, + LogSigning: o.ClientLogMode.IsSigning(), + }) + return s3cust.RegisterSigningMiddleware(stack, mw) +} + +type httpSignerV4a interface { + SignHTTP(ctx context.Context, credentials v4a.Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*v4a.SignerOptions)) error +} + +func resolveHTTPSignerV4a(o *Options) { + if o.httpSignerV4a != nil { + return + } + o.httpSignerV4a = newDefaultV4aSigner(*o) +} + +func newDefaultV4aSigner(o Options) *v4a.Signer { + return v4a.NewSigner(func(so *v4a.SignerOptions) { + so.Logger = o.Logger + so.LogSigning = o.ClientLogMode.IsSigning() + so.DisableURIPathEscaping = true + }) +} + func addMetadataRetrieverMiddleware(stack *middleware.Stack) error { return s3shared.AddMetadataRetrieverMiddleware(stack) } 
@@ -331,6 +389,16 @@ type HTTPPresignerV4 interface { ) (url string, signedHeader http.Header, err error) } +// httpPresignerV4a represents sigv4a presigner interface used by presign url +// client +type httpPresignerV4a interface { + PresignHTTP( + ctx context.Context, credentials v4a.Credentials, r *http.Request, + payloadHash string, service string, regionSet []string, signingTime time.Time, + optFns ...func(*v4a.SignerOptions), + ) (url string, signedHeader http.Header, err error) +} + // PresignOptions represents the presign client options type PresignOptions struct { @@ -345,6 +413,9 @@ type PresignOptions struct { // be the duration in seconds the presigned URL should be considered valid for. If // not set or set to zero, presign url would default to expire after 900 seconds. Expires time.Duration + + // presignerV4a is the presigner used by the presign url client + presignerV4a httpPresignerV4a } func (o PresignOptions) copy() PresignOptions { @@ -399,6 +470,10 @@ func NewPresignClient(c *Client, optFns ...func(*PresignOptions)) *PresignClient options.Presigner = newDefaultV4Signer(c.options) } + if options.presignerV4a == nil { + options.presignerV4a = newDefaultV4aSigner(c.options) + } + return &PresignClient{ client: c, options: options, @@ -425,6 +500,19 @@ func (c presignConverter) convertToPresignMiddleware(stack *middleware.Stack, op if err != nil { return err } + + // add multi-region access point presigner + signermv := s3cust.NewPresignHTTPRequestMiddleware(s3cust.PresignHTTPRequestMiddlewareOptions{ + CredentialsProvider: options.Credentials, + V4Presigner: c.Presigner, + V4aPresigner: c.presignerV4a, + LogSigning: options.ClientLogMode.IsSigning(), + }) + err = s3cust.RegisterPreSigningMiddleware(stack, signermv) + if err != nil { + return err + } + if c.Expires < 0 { return fmt.Errorf("presign URL duration must be 0 or greater, %v", c.Expires) } 
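Review bot: The comment `// add multi-region access point presigner` in `convertToPresignMiddleware` undersells what the block does. The middleware is given both `c.Presigner` and `c.presignerV4a`, so it appears to take over presigning for every request and choose the signer itself. Assuming that is how `NewPresignHTTPRequestMiddleware` behaves, `// register the presign middleware that chooses between the SigV4 and SigV4a presigner` would be more accurate. The local name `signermv` also reads like a typo for `signermw`. The function starts and ends outside this hunk, and the text is emitted by the generator change earlier in this commit, so the edit belongs there.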
diff --git a/service/s3/api_op_AbortMultipartUpload.go b/service/s3/api_op_AbortMultipartUpload.go index 12f57bbe09e..cdbb30d0900 100644 --- a/service/s3/api_op_AbortMultipartUpload.go +++ b/service/s3/api_op_AbortMultipartUpload.go @@ -165,6 +165,9 @@ func (c *Client) addOperationAbortMultipartUploadMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpAbortMultipartUploadValidationMiddleware(stack); err != nil { return err } @@ -216,13 +219,14 @@ func addAbortMultipartUploadUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getAbortMultipartUploadBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_CompleteMultipartUpload.go b/service/s3/api_op_CompleteMultipartUpload.go index d5af16fad9b..993572f722d 100644 --- a/service/s3/api_op_CompleteMultipartUpload.go +++ b/service/s3/api_op_CompleteMultipartUpload.go 
@@ -275,6 +275,9 @@ func (c *Client) addOperationCompleteMultipartUploadMiddlewares(stack *middlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpCompleteMultipartUploadValidationMiddleware(stack); err != nil { return err } @@ -329,13 +332,14 @@ func addCompleteMultipartUploadUpdateEndpoint(stack *middleware.Stack, options O Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getCompleteMultipartUploadBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_CopyObject.go b/service/s3/api_op_CopyObject.go index bf282ec0812..8196b76a93a 100644 --- a/service/s3/api_op_CopyObject.go +++ b/service/s3/api_op_CopyObject.go @@ -485,6 +485,9 @@ func (c *Client) addOperationCopyObjectMiddlewares(stack *middleware.Stack, opti if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpCopyObjectValidationMiddleware(stack); err != nil { return err } 
@@ -538,13 +541,14 @@ func addCopyObjectUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getCopyObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_CreateBucket.go b/service/s3/api_op_CreateBucket.go index 00e79b1fd86..5c8596da7a4 100644 --- a/service/s3/api_op_CreateBucket.go +++ b/service/s3/api_op_CreateBucket.go @@ -221,6 +221,9 @@ func (c *Client) addOperationCreateBucketMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpCreateBucketValidationMiddleware(stack); err != nil { return err } 
@@ -272,13 +275,14 @@ func addCreateBucketUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getCreateBucketBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: false, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: false, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_CreateMultipartUpload.go b/service/s3/api_op_CreateMultipartUpload.go index 821905530dd..92d25bdf44b 100644 --- a/service/s3/api_op_CreateMultipartUpload.go +++ b/service/s3/api_op_CreateMultipartUpload.go @@ -531,6 +531,9 @@ func (c *Client) addOperationCreateMultipartUploadMiddlewares(stack *middleware. if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpCreateMultipartUploadValidationMiddleware(stack); err != nil { return err } 
@@ -582,13 +585,14 @@ func addCreateMultipartUploadUpdateEndpoint(stack *middleware.Stack, options Opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getCreateMultipartUploadBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucket.go b/service/s3/api_op_DeleteBucket.go index 7f875f9065a..3d43d1ab780 100644 --- a/service/s3/api_op_DeleteBucket.go +++ b/service/s3/api_op_DeleteBucket.go @@ -102,6 +102,9 @@ func (c *Client) addOperationDeleteBucketMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketValidationMiddleware(stack); err != nil { return err } 
@@ -153,13 +156,14 @@ func addDeleteBucketUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: false, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: false, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketAnalyticsConfiguration.go b/service/s3/api_op_DeleteBucketAnalyticsConfiguration.go index 0b885c62653..e5603aebc78 100644 --- a/service/s3/api_op_DeleteBucketAnalyticsConfiguration.go +++ b/service/s3/api_op_DeleteBucketAnalyticsConfiguration.go @@ -122,6 +122,9 @@ func (c *Client) addOperationDeleteBucketAnalyticsConfigurationMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketAnalyticsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -173,13 +176,14 @@ func addDeleteBucketAnalyticsConfigurationUpdateEndpoint(stack *middleware.Stack Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketAnalyticsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketCors.go b/service/s3/api_op_DeleteBucketCors.go index 67e33c20ff5..12651222715 100644 --- a/service/s3/api_op_DeleteBucketCors.go +++ b/service/s3/api_op_DeleteBucketCors.go @@ -105,6 +105,9 @@ func (c *Client) addOperationDeleteBucketCorsMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketCorsValidationMiddleware(stack); err != nil { return err } 
@@ -156,13 +159,14 @@ func addDeleteBucketCorsUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketCorsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketEncryption.go b/service/s3/api_op_DeleteBucketEncryption.go index bb0aceb14ed..0ec41d860f6 100644 --- a/service/s3/api_op_DeleteBucketEncryption.go +++ b/service/s3/api_op_DeleteBucketEncryption.go @@ -113,6 +113,9 @@ func (c *Client) addOperationDeleteBucketEncryptionMiddlewares(stack *middleware if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketEncryptionValidationMiddleware(stack); err != nil { return err } 
@@ -164,13 +167,14 @@ func addDeleteBucketEncryptionUpdateEndpoint(stack *middleware.Stack, options Op Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketEncryptionBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketIntelligentTieringConfiguration.go b/service/s3/api_op_DeleteBucketIntelligentTieringConfiguration.go index de02eb75dae..7af33b45ec6 100644 --- a/service/s3/api_op_DeleteBucketIntelligentTieringConfiguration.go +++ b/service/s3/api_op_DeleteBucketIntelligentTieringConfiguration.go @@ -121,6 +121,9 @@ func (c *Client) addOperationDeleteBucketIntelligentTieringConfigurationMiddlewa if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketIntelligentTieringConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -172,13 +175,14 @@ func addDeleteBucketIntelligentTieringConfigurationUpdateEndpoint(stack *middlew Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketIntelligentTieringConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketInventoryConfiguration.go b/service/s3/api_op_DeleteBucketInventoryConfiguration.go index 5d0595266f1..2fdcba3450d 100644 --- a/service/s3/api_op_DeleteBucketInventoryConfiguration.go +++ b/service/s3/api_op_DeleteBucketInventoryConfiguration.go @@ -121,6 +121,9 @@ func (c *Client) addOperationDeleteBucketInventoryConfigurationMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketInventoryConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -172,13 +175,14 @@ func addDeleteBucketInventoryConfigurationUpdateEndpoint(stack *middleware.Stack Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketInventoryConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketLifecycle.go b/service/s3/api_op_DeleteBucketLifecycle.go index ae5776b2993..c1505017fbf 100644 --- a/service/s3/api_op_DeleteBucketLifecycle.go +++ b/service/s3/api_op_DeleteBucketLifecycle.go @@ -111,6 +111,9 @@ func (c *Client) addOperationDeleteBucketLifecycleMiddlewares(stack *middleware. if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketLifecycleValidationMiddleware(stack); err != nil { return err } 
@@ -162,13 +165,14 @@ func addDeleteBucketLifecycleUpdateEndpoint(stack *middleware.Stack, options Opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketLifecycleBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketMetricsConfiguration.go b/service/s3/api_op_DeleteBucketMetricsConfiguration.go index 13908663c01..a6ed77d2e48 100644 --- a/service/s3/api_op_DeleteBucketMetricsConfiguration.go +++ b/service/s3/api_op_DeleteBucketMetricsConfiguration.go @@ -127,6 +127,9 @@ func (c *Client) addOperationDeleteBucketMetricsConfigurationMiddlewares(stack * if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketMetricsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -178,13 +181,14 @@ func addDeleteBucketMetricsConfigurationUpdateEndpoint(stack *middleware.Stack, Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketMetricsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketOwnershipControls.go b/service/s3/api_op_DeleteBucketOwnershipControls.go index 71007f2097e..82211a1f4ec 100644 --- a/service/s3/api_op_DeleteBucketOwnershipControls.go +++ b/service/s3/api_op_DeleteBucketOwnershipControls.go @@ -104,6 +104,9 @@ func (c *Client) addOperationDeleteBucketOwnershipControlsMiddlewares(stack *mid if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketOwnershipControlsValidationMiddleware(stack); err != nil { return err } 
@@ -155,13 +158,14 @@ func addDeleteBucketOwnershipControlsUpdateEndpoint(stack *middleware.Stack, opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketOwnershipControlsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketPolicy.go b/service/s3/api_op_DeleteBucketPolicy.go index 6b2b03b1d09..c76b8ac428f 100644 --- a/service/s3/api_op_DeleteBucketPolicy.go +++ b/service/s3/api_op_DeleteBucketPolicy.go @@ -114,6 +114,9 @@ func (c *Client) addOperationDeleteBucketPolicyMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketPolicyValidationMiddleware(stack); err != nil { return err } 
@@ -165,13 +168,14 @@ func addDeleteBucketPolicyUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketPolicyBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketReplication.go b/service/s3/api_op_DeleteBucketReplication.go index ef8e1712d4f..214b55c0cb8 100644 --- a/service/s3/api_op_DeleteBucketReplication.go +++ b/service/s3/api_op_DeleteBucketReplication.go @@ -112,6 +112,9 @@ func (c *Client) addOperationDeleteBucketReplicationMiddlewares(stack *middlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketReplicationValidationMiddleware(stack); err != nil { return err } 
@@ -163,13 +166,14 @@ func addDeleteBucketReplicationUpdateEndpoint(stack *middleware.Stack, options O Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketReplicationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketTagging.go b/service/s3/api_op_DeleteBucketTagging.go index f62cb831cc6..b06905471ec 100644 --- a/service/s3/api_op_DeleteBucketTagging.go +++ b/service/s3/api_op_DeleteBucketTagging.go @@ -103,6 +103,9 @@ func (c *Client) addOperationDeleteBucketTaggingMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -154,13 +157,14 @@ func addDeleteBucketTaggingUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteBucketWebsite.go b/service/s3/api_op_DeleteBucketWebsite.go index b9932589bc1..200eec07a80 100644 --- a/service/s3/api_op_DeleteBucketWebsite.go +++ b/service/s3/api_op_DeleteBucketWebsite.go @@ -112,6 +112,9 @@ func (c *Client) addOperationDeleteBucketWebsiteMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteBucketWebsiteValidationMiddleware(stack); err != nil { return err } 
@@ -163,13 +166,14 @@ func addDeleteBucketWebsiteUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteBucketWebsiteBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteObject.go b/service/s3/api_op_DeleteObject.go index 321f9b8ad06..85ad072fadb 100644 --- a/service/s3/api_op_DeleteObject.go +++ b/service/s3/api_op_DeleteObject.go @@ -172,6 +172,9 @@ func (c *Client) addOperationDeleteObjectMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteObjectValidationMiddleware(stack); err != nil { return err } 
@@ -223,13 +226,14 @@ func addDeleteObjectUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteObjectTagging.go b/service/s3/api_op_DeleteObjectTagging.go index b952ee9f0cc..cf7a5437e75 100644 --- a/service/s3/api_op_DeleteObjectTagging.go +++ b/service/s3/api_op_DeleteObjectTagging.go @@ -135,6 +135,9 @@ func (c *Client) addOperationDeleteObjectTaggingMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteObjectTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -186,13 +189,14 @@ func addDeleteObjectTaggingUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteObjectTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeleteObjects.go b/service/s3/api_op_DeleteObjects.go index a604c7c2c0b..94de978afd0 100644 --- a/service/s3/api_op_DeleteObjects.go +++ b/service/s3/api_op_DeleteObjects.go @@ -190,6 +190,9 @@ func (c *Client) addOperationDeleteObjectsMiddlewares(stack *middleware.Stack, o if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeleteObjectsValidationMiddleware(stack); err != nil { return err } 
@@ -244,13 +247,14 @@ func addDeleteObjectsUpdateEndpoint(stack *middleware.Stack, options Options) er Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeleteObjectsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_DeletePublicAccessBlock.go b/service/s3/api_op_DeletePublicAccessBlock.go index 75a3c2a4c1e..020d364f6f0 100644 --- a/service/s3/api_op_DeletePublicAccessBlock.go +++ b/service/s3/api_op_DeletePublicAccessBlock.go @@ -116,6 +116,9 @@ func (c *Client) addOperationDeletePublicAccessBlockMiddlewares(stack *middlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpDeletePublicAccessBlockValidationMiddleware(stack); err != nil { return err } 
@@ -167,13 +170,14 @@ func addDeletePublicAccessBlockUpdateEndpoint(stack *middleware.Stack, options O Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getDeletePublicAccessBlockBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketAccelerateConfiguration.go b/service/s3/api_op_GetBucketAccelerateConfiguration.go index 7cf04a28f1f..7d091252e38 100644 --- a/service/s3/api_op_GetBucketAccelerateConfiguration.go +++ b/service/s3/api_op_GetBucketAccelerateConfiguration.go @@ -121,6 +121,9 @@ func (c *Client) addOperationGetBucketAccelerateConfigurationMiddlewares(stack * if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketAccelerateConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -172,13 +175,14 @@ func addGetBucketAccelerateConfigurationUpdateEndpoint(stack *middleware.Stack, Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketAccelerateConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketAcl.go b/service/s3/api_op_GetBucketAcl.go index 62fbd81df3b..279335a50c7 100644 --- a/service/s3/api_op_GetBucketAcl.go +++ b/service/s3/api_op_GetBucketAcl.go @@ -108,6 +108,9 @@ func (c *Client) addOperationGetBucketAclMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketAclValidationMiddleware(stack); err != nil { return err } 
@@ -159,13 +162,14 @@ func addGetBucketAclUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketAclBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketAnalyticsConfiguration.go b/service/s3/api_op_GetBucketAnalyticsConfiguration.go index f52fbbc82ee..80590a22347 100644 --- a/service/s3/api_op_GetBucketAnalyticsConfiguration.go +++ b/service/s3/api_op_GetBucketAnalyticsConfiguration.go @@ -127,6 +127,9 @@ func (c *Client) addOperationGetBucketAnalyticsConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketAnalyticsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -178,13 +181,14 @@ func addGetBucketAnalyticsConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketAnalyticsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketCors.go b/service/s3/api_op_GetBucketCors.go index 5c075930eae..f68207794ee 100644 --- a/service/s3/api_op_GetBucketCors.go +++ b/service/s3/api_op_GetBucketCors.go @@ -111,6 +111,9 @@ func (c *Client) addOperationGetBucketCorsMiddlewares(stack *middleware.Stack, o if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketCorsValidationMiddleware(stack); err != nil { return err } 
@@ -162,13 +165,14 @@ func addGetBucketCorsUpdateEndpoint(stack *middleware.Stack, options Options) er Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketCorsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketEncryption.go b/service/s3/api_op_GetBucketEncryption.go index d10c4c034b3..ca872e2276d 100644 --- a/service/s3/api_op_GetBucketEncryption.go +++ b/service/s3/api_op_GetBucketEncryption.go @@ -121,6 +121,9 @@ func (c *Client) addOperationGetBucketEncryptionMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketEncryptionValidationMiddleware(stack); err != nil { return err } 
@@ -172,13 +175,14 @@ func addGetBucketEncryptionUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketEncryptionBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketIntelligentTieringConfiguration.go b/service/s3/api_op_GetBucketIntelligentTieringConfiguration.go index 1c5b1ce7c94..9d96a1a8bbe 100644 --- a/service/s3/api_op_GetBucketIntelligentTieringConfiguration.go +++ b/service/s3/api_op_GetBucketIntelligentTieringConfiguration.go @@ -126,6 +126,9 @@ func (c *Client) addOperationGetBucketIntelligentTieringConfigurationMiddlewares if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketIntelligentTieringConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -177,13 +180,14 @@ func addGetBucketIntelligentTieringConfigurationUpdateEndpoint(stack *middleware Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketIntelligentTieringConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketInventoryConfiguration.go b/service/s3/api_op_GetBucketInventoryConfiguration.go index 3cdabc5bd5d..4911e92c03e 100644 --- a/service/s3/api_op_GetBucketInventoryConfiguration.go +++ b/service/s3/api_op_GetBucketInventoryConfiguration.go @@ -125,6 +125,9 @@ func (c *Client) addOperationGetBucketInventoryConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketInventoryConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -176,13 +179,14 @@ func addGetBucketInventoryConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketInventoryConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketLifecycleConfiguration.go b/service/s3/api_op_GetBucketLifecycleConfiguration.go index e25bd5e2f00..2f11411e990 100644 --- a/service/s3/api_op_GetBucketLifecycleConfiguration.go +++ b/service/s3/api_op_GetBucketLifecycleConfiguration.go @@ -142,6 +142,9 @@ func (c *Client) addOperationGetBucketLifecycleConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketLifecycleConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -193,13 +196,14 @@ func addGetBucketLifecycleConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketLifecycleConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketLocation.go b/service/s3/api_op_GetBucketLocation.go index cd896c89c44..7990e01f749 100644 --- a/service/s3/api_op_GetBucketLocation.go +++ b/service/s3/api_op_GetBucketLocation.go @@ -125,6 +125,9 @@ func (c *Client) addOperationGetBucketLocationMiddlewares(stack *middleware.Stac if err = swapDeserializerHelper(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketLocationValidationMiddleware(stack); err != nil { return err } 
@@ -232,13 +235,14 @@ func addGetBucketLocationUpdateEndpoint(stack *middleware.Stack, options Options Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketLocationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketLogging.go b/service/s3/api_op_GetBucketLogging.go index 755e7ee584d..ca285e65f37 100644 --- a/service/s3/api_op_GetBucketLogging.go +++ b/service/s3/api_op_GetBucketLogging.go @@ -110,6 +110,9 @@ func (c *Client) addOperationGetBucketLoggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketLoggingValidationMiddleware(stack); err != nil { return err } 
@@ -161,13 +164,14 @@ func addGetBucketLoggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketLoggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketMetricsConfiguration.go b/service/s3/api_op_GetBucketMetricsConfiguration.go index 20586ec0a5e..84ca4f3423b 100644 --- a/service/s3/api_op_GetBucketMetricsConfiguration.go +++ b/service/s3/api_op_GetBucketMetricsConfiguration.go @@ -132,6 +132,9 @@ func (c *Client) addOperationGetBucketMetricsConfigurationMiddlewares(stack *mid if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketMetricsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -183,13 +186,14 @@ func addGetBucketMetricsConfigurationUpdateEndpoint(stack *middleware.Stack, opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketMetricsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketNotificationConfiguration.go b/service/s3/api_op_GetBucketNotificationConfiguration.go index 471b9cce9e4..75e740b43eb 100644 --- a/service/s3/api_op_GetBucketNotificationConfiguration.go +++ b/service/s3/api_op_GetBucketNotificationConfiguration.go @@ -123,6 +123,9 @@ func (c *Client) addOperationGetBucketNotificationConfigurationMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketNotificationConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -174,13 +177,14 @@ func addGetBucketNotificationConfigurationUpdateEndpoint(stack *middleware.Stack Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketNotificationConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketOwnershipControls.go b/service/s3/api_op_GetBucketOwnershipControls.go index 889544cd9db..7d0425a015f 100644 --- a/service/s3/api_op_GetBucketOwnershipControls.go +++ b/service/s3/api_op_GetBucketOwnershipControls.go @@ -110,6 +110,9 @@ func (c *Client) addOperationGetBucketOwnershipControlsMiddlewares(stack *middle if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketOwnershipControlsValidationMiddleware(stack); err != nil { return err } 
@@ -161,13 +164,14 @@ func addGetBucketOwnershipControlsUpdateEndpoint(stack *middleware.Stack, option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketOwnershipControlsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketPolicy.go b/service/s3/api_op_GetBucketPolicy.go index ca63f969963..4d4c1a671a4 100644 --- a/service/s3/api_op_GetBucketPolicy.go +++ b/service/s3/api_op_GetBucketPolicy.go @@ -113,6 +113,9 @@ func (c *Client) addOperationGetBucketPolicyMiddlewares(stack *middleware.Stack, if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketPolicyValidationMiddleware(stack); err != nil { return err } 
@@ -164,13 +167,14 @@ func addGetBucketPolicyUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketPolicyBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketPolicyStatus.go b/service/s3/api_op_GetBucketPolicyStatus.go index 0c3c32f2334..2cba9cb4ee9 100644 --- a/service/s3/api_op_GetBucketPolicyStatus.go +++ b/service/s3/api_op_GetBucketPolicyStatus.go @@ -122,6 +122,9 @@ func (c *Client) addOperationGetBucketPolicyStatusMiddlewares(stack *middleware. if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketPolicyStatusValidationMiddleware(stack); err != nil { return err } 
@@ -173,13 +176,14 @@ func addGetBucketPolicyStatusUpdateEndpoint(stack *middleware.Stack, options Opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketPolicyStatusBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketReplication.go b/service/s3/api_op_GetBucketReplication.go index eb7abf100c4..acf3b3789f0 100644 --- a/service/s3/api_op_GetBucketReplication.go +++ b/service/s3/api_op_GetBucketReplication.go @@ -121,6 +121,9 @@ func (c *Client) addOperationGetBucketReplicationMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketReplicationValidationMiddleware(stack); err != nil { return err } 
@@ -172,13 +175,14 @@ func addGetBucketReplicationUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketReplicationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketRequestPayment.go b/service/s3/api_op_GetBucketRequestPayment.go index 76461ce13b0..2afcd656fff 100644 --- a/service/s3/api_op_GetBucketRequestPayment.go +++ b/service/s3/api_op_GetBucketRequestPayment.go @@ -105,6 +105,9 @@ func (c *Client) addOperationGetBucketRequestPaymentMiddlewares(stack *middlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketRequestPaymentValidationMiddleware(stack); err != nil { return err } 
@@ -156,13 +159,14 @@ func addGetBucketRequestPaymentUpdateEndpoint(stack *middleware.Stack, options O Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketRequestPaymentBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketTagging.go b/service/s3/api_op_GetBucketTagging.go index a6cd5532fb3..51db0ab1286 100644 --- a/service/s3/api_op_GetBucketTagging.go +++ b/service/s3/api_op_GetBucketTagging.go @@ -119,6 +119,9 @@ func (c *Client) addOperationGetBucketTaggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -170,13 +173,14 @@ func addGetBucketTaggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketVersioning.go b/service/s3/api_op_GetBucketVersioning.go index 9c2b8caccd0..7c3cccd85a4 100644 --- a/service/s3/api_op_GetBucketVersioning.go +++ b/service/s3/api_op_GetBucketVersioning.go @@ -119,6 +119,9 @@ func (c *Client) addOperationGetBucketVersioningMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketVersioningValidationMiddleware(stack); err != nil { return err } 
@@ -170,13 +173,14 @@ func addGetBucketVersioningUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketVersioningBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetBucketWebsite.go b/service/s3/api_op_GetBucketWebsite.go index 43c0c61fe3b..ebf126c08ab 100644 --- a/service/s3/api_op_GetBucketWebsite.go +++ b/service/s3/api_op_GetBucketWebsite.go @@ -123,6 +123,9 @@ func (c *Client) addOperationGetBucketWebsiteMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetBucketWebsiteValidationMiddleware(stack); err != nil { return err } 
@@ -174,13 +177,14 @@ func addGetBucketWebsiteUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetBucketWebsiteBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObject.go b/service/s3/api_op_GetObject.go index a29253621ca..2784e083924 100644 --- a/service/s3/api_op_GetObject.go +++ b/service/s3/api_op_GetObject.go @@ -435,6 +435,9 @@ func (c *Client) addOperationGetObjectMiddlewares(stack *middleware.Stack, optio if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectValidationMiddleware(stack); err != nil { return err } 
@@ -485,14 +488,15 @@ func addGetObjectUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectAcl.go b/service/s3/api_op_GetObjectAcl.go index f7d4f119d42..7abd6a1bbf0 100644 --- a/service/s3/api_op_GetObjectAcl.go +++ b/service/s3/api_op_GetObjectAcl.go @@ -144,6 +144,9 @@ func (c *Client) addOperationGetObjectAclMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectAclValidationMiddleware(stack); err != nil { return err } 
@@ -195,13 +198,14 @@ func addGetObjectAclUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectAclBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectLegalHold.go b/service/s3/api_op_GetObjectLegalHold.go index 997da86f726..498ee1a4fc5 100644 --- a/service/s3/api_op_GetObjectLegalHold.go +++ b/service/s3/api_op_GetObjectLegalHold.go @@ -124,6 +124,9 @@ func (c *Client) addOperationGetObjectLegalHoldMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectLegalHoldValidationMiddleware(stack); err != nil { return err } 
@@ -175,13 +178,14 @@ func addGetObjectLegalHoldUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectLegalHoldBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectLockConfiguration.go b/service/s3/api_op_GetObjectLockConfiguration.go index 6441ac3ea8c..33034d6b975 100644 --- a/service/s3/api_op_GetObjectLockConfiguration.go +++ b/service/s3/api_op_GetObjectLockConfiguration.go @@ -109,6 +109,9 @@ func (c *Client) addOperationGetObjectLockConfigurationMiddlewares(stack *middle if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectLockConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -160,13 +163,14 @@ func addGetObjectLockConfigurationUpdateEndpoint(stack *middleware.Stack, option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectLockConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectRetention.go b/service/s3/api_op_GetObjectRetention.go index 63ebb3e2458..99882e3f728 100644 --- a/service/s3/api_op_GetObjectRetention.go +++ b/service/s3/api_op_GetObjectRetention.go @@ -124,6 +124,9 @@ func (c *Client) addOperationGetObjectRetentionMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectRetentionValidationMiddleware(stack); err != nil { return err } 
@@ -175,13 +178,14 @@ func addGetObjectRetentionUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectRetentionBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectTagging.go b/service/s3/api_op_GetObjectTagging.go index fe2a88b3112..dfff1fbf833 100644 --- a/service/s3/api_op_GetObjectTagging.go +++ b/service/s3/api_op_GetObjectTagging.go @@ -152,6 +152,9 @@ func (c *Client) addOperationGetObjectTaggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -203,13 +206,14 @@ func addGetObjectTaggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetObjectTorrent.go b/service/s3/api_op_GetObjectTorrent.go index 58ec5425af8..e3cd8e116c7 100644 --- a/service/s3/api_op_GetObjectTorrent.go +++ b/service/s3/api_op_GetObjectTorrent.go @@ -124,6 +124,9 @@ func (c *Client) addOperationGetObjectTorrentMiddlewares(stack *middleware.Stack if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetObjectTorrentValidationMiddleware(stack); err != nil { return err } 
@@ -175,13 +178,14 @@ func addGetObjectTorrentUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetObjectTorrentBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_GetPublicAccessBlock.go b/service/s3/api_op_GetPublicAccessBlock.go index 428b6cc6006..9c273482f3c 100644 --- a/service/s3/api_op_GetPublicAccessBlock.go +++ b/service/s3/api_op_GetPublicAccessBlock.go @@ -129,6 +129,9 @@ func (c *Client) addOperationGetPublicAccessBlockMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpGetPublicAccessBlockValidationMiddleware(stack); err != nil { return err } 
@@ -180,13 +183,14 @@ func addGetPublicAccessBlockUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getGetPublicAccessBlockBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_HeadBucket.go b/service/s3/api_op_HeadBucket.go index 8b1bc3983ed..9e4819beaef 100644 --- a/service/s3/api_op_HeadBucket.go +++ b/service/s3/api_op_HeadBucket.go @@ -134,6 +134,9 @@ func (c *Client) addOperationHeadBucketMiddlewares(stack *middleware.Stack, opti if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpHeadBucketValidationMiddleware(stack); err != nil { return err } 
@@ -477,13 +480,14 @@ func addHeadBucketUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getHeadBucketBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_HeadObject.go b/service/s3/api_op_HeadObject.go index 17edbd5ca3c..e904a5fe414 100644 --- a/service/s3/api_op_HeadObject.go +++ b/service/s3/api_op_HeadObject.go @@ -428,6 +428,9 @@ func (c *Client) addOperationHeadObjectMiddlewares(stack *middleware.Stack, opti if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpHeadObjectValidationMiddleware(stack); err != nil { return err } 
@@ -781,14 +784,15 @@ func addHeadObjectUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getHeadObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListBucketAnalyticsConfigurations.go b/service/s3/api_op_ListBucketAnalyticsConfigurations.go index 3c61f1a9277..8bc16e360c0 100644 --- a/service/s3/api_op_ListBucketAnalyticsConfigurations.go +++ b/service/s3/api_op_ListBucketAnalyticsConfigurations.go @@ -147,6 +147,9 @@ func (c *Client) addOperationListBucketAnalyticsConfigurationsMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListBucketAnalyticsConfigurationsValidationMiddleware(stack); err != nil { return err } 
@@ -198,13 +201,14 @@ func addListBucketAnalyticsConfigurationsUpdateEndpoint(stack *middleware.Stack, Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListBucketAnalyticsConfigurationsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListBucketIntelligentTieringConfigurations.go b/service/s3/api_op_ListBucketIntelligentTieringConfigurations.go index b039b4a9380..fec55c34a43 100644 --- a/service/s3/api_op_ListBucketIntelligentTieringConfigurations.go +++ b/service/s3/api_op_ListBucketIntelligentTieringConfigurations.go @@ -139,6 +139,9 @@ func (c *Client) addOperationListBucketIntelligentTieringConfigurationsMiddlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListBucketIntelligentTieringConfigurationsValidationMiddleware(stack); err != nil { return err } 
@@ -190,13 +193,14 @@ func addListBucketIntelligentTieringConfigurationsUpdateEndpoint(stack *middlewa Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListBucketIntelligentTieringConfigurationsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListBucketInventoryConfigurations.go b/service/s3/api_op_ListBucketInventoryConfigurations.go index f4745b5028a..8156bfaff37 100644 --- a/service/s3/api_op_ListBucketInventoryConfigurations.go +++ b/service/s3/api_op_ListBucketInventoryConfigurations.go @@ -148,6 +148,9 @@ func (c *Client) addOperationListBucketInventoryConfigurationsMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListBucketInventoryConfigurationsValidationMiddleware(stack); err != nil { return err } 
@@ -199,13 +202,14 @@ func addListBucketInventoryConfigurationsUpdateEndpoint(stack *middleware.Stack, Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListBucketInventoryConfigurationsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListBucketMetricsConfigurations.go b/service/s3/api_op_ListBucketMetricsConfigurations.go index 8762a068786..c7b6c8ce633 100644 --- a/service/s3/api_op_ListBucketMetricsConfigurations.go +++ b/service/s3/api_op_ListBucketMetricsConfigurations.go @@ -151,6 +151,9 @@ func (c *Client) addOperationListBucketMetricsConfigurationsMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListBucketMetricsConfigurationsValidationMiddleware(stack); err != nil { return err } 
@@ -202,13 +205,14 @@ func addListBucketMetricsConfigurationsUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListBucketMetricsConfigurationsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListBuckets.go b/service/s3/api_op_ListBuckets.go index f3d2858bcde..6c0203d3d02 100644 --- a/service/s3/api_op_ListBuckets.go +++ b/service/s3/api_op_ListBuckets.go @@ -91,6 +91,9 @@ func (c *Client) addOperationListBucketsMiddlewares(stack *middleware.Stack, opt if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = stack.Initialize.Add(newServiceMetadataMiddleware_opListBuckets(options.Region), middleware.Before); err != nil { return err } 
@@ -129,13 +132,14 @@ func addListBucketsUpdateEndpoint(stack *middleware.Stack, options Options) erro Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: nopGetBucketAccessor, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: false, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: false, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListMultipartUploads.go b/service/s3/api_op_ListMultipartUploads.go index 1e82450e2a1..37aa03f54c4 100644 --- a/service/s3/api_op_ListMultipartUploads.go +++ b/service/s3/api_op_ListMultipartUploads.go @@ -243,6 +243,9 @@ func (c *Client) addOperationListMultipartUploadsMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListMultipartUploadsValidationMiddleware(stack); err != nil { return err } 
@@ -294,13 +297,14 @@ func addListMultipartUploadsUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListMultipartUploadsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListObjectVersions.go b/service/s3/api_op_ListObjectVersions.go index d6c9b54eb69..100f542db2c 100644 --- a/service/s3/api_op_ListObjectVersions.go +++ b/service/s3/api_op_ListObjectVersions.go @@ -209,6 +209,9 @@ func (c *Client) addOperationListObjectVersionsMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListObjectVersionsValidationMiddleware(stack); err != nil { return err } 
@@ -260,13 +263,14 @@ func addListObjectVersionsUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListObjectVersionsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListObjects.go b/service/s3/api_op_ListObjects.go index 2fed3ed9a55..54d5518cf88 100644 --- a/service/s3/api_op_ListObjects.go +++ b/service/s3/api_op_ListObjects.go @@ -217,6 +217,9 @@ func (c *Client) addOperationListObjectsMiddlewares(stack *middleware.Stack, opt if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListObjectsValidationMiddleware(stack); err != nil { return err } 
@@ -268,13 +271,14 @@ func addListObjectsUpdateEndpoint(stack *middleware.Stack, options Options) erro Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListObjectsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListObjectsV2.go b/service/s3/api_op_ListObjectsV2.go index 32c5ebde9cc..57639a01fa4 100644 --- a/service/s3/api_op_ListObjectsV2.go +++ b/service/s3/api_op_ListObjectsV2.go @@ -251,6 +251,9 @@ func (c *Client) addOperationListObjectsV2Middlewares(stack *middleware.Stack, o if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListObjectsV2ValidationMiddleware(stack); err != nil { return err } 
@@ -388,13 +391,14 @@ func addListObjectsV2UpdateEndpoint(stack *middleware.Stack, options Options) er Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListObjectsV2BucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_ListParts.go b/service/s3/api_op_ListParts.go index 5da2dc65c4e..3097a581439 100644 --- a/service/s3/api_op_ListParts.go +++ b/service/s3/api_op_ListParts.go @@ -240,6 +240,9 @@ func (c *Client) addOperationListPartsMiddlewares(stack *middleware.Stack, optio if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpListPartsValidationMiddleware(stack); err != nil { return err } 
@@ -374,13 +377,14 @@ func addListPartsUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getListPartsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketAccelerateConfiguration.go b/service/s3/api_op_PutBucketAccelerateConfiguration.go index 38753a82efc..b3fd8ef6d95 100644 --- a/service/s3/api_op_PutBucketAccelerateConfiguration.go +++ b/service/s3/api_op_PutBucketAccelerateConfiguration.go @@ -135,6 +135,9 @@ func (c *Client) addOperationPutBucketAccelerateConfigurationMiddlewares(stack * if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketAccelerateConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -186,13 +189,14 @@ func addPutBucketAccelerateConfigurationUpdateEndpoint(stack *middleware.Stack, Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketAccelerateConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketAcl.go b/service/s3/api_op_PutBucketAcl.go index 528fa2e2757..930a20f52a9 100644 --- a/service/s3/api_op_PutBucketAcl.go +++ b/service/s3/api_op_PutBucketAcl.go @@ -259,6 +259,9 @@ func (c *Client) addOperationPutBucketAclMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketAclValidationMiddleware(stack); err != nil { return err } 
@@ -313,13 +316,14 @@ func addPutBucketAclUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketAclBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketAnalyticsConfiguration.go b/service/s3/api_op_PutBucketAnalyticsConfiguration.go index de52d3d47d8..1d88e743fd6 100644 --- a/service/s3/api_op_PutBucketAnalyticsConfiguration.go +++ b/service/s3/api_op_PutBucketAnalyticsConfiguration.go @@ -167,6 +167,9 @@ func (c *Client) addOperationPutBucketAnalyticsConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketAnalyticsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -218,13 +221,14 @@ func addPutBucketAnalyticsConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketAnalyticsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketCors.go b/service/s3/api_op_PutBucketCors.go index fbe55db92b5..87355a6bebb 100644 --- a/service/s3/api_op_PutBucketCors.go +++ b/service/s3/api_op_PutBucketCors.go @@ -151,6 +151,9 @@ func (c *Client) addOperationPutBucketCorsMiddlewares(stack *middleware.Stack, o if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketCorsValidationMiddleware(stack); err != nil { return err } 
@@ -205,13 +208,14 @@ func addPutBucketCorsUpdateEndpoint(stack *middleware.Stack, options Options) er Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketCorsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketEncryption.go b/service/s3/api_op_PutBucketEncryption.go index b8124cb2091..66a585d8315 100644 --- a/service/s3/api_op_PutBucketEncryption.go +++ b/service/s3/api_op_PutBucketEncryption.go @@ -138,6 +138,9 @@ func (c *Client) addOperationPutBucketEncryptionMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketEncryptionValidationMiddleware(stack); err != nil { return err } 
@@ -192,13 +195,14 @@ func addPutBucketEncryptionUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketEncryptionBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketIntelligentTieringConfiguration.go b/service/s3/api_op_PutBucketIntelligentTieringConfiguration.go index a5954fa4256..1e29af44c10 100644 --- a/service/s3/api_op_PutBucketIntelligentTieringConfiguration.go +++ b/service/s3/api_op_PutBucketIntelligentTieringConfiguration.go @@ -158,6 +158,9 @@ func (c *Client) addOperationPutBucketIntelligentTieringConfigurationMiddlewares if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketIntelligentTieringConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -209,13 +212,14 @@ func addPutBucketIntelligentTieringConfigurationUpdateEndpoint(stack *middleware Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketIntelligentTieringConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketInventoryConfiguration.go b/service/s3/api_op_PutBucketInventoryConfiguration.go index 596df6f65dd..3d63878c381 100644 --- a/service/s3/api_op_PutBucketInventoryConfiguration.go +++ b/service/s3/api_op_PutBucketInventoryConfiguration.go @@ -168,6 +168,9 @@ func (c *Client) addOperationPutBucketInventoryConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketInventoryConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -219,13 +222,14 @@ func addPutBucketInventoryConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketInventoryConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketLifecycleConfiguration.go b/service/s3/api_op_PutBucketLifecycleConfiguration.go index 2a30a2a7490..71db08293d7 100644 --- a/service/s3/api_op_PutBucketLifecycleConfiguration.go +++ b/service/s3/api_op_PutBucketLifecycleConfiguration.go @@ -163,6 +163,9 @@ func (c *Client) addOperationPutBucketLifecycleConfigurationMiddlewares(stack *m if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketLifecycleConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -217,13 +220,14 @@ func addPutBucketLifecycleConfigurationUpdateEndpoint(stack *middleware.Stack, o Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketLifecycleConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketLogging.go b/service/s3/api_op_PutBucketLogging.go index 5a3c9e67241..05e04c019a1 100644 --- a/service/s3/api_op_PutBucketLogging.go +++ b/service/s3/api_op_PutBucketLogging.go @@ -149,6 +149,9 @@ func (c *Client) addOperationPutBucketLoggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketLoggingValidationMiddleware(stack); err != nil { return err } 
@@ -203,13 +206,14 @@ func addPutBucketLoggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketLoggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketMetricsConfiguration.go b/service/s3/api_op_PutBucketMetricsConfiguration.go index c285f6508b2..b9725aa7f42 100644 --- a/service/s3/api_op_PutBucketMetricsConfiguration.go +++ b/service/s3/api_op_PutBucketMetricsConfiguration.go @@ -142,6 +142,9 @@ func (c *Client) addOperationPutBucketMetricsConfigurationMiddlewares(stack *mid if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketMetricsConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -193,13 +196,14 @@ func addPutBucketMetricsConfigurationUpdateEndpoint(stack *middleware.Stack, opt Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketMetricsConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketNotificationConfiguration.go b/service/s3/api_op_PutBucketNotificationConfiguration.go index 421d1a7b862..706f247ca1d 100644 --- a/service/s3/api_op_PutBucketNotificationConfiguration.go +++ b/service/s3/api_op_PutBucketNotificationConfiguration.go @@ -134,6 +134,9 @@ func (c *Client) addOperationPutBucketNotificationConfigurationMiddlewares(stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketNotificationConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -185,13 +188,14 @@ func addPutBucketNotificationConfigurationUpdateEndpoint(stack *middleware.Stack Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketNotificationConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketOwnershipControls.go b/service/s3/api_op_PutBucketOwnershipControls.go index 91e7e3b882e..f9e0016ae39 100644 --- a/service/s3/api_op_PutBucketOwnershipControls.go +++ b/service/s3/api_op_PutBucketOwnershipControls.go @@ -116,6 +116,9 @@ func (c *Client) addOperationPutBucketOwnershipControlsMiddlewares(stack *middle if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketOwnershipControlsValidationMiddleware(stack); err != nil { return err } 
@@ -170,13 +173,14 @@ func addPutBucketOwnershipControlsUpdateEndpoint(stack *middleware.Stack, option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketOwnershipControlsBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketPolicy.go b/service/s3/api_op_PutBucketPolicy.go index 3ec46f7fc7d..671f767ee2a 100644 --- a/service/s3/api_op_PutBucketPolicy.go +++ b/service/s3/api_op_PutBucketPolicy.go @@ -126,6 +126,9 @@ func (c *Client) addOperationPutBucketPolicyMiddlewares(stack *middleware.Stack, if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketPolicyValidationMiddleware(stack); err != nil { return err } 
@@ -180,13 +183,14 @@ func addPutBucketPolicyUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketPolicyBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketReplication.go b/service/s3/api_op_PutBucketReplication.go index 625abb5f735..0aff99944ef 100644 --- a/service/s3/api_op_PutBucketReplication.go +++ b/service/s3/api_op_PutBucketReplication.go @@ -163,6 +163,9 @@ func (c *Client) addOperationPutBucketReplicationMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketReplicationValidationMiddleware(stack); err != nil { return err } 
@@ -217,13 +220,14 @@ func addPutBucketReplicationUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketReplicationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketRequestPayment.go b/service/s3/api_op_PutBucketRequestPayment.go index de568c3ace5..be7f2c5e65c 100644 --- a/service/s3/api_op_PutBucketRequestPayment.go +++ b/service/s3/api_op_PutBucketRequestPayment.go @@ -119,6 +119,9 @@ func (c *Client) addOperationPutBucketRequestPaymentMiddlewares(stack *middlewar if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketRequestPaymentValidationMiddleware(stack); err != nil { return err } 
@@ -173,13 +176,14 @@ func addPutBucketRequestPaymentUpdateEndpoint(stack *middleware.Stack, options O Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketRequestPaymentBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketTagging.go b/service/s3/api_op_PutBucketTagging.go index 36704a9339b..eba210db426 100644 --- a/service/s3/api_op_PutBucketTagging.go +++ b/service/s3/api_op_PutBucketTagging.go @@ -164,6 +164,9 @@ func (c *Client) addOperationPutBucketTaggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -218,13 +221,14 @@ func addPutBucketTaggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketVersioning.go b/service/s3/api_op_PutBucketVersioning.go index 9e4246a13c1..6806d837588 100644 --- a/service/s3/api_op_PutBucketVersioning.go +++ b/service/s3/api_op_PutBucketVersioning.go @@ -141,6 +141,9 @@ func (c *Client) addOperationPutBucketVersioningMiddlewares(stack *middleware.St if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketVersioningValidationMiddleware(stack); err != nil { return err } 
@@ -195,13 +198,14 @@ func addPutBucketVersioningUpdateEndpoint(stack *middleware.Stack, options Optio Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketVersioningBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutBucketWebsite.go b/service/s3/api_op_PutBucketWebsite.go index e7207eb80cb..4776ae11b5d 100644 --- a/service/s3/api_op_PutBucketWebsite.go +++ b/service/s3/api_op_PutBucketWebsite.go @@ -177,6 +177,9 @@ func (c *Client) addOperationPutBucketWebsiteMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutBucketWebsiteValidationMiddleware(stack); err != nil { return err } 
@@ -231,13 +234,14 @@ func addPutBucketWebsiteUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutBucketWebsiteBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObject.go b/service/s3/api_op_PutObject.go index 135a77e881a..f43aba1d79c 100644 --- a/service/s3/api_op_PutObject.go +++ b/service/s3/api_op_PutObject.go @@ -400,6 +400,9 @@ func (c *Client) addOperationPutObjectMiddlewares(stack *middleware.Stack, optio if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectValidationMiddleware(stack); err != nil { return err } 
@@ -450,14 +453,15 @@ func addPutObjectUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObjectAcl.go b/service/s3/api_op_PutObjectAcl.go index a3e1c11acf2..441e81aa9e7 100644 --- a/service/s3/api_op_PutObjectAcl.go +++ b/service/s3/api_op_PutObjectAcl.go @@ -301,6 +301,9 @@ func (c *Client) addOperationPutObjectAclMiddlewares(stack *middleware.Stack, op if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectAclValidationMiddleware(stack); err != nil { return err } 
@@ -355,13 +358,14 @@ func addPutObjectAclUpdateEndpoint(stack *middleware.Stack, options Options) err Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectAclBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObjectLegalHold.go b/service/s3/api_op_PutObjectLegalHold.go index 6afead3b348..93161433d68 100644 --- a/service/s3/api_op_PutObjectLegalHold.go +++ b/service/s3/api_op_PutObjectLegalHold.go @@ -135,6 +135,9 @@ func (c *Client) addOperationPutObjectLegalHoldMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectLegalHoldValidationMiddleware(stack); err != nil { return err } 
@@ -189,13 +192,14 @@ func addPutObjectLegalHoldUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectLegalHoldBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObjectLockConfiguration.go b/service/s3/api_op_PutObjectLockConfiguration.go index 54f9d7fd3ac..503e1422866 100644 --- a/service/s3/api_op_PutObjectLockConfiguration.go +++ b/service/s3/api_op_PutObjectLockConfiguration.go @@ -132,6 +132,9 @@ func (c *Client) addOperationPutObjectLockConfigurationMiddlewares(stack *middle if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectLockConfigurationValidationMiddleware(stack); err != nil { return err } 
@@ -186,13 +189,14 @@ func addPutObjectLockConfigurationUpdateEndpoint(stack *middleware.Stack, option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectLockConfigurationBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObjectRetention.go b/service/s3/api_op_PutObjectRetention.go index ebdae5f9e34..5db15650bce 100644 --- a/service/s3/api_op_PutObjectRetention.go +++ b/service/s3/api_op_PutObjectRetention.go @@ -145,6 +145,9 @@ func (c *Client) addOperationPutObjectRetentionMiddlewares(stack *middleware.Sta if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectRetentionValidationMiddleware(stack); err != nil { return err } 
@@ -199,13 +202,14 @@ func addPutObjectRetentionUpdateEndpoint(stack *middleware.Stack, options Option Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectRetentionBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutObjectTagging.go b/service/s3/api_op_PutObjectTagging.go index 733fb4969d4..400c3ecf584 100644 --- a/service/s3/api_op_PutObjectTagging.go +++ b/service/s3/api_op_PutObjectTagging.go @@ -189,6 +189,9 @@ func (c *Client) addOperationPutObjectTaggingMiddlewares(stack *middleware.Stack if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutObjectTaggingValidationMiddleware(stack); err != nil { return err } 
@@ -243,13 +246,14 @@ func addPutObjectTaggingUpdateEndpoint(stack *middleware.Stack, options Options) Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutObjectTaggingBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_PutPublicAccessBlock.go b/service/s3/api_op_PutPublicAccessBlock.go index de9b77fe377..60f43ef6391 100644 --- a/service/s3/api_op_PutPublicAccessBlock.go +++ b/service/s3/api_op_PutPublicAccessBlock.go @@ -138,6 +138,9 @@ func (c *Client) addOperationPutPublicAccessBlockMiddlewares(stack *middleware.S if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpPutPublicAccessBlockValidationMiddleware(stack); err != nil { return err } 
@@ -192,13 +195,14 @@ func addPutPublicAccessBlockUpdateEndpoint(stack *middleware.Stack, options Opti Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getPutPublicAccessBlockBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_RestoreObject.go b/service/s3/api_op_RestoreObject.go index a8b36240079..7d2bb90d7e3 100644 --- a/service/s3/api_op_RestoreObject.go +++ b/service/s3/api_op_RestoreObject.go @@ -355,6 +355,9 @@ func (c *Client) addOperationRestoreObjectMiddlewares(stack *middleware.Stack, o if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpRestoreObjectValidationMiddleware(stack); err != nil { return err } 
@@ -406,13 +409,14 @@ func addRestoreObjectUpdateEndpoint(stack *middleware.Stack, options Options) er Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getRestoreObjectBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_UploadPart.go b/service/s3/api_op_UploadPart.go index 39b9b831c09..275f57cb538 100644 --- a/service/s3/api_op_UploadPart.go +++ b/service/s3/api_op_UploadPart.go @@ -290,6 +290,9 @@ func (c *Client) addOperationUploadPartMiddlewares(stack *middleware.Stack, opti if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpUploadPartValidationMiddleware(stack); err != nil { return err } 
@@ -340,14 +343,15 @@ func addUploadPartUpdateEndpoint(stack *middleware.Stack, options Options) error Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getUploadPartBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_UploadPartCopy.go b/service/s3/api_op_UploadPartCopy.go index 96e4f9a1f4d..2d88c2b8bea 100644 --- a/service/s3/api_op_UploadPartCopy.go +++ b/service/s3/api_op_UploadPartCopy.go @@ -367,6 +367,9 @@ func (c *Client) addOperationUploadPartCopyMiddlewares(stack *middleware.Stack, if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addOpUploadPartCopyValidationMiddleware(stack); err != nil { return err } 
@@ -421,13 +424,14 @@ func addUploadPartCopyUpdateEndpoint(stack *middleware.Stack, options Options) e Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: getUploadPartCopyBucketMember, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: false, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: false, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/api_op_WriteGetObjectResponse.go b/service/s3/api_op_WriteGetObjectResponse.go index 0dfd5d07a60..6384a9edcf2 100644 --- a/service/s3/api_op_WriteGetObjectResponse.go +++ b/service/s3/api_op_WriteGetObjectResponse.go @@ -305,6 +305,9 @@ func (c *Client) addOperationWriteGetObjectResponseMiddlewares(stack *middleware if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { return err } + if err = swapWithCustomHTTPSignerMiddleware(stack, options); err != nil { + return err + } if err = addEndpointPrefix_opWriteGetObjectResponseMiddleware(stack); err != nil { return err } 
@@ -387,13 +390,14 @@ func addWriteGetObjectResponseUpdateEndpoint(stack *middleware.Stack, options Op Accessor: s3cust.UpdateEndpointParameterAccessor{ GetBucketFromInput: nopGetBucketAccessor, }, - UsePathStyle: options.UsePathStyle, - UseAccelerate: options.UseAccelerate, - SupportsAccelerate: true, - TargetS3ObjectLambda: true, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointOptions, - UseDualstack: options.UseDualstack, - UseARNRegion: options.UseARNRegion, + UsePathStyle: options.UsePathStyle, + UseAccelerate: options.UseAccelerate, + SupportsAccelerate: true, + TargetS3ObjectLambda: true, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointOptions, + UseDualstack: options.UseDualstack, + UseARNRegion: options.UseARNRegion, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }) } diff --git a/service/s3/internal/arn/arn_parser.go b/service/s3/internal/arn/arn_parser.go index 1e655fdd40e..97b5771bb1f 100644 --- a/service/s3/internal/arn/arn_parser.go +++ b/service/s3/internal/arn/arn_parser.go @@ -66,6 +66,11 @@ func parseOutpostAccessPointResource(a awsarn.ARN, resParts []string) (arn.Outpo var outpostAccessPointARN = arn.OutpostAccessPointARN{} switch resParts[1] { case "accesspoint": + // Do not allow region-less outpost access-point arns. + if len(a.Region) == 0 { + return arn.OutpostAccessPointARN{}, arn.InvalidARNError{ARN: a, Reason: "region is not set"} + } + accessPointARN, err := arn.ParseAccessPointResource(a, resParts[2:]) if err != nil { return arn.OutpostAccessPointARN{}, err 
@@ -86,15 +91,15 @@ func parseS3ObjectLambdaAccessPointResource(a awsarn.ARN, resParts []string) (ar return arn.S3ObjectLambdaAccessPointARN{}, arn.InvalidARNError{ARN: a, Reason: fmt.Sprintf("service is not %s", s3ObjectsLambdaNamespace)} } + if len(a.Region) == 0 { + return arn.S3ObjectLambdaAccessPointARN{}, arn.InvalidARNError{ARN: a, Reason: fmt.Sprintf("%s region not set", s3ObjectsLambdaNamespace)} + } + accessPointARN, err := arn.ParseAccessPointResource(a, resParts[1:]) if err != nil { return arn.S3ObjectLambdaAccessPointARN{}, err } - if len(accessPointARN.Region) == 0 { - return arn.S3ObjectLambdaAccessPointARN{}, arn.InvalidARNError{ARN: a, Reason: fmt.Sprintf("%s region not set", s3ObjectsLambdaNamespace)} - } - return arn.S3ObjectLambdaAccessPointARN{ AccessPointARN: accessPointARN, }, nil diff --git a/service/s3/internal/customizations/presign_test.go b/service/s3/internal/customizations/presign_test.go index 17ba285df68..2d2e36323cf 100644 --- a/service/s3/internal/customizations/presign_test.go +++ b/service/s3/internal/customizations/presign_test.go @@ -17,7 +17,7 @@ import ( func TestPutObject_PresignURL(t *testing.T) { cases := map[string]struct { input s3.PutObjectInput - options s3.PresignOptions + options []func(*s3.PresignOptions) expectPresignedURLHost string expectRequestURIQuery []string expectSignedHeader http.Header 
@@ -125,6 +125,45 @@ func TestPutObject_PresignURL(t *testing.T) { "Host": []string{"mock-bucket.s3.us-west-2.amazonaws.com"}, }, }, + "mrap presigned": { + input: s3.PutObjectInput{ + Bucket: aws.String("arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap"), + Key: aws.String("mockkey"), + Body: strings.NewReader("hello-world"), + }, + expectPresignedURLHost: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com/mockkey?", + expectRequestURIQuery: []string{ + "X-Amz-Expires=900", + "X-Amz-Credential", + "X-Amz-Date", + "x-id=PutObject", + "X-Amz-Signature", + "X-Amz-Region-Set", + }, + expectMethod: "PUT", + expectSignedHeader: http.Header{ + "Content-Length": []string{"11"}, + "Content-Type": []string{"application/octet-stream"}, + "Host": []string{"mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com"}, + }, + }, + "mrap presigned with mrap disabled": { + input: s3.PutObjectInput{ + Bucket: aws.String("arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap"), + Key: aws.String("mockkey"), + Body: strings.NewReader("hello-world"), + }, + options: []func(option *s3.PresignOptions){ + func(option *s3.PresignOptions) { + option.ClientOptions = []func(o *s3.Options){ + func(o *s3.Options) { + o.DisableMultiRegionAccessPoints = true + }, + } + }, + }, + expectError: "Multi-Region access point ARNs are disabled", + }, } for name, c := range cases { @@ -137,9 +176,7 @@ func TestPutObject_PresignURL(t *testing.T) { return aws.NopRetryer{} }, } - presignClient := s3.NewPresignClient(s3.NewFromConfig(cfg), func(options *s3.PresignOptions) { - options = &c.options - }) + presignClient := s3.NewPresignClient(s3.NewFromConfig(cfg), c.options...) req, err := presignClient.PresignPutObject(ctx, &c.input) if err != nil { 
@@ -150,6 +187,7 @@ func TestPutObject_PresignURL(t *testing.T) { if e, a := c.expectError, err.Error(); !strings.Contains(a, e) { t.Fatalf("expected error to be %s, got %s", e, a) } + return } else { if len(c.expectError) != 0 { t.Fatalf("expected error to be %v, got none", c.expectError) diff --git a/service/s3/internal/customizations/process_arn_resource.go b/service/s3/internal/customizations/process_arn_resource.go index bd022866510..5fc9cb3032e 100644 --- a/service/s3/internal/customizations/process_arn_resource.go +++ b/service/s3/internal/customizations/process_arn_resource.go @@ -3,17 +3,19 @@ package customizations import ( "context" "fmt" - "github.com/aws/aws-sdk-go-v2/aws" "net/url" "strings" "github.com/aws/smithy-go/middleware" "github.com/aws/smithy-go/transport/http" + "github.com/aws/aws-sdk-go-v2/aws" awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" "github.com/aws/aws-sdk-go-v2/service/internal/s3shared" "github.com/aws/aws-sdk-go-v2/service/internal/s3shared/arn" s3arn "github.com/aws/aws-sdk-go-v2/service/s3/internal/arn" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/endpoints" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a" ) const ( @@ -38,6 +40,9 @@ type processARNResource struct { // EndpointResolverOptions used by endpoint resolver EndpointResolverOptions EndpointResolverOptions + + // DisableMultiRegionAccessPoints indicates multi-region access point support is disabled + DisableMultiRegionAccessPoints bool } // ID returns the middleware ID. 
@@ -74,14 +79,31 @@ func (m *processARNResource) HandleSerialize( PartitionID: awsmiddleware.GetPartitionID(ctx), } - // validate resource request - if err := validateResourceRequest(resourceRequest); err != nil { - return out, metadata, err - } - // switch to correct endpoint updater switch tv := resource.(type) { case arn.AccessPointARN: + // multi-region arns do not need to validate for cross partition request + if len(tv.Region) != 0 { + // validate resource request + if err := validateRegionForResourceRequest(resourceRequest); err != nil { + return out, metadata, err + } + } + + // Special handling for region-less ap-arns. + if len(tv.Region) == 0 { + // check if multi-region arn support is disabled + if m.DisableMultiRegionAccessPoints { + return out, metadata, fmt.Errorf("Invalid configuration, Multi-Region access point ARNs are disabled") + } + + // Do not allow dual-stack configuration with multi-region arns. + if m.UseDualstack { + return out, metadata, s3shared.NewClientConfiguredForDualStackError(tv, + resourceRequest.PartitionID, resourceRequest.RequestRegion, nil) + } + } + // check if accelerate if m.UseAccelerate { return out, metadata, s3shared.NewClientConfiguredForAccelerateError(tv, @@ -92,6 +114,12 @@ func (m *processARNResource) HandleSerialize( resolveRegion := tv.Region // check if request region is FIPS if resourceRequest.UseFips() { + // Do not allow Fips support within multi-region arns. + if len(resolveRegion) == 0 { + return out, metadata, s3shared.NewClientConfiguredForFIPSError( + tv, resourceRequest.PartitionID, resourceRequest.RequestRegion, nil) + } + // if use arn region is enabled and request signing region is not same as arn region if m.UseARNRegion && resourceRequest.IsCrossRegion() { // FIPS with cross region is not supported, the SDK must fail 
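Review bot: Removing the shared `validateResourceRequest` call ahead of the `switch` means every resource case must now remember to validate for itself, and in the `arn.AccessPointARN` case an ARN with an empty `tv.Region` skips the cross-partition check entirely. The Multi-Region builder added later in this file takes the DNS suffix from the ARN partition, so the bucket ARN alone selects which partition's `s3-global` host receives the signed request. I would state that next to the existing comment, for example `// region-less (multi-region) ARNs skip partition validation on purpose: the endpoint is derived from the ARN partition; set DisableMultiRegionAccessPoints when bucket ARNs come from untrusted input`. The new error `fmt.Errorf("Invalid configuration, Multi-Region access point ARNs are disabled")` is capitalised and untyped, while the neighbouring branches return `s3shared` error values that callers can match on. HandleSerialize begins and ends outside this hunk, so whether the switch has a default branch that still validates is not visible here.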
@@ -105,13 +133,19 @@ func (m *processARNResource) HandleSerialize( nil, ) } - // if use arn region is NOT set, we should use the request region resolveRegion = resourceRequest.RequestRegion } - // build access point request - ctx, err = buildAccessPointRequest(ctx, accesspointOptions{ + var requestBuilder func(context.Context, accesspointOptions) (context.Context, error) + if len(resolveRegion) == 0 { + requestBuilder = buildMultiRegionAccessPointsRequest + } else { + requestBuilder = buildAccessPointRequest + } + + // build request as per accesspoint builder + ctx, err = requestBuilder(ctx, accesspointOptions{ processARNResource: *m, request: req, resource: tv, @@ -124,6 +158,11 @@ func (m *processARNResource) HandleSerialize( } case arn.S3ObjectLambdaAccessPointARN: + // validate region for resource request + if err := validateRegionForResourceRequest(resourceRequest); err != nil { + return out, metadata, err + } + // check if accelerate if m.UseAccelerate { return out, metadata, s3shared.NewClientConfiguredForAccelerateError(tv, @@ -173,6 +212,11 @@ func (m *processARNResource) HandleSerialize( // process outpost accesspoint ARN case arn.OutpostAccessPointARN: + // validate region for resource request + if err := validateRegionForResourceRequest(resourceRequest); err != nil { + return out, metadata, err + } + // check if accelerate if m.UseAccelerate { return out, metadata, s3shared.NewClientConfiguredForAccelerateError(tv, @@ -210,8 +254,8 @@ func (m *processARNResource) HandleSerialize( return next.HandleSerialize(ctx, in) } -// validate if s3 resource and request config is compatible. -func validateResourceRequest(resourceRequest s3shared.ResourceRequest) error { +// validate if s3 resource and request region config is compatible. +func validateRegionForResourceRequest(resourceRequest s3shared.ResourceRequest) error { // check if resourceRequest leads to a cross partition error v, err := resourceRequest.IsCrossPartition() if err != nil { 
@@ -368,6 +412,81 @@ func buildS3ObjectLambdaAccessPointRequest(ctx context.Context, options accesspo return ctx, nil } +func buildMultiRegionAccessPointsRequest(ctx context.Context, options accesspointOptions) (context.Context, error) { + const s3_global_label = "s3-global." + const accesspoint_label = "accesspoint." + + tv := options.resource + req := options.request + resolveService := tv.Service + resolveRegion := options.requestRegion + arnPartition := tv.Partition + + // resolve endpoint + endpoint, err := options.EndpointResolver.ResolveEndpoint(resolveRegion, options.EndpointResolverOptions) + if err != nil { + return ctx, s3shared.NewFailedToResolveEndpointError( + tv, + options.partitionID, + options.requestRegion, + err, + ) + } + + // set signing region and version for MRAP + endpoint.SigningRegion = "*" + ctx = awsmiddleware.SetSigningRegion(ctx, endpoint.SigningRegion) + ctx = SetSignerVersion(ctx, v4a.Version) + + if len(endpoint.SigningName) != 0 { + ctx = awsmiddleware.SetSigningName(ctx, endpoint.SigningName) + } else { + ctx = awsmiddleware.SetSigningName(ctx, resolveService) + } + + // skip arn processing, if arn region resolves to a immutable endpoint + if endpoint.HostnameImmutable { + return ctx, nil + } + + // modify endpoint host to use s3-global host prefix + scheme := strings.SplitN(endpoint.URL, "://", 2) + dnsSuffix, err := endpoints.GetDNSSuffix(arnPartition) + if err != nil { + return ctx, fmt.Errorf("Error determining dns suffix from arn partition, %w", err) + } + // set url as per partition + endpoint.URL = scheme[0] + "://" + s3_global_label + dnsSuffix + + // assign resolved endpoint url to request url + req.URL, err = url.Parse(endpoint.URL) + if err != nil { + return ctx, fmt.Errorf("failed to parse endpoint URL: %w", err) + } + + // build access point host prefix + accessPointHostPrefix := tv.AccessPointName + "." 
+ accesspoint_label + + // add host prefix to url + req.URL.Host = accessPointHostPrefix + req.URL.Host + if len(req.Host) > 0 { + req.Host = accessPointHostPrefix + req.Host + } + + // validate the endpoint host + if err := http.ValidateEndpointHost(req.URL.Host); err != nil { + return ctx, fmt.Errorf("endpoint validation error: %w, when using arn %v", err, tv) + } + + // disable host prefix behavior + ctx = http.DisableEndpointHostPrefix(ctx, true) + + // remove the serialized arn in place of /{Bucket} + ctx = setBucketToRemoveOnContext(ctx, tv.String()) + + return ctx, nil +} + func buildAccessPointHostPrefix(ctx context.Context, req *http.Request, tv arn.AccessPointARN) (context.Context, error) { // add host prefix for access point accessPointHostPrefix := tv.AccessPointName + "-" + tv.AccountID + "." diff --git a/service/s3/internal/customizations/signer_wrapper.go b/service/s3/internal/customizations/signer_wrapper.go new file mode 100644 index 00000000000..8044e8c11f1 --- /dev/null +++ b/service/s3/internal/customizations/signer_wrapper.go 
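Review bot: In `buildMultiRegionAccessPointsRequest`, `strings.SplitN(endpoint.URL, "://", 2)` followed by `scheme[0] + "://" + ...` assumes the resolved endpoint always carries a scheme. If a custom resolver returns a bare host, `scheme[0]` is the whole string and the rebuilt URL is malformed before `http.ValidateEndpointHost` runs. Parsing the resolved URL and rejecting an empty scheme, as in the excerpt below, makes that failure explicit. The `HostnameImmutable` early return comes after the signer has been switched to `v4a.Version` with signing region `*`, so an immutable custom endpoint appears to receive a request signed for every region with the ARN still in the path; a comment saying whether that is intended would help. `req.Host` is prefixed but never reset to the `s3-global` host, so it is worth confirming that it is always empty at this step.

```go
// … unchanged: endpoint resolution, signing region/name, HostnameImmutable return, dnsSuffix lookup …

// keep only the scheme of the resolved endpoint, and only if it parses
resolved, err := url.Parse(endpoint.URL)
if err != nil {
	return ctx, fmt.Errorf("failed to parse endpoint URL: %w", err)
}
if len(resolved.Scheme) == 0 {
	return ctx, fmt.Errorf("resolved endpoint URL %q has no scheme", endpoint.URL)
}
endpoint.URL = resolved.Scheme + "://" + s3_global_label + dnsSuffix

// … unchanged: url.Parse into req.URL, access point host prefix, host validation …
```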
@@ -0,0 +1,212 @@ +package customizations + +import ( + "context" + "fmt" + "github.com/aws/aws-sdk-go-v2/aws" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a" + "github.com/aws/smithy-go/middleware" +) + +type signerVersionKey struct{} + +// GetSignerVersion retrieves the signer version to use for signing +// +// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues +// to clear all stack values. +func GetSignerVersion(ctx context.Context) (v string) { + v, _ = middleware.GetStackValue(ctx, signerVersionKey{}).(string) + return v +} + +// SetSignerVersion sets the signer version to be used for signing the request +// +// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues +// to clear all stack values. +func SetSignerVersion(ctx context.Context, version string) context.Context { + return middleware.WithStackValue(ctx, signerVersionKey{}, version) +} + +// SignHTTPRequestMiddlewareOptions is the configuration options for the SignHTTPRequestMiddleware middleware. 
+type SignHTTPRequestMiddlewareOptions struct { + + // credential provider + CredentialsProvider aws.CredentialsProvider + + // log signing + LogSigning bool + + // v4 signer + V4Signer v4.HTTPSigner + + //v4a signer + V4aSigner v4a.HTTPSigner +} + +// NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given Signer for signing requests +func NewSignHTTPRequestMiddleware(options SignHTTPRequestMiddlewareOptions) *SignHTTPRequestMiddleware { + return &SignHTTPRequestMiddleware{ + credentialsProvider: options.CredentialsProvider, + v4Signer: options.V4Signer, + v4aSigner: options.V4aSigner, + logSigning: options.LogSigning, + } +} + +// SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation to select HTTP Signing method +type SignHTTPRequestMiddleware struct { + + // credential provider + credentialsProvider aws.CredentialsProvider + + // log signing + logSigning bool + + // v4 signer + v4Signer v4.HTTPSigner + + //v4a signer + v4aSigner v4a.HTTPSigner +} + +// ID is the SignHTTPRequestMiddleware identifier +func (s *SignHTTPRequestMiddleware) ID() string { + return "Signing" +} + +// HandleFinalize will take the provided input and sign the request using the SigV4 authentication scheme +func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( + out middleware.FinalizeOutput, metadata middleware.Metadata, err error, +) { + // fetch signer type from context + signerVersion := GetSignerVersion(ctx) + + switch signerVersion { + case v4a.Version: + v4aCredentialProvider, ok := s.credentialsProvider.(v4a.CredentialsProvider) + if !ok { + return out, metadata, fmt.Errorf("invalid credential-provider provided for sigV4a Signer") + } + + mw := v4a.NewSignHTTPRequestMiddleware(v4a.SignHTTPRequestMiddlewareOptions{ + Credentials: v4aCredentialProvider, + Signer: s.v4aSigner, + LogSigning: s.logSigning, + }) + return mw.HandleFinalize(ctx, in, next) + + default: + 
mw := v4.NewSignHTTPRequestMiddleware(v4.SignHTTPRequestMiddlewareOptions{ + CredentialsProvider: s.credentialsProvider, + Signer: s.v4Signer, + LogSigning: s.logSigning, + }) + return mw.HandleFinalize(ctx, in, next) + } +} + +// RegisterSigningMiddleware registers the wrapper signing middleware to the stack. If a signing middleware is already +// present, this provided middleware will be swapped. Otherwise the middleware will be added at the tail of the +// finalize step. +func RegisterSigningMiddleware(stack *middleware.Stack, signingMiddleware *SignHTTPRequestMiddleware) (err error) { + const signingId = "Signing" + _, present := stack.Finalize.Get(signingId) + if present { + _, err = stack.Finalize.Swap(signingId, signingMiddleware) + } else { + err = stack.Finalize.Add(signingMiddleware, middleware.After) + } + return err +} + +// PresignHTTPRequestMiddlewareOptions is the options for the PresignHTTPRequestMiddleware middleware. +type PresignHTTPRequestMiddlewareOptions struct { + CredentialsProvider aws.CredentialsProvider + V4Presigner v4.HTTPPresigner + V4aPresigner v4a.HTTPPresigner + LogSigning bool +} + +// PresignHTTPRequestMiddleware provides the Finalize middleware for creating a +// presigned URL for an HTTP request. +// +// Will short circuit the middleware stack and not forward onto the next +// Finalize handler. 
+type PresignHTTPRequestMiddleware struct { + + // cred provider and signer for sigv4 + credentialsProvider aws.CredentialsProvider + + // sigV4 signer + v4Signer v4.HTTPPresigner + + // sigV4a signer + v4aSigner v4a.HTTPPresigner + + // log signing + logSigning bool +} + +// NewPresignHTTPRequestMiddleware constructs a PresignHTTPRequestMiddleware using the given Signer for signing requests +func NewPresignHTTPRequestMiddleware(options PresignHTTPRequestMiddlewareOptions) *PresignHTTPRequestMiddleware { + return &PresignHTTPRequestMiddleware{ + credentialsProvider: options.CredentialsProvider, + v4Signer: options.V4Presigner, + v4aSigner: options.V4aPresigner, + logSigning: options.LogSigning, + } +} + +// ID provides the middleware ID. +func (*PresignHTTPRequestMiddleware) ID() string { return "PresignHTTPRequest" } + +// HandleFinalize will take the provided input and create a presigned url for +// the http request using the SigV4 or SigV4a presign authentication scheme. +// +// Since the signed request is not a valid HTTP request +func (p *PresignHTTPRequestMiddleware) HandleFinalize( + ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler, +) ( + out middleware.FinalizeOutput, metadata middleware.Metadata, err error, +) { + // fetch signer type from context + signerVersion := GetSignerVersion(ctx) + + switch signerVersion { + case v4a.Version: + v4aCredentialProvider, ok := p.credentialsProvider.(v4a.CredentialsProvider) + if !ok { + return out, metadata, fmt.Errorf("invalid credential-provider provided for sigV4a Signer") + } + + mw := v4a.NewPresignHTTPRequestMiddleware(v4a.PresignHTTPRequestMiddlewareOptions{ + CredentialsProvider: v4aCredentialProvider, + Presigner: p.v4aSigner, + LogSigning: p.logSigning, + }) + return mw.HandleFinalize(ctx, in, next) + + default: + mw := v4.NewPresignHTTPRequestMiddleware(v4.PresignHTTPRequestMiddlewareOptions{ + CredentialsProvider: p.credentialsProvider, + Presigner: p.v4Signer, + 
LogSigning: p.logSigning, + }) + return mw.HandleFinalize(ctx, in, next) + } +} + +// RegisterPreSigningMiddleware registers the wrapper pre-signing middleware to the stack. If a pre-signing middleware is already +// present, this provided middleware will be swapped. Otherwise the middleware will be added at the tail of the +// finalize step. +func RegisterPreSigningMiddleware(stack *middleware.Stack, signingMiddleware *PresignHTTPRequestMiddleware) (err error) { + const signingId = "PresignHTTPRequest" + _, present := stack.Finalize.Get(signingId) + if present { + _, err = stack.Finalize.Swap(signingId, signingMiddleware) + } else { + err = stack.Finalize.Add(signingMiddleware, middleware.After) + } + return err +} diff --git a/service/s3/internal/customizations/update_endpoint.go b/service/s3/internal/customizations/update_endpoint.go index fcce7055201..d7ed5d749fe 100644 --- a/service/s3/internal/customizations/update_endpoint.go +++ b/service/s3/internal/customizations/update_endpoint.go @@ -65,6 +65,9 @@ type UpdateEndpointOptions struct { // EndpointResolverOptions used by endpoint resolver EndpointResolverOptions EndpointResolverOptions + + // DisableMultiRegionAccessPoints indicates multi-region access point support is disabled + DisableMultiRegionAccessPoints bool } // UpdateEndpoint adds the middleware to the middleware stack based on the UpdateEndpointOptions. 
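Review bot: In the new `signer_wrapper.go`, both `HandleFinalize` methods answer a failed `v4a.CredentialsProvider` assertion with `invalid credential-provider provided for sigV4a Signer`, which names neither the type that was supplied nor the interface that is required. Something like `fmt.Errorf("sigv4a signing requires a v4a.CredentialsProvider, got %T", s.credentialsProvider)` is easier to diagnose and exposes no credential material. The doc comment on `PresignHTTPRequestMiddleware.HandleFinalize` stops mid-sentence at `Since the signed request is not a valid HTTP request` and should be completed or dropped. `RegisterSigningMiddleware` and `RegisterPreSigningMiddleware` repeat the literals returned by the two `ID()` methods in a local `signingId`; a shared constant, spelled `signingID` per Go initialism rules, keeps the swap target from drifting. Both register functions also add the middleware at the tail when none is present, so a comment on whether that can re-introduce signing on a stack where it was removed deliberately would be useful.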
@@ -79,11 +82,12 @@ func UpdateEndpoint(stack *middleware.Stack, options UpdateEndpointOptions) (err // process arn err = stack.Serialize.Insert(&processARNResource{ - UseARNRegion: options.UseARNRegion, - UseAccelerate: options.UseAccelerate, - UseDualstack: options.UseDualstack, - EndpointResolver: options.EndpointResolver, - EndpointResolverOptions: options.EndpointResolverOptions, + UseARNRegion: options.UseARNRegion, + UseAccelerate: options.UseAccelerate, + UseDualstack: options.UseDualstack, + EndpointResolver: options.EndpointResolver, + EndpointResolverOptions: options.EndpointResolverOptions, + DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints, }, "OperationSerializer", middleware.Before) if err != nil { return err diff --git a/service/s3/internal/customizations/update_endpoint_test.go b/service/s3/internal/customizations/update_endpoint_test.go index 6c32c8bd537..b54c108652f 100644 --- a/service/s3/internal/customizations/update_endpoint_test.go +++ b/service/s3/internal/customizations/update_endpoint_test.go @@ -3,6 +3,7 @@ package customizations_test import ( "context" "fmt" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a" "strconv" "strings" "testing" @@ -236,6 +237,18 @@ func TestUpdateEndpointBuild(t *testing.T) { } } +// test case struct used to test endpoint customizations +type testCaseForEndpointCustomization struct { + options s3.Options + bucket string + operation func(ctx context.Context, svc *s3.Client, fm *requestRetriever) (interface{}, error) + expectedErr string + expectedReqURL string + expectedSigningName string + expectedSigningRegion string + expectedHeader map[string]string +} + func TestEndpointWithARN(t *testing.T) { // test cases cases := map[string]testCaseForEndpointCustomization{ 
@@ -858,38 +871,16 @@ func TestEndpointWithARN(t *testing.T) { for name, c := range cases { t.Run(name, func(t *testing.T) { - runValidations(t, c, func(ctx context.Context, svc *s3.Client, fm *requestRetrieverMiddleware) (interface{}, error) { + runValidations(t, c, func(ctx context.Context, svc *s3.Client, fetcher *requestRetriever) (interface{}, error) { return svc.GetObject(ctx, &s3.GetObjectInput{ Bucket: ptr.String(c.bucket), Key: ptr.String("testkey"), - }, addRequestRetriever(fm)) + }, addRequestRetriever(fetcher)) }) }) } } -type testCaseForEndpointCustomization struct { - options s3.Options - bucket string - operation func(ctx context.Context, svc *s3.Client, fm *requestRetrieverMiddleware) (interface{}, error) - expectedErr string - expectedReqURL string - expectedSigningName string - expectedSigningRegion string -} - -var addRequestRetriever = func(fm *requestRetrieverMiddleware) func(options *s3.Options) { - return func(options *s3.Options) { - // append request retriever middleware for request inspection - options.APIOptions = append(options.APIOptions, - func(stack *middleware.Stack) error { - // adds AFTER operation serializer middleware - stack.Serialize.Insert(fm, "OperationSerializer", middleware.After) - return nil - }) - } -} - func TestVPC_CustomEndpoint(t *testing.T) { cases := map[string]testCaseForEndpointCustomization{ "standard custom endpoint url": { @@ -935,7 +926,7 @@ func TestVPC_CustomEndpoint(t *testing.T) { }), Region: "us-west-2", }, - operation: func(ctx context.Context, svc *s3.Client, fm *requestRetrieverMiddleware) (interface{}, error) { + operation: func(ctx context.Context, svc *s3.Client, fm *requestRetriever) (interface{}, error) { return svc.ListBuckets(ctx, &s3.ListBucketsInput{}, addRequestRetriever(fm)) }, expectedReqURL: "https://bucket.vpce-123-abc.s3.us-west-2.vpce.amazonaws.com/", 
@@ -1021,7 +1012,7 @@ func TestVPC_CustomEndpoint(t *testing.T) { for name, c := range cases { t.Run(name, func(t *testing.T) { - runValidations(t, c, func(ctx context.Context, svc *s3.Client, fm *requestRetrieverMiddleware) (interface{}, error) { + runValidations(t, c, func(ctx context.Context, svc *s3.Client, fm *requestRetriever) (interface{}, error) { if c.operation != nil { return c.operation(ctx, svc, fm) } @@ -1101,7 +1092,7 @@ func TestWriteGetObjectResponse_UpdateEndpoint(t *testing.T) { for name, c := range cases { t.Run(name, func(t *testing.T) { - runValidations(t, c, func(ctx context.Context, client *s3.Client, retrieverMiddleware *requestRetrieverMiddleware) (interface{}, error) { + runValidations(t, c, func(ctx context.Context, client *s3.Client, retrieverMiddleware *requestRetriever) (interface{}, error) { return client.WriteGetObjectResponse(context.Background(), &s3.WriteGetObjectResponseInput{ RequestRoute: aws.String("test-route"), 
@@ -1112,8 +1103,234 @@ func TestWriteGetObjectResponse_UpdateEndpoint(t *testing.T) { } } +func TestMultiRegionAccessPoints_UpdateEndpoint(t *testing.T) { + cases := map[string]testCaseForEndpointCustomization{ + "region as us-east-1": { + options: s3.Options{ + Region: "us-east-1", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "region as us-west-2": { + options: s3.Options{ + Region: "us-west-2", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "region as aws-global": { + options: s3.Options{ + Region: "aws-global", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "cn partition": { + options: s3.Options{ + Region: "cn-north-1", + }, + bucket: "arn:aws-cn:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com.cn/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "cn partition arn with cross partition client region": { + options: s3.Options{ + Region: "ap-north-1", + }, + bucket: "arn:aws-cn:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com.cn/", + expectedHeader: map[string]string{ + 
v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "region as us-west-2 with mrap disabled": { + options: s3.Options{ + Region: "us-west-2", + DisableMultiRegionAccessPoints: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedErr: "Multi-Region access point ARNs are disabled", + }, + "region as aws-global with mrap disabled": { + options: s3.Options{ + Region: "aws-global", + DisableMultiRegionAccessPoints: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedErr: "Multi-Region access point ARNs are disabled", + }, + "with dualstack": { + options: s3.Options{ + Region: "us-west-2", + UseDualstack: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedErr: "client configured for S3 Dual-stack but is not supported with resource", + }, + "with accelerate": { + options: s3.Options{ + Region: "us-west-2", + UseAccelerate: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedErr: "client configured for S3 Accelerate but is not supported with resource", + }, + "access point with no region and mrap disabled": { + options: s3.Options{ + Region: "us-west-2", + DisableMultiRegionAccessPoints: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:myendpoint", + expectedErr: "Multi-Region access point ARNs are disabled", + }, + "endpoint with no region and disabled mrap": { + options: s3.Options{ + Region: "us-west-2", + DisableMultiRegionAccessPoints: true, + }, + bucket: "arn:aws:s3::123456789012:accesspoint:myendpoint", + expectedErr: "Multi-Region access point ARNs are disabled", + }, + "endpoint with no region": { + options: s3.Options{ + Region: "us-west-2", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:myendpoint", + expectedReqURL: "https://myendpoint.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + 
expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "endpoint containing dot with no region": { + options: s3.Options{ + Region: "us-west-2", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:my.bucket", + expectedReqURL: "https://my.bucket.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "custom endpoint": { + options: s3.Options{ + Region: "us-west-2", + EndpointResolver: s3.EndpointResolverFromURL("https://mockendpoint.amazonaws.com", func(endpoint *aws.Endpoint) { + endpoint.SigningRegion = "us-west-2" + }), + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com/", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "custom endpoint with hostname immutable": { + options: s3.Options{ + Region: "us-west-2", + EndpointResolver: s3.EndpointResolverFromURL("https://mockendpoint.amazonaws.com", func(endpoint *aws.Endpoint) { + endpoint.SigningRegion = "us-west-2" + endpoint.HostnameImmutable = true + }), + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mockendpoint.amazonaws.com/arn%3Aaws%3As3%3A%3A123456789012%3Aaccesspoint%3Amfzwi23gnjvgw.mrap", + expectedHeader: map[string]string{ + v4a.AmzRegionSetKey: "*", + }, + expectedSigningName: "s3", + expectedSigningRegion: "*", + }, + "with client region as fips": { + options: s3.Options{ + Region: "fips-us-west-2", + }, + bucket: "arn:aws:s3::123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedErr: "client configured for fips but cross-region resource ARN provided", + }, + "Accesspoint ARN with region and MRAP disabled": { + options: s3.Options{ + Region: "us-west-2", + DisableMultiRegionAccessPoints: false, + }, + bucket: 
"arn:aws:s3:us-west-2:123456789012:accesspoint:mfzwi23gnjvgw.mrap", + expectedReqURL: "https://mfzwi23gnjvgw.mrap-123456789012.s3-accesspoint.us-west-2.amazonaws.com/", + expectedSigningName: "s3", + expectedSigningRegion: "us-west-2", + }, + } + + for name, c := range cases { + t.Run(name, func(t *testing.T) { + runValidations(t, c, func(ctx context.Context, svc *s3.Client, reqRetriever *requestRetriever) (interface{}, error) { + if c.operation != nil { + return c.operation(ctx, svc, reqRetriever) + } + + return svc.ListObjects(ctx, &s3.ListObjectsInput{ + Bucket: ptr.String(c.bucket), + }, addRequestRetriever(reqRetriever)) + }) + }) + } +} + +// addRequestRetriever provides request retriever function - that can be used to fetch request from +// various build steps. Currently we support fetching after serializing and after finalized middlewares. +var addRequestRetriever = func(fm *requestRetriever) func(options *s3.Options) { + return func(options *s3.Options) { + // append request retriever middleware for request inspection + options.APIOptions = append(options.APIOptions, + func(stack *middleware.Stack) error { + // adds AFTER operation serializer middleware + return stack.Serialize.Insert(fm.serializedRequest, "OperationSerializer", middleware.After) + }, + func(stack *middleware.Stack) error { + // adds AFTER operation finalize middleware + return stack.Finalize.Add(fm.signedRequest, middleware.After) + }) + } +} + +// requestRetriever can be used to fetch request within various stages of request. +// currently we support fetching requests after serialization, and after signing. +type requestRetriever struct { + // serializedRequest retriver should be used to fetch request after Operation serializers are executed. 
+ serializedRequest *requestRetrieverMiddleware + + // signedRequest retriever should be used to fetch request from Finalize step after + signedRequest *requestRetrieverMiddleware +} + func runValidations(t *testing.T, c testCaseForEndpointCustomization, operation func( - context.Context, *s3.Client, *requestRetrieverMiddleware) (interface{}, error)) { + context.Context, *s3.Client, *requestRetriever) (interface{}, error)) { // options opts := c.options.Copy() opts.Credentials = unit.StubCredentialsProvider{} @@ -1122,13 +1339,20 @@ func runValidations(t *testing.T, c testCaseForEndpointCustomization, operation // build an s3 client svc := s3.New(opts) - // setup a request retriever middleware - fm := requestRetrieverMiddleware{} + + // initialize request fetcher to fetch after input is serialized for request + serializedRequest := requestRetrieverMiddleware{} + + // initialize request fetcher to fetch request after it is signed + signedRequest := requestRetrieverMiddleware{} ctx := context.Background() // call an operation - _, err := operation(ctx, svc, &fm) + _, err := operation(ctx, svc, &requestRetriever{ + serializedRequest: &serializedRequest, + signedRequest: &signedRequest, + }) // inspect any errors if len(c.expectedErr) != 0 { 
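Review bot: The case named "Accesspoint ARN with region and MRAP disabled" in TestMultiRegionAccessPoints_UpdateEndpoint sets `DisableMultiRegionAccessPoints: false`, so nothing checks that a regional access point ARN still resolves when the disable switch is on. If the name states the intent, the option should read `DisableMultiRegionAccessPoints: true,`; otherwise rename the case. The cases "access point with no region and mrap disabled" and "endpoint with no region and disabled mrap" are identical, so one of them can go. The doc comment on the `signedRequest` field also stops mid-sentence ("from Finalize step after").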
@@ -1145,21 +1369,35 @@ func runValidations(t *testing.T, c testCaseForEndpointCustomization, operation } // build the captured request - req := fm.request.Build(ctx) + req := serializedRequest.request.Build(ctx) // verify the built request is as expected if e, a := c.expectedReqURL, req.URL.String(); e != a { t.Fatalf("expect url %s, got %s", e, a) } - if e, a := c.expectedSigningRegion, fm.signingRegion; !strings.EqualFold(e, a) { + if e, a := c.expectedSigningRegion, serializedRequest.signingRegion; !strings.EqualFold(e, a) { t.Fatalf("expect signing region as %s, got %s", e, a) } - if e, a := c.expectedSigningName, fm.signingName; !strings.EqualFold(e, a) { + if e, a := c.expectedSigningName, serializedRequest.signingName; !strings.EqualFold(e, a) { t.Fatalf("expect signing name as %s, got %s", e, a) } + + // fetch signed request + signedReq := signedRequest.request + // validate if expected headers are present in request + for key, ev := range c.expectedHeader { + av := signedReq.Header.Get(key) + if len(av) == 0 { + t.Fatalf("expected header %v to be present in %v was not", key, req.Header) + } + if !strings.EqualFold(ev, av) { + t.Fatalf("expected header %v to be %v, got %v instead", key, ev, av) + } + } } +// request retriever middleware is used to fetch request within a stack step. type requestRetrieverMiddleware struct { request *smithyhttp.Request signingRegion string 
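Review bot: The missing-header failure in the new expectedHeader loop of runValidations prints `req.Header`, which belongs to the serialized request, while the lookup is made on `signedReq`; the message should print `signedReq.Header`. `signedReq` is also dereferenced without a nil check, so if the finalize retriever never ran the test would presumably panic instead of failing cleanly. A guard before the loop such as `if signedReq == nil { t.Fatalf("expect signed request to be captured") }` would make that case readable. runValidations starts outside this hunk.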
@@ -1184,3 +1422,20 @@ func (rm *requestRetrieverMiddleware) HandleSerialize( return next.HandleSerialize(ctx, in) } + +func (rm *requestRetrieverMiddleware) HandleFinalize( + ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler, +) ( + out middleware.FinalizeOutput, metadata middleware.Metadata, err error, +) { + req, ok := in.Request.(*smithyhttp.Request) + if !ok { + return out, metadata, fmt.Errorf("unknown request type %T", req) + } + rm.request = req + + rm.signingName = awsmiddleware.GetSigningName(ctx) + rm.signingRegion = awsmiddleware.GetSigningRegion(ctx) + + return next.HandleFinalize(ctx, in) +} diff --git a/service/s3/internal/v4a/credentials.go b/service/s3/internal/v4a/credentials.go new file mode 100644 index 00000000000..ac92b64f6cb --- /dev/null +++ b/service/s3/internal/v4a/credentials.go 
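Review bot: In the added HandleFinalize, a failed type assertion leaves `req` as a nil `*smithyhttp.Request`, so `%T` always prints that pointer type and never the type that was actually received. Format the input instead: `return out, metadata, fmt.Errorf("unknown request type %T", in.Request)`. The method also has no doc comment; `// HandleFinalize records the request and the signing name and region seen at the Finalize step.` would match what the body does.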
@@ -0,0 +1,139 @@
+package v4a
+
+import (
+ "context"
+ "crypto/ecdsa"
+ "fmt"
+ "sync"
+ "sync/atomic"
+ "time"
+
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "github.com/aws/aws-sdk-go-v2/internal/sdk"
+)
+
+// Credentials is Context, ECDSA, and Optional Session Token that can be used
+// to sign requests using SigV4a
+type Credentials struct {
+ Context string
+ PrivateKey *ecdsa.PrivateKey
+ SessionToken string
+
+ // Time the credentials will expire.
+ CanExpire bool
+ Expires time.Time
+}
+
+// Expired returns if the credentials have expired.
+func (v Credentials) Expired() bool {
+ if v.CanExpire {
+ return !v.Expires.After(sdk.NowTime())
+ }
+
+ return false
+}
+
+// HasKeys returns if the credentials keys are set.
+func (v Credentials) HasKeys() bool {
+ return len(v.Context) > 0 && v.PrivateKey != nil
+}
+
+// SymmetricCredentialAdaptor wraps a SigV4 AccessKey/SecretKey provider and adapts the credentials
+// to a ECDSA PrivateKey for signing with SiV4a
+type SymmetricCredentialAdaptor struct {
+ SymmetricProvider aws.CredentialsProvider
+
+ asymmetric atomic.Value
+ m sync.Mutex
+}
+
+// Retrieve retrieves symmetric credentials from the underlying provider.
+func (s *SymmetricCredentialAdaptor) Retrieve(ctx context.Context) (aws.Credentials, error) {
+ symCreds, err := s.retrieveFromSymmetricProvider(ctx)
+ if err != nil {
+ return aws.Credentials{}, nil
+ }
+
+ if asymCreds := s.getCreds(); asymCreds == nil {
+ return symCreds, nil
+ }
+
+ s.m.Lock()
+ defer s.m.Unlock()
+
+ asymCreds := s.getCreds()
+ if asymCreds == nil {
+ return symCreds, nil
+ }
+
+ // if the context does not match the access key id clear it
+ if asymCreds.Context != symCreds.AccessKeyID {
+ s.asymmetric.Store((*Credentials)(nil))
+ }
+
+ return symCreds, nil
+}
+
+// RetrievePrivateKey returns credentials suitable for SigV4a signing
+func (s *SymmetricCredentialAdaptor) RetrievePrivateKey(ctx context.Context) (Credentials, error) {
+ if asymCreds := s.getCreds(); asymCreds != nil {
+ return *asymCreds, nil
+ }
+
+ s.m.Lock()
+ defer s.m.Unlock()
+
+ if asymCreds := s.getCreds(); asymCreds != nil {
+ return *asymCreds, nil
+ }
+
+ symmetricCreds, err := s.retrieveFromSymmetricProvider(ctx)
+ if err != nil {
+ return Credentials{}, fmt.Errorf("failed to retrieve symmetric credentials: %v", err)
+ }
+
+ privateKey, err := deriveKeyFromAccessKeyPair(symmetricCreds.AccessKeyID, symmetricCreds.SecretAccessKey)
+ if err != nil {
+ return Credentials{}, fmt.Errorf("failed to derive assymetric key from credentials")
+ }
+
+ creds := Credentials{
+ Context: symmetricCreds.AccessKeyID,
+ PrivateKey: privateKey,
+ SessionToken: symmetricCreds.SessionToken,
+ CanExpire: symmetricCreds.CanExpire,
+ Expires: symmetricCreds.Expires,
+ }
+
+ s.asymmetric.Store(&creds)
+
+ return creds, nil
+}
+
+func (s *SymmetricCredentialAdaptor) getCreds() *Credentials {
+ v := s.asymmetric.Load()
+
+ if v == nil {
+ return nil
+ }
+
+ c := v.(*Credentials)
+ if c != nil && c.HasKeys() && !c.Expired() {
+ return c
+ }
+
+ return nil
+}
+
+func (s *SymmetricCredentialAdaptor) retrieveFromSymmetricProvider(ctx context.Context) (aws.Credentials, error) {
+ credentials, err := s.SymmetricProvider.Retrieve(ctx)
+ if err != nil {
+ return aws.Credentials{}, err
+ }
+
+ return credentials, nil
+}
+
+type CredentialsProvider interface {
+ RetrievePrivateKey(context.Context) (Credentials, error)
+}
diff --git a/service/s3/internal/v4a/credentials_test.go b/service/s3/internal/v4a/credentials_test.go
new file mode 100644
index 00000000000..f19d73a21b9
--- /dev/null
+++ b/service/s3/internal/v4a/credentials_test.go
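Review bot: Retrieve discards the provider's error: on `err != nil` it returns `aws.Credentials{}, nil`, so a caller receives empty credentials with no failure signalled and may carry on towards signing with them. The branch should be `return aws.Credentials{}, err`. RetrievePrivateKey has a smaller version of the same problem, since the derivation failure is reported without its cause and the provider error is flattened with `%v`; `fmt.Errorf("failed to derive asymmetric key from credentials: %w", err)` keeps the chain inspectable with errors.Is. The exported `CredentialsProvider` interface also lacks a doc comment.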
@@ -0,0 +1,61 @@
+package v4a
+
+import (
+ "context"
+ "fmt"
+ "github.com/aws/aws-sdk-go-v2/aws"
+ "testing"
+)
+
+type rotatingCredsProvider struct {
+ count int
+}
+
+func (r *rotatingCredsProvider) Retrieve(ctx context.Context) (aws.Credentials, error) {
+ credentials := aws.Credentials{
+ AccessKeyID: fmt.Sprintf("ACCESS_KEY_ID_%d", r.count),
+ SecretAccessKey: fmt.Sprintf("SECRET_ACCESS_KEY_%d", r.count),
+ SessionToken: fmt.Sprintf("SESSION_TOKEN_%d", r.count),
+ }
+ return credentials, nil
+}
+
+func TestSymmetricCredentialAdaptor(t *testing.T) {
+ provider := &rotatingCredsProvider{}
+
+ adaptor := &SymmetricCredentialAdaptor{SymmetricProvider: provider}
+
+ if symCreds, err := adaptor.Retrieve(context.Background()); err != nil {
+ t.Fatalf("expect no error, got %v", err)
+ } else if !symCreds.HasKeys() {
+ t.Fatalf("expect symmetric credentials to have keys")
+ }
+
+ if load := adaptor.asymmetric.Load(); load != nil {
+ t.Errorf("expect asymmetric credentials to be nil")
+ }
+
+ if asymCreds, err := adaptor.RetrievePrivateKey(context.Background()); err != nil {
+ t.Fatalf("expect no error, got %v", err)
+ } else if !asymCreds.HasKeys() {
+ t.Fatalf("expect asymmetric credentials to have keys")
+ }
+
+ if _, err := adaptor.Retrieve(context.Background()); err != nil {
+ t.Fatalf("expect no error, got %v", err)
+ }
+
+ if load := adaptor.asymmetric.Load(); load.(*Credentials) == nil {
+ t.Errorf("expect asymmetric credentials to be not nil")
+ }
+
+ provider.count++
+
+ if _, err := adaptor.Retrieve(context.Background()); err != nil {
+ t.Fatalf("expect no error, got %v", err)
+ }
+
+ if load := adaptor.asymmetric.Load(); load.(*Credentials) != nil {
+ t.Errorf("expect asymmetric credentials to be nil")
+ }
+}
diff --git a/service/s3/internal/v4a/error.go b/service/s3/internal/v4a/error.go
new file mode 100644
index 00000000000..380d1742714
--- /dev/null
+++ b/service/s3/internal/v4a/error.go
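Review bot: rotatingCredsProvider can never fail, so TestSymmetricCredentialAdaptor covers only the success paths of Retrieve and RetrievePrivateKey. A provider variant that returns an error, with assertions that both methods return a non-nil error, would pin what happens when the underlying credentials cannot be fetched. The bare assertions `load.(*Credentials)` would panic rather than fail if Load returned an untyped nil; `c, _ := load.(*Credentials)` avoids that. The third-party `aws` import sits between the standard-library ones and would be moved to its own group by goimports.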
@@ -0,0 +1,17 @@
+package v4a
+
+import "fmt"
+
+// SigningError indicates an error condition occurred while performing SigV4a signing
+type SigningError struct {
+ Err error
+}
+
+func (e *SigningError) Error() string {
+ return fmt.Sprintf("failed to sign request: %v", e.Err)
+}
+
+// Unwrap returns the underlying error cause
+func (e *SigningError) Unwrap() error {
+ return e.Err
+}
diff --git a/service/s3/internal/v4a/internal/crypto/compare.go b/service/s3/internal/v4a/internal/crypto/compare.go
new file mode 100644
index 00000000000..a93ec40c8a8
--- /dev/null
+++ b/service/s3/internal/v4a/internal/crypto/compare.go
@@ -0,0 +1,30 @@
+package crypto
+
+import "fmt"
+
+// ConstantTimeByteCompare is a constant-time byte comparison of x and y. This function performs an absolute comparison
+// if the two byte slices assuming they represent a big-endian number.
+//
+ // error if len(x) != len(y)
+ // -1 if x < y
+ // 0 if x == y
+ // +1 if x > y
+func ConstantTimeByteCompare(x, y []byte) (int, error) {
+ if len(x) != len(y) {
+ return 0, fmt.Errorf("slice lengths do not match")
+ }
+
+ xLarger, yLarger := 0, 0
+
+ for i := 0; i < len(x); i++ {
+ xByte, yByte := int(x[i]), int(y[i])
+
+ x := ((yByte - xByte) >> 8) & 1
+ y := ((xByte - yByte) >> 8) & 1
+
+ xLarger |= x &^ yLarger
+ yLarger |= y &^ xLarger
+ }
+
+ return xLarger - yLarger, nil
+}
diff --git a/service/s3/internal/v4a/internal/crypto/compare_test.go b/service/s3/internal/v4a/internal/crypto/compare_test.go
new file mode 100644
index 00000000000..2bbdfdb986b
--- /dev/null
+++ b/service/s3/internal/v4a/internal/crypto/compare_test.go
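Review bot: Inside the loop of ConstantTimeByteCompare the locals `x` and `y` shadow the slice parameters of the same name, which is easy to misread in a function whose correctness depends on every line. Renaming them, for example `xGreater := ((yByte - xByte) >> 8) & 1` and `yGreater := ((xByte - yByte) >> 8) & 1`, leaves the arithmetic unchanged. The doc comment has a typo ("comparison if the two byte slices" should read "of"), and it could state that the length check returns early, so only the contents and not the lengths are compared in constant time.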
@@ -0,0 +1,60 @@
+package crypto
+
+import (
+ "bytes"
+ "math/big"
+ "testing"
+)
+
+func TestConstantTimeByteCompare(t *testing.T) {
+ cases := []struct {
+ x, y []byte
+ r int
+ expectErr bool
+ }{
+ {x: []byte{}, y: []byte{}, r: 0},
+ {x: []byte{40}, y: []byte{30}, r: 1},
+ {x: []byte{30}, y: []byte{40}, r: -1},
+ {x: []byte{60, 40, 30, 10, 20}, y: []byte{50, 30, 20, 0, 10}, r: 1},
+ {x: []byte{50, 30, 20, 0, 10}, y: []byte{60, 40, 30, 10, 20}, r: -1},
+ {x: nil, y: []byte{}, r: 0},
+ {x: []byte{}, y: nil, r: 0},
+ {x: []byte{}, y: []byte{10}, expectErr: true},
+ {x: []byte{10}, y: []byte{}, expectErr: true},
+ {x: []byte{10, 20}, y: []byte{10}, expectErr: true},
+ }
+
+ for _, tt := range cases {
+ compare, err := ConstantTimeByteCompare(tt.x, tt.y)
+ if (err != nil) != tt.expectErr {
+ t.Fatalf("expectErr=%v, got %v", tt.expectErr, err)
+ }
+ if e, a := tt.r, compare; e != a {
+ t.Errorf("expect %v, got %v", e, a)
+ }
+ }
+}
+
+func BenchmarkConstantTimeCompare(b *testing.B) {
+ x, y := big.NewInt(1023), big.NewInt(1024)
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ ConstantTimeByteCompare(x.Bytes(), y.Bytes())
+ }
+}
+
+func BenchmarkCompare(b *testing.B) {
+ x, y := big.NewInt(1023).Bytes(), big.NewInt(1024).Bytes()
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ bytes.Compare(x, y)
+ }
+}
+
+func mustBigInt(s string) *big.Int {
+ b, ok := (&big.Int{}).SetString(s, 16)
+ if !ok {
+ panic("can't parse as big.Int")
+ }
+ return b
+}
diff --git a/service/s3/internal/v4a/internal/crypto/ecc.go b/service/s3/internal/v4a/internal/crypto/ecc.go
new file mode 100644
index 00000000000..758c73fcb3e
--- /dev/null
+++ b/service/s3/internal/v4a/internal/crypto/ecc.go
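Review bot: Every multi-byte case in TestConstantTimeByteCompare has all bytes of one operand larger than the other's, so the big-endian precedence that the `&^` masking in ConstantTimeByteCompare implements is never exercised. Add mixed cases such as `{x: []byte{1, 200}, y: []byte{2, 100}, r: -1}` and its mirror, plus an equal multi-byte pair with `r: 0`. `mustBigInt` is not called anywhere in this file as shown and looks removable.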
@@ -0,0 +1,113 @@
+package crypto
+
+import (
+ "bytes"
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/hmac"
+ "encoding/asn1"
+ "encoding/binary"
+ "fmt"
+ "hash"
+ "math"
+ "math/big"
+)
+
+type ecdsaSignature struct {
+ R, S *big.Int
+}
+
+// ECDSAKey takes the given elliptic curve, and private key (d) byte slice
+// and returns the private ECDSA key.
+func ECDSAKey(curve elliptic.Curve, d []byte) *ecdsa.PrivateKey {
+ return ECDSAKeyFromPoint(curve, (&big.Int{}).SetBytes(d))
+}
+
+// ECDSAKeyFromPoint takes the given elliptic curve and point and returns the
+// private and public keypair
+func ECDSAKeyFromPoint(curve elliptic.Curve, d *big.Int) *ecdsa.PrivateKey {
+ pX, pY := curve.ScalarBaseMult(d.Bytes())
+
+ privKey := &ecdsa.PrivateKey{
+ PublicKey: ecdsa.PublicKey{
+ Curve: curve,
+ X: pX,
+ Y: pY,
+ },
+ D: d,
+ }
+
+ return privKey
+}
+
+// ECDSAPublicKey takes the provide curve and (x, y) coordinates and returns
+// *ecdsa.PublicKey. Returns an error if the given points are not on the curve.
+func ECDSAPublicKey(curve elliptic.Curve, x, y []byte) (*ecdsa.PublicKey, error) {
+ xPoint := (&big.Int{}).SetBytes(x)
+ yPoint := (&big.Int{}).SetBytes(y)
+
+ if !curve.IsOnCurve(xPoint, yPoint) {
+ return nil, fmt.Errorf("point(%v, %v) is not on the given curve", xPoint.String(), yPoint.String())
+ }
+
+ return &ecdsa.PublicKey{
+ Curve: curve,
+ X: xPoint,
+ Y: yPoint,
+ }, nil
+}
+
+// VerifySignature takes the provided public key, hash, and asn1 encoded signature and returns
+// whether the given signature is valid.
+func VerifySignature(key *ecdsa.PublicKey, hash []byte, signature []byte) (bool, error) {
+ var ecdsaSignature ecdsaSignature
+
+ _, err := asn1.Unmarshal(signature, &ecdsaSignature)
+ if err != nil {
+ return false, err
+ }
+
+ return ecdsa.Verify(key, hash, ecdsaSignature.R, ecdsaSignature.S), nil
+}
+
+// HMACKeyDerivation provides an implementation of a NIST-800-108 of a KDF (Key Derivation Function) in Counter Mode.
+// For the purposes of this implantation HMAC is used as the PRF (Pseudorandom function), where the value of
+// `r` is defined as a 4 byte counter.
+func HMACKeyDerivation(hash func() hash.Hash, bitLen int, key []byte, label, context []byte) ([]byte, error) {
+ // verify that we won't overflow the counter
+ n := int64(math.Ceil((float64(bitLen) / 8) / float64(hash().Size())))
+ if n > 0x7FFFFFFF {
+ return nil, fmt.Errorf("unable to derive key of size %d using 32-bit counter", bitLen)
+ }
+
+ // verify the requested bit length is not larger then the length encoding size
+ if int64(bitLen) > 0x7FFFFFFF {
+ return nil, fmt.Errorf("bitLen is greater than 32-bits")
+ }
+
+ fixedInput := bytes.NewBuffer(nil)
+ fixedInput.Write(label)
+ fixedInput.WriteByte(0x00)
+ fixedInput.Write(context)
+ if err := binary.Write(fixedInput, binary.BigEndian, int32(bitLen)); err != nil {
+ return nil, fmt.Errorf("failed to write bit length to fixed input string: %v", err)
+ }
+
+ var output []byte
+
+ h := hmac.New(hash, key)
+
+ for i := int64(1); i <= n; i++ {
+ h.Reset()
+ if err := binary.Write(h, binary.BigEndian, int32(i)); err != nil {
+ return nil, err
+ }
+ _, err := h.Write(fixedInput.Bytes())
+ if err != nil {
+ return nil, err
+ }
+ output = append(output, h.Sum(nil)...)
+ }
+
+ return output[:bitLen/8], nil
+}
diff --git a/service/s3/internal/v4a/internal/crypto/ecc_test.go b/service/s3/internal/v4a/internal/crypto/ecc_test.go
new file mode 100644
index 00000000000..72a5e8dcf9b
--- /dev/null
+++ b/service/s3/internal/v4a/internal/crypto/ecc_test.go
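Review bot: HMACKeyDerivation bounds `bitLen` from above only, so a negative value skips the loop and can then panic on `output[:bitLen/8]`, and zero returns an empty key with a nil error. Reject it before the counter check: `if bitLen <= 0 { return nil, fmt.Errorf("bitLen must be positive, got %d", bitLen) }`. A `bitLen` that is not a multiple of 8 is silently truncated to whole bytes by the final slice, which deserves a sentence in the doc comment. Separately, VerifySignature drops the remainder returned by `asn1.Unmarshal`, so a signature followed by trailing bytes is still accepted; checking that the remainder is empty would make the parse strict.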
@@ -0,0 +1,277 @@ +package crypto + +import ( + "bytes" + "crypto" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/sha256" + "io" + "testing" +) + +func TestECDSAPublicKeyDerivation_P256(t *testing.T) { + d := []byte{ + 0xc9, 0x80, 0x68, 0x98, 0xa0, 0x33, 0x49, 0x16, 0xc8, 0x60, 0x74, 0x88, 0x80, 0xa5, 0x41, 0xf0, + 0x93, 0xb5, 0x79, 0xa9, 0xb1, 0xf3, 0x29, 0x34, 0xd8, 0x6c, 0x36, 0x3c, 0x39, 0x80, 0x03, 0x57, + } + + x := []byte{ + 0xd0, 0x72, 0x0d, 0xc6, 0x91, 0xaa, 0x80, 0x09, 0x6b, 0xa3, 0x2f, 0xed, 0x1c, 0xb9, 0x7c, 0x2b, + 0x62, 0x06, 0x90, 0xd0, 0x6d, 0xe0, 0x31, 0x7b, 0x86, 0x18, 0xd5, 0xce, 0x65, 0xeb, 0x72, 0x8f, + } + + y := []byte{ + 0x96, 0x81, 0xb5, 0x17, 0xb1, 0xcd, 0xa1, 0x7d, 0x0d, 0x83, 0xd3, 0x35, 0xd9, 0xc4, 0xa8, 0xa9, + 0xa9, 0xb0, 0xb1, 0xb3, 0xc7, 0x10, 0x6d, 0x8f, 0x3c, 0x72, 0xbc, 0x50, 0x93, 0xdc, 0x27, 0x5f, + } + + testKeyDerivation(t, elliptic.P256(), d, x, y) +} + +func TestECDSAPublicKeyDerivation_P384(t *testing.T) { + d := []byte{ + 0x53, 0x94, 0xf7, 0x97, 0x3e, 0xa8, 0x68, 0xc5, 0x2b, 0xf3, 0xff, 0x8d, 0x8c, 0xee, 0xb4, 0xdb, + 0x90, 0xa6, 0x83, 0x65, 0x3b, 0x12, 0x48, 0x5d, 0x5f, 0x62, 0x7c, 0x3c, 0xe5, 0xab, 0xd8, 0x97, + 0x8f, 0xc9, 0x67, 0x3d, 0x14, 0xa7, 0x1d, 0x92, 0x57, 0x47, 0x93, 0x16, 0x62, 0x49, 0x3c, 0x37, + } + + x := []byte{ + 0xfd, 0x3c, 0x84, 0xe5, 0x68, 0x9b, 0xed, 0x27, 0x0e, 0x60, 0x1b, 0x3d, 0x80, 0xf9, 0x0d, 0x67, + 0xa9, 0xae, 0x45, 0x1c, 0xce, 0x89, 0x0f, 0x53, 0xe5, 0x83, 0x22, 0x9a, 0xd0, 0xe2, 0xee, 0x64, + 0x56, 0x11, 0xfa, 0x99, 0x36, 0xdf, 0xa4, 0x53, 0x06, 0xec, 0x18, 0x06, 0x67, 0x74, 0xaa, 0x24, + } + + y := []byte{ + 0xb8, 0x3c, 0xa4, 0x12, 0x6c, 0xfc, 0x4c, 0x4d, 0x1d, 0x18, 0xa4, 0xb6, 0xc2, 0x1c, 0x7f, 0x69, + 0x9d, 0x51, 0x23, 0xdd, 0x9c, 0x24, 0xf6, 0x6f, 0x83, 0x38, 0x46, 0xee, 0xb5, 0x82, 0x96, 0x19, + 0x6b, 0x42, 0xec, 0x06, 0x42, 0x5d, 0xb5, 0xb7, 0x0a, 0x4b, 0x81, 0xb7, 0xfc, 0xf7, 0x05, 0xa0, + } + + testKeyDerivation(t, elliptic.P384(), d, x, y) +} + +func 
TestECDSAKnownSigningValue_P256(t *testing.T) { + d := []byte{ + 0x51, 0x9b, 0x42, 0x3d, 0x71, 0x5f, 0x8b, 0x58, 0x1f, 0x4f, 0xa8, 0xee, 0x59, 0xf4, 0x77, 0x1a, + 0x5b, 0x44, 0xc8, 0x13, 0x0b, 0x4e, 0x3e, 0xac, 0xca, 0x54, 0xa5, 0x6d, 0xda, 0x72, 0xb4, 0x64, + } + + testKnownSigningValue(t, elliptic.P256(), d) +} + +func TestECDSAKnownSigningValue_P384(t *testing.T) { + d := []byte{ + 0x53, 0x94, 0xf7, 0x97, 0x3e, 0xa8, 0x68, 0xc5, 0x2b, 0xf3, 0xff, 0x8d, 0x8c, 0xee, 0xb4, 0xdb, + 0x90, 0xa6, 0x83, 0x65, 0x3b, 0x12, 0x48, 0x5d, 0x5f, 0x62, 0x7c, 0x3c, 0xe5, 0xab, 0xd8, 0x97, + 0x8f, 0xc9, 0x67, 0x3d, 0x14, 0xa7, 0x1d, 0x92, 0x57, 0x47, 0x93, 0x16, 0x62, 0x49, 0x3c, 0x37, + } + + testKnownSigningValue(t, elliptic.P384(), d) +} + +func testKeyDerivation(t *testing.T, curve elliptic.Curve, d, expectedX, expectedY []byte) { + privKey := ECDSAKey(curve, d) + + if e, a := d, privKey.D.Bytes(); bytes.Compare(e, a) != 0 { + t.Errorf("expected % x, got % x", e, a) + } + + if e, a := expectedX, privKey.X.Bytes(); bytes.Compare(e, a) != 0 { + t.Errorf("expected % x, got % x", e, a) + } + + if e, a := expectedY, privKey.Y.Bytes(); bytes.Compare(e, a) != 0 { + t.Errorf("expected % x, got % x", e, a) + } +} + +func testKnownSigningValue(t *testing.T, curve elliptic.Curve, d []byte) { + signingKey := ECDSAKey(curve, d) + + message := []byte{ + 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, + 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, + 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, + 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, + 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, + 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, + 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, 0xeb, 0x37, 
0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, + 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8, + } + + sha256Hash := sha256.New() + _, err := io.Copy(sha256Hash, bytes.NewReader(message)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + msgHash := sha256Hash.Sum(nil) + msgSignature, err := signingKey.Sign(rand.Reader, msgHash, crypto.SHA256) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + verified, err := VerifySignature(&signingKey.PublicKey, msgHash, msgSignature) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + if !verified { + t.Fatalf("failed to verify message msgSignature") + } +} + +func TestECDSAInvalidSignature_P256(t *testing.T) { + testInvalidSignature(t, elliptic.P256()) +} + +func TestECDSAInvalidSignature_P384(t *testing.T) { + testInvalidSignature(t, elliptic.P384()) +} + +func TestECDSAGenKeySignature_P256(t *testing.T) { + testGenKeySignature(t, elliptic.P256()) +} + +func TestECDSAGenKeySignature_P384(t *testing.T) { + testGenKeySignature(t, elliptic.P384()) +} + +func testInvalidSignature(t *testing.T, curve elliptic.Curve) { + privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) + if err != nil { + t.Fatalf("failed to generate key: %v", err) + } + + message := []byte{ + 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, + 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, + 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, + 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, + 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, + 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, + 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 
0x0f, + 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8, + } + + sha256Hash := sha256.New() + _, err = io.Copy(sha256Hash, bytes.NewReader(message)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + msgHash := sha256Hash.Sum(nil) + msgSignature, err := privateKey.Sign(rand.Reader, msgHash, crypto.SHA256) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + byteToFlip := 15 + switch msgSignature[byteToFlip] { + case 0: + msgSignature[byteToFlip] = 0x0a + default: + msgSignature[byteToFlip] &^= msgSignature[byteToFlip] + } + + verified, err := VerifySignature(&privateKey.PublicKey, msgHash, msgSignature) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + if verified { + t.Fatalf("expected message verification to fail") + } +} + +func testGenKeySignature(t *testing.T, curve elliptic.Curve) { + privateKey, err := ecdsa.GenerateKey(curve, rand.Reader) + if err != nil { + t.Fatalf("failed to generate key: %v", err) + } + + message := []byte{ + 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, + 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, + 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, + 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, + 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, + 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, + 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, + 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8, + } + + sha256Hash := sha256.New() + _, err = io.Copy(sha256Hash, bytes.NewReader(message)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } 
+ + msgHash := sha256Hash.Sum(nil) + msgSignature, err := privateKey.Sign(rand.Reader, msgHash, crypto.SHA256) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + verified, err := VerifySignature(&privateKey.PublicKey, msgHash, msgSignature) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + if !verified { + t.Fatalf("expected message verification to fail") + } +} + +func TestECDSASignatureFormat(t *testing.T) { + asn1Signature := []byte{ + 0x30, 0x45, 0x02, 0x21, 0x00, 0xd7, 0xc5, 0xb9, 0x9e, 0x0b, 0xb1, 0x1a, 0x1f, 0x32, 0xda, 0x66, 0xe0, 0xff, + 0x59, 0xb7, 0x8a, 0x5e, 0xb3, 0x94, 0x9c, 0x23, 0xb3, 0xfc, 0x1f, 0x18, 0xcc, 0xf6, 0x61, 0x67, 0x8b, 0xf1, + 0xc1, 0x02, 0x20, 0x26, 0x4d, 0x8b, 0x7c, 0xaa, 0x52, 0x4c, 0xc0, 0x2e, 0x5f, 0xf6, 0x7e, 0x24, 0x82, 0xe5, + 0xfb, 0xcb, 0xc7, 0x9b, 0x83, 0x0d, 0x19, 0x7e, 0x7a, 0x40, 0x37, 0x87, 0xdd, 0x1c, 0x93, 0x13, 0xc4, + } + + x := []byte{ + 0x1c, 0xcb, 0xe9, 0x1c, 0x07, 0x5f, 0xc7, 0xf4, 0xf0, 0x33, 0xbf, 0xa2, 0x48, 0xdb, 0x8f, 0xcc, + 0xd3, 0x56, 0x5d, 0xe9, 0x4b, 0xbf, 0xb1, 0x2f, 0x3c, 0x59, 0xff, 0x46, 0xc2, 0x71, 0xbf, 0x83, + } + + y := []byte{ + 0xce, 0x40, 0x14, 0xc6, 0x88, 0x11, 0xf9, 0xa2, 0x1a, 0x1f, 0xdb, 0x2c, 0x0e, 0x61, 0x13, 0xe0, + 0x6d, 0xb7, 0xca, 0x93, 0xb7, 0x40, 0x4e, 0x78, 0xdc, 0x7c, 0xcd, 0x5c, 0xa8, 0x9a, 0x4c, 0xa9, + } + + publicKey, err := ECDSAPublicKey(elliptic.P256(), x, y) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + message := []byte{ + 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, + 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, + 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, + 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, + 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, + 
0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, + 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, + 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8, + } + + hash := sha256.New() + _, err = io.Copy(hash, bytes.NewReader(message)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + msgHash := hash.Sum(nil) + + verifySignature, err := VerifySignature(publicKey, msgHash, asn1Signature) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + if !verifySignature { + t.Fatalf("failed to verify signature") + } +} diff --git a/service/s3/internal/v4a/internal/v4/const.go b/service/s3/internal/v4a/internal/v4/const.go new file mode 100644 index 00000000000..89a76e2eaab --- /dev/null +++ b/service/s3/internal/v4a/internal/v4/const.go 
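Review bot: testGenKeySignature fails with "expected message verification to fail" when `!verified`, which is the opposite of what the check means; the call should read `t.Fatalf("expected message verification to succeed")`. testKnownSigningValue signs with `rand.Reader` and only verifies the round trip, so despite the name no fixed signature value is compared. The 128-byte `message` literal is repeated in four functions and could be a single package-level variable.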
@@ -0,0 +1,36 @@
+package v4
+
+const (
+ // EmptyStringSHA256 is the hex encoded sha256 value of an empty string
+ EmptyStringSHA256 = `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
+
+ // UnsignedPayload indicates that the request payload body is unsigned
+ UnsignedPayload = "UNSIGNED-PAYLOAD"
+
+ // AmzAlgorithmKey indicates the signing algorithm
+ AmzAlgorithmKey = "X-Amz-Algorithm"
+
+ // AmzSecurityTokenKey indicates the security token to be used with temporary credentials
+ AmzSecurityTokenKey = "X-Amz-Security-Token"
+
+ // AmzDateKey is the UTC timestamp for the request in the format YYYYMMDD'T'HHMMSS'Z'
+ AmzDateKey = "X-Amz-Date"
+
+ // AmzCredentialKey is the access key ID and credential scope
+ AmzCredentialKey = "X-Amz-Credential"
+
+ // AmzSignedHeadersKey is the set of headers signed for the request
+ AmzSignedHeadersKey = "X-Amz-SignedHeaders"
+
+ // AmzSignatureKey is the query parameter to store the SigV4 signature
+ AmzSignatureKey = "X-Amz-Signature"
+
+ // TimeFormat is the time format to be used in the X-Amz-Date header or query parameter
+ TimeFormat = "20060102T150405Z"
+
+ // ShortTimeFormat is the shorten time format used in the credential scope
+ ShortTimeFormat = "20060102"
+
+ // ContentSHAKey is the SHA256 of request body
+ ContentSHAKey = "X-Amz-Content-Sha256"
+)
diff --git a/service/s3/internal/v4a/internal/v4/header_rules.go b/service/s3/internal/v4a/internal/v4/header_rules.go
new file mode 100644
index 00000000000..a15177e8f3f
--- /dev/null
+++ b/service/s3/internal/v4a/internal/v4/header_rules.go
@@ -0,0 +1,82 @@
+package v4
+
+import (
+ sdkstrings "github.com/aws/aws-sdk-go-v2/internal/strings"
+)
+
+// Rules houses a set of Rule needed for validation of a
+// string value
+type Rules []Rule
+
+// Rule interface allows for more flexible rules and just simply
+// checks whether or not a value adheres to that Rule
+type Rule interface {
+ IsValid(value string) bool
+}
+
+// IsValid will iterate through all rules and see if any rules
+// apply to the value and supports nested rules
+func (r Rules) IsValid(value string) bool {
+ for _, rule := range r {
+ if rule.IsValid(value) {
+ return true
+ }
+ }
+ return false
+}
+
+// MapRule generic Rule for maps
+type MapRule map[string]struct{}
+
+// IsValid for the map Rule satisfies whether it exists in the map
+func (m MapRule) IsValid(value string) bool {
+ _, ok := m[value]
+ return ok
+}
+
+// AllowList is a generic Rule for whitelisting
+type AllowList struct {
+ Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (w AllowList) IsValid(value string) bool {
+ return w.Rule.IsValid(value)
+}
+
+// DenyList is a generic Rule for blacklisting
+type DenyList struct {
+ Rule
+}
+
+// IsValid for AllowList checks if the value is within the AllowList
+func (b DenyList) IsValid(value string) bool {
+ return !b.Rule.IsValid(value)
+}
+
+// Patterns is a list of strings to match against
+type Patterns []string
+
+// IsValid for Patterns checks each pattern and returns if a match has
+// been found
+func (p Patterns) IsValid(value string) bool {
+ for _, pattern := range p {
+ if sdkstrings.HasPrefixFold(value, pattern) {
+ return true
+ }
+ }
+ return false
+}
+
+// InclusiveRules rules allow for rules to depend on one another
+type InclusiveRules []Rule
+
+// IsValid will return true if all rules are true
+func (r InclusiveRules) IsValid(value string) bool {
+ for _, rule := range r {
+ if !rule.IsValid(value) {
+ return false
+ }
+ }
+ return true
+}
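Review bot: `MapRule.IsValid` is an exact, case-sensitive map lookup, while `Patterns.IsValid` folds case through `sdkstrings.HasPrefixFold`, so the two rule kinds disagree on what counts as the same header name. The rules only behave as intended if callers pass canonicalised names (presumably the output of `http.CanonicalHeaderKey`; the caller is outside this hunk). That precondition deserves a line on the type, e.g. `// MapRule matches value exactly; callers must pass canonical MIME header keys.` The comment above `DenyList.IsValid` is copied from `AllowList` and states the opposite of what the method does; it should read `// IsValid for DenyList reports whether the value is absent from the wrapped Rule`.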
diff --git a/service/s3/internal/v4a/internal/v4/headers.go b/service/s3/internal/v4a/internal/v4/headers.go
new file mode 100644
index 00000000000..3487dc3352d
--- /dev/null
+++ b/service/s3/internal/v4a/internal/v4/headers.go
@@ -0,0 +1,67 @@ +package v4 + +// IgnoredHeaders is a list of headers that are ignored during signing +var IgnoredHeaders = Rules{ + DenyList{ + MapRule{ + "Authorization": struct{}{}, + "User-Agent": struct{}{}, + "X-Amzn-Trace-Id": struct{}{}, + }, + }, +} + +// RequiredSignedHeaders is a whitelist for Build canonical headers. +var RequiredSignedHeaders = Rules{ + AllowList{ + MapRule{ + "Cache-Control": struct{}{}, + "Content-Disposition": struct{}{}, + "Content-Encoding": struct{}{}, + "Content-Language": struct{}{}, + "Content-Md5": struct{}{}, + "Content-Type": struct{}{}, + "Expires": struct{}{}, + "If-Match": struct{}{}, + "If-Modified-Since": struct{}{}, + "If-None-Match": struct{}{}, + "If-Unmodified-Since": struct{}{}, + "Range": struct{}{}, + "X-Amz-Acl": struct{}{}, + "X-Amz-Copy-Source": struct{}{}, + "X-Amz-Copy-Source-If-Match": struct{}{}, + "X-Amz-Copy-Source-If-Modified-Since": struct{}{}, + "X-Amz-Copy-Source-If-None-Match": struct{}{}, + "X-Amz-Copy-Source-If-Unmodified-Since": struct{}{}, + "X-Amz-Copy-Source-Range": struct{}{}, + "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{}, + "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{}, + "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, + "X-Amz-Grant-Full-control": struct{}{}, + "X-Amz-Grant-Read": struct{}{}, + "X-Amz-Grant-Read-Acp": struct{}{}, + "X-Amz-Grant-Write": struct{}{}, + "X-Amz-Grant-Write-Acp": struct{}{}, + "X-Amz-Metadata-Directive": struct{}{}, + "X-Amz-Mfa": struct{}{}, + "X-Amz-Request-Payer": struct{}{}, + "X-Amz-Server-Side-Encryption": struct{}{}, + "X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id": struct{}{}, + "X-Amz-Server-Side-Encryption-Customer-Algorithm": struct{}{}, + "X-Amz-Server-Side-Encryption-Customer-Key": struct{}{}, + "X-Amz-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, + "X-Amz-Storage-Class": struct{}{}, + "X-Amz-Website-Redirect-Location": struct{}{}, + "X-Amz-Content-Sha256": 
struct{}{}, + "X-Amz-Tagging": struct{}{}, + }, + }, + Patterns{"X-Amz-Meta-"}, +} + +// AllowedQueryHoisting is a whitelist for Build query headers. The boolean value +// represents whether or not it is a pattern. +var AllowedQueryHoisting = InclusiveRules{ + DenyList{RequiredSignedHeaders}, + Patterns{"X-Amz-"}, +} diff --git a/service/s3/internal/v4a/internal/v4/hmac.go b/service/s3/internal/v4a/internal/v4/hmac.go new file mode 100644 index 00000000000..e7fa7a1b1e6 --- /dev/null +++ b/service/s3/internal/v4a/internal/v4/hmac.go @@ -0,0 +1,13 @@ +package v4 + +import ( + "crypto/hmac" + "crypto/sha256" +) + +// HMACSHA256 computes a HMAC-SHA256 of data given the provided key. +func HMACSHA256(key []byte, data []byte) []byte { + hash := hmac.New(sha256.New, key) + hash.Write(data) + return hash.Sum(nil) +} diff --git a/service/s3/internal/v4a/internal/v4/host.go b/service/s3/internal/v4a/internal/v4/host.go new file mode 100644 index 00000000000..bf93659a43f --- /dev/null +++ b/service/s3/internal/v4a/internal/v4/host.go 
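Review bot: The key `"X-Amz-Grant-Full-control"` in `RequiredSignedHeaders` has a lower-case `c`, and `MapRule` matches by exact string, so the canonical form `X-Amz-Grant-Full-Control` produced by `net/http` never matches this entry. If the signer consults these rules with canonicalised names (that code is outside this hunk), the header drops out of the required-signed set. Because `AllowedQueryHoisting` is `DenyList{RequiredSignedHeaders}` combined with the `X-Amz-` prefix, it would then become eligible for hoisting into the query string on presign. Change the entry to `"X-Amz-Grant-Full-Control": struct{}{},`. The doc comment on `AllowedQueryHoisting` also still describes a boolean value that the type does not have.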
@@ -0,0 +1,75 @@
+package v4
+
+import (
+ "net/http"
+ "strings"
+)
+
+// SanitizeHostForHeader removes default port from host and updates request.Host
+func SanitizeHostForHeader(r *http.Request) {
+ host := getHost(r)
+ port := portOnly(host)
+ if port != "" && isDefaultPort(r.URL.Scheme, port) {
+ r.Host = stripPort(host)
+ }
+}
+
+// Returns host from request
+func getHost(r *http.Request) string {
+ if r.Host != "" {
+ return r.Host
+ }
+
+ return r.URL.Host
+}
+
+// Hostname returns u.Host, without any port number.
+//
+// If Host is an IPv6 literal with a port number, Hostname returns the
+// IPv6 literal without the square brackets. IPv6 literals may include
+// a zone identifier.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func stripPort(hostport string) string {
+ colon := strings.IndexByte(hostport, ':')
+ if colon == -1 {
+ return hostport
+ }
+ if i := strings.IndexByte(hostport, ']'); i != -1 {
+ return strings.TrimPrefix(hostport[:i], "[")
+ }
+ return hostport[:colon]
+}
+
+// Port returns the port part of u.Host, without the leading colon.
+// If u.Host doesn't contain a port, Port returns an empty string.
+//
+// Copied from the Go 1.8 standard library (net/url)
+func portOnly(hostport string) string {
+ colon := strings.IndexByte(hostport, ':')
+ if colon == -1 {
+ return ""
+ }
+ if i := strings.Index(hostport, "]:"); i != -1 {
+ return hostport[i+len("]:"):]
+ }
+ if strings.Contains(hostport, "]") {
+ return ""
+ }
+ return hostport[colon+len(":"):]
+}
+
+// Returns true if the specified URI is using the standard port
+// (i.e. port 80 for HTTP URIs or 443 for HTTPS URIs)
+func isDefaultPort(scheme, port string) bool {
+ if port == "" {
+ return true
+ }
+
+ lowerCaseScheme := strings.ToLower(scheme)
+ if (lowerCaseScheme == "http" && port == "80") || (lowerCaseScheme == "https" && port == "443") {
+ return true
+ }
+
+ return false
+}
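Review bot: `stripPort` returns an IPv6 literal without its square brackets, and `SanitizeHostForHeader` assigns that result straight to `r.Host`, so a host of `[::1]:443` over https becomes `::1`. A Host value for an IPv6 literal has to keep the brackets, so the request would carry a malformed host regardless of which form the signer canonicalises. Keep the brackets in the bracketed branch, e.g. `return hostport[:i+1]`. The copied `net/url` comments above `stripPort` and `portOnly` still describe `Hostname` and `Port`; they should name these helpers and state what they return for bracketed input.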
diff --git a/service/s3/internal/v4a/internal/v4/time.go b/service/s3/internal/v4a/internal/v4/time.go
new file mode 100644
index 00000000000..1de06a765d1
--- /dev/null
+++ b/service/s3/internal/v4a/internal/v4/time.go
@@ -0,0 +1,36 @@
+package v4
+
+import "time"
+
+// SigningTime provides a wrapper around a time.Time which provides cached values for SigV4 signing.
+type SigningTime struct {
+ time.Time
+ timeFormat string
+ shortTimeFormat string
+}
+
+// NewSigningTime creates a new SigningTime given a time.Time
+func NewSigningTime(t time.Time) SigningTime {
+ return SigningTime{
+ Time: t,
+ }
+}
+
+// TimeFormat provides a time formatted in the X-Amz-Date format.
+func (m *SigningTime) TimeFormat() string {
+ return m.format(&m.timeFormat, TimeFormat)
+}
+
+// ShortTimeFormat provides a time formatted of 20060102.
+func (m *SigningTime) ShortTimeFormat() string {
+ return m.format(&m.shortTimeFormat, ShortTimeFormat)
+}
+
+func (m *SigningTime) format(target *string, format string) string {
+ if len(*target) > 0 {
+ return *target
+ }
+ v := m.Time.Format(format)
+ *target = v
+ return v
+}
diff --git a/service/s3/internal/v4a/internal/v4/util.go b/service/s3/internal/v4a/internal/v4/util.go
new file mode 100644
index 00000000000..741019b5f9d
--- /dev/null
+++ b/service/s3/internal/v4a/internal/v4/util.go
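Review bot: `NewSigningTime` stores `t` as given, and the `TimeFormat` layout (`20060102T150405Z`) ends in a literal `Z`, so a `time.Time` in a non-UTC location would be formatted with its local clock fields and still be labelled as UTC. Whether every caller converts first is not visible in this hunk; normalising in the constructor removes that dependency: `Time: t.UTC(),`. The cached strings are written through pointer receivers with no synchronisation, which is worth stating on the type, e.g. `// A SigningTime must not be shared between goroutines.`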
@@ -0,0 +1,64 @@ +package v4 + +import ( + "net/url" + "strings" +) + +const doubleSpace = " " + +// StripExcessSpaces will rewrite the passed in slice's string values to not +// contain muliple side-by-side spaces. +func StripExcessSpaces(str string) string { + var j, k, l, m, spaces int + // Trim trailing spaces + for j = len(str) - 1; j >= 0 && str[j] == ' '; j-- { + } + + // Trim leading spaces + for k = 0; k < j && str[k] == ' '; k++ { + } + str = str[k : j+1] + + // Strip multiple spaces. + j = strings.Index(str, doubleSpace) + if j < 0 { + return str + } + + buf := []byte(str) + for k, m, l = j, j, len(buf); k < l; k++ { + if buf[k] == ' ' { + if spaces == 0 { + // First space. + buf[m] = buf[k] + m++ + } + spaces++ + } else { + // End of multiple spaces. + spaces = 0 + buf[m] = buf[k] + m++ + } + } + + return string(buf[:m]) +} + +// GetURIPath returns the escaped URI component from the provided URL +func GetURIPath(u *url.URL) string { + var uri string + + if len(u.Opaque) > 0 { + uri = "/" + strings.Join(strings.Split(u.Opaque, "/")[3:], "/") + } else { + uri = u.EscapedPath() + } + + if len(uri) == 0 { + uri = "/" + } + + return uri +} diff --git a/service/s3/internal/v4a/internal/v4/util_test.go b/service/s3/internal/v4a/internal/v4/util_test.go new file mode 100644 index 00000000000..c29c1fa8504 --- /dev/null +++ b/service/s3/internal/v4a/internal/v4/util_test.go 
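Review bot: `GetURIPath` evaluates `strings.Split(u.Opaque, "/")[3:]` without checking the length, so a non-empty `Opaque` with fewer than two `/` separators panics with a slice-bounds error instead of yielding a path. Guard the slice and let the existing empty-`uri` fallback produce `/`: `if parts := strings.Split(u.Opaque, "/"); len(parts) > 3 { uri = "/" + strings.Join(parts[3:], "/") }`. The doc comment should also say which `Opaque` shape is expected (the code implies `//host/path`). The comment on `StripExcessSpaces` speaks of a slice although the function takes and returns a single string.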
@@ -0,0 +1,75 @@ +package v4 + +import ( + "testing" +) + +func TestStripExcessHeaders(t *testing.T) { + vals := []string{ + "", + "123", + "1 2 3", + "1 2 3 ", + " 1 2 3", + "1 2 3", + "1 23", + "1 2 3", + "1 2 ", + " 1 2 ", + "12 3", + "12 3 1", + "12 3 1", + "12 3 1abc123", + } + + expected := []string{ + "", + "123", + "1 2 3", + "1 2 3", + "1 2 3", + "1 2 3", + "1 23", + "1 2 3", + "1 2", + "1 2", + "12 3", + "12 3 1", + "12 3 1", + "12 3 1abc123", + } + + for i := 0; i < len(vals); i++ { + r := StripExcessSpaces(vals[i]) + if e, a := expected[i], r; e != a { + t.Errorf("%d, expect %v, got %v", i, e, a) + } + } +} + +var stripExcessSpaceCases = []string{ + `AWS4-HMAC-SHA256 Credential=AKIDFAKEIDFAKEID/20160628/us-west-2/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=1234567890abcdef1234567890abcdef1234567890abcdef`, + `123 321 123 321`, + ` 123 321 123 321 `, + ` 123 321 123 321 `, + "123", + "1 2 3", + " 1 2 3", + "1 2 3", + "1 23", + "1 2 3", + "1 2 ", + " 1 2 ", + "12 3", + "12 3 1", + "12 3 1", + "12 3 1abc123", +} + +func BenchmarkStripExcessSpaces(b *testing.B) { + for i := 0; i < b.N; i++ { + for _, v := range stripExcessSpaceCases { + StripExcessSpaces(v) + } + } +} diff --git a/service/s3/internal/v4a/middleware.go b/service/s3/internal/v4a/middleware.go new file mode 100644 index 00000000000..c885cabe0fe --- /dev/null +++ b/service/s3/internal/v4a/middleware.go 
@@ -0,0 +1,105 @@ +package v4a + +import ( + "context" + "fmt" + "net/http" + "time" + + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" +) + +// HTTPSigner is SigV4a HTTP signer implementation +type HTTPSigner interface { + SignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optfns ...func(*SignerOptions)) error +} + +// SignHTTPRequestMiddlewareOptions is the middleware options for constructing a SignHTTPRequestMiddleware. +type SignHTTPRequestMiddlewareOptions struct { + Credentials CredentialsProvider + Signer HTTPSigner + LogSigning bool +} + +// SignHTTPRequestMiddleware is a middleware for signing an HTTP request using SigV4a. +type SignHTTPRequestMiddleware struct { + credentials CredentialsProvider + signer HTTPSigner + logSigning bool +} + +// NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given SignHTTPRequestMiddlewareOptions. +func NewSignHTTPRequestMiddleware(options SignHTTPRequestMiddlewareOptions) *SignHTTPRequestMiddleware { + return &SignHTTPRequestMiddleware{ + credentials: options.Credentials, + signer: options.Signer, + logSigning: options.LogSigning, + } +} + +// ID the middleware identifier. +func (s *SignHTTPRequestMiddleware) ID() string { + return "Signing" +} + +// HandleFinalize signs an HTTP request using SigV4a. 
+func (s *SignHTTPRequestMiddleware) HandleFinalize(
+ ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+ out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+ if !hasCredentialProvider(s.credentials) {
+ return next.HandleFinalize(ctx, in)
+ }
+
+ req, ok := in.Request.(*smithyhttp.Request)
+ if !ok {
+ return out, metadata, fmt.Errorf("unexpected request middleware type %T", in.Request)
+ }
+
+ signingName, signingRegion := awsmiddleware.GetSigningName(ctx), awsmiddleware.GetSigningRegion(ctx)
+ payloadHash := v4.GetPayloadHash(ctx)
+ if len(payloadHash) == 0 {
+ return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
+ }
+
+ credentials, err := s.credentials.RetrievePrivateKey(ctx)
+ if err != nil {
+ return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
+ }
+
+ err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, []string{signingRegion}, time.Now().UTC(), func(o *SignerOptions) {
+ o.Logger = middleware.GetLogger(ctx)
+ o.LogSigning = s.logSigning
+ })
+ if err != nil {
+ return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
+ }
+
+ return next.HandleFinalize(ctx, in)
+}
+
+func hasCredentialProvider(p CredentialsProvider) bool {
+ if p == nil {
+ return false
+ }
+
+ return true
+}
+
+// RegisterSigningMiddleware registers the SigV4a signing middleware to the stack. If a signing middleware is already
+// present, this provided middleware will be swapped. Otherwise the middleware will be added at the tail of the
+// finalize step.
+func RegisterSigningMiddleware(stack *middleware.Stack, signingMiddleware *SignHTTPRequestMiddleware) (err error) {
+ const signingId = "Signing"
+ _, present := stack.Finalize.Get(signingId)
+ if present {
+ _, err = stack.Finalize.Swap(signingId, signingMiddleware)
+ } else {
+ err = stack.Finalize.Add(signingMiddleware, middleware.After)
+ }
+ return err
+}
diff --git a/service/s3/internal/v4a/middleware_test.go b/service/s3/internal/v4a/middleware_test.go
new file mode 100644
index 00000000000..d1ec869f2cb
--- /dev/null
+++ b/service/s3/internal/v4a/middleware_test.go
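Review bot: In `HandleFinalize` the failed type assertion returns a bare `fmt.Errorf("unexpected request middleware type %T", ...)`, while every later failure is wrapped in `&SigningError{...}`, so a caller that classifies signing failures with `errors.As` misses this one. Wrap it the same way: `return out, metadata, &SigningError{Err: fmt.Errorf("unexpected request middleware type %T", in.Request)}`. `NewSignHTTPRequestMiddleware` accepts a nil `options.Signer`, which only surfaces later as a nil-interface panic at `s.signer.SignHTTP`. The branch that forwards the request unsigned when no credentials provider is set should be described in the `HandleFinalize` doc comment. `hasCredentialProvider` reduces to `return p != nil`.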
@@ -0,0 +1,150 @@ +package v4a + +import ( + "bytes" + "context" + "errors" + "fmt" + "net/http" + "strings" + "testing" + "time" + + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/smithy-go/logging" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" + "github.com/google/go-cmp/cmp" +) + +type stubCredentialsProviderFunc func(context.Context) (Credentials, error) + +func (f stubCredentialsProviderFunc) RetrievePrivateKey(ctx context.Context) (Credentials, error) { + return f(ctx) +} + +type httpSignerFunc func(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) error + +func (f httpSignerFunc) SignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) error { + return f(ctx, credentials, r, payloadHash, service, regionSet, signingTime, optFns...) 
+} + +func TestSignHTTPRequestMiddleware(t *testing.T) { + cases := map[string]struct { + creds CredentialsProvider + hash string + logSigning bool + expectedErr error + }{ + "success": { + creds: stubCredentials, + hash: "0123456789abcdef", + }, + "error": { + creds: stubCredentialsProviderFunc(func(ctx context.Context) (Credentials, error) { + return Credentials{}, fmt.Errorf("credential error") + }), + hash: "", + expectedErr: &SigningError{}, + }, + "nil creds": { + creds: nil, + }, + "with log signing": { + creds: stubCredentials, + hash: "0123456789abcdef", + logSigning: true, + }, + } + + const ( + signingName = "serviceId" + signingRegion = "regionName" + ) + + for name, tt := range cases { + t.Run(name, func(t *testing.T) { + c := &SignHTTPRequestMiddleware{ + credentials: tt.creds, + signer: httpSignerFunc( + func(ctx context.Context, + credentials Credentials, r *http.Request, payloadHash string, + service string, regionSet []string, signingTime time.Time, + optFns ...func(*SignerOptions), + ) error { + var options SignerOptions + for _, fn := range optFns { + fn(&options) + } + if options.Logger == nil { + t.Errorf("expect logger, got none") + } + if options.LogSigning { + options.Logger.Logf(logging.Debug, t.Name()) + } + + expectCreds, _ := tt.creds.RetrievePrivateKey(ctx) + if diff := cmp.Diff(expectCreds, credentials); len(diff) > 0 { + t.Error(diff) + } + if e, a := tt.hash, payloadHash; e != a { + t.Errorf("expected %v, got %v", e, a) + } + if e, a := signingName, service; e != a { + t.Errorf("expected %v, got %v", e, a) + } + if diff := cmp.Diff([]string{signingRegion}, regionSet); len(diff) > 0 { + t.Error(diff) + } + return nil + }), + logSigning: tt.logSigning, + } + + next := middleware.FinalizeHandlerFunc(func(ctx context.Context, in middleware.FinalizeInput) (out middleware.FinalizeOutput, metadata middleware.Metadata, err error) { + return out, metadata, err + }) + + ctx := awsmiddleware.SetSigningRegion( + 
awsmiddleware.SetSigningName(context.Background(), signingName), + signingRegion) + + var loggerBuf bytes.Buffer + logger := logging.NewStandardLogger(&loggerBuf) + ctx = middleware.SetLogger(ctx, logger) + + if len(tt.hash) != 0 { + ctx = v4.SetPayloadHash(ctx, tt.hash) + } + + _, _, err := c.HandleFinalize(ctx, middleware.FinalizeInput{ + Request: &smithyhttp.Request{Request: &http.Request{}}, + }, next) + if err != nil && tt.expectedErr == nil { + t.Errorf("expected no error, got %v", err) + } else if err != nil && tt.expectedErr != nil { + e, a := tt.expectedErr, err + if !errors.As(a, &e) { + t.Errorf("expected error type %T, got %T", e, a) + } + } else if err == nil && tt.expectedErr != nil { + t.Errorf("expected error, got nil") + } + + if tt.logSigning { + if e, a := t.Name(), loggerBuf.String(); !strings.Contains(a, e) { + t.Errorf("expect %v logged in %v", e, a) + } + } else { + if loggerBuf.Len() != 0 { + t.Errorf("expect no log, got %v", loggerBuf.String()) + } + } + }) + } +} + +var ( + _ middleware.FinalizeMiddleware = &SignHTTPRequestMiddleware{} +) diff --git a/service/s3/internal/v4a/presign_middleware.go b/service/s3/internal/v4a/presign_middleware.go new file mode 100644 index 00000000000..951fc415d52 --- /dev/null +++ b/service/s3/internal/v4a/presign_middleware.go 
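Review bot: The error assertion `errors.As(a, &e)` in `TestSignHTTPRequestMiddleware` cannot fail: `e` is assigned from `tt.expectedErr`, whose static type is `error`, so the target is `*error` and any non-nil error matches it. Use a concrete target instead, `var se *SigningError` followed by `if !errors.As(err, &se) { t.Errorf(...) }`. The `"error"` case also leaves `hash` empty, so `HandleFinalize` returns at the missing-payload-hash check and the stub's `credential error` is never reached; giving that case a non-empty `hash` would cover the credential-retrieval failure it appears to be aimed at.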
@@ -0,0 +1,117 @@ +package v4a + +import ( + "context" + "fmt" + "net/http" + "time" + + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/aws-sdk-go-v2/internal/sdk" + "github.com/aws/smithy-go/middleware" + smithyHTTP "github.com/aws/smithy-go/transport/http" +) + +// HTTPPresigner is an interface to a SigV4a signer that can sign create a +// presigned URL for a HTTP requests. +type HTTPPresigner interface { + PresignHTTP( + ctx context.Context, credentials Credentials, r *http.Request, + payloadHash string, service string, regionSet []string, signingTime time.Time, + optFns ...func(*SignerOptions), + ) (url string, signedHeader http.Header, err error) +} + +// PresignHTTPRequestMiddlewareOptions is the options for the PresignHTTPRequestMiddleware middleware. +type PresignHTTPRequestMiddlewareOptions struct { + CredentialsProvider CredentialsProvider + Presigner HTTPPresigner + LogSigning bool +} + +// PresignHTTPRequestMiddleware provides the Finalize middleware for creating a +// presigned URL for an HTTP request. +// +// Will short circuit the middleware stack and not forward onto the next +// Finalize handler. +type PresignHTTPRequestMiddleware struct { + credentialsProvider CredentialsProvider + presigner HTTPPresigner + logSigning bool +} + +// NewPresignHTTPRequestMiddleware returns a new PresignHTTPRequestMiddleware +// initialized with the presigner. +func NewPresignHTTPRequestMiddleware(options PresignHTTPRequestMiddlewareOptions) *PresignHTTPRequestMiddleware { + return &PresignHTTPRequestMiddleware{ + credentialsProvider: options.CredentialsProvider, + presigner: options.Presigner, + logSigning: options.LogSigning, + } +} + +// ID provides the middleware ID. 
+func (*PresignHTTPRequestMiddleware) ID() string { return "PresignHTTPRequest" }
+
+// HandleFinalize will take the provided input and create a presigned url for
+// the http request using the SigV4 presign authentication scheme.
+func (s *PresignHTTPRequestMiddleware) HandleFinalize(
+ ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
+) (
+ out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
+) {
+ req, ok := in.Request.(*smithyHTTP.Request)
+ if !ok {
+ return out, metadata, &SigningError{
+ Err: fmt.Errorf("unexpected request middleware type %T", in.Request),
+ }
+ }
+
+ httpReq := req.Build(ctx)
+ if !hasCredentialProvider(s.credentialsProvider) {
+ out.Result = &v4.PresignedHTTPRequest{
+ URL: httpReq.URL.String(),
+ Method: httpReq.Method,
+ SignedHeader: http.Header{},
+ }
+
+ return out, metadata, nil
+ }
+
+ signingName := awsmiddleware.GetSigningName(ctx)
+ signingRegion := awsmiddleware.GetSigningRegion(ctx)
+ payloadHash := v4.GetPayloadHash(ctx)
+ if len(payloadHash) == 0 {
+ return out, metadata, &SigningError{
+ Err: fmt.Errorf("computed payload hash missing from context"),
+ }
+ }
+
+ credentials, err := s.credentialsProvider.RetrievePrivateKey(ctx)
+ if err != nil {
+ return out, metadata, &SigningError{
+ Err: fmt.Errorf("failed to retrieve credentials: %w", err),
+ }
+ }
+
+ u, h, err := s.presigner.PresignHTTP(ctx, credentials,
+ httpReq, payloadHash, signingName, []string{signingRegion}, sdk.NowTime(),
+ func(o *SignerOptions) {
+ o.Logger = middleware.GetLogger(ctx)
+ o.LogSigning = s.logSigning
+ })
+ if err != nil {
+ return out, metadata, &SigningError{
+ Err: fmt.Errorf("failed to sign http request, %w", err),
+ }
+ }
+
+ out.Result = &v4.PresignedHTTPRequest{
+ URL: u,
+ Method: httpReq.Method,
+ SignedHeader: h,
+ }
+
+ return out, metadata, nil
+}
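Review bot: The doc comment on `HandleFinalize` says the URL is created with "the SigV4 presign authentication scheme", but this middleware drives a SigV4a presigner. It also omits the branch where `credentialsProvider` is nil and the built request URL is returned unsigned inside a `v4.PresignedHTTPRequest`. A caller cannot tell that result from a signed one, so the comment should say `SigV4a` and add a line such as `// If no credentials provider is configured, the request URL is returned unsigned.` The signing time passed here is `sdk.NowTime()`, while the signing middleware in middleware.go passes `time.Now().UTC()`; whether `PresignHTTP` normalises to UTC is outside this hunk, so `sdk.NowTime().UTC()` would make the two consistent.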
diff --git a/service/s3/internal/v4a/presign_middleware_test.go b/service/s3/internal/v4a/presign_middleware_test.go
new file mode 100644
index 00000000000..19f0bf8c02c
--- /dev/null
+++ b/service/s3/internal/v4a/presign_middleware_test.go
@@ -0,0 +1,223 @@ +package v4a + +import ( + "bytes" + "context" + "net/http" + "net/url" + "strings" + "testing" + "time" + + awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" + v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" + "github.com/aws/smithy-go/logging" + "github.com/aws/smithy-go/middleware" + smithyhttp "github.com/aws/smithy-go/transport/http" + "github.com/google/go-cmp/cmp" +) + +type httpPresignerFunc func( + ctx context.Context, credentials Credentials, r *http.Request, + payloadHash string, service string, regionSet []string, signingTime time.Time, + optFns ...func(*SignerOptions), +) (url string, signedHeader http.Header, err error) + +func (f httpPresignerFunc) PresignHTTP( + ctx context.Context, credentials Credentials, r *http.Request, + payloadHash string, service string, regionSet []string, signingTime time.Time, + optFns ...func(*SignerOptions), +) ( + url string, signedHeader http.Header, err error, +) { + return f(ctx, credentials, r, payloadHash, service, regionSet, signingTime, optFns...) 
+} + +func TestPresignHTTPRequestMiddleware(t *testing.T) { + cases := map[string]struct { + Request *http.Request + Creds CredentialsProvider + PayloadHash string + LogSigning bool + ExpectResult *v4.PresignedHTTPRequest + ExpectErr string + }{ + "success": { + Request: &http.Request{ + URL: func() *url.URL { + u, _ := url.Parse("https://example.aws/path?query=foo") + return u + }(), + Header: http.Header{}, + }, + Creds: stubCredentials, + PayloadHash: "0123456789abcdef", + ExpectResult: &v4.PresignedHTTPRequest{ + URL: "https://example.aws/path?query=foo", + SignedHeader: http.Header{}, + }, + }, + "error": { + Request: func() *http.Request { + return &http.Request{} + }(), + Creds: stubCredentials, + PayloadHash: "", + ExpectErr: "failed to sign request", + }, + "anonymous creds": { + Request: &http.Request{ + URL: func() *url.URL { + u, _ := url.Parse("https://example.aws/path?query=foo") + return u + }(), + Header: http.Header{}, + }, + Creds: stubCredentials, + PayloadHash: "", + ExpectErr: "failed to sign request", + ExpectResult: &v4.PresignedHTTPRequest{ + URL: "https://example.aws/path?query=foo", + SignedHeader: http.Header{}, + }, + }, + "nil creds": { + Request: &http.Request{ + URL: func() *url.URL { + u, _ := url.Parse("https://example.aws/path?query=foo") + return u + }(), + Header: http.Header{}, + }, + Creds: nil, + ExpectResult: &v4.PresignedHTTPRequest{ + URL: "https://example.aws/path?query=foo", + SignedHeader: http.Header{}, + }, + }, + "with log signing": { + Request: &http.Request{ + URL: func() *url.URL { + u, _ := url.Parse("https://example.aws/path?query=foo") + return u + }(), + Header: http.Header{}, + }, + Creds: stubCredentials, + PayloadHash: "0123456789abcdef", + ExpectResult: &v4.PresignedHTTPRequest{ + URL: "https://example.aws/path?query=foo", + SignedHeader: http.Header{}, + }, + + LogSigning: true, + }, + } + + const ( + signingName = "serviceId" + signingRegion = "regionName" + ) + + for name, tt := range cases { + 
t.Run(name, func(t *testing.T) { + m := &PresignHTTPRequestMiddleware{ + credentialsProvider: tt.Creds, + + presigner: httpPresignerFunc(func( + ctx context.Context, credentials Credentials, r *http.Request, + payloadHash string, service string, regionSet []string, signingTime time.Time, + optFns ...func(*SignerOptions), + ) (url string, signedHeader http.Header, err error) { + var options SignerOptions + for _, fn := range optFns { + fn(&options) + } + if options.Logger == nil { + t.Errorf("expect logger, got none") + } + if options.LogSigning { + options.Logger.Logf(logging.Debug, t.Name()) + } + + if !hasCredentialProvider(tt.Creds) { + t.Errorf("expect presigner not to be called for not credentials provider") + } + + expectCreds, _ := tt.Creds.RetrievePrivateKey(context.Background()) + if diff := cmp.Diff(expectCreds, credentials); len(diff) > 0 { + t.Error(diff) + } + if e, a := tt.PayloadHash, payloadHash; e != a { + t.Errorf("expected %v, got %v", e, a) + } + if e, a := signingName, service; e != a { + t.Errorf("expected %v, got %v", e, a) + } + if diff := cmp.Diff([]string{signingRegion}, regionSet); len(diff) > 0 { + t.Error(diff) + } + + return tt.ExpectResult.URL, tt.ExpectResult.SignedHeader, nil + }), + logSigning: tt.LogSigning, + } + + next := middleware.FinalizeHandlerFunc( + func(ctx context.Context, in middleware.FinalizeInput) ( + out middleware.FinalizeOutput, metadata middleware.Metadata, err error, + ) { + t.Errorf("expect next handler not to be called") + return out, metadata, err + }) + + ctx := awsmiddleware.SetSigningRegion( + awsmiddleware.SetSigningName(context.Background(), signingName), + signingRegion) + + var loggerBuf bytes.Buffer + logger := logging.NewStandardLogger(&loggerBuf) + ctx = middleware.SetLogger(ctx, logger) + + if len(tt.PayloadHash) != 0 { + ctx = v4.SetPayloadHash(ctx, tt.PayloadHash) + } + + result, _, err := m.HandleFinalize(ctx, middleware.FinalizeInput{ + Request: &smithyhttp.Request{ + Request: tt.Request, + }, 
+ }, next) + if len(tt.ExpectErr) != 0 { + if err == nil { + t.Fatalf("expect error, got none") + } + if e, a := tt.ExpectErr, err.Error(); !strings.Contains(a, e) { + t.Fatalf("expect error to contain %v, got %v", e, a) + } + return + } + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + + if diff := cmp.Diff(tt.ExpectResult, result.Result); len(diff) != 0 { + t.Errorf("expect result match\n%v", diff) + } + + if tt.LogSigning { + if e, a := t.Name(), loggerBuf.String(); !strings.Contains(a, e) { + t.Errorf("expect %v logged in %v", e, a) + } + } else { + if loggerBuf.Len() != 0 { + t.Errorf("expect no log, got %v", loggerBuf.String()) + } + } + }) + } +} + +var ( + _ middleware.FinalizeMiddleware = &PresignHTTPRequestMiddleware{} +) diff --git a/service/s3/internal/v4a/shared_test.go b/service/s3/internal/v4a/shared_test.go new file mode 100644 index 00000000000..4f36aca8684 --- /dev/null +++ b/service/s3/internal/v4a/shared_test.go @@ -0,0 +1,18 @@ +package v4a + +import ( + "bytes" + "context" + "crypto/ecdsa" +) + +var stubCredentials = stubCredentialsProviderFunc(func(ctx context.Context) (Credentials, error) { + stubKey, err := ecdsa.GenerateKey(p256, bytes.NewReader(make([]byte, 40))) + if err != nil { + return Credentials{}, err + } + return Credentials{ + Context: "STUB", + PrivateKey: stubKey, + }, nil +}) diff --git a/service/s3/internal/v4a/v4a.go b/service/s3/internal/v4a/v4a.go new file mode 100644 index 00000000000..005d8768d03 --- /dev/null +++ b/service/s3/internal/v4a/v4a.go 
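Review bot: The `"anonymous creds"` case in `TestPresignHTTPRequestMiddleware` sets `Creds: stubCredentials` with an empty `PayloadHash` and an `ExpectErr`, which puts it on the same path as the `"error"` case, so no case exercises an anonymous provider. Its `ExpectResult` is never compared, because the `ExpectErr` branch returns before the `cmp.Diff` on the result. Either give the case a provider that actually represents anonymous credentials and drop `ExpectErr`, or remove it. The message `expect presigner not to be called for not credentials provider` in the stub would read better as `expect presigner not to be called without a credentials provider`.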
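Review bot: `stubCredentials` feeds `ecdsa.GenerateKey` forty zero bytes from `bytes.NewReader` to obtain a repeatable key, which ties these tests to how the standard library consumes its random source; that is not a documented guarantee and may differ between Go releases. Generating the key once into a package-level variable and returning it from the stub keeps the credential comparisons stable without that dependency, e.g. `var stubKey, stubKeyErr = ecdsa.GenerateKey(p256, rand.Reader)`. A short comment stating that the key is for tests only would also help readers of this file.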
@@ -0,0 +1,514 @@
+// TODO(GOSDK-1220): This signer has removed the conceptual knowledge of UNSIGNED-PAYLOAD and X-Amz-Content-Sha256
+
+package v4a
+
+import (
+ "bytes"
+ "context"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/sha256"
+ "encoding/hex"
+ "fmt"
+ "hash"
+ "math/big"
+ "net/http"
+ "net/textproto"
+ "net/url"
+ "sort"
+ "strconv"
+ "strings"
+ "time"
+
+ signerCrypto "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/crypto"
+ v4Internal "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/v4"
+ "github.com/aws/smithy-go/encoding/httpbinding"
+ "github.com/aws/smithy-go/logging"
+)
+
+const (
+ // AmzRegionSetKey represents the region set header used for sigv4a
+ AmzRegionSetKey = "X-Amz-Region-Set"
+ amzAlgorithmKey = v4Internal.AmzAlgorithmKey
+ amzSecurityTokenKey = v4Internal.AmzSecurityTokenKey
+ amzDateKey = v4Internal.AmzDateKey
+ amzCredentialKey = v4Internal.AmzCredentialKey
+ amzSignedHeadersKey = v4Internal.AmzSignedHeadersKey
+ authorizationHeader = "Authorization"
+
+ signingAlgorithm = "AWS4-ECDSA-P256-SHA256"
+
+ timeFormat = "20060102T150405Z"
+ shortTimeFormat = "20060102"
+
+ // EmptyStringSHA256 is a hex encoded SHA-256 hash of an empty string
+ EmptyStringSHA256 = v4Internal.EmptyStringSHA256
+
+ // Version of signing v4a
+ Version = "SigV4A"
+)
+
+var (
+ p256 elliptic.Curve
+ nMinusTwoP256 *big.Int
+
+ one = new(big.Int).SetInt64(1)
+)
+
+func init() {
+ // Ensure the elliptic curve parameters are initialized on package import rather then on first usage
+ p256 = elliptic.P256()
+
+ nMinusTwoP256 = new(big.Int).SetBytes(p256.Params().N.Bytes())
+ nMinusTwoP256 = nMinusTwoP256.Sub(nMinusTwoP256, new(big.Int).SetInt64(2))
+}
+
+// SignerOptions is the SigV4a signing options for constructing a Signer.
+type SignerOptions struct {
+ Logger logging.Logger
+ LogSigning bool
+
+ // Disables the Signer's moving HTTP header key/value pairs from the HTTP
+ // request header to the request's query string. This is most commonly used
+ // with pre-signed requests preventing headers from being added to the
+ // request's query string.
+ DisableHeaderHoisting bool
+
+ // Disables the automatic escaping of the URI path of the request for the
+ // siganture's canonical string's path. For services that do not need additional
+ // escaping then use this to disable the signer escaping the path.
+ //
+ // S3 is an example of a service that does not need additional escaping.
+ //
+ // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+ DisableURIPathEscaping bool
+}
+
+// Signer is a SigV4a HTTP signing implementation
+type Signer struct {
+ options SignerOptions
+}
+
+// NewSigner constructs a SigV4a Signer.
+func NewSigner(optFns ...func(*SignerOptions)) *Signer {
+ options := SignerOptions{}
+
+ for _, fn := range optFns {
+ fn(&options)
+ }
+
+ return &Signer{options: options}
+}
+
+// deriveKeyFromAccessKeyPair derives a NIST P-256 PrivateKey from the given
+// IAM AccessKey and SecretKey pair.
+//
+// Based on FIPS.186-4 Appendix B.4.2
+func deriveKeyFromAccessKeyPair(accessKey, secretKey string) (*ecdsa.PrivateKey, error) {
+ params := p256.Params()
+ bitLen := params.BitSize // Testing random candidates does not require an additional 64 bits
+ counter := 0x01
+
+ buffer := make([]byte, 1+len(accessKey)) // 1 byte counter + len(accessKey)
+ kdfContext := bytes.NewBuffer(buffer)
+
+ inputKey := append([]byte("AWS4A"), []byte(secretKey)...)
+
+ d := new(big.Int)
+ for {
+ kdfContext.Reset()
+ kdfContext.WriteString(accessKey)
+ kdfContext.WriteByte(byte(counter))
+
+ key, err := signerCrypto.HMACKeyDerivation(sha256.New, bitLen, inputKey, []byte(signingAlgorithm), kdfContext.Bytes())
+ if err != nil {
+ return nil, err
+ }
+
+ // Check key first before calling SetBytes if key key is in fact a valid candidate.
+ // This ensures the byte slice is the correct length (32-bytes) to compare in constant-time
+ cmp, err := signerCrypto.ConstantTimeByteCompare(key, nMinusTwoP256.Bytes())
+ if err != nil {
+ return nil, err
+ }
+ if cmp == -1 {
+ d.SetBytes(key)
+ break
+ }
+
+ counter++
+ if counter > 0xFF {
+ return nil, fmt.Errorf("exhausted single byte external counter")
+ }
+ }
+ d = d.Add(d, one)
+
+ priv := new(ecdsa.PrivateKey)
+ priv.PublicKey.Curve = p256
+ priv.D = d
+ priv.PublicKey.X, priv.PublicKey.Y = p256.ScalarBaseMult(d.Bytes())
+
+ return priv, nil
+}
+
+type httpSigner struct {
+ Request *http.Request
+ ServiceName string
+ RegionSet []string
+ Time time.Time
+ Credentials Credentials
+ IsPreSign bool
+
+ Logger logging.Logger
+ Debug bool
+
+ // PayloadHash is the hex encoded SHA-256 hash of the request payload
+ // If len(PayloadHash) == 0 the signer will attempt to send the request
+ // as an unsigned payload. Note: Unsigned payloads only work for a subset of services.
+ PayloadHash string
+
+ DisableHeaderHoisting bool
+ DisableURIPathEscaping bool
+}
+
+// SignHTTP takes the provided http.Request, payload hash, service, regionSet, and time and signs using SigV4a.
+// The passed in request will be modified in place.
+func (s *Signer) SignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) error {
+ options := s.options
+ for _, fn := range optFns {
+ fn(&options)
+ }
+
+ signer := &httpSigner{
+ Request: r,
+ PayloadHash: payloadHash,
+ ServiceName: service,
+ RegionSet: regionSet,
+ Credentials: credentials,
+ Time: signingTime.UTC(),
+ DisableHeaderHoisting: options.DisableHeaderHoisting,
+ DisableURIPathEscaping: options.DisableURIPathEscaping,
+ }
+
+ signedRequest, err := signer.Build()
+ if err != nil {
+ return err
+ }
+
+ logHTTPSigningInfo(ctx, options, signedRequest)
+
+ return nil
+}
+
+// PresignHTTP takes the provided http.Request, payload hash, service, regionSet, and time and presigns using SigV4a
+// Returns the presigned URL along with the headers that were signed with the request.
+//
+// PresignHTTP will not set the expires time of the presigned request
+// automatically. To specify the expire duration for a request add the
+// "X-Amz-Expires" query parameter on the request with the value as the
+// duration in seconds the presigned URL should be considered valid for. This
+// parameter is not used by all AWS services, and is most notable used by
+// Amazon S3 APIs.
+func (s *Signer) PresignHTTP(ctx context.Context, credentials Credentials, r *http.Request, payloadHash string, service string, regionSet []string, signingTime time.Time, optFns ...func(*SignerOptions)) (signedURI string, signedHeaders http.Header, err error) {
+ options := s.options
+ for _, fn := range optFns {
+ fn(&options)
+ }
+
+ signer := &httpSigner{
+ Request: r,
+ PayloadHash: payloadHash,
+ ServiceName: service,
+ RegionSet: regionSet,
+ Credentials: credentials,
+ Time: signingTime.UTC(),
+ IsPreSign: true,
+ DisableHeaderHoisting: options.DisableHeaderHoisting,
+ DisableURIPathEscaping: options.DisableURIPathEscaping,
+ }
+
+ signedRequest, err := signer.Build()
+ if err != nil {
+ return "", nil, err
+ }
+
+ logHTTPSigningInfo(ctx, options, signedRequest)
+
+ signedHeaders = make(http.Header)
+
+ // For the signed headers we canonicalize the header keys in the returned map.
+ // This avoids situations where can standard library double headers like host header. For example the standard
+ // library will set the Host header, even if it is present in lower-case form.
+ for k, v := range signedRequest.SignedHeaders {
+ key := textproto.CanonicalMIMEHeaderKey(k)
+ signedHeaders[key] = append(signedHeaders[key], v...)
+ }
+
+ return signedRequest.Request.URL.String(), signedHeaders, nil
+}
+
+func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Values) {
+ amzDate := s.Time.Format(timeFormat)
+
+ if s.IsPreSign {
+ query.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
+ query.Set(amzDateKey, amzDate)
+ query.Set(amzAlgorithmKey, signingAlgorithm)
+ if len(s.Credentials.SessionToken) > 0 {
+ query.Set(amzSecurityTokenKey, s.Credentials.SessionToken)
+ }
+ return
+ }
+
+ headers.Set(AmzRegionSetKey, strings.Join(s.RegionSet, ","))
+ headers.Set(amzDateKey, amzDate)
+ if len(s.Credentials.SessionToken) > 0 {
+ headers.Set(amzSecurityTokenKey, s.Credentials.SessionToken)
+ }
+}
+
+func (s *httpSigner) Build() (signedRequest, error) {
+ req := s.Request
+
+ query := req.URL.Query()
+ headers := req.Header
+
+ s.setRequiredSigningFields(headers, query)
+
+ // Sort Each Query Key's Values
+ for key := range query {
+ sort.Strings(query[key])
+ }
+
+ v4Internal.SanitizeHostForHeader(req)
+
+ credentialScope := s.buildCredentialScope()
+ credentialStr := s.Credentials.Context + "/" + credentialScope
+ if s.IsPreSign {
+ query.Set(amzCredentialKey, credentialStr)
+ }
+
+ unsignedHeaders := headers
+ if s.IsPreSign && !s.DisableHeaderHoisting {
+ urlValues := url.Values{}
+ urlValues, unsignedHeaders = buildQuery(v4Internal.AllowedQueryHoisting, unsignedHeaders)
+ for k := range urlValues {
+ query[k] = urlValues[k]
+ }
+ }
+
+ host := req.URL.Host
+ if len(req.Host) > 0 {
+ host = req.Host
+ }
+
+ signedHeaders, signedHeadersStr, canonicalHeaderStr := s.buildCanonicalHeaders(host, v4Internal.IgnoredHeaders, unsignedHeaders, s.Request.ContentLength)
+
+ if s.IsPreSign {
+ query.Set(amzSignedHeadersKey, signedHeadersStr)
+ }
+
+ rawQuery := strings.Replace(query.Encode(), "+", "%20", -1)
+
+ canonicalURI := v4Internal.GetURIPath(req.URL)
+ if !s.DisableURIPathEscaping {
+ canonicalURI = httpbinding.EscapePath(canonicalURI, false)
+ }
+
+ canonicalString :=
s.buildCanonicalString(
+ req.Method,
+ canonicalURI,
+ rawQuery,
+ signedHeadersStr,
+ canonicalHeaderStr,
+ )
+
+ strToSign := s.buildStringToSign(credentialScope, canonicalString)
+ signingSignature, err := s.buildSignature(strToSign)
+ if err != nil {
+ return signedRequest{}, err
+ }
+
+ if s.IsPreSign {
+ rawQuery += "&X-Amz-Signature=" + signingSignature
+ } else {
+ headers[authorizationHeader] = append(headers[authorizationHeader][:0], buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature))
+ }
+
+ req.URL.RawQuery = rawQuery
+
+ return signedRequest{
+ Request: req,
+ SignedHeaders: signedHeaders,
+ CanonicalString: canonicalString,
+ StringToSign: strToSign,
+ PreSigned: s.IsPreSign,
+ }, nil
+}
+
+func buildAuthorizationHeader(credentialStr, signedHeadersStr, signingSignature string) string {
+ const credential = "Credential="
+ const signedHeaders = "SignedHeaders="
+ const signature = "Signature="
+ const commaSpace = ", "
+
+ var parts strings.Builder
+ parts.Grow(len(signingAlgorithm) + 1 +
+ len(credential) + len(credentialStr) + len(commaSpace) +
+ len(signedHeaders) + len(signedHeadersStr) + len(commaSpace) +
+ len(signature) + len(signingSignature),
+ )
+ parts.WriteString(signingAlgorithm)
+ parts.WriteRune(' ')
+ parts.WriteString(credential)
+ parts.WriteString(credentialStr)
+ parts.WriteString(commaSpace)
+ parts.WriteString(signedHeaders)
+ parts.WriteString(signedHeadersStr)
+ parts.WriteString(commaSpace)
+ parts.WriteString(signature)
+ parts.WriteString(signingSignature)
+ return parts.String()
+}
+
+func (s *httpSigner) buildCredentialScope() string {
+ return strings.Join([]string{
+ s.Time.Format(shortTimeFormat),
+ s.ServiceName,
+ "aws4_request",
+ }, "/")
+
+}
+
+func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header) {
+ query := url.Values{}
+ unsignedHeaders := http.Header{}
+ for k, h := range header {
+ if r.IsValid(k) {
+ query[k] = h
+ } else {
+ unsignedHeaders[k] = h
+ }
+ }
+
+ return query, unsignedHeaders
+}
+
+func (s *httpSigner) buildCanonicalHeaders(host string, rule v4Internal.Rule, header http.Header, length int64) (signed http.Header, signedHeaders, canonicalHeadersStr string) {
+ signed = make(http.Header)
+
+ var headers []string
+ const hostHeader = "host"
+ headers = append(headers, hostHeader)
+ signed[hostHeader] = append(signed[hostHeader], host)
+
+ if length > 0 {
+ const contentLengthHeader = "content-length"
+ headers = append(headers, contentLengthHeader)
+ signed[contentLengthHeader] = append(signed[contentLengthHeader], strconv.FormatInt(length, 10))
+ }
+
+ for k, v := range header {
+ if !rule.IsValid(k) {
+ continue // ignored header
+ }
+
+ lowerCaseKey := strings.ToLower(k)
+ if _, ok := signed[lowerCaseKey]; ok {
+ // include additional values
+ signed[lowerCaseKey] = append(signed[lowerCaseKey], v...)
+ continue
+ }
+
+ headers = append(headers, lowerCaseKey)
+ signed[lowerCaseKey] = v
+ }
+ sort.Strings(headers)
+
+ signedHeaders = strings.Join(headers, ";")
+
+ var canonicalHeaders strings.Builder
+ n := len(headers)
+ const colon = ':'
+ for i := 0; i < n; i++ {
+ if headers[i] == hostHeader {
+ canonicalHeaders.WriteString(hostHeader)
+ canonicalHeaders.WriteRune(colon)
+ canonicalHeaders.WriteString(v4Internal.StripExcessSpaces(host))
+ } else {
+ canonicalHeaders.WriteString(headers[i])
+ canonicalHeaders.WriteRune(colon)
+ canonicalHeaders.WriteString(strings.Join(signed[headers[i]], ","))
+ }
+ canonicalHeaders.WriteRune('\n')
+ }
+ canonicalHeadersStr = canonicalHeaders.String()
+
+ return signed, signedHeaders, canonicalHeadersStr
+}
+
+func (s *httpSigner) buildCanonicalString(method, uri, query, signedHeaders, canonicalHeaders string) string {
+ return strings.Join([]string{
+ method,
+ uri,
+ query,
+ canonicalHeaders,
+ signedHeaders,
+ s.PayloadHash,
+ }, "\n")
+}
+
+func (s *httpSigner) buildStringToSign(credentialScope, canonicalRequestString string) string {
+ return
strings.Join([]string{
+ signingAlgorithm,
+ s.Time.Format(timeFormat),
+ credentialScope,
+ hex.EncodeToString(makeHash(sha256.New(), []byte(canonicalRequestString))),
+ }, "\n")
+}
+
+func makeHash(hash hash.Hash, b []byte) []byte {
+ hash.Reset()
+ hash.Write(b)
+ return hash.Sum(nil)
+}
+
+func (s *httpSigner) buildSignature(strToSign string) (string, error) {
+ sig, err := s.Credentials.PrivateKey.Sign(rand.Reader, makeHash(sha256.New(), []byte(strToSign)), crypto.SHA256)
+ if err != nil {
+ return "", err
+ }
+ return hex.EncodeToString(sig), nil
+}
+
+const logSignInfoMsg = `Request Signature:
+---[ CANONICAL STRING ]-----------------------------
+%s
+---[ STRING TO SIGN ]--------------------------------
+%s%s
+-----------------------------------------------------`
+const logSignedURLMsg = `
+---[ SIGNED URL ]------------------------------------
+%s`
+
+func logHTTPSigningInfo(ctx context.Context, options SignerOptions, r signedRequest) {
+ if !options.LogSigning {
+ return
+ }
+ signedURLMsg := ""
+ if r.PreSigned {
+ signedURLMsg = fmt.Sprintf(logSignedURLMsg, r.Request.URL.String())
+ }
+ logger := logging.WithContext(ctx, options.Logger)
+ logger.Logf(logging.Debug, logSignInfoMsg, r.CanonicalString, r.StringToSign, signedURLMsg)
+}
+
+type signedRequest struct {
+ Request *http.Request
+ SignedHeaders http.Header
+ CanonicalString string
+ StringToSign string
+ PreSigned bool
+}
diff --git a/service/s3/internal/v4a/v4a_test.go b/service/s3/internal/v4a/v4a_test.go
new file mode 100644
index 00000000000..1293f400514
--- /dev/null
+++ b/service/s3/internal/v4a/v4a_test.go
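Review bot: `buildSignature` in v4a.go calls `s.Credentials.PrivateKey.Sign(...)` without checking the key, so `SignHTTP` or `PresignHTTP` given a zero-value `Credentials` would panic on a nil key instead of returning an error (the `Credentials` type is declared outside this hunk; the test stub fills `PrivateKey` from `ecdsa.GenerateKey`, so it appears to be a pointer). A guard at the top of `Build` keeps that on the error path: `if s.Credentials.PrivateKey == nil { return signedRequest{}, fmt.Errorf("v4a: credentials have no private key") }`. The `PayloadHash` comment on `httpSigner` still promises unsigned-payload handling for an empty hash, but `buildCanonicalString` writes `s.PayloadHash` as given, so an empty value is signed as a blank hash line; the comment should say the caller must supply the hash, in line with the TODO that opens the file. `logHTTPSigningInfo` prints the full presigned URL, so `SignerOptions.LogSigning` deserves a field comment such as `// LogSigning writes the canonical request and, for presigned requests, the signed URL (signature and any session token included) to Logger.`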
@@ -0,0 +1,353 @@ +package v4a + +import ( + "context" + "encoding/hex" + "fmt" + "math/big" + "net/http" + "net/url" + "strconv" + "strings" + "testing" + "time" + + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/s3/internal/v4a/internal/crypto" + "github.com/aws/smithy-go/logging" +) + +const ( + accessKey = "AKISORANDOMAASORANDOM" + secretKey = "q+jcrXGc+0zWN6uzclKVhvMmUsIfRPa4rlRandom" +) + +func TestDeriveECDSAKeyPairFromSecret(t *testing.T) { + privateKey, err := deriveKeyFromAccessKeyPair(accessKey, secretKey) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + expectedX := func() *big.Int { + t.Helper() + b, ok := new(big.Int).SetString("15D242CEEBF8D8169FD6A8B5A746C41140414C3B07579038DA06AF89190FFFCB", 16) + if !ok { + t.Fatalf("failed to parse big integer") + } + return b + }() + expectedY := func() *big.Int { + t.Helper() + b, ok := new(big.Int).SetString("515242CEDD82E94799482E4C0514B505AFCCF2C0C98D6A553BF539F424C5EC0", 16) + if !ok { + t.Fatalf("failed to parse big integer") + } + return b + }() + + if privateKey.X.Cmp(expectedX) != 0 { + t.Errorf("expected % X, got % X", expectedX, privateKey.X) + } + if privateKey.Y.Cmp(expectedY) != 0 { + t.Errorf("expected % X, got % X", expectedY, privateKey.Y) + } +} + +func TestSignHTTP(t *testing.T) { + req := buildRequest("dynamodb", "us-east-1") + + signer, credProvider := buildSigner(t, true) + + key, err := credProvider.RetrievePrivateKey(context.Background()) + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + + err = signer.SignHTTP(context.Background(), key, req, EmptyStringSHA256, "dynamodb", []string{"us-east-1"}, time.Unix(0, 0)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + expectedDate := "19700101T000000Z" + expectedAlg := "AWS4-ECDSA-P256-SHA256" + expectedCredential := "AKISORANDOMAASORANDOM/19700101/dynamodb/aws4_request" + expectedSignedHeaders := 
"content-length;content-type;host;x-amz-date;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore;x-amz-region-set;x-amz-security-token;x-amz-target" + expectedStrToSignHash := "4ba7d0482cf4d5450cefdc067a00de1a4a715e444856fa3e1d85c35fb34d9730" + + q := req.Header + + validateAuthorization(t, q.Get("Authorization"), expectedAlg, expectedCredential, expectedSignedHeaders, expectedStrToSignHash) + + if e, a := expectedDate, q.Get("X-Amz-Date"); e != a { + t.Errorf("expect %v, got %v", e, a) + } +} + +func TestSignHTTP_NoSessionToken(t *testing.T) { + req := buildRequest("dynamodb", "us-east-1") + + signer, credProvider := buildSigner(t, false) + + key, err := credProvider.RetrievePrivateKey(context.Background()) + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + + err = signer.SignHTTP(context.Background(), key, req, EmptyStringSHA256, "dynamodb", []string{"us-east-1"}, time.Unix(0, 0)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + expectedAlg := "AWS4-ECDSA-P256-SHA256" + expectedCredential := "AKISORANDOMAASORANDOM/19700101/dynamodb/aws4_request" + expectedSignedHeaders := "content-length;content-type;host;x-amz-date;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore;x-amz-region-set;x-amz-target" + expectedStrToSignHash := "1aeefb422ae6aa0de7aec829da813e55cff35553cac212dffd5f9474c71e47ee" + + q := req.Header + + validateAuthorization(t, q.Get("Authorization"), expectedAlg, expectedCredential, expectedSignedHeaders, expectedStrToSignHash) +} + +func TestPresignHTTP(t *testing.T) { + req := buildRequest("dynamodb", "us-east-1") + + signer, credProvider := buildSigner(t, false) + + key, err := credProvider.RetrievePrivateKey(context.Background()) + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + + query := req.URL.Query() + query.Set("X-Amz-Expires", "18000") + req.URL.RawQuery = query.Encode() + + signedUrl, _, err := signer.PresignHTTP(context.Background(), key, req, EmptyStringSHA256, 
"dynamodb", []string{"us-east-1"}, time.Unix(0, 0)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + expectedDate := "19700101T000000Z" + expectedAlg := "AWS4-ECDSA-P256-SHA256" + expectedHeaders := "content-length;content-type;host;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore" + expectedCredential := "AKISORANDOMAASORANDOM/19700101/dynamodb/aws4_request" + expectedStrToSignHash := "d7ffbd2fab644384c056957e6ac38de4ae68246764b5f5df171b3824153b6397" + expectedTarget := "prefix.Operation" + + signedReq, err := url.Parse(signedUrl) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + q := signedReq.Query() + + validateSignature(t, expectedStrToSignHash, q.Get("X-Amz-Signature")) + + if e, a := expectedAlg, q.Get("X-Amz-Algorithm"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedCredential, q.Get("X-Amz-Credential"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedHeaders, q.Get("X-Amz-SignedHeaders"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedDate, q.Get("X-Amz-Date"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if a := q.Get("X-Amz-Meta-Other-Header"); len(a) != 0 { + t.Errorf("expect %v to be empty", a) + } + if e, a := expectedTarget, q.Get("X-Amz-Target"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := "us-east-1", q.Get("X-Amz-Region-Set"); e != a { + t.Errorf("expect %v, got %v", e, a) + } +} + +func TestPresignHTTP_BodyWithArrayRequest(t *testing.T) { + req := buildRequest("dynamodb", "us-east-1") + req.URL.RawQuery = "Foo=z&Foo=o&Foo=m&Foo=a" + + signer, credProvider := buildSigner(t, true) + + key, err := credProvider.RetrievePrivateKey(context.Background()) + if err != nil { + t.Fatalf("expect no error, got %v", err) + } + + query := req.URL.Query() + query.Set("X-Amz-Expires", "300") + req.URL.RawQuery = query.Encode() + + signedURI, _, err := signer.PresignHTTP(context.Background(), key, req, 
EmptyStringSHA256, "dynamodb", []string{"us-east-1"}, time.Unix(0, 0)) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + signedReq, err := url.Parse(signedURI) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + expectedAlg := "AWS4-ECDSA-P256-SHA256" + expectedDate := "19700101T000000Z" + expectedHeaders := "content-length;content-type;host;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore" + expectedStrToSignHash := "acff64fd3689be96259d4112c3742ff79f4da0d813bc58a285dc1c4449760bec" + expectedCred := "AKISORANDOMAASORANDOM/19700101/dynamodb/aws4_request" + expectedTarget := "prefix.Operation" + + q := signedReq.Query() + + validateSignature(t, expectedStrToSignHash, q.Get("X-Amz-Signature")) + + if e, a := expectedAlg, q.Get("X-Amz-Algorithm"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedCred, q.Get("X-Amz-Credential"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedHeaders, q.Get("X-Amz-SignedHeaders"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := expectedDate, q.Get("X-Amz-Date"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if a := q.Get("X-Amz-Meta-Other-Header"); len(a) != 0 { + t.Errorf("expect %v to be empty, was not", a) + } + if e, a := expectedTarget, q.Get("X-Amz-Target"); e != a { + t.Errorf("expect %v, got %v", e, a) + } + if e, a := "us-east-1", q.Get("X-Amz-Region-Set"); e != a { + t.Errorf("expect %v, got %v", e, a) + } +} + +func validateAuthorization(t *testing.T, authorization, expectedAlg, expectedCredential, expectedSignedHeaders, expectedStrToSignHash string) { + t.Helper() + split := strings.SplitN(authorization, " ", 2) + + if len(split) != 2 { + t.Fatal("unexpected authorization header format") + } + + if e, a := split[0], expectedAlg; e != a { + t.Errorf("expected %v, got %v", e, a) + } + + keyValues := strings.Split(split[1], ", ") + seen := make(map[string]string) + + for _, kv := range keyValues { + idx 
:= strings.Index(kv, "=") + if idx == -1 { + continue + } + key, value := kv[:idx], kv[idx+1:] + seen[key] = value + } + + if a, ok := seen["Credential"]; ok { + if expectedCredential != a { + t.Errorf("expected credential %v, got %v", expectedCredential, a) + } + } else { + t.Errorf("Credential not found in authorization string") + } + + if a, ok := seen["SignedHeaders"]; ok { + if expectedSignedHeaders != a { + t.Errorf("expected signed headers %v, got %v", expectedSignedHeaders, a) + } + } else { + t.Errorf("SignedHeaders not found in authorization string") + } + + if a, ok := seen["Signature"]; ok { + validateSignature(t, expectedStrToSignHash, a) + } else { + t.Errorf("signature not found in authorization string") + } +} + +func validateSignature(t *testing.T, expectedHash, signature string) { + t.Helper() + pair, err := deriveKeyFromAccessKeyPair(accessKey, secretKey) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + hash, _ := hex.DecodeString(expectedHash) + sig, _ := hex.DecodeString(signature) + + ok, err := crypto.VerifySignature(&pair.PublicKey, hash, sig) + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + if !ok { + t.Errorf("failed to verify signing singature") + } +} + +func buildRequest(serviceName, region string) *http.Request { + endpoint := "https://" + serviceName + "." 
+ region + ".amazonaws.com" + req, _ := http.NewRequest("POST", endpoint, nil) + req.URL.Opaque = "//example.org/bucket/key-._~,!@%23$%25^&*()" + req.Header.Set("X-Amz-Target", "prefix.Operation") + req.Header.Set("Content-Type", "application/x-amz-json-1.0") + + req.Header.Set("Content-Length", strconv.Itoa(1024)) + + req.Header.Set("X-Amz-Meta-Other-Header", "some-value=!@#$%^&* (+)") + req.Header.Add("X-Amz-Meta-Other-Header_With_Underscore", "some-value=!@#$%^&* (+)") + req.Header.Add("X-amz-Meta-Other-Header_With_Underscore", "some-value=!@#$%^&* (+)") + return req +} + +func buildSigner(t *testing.T, withToken bool) (*Signer, CredentialsProvider) { + creds := aws.Credentials{ + AccessKeyID: accessKey, + SecretAccessKey: secretKey, + } + + if withToken { + creds.SessionToken = "TOKEN" + } + + return NewSigner(func(options *SignerOptions) { + options.Logger = loggerFunc(func(format string, v ...interface{}) { + t.Logf(format, v...) + }) + }), &SymmetricCredentialAdaptor{ + SymmetricProvider: staticCredentialsProvider{ + Value: creds, + }, + } +} + +type loggerFunc func(format string, v ...interface{}) + +func (l loggerFunc) Logf(_ logging.Classification, format string, v ...interface{}) { + l(format, v...) +} + +type staticCredentialsProvider struct { + Value aws.Credentials +} + +func (s staticCredentialsProvider) Retrieve(_ context.Context) (aws.Credentials, error) { + v := s.Value + if v.AccessKeyID == "" || v.SecretAccessKey == "" { + return aws.Credentials{ + Source: "Source Name", + }, fmt.Errorf("static credentials are empty") + } + + if len(v.Source) == 0 { + v.Source = "Source Name" + } + + return v, nil +}