chore(id-auth-sra): S3 Express compatibility with ID & Auth SRA (#6346)

* chore(id-auth-sra): remove s3 from useLegacyAuth list * chore(client-s3): turn off useLegacyAuth * chore(client-s3): id-auth sra and regionRedirect compatibility * chore(client-s3): compatibility for S3Express and httpsigning midware
aws · Aug 2, 2024 · 253d329 · 253d329
1 parent 7bf2e59
commit 253d329
Show file tree

Hide file tree

Showing 20 changed files with 690 additions and 48 deletions.
diff --git a/clients/client-s3/package.json b/clients/client-s3/package.json
@@ -38,7 +38,6 @@
     "@aws-sdk/middleware-logger": "*",
     "@aws-sdk/middleware-recursion-detection": "*",
     "@aws-sdk/middleware-sdk-s3": "*",
-    "@aws-sdk/middleware-signing": "*",
     "@aws-sdk/middleware-ssec": "*",
     "@aws-sdk/middleware-user-agent": "*",
     "@aws-sdk/region-config-resolver": "*",
@@ -76,6 +75,7 @@
     "@smithy/util-defaults-mode-browser": "^3.0.14",
     "@smithy/util-defaults-mode-node": "^3.0.14",
     "@smithy/util-endpoints": "^2.0.5",
+    "@smithy/util-middleware": "^3.0.3",
     "@smithy/util-retry": "^3.0.3",
     "@smithy/util-stream": "^3.1.3",
     "@smithy/util-utf8": "^3.0.0",

diff --git a/clients/client-s3/src/S3Client.ts b/clients/client-s3/src/S3Client.ts
@@ -10,26 +10,26 @@ import { getLoggerPlugin } from "@aws-sdk/middleware-logger";
 import { getRecursionDetectionPlugin } from "@aws-sdk/middleware-recursion-detection";
 import {
   getRegionRedirectMiddlewarePlugin,
+  getS3ExpressHttpSigningPlugin,
   getS3ExpressPlugin,
   getValidateBucketNamePlugin,
   resolveS3Config,
   S3InputConfig,
   S3ResolvedConfig,
 } from "@aws-sdk/middleware-sdk-s3";
-import {
-  AwsAuthInputConfig,
-  AwsAuthResolvedConfig,
-  getAwsAuthPlugin,
-  resolveAwsAuthConfig,
-} from "@aws-sdk/middleware-signing";
 import {
   getUserAgentPlugin,
   resolveUserAgentConfig,
   UserAgentInputConfig,
   UserAgentResolvedConfig,
 } from "@aws-sdk/middleware-user-agent";
-import { Credentials as __Credentials, GetAwsChunkedEncodingStream } from "@aws-sdk/types";
+import { GetAwsChunkedEncodingStream } from "@aws-sdk/types";
 import { RegionInputConfig, RegionResolvedConfig, resolveRegionConfig } from "@smithy/config-resolver";
+import {
+  DefaultIdentityProviderConfig,
+  getHttpAuthSchemeEndpointRuleSetPlugin,
+  getHttpSigningPlugin,
+} from "@smithy/core";
 import {
   EventStreamSerdeInputConfig,
   EventStreamSerdeResolvedConfig,
@@ -46,6 +46,7 @@ import {
   SmithyResolvedConfiguration as __SmithyResolvedConfiguration,
 } from "@smithy/smithy-client";
 import {
+  AwsCredentialIdentityProvider,
   BodyLengthCalculator as __BodyLengthCalculator,
   CheckOptionalClientConfig as __CheckOptionalClientConfig,
   Checksum as __Checksum,
@@ -68,6 +69,12 @@ import {
 } from "@smithy/types";
 import { Readable } from "stream";
 
+import {
+  defaultS3HttpAuthSchemeParametersProvider,
+  HttpAuthSchemeInputConfig,
+  HttpAuthSchemeResolvedConfig,
+  resolveHttpAuthSchemeConfig,
+} from "./auth/httpAuthSchemeProvider";
 import {
   AbortMultipartUploadCommandInput,
   AbortMultipartUploadCommandOutput,
@@ -663,19 +670,11 @@ export interface ClientDefaults extends Partial<__SmithyConfiguration<__HttpHand
 
   /**
    * Default credentials provider; Not available in browser runtime.
+   * @deprecated
    * @internal
    */
-  credentialDefaultProvider?: (input: any) => __Provider<__Credentials>;
+  credentialDefaultProvider?: (input: any) => AwsCredentialIdentityProvider;
 
-  /**
-   * Whether to escape request path when signing the request.
-   */
-  signingEscapePath?: boolean;
-
-  /**
-   * Whether to override the request region with the region inferred from requested resource's ARN. Defaults to false.
-   */
-  useArnRegion?: boolean | Provider<boolean>;
   /**
    * Value for how many times a request will be made at most in case of retry.
    */
@@ -708,6 +707,15 @@ export interface ClientDefaults extends Partial<__SmithyConfiguration<__HttpHand
    */
   defaultsMode?: __DefaultsMode | __Provider<__DefaultsMode>;
 
+  /**
+   * Whether to escape request path when signing the request.
+   */
+  signingEscapePath?: boolean;
+
+  /**
+   * Whether to override the request region with the region inferred from requested resource's ARN. Defaults to false.
+   */
+  useArnRegion?: boolean | Provider<boolean>;
   /**
    * The internal function that inject utilities to runtime-specific stream to help users consume the data
    * @internal
@@ -725,9 +733,9 @@ export type S3ClientConfigType = Partial<__SmithyConfiguration<__HttpHandlerOpti
   RegionInputConfig &
   HostHeaderInputConfig &
   EndpointInputConfig<EndpointParameters> &
-  AwsAuthInputConfig &
-  S3InputConfig &
   EventStreamSerdeInputConfig &
+  HttpAuthSchemeInputConfig &
+  S3InputConfig &
   ClientInputEndpointParameters;
 /**
  * @public
@@ -747,9 +755,9 @@ export type S3ClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHan
   RegionResolvedConfig &
   HostHeaderResolvedConfig &
   EndpointResolvedConfig<EndpointParameters> &
-  AwsAuthResolvedConfig &
-  S3ResolvedConfig &
   EventStreamSerdeResolvedConfig &
+  HttpAuthSchemeResolvedConfig &
+  S3ResolvedConfig &
   ClientResolvedEndpointParameters;
 /**
  * @public
@@ -781,9 +789,9 @@ export class S3Client extends __Client<
     const _config_4 = resolveRegionConfig(_config_3);
     const _config_5 = resolveHostHeaderConfig(_config_4);
     const _config_6 = resolveEndpointConfig(_config_5);
-    const _config_7 = resolveAwsAuthConfig(_config_6);
-    const _config_8 = resolveS3Config(_config_7, { session: [() => this, CreateSessionCommand] });
-    const _config_9 = resolveEventStreamSerdeConfig(_config_8);
+    const _config_7 = resolveEventStreamSerdeConfig(_config_6);
+    const _config_8 = resolveHttpAuthSchemeConfig(_config_7);
+    const _config_9 = resolveS3Config(_config_8, { session: [() => this, CreateSessionCommand] });
     const _config_10 = resolveRuntimeExtensions(_config_9, configuration?.extensions || []);
     super(_config_10);
     this.config = _config_10;
@@ -793,11 +801,22 @@ export class S3Client extends __Client<
     this.middlewareStack.use(getHostHeaderPlugin(this.config));
     this.middlewareStack.use(getLoggerPlugin(this.config));
     this.middlewareStack.use(getRecursionDetectionPlugin(this.config));
-    this.middlewareStack.use(getAwsAuthPlugin(this.config));
+    this.middlewareStack.use(
+      getHttpAuthSchemeEndpointRuleSetPlugin(this.config, {
+        httpAuthSchemeParametersProvider: defaultS3HttpAuthSchemeParametersProvider,
+        identityProviderConfigProvider: async (config: S3ClientResolvedConfig) =>
+          new DefaultIdentityProviderConfig({
+            "aws.auth#sigv4": config.credentials,
+            "aws.auth#sigv4a": config.credentials,
+          }),
+      })
+    );
+    this.middlewareStack.use(getHttpSigningPlugin(this.config));
     this.middlewareStack.use(getValidateBucketNamePlugin(this.config));
     this.middlewareStack.use(getAddExpectContinuePlugin(this.config));
     this.middlewareStack.use(getRegionRedirectMiddlewarePlugin(this.config));
     this.middlewareStack.use(getS3ExpressPlugin(this.config));
+    this.middlewareStack.use(getS3ExpressHttpSigningPlugin(this.config));
   }
 
   /**

diff --git a/clients/client-s3/src/auth/httpAuthExtensionConfiguration.ts b/clients/client-s3/src/auth/httpAuthExtensionConfiguration.ts
@@ -0,0 +1,72 @@
+// smithy-typescript generated code
+import { AwsCredentialIdentity, AwsCredentialIdentityProvider, HttpAuthScheme } from "@smithy/types";
+
+import { S3HttpAuthSchemeProvider } from "./httpAuthSchemeProvider";
+
+/**
+ * @internal
+ */
+export interface HttpAuthExtensionConfiguration {
+  setHttpAuthScheme(httpAuthScheme: HttpAuthScheme): void;
+  httpAuthSchemes(): HttpAuthScheme[];
+  setHttpAuthSchemeProvider(httpAuthSchemeProvider: S3HttpAuthSchemeProvider): void;
+  httpAuthSchemeProvider(): S3HttpAuthSchemeProvider;
+  setCredentials(credentials: AwsCredentialIdentity | AwsCredentialIdentityProvider): void;
+  credentials(): AwsCredentialIdentity | AwsCredentialIdentityProvider | undefined;
+}
+
+/**
+ * @internal
+ */
+export type HttpAuthRuntimeConfig = Partial<{
+  httpAuthSchemes: HttpAuthScheme[];
+  httpAuthSchemeProvider: S3HttpAuthSchemeProvider;
+  credentials: AwsCredentialIdentity | AwsCredentialIdentityProvider;
+}>;
+
+/**
+ * @internal
+ */
+export const getHttpAuthExtensionConfiguration = (
+  runtimeConfig: HttpAuthRuntimeConfig
+): HttpAuthExtensionConfiguration => {
+  const _httpAuthSchemes = runtimeConfig.httpAuthSchemes!;
+  let _httpAuthSchemeProvider = runtimeConfig.httpAuthSchemeProvider!;
+  let _credentials = runtimeConfig.credentials;
+  return {
+    setHttpAuthScheme(httpAuthScheme: HttpAuthScheme): void {
+      const index = _httpAuthSchemes.findIndex((scheme) => scheme.schemeId === httpAuthScheme.schemeId);
+      if (index === -1) {
+        _httpAuthSchemes.push(httpAuthScheme);
+      } else {
+        _httpAuthSchemes.splice(index, 1, httpAuthScheme);
+      }
+    },
+    httpAuthSchemes(): HttpAuthScheme[] {
+      return _httpAuthSchemes;
+    },
+    setHttpAuthSchemeProvider(httpAuthSchemeProvider: S3HttpAuthSchemeProvider): void {
+      _httpAuthSchemeProvider = httpAuthSchemeProvider;
+    },
+    httpAuthSchemeProvider(): S3HttpAuthSchemeProvider {
+      return _httpAuthSchemeProvider;
+    },
+    setCredentials(credentials: AwsCredentialIdentity | AwsCredentialIdentityProvider): void {
+      _credentials = credentials;
+    },
+    credentials(): AwsCredentialIdentity | AwsCredentialIdentityProvider | undefined {
+      return _credentials;
+    },
+  };
+};
+
+/**
+ * @internal
+ */
+export const resolveHttpAuthRuntimeConfig = (config: HttpAuthExtensionConfiguration): HttpAuthRuntimeConfig => {
+  return {
+    httpAuthSchemes: config.httpAuthSchemes(),
+    httpAuthSchemeProvider: config.httpAuthSchemeProvider(),
+    credentials: config.credentials(),
+  };
+};