Service specific presign

source/aws_signing.c

@@ -1336,17 +1336,10 @@ static int s_build_canonical_stable_header_list(
             }
         }
 
-        /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */
-    }
-
-    /*
-     * x-amz-content-sha256 (optional)
-     */
-    if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) {
-        if (state->config.signature_type == AWS_ST_HTTP_REQUEST_HEADERS ||
-            (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS &&
-             aws_byte_cursor_eq(&state->config.signed_body_value, &g_aws_signed_body_value_unsigned_payload))) {
-            /* Add the x-amz-content-sha256 header for UNSIGNED-PAYLOAD when signing via query params as well. */
+        /*
+         * x-amz-content-sha256 (optional)
+         */
+        if (state->config.signed_body_header == AWS_SBHT_X_AMZ_CONTENT_SHA256) {
             if (s_add_authorization_header(
                     state,
                     stable_header_list,
@@ -1356,6 +1349,22 @@ static int s_build_canonical_stable_header_list(
                 return AWS_OP_ERR;
             }
         }
+
+        /* NOTE: Update MAX_AUTHORIZATION_HEADER_COUNT if more headers added */
+    } else if (
+        state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS &&
+        aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) {
+        /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */
+        /* Add unsigned payload as `x-amz-content-sha256` header to the canonical request when signing through query
+         * params.  */
+        if (s_add_authorization_header(
+                state,
+                stable_header_list,
+                out_required_capacity,
+                s_amz_content_sha256_header_name,
+                g_aws_signed_body_value_unsigned_payload)) {
+            return AWS_OP_ERR;
+        }
     }
 
     *out_required_capacity += aws_array_list_length(stable_header_list) * 2; /*  ':' + '\n' per header */
@@ -1518,6 +1527,17 @@ static int s_build_canonical_payload(struct aws_signing_state_aws *state) {
     struct aws_hash *hash = NULL;
 
     int result = AWS_OP_ERR;
+    if (state->config.signature_type == AWS_ST_HTTP_REQUEST_QUERY_PARAMS &&
+        aws_byte_cursor_eq_c_str(&state->config.service, "vpc-lattice-svcs")) {
+        /* NOTES: TEMPORAY WORKAROUND FOR VPC Lattice. SHALL BE REMOVED IN NEAR FUTURE */
+        /* ALWAYS USE UNSIGNED-PAYLOAD FOR VPC Lattice.  */
+        if (aws_byte_buf_append_dynamic(payload_hash_buffer, &g_aws_signed_body_value_unsigned_payload) ==
+            AWS_OP_SUCCESS) {
+            result = AWS_OP_SUCCESS;
+        }
+        goto on_cleanup;
+    }
+
     if (state->config.signed_body_value.len == 0) {
         /* No value provided by user, so we must calculate it */
         hash = aws_sha256_new(allocator);

tests/CMakeLists.txt

@@ -236,7 +236,6 @@ add_test_case(sigv4a_post_header_value_case_test)
 add_test_case(sigv4a_post_vanilla_test)
 add_test_case(sigv4a_post_vanilla_empty_query_value_test)
 add_test_case(sigv4a_post_vanilla_query_test)
-add_test_case(sigv4a_post_unsigned_payload_test)
 add_test_case(sigv4a_post_x_www_form_urlencoded_test)
 add_test_case(sigv4a_post_x_www_form_urlencoded_parameters_test)
 add_test_case(sigv4a_post_sts_header_after_test)
@@ -275,7 +274,6 @@ add_test_case(sigv4_post_header_key_sort_test)
 add_test_case(sigv4_post_header_value_case_test)
 add_test_case(sigv4_post_vanilla_test)
 add_test_case(sigv4_post_vanilla_empty_query_value_test)
-add_test_case(sigv4_post_unsigned_payload_test)
 add_test_case(sigv4_post_vanilla_query_test)
 add_test_case(sigv4_post_x_www_form_urlencoded_test)
 add_test_case(sigv4_post_x_www_form_urlencoded_parameters_test)

tests/aws-signing-test-suite/v4/post-vanilla/context.json

@@ -9,4 +9,4 @@
     "service": "service",
     "sign_body": false,
     "timestamp": "2015-08-30T12:36:00Z"
-}
+}

tests/aws-signing-test-suite/v4/post-x-www-form-urlencoded/context.json

@@ -9,4 +9,4 @@
     "service": "service",
     "sign_body": true,
     "timestamp": "2015-08-30T12:36:00Z"
-}
+}

tests/sigv4_signing_tests.c

@@ -209,7 +209,6 @@ struct v4_test_context {
     struct aws_credentials *credentials;
     bool should_normalize;
     bool should_sign_body;
-    struct aws_string *signed_body_value;
     uint64_t expiration_in_seconds;
     struct aws_input_stream *payload_stream;
     struct aws_ecc_key_pair *signing_key;
@@ -243,7 +242,6 @@ static void s_v4_test_context_clean_up(struct v4_test_context *context) {
     aws_string_destroy(context->region_config);
     aws_string_destroy(context->service);
     aws_string_destroy(context->timestamp);
-    aws_string_destroy(context->signed_body_value);
     aws_credentials_release(context->credentials);
 
     aws_mutex_clean_up(&context->lock);
@@ -267,7 +265,6 @@ AWS_STATIC_STRING_FROM_LITERAL(s_service_name, "service");
 AWS_STATIC_STRING_FROM_LITERAL(s_timestamp_name, "timestamp");
 AWS_STATIC_STRING_FROM_LITERAL(s_normalize_name, "normalize");
 AWS_STATIC_STRING_FROM_LITERAL(s_body_name, "sign_body");
-AWS_STATIC_STRING_FROM_LITERAL(s_signed_body_value_name, "signed_body_value");
 AWS_STATIC_STRING_FROM_LITERAL(s_expiration_name, "expiration_in_seconds");
 AWS_STATIC_STRING_FROM_LITERAL(s_omit_token_name, "omit_session_token");
 
@@ -388,20 +385,6 @@ static int s_v4_test_context_parse_context_file(struct v4_test_context *context)
 
     aws_json_value_get_boolean(body_node, &context->should_sign_body);
 
-    struct aws_json_value *signed_body_value_node =
-        aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_signed_body_value_name));
-    if (signed_body_value_node != NULL && aws_json_value_is_string(signed_body_value_node)) {
-        struct aws_byte_cursor signed_body_value_cursor;
-        /* Optional field. If not set, ignore it. */
-        if (aws_json_value_get_string(signed_body_value_node, &signed_body_value_cursor) == AWS_OP_ERR) {
-            goto done;
-        }
-        context->signed_body_value = aws_string_new_from_cursor(context->allocator, &signed_body_value_cursor);
-        if (context->signed_body_value == NULL) {
-            goto done;
-        }
-    }
-
     struct aws_json_value *expiration_node =
         aws_json_value_get_from_object(document_root, aws_byte_cursor_from_string(s_expiration_name));
     if (expiration_node == NULL || !aws_json_value_is_number(expiration_node)) {
@@ -604,10 +587,6 @@ static int s_v4_test_context_init_signing_config(
     } else {
         context->config->signed_body_value = g_aws_signed_body_value_empty_sha256;
     }
-    if (context->signed_body_value) {
-        /* Override the signed body value */
-        context->config->signed_body_value = aws_byte_cursor_from_string(context->signed_body_value);
-    }
 
     context->config->credentials = context->credentials;
     context->config->expiration_in_seconds = context->expiration_in_seconds;
@@ -1428,7 +1407,6 @@ DECLARE_SIGV4A_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case")
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla, "post-vanilla");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query");
-DECLARE_SIGV4A_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded");
 DECLARE_SIGV4A_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters");
 DECLARE_SIGV4A_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token");
@@ -1492,7 +1470,6 @@ DECLARE_SIGV4_TEST_SUITE_CASE(post_header_value_case, "post-header-value-case");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla, "post-vanilla");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_empty_query_value, "post-vanilla-empty-query-value");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_vanilla_query, "post-vanilla-query");
-DECLARE_SIGV4_TEST_SUITE_CASE(post_unsigned_payload, "post-unsigned-payload");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded, "post-x-www-form-urlencoded");
 DECLARE_SIGV4_TEST_SUITE_CASE(post_x_www_form_urlencoded_parameters, "post-x-www-form-urlencoded-parameters");
 DECLARE_SIGV4_TEST_SUITE_CASE(get_vanilla_with_session_token, "get-vanilla-with-session-token");