-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix handling of repeated headers in aws request canonicalization #2261
Conversation
See spec in https://docs.aws.amazon.com/general/latest/gr/create-signed-request.html#create-canonical-request Previously, repeated headers would appear twice on separate lines in the `CanonicalHeaders` section and twice in the `SignedHeaders` section. This PR fixes it to appear once. This should fix issues like this one awslabs/aws-sdk-rust#720
I was actually able to test that this solves my original bug by running my company's app with this modification to Cargo.toml
It does successfully talk to aws with the new correctly canonicalized headers. |
From my app: Before the fix:
including the following failure:
After
and success! |
@@ -225,7 +225,7 @@ impl<'a> CanonicalRequest<'a> { | |||
} | |||
|
|||
let mut signed_headers = Vec::with_capacity(canonical_headers.len()); | |||
for (name, _) in &canonical_headers { | |||
for name in canonical_headers.keys() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change ensures that each key appears only once in the SignedHeaders
section.
std::str::from_utf8(value.as_bytes()) | ||
.expect("SDK request header values are valid UTF-8") | ||
}) | ||
.collect(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change ensures that all values of the header appear in a comma separated list in the CanonicalHeaders
section on the same row - per the spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the contribution! These changes look good to me.
We're having some issues in CI with Error response from daemon: toomanyrequests: Data limit exceeded
at the moment, so you'll see some failures from that. I'll check back and retry those in a bit so we can get a better view of CI.
"host;x-amz-content-sha256;x-amz-date;x-amz-object-attributes" | ||
); | ||
|
||
let expected = "GET |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for adding the unit test! Here is my alternative thought, and feel free to incorporate/discard it. Instead of comparing the entire canonical request in the form of a raw string, could we target our verification on x-amz-object-attributes
?
To do so, we need to factor out the code from 341 to 349 into a small method, i.e.
impl<'a> CanonicalRequest<'a> {
// I just chose some name, but feel free to pick any name that makes sense.
fn header_values_for(&self, key: impl AsHeaderName) -> Vec<&str> {
self.headers
.get_all(key)
.into_iter()
.map(|value| {
std::str::from_utf8(value.as_bytes())
.expect("SDK request header values are valid UTF-8")
})
.collect()
}
}
Lines 341-349 will then look like:
let values = self.header_values_for(&header.0);
In the unit test, we can use header_values_for
on creq
, i.e.,
let actual = creq.header_values_for("x-amz-object-attributes");
assert_eq!(actual, vec!["Checksum", "ObjectSize"]);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
seems reasonable! Will do it.
I personally also like having a test that has the entire thing as well as a bit of an integration test - it'll be really easy to notice if something regresses about how the whole thing fits together. But of course, happy to defer to whatever maintainers think.
If we wanted that, it'd probably be better as a separate test that is very plain.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'll move the "," join into the small method so it also gets coverage in the test - similar to how we test the semicolon joining a few lines above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I personally also like having a test that has the entire thing as well as a bit of an integration test - it'll be really easy to notice if something regresses about how the whole thing fits together.
Thanks for thinking through. If anything goes wrong out of the implementation of this PR, it'll be caught in the existing integration tests (and probably easy to notice as failures should be across the board).
If we wanted that, it'd probably be better as a separate test that is very plain.
I agree and kind of thought that was the benefit of comparing the canonical request as a raw string in your original code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks for incorporating the feedback.
Sounds good! Let me know if there's anything further you need from me. Feel free to do any rebasing/merge conflicts/minor fixes etc on my behalf if that's what's blocking. |
I think we're ready to merge. Just waiting for resolution on our CI issues to avoid having to restart the tests a bunch of times 😅 |
* formatting: run pre-commit on all files (smithy-lang#2236) * formatting: run pre-commit on all files * fix: test broken by string indent * Remove old service builder machinery (smithy-lang#2161) * Remove HandlerGenerator and RegistryGenerator * Shrink RequestRejection * Remove inlineable * Remove Router and RequestParts * Remove old service builder tests * Add missing test dependency * Add missing dev dependency * Remove unused test * Move Router types * Switch AllowUnused to AllowUnusedVariables * Add changelog entry for "Remove old service builder machinery" (smithy-lang#2242) * Dense maps cannot deserialize null values (smithy-lang#2239) * Dense maps cannot deserialize null values Signed-off-by: Daniele Ahmed <[email protected]> * Dense lists cannot deserialize null (smithy-lang#2240) * Dense lists cannot deserialize null Signed-off-by: Daniele Ahmed <[email protected]> * Update changelog * Add changelog entry about smithy-lang#2200 (smithy-lang#2250) Co-authored-by: Julian Antonielli <[email protected]> * Fix `OperationExtensionFuture` poll order (smithy-lang#2247) * Fix `OperationExtensionFuture` poll order * Add CHANGELOG.next.toml entry Co-authored-by: AWS SDK Rust Bot <[email protected]> * Bump version to 0.54.1 in `gradle.properties` (smithy-lang#2249) Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> * Update changelog * Add CI action to test aws-sdk-services (smithy-lang#2251) * run cargo test --all-features instead * Add check-only option, change check to test * Support nested APIs in operation input tests * Newtype FromRequest::Future (smithy-lang#2244) * Add RFC: Providing fallback credentials on timeout (smithy-lang#2218) * Add RFC: providing fallback credentials on timeout * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: John DiSanti <[email protected]> * Incorporate review feedback into RFC This commit addresses the review feedback: smithy-lang#2218 (comment) smithy-lang#2218 (comment) smithy-lang#2218 (comment) In addition, we have renamed the proposed method `on_timeout` to `fallback_on_interrupt` to make it more descriptive. * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update RFC This commit updates RFC and leaves to discussion how `fallback_on_interrupt` should be implemented, i.e., either as a synchronous primitive or an asynchronous primitive. * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update rfc0031_providing_fallback_credentials_on_timeout.md --------- Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: Zelda Hessler <[email protected]> Co-authored-by: John DiSanti <[email protected]> Co-authored-by: Luca Palmieri <[email protected]> * Replace PR bot's diff tool with one that supports pagination (smithy-lang#2245) * Implement paginated diff to html tool * Wire up the new diff tool to PR bot * Add fallback_on_interrupt to the ProvideCredentials trait (smithy-lang#2246) * Implement RFC for providing fallback credentials This commit implements the changes checklist in the RFC for providing fallback credentials. * Remove needless lifetime parameter * Update CHANGELOG.next.toml --------- Co-authored-by: Yuki Saito <[email protected]> * Copy non-service integration tests into SDK root tests directory (smithy-lang#2255) * Copy non-service integration tests into SDK root tests directory For tests in `aws/sdk/integration-tests` that are not named after a service module, copy them into the SDK's root `tests/` directory so that they are run as part of CI on the entire SDK. * Add missing fields to integration test manifests * Remove tests from root workspace * Explicitly exclude the root tests from the root workspace * Update the event stream section in RFC30 (smithy-lang#2243) * Python: Support `document` type (smithy-lang#2188) * Add Python wrapper for `aws_smithy_types::Document` * Remove unused type * Make sure Python SSDKs uses Python specific `Document` type * Allow Python specific `Document` type to be used in serialization and deserialization * Make `pyo3/extension-module` a default feature * Add `PythonServerTypesTest` * Fix linting issues * Add `Data limit exceeded` to build image throttle messages (smithy-lang#2260) * Update smoketest models (smithy-lang#2252) * Make minor fixes to the crate claim workflow (smithy-lang#2259) * Add support for `@uniqueItems` (smithy-lang#2232) This commit adds support for the `@uniqueItems` trait on `list` shapes in server SDKs. Requests with duplicate values for `list` shapes constrained with `@uniqueItems` will be rejected by servers. * Update mentions to codegen configuration key in changelog (smithy-lang#2166) As well as in one error message. The key is `codegen`, not `codegenConfig`. * Change the release flow to use release branches (smithy-lang#2253) * What happens if we comment out the runtime crate version from gradle.properties? * Allow running the release and the CI workflows from an arbitrary commit. * Does a fake version work? * Pass `git_ref` from the release workflow. * It needs to be a valid semver version. * Sketch new command to upgrade version in gradle.properties * Command implementation * Plug the new publisher command into the `release` action. * Plumb end-to-end * Fix copyright header. * Fix lint. * Temporarily comment out the sanity check. * Ignore sanity check * Add a command that prints out the template for CHANGELOG.next.toml * Add branch check + empty TOML generation. * Add copyright headers. * Fix imports. * Remove sanity check. * Move script to a file. * Add a check to validate the tag. * Remove second build step. * Move to .github/scripts folder. * Make the script easier to run locally * Fail if anything fails. * Add comment. * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/workflows/ci.yml Co-authored-by: david-perez <[email protected]> * Remove touch. * Fix indentation and branch name. * Update .github/workflows/ci.yml Co-authored-by: david-perez <[email protected]> * Update .github/workflows/release.yml Co-authored-by: david-perez <[email protected]> * Update .github/workflows/release.yml Co-authored-by: david-perez <[email protected]> * Explicit flags. * Use the path that was provided. * Format --------- Co-authored-by: david-perez <[email protected]> * Reduce Docker image rebuilds (smithy-lang#2269) * Move `acquire-build-image` into `.github` * Move the `tools-hash` script into `.github` * Upload to ECR from PRs as well * Move build tools into `tools/ci-build/` * Move CI scripts out of `ci-build` * Split CI for forks/non-forks * Remove `fetch-depth: 0` from PR workflows * Remove teams from `publisher` ownership list (smithy-lang#2257) * Add static stability support to IMDS credentials provider (smithy-lang#2258) * Add static stability support to ImdsCredentialsProvider This commit adds static stability support to `ImdsCredentialsProvider`. Static stability refers to continued availability of a service in the face of impaired dependencies. In case IMDS is not available, we still allow requests to be dispatched with expired credentials. This, in turn, allows the target service to makes the ultimate decision as to whether requests sent are valid or not instead of the client SDK determining their validity. The way it is implemented is `ImdsCredentialsProvider` now stores a last retrieved credentials which will later be served when IMDS is unreachable. * Add tests to IMDS credentials provider This commit adds tests to IMDS credentials providers for static stability support. These tests are prescribed in smithy-lang#2117. From an IMDS credentials provider' perspective, however, some of the tests are considered to fall under the same equivalence class with others. Therefore, a single test can cover multiple test cases. * Update CHANGELOG.next.toml * Update CHANGELOG.next.toml Co-authored-by: John DiSanti <[email protected]> --------- Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: John DiSanti <[email protected]> * Increase build image backoff time and attempts (smithy-lang#2267) * Must set a member in unions (smithy-lang#2241) * Must set a member in unions Signed-off-by: Daniele Ahmed <[email protected]> * Add `runs-on` (smithy-lang#2273) * Add `runs-on` (smithy-lang#2275) * Fix job trigger. Clarify that short SHAs won't work. (smithy-lang#2278) * Clarify what type of reference we are trying to push. (smithy-lang#2279) * Update gradle properties for dry runs as well. (smithy-lang#2280) * Get verbose logging from the branch script. (smithy-lang#2281) * Fix trigger for following jobs. (smithy-lang#2282) * Fix action paths. (smithy-lang#2283) * We need to checkout in the `smithy-rs` folder because that's an assumption baked into the definition of the docker-build action. (smithy-lang#2284) * Use action-arguments for arguments. (smithy-lang#2285) * Fix if condition. (smithy-lang#2286) * Persist the modified gradle.properties outside of the Docker context (smithy-lang#2287) * Fix if condition. * Make sure that the changes are visible to the push step after the Docker action has executed by persisting the modified repository as an artifact. * Give a name to the argument. * Use larger machines for the slowest CI jobs. (smithy-lang#2263) * Use larger machines for the slowest CI jobs. * Fix invocation. * Fix paths. (smithy-lang#2288) * Commit if modified (smithy-lang#2289) * Fix paths. * Fix commit logic - it should commit when there were changes. * Set user name and email when committing (smithy-lang#2290) * `git push origin` fails if there is nothing to push. (smithy-lang#2291) * Use curly braces to group together the commit and push action (smithy-lang#2292) * Fix syntax error when grouping commands. (smithy-lang#2293) * [release-branches] Fix the reference that gets checked out (smithy-lang#2294) * Fix the reference that gets checked out * Fix * Fix broken doc link to `tokio_stream::Stream` (smithy-lang#2271) * Fix broken doc link to `Stream` This commit fixes broken doc link to `Stream` in codegen clients. That target is `tokio_stream::Stream`, which in turn is a re-export of `futures_core::Stream`. Since we do not have a good way to link to the re-export, we remove a hyper link and just put `Stream`. * Update CHANGELOG.next.toml --------- Co-authored-by: Yuki Saito <[email protected]> * Use docker login when possible (smithy-lang#2265) Login to ECR when credentials are available to improve CI performance * Simplify `AdHocSection` (smithy-lang#2272) Co-authored-by: Russell Cohen <[email protected]> * Fix CI on main and don't acquire Docker login for forks (smithy-lang#2295) * Fix CI on main and don't acquire Docker login for forks * Convert empty env vars into `None` * Optimize base image acquisition on main * Collect more diagnostics. (smithy-lang#2297) * [release-branches] Fix working directory (smithy-lang#2298) * Fix working directory. * Build the Docker image using the latest commit on the invocation branch. * We need a Docker image with the same SHA later in the process. * Clone does not preserve uncommitted changes. This was leading to the gradle.properties update being lost. (smithy-lang#2299) * Make `OperationExtension` store the absolute shape ID (smithy-lang#2276) * Do not alter Operation shape ID * Add OperationExtensionExt test * Add CHANGELOG.next.toml entry * Apply suggestions from code review Co-authored-by: Luca Palmieri <[email protected]> --------- Co-authored-by: Luca Palmieri <[email protected]> * Retrieve the output from outside the Docker context (smithy-lang#2300) Co-authored-by: AWS SDK Rust Bot <[email protected]> * Fix image tagging in CI on main (smithy-lang#2301) * Fix handling of repeated headers in AWS request canonicalization (smithy-lang#2261) * Remove usage of always empty writable in `JsonParserGenerator` (smithy-lang#2192) The writable calculates a string that it never writes. This was added in smithy-lang#2131. * fix --------- Signed-off-by: Daniele Ahmed <[email protected]> Co-authored-by: Zelda Hessler <[email protected]> Co-authored-by: Harry Barber <[email protected]> Co-authored-by: 82marbag <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> Co-authored-by: Russell Cohen <[email protected]> Co-authored-by: ysaito1001 <[email protected]> Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: John DiSanti <[email protected]> Co-authored-by: Luca Palmieri <[email protected]> Co-authored-by: Burak <[email protected]> Co-authored-by: david-perez <[email protected]> Co-authored-by: Nipunn Koorapati <[email protected]>
* formatting: run pre-commit on all files (smithy-lang#2236) * formatting: run pre-commit on all files * fix: test broken by string indent * Remove old service builder machinery (smithy-lang#2161) * Remove HandlerGenerator and RegistryGenerator * Shrink RequestRejection * Remove inlineable * Remove Router and RequestParts * Remove old service builder tests * Add missing test dependency * Add missing dev dependency * Remove unused test * Move Router types * Switch AllowUnused to AllowUnusedVariables * Add changelog entry for "Remove old service builder machinery" (smithy-lang#2242) * Dense maps cannot deserialize null values (smithy-lang#2239) * Dense maps cannot deserialize null values Signed-off-by: Daniele Ahmed <[email protected]> * Dense lists cannot deserialize null (smithy-lang#2240) * Dense lists cannot deserialize null Signed-off-by: Daniele Ahmed <[email protected]> * Update changelog * Add changelog entry about smithy-lang#2200 (smithy-lang#2250) Co-authored-by: Julian Antonielli <[email protected]> * Fix `OperationExtensionFuture` poll order (smithy-lang#2247) * Fix `OperationExtensionFuture` poll order * Add CHANGELOG.next.toml entry Co-authored-by: AWS SDK Rust Bot <[email protected]> * Bump version to 0.54.1 in `gradle.properties` (smithy-lang#2249) Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> * Update changelog * Add CI action to test aws-sdk-services (smithy-lang#2251) * run cargo test --all-features instead * Add check-only option, change check to test * Support nested APIs in operation input tests * Newtype FromRequest::Future (smithy-lang#2244) * Add RFC: Providing fallback credentials on timeout (smithy-lang#2218) * Add RFC: providing fallback credentials on timeout * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: Zelda Hessler <[email protected]> * Update design/src/rfcs/rfc0031_providing_fallback_credentials_on_timeout.md Co-authored-by: John DiSanti <[email protected]> * Incorporate review feedback into RFC This commit addresses the review feedback: smithy-lang#2218 (comment) smithy-lang#2218 (comment) smithy-lang#2218 (comment) In addition, we have renamed the proposed method `on_timeout` to `fallback_on_interrupt` to make it more descriptive. * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update RFC This commit updates RFC and leaves to discussion how `fallback_on_interrupt` should be implemented, i.e., either as a synchronous primitive or an asynchronous primitive. * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update rfc0031_providing_fallback_credentials_on_timeout.md * Update rfc0031_providing_fallback_credentials_on_timeout.md --------- Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: Zelda Hessler <[email protected]> Co-authored-by: John DiSanti <[email protected]> Co-authored-by: Luca Palmieri <[email protected]> * Replace PR bot's diff tool with one that supports pagination (smithy-lang#2245) * Implement paginated diff to html tool * Wire up the new diff tool to PR bot * Add fallback_on_interrupt to the ProvideCredentials trait (smithy-lang#2246) * Implement RFC for providing fallback credentials This commit implements the changes checklist in the RFC for providing fallback credentials. * Remove needless lifetime parameter * Update CHANGELOG.next.toml --------- Co-authored-by: Yuki Saito <[email protected]> * Copy non-service integration tests into SDK root tests directory (smithy-lang#2255) * Copy non-service integration tests into SDK root tests directory For tests in `aws/sdk/integration-tests` that are not named after a service module, copy them into the SDK's root `tests/` directory so that they are run as part of CI on the entire SDK. * Add missing fields to integration test manifests * Remove tests from root workspace * Explicitly exclude the root tests from the root workspace * Update the event stream section in RFC30 (smithy-lang#2243) * Python: Support `document` type (smithy-lang#2188) * Add Python wrapper for `aws_smithy_types::Document` * Remove unused type * Make sure Python SSDKs uses Python specific `Document` type * Allow Python specific `Document` type to be used in serialization and deserialization * Make `pyo3/extension-module` a default feature * Add `PythonServerTypesTest` * Fix linting issues * Add `Data limit exceeded` to build image throttle messages (smithy-lang#2260) * Update smoketest models (smithy-lang#2252) * Make minor fixes to the crate claim workflow (smithy-lang#2259) * Add support for `@uniqueItems` (smithy-lang#2232) This commit adds support for the `@uniqueItems` trait on `list` shapes in server SDKs. Requests with duplicate values for `list` shapes constrained with `@uniqueItems` will be rejected by servers. * Update mentions to codegen configuration key in changelog (smithy-lang#2166) As well as in one error message. The key is `codegen`, not `codegenConfig`. * Change the release flow to use release branches (smithy-lang#2253) * What happens if we comment out the runtime crate version from gradle.properties? * Allow running the release and the CI workflows from an arbitrary commit. * Does a fake version work? * Pass `git_ref` from the release workflow. * It needs to be a valid semver version. * Sketch new command to upgrade version in gradle.properties * Command implementation * Plug the new publisher command into the `release` action. * Plumb end-to-end * Fix copyright header. * Fix lint. * Temporarily comment out the sanity check. * Ignore sanity check * Add a command that prints out the template for CHANGELOG.next.toml * Add branch check + empty TOML generation. * Add copyright headers. * Fix imports. * Remove sanity check. * Move script to a file. * Add a check to validate the tag. * Remove second build step. * Move to .github/scripts folder. * Make the script easier to run locally * Fail if anything fails. * Add comment. * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/scripts/get-or-create-release-branch.sh Co-authored-by: david-perez <[email protected]> * Update .github/workflows/ci.yml Co-authored-by: david-perez <[email protected]> * Remove touch. * Fix indentation and branch name. * Update .github/workflows/ci.yml Co-authored-by: david-perez <[email protected]> * Update .github/workflows/release.yml Co-authored-by: david-perez <[email protected]> * Update .github/workflows/release.yml Co-authored-by: david-perez <[email protected]> * Explicit flags. * Use the path that was provided. * Format --------- Co-authored-by: david-perez <[email protected]> * Reduce Docker image rebuilds (smithy-lang#2269) * Move `acquire-build-image` into `.github` * Move the `tools-hash` script into `.github` * Upload to ECR from PRs as well * Move build tools into `tools/ci-build/` * Move CI scripts out of `ci-build` * Split CI for forks/non-forks * Remove `fetch-depth: 0` from PR workflows * Remove teams from `publisher` ownership list (smithy-lang#2257) * Add static stability support to IMDS credentials provider (smithy-lang#2258) * Add static stability support to ImdsCredentialsProvider This commit adds static stability support to `ImdsCredentialsProvider`. Static stability refers to continued availability of a service in the face of impaired dependencies. In case IMDS is not available, we still allow requests to be dispatched with expired credentials. This, in turn, allows the target service to makes the ultimate decision as to whether requests sent are valid or not instead of the client SDK determining their validity. The way it is implemented is `ImdsCredentialsProvider` now stores a last retrieved credentials which will later be served when IMDS is unreachable. * Add tests to IMDS credentials provider This commit adds tests to IMDS credentials providers for static stability support. These tests are prescribed in smithy-lang#2117. From an IMDS credentials provider' perspective, however, some of the tests are considered to fall under the same equivalence class with others. Therefore, a single test can cover multiple test cases. * Update CHANGELOG.next.toml * Update CHANGELOG.next.toml Co-authored-by: John DiSanti <[email protected]> --------- Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: John DiSanti <[email protected]> * Increase build image backoff time and attempts (smithy-lang#2267) * Must set a member in unions (smithy-lang#2241) * Must set a member in unions Signed-off-by: Daniele Ahmed <[email protected]> * Add `runs-on` (smithy-lang#2273) * Add `runs-on` (smithy-lang#2275) * Fix job trigger. Clarify that short SHAs won't work. (smithy-lang#2278) * Clarify what type of reference we are trying to push. (smithy-lang#2279) * Update gradle properties for dry runs as well. (smithy-lang#2280) * Get verbose logging from the branch script. (smithy-lang#2281) * Fix trigger for following jobs. (smithy-lang#2282) * Fix action paths. (smithy-lang#2283) * We need to checkout in the `smithy-rs` folder because that's an assumption baked into the definition of the docker-build action. (smithy-lang#2284) * Use action-arguments for arguments. (smithy-lang#2285) * Fix if condition. (smithy-lang#2286) * Persist the modified gradle.properties outside of the Docker context (smithy-lang#2287) * Fix if condition. * Make sure that the changes are visible to the push step after the Docker action has executed by persisting the modified repository as an artifact. * Give a name to the argument. * Use larger machines for the slowest CI jobs. (smithy-lang#2263) * Use larger machines for the slowest CI jobs. * Fix invocation. * Fix paths. (smithy-lang#2288) * Commit if modified (smithy-lang#2289) * Fix paths. * Fix commit logic - it should commit when there were changes. * Set user name and email when committing (smithy-lang#2290) * `git push origin` fails if there is nothing to push. (smithy-lang#2291) * Use curly braces to group together the commit and push action (smithy-lang#2292) * Fix syntax error when grouping commands. (smithy-lang#2293) * [release-branches] Fix the reference that gets checked out (smithy-lang#2294) * Fix the reference that gets checked out * Fix * Fix broken doc link to `tokio_stream::Stream` (smithy-lang#2271) * Fix broken doc link to `Stream` This commit fixes broken doc link to `Stream` in codegen clients. That target is `tokio_stream::Stream`, which in turn is a re-export of `futures_core::Stream`. Since we do not have a good way to link to the re-export, we remove a hyper link and just put `Stream`. * Update CHANGELOG.next.toml --------- Co-authored-by: Yuki Saito <[email protected]> * Use docker login when possible (smithy-lang#2265) Login to ECR when credentials are available to improve CI performance * Simplify `AdHocSection` (smithy-lang#2272) Co-authored-by: Russell Cohen <[email protected]> * Fix CI on main and don't acquire Docker login for forks (smithy-lang#2295) * Fix CI on main and don't acquire Docker login for forks * Convert empty env vars into `None` * Optimize base image acquisition on main * Collect more diagnostics. (smithy-lang#2297) * [release-branches] Fix working directory (smithy-lang#2298) * Fix working directory. * Build the Docker image using the latest commit on the invocation branch. * We need a Docker image with the same SHA later in the process. * Clone does not preserve uncommitted changes. This was leading to the gradle.properties update being lost. (smithy-lang#2299) * Make `OperationExtension` store the absolute shape ID (smithy-lang#2276) * Do not alter Operation shape ID * Add OperationExtensionExt test * Add CHANGELOG.next.toml entry * Apply suggestions from code review Co-authored-by: Luca Palmieri <[email protected]> --------- Co-authored-by: Luca Palmieri <[email protected]> * Retrieve the output from outside the Docker context (smithy-lang#2300) Co-authored-by: AWS SDK Rust Bot <[email protected]> * Fix image tagging in CI on main (smithy-lang#2301) * Fix handling of repeated headers in AWS request canonicalization (smithy-lang#2261) * Remove usage of always empty writable in `JsonParserGenerator` (smithy-lang#2192) The writable calculates a string that it never writes. This was added in smithy-lang#2131. --------- Signed-off-by: Daniele Ahmed <[email protected]> Co-authored-by: Zelda Hessler <[email protected]> Co-authored-by: Harry Barber <[email protected]> Co-authored-by: 82marbag <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: Julian Antonielli <[email protected]> Co-authored-by: AWS SDK Rust Bot <[email protected]> Co-authored-by: Russell Cohen <[email protected]> Co-authored-by: ysaito1001 <[email protected]> Co-authored-by: Yuki Saito <[email protected]> Co-authored-by: John DiSanti <[email protected]> Co-authored-by: Luca Palmieri <[email protected]> Co-authored-by: Burak <[email protected]> Co-authored-by: david-perez <[email protected]> Co-authored-by: Nipunn Koorapati <[email protected]>
This PR fixes it to appear once.
This should fix issues like this one
awslabs/aws-sdk-rust#720
Motivation and Context
awslabs/aws-sdk-rust#720
Previously, repeated headers would appear twice on separate lines in the
CanonicalHeaders
section and twice in theSignedHeaders
section, resulting in invalid signatures failing requests.See spec in
https://docs.aws.amazon.com/general/latest/gr/create-signed-request.html#create-canonical-request
Description
Per the spec, the header should appear once with a comma separated list of values.
Testing
I added a test to show the output that is appearing.
I would love to actually test end-to-end with aws to make sure the final requests in fact works, but I'm actually not sure how. Would appreciate assistance (or if someone from amazon's side wants to take over the PR, that would be fine with me as well).
Checklist
CHANGELOG.next.toml
if I made changes to the smithy-rs codegen or runtime cratesBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.