Updates

dagnir · dagnir · commit d301273aea9a · 2025-10-08T11:04:00.000-07:00
diff --git a/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.java b/core/http-auth-aws/src/main/java/software/amazon/awssdk/http/auth/aws/internal/signer/DefaultAwsV4HttpSigner.java
@@ -72,7 +72,7 @@ public CompletableFuture<AsyncSignedRequest> signAsync(AsyncSignRequest<? extend
         Checksummer checksummer = asyncChecksummer(request, checksumStore(request));
         V4Properties v4Properties = v4Properties(request);
         V4RequestSigner v4RequestSigner = v4RequestSigner(request, v4Properties);
-        V4PayloadSigner payloadSigner = v4PayloadSigner(request, v4Properties);
+        V4PayloadSigner payloadSigner = v4PayloadAsyncSigner(request, v4Properties);
 
         return doSignAsync(request, checksummer, v4RequestSigner, payloadSigner);
     }
@@ -129,12 +129,10 @@ private static V4RequestSigner v4RequestSigner(
         return requestSigner.apply(v4Properties);
     }
 
+    // TODO: remove this once we consolidate the behavior for plaintext HTTP signing for sync and async
     private static Checksummer asyncChecksummer(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request,
                                                 PayloadChecksumStore checksumStore) {
-        boolean isHttp = !"https".equals(request.request().protocol());
-        boolean isPayloadSigning = isPayloadSigning(request);
-        boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
-        boolean shouldTreatAsUnsigned = isHttp && isPayloadSigning && isChunkEncoding;
+        boolean shouldTreatAsUnsigned = asyncShouldTreatAsUnsigned(request);
 
         // set the override to false if it should be treated as unsigned, otherwise, null should be passed so that the normal
         // check for payload signing is done.
@@ -143,6 +141,15 @@ private static Checksummer asyncChecksummer(BaseSignRequest<?, ? extends AwsCred
         return checksummer(request, overridePayloadSigning, checksumStore);
     }
 
+    // TODO: remove this once we consolidate the behavior for plaintext HTTP signing for sync and async
+    private static boolean asyncShouldTreatAsUnsigned(BaseSignRequest<?, ? extends AwsCredentialsIdentity> request) {
+        boolean isHttp = !"https".equals(request.request().protocol());
+        boolean isPayloadSigning = isPayloadSigning(request);
+        boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
+
+        return isHttp && isPayloadSigning && isChunkEncoding;
+    }
+
     private static V4PayloadSigner v4PayloadSigner(
         BaseSignRequest<?, ? extends AwsCredentialsIdentity> request, V4Properties properties) {
 
@@ -175,6 +182,40 @@ private static V4PayloadSigner v4PayloadSigner(
         return V4PayloadSigner.create();
     }
 
+    // TODO: remove this once we consolidate the behavior for plaintext HTTP signing for sync and async
+    private static V4PayloadSigner v4PayloadAsyncSigner(
+        AsyncSignRequest<? extends AwsCredentialsIdentity> request,
+        V4Properties properties) {
+
+        boolean isPayloadSigning = !asyncShouldTreatAsUnsigned(request);
+        boolean isEventStreaming = isEventStreaming(request.request());
+        boolean isChunkEncoding = request.requireProperty(CHUNK_ENCODING_ENABLED, false);
+        boolean isTrailing = request.request().firstMatchingHeader(X_AMZ_TRAILER).isPresent();
+        boolean isFlexible = request.hasProperty(CHECKSUM_ALGORITHM) && !hasChecksumHeader(request);
+
+        if (isEventStreaming) {
+            if (isPayloadSigning) {
+                return getEventStreamV4PayloadSigner(
+                    properties.getCredentials(),
+                    properties.getCredentialScope(),
+                    properties.getSigningClock()
+                );
+            }
+            throw new UnsupportedOperationException("Unsigned payload is not supported with event-streaming.");
+        }
+
+        if (useChunkEncoding(isPayloadSigning, isChunkEncoding, isTrailing || isFlexible)) {
+            return AwsChunkedV4PayloadSigner.builder()
+                                            .credentialScope(properties.getCredentialScope())
+                                            .chunkSize(DEFAULT_CHUNK_SIZE_IN_BYTES)
+                                            .checksumStore(checksumStore(request))
+                                            .checksumAlgorithm(request.property(CHECKSUM_ALGORITHM))
+                                            .build();
+        }
+
+        return V4PayloadSigner.create();
+    }
+
     private static SignedRequest doSign(SignRequest<? extends AwsCredentialsIdentity> request,
                                         Checksummer checksummer,
                                         V4RequestSigner requestSigner,
diff --git a/services/s3/src/test/java/software/amazon/awssdk/services/s3/functionaltests/S3ExpressTest.java b/services/s3/src/test/java/software/amazon/awssdk/services/s3/functionaltests/S3ExpressTest.java
@@ -115,7 +115,7 @@ public void putObject(ClientType clientType, Protocol protocol,
         createClientAndCallPutObject(clientType, protocol, s3ExpressSessionAuth, checksumAlgorithm, wm);
 
         verifyPutObject(s3ExpressSessionAuth);
-        verifyPutObjectHeaders(protocol, checksumAlgorithm);
+        verifyPutObjectHeaders(clientType, protocol, checksumAlgorithm);
     }
 
     @ParameterizedTest
@@ -126,7 +126,7 @@ public void uploadPart(ClientType clientType, Protocol protocol,
         createClientAndCallUploadPart(clientType, protocol, s3ExpressSessionAuth, checksumAlgorithm, wm);
 
         verifyUploadPart(s3ExpressSessionAuth);
-        verifyUploadPartHeaders(protocol);
+        verifyUploadPartHeaders(clientType, protocol);
     }
 
     @ParameterizedTest
@@ -268,12 +268,10 @@ private static void verifySessionHeaders() {
             .withHeader("x-amz-content-sha256", equalTo("UNSIGNED-PAYLOAD")));
     }
 
-    void verifyPutObjectHeaders(Protocol protocol, ChecksumAlgorithm checksumAlgorithm) {
-        String streamingSha256;
-        if (protocol == Protocol.HTTP) {
+    void verifyPutObjectHeaders(ClientType clientType, Protocol protocol, ChecksumAlgorithm checksumAlgorithm) {
+        String streamingSha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
+        if (protocol == Protocol.HTTP && clientType == ClientType.SYNC) {
             streamingSha256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER";
-        } else {
-            streamingSha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
         }
         ChecksumAlgorithm expectedChecksumAlgorithm = checksumAlgorithm == ChecksumAlgorithm.UNKNOWN_TO_SDK_VERSION ?
                                                       ChecksumAlgorithm.CRC32 : checksumAlgorithm;
@@ -292,17 +290,15 @@ void verifyPutObjectHeaders(Protocol protocol, ChecksumAlgorithm checksumAlgorit
         assertThat(headers.get("x-amz-content-sha256").get(0)).isEqualToIgnoringCase(streamingSha256);
     }
 
-    void verifyUploadPartHeaders(Protocol protocol) {
+    void verifyUploadPartHeaders(ClientType clientType, Protocol protocol) {
         Map<String, List<String>> headers = CAPTURING_INTERCEPTOR.headers;
         assertThat(headers.get("Content-Length")).isNotNull();
         assertThat(headers.get("x-amz-content-sha256")).isNotNull();
 
         assertThat(headers.get("x-amz-decoded-content-length")).isNotNull();
-        String streamingSha256;
-        if (protocol == Protocol.HTTP) {
+        String streamingSha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
+        if (protocol == Protocol.HTTP && clientType == ClientType.SYNC) {
             streamingSha256 = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER";
-        } else {
-            streamingSha256 = "STREAMING-UNSIGNED-PAYLOAD-TRAILER";
         }
         assertThat(headers.get("x-amz-content-sha256").get(0)).isEqualToIgnoringCase(streamingSha256);
     }
