Skip to content

Support for payload signing + chunked encoding in DefaultAwsV4HttpSigner #6466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Oct 16, 2025
Merged

Support for payload signing + chunked encoding in DefaultAwsV4HttpSigner #6466

merged 15 commits into from
Oct 16, 2025

Conversation

@dagnir
Copy link
Contributor

@dagnir dagnir commented Oct 7, 2025
edited
Loading

Motivation and Context

Add support for payload signing of async streaming requests signed with SigV4 using default AwsV4HttpSigner (using AwsV4HttpSigner.create()). Note, requests using the http URI scheme will not be signed regardless of the value of AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED to remain consistent with existing behavior. This may change in a future release.

Modifications

Testing

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license

dagnir added 5 commits August 5, 2025 14:14
@dagnir
Support async V4 payload signing
7c7941c 
This commit adds support for SigV4 signing of async request payloads.

In addition this commit moves the support for trailing checksums from
HttpChecksumStage to the V4 signer implementation; this puts it in line
with how sync chunked bodies are already handled.
@dagnir
Review comments
a222719 
 - Rename to computeAndMoveContentLength
 - Rename variable to chunkedPayload
 - Fix javadocs
 - Sign payload only if non-null
@dagnir
Combine chunking + encoding
1d15408 
Combine these two steps to improve performance by reducing memory
allocations.
@dagnir
Merge remote-tracking branch 'origin/master' into dongie/sra-chunk-en…
3d1d896 
…coding-rebase
@dagnir
Merge remote-tracking branch 'origin/master' into dongie/sra-chunk-en…
119cfbf 
…coding-pt1
@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt1 branch from fcda677 to 488b723 Compare October 7, 2025 22:18
@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt1 branch from 3a9cb34 to e52ea62 Compare October 8, 2025 21:30
@dagnir dagnir marked this pull request as ready for review October 8, 2025 21:40
@dagnir dagnir requested a review from a team as a code owner October 8, 2025 21:40
zoewangg
zoewangg reviewed Oct 10, 2025
View reviewed changes
@dagnir dagnir mentioned this pull request Oct 10, 2025
Closed
12 tasks
dagnir added 3 commits October 10, 2025 12:22
@dagnir
Review comments
0a236dc 
 - Update variable naming
 - Throw if decoded content length not present
 - Throw if input request doesn't have content-length header
@dagnir
Additional test for no content-length
d480132
@dagnir
Fix test after throw change
977d738
@dagnir dagnir changed the base branch from master to feature/master/sra-async-chunked-encoding October 14, 2025 20:15
@Fred1155
Copy link
Contributor

Are we planning to have intergration test on the full S3 async flow for this PR? Or we'll add that after consolidating the behavior and before merging to master

@dagnir
Copy link
Contributor Author

dagnir commented Oct 15, 2025
edited
Loading

Are we planning to have intergration test on the full S3 async flow for this PR? Or we'll add that after consolidating the behavior and before merging to master

Did you have specific tests in mind?

We have existing integration tests that exercise the async checksumming: services/s3/src/it/java/software/amazon/awssdk/services/s3/checksum/AsyncHttpChecksumIntegrationTest.java

@Fred1155
Copy link
Contributor

Fred1155 commented Oct 15, 2025
edited
Loading

Nice, we might need to update the TODO comments here:

aws-sdk-java-v2/services/s3/src/it/java/software/amazon/awssdk/services/s3/checksum/AsyncHttpChecksumIntegrationTest.java

Line 258 in 6f7f0e7

* TODO: Update this test with right asserts when payload signing is supported in async.

@dagnir
Copy link
Contributor Author

dagnir commented Oct 15, 2025
edited
Loading

Nice, we might need to update the TODO comments here:

aws-sdk-java-v2/services/s3/src/it/java/software/amazon/awssdk/services/s3/checksum/AsyncHttpChecksumIntegrationTest.java

Line 258 in 6f7f0e7

* TODO: Update this test with right asserts when payload signing is supported in async.

Hmm that can't be addressed right now actually, same for the other TODO. AFAICT from the javadoc, it's expecting the body to be signed because the client is using an http endpoint. However, we are explicitly not forcing signing for http endpoints right now to preserve the existing behavior for async requests.

    /**
     * S3 clients by default don't do payload signing. But when http is used, payload signing is expected to be enforced. But
     * payload signing is not currently supported in async path (for both pre/post SRA signers).
     * However, this test passes, because of https://github
     * .com/aws/aws-sdk-java-v2/blob/38e221bd815af31a6c6b91557499af155103c21a/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAwsS3V4Signer.java#L279-L285.
     * Keeping this test enabled, to ensure moving to SRA Identity & Auth, does not break current behavior.
     * TODO: Update this test with right asserts when payload signing is supported in async.
     */

@Fred1155
Copy link
Contributor

Hmm that can't be addressed right now actually, same for the other TODO. AFAICT from the javadoc, it's expecting the body to be signed because the client is using an http endpoint. However, we are explicitly not forcing signing for http endpoints right now to preserve the existing behavior for async requests.

Oh you are right, I misunderstood what this test does.

@dagnir dagnir force-pushed the dongie/sra-chunk-encoding-pt1 branch from 2da656f to efa994b Compare October 15, 2025 20:36
@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
32 New issues
0 Accepted issues

Measures
0 Security Hotspots
93.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@dagnir dagnir merged commit 5cbd30a into feature/master/sra-async-chunked-encoding Oct 16, 2025
39 of 40 checks passed
@github-actions
Copy link

This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@zoewangg zoewangg zoewangg approved these changes

@Fred1155 Fred1155 Fred1155 approved these changes

@RanVaknin RanVaknin RanVaknin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@dagnir @Fred1155 @zoewangg @RanVaknin