bugfix: cloudfront sigv4a (#2857)

stobrien89 · web-flow · commit 44b936e9c460 · 2023-12-15T13:19:51.000-05:00
diff --git a/.changes/nextrelease/crt-updates.json b/.changes/nextrelease/crt-updates.json
@@ -0,0 +1,7 @@
+[
+  {
+    "type": "bugfix",
+    "category": "Signature",
+    "description": "Fixes issues with CloudfrontKeyValueStore sigv4a operations."
+  }
+]
diff --git a/features/crt/cloudfront-kvs.feature b/features/crt/cloudfront-kvs.feature
@@ -0,0 +1,6 @@
+@crt @integ @cloudfront-kvs
+Feature: Cloudfront Kvs Sigv4a
+
+  Scenario: Describe a cloudfront kvs
+    Given I have a cloudfront client and I have a key-value store
+    Then I can describe my key-value store using sigv4a
diff --git a/src/Signature/S3SignatureV4.php b/src/Signature/S3SignatureV4.php
@@ -2,6 +2,9 @@
 namespace Aws\Signature;
 
 use Aws\Credentials\CredentialsInterface;
+use AWS\CRT\Auth\SignatureType;
+use AWS\CRT\Auth\SigningAlgorithm;
+use AWS\CRT\Auth\SigningConfigAWS;
 use Psr\Http\Message\RequestInterface;
 
 /**
@@ -41,6 +44,39 @@ public function signRequest(
         return $this->signWithV4a($credentials, $request, $signingService);
     }
 
+    /**
+     * @param CredentialsInterface $credentials
+     * @param RequestInterface $request
+     * @param $signingService
+     * @param SigningConfigAWS|null $signingConfig
+     * @return RequestInterface
+     *
+     * Instantiates a separate sigv4a signing config.  All services except S3
+     * use double encoding.  All services except S3 require path normalization.
+     */
+    protected function signWithV4a(
+        CredentialsInterface $credentials,
+        RequestInterface $request,
+        $signingService,
+        SigningConfigAWS $signingConfig = null
+    ){
+        $this->verifyCRTLoaded();
+        $credentials_provider = $this->createCRTStaticCredentialsProvider($credentials);
+        $signingConfig = new SigningConfigAWS([
+            'algorithm' => SigningAlgorithm::SIGv4_ASYMMETRIC,
+            'signature_type' => SignatureType::HTTP_REQUEST_HEADERS,
+            'credentials_provider' => $credentials_provider,
+            'signed_body_value' => $this->getPayload($request),
+            'region' => "*",
+            'should_normalize_uri_path' => false,
+            'use_double_uri_encode' => false,
+            'service' => $signingService,
+            'date' => time(),
+        ]);
+
+        return parent::signWithV4a($credentials, $request, $signingService, $signingConfig);
+    }
+
     /**
      * Always add a x-amz-content-sha-256 for data integrity.
      *
diff --git a/src/Signature/SignatureV4.php b/src/Signature/SignatureV4.php
@@ -4,6 +4,7 @@
 use Aws\Credentials\CredentialsInterface;
 use AWS\CRT\Auth\Signable;
 use AWS\CRT\Auth\SignatureType;
+use AWS\CRT\Auth\SignedBodyHeaderType;
 use AWS\CRT\Auth\Signing;
 use AWS\CRT\Auth\SigningAlgorithm;
 use AWS\CRT\Auth\SigningConfigAWS;
@@ -446,7 +447,7 @@ private function buildRequest(array $req)
         );
     }
 
-    private function verifyCRTLoaded()
+    protected function verifyCRTLoaded()
     {
         if (!extension_loaded('awscrt')) {
             throw new CommonRuntimeException(
@@ -457,7 +458,7 @@ private function verifyCRTLoaded()
         }
     }
 
-    private function createCRTStaticCredentialsProvider($credentials)
+    protected function createCRTStaticCredentialsProvider($credentials)
     {
         return new StaticCredentialsProvider([
             'access_key_id' => $credentials->getAccessKeyId(),
@@ -472,7 +473,7 @@ private function removeIllegalV4aHeaders(&$request)
             self::AMZ_CONTENT_SHA256_HEADER,
             "aws-sdk-invocation-id",
             "aws-sdk-retry",
-            'x-amz-region-set'
+            'x-amz-region-set',
         ];
         $storedHeaders = [];
 
@@ -500,17 +501,23 @@ private function CRTRequestFromGuzzleRequest($request)
      * @param CredentialsInterface $credentials
      * @param RequestInterface $request
      * @param $signingService
+     * @param SigningConfigAWS|null $signingConfig
      * @return RequestInterface
      */
-    protected function signWithV4a(CredentialsInterface $credentials, RequestInterface $request, $signingService)
-    {
+    protected function signWithV4a(
+        CredentialsInterface $credentials,
+        RequestInterface $request,
+        $signingService,
+        SigningConfigAWS $signingConfig = null
+    ){
         $this->verifyCRTLoaded();
-        $credentials_provider = $this->createCRTStaticCredentialsProvider($credentials);
-        $signingConfig = new SigningConfigAWS([
+        $signingConfig = $signingConfig ?? new SigningConfigAWS([
             'algorithm' => SigningAlgorithm::SIGv4_ASYMMETRIC,
             'signature_type' => SignatureType::HTTP_REQUEST_HEADERS,
-            'credentials_provider' => $credentials_provider,
+            'credentials_provider' => $this->createCRTStaticCredentialsProvider($credentials),
             'signed_body_value' => $this->getPayload($request),
+            'should_normalize_uri_path' => true,
+            'use_double_uri_encode' => true,
             'region' => "*",
             'service' => $signingService,
             'date' => time(),
diff --git a/tests/Api/Parser/EventParsingIteratorTest.php b/tests/Api/Parser/EventParsingIteratorTest.php
@@ -125,7 +125,7 @@ public function testParsedEventsMatchExpectedType($iterator)
         $shapeProperty->setAccessible(true);
         $shape = $shapeProperty->getValue($iterator);
         foreach ($iterator as $event) {
-            $this->testParsedEventMatchExpectedType($shape, $event);
+            $this->parsedEventMatchesExpectedType($shape, $event);
         }
     }
 
@@ -138,7 +138,7 @@ public function testParsedEventsMatchExpectedType($iterator)
      *
      * @return void
      */
-    private function testParsedEventMatchExpectedType($shape, $event)
+    private function parsedEventMatchesExpectedType($shape, $event)
     {
         foreach ($event as $key => $value) {
             $this->assertTrue($shape->hasMember($key), "Shape has not member with name $key");
@@ -148,7 +148,7 @@ private function testParsedEventMatchExpectedType($shape, $event)
                 'Shape type "'. $shapeMember->getType(). '" does not match parsed value type "' . gettype($value) . '"'
             );
             if (is_array($value)) {
-                $this->testParsedEventMatchExpectedType($shapeMember, $value);
+                $this->parsedEventMatchesExpectedType($shapeMember, $value);
             }
         }
     }
diff --git a/tests/Integ/CrtContext.php b/tests/Integ/CrtContext.php

Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ public function testParsedEventsMatchExpectedType($iterator)`
`125`	`125`	`$shapeProperty->setAccessible(true);`
`126`	`126`	`$shape = $shapeProperty->getValue($iterator);`
`127`	`127`	`foreach ($iterator as $event) {`
`128`		`- $this->testParsedEventMatchExpectedType($shape, $event);`
	`128`	`+ $this->parsedEventMatchesExpectedType($shape, $event);`
`129`	`129`	`}`
`130`	`130`	`}`
`131`	`131`
`@@ -138,7 +138,7 @@ public function testParsedEventsMatchExpectedType($iterator)`
`138`	`138`	`*`
`139`	`139`	`* @return void`
`140`	`140`	`*/`
`141`		`- private function testParsedEventMatchExpectedType($shape, $event)`
	`141`	`+ private function parsedEventMatchesExpectedType($shape, $event)`
`142`	`142`	`{`
`143`	`143`	`foreach ($event as $key => $value) {`
`144`	`144`	`$this->assertTrue($shape->hasMember($key), "Shape has not member with name $key");`
`@@ -148,7 +148,7 @@ private function testParsedEventMatchExpectedType($shape, $event)`
`148`	`148`	`'Shape type "'. $shapeMember->getType(). '" does not match parsed value type "' . gettype($value) . '"'`
`149`	`149`	`);`
`150`	`150`	`if (is_array($value)) {`
`151`		`- $this->testParsedEventMatchExpectedType($shapeMember, $value);`
	`151`	`+ $this->parsedEventMatchesExpectedType($shapeMember, $value);`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`	`}`