Posted to github@arrow.apache.org by "roeap (via GitHub)" <gi...@apache.org> on 2023/02/23 22:28:43 UTC

[GitHub] [arrow-rs] roeap commented on a diff in pull request #3741: Add support for unsigned payloads in aws

roeap commented on code in PR #3741:
URL: https://github.com/apache/arrow-rs/pull/3741#discussion_r1116314033


##########
object_store/src/aws/mod.rs:
##########
@@ -822,6 +837,13 @@ impl AmazonS3Builder {
         self
     }
 
+    /// Sets the client to not include payload checksum in signature calculation.
+    /// See [unsigned payload option](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html)
+    pub fn with_unsigned_payload(mut self) -> Self {
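
Review bot: The `///` comment on `with_unsigned_payload` says the payload checksum is left out of the signature calculation but does not say what follows from that: the request body is then not covered by the SigV4 signature, so its integrity in transit rests on the transport (TLS) alone. Suggest adding a sentence to that effect to the doc comment, so the trade-off is visible in the rustdoc next to the option.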

Review Comment:
   In other cases for boolean options, we pass in the actual parameter, so that true and false can explicitly be set. While not overly critical, I think it's better to be consistent.



##########
object_store/src/aws/credential.rs:
##########
@@ -621,12 +630,51 @@ mod tests {
             credential: &credential,
             service: "ec2",
             region: "us-east-1",
+            sign_payload: true,
         };
 
         signer.sign(&mut request);
         assert_eq!(request.headers().get(AUTH_HEADER).unwrap(), "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20220806/us-east-1/ec2/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=a3c787a7ed37f7fdfbfd2d7056a3d7c9d85e6d52a2bfbec73793c0be6e7862d4")
     }
 
+    #[test]
+    fn test_sign_with_unsigned_payload() {
+        let client = Client::new();
+
+        // Test credentials from https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html
+        let credential = AwsCredential {
+            key_id: "AKIAIOSFODNN7EXAMPLE".to_string(),
+            secret_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY".to_string(),
+            token: None,
+        };
+
+        // method = 'GET'
+        // service = 'ec2'
+        // host = 'ec2.amazonaws.com'
+        // region = 'us-east-1'
+        // endpoint = 'https://ec2.amazonaws.com'
+        // request_parameters = ''
+        let date = DateTime::parse_from_rfc3339("2022-08-06T18:01:34Z")
+            .unwrap()
+            .with_timezone(&Utc);
+
+        let mut request = client
+            .request(Method::GET, "https://ec2.amazon.com/")
+            .build()
+            .unwrap();
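
Review bot: The comment block in `test_sign_with_unsigned_payload` gives `host = 'ec2.amazonaws.com'` and `endpoint = 'https://ec2.amazonaws.com'`, but the request is built against `"https://ec2.amazon.com/"`. `host` is in the `SignedHeaders` list of the assertion in the test above, so the expected signature depends on which name is used; bring the comments in line with the URL the test actually signs, or change the URL and regenerate the expected value.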

Review Comment:
   In both the signed and unsigned test, we test with a GET request without a body. Would it make sense to do a request that has a body, so we see the signing in action?



##########
object_store/src/aws/mod.rs:
##########
@@ -1222,6 +1250,14 @@ mod tests {
         stream_get(&integration).await;
     }
 
+    #[tokio::test]
+    async fn s3_test_unsigned_payload() {
+        let config = maybe_skip_integration!().with_unsigned_payload();
+        let is_local = matches!(&config.endpoint, Some(e) if e.starts_with("http://"));
+        let integration = config.build().unwrap();
+        put_get_delete_list_opts(&integration, is_local).await;
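
Review bot: `s3_test_unsigned_payload` only runs the `put_get_delete_list_opts` round trip, which would pass just the same if `with_unsigned_payload()` had no effect and the client kept signing the payload. Suggest also asserting, on the built config or on an outgoing request, that the unsigned mode is actually in use. Since `is_local` matches `http://` endpoints, a short comment that the unsigned bodies may travel without TLS in the local case would help too.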

Review Comment:
   I guess we are testing with bodies here :).


