fix S3 pre-signed logic for IGNORED_SIGV4_HEADERS #9609

bentsku · 2023-11-12T02:28:11Z

Motivation

Following up on #9603, I've quickly investigated the issue for the pre-signed URL message showing a non valid signature for a very simple request and quickly found the issue related to signed headers being in the ignore list.

Changes

fix the logic when ignoring SigV4 headers, we should still include them if they're in the SignedHeaders, and only ignore if they're missing
add a test validating this behavior and copying the Go SDK behavior with the help of registering handlers. This was extremely tricky to force boto to behave this way, as the AWS CRT library does not allow you to do so. The Go SDK seems a bit weird, but it allowed us to verify the behavior of previously thought "ignored" headers.

coveralls · 2023-11-12T03:03:19Z

coverage: 84.003% (+0.01%) from 83.992%
when pulling 5297618 on fix-s3-presign-content-sha
into 6adf6da on master.

github-actions · 2023-11-12T03:10:55Z

LocalStack Community integration with Pro

      2 files       2 suites 1h 5m 13s ⏱️
2 314 tests 2 015 ✔️ 299 💤 0 ❌
2 315 runs 2 015 ✔️ 300 💤 0 ❌

Results for commit 5297618.

♻️ This comment has been updated with latest results.

bentsku · Nov 14, 2023

localstack/services/s3/presigned_url.py

-ALLOWED_QUERY_PARAMS = [
-    "x-id",
-    "x-amz-user-agent",
-    "x-amz-content-sha256",
-    "versionid",
-    "uploadid",
-    "partnumber",
-]


this was not used anywhere

steffyP

Great work, @bentsku! 🙇‍♀️ 🚀

Love that the test is even aws validated ❤️ and very smart test setup with the meta-events 😄

This is already a very specific case for S3, the new provider is truely amazing 🚀 👏

Just added a few NITs, but nothing blocking the merge!

localstack/services/s3/presigned_url.py

tests/aws/services/s3/test_s3.py

bentsku added aws:s3 Amazon Simple Storage Service semver: patch Non-breaking changes which can be included in patch releases labels Nov 12, 2023

bentsku added this to the 3.0 milestone Nov 12, 2023

bentsku self-assigned this Nov 12, 2023

bentsku force-pushed the fix-s3-presign-content-sha branch 3 times, most recently from 0f4221c to e6aba66 Compare November 14, 2023 14:58

bentsku requested a review from steffyP November 14, 2023 17:43

bentsku marked this pull request as ready for review November 14, 2023 17:43

bentsku requested a review from macnev2013 as a code owner November 14, 2023 17:43

bentsku commented Nov 14, 2023

View reviewed changes

steffyP approved these changes Nov 14, 2023

View reviewed changes

localstack/services/s3/presigned_url.py Outdated Show resolved Hide resolved

tests/aws/services/s3/test_s3.py Show resolved Hide resolved

tests/aws/services/s3/test_s3.py Outdated Show resolved 8000 Hide resolved

bentsku added 5 commits November 14, 2023 22:20

fix logic for IGNORED_SIGV4_HEADERS

35f68b5

add test

50c89d3

try remove unique_id

b3ac5d0

fix test via Signer selection

08e01d0

address PR comments

5297618

bentsku force-pushed the fix-s3-presign-content-sha branch from 9d278f4 to 5297618 Compare November 14, 2023 21:20

bentsku merged commit 46f056d into master Nov 14, 2023

bentsku deleted the fix-s3-presign-content-sha branch November 14, 2023 22:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

fix S3 pre-signed logic for IGNORED_SIGV4_HEADERS #9609

fix S3 pre-signed logic for IGNORED_SIGV4_HEADERS #9609

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

fix S3 pre-signed logic for IGNORED_SIGV4_HEADERS #9609

fix S3 pre-signed logic for IGNORED_SIGV4_HEADERS #9609

Uh oh!

Conversation

Uh oh!

Motivation

Changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

LocalStack Community integration with Pro

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants