AwsSigningConfig.signed_body_value is now a string instead of an enum (#172)

This allows precalculated hashes to be used.

Author: graebm

aws-common-runtime/aws-c-auth

@@ -208,24 +208,32 @@ class AwsSignatureType(IntEnum):
     """
 
 
-class AwsSignedBodyValueType(IntEnum):
-    """Controls what goes in the canonical request's body value."""
+class AwsSignedBodyValue:
+    """
+    Values for use with :attr:`AwsSigningConfig.signed_body_value`.
+
+    Some services use special values (e.g. "UNSIGNED-PAYLOAD") when the body
+    is not being signed in the usual way.
+    """
+
+    EMPTY_SHA256 = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+    """The SHA-256 of the empty string."""
 
-    EMPTY = 0
-    """Use the SHA-256 of the empty string."""
+    UNSIGNED_PAYLOAD = 'UNSIGNED-PAYLOAD'
+    """Unsigned payload option (not accepted by all services)"""
 
-    PAYLOAD = 1
-    """Use the SHA-256 of the actual payload."""
+    STREAMING_AWS4_HMAC_SHA256_PAYLOAD = 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD'
+    """Each payload chunk will be signed (not accepted by all services)"""
 
-    UNSIGNED_PAYLOAD = 2
-    """Use the literal string "UNSIGNED-PAYLOAD"."""
+    STREAMING_AWS4_HMAC_SHA256_EVENTS = 'STREAMING-AWS4-HMAC-SHA256-EVENTS'
+    """Each event will be signed (not accepted by all services)"""
 
 
 class AwsSignedBodyHeaderType(IntEnum):
     """
     Controls if signing adds a header containing the canonical request's signed body value.
 
-    See :class:`AwsSignedBodyValueType`.
+    See :attr:`AwsSigningConfig.signed_body_value`.
     """
 
     NONE = 0
@@ -280,9 +288,13 @@ class AwsSigningConfig(NativeResource):
         should_normalize_uri_path (bool): Whether the resource paths are
             normalized when building the canonical request.
 
-        signed_body_value_type (AwsSignedBodyValueType): Controls what goes in
-            the canonical request's body value. Default is to use the SHA-256
-            of the actual payload.
+        signed_body_value (Optional[str]): If set, this value is used as the
+            canonical request's body value. Typically, this is the SHA-256
+            of the payload, written as lowercase hex. If this has been
+            precalculated, it can be set here. Special values used by certain
+            services can also be set (see :class:`AwsSignedBodyValue`). If `None`
+            is passed (the default), the typical value will be calculated from
+            the payload during signing.
 
         signed_body_header_type (AwsSignedBodyHeaderType): Controls if signing
             adds a header containing the canonical request's signed body value.
@@ -308,7 +320,7 @@ class AwsSigningConfig(NativeResource):
         'should_sign_header',
         'use_double_uri_encode',
         'should_normalize_uri_path',
-        'signed_body_value_type',
+        'signed_body_value',
         'signed_body_header_type',
         'expiration_in_seconds',
         'omit_session_token',
@@ -324,7 +336,7 @@ def __init__(self,
                  should_sign_header=None,
                  use_double_uri_encode=True,
                  should_normalize_uri_path=True,
-                 signed_body_value_type=AwsSignedBodyValueType.PAYLOAD,
+                 signed_body_value=None,
                  signed_body_header_type=AwsSignedBodyHeaderType.NONE,
                  expiration_in_seconds=None,
                  omit_session_token=False,
@@ -336,7 +348,7 @@ def __init__(self,
         assert isinstance_str(region)
         assert isinstance_str(service)
         assert callable(should_sign_header) or should_sign_header is None
-        assert isinstance(signed_body_value_type, AwsSignedBodyValueType)
+        assert signed_body_value is None or (isinstance(signed_body_value, str) and len(signed_body_value) > 0)
         assert isinstance(signed_body_header_type, AwsSignedBodyHeaderType)
         assert expiration_in_seconds is None or expiration_in_seconds > 0
 
@@ -379,7 +391,7 @@ def should_sign_header_wrapper(name):
             should_sign_header_wrapper,
             use_double_uri_encode,
             should_normalize_uri_path,
-            signed_body_value_type,
+            signed_body_value,
             signed_body_header_type,
             expiration_in_seconds,
             omit_session_token)
@@ -463,11 +475,16 @@ def should_normalize_uri_path(self):
         return _awscrt.signing_config_get_should_normalize_uri_path(self._binding)
 
     @property
-    def signed_body_value_type(self):
+    def signed_body_value(self):
         """
-        AwsSignedBodyValueType: Controls what goes in the canonical request's body value.
+        Optional[str]: What to use as the canonical request's body value.
+        If `None` is set (the default), a value will be calculated from
+        the payload during signing. Typically, this is the SHA-256 of the
+        payload, written as lowercase hex. If this has been precalculated,
+        it can be set here. Special values used by certain services can also
+        be set (see :class:`AwsSignedBodyValue`).
         """
-        return AwsSignedBodyValueType(_awscrt.signing_config_get_signed_body_value_type(self._binding))
+        return _awscrt.signing_config_get_signed_body_value(self._binding)
 
     @property
     def signed_body_header_type(self):

aws-common-runtime/aws-c-common

@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS    ?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR     = source
+BUILDDIR      = build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

aws-common-runtime/aws-c-http

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+pushd `dirname $0`/docsrc > /dev/null
+make html
+cp -a build/html/. ../docs
+popd > /dev/null

aws-common-runtime/aws-c-io

@@ -26,7 +26,7 @@ PyObject *aws_py_signing_config_get_service(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_date(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_use_double_uri_encode(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_should_normalize_uri_path(PyObject *self, PyObject *args);
-PyObject *aws_py_signing_config_get_signed_body_value_type(PyObject *self, PyObject *args);
+PyObject *aws_py_signing_config_get_signed_body_value(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_signed_body_header_type(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_expiration_in_seconds(PyObject *self, PyObject *args);
 PyObject *aws_py_signing_config_get_omit_session_token(PyObject *self, PyObject *args);

awscrt/auth.py

@@ -78,13 +78,13 @@ PyObject *aws_py_signing_config_new(PyObject *self, PyObject *args) {
     PyObject *py_should_sign_header_fn;
     PyObject *py_use_double_uri_encode;
     PyObject *py_should_normalize_uri_path;
-    int signed_body_value_type;
+    struct aws_byte_cursor signed_body_value;
     int signed_body_header_type;
     uint64_t expiration_in_seconds;
     PyObject *py_omit_session_token;
     if (!PyArg_ParseTuple(
             args,
-            "iiOs#s#OdOOOiiKO",
+            "iiOs#s#OdOOOz#iKO",
             &algorithm,
             &signature_type,
             &py_credentials_provider,
@@ -97,7 +97,8 @@ PyObject *aws_py_signing_config_new(PyObject *self, PyObject *args) {
             &py_should_sign_header_fn,
             &py_use_double_uri_encode,
             &py_should_normalize_uri_path,
-            &signed_body_value_type,
+            &signed_body_value.ptr,
+            &signed_body_value.len,
             &signed_body_header_type,
             &expiration_in_seconds,
             &py_omit_session_token)) {
@@ -123,9 +124,11 @@ PyObject *aws_py_signing_config_new(PyObject *self, PyObject *args) {
     binding->native.config_type = AWS_SIGNING_CONFIG_AWS;
     binding->native.algorithm = algorithm;
     binding->native.signature_type = signature_type;
+    binding->native.region = region;
+    binding->native.service = service;
     binding->native.flags.use_double_uri_encode = PyObject_IsTrue(py_use_double_uri_encode);
     binding->native.flags.should_normalize_uri_path = PyObject_IsTrue(py_should_normalize_uri_path);
-    binding->native.signed_body_value = signed_body_value_type;
+    binding->native.signed_body_value = signed_body_value;
     binding->native.signed_body_header = signed_body_header_type;
     binding->native.expiration_in_seconds = expiration_in_seconds;
     binding->native.flags.omit_session_token = PyObject_IsTrue(py_omit_session_token);
@@ -138,26 +141,17 @@ PyObject *aws_py_signing_config_new(PyObject *self, PyObject *args) {
     binding->py_credentials_provider = py_credentials_provider;
     Py_INCREF(binding->py_credentials_provider);
 
-    /* strings: service, region */
-    size_t total_string_len;
-    if (aws_add_size_checked(region.len, service.len, &total_string_len)) {
-        PyErr_SetAwsLastError();
+    /* backup strings */
+    if (aws_byte_buf_init_cache_and_update_cursors(
+            &binding->string_storage,
+            aws_py_get_allocator(),
+            &binding->native.region,
+            &binding->native.service,
+            &binding->native.signed_body_value,
+            NULL)) {
         goto error;
     }
 
-    if (aws_byte_buf_init(&binding->string_storage, aws_py_get_allocator(), total_string_len)) {
-        PyErr_SetAwsLastError();
-        goto error;
-    }
-
-    binding->native.region.ptr = binding->string_storage.buffer + binding->string_storage.len;
-    binding->native.region.len = region.len;
-    aws_byte_buf_write_from_whole_cursor(&binding->string_storage, region);
-
-    binding->native.service.ptr = binding->string_storage.buffer + binding->string_storage.len;
-    binding->native.service.len = service.len;
-    aws_byte_buf_write_from_whole_cursor(&binding->string_storage, service);
-
     /* date: store original datetime python object so user doesn't see different timezones after set/get */
     aws_date_time_init_epoch_secs(&binding->native.date, timestamp);
     binding->py_date = py_date;
@@ -275,13 +269,19 @@ PyObject *aws_py_signing_config_get_should_normalize_uri_path(PyObject *self, Py
     return PyBool_FromLong(binding->native.flags.should_normalize_uri_path);
 }
 
-PyObject *aws_py_signing_config_get_signed_body_value_type(PyObject *self, PyObject *args) {
+PyObject *aws_py_signing_config_get_signed_body_value(PyObject *self, PyObject *args) {
     struct config_binding *binding = s_common_get(self, args);
     if (!binding) {
         return NULL;
     }
 
-    return PyLong_FromLong(binding->native.signed_body_value);
+    /* In C layer, 0 length cursor indicates "defaults please".
+     * In Python layer, None indicates "defaults please". */
+    if (binding->native.signed_body_value.len == 0) {
+        Py_RETURN_NONE;
+    }
+
+    return PyString_FromAwsByteCursor(&binding->native.signed_body_value);
 }
 
 PyObject *aws_py_signing_config_get_signed_body_header_type(PyObject *self, PyObject *args) {

docsrc/Makefile

@@ -554,7 +554,7 @@ static PyMethodDef s_module_methods[] = {
     AWS_PY_METHOD_DEF(signing_config_get_date, METH_VARARGS),
     AWS_PY_METHOD_DEF(signing_config_get_use_double_uri_encode, METH_VARARGS),
     AWS_PY_METHOD_DEF(signing_config_get_should_normalize_uri_path, METH_VARARGS),
-    AWS_PY_METHOD_DEF(signing_config_get_signed_body_value_type, METH_VARARGS),
+    AWS_PY_METHOD_DEF(signing_config_get_signed_body_value, METH_VARARGS),
     AWS_PY_METHOD_DEF(signing_config_get_signed_body_header_type, METH_VARARGS),
     AWS_PY_METHOD_DEF(signing_config_get_expiration_in_seconds, METH_VARARGS),
     AWS_PY_METHOD_DEF(signing_config_get_omit_session_token, METH_VARARGS),