AWSAuthV4Signer not respecting signBody parameter

[goyalishant001]

Describe the bug

We had been using AWSAuthV4Signer to sign out S3 requests. Note that we are only using it to sign the headers, and the request (alongside the body) is sent using libcurl's asynchronous mechanism.
Now, to achieve this, we utilise AWSAuthV4Signer's SignRequest method with signBody set to true. Earlier, it used to stamp such requests with the header x-amz-content-sha256: UNSIGNED-PAYLOAD, which was working fine. But now, as we upgraded to the latest SDK, I observed that the signer is stamping empty string's sha256 x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 with the request since it assumes there is no body. Essentially, the code is not respecting the signBody parameter at all.

Can we fall back on older behaviour where the SDK used to respect the signBody parameter, and hence, this sort of use case can be handled. It actually seems like a regression to me since. Thoughts?

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

The AWSAuthV4Signer's SignRequest method should respect the signBody parameter

Current Behavior

The AWSAuthV4Signer's SignRequest method is not respecting the signBody parameter

Reproduction Steps

Use AWSAuthV4Signer to sign the request headers (not the body) and later use libcurl to send the request

Possible Solution

No response

Additional Information/Context

No response

AWS CPP SDK version used

1.11.588

Compiler and Version used

gcc (GCC) 8.5.0 20210514

Operating System and version

Rocky Linux v8.10

[goyalishant001]

Raised a PR for the same >> #3455
Please have a look. Thanks

[sbiscigl]

please take a look at the issue #3297 where this is talk about a lot. copying form there.

I see the AWSAuthV4Signer::PayloadSigningPolicy::Never won't work any more, so is this a bug? or by designed?

it is by design and it relates to the change for default checksum behavior in S3 #3253

before this change "Payload Signing Policy" essentially meant

if(signBody || !https) {
  request_headers.put("checksum-value", calculate_checksum(request_body))
} else {
  request_headers.put("trailing-checksum", "checksum-alogithm")
  request.notify_http_client_to_chunk_encode()
}

so PayloadSigningPolicy before this change more or less meant
Always -> put the checksum in the header
RequestDependent -> fallback to what is modeled in the request
Never -> put the checksum in the trailer

so to summarize this sign body variable only had a effect if you used checksums which is currently only the s3 client.

the updated logic will always chunk encode requests that support it unless a pre-calculated checksum is provided.

if(streaming_body) {
  request_headers.put("trailing-checksum", "checksum-alogithm")
  request.notify_http_client_to_chunk_sign()
} else {
  request_headers.put("checksum-value", calculate_checksum(request_body))
}

in essence AWSAuthV4Signer::PayloadSigningPolicy::Never is the default behavior now. more details on the behavior can be found in this doc that describes how to disable checksums all together if you want to.

So you are right in that that variable has no effect, we can update the doc on it so notify that it has no effect anymore, but how is it impacting you and how is the current behavior different from what you want?

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.