Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added optional headers to the AWS SigningDecorator. #253

Merged
merged 6 commits into from
Jan 18, 2025
Merged

Added optional headers to the AWS SigningDecorator. #253

merged 6 commits into from
Jan 18, 2025

Conversation

dblock
Copy link
Member

@dblock dblock commented Jan 10, 2025

Description

  • Added an optional headers to the signing decorator to pass Host.
  • Added docs on auth.

Issues Resolved

Closes #248.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@dblock
Fix up UPGRADING.md.
e1849b1 
Signed-off-by: dblock <[email protected]>
@dblock dblock mentioned this pull request Jan 10, 2025
Closed
@dmnlk
Copy link

dmnlk commented Jan 11, 2025
edited
Loading

@dblock

Thank you for the fix. I have confirmed that it works correctly in my environment.
However, I believe this fix requires knowledge of AWS specifications.

As stated in the following documentation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-signing-elements.html

For HTTP/1.1 requests, you must include the Host header. For HTTP/2 requests, you can include the :authority header or the Host header. Use only the :authority header for compliance with the HTTP/2 specification. Not all services support HTTP/2 requests.

The Host or :authority header is mandatory.

Since the SigningClientDecorator is located under the aws folder, it is intended for AWS.
In this case, it would be more helpful to include code like the following:

Although the current OpenSearch does not support HTTP/2.0, it is planned to support it in version 3.0, so the following code conforms to that specification:
https://forum.opensearch.org/t/support-for-http-2-with-opensearch-version-2-11-1/17799?utm_source=chatgpt.com

public function sendRequest(RequestInterface $request): ResponseInterface
{
    foreach ($this->headers as $name => $value) {
        $request = $request->withHeader($name, $value);
    }
    if ($request->getProtocolVersion() === 'HTTP/1.0' || $request->getHeader('Host') === null) {
        throw new \IRuntimeException('Header Host must be set');
    }
    if ($request->getProtocolVersion() === 'HTTP/2.0' || $request->getHeader(':authority') === null) {
        throw new \RuntimeException('Header authority must be set');
    }
    $request = $request->withHeader('x-amz-content-sha256', hash('sha256', (string) $request->getBody()));
    $request = $this->signer->signRequest($request, $this->credentials);
    return $this->inner->sendRequest($request);
}

shyim
shyim previously approved these changes Jan 12, 2025
View reviewed changes
@dblock dblock requested a review from kimpepper as a code owner January 13, 2025 14:21
@codecov Codecov
Copy link

codecov bot commented Jan 13, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 24.06%. Comparing base (887df5e) to head (ad4ed40).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@             Coverage Diff              @@
##               main     #253      +/-   ##
============================================
+ Coverage     24.02%   24.06%   +0.03%     
- Complexity     3398     3400       +2     
============================================
  Files           485      485              
  Lines         12984    12988       +4     
============================================
+ Hits           3120     3126       +6     
+ Misses         9864     9862       -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@dblock
Copy link
Member Author

dblock commented Jan 13, 2025
edited
Loading

@dmnlk Good point. I updated the code to raise an error when the Host header is missing.

HTTP2 support in OpenSearch was added in opensearch-project/OpenSearch#3847 and I am not sure whether AWS OpenSearch supports it today. For this PR I didn't include the protocol check, I'd prefer it if we made sure we can do HTTP/2 first, then add code like this (please do help!).

@dblock dblock requested a review from shyim January 13, 2025 14:24
@dblock dblock force-pushed the signing-decorator-headers branch from ed6a44e to dc07f55 Compare January 13, 2025 14:24
@dmnlk
Copy link

dmnlk commented Jan 13, 2025

Good!! Thanks! @dblock

@dblock dblock force-pushed the signing-decorator-headers branch from dc07f55 to ad4ed40 Compare January 13, 2025 18:20
@dblock
Copy link
Member Author

dblock commented Jan 15, 2025

@kimpepper I know you're saying we should be able to retrieve the Host from the request, however I was not able to do so (code in https://github.com/dblock/opensearch-php-client-demo/tree/2.4.0). There's no URL nor host in the intercepted request, so getHeaderLine or other methods don't return anything. Maybe I am missing something and you will have better luck?

@kimpepper
Copy link
Collaborator

Looks like it might be the Symfony implementation. I think we need a test for that.

@kimpepper
Copy link
Collaborator

Added tests in #256 and confirmed you need to set a default Host header when using the Symfony client. We don't need to add extra headers in the decorator.

kimpepper
kimpepper previously approved these changes Jan 18, 2025
View reviewed changes
Copy link
Collaborator

@kimpepper kimpepper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor nitpick.

dblock and others added 4 commits January 17, 2025 20:34
@dblock
Added optional headers to the AWS SigningDecorator.
a944379 
Signed-off-by: dblock <[email protected]>
@dblock
Raise an error when host header is empty.
d41f131 
Signed-off-by: dblock <[email protected]>
@dblock @kimpepper
Require Host.
42d731b 
Co-authored-by: Kim Pepper <[email protected]>
Signed-off-by: Daniel (dB.) Doubrovkine <[email protected]>
@dblock
Fix tests.
b3e4890 
Signed-off-by: dblock <[email protected]>
@dblock dblock force-pushed the signing-decorator-headers branch from f554938 to b3e4890 Compare January 18, 2025 01:34
@dblock dblock requested a review from kimpepper January 18, 2025 01:37
@dblock dblock merged commit 70e71ff into opensearch-project:main Jan 18, 2025
45 checks passed
@dblock dblock deleted the signing-decorator-headers branch January 18, 2025 04:32
@dblock
Copy link
Member Author

dblock commented Jan 22, 2025

I've tested this successfully in dblock/opensearch-php-client-demo#1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kimpepper kimpepper kimpepper approved these changes

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@harshavamsi harshavamsi Awaiting requested review from harshavamsi harshavamsi is a code owner

@saimedhi saimedhi Awaiting requested review from saimedhi saimedhi is a code owner

@shyim shyim Awaiting requested review from shyim shyim is a code owner

Assignees
No one assigned
Labels
skip-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG]Host' or ':authority' must be a 'SignedHeader' in the AWS Authorization.
4 participants
@dblock @dmnlk @kimpepper @shyim