Enable S3 express auth (#2839)

Co-authored-by: SamRemis <sjremis94@amazon.com>

.changes/nextrelease/feature-s3express-auth.json

@@ -0,0 +1,7 @@
+[
+ {
+ "type": "feature",
+ "category": "S3",
+ "description": "This release adds support for the S3express identity provider"
+ }
+]

src/AwsClient.php

@@ -445,7 +445,11 @@ private function addSignatureMiddleware()
  return SignatureProvider::resolve($provider, $version, $name, $region);
  };
  $this->handlerList->appendSign(
- Middleware::signer($this->credentialProvider, $resolver, $this->tokenProvider),
+ Middleware::signer($this->credentialProvider,
+ $resolver,
+ $this->tokenProvider,
+ $this->getConfig()
+ ),
  'signer'
  );
  }

src/Command.php

@@ -77,11 +77,11 @@ public function setAuthSchemes(array $authSchemes)
  * Get auth schemes added to command as required
  * for endpoint resolution
  *
- * @returns array | null
+ * @returns array
  */
  public function getAuthSchemes()
  {
- return $this->authSchemes;
+ return $this->authSchemes ?: [];
  }
 
  /** @deprecated */

src/EndpointV2/EndpointV2SerializerTrait.php

@@ -173,7 +173,7 @@ private function applyAuthSchemeToCommand($endpoint, $command)
 
  private function selectAuthScheme($authSchemes)
  {
- $validAuthSchemes = ['sigv4', 'sigv4a', 'none', 'bearer'];
+ $validAuthSchemes = ['sigv4', 'sigv4a', 'none', 'bearer', 'sigv4-s3express'];
  $invalidAuthSchemes = [];
 
  foreach($authSchemes as $authScheme) {
@@ -204,6 +204,7 @@ private function normalizeAuthScheme($authScheme)
  if (isset($authScheme['disableDoubleEncoding'])
  && $authScheme['disableDoubleEncoding'] === true
  && $authScheme['name'] !== 'sigv4a'
+ && $authScheme['name'] !== 'sigv4-s3express'
  ) {
  $normalizedAuthScheme['version'] = 's3v4';
  } elseif ($authScheme['name'] === 'none') {

src/Identity/S3/S3ExpressIdentity.php

@@ -0,0 +1,6 @@
+<?php
+namespace Aws\Identity\S3;
+
+use Aws\Credentials\Credentials;
+
+class S3ExpressIdentity extends Credentials {}

src/Identity/S3/S3ExpressIdentityProvider.php

@@ -0,0 +1,44 @@
+<?php
+namespace Aws\Identity\S3;
+
+use Aws;
+use Aws\LruArrayCache;
+use GuzzleHttp\Promise;
+
+class S3ExpressIdentityProvider
+{
+
+ private $cache;
+ private $s3Client;
+ public function __construct(string $clientRegion, array $config = [])
+ {
+ $this->cache = new LruArrayCache(100);
+ $this->s3Client = isset($config['client'])
+ ? $config['client'] // internal use only
+ : new Aws\S3\S3Client([
+ 'region' => $clientRegion,
+ 'disable_express_session_auth' => true
+ ]);
+ }
+
+ public function __invoke($command)
+ {
+ return function () use ($command) {
+ $bucket = $command['Bucket'];
+ if ($identity = $this->cache->get($bucket)) {
+ if (!$identity->isExpired()) {
+ return Promise\Create::promiseFor($identity);
+ }
+ }
+ $response = $this->s3Client->createSession(['Bucket' => $bucket]);
+ $identity = new Aws\Identity\S3\S3ExpressIdentity(
+ $response['Credentials']['AccessKeyId'],
+ $response['Credentials']['SecretAccessKey'],
+ $response['Credentials']['SessionToken'],
+ $response['Credentials']['Expiration']->getTimestamp()
+ );
+ $this->cache->set($bucket, $identity);
+ return Promise\Create::promiseFor($identity);
+ };
+ }
+}

src/Middleware.php

@@ -6,6 +6,7 @@
 use Aws\Credentials\CredentialsInterface;
 use Aws\EndpointV2\EndpointProviderV2;
 use Aws\Exception\AwsException;
+use Aws\Signature\S3ExpressSignature;
 use Aws\Token\TokenAuthorization;
 use Aws\Token\TokenInterface;
 use GuzzleHttp\Promise;
@@ -125,13 +126,13 @@ public static function requestBuilder(
  *
  * @return callable
  */
- public static function signer(callable $credProvider, callable $signatureFunction, $tokenProvider = null)
+ public static function signer(callable $credProvider, callable $signatureFunction, $tokenProvider = null, $config = [])
  {
- return function (callable $handler) use ($signatureFunction, $credProvider, $tokenProvider) {
+ return function (callable $handler) use ($signatureFunction, $credProvider, $tokenProvider, $config) {
  return function (
  CommandInterface $command,
  RequestInterface $request
- ) use ($handler, $signatureFunction, $credProvider, $tokenProvider) {
+ ) use ($handler, $signatureFunction, $credProvider, $tokenProvider, $config) {
  $signer = $signatureFunction($command);
  if ($signer instanceof TokenAuthorization) {
  return $tokenProvider()->then(
@@ -143,17 +144,23 @@ function (TokenInterface $token)
  );
  }
  );
+ }
+
+ if ($signer instanceof S3ExpressSignature) {
+ $credentialPromise = $config['s3_express_identity_provider']($command)();
  } else {
- return $credProvider()->then(
- function (CredentialsInterface $creds)
- use ($handler, $command, $signer, $request) {
- return $handler(
- $command,
- $signer->signRequest($request, $creds)
- );
- }
- );
+ $credentialPromise = $credProvider();
  }
+
+ return $credentialPromise->then(
+ function (CredentialsInterface $creds)
+ use ($handler, $command, $signer, $request) {
+ return $handler(
+ $command,
+ $signer->signRequest($request, $creds)
+ );
+ }
+ );
  };
  };
  }

src/S3/ApplyChecksumMiddleware.php

@@ -6,6 +6,7 @@
 use GuzzleHttp\Psr7;
 use InvalidArgumentException;
 use Psr\Http\Message\RequestInterface;
+use Psr\Http\Message\StreamInterface;
 
 /**
  * Apply required or optional checksums to requests before sending.
@@ -79,11 +80,7 @@ public function __invoke(
  if (is_array($supportedAlgorithms)
  && in_array($requestedAlgorithm, $supportedAlgorithms)
  ) {
- $headerName = "x-amz-checksum-{$requestedAlgorithm}";
- $encoded = $this->getEncodedValue($requestedAlgorithm, $body);
- if (!$request->hasHeader($headerName)) {
- $request = $request->withHeader($headerName, $encoded);
- }
+ $request = $this->addAlgorithmHeader($requestedAlgorithm, $request, $body);
  } else {
  throw new InvalidArgumentException(
  "Unsupported algorithm supplied for input variable {$checksumMemberName}."
@@ -99,14 +96,19 @@ public function __invoke(
  $checksumRequired = isset($checksumInfo['requestChecksumRequired'])
  ? $checksumInfo['requestChecksumRequired']
  : null;
- if ((!empty($checksumRequired) && !$request->hasHeader('Content-MD5'))
+ if ((!empty($checksumRequired))
  || (in_array($name, self::$sha256AndMd5) && $addContentMD5)
  ) {
- // Set the content MD5 header for operations that require it.
- $request = $request->withHeader(
- 'Content-MD5',
- base64_encode(Psr7\Utils::hash($body, 'md5', true))
- );
+ //S3Express doesn't support MD5; default to crc32 instead
+ if ($this->isS3Express($command)) {
+ $request = $this->addAlgorithmHeader('crc32', $request, $body);
+ } elseif (!$request->hasHeader('Content-MD5')) {
+ // Set the content MD5 header for operations that require it.
+ $request = $request->withHeader(
+ 'Content-MD5',
+ base64_encode(Psr7\Utils::hash($body, 'md5', true))
+ );
+ }
  return $next($command, $request);
  }
  }
@@ -121,4 +123,33 @@ public function __invoke(
 
  return $next($command, $request);
  }
+
+ /**
+ * @param string $requestedAlgorithm
+ * @param RequestInterface $request
+ * @param StreamInterface $body
+ * @return RequestInterface
+ */
+ private function addAlgorithmHeader(
+ string $requestedAlgorithm,
+ RequestInterface $request,
+ StreamInterface $body
+ ) {
+ $headerName = "x-amz-checksum-{$requestedAlgorithm}";
+ if (!$request->hasHeader($headerName)) {
+ $encoded = $this->getEncodedValue($requestedAlgorithm, $body);
+ $request = $request->withHeader($headerName, $encoded);
+ }
+ return $request;
+ }
+
+ /**
+ * @param CommandInterface $command
+ * @return bool
+ */
+ private function isS3Express($command): bool
+ {
+ $authSchemes = $command->getAuthSchemes();
+ return isset($authSchemes['name']) && $authSchemes['name'] == 's3express';
+ }
 }