From 5ace9f282d1d6a28558489575fd2465237fad2ad Mon Sep 17 00:00:00 2001 From: Sichan Yoo Date: Thu, 26 Dec 2024 11:49:24 -0800 Subject: [PATCH] Add an integration test that asserts on resolved signing region for a SigV4A operation. --- .../SigV4ASigningRegionTest.swift | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 IntegrationTests/Services/AWSS3IntegrationTests/SigV4ASigningRegionTest.swift diff --git a/IntegrationTests/Services/AWSS3IntegrationTests/SigV4ASigningRegionTest.swift b/IntegrationTests/Services/AWSS3IntegrationTests/SigV4ASigningRegionTest.swift new file mode 100644 index 00000000000..c3c5b8702ab --- /dev/null +++ b/IntegrationTests/Services/AWSS3IntegrationTests/SigV4ASigningRegionTest.swift @@ -0,0 +1,64 @@ +// +// Copyright Amazon.com Inc. or its affiliates. +// All Rights Reserved. +// +// SPDX-License-Identifier: Apache-2.0 +// + +import AWSS3 +import AWSSDKHTTPAuth +import ClientRuntime +import Smithy +import SmithyHTTPAPI +import SmithyHTTPAuthAPI +import SmithyTestUtil +import XCTest + +// Checks that S3's rules-based SigV4A operations resolve signing region to "*" using PutObject with MRAP ARN. +class SigV4ASigningRegionTest: XCTestCase { + private var sigv4aClient: S3Client! + private var sigv4aConfig: S3Client.S3ClientConfiguration! + + override func setUp() async throws { + sigv4aConfig = try await S3Client.S3ClientConfiguration(region: "dummy-region") + sigv4aConfig.authSchemes = [SigV4AAuthScheme()] + sigv4aConfig.httpClientEngine = ProtocolTestClient() // Mock HTTP client that doesn't actually send a request + sigv4aConfig.addInterceptorProvider(SigningRegionAssertInterceptorProvider()) + sigv4aClient = S3Client(config: sigv4aConfig) + } + + func testResolvedSigningRegionIsAsterisk() async throws { + do { + // Providing input.bucket value in the format of MRAP ARN causes endpoint to resolve to MRAP endpoint with + // auth schemes property that has SigV4A. + // Then, when signing properties are resolved by the auth scheme, signing region resolved by the service's + // AuthSchemeResolver, saved in AuthOption, supersedes the one provided in config, saved in context. + _ = try await sigv4aClient.putObject(input: PutObjectInput( + body: ByteStream.data(Data()), + bucket: "arn:aws:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap", // Dummy ARN for MRAP + key: "dummy-key" + )) + } catch is TestCheckError { + // This is the expected error thrown by Mock HTTP client; no-op. + } + } +} + +class SigningRegionAssertInterceptor: Interceptor { + typealias RequestType = HTTPRequest + typealias ResponseType = HTTPResponse + + func readBeforeSigning(context: some AfterSerialization) async throws { + let resolvedSigningRegion = context.getAttributes().selectedAuthScheme?.signingProperties?.get( + key: SigningPropertyKeys.signingRegion + ) + XCTAssertNotNil(resolvedSigningRegion) + XCTAssertEqual(resolvedSigningRegion!, "*") // Assert that the resolved signing region is "*", as expected. + } +} + +class SigningRegionAssertInterceptorProvider: HttpInterceptorProvider { + func create() -> any Interceptor { + return SigningRegionAssertInterceptor() + } +}