adds context to the V4 signer's utilities

Author: skotambkar

aws/signer/v4/functional_test.go

@@ -1,6 +1,7 @@
 package v4_test
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -162,7 +163,7 @@ func TestStandaloneSign_CustomURIEscape(t *testing.T) {
 	req.URL.Path = `/log-*/_search`
 	req.URL.Opaque = "//subdomain.us-east-1.es.amazonaws.com/log-%2A/_search"
 
-	_, err = signer.Sign(req, nil, "es", "us-east-1", time.Unix(0, 0))
+	_, err = signer.Sign(context.Background(), req, nil, "es", "us-east-1", time.Unix(0, 0))
 	if err != nil {
 		t.Fatalf("expect no error, got %v", err)
 	}
@@ -191,7 +192,7 @@ func TestStandaloneSign(t *testing.T) {
 		req.URL.Path = c.OrigURI
 		req.URL.RawQuery = c.OrigQuery
 
-		_, err = signer.Sign(req, nil, c.Service, c.Region, time.Unix(0, 0))
+		_, err = signer.Sign(context.Background(), req, nil, c.Service, c.Region, time.Unix(0, 0))
 		if err != nil {
 			t.Errorf("expected no error, but received %v", err)
 		}
@@ -228,7 +229,7 @@ func TestStandaloneSign_RawPath(t *testing.T) {
 		req.URL.RawPath = c.EscapedURI
 		req.URL.RawQuery = c.OrigQuery
 
-		_, err = signer.Sign(req, nil, c.Service, c.Region, time.Unix(0, 0))
+		_, err = signer.Sign(context.Background(), req, nil, c.Service, c.Region, time.Unix(0, 0))
 		if err != nil {
 			t.Errorf("expected no error, but received %v", err)
 		}

aws/signer/v4/v4.go

@@ -263,8 +263,8 @@ type signingCtx struct {
 // generated. To bypass the signer computing the hash you can set the
 // "X-Amz-Content-Sha256" header with a precomputed value. The signer will
 // only compute the hash if the request header value is empty.
-func (v4 Signer) Sign(r *http.Request, body io.ReadSeeker, service, region string, signTime time.Time) (http.Header, error) {
-	return v4.signWithBody(r, body, service, region, 0, signTime)
+func (v4 Signer) Sign(ctx context.Context, r *http.Request, body io.ReadSeeker, service, region string, signTime time.Time) (http.Header, error) {
+	return v4.signWithBody(ctx, r, body, service, region, 0, signTime)
 }
 
 // Presign signs AWS v4 requests with the provided body, service name, region
@@ -297,12 +297,12 @@ func (v4 Signer) Sign(r *http.Request, body io.ReadSeeker, service, region strin
 // PUT/GET capabilities. If you would like to include the body's SHA256 in the
 // presigned request's signature you can set the "X-Amz-Content-Sha256"
 // HTTP header and that will be included in the request's signature.
-func (v4 Signer) Presign(r *http.Request, body io.ReadSeeker, service, region string, exp time.Duration, signTime time.Time) (http.Header, error) {
-	return v4.signWithBody(r, body, service, region, exp, signTime)
+func (v4 Signer) Presign(ctx context.Context, r *http.Request, body io.ReadSeeker, service, region string, exp time.Duration, signTime time.Time) (http.Header, error) {
+	return v4.signWithBody(ctx, r, body, service, region, exp, signTime)
 }
 
-func (v4 Signer) signWithBody(r *http.Request, body io.ReadSeeker, service, region string, exp time.Duration, signTime time.Time) (http.Header, error) {
-	ctx := &signingCtx{
+func (v4 Signer) signWithBody(ctx context.Context, r *http.Request, body io.ReadSeeker, service, region string, exp time.Duration, signTime time.Time) (http.Header, error) {
+	signingCtx := &signingCtx{
 		Request:                r,
 		Body:                   body,
 		Query:                  r.URL.Query(),
@@ -315,31 +315,31 @@ func (v4 Signer) signWithBody(r *http.Request, body io.ReadSeeker, service, regi
 		unsignedPayload:        v4.UnsignedPayload,
 	}
 
-	for key := range ctx.Query {
-		sort.Strings(ctx.Query[key])
+	for key := range signingCtx.Query {
+		sort.Strings(signingCtx.Query[key])
 	}
 
-	if ctx.isRequestSigned() {
-		ctx.Time = sdk.NowTime()
-		ctx.handlePresignRemoval()
+	if signingCtx.isRequestSigned() {
+		signingCtx.Time = sdk.NowTime()
+		signingCtx.handlePresignRemoval()
 	}
 
 	var err error
-	ctx.credValues, err = v4.Credentials.Retrieve(context.Background())
+	signingCtx.credValues, err = v4.Credentials.Retrieve(ctx)
 	if err != nil {
 		return http.Header{}, err
 	}
 
-	aws.SanitizeHostForHeader(ctx.Request)
-	ctx.assignAmzQueryValues()
-	if err := ctx.build(v4.DisableHeaderHoisting); err != nil {
+	aws.SanitizeHostForHeader(signingCtx.Request)
+	signingCtx.assignAmzQueryValues()
+	if err := signingCtx.build(v4.DisableHeaderHoisting); err != nil {
 		return nil, err
 	}
 
 	// If the request is not presigned the body should be attached to it. This
 	// prevents the confusion of wanting to send a signed request without
 	// the body the request was signed for attached.
-	if !(v4.DisableRequestBodyOverwrite || ctx.isPresign) {
+	if !(v4.DisableRequestBodyOverwrite || signingCtx.isPresign) {
 		var reader io.ReadCloser
 		if body != nil {
 			var ok bool
@@ -351,10 +351,10 @@ func (v4 Signer) signWithBody(r *http.Request, body io.ReadSeeker, service, regi
 	}
 
 	if v4.Debug.Matches(aws.LogDebugWithSigning) {
-		v4.logSigningInfo(ctx)
+		v4.logSigningInfo(signingCtx)
 	}
 
-	return ctx.SignedHeaderVals, nil
+	return signingCtx.SignedHeaderVals, nil
 }
 
 func (ctx *signingCtx) handlePresignRemoval() {
@@ -455,7 +455,7 @@ func SignSDKRequest(req *aws.Request, opts ...func(*Signer)) {
 		signingTime = req.LastSignedAt
 	}
 
-	signedHeaders, err := v4.signWithBody(req.HTTPRequest, req.GetBody(),
+	signedHeaders, err := v4.signWithBody(req.Context(), req.HTTPRequest, req.GetBody(),
 		name, region, req.ExpireTime, signingTime,
 	)
 	if err != nil {

aws/signer/v4/v4_test.go

@@ -125,7 +125,7 @@ func TestPresignRequest(t *testing.T) {
 	req, body := buildRequest("dynamodb", "us-east-1", "{}")
 
 	signer := buildSigner()
-	signer.Presign(req, body, "dynamodb", "us-east-1", 300*time.Second, time.Unix(0, 0))
+	signer.Presign(context.Background(), req, body, "dynamodb", "us-east-1", 300*time.Second, time.Unix(0, 0))
 
 	expectedDate := "19700101T000000Z"
 	expectedHeaders := "content-length;content-type;host;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore"
@@ -159,7 +159,7 @@ func TestPresignBodyWithArrayRequest(t *testing.T) {
 	req.URL.RawQuery = "Foo=z&Foo=o&Foo=m&Foo=a"
 
 	signer := buildSigner()
-	signer.Presign(req, body, "dynamodb", "us-east-1", 300*time.Second, time.Unix(0, 0))
+	signer.Presign(context.Background(), req, body, "dynamodb", "us-east-1", 300*time.Second, time.Unix(0, 0))
 
 	expectedDate := "19700101T000000Z"
 	expectedHeaders := "content-length;content-type;host;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore"
@@ -191,7 +191,7 @@ func TestPresignBodyWithArrayRequest(t *testing.T) {
 func TestSignRequest(t *testing.T) {
 	req, body := buildRequest("dynamodb", "us-east-1", "{}")
 	signer := buildSigner()
-	signer.Sign(req, body, "dynamodb", "us-east-1", time.Unix(0, 0))
+	signer.Sign(context.Background(), req, body, "dynamodb", "us-east-1", time.Unix(0, 0))
 
 	expectedDate := "19700101T000000Z"
 	expectedSig := "AWS4-HMAC-SHA256 Credential=AKID/19700101/us-east-1/dynamodb/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-meta-other-header;x-amz-meta-other-header_with_underscore;x-amz-security-token;x-amz-target, Signature=a518299330494908a70222cec6899f6f32f297f8595f6df1776d998936652ad9"
@@ -208,7 +208,7 @@ func TestSignRequest(t *testing.T) {
 func TestSignUnseekableBody(t *testing.T) {
 	req, body := buildRequestWithBodyReader("mock-service", "mock-region", bytes.NewBuffer([]byte("hello")))
 	signer := buildSigner()
-	_, err := signer.Sign(req, body, "mock-service", "mock-region", time.Now())
+	_, err := signer.Sign(context.Background(), req, body, "mock-service", "mock-region", time.Now())
 	if err == nil {
 		t.Fatalf("expect error signing request")
 	}
@@ -224,7 +224,7 @@ func TestSignUnsignedPayloadUnseekableBody(t *testing.T) {
 	signer := buildSigner()
 	signer.UnsignedPayload = true
 
-	_, err := signer.Sign(req, body, "mock-service", "mock-region", time.Now())
+	_, err := signer.Sign(context.Background(), req, body, "mock-service", "mock-region", time.Now())
 	if err != nil {
 		t.Fatalf("expect no error, got %v", err)
 	}
@@ -241,7 +241,7 @@ func TestSignPreComputedHashUnseekableBody(t *testing.T) {
 	signer := buildSigner()
 
 	req.Header.Set("X-Amz-Content-Sha256", "some-content-sha256")
-	_, err := signer.Sign(req, body, "mock-service", "mock-region", time.Now())
+	_, err := signer.Sign(context.Background(), req, body, "mock-service", "mock-region", time.Now())
 	if err != nil {
 		t.Fatalf("expect no error, got %v", err)
 	}
@@ -255,7 +255,7 @@ func TestSignPreComputedHashUnseekableBody(t *testing.T) {
 func TestSignBodyS3(t *testing.T) {
 	req, body := buildRequest("s3", "us-east-1", "hello")
 	signer := buildSigner()
-	signer.Sign(req, body, "s3", "us-east-1", time.Now())
+	signer.Sign(context.Background(), req, body, "s3", "us-east-1", time.Now())
 	hash := req.Header.Get("X-Amz-Content-Sha256")
 	if e, a := "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", hash; e != a {
 		t.Errorf("expect %v, got %v", e, a)
@@ -265,7 +265,7 @@ func TestSignBodyS3(t *testing.T) {
 func TestSignBodyGlacier(t *testing.T) {
 	req, body := buildRequest("glacier", "us-east-1", "hello")
 	signer := buildSigner()
-	signer.Sign(req, body, "glacier", "us-east-1", time.Now())
+	signer.Sign(context.Background(), req, body, "glacier", "us-east-1", time.Now())
 	hash := req.Header.Get("X-Amz-Content-Sha256")
 	if e, a := "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", hash; e != a {
 		t.Errorf("expect %v, got %v", e, a)
@@ -275,7 +275,7 @@ func TestSignBodyGlacier(t *testing.T) {
 func TestPresign_SignedPayload(t *testing.T) {
 	req, body := buildRequest("glacier", "us-east-1", "hello")
 	signer := buildSigner()
-	signer.Presign(req, body, "glacier", "us-east-1", 5*time.Minute, time.Now())
+	signer.Presign(context.Background(), req, body, "glacier", "us-east-1", 5*time.Minute, time.Now())
 	hash := req.Header.Get("X-Amz-Content-Sha256")
 	if e, a := "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824", hash; e != a {
 		t.Errorf("expect %v, got %v", e, a)
@@ -286,7 +286,7 @@ func TestPresign_UnsignedPayload(t *testing.T) {
 	req, body := buildRequest("service-name", "us-east-1", "hello")
 	signer := buildSigner()
 	signer.UnsignedPayload = true
-	signer.Presign(req, body, "service-name", "us-east-1", 5*time.Minute, time.Now())
+	signer.Presign(context.Background(), req, body, "service-name", "us-east-1", 5*time.Minute, time.Now())
 	hash := req.Header.Get("X-Amz-Content-Sha256")
 	if e, a := "UNSIGNED-PAYLOAD", hash; e != a {
 		t.Errorf("expect %v, got %v", e, a)
@@ -296,7 +296,7 @@ func TestPresign_UnsignedPayload(t *testing.T) {
 func TestPresign_UnsignedPayload_S3(t *testing.T) {
 	req, body := buildRequest("s3", "us-east-1", "hello")
 	signer := buildSigner()
-	signer.Presign(req, body, "s3", "us-east-1", 5*time.Minute, time.Now())
+	signer.Presign(context.Background(), req, body, "s3", "us-east-1", 5*time.Minute, time.Now())
 	if a := req.Header.Get("X-Amz-Content-Sha256"); len(a) != 0 {
 		t.Errorf("expect no content sha256 got %v", a)
 	}
@@ -306,7 +306,7 @@ func TestSignPrecomputedBodyChecksum(t *testing.T) {
 	req, body := buildRequest("dynamodb", "us-east-1", "hello")
 	req.Header.Set("X-Amz-Content-Sha256", "PRECOMPUTED")
 	signer := buildSigner()
-	signer.Sign(req, body, "dynamodb", "us-east-1", time.Now())
+	signer.Sign(context.Background(), req, body, "dynamodb", "us-east-1", time.Now())
 	hash := req.Header.Get("X-Amz-Content-Sha256")
 	if e, a := "PRECOMPUTED", hash; e != a {
 		t.Errorf("expect %v, got %v", e, a)
@@ -620,7 +620,7 @@ func TestSignWithRequestBody(t *testing.T) {
 
 	req, err := http.NewRequest("POST", server.URL, nil)
 
-	_, err = signer.Sign(req, bytes.NewReader(expectBody), "service", "region", time.Now())
+	_, err = signer.Sign(context.Background(), req, bytes.NewReader(expectBody), "service", "region", time.Now())
 	if err != nil {
 		t.Errorf("expect not no error, got %v", err)
 	}
@@ -654,7 +654,7 @@ func TestSignWithRequestBody_Overwrite(t *testing.T) {
 
 	req, err := http.NewRequest("GET", server.URL, strings.NewReader("invalid body"))
 
-	_, err = signer.Sign(req, nil, "service", "region", time.Now())
+	_, err = signer.Sign(context.Background(), req, nil, "service", "region", time.Now())
 	req.ContentLength = 0
 
 	if err != nil {
@@ -698,7 +698,7 @@ func TestSignWithBody_ReplaceRequestBody(t *testing.T) {
 	s := NewSigner(creds)
 	origBody := req.Body
 
-	_, err := s.Sign(req, seekerBody, "dynamodb", "us-east-1", time.Now())
+	_, err := s.Sign(context.Background(), req, seekerBody, "dynamodb", "us-east-1", time.Now())
 	if err != nil {
 		t.Fatalf("expect no error, got %v", err)
 	}
@@ -723,7 +723,7 @@ func TestSignWithBody_NoReplaceRequestBody(t *testing.T) {
 
 	origBody := req.Body
 
-	_, err := s.Sign(req, seekerBody, "dynamodb", "us-east-1", time.Now())
+	_, err := s.Sign(context.Background(), req, seekerBody, "dynamodb", "us-east-1", time.Now())
 	if err != nil {
 		t.Fatalf("expect no error, got %v", err)
 	}
@@ -757,15 +757,15 @@ func BenchmarkPresignRequest(b *testing.B) {
 	signer := buildSigner()
 	req, body := buildRequest("dynamodb", "us-east-1", "{}")
 	for i := 0; i < b.N; i++ {
-		signer.Presign(req, body, "dynamodb", "us-east-1", 300*time.Second, time.Now())
+		signer.Presign(context.Background(), req, body, "dynamodb", "us-east-1", 300*time.Second, time.Now())
 	}
 }
 
 func BenchmarkSignRequest(b *testing.B) {
 	signer := buildSigner()
 	req, body := buildRequest("dynamodb", "us-east-1", "{}")
 	for i := 0; i < b.N; i++ {
-		signer.Sign(req, body, "dynamodb", "us-east-1", time.Now())
+		signer.Sign(context.Background(), req, body, "dynamodb", "us-east-1", time.Now())
 	}
 }
 

example/service/rds/rdsutils/authentication/iam_authentication.go

@@ -3,16 +3,17 @@
 package main
 
 import (
+	"context"
 	"database/sql"
 	"fmt"
 	"os"
 
-	"github.com/go-sql-driver/mysql"
-
 	"github.com/aws/aws-sdk-go-v2/aws/external"
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	"github.com/aws/aws-sdk-go-v2/aws/stscreds"
 	"github.com/aws/aws-sdk-go-v2/service/rds/rdsutils"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
+	"github.com/go-sql-driver/mysql"
 )
 
 // Usage ./iam_authentication <region> <db user> <db name> <endpoint to database> <iam arn>
@@ -35,8 +36,8 @@ func main() {
 	cfg.Region = awsRegion
 
 	credProvider := stscreds.NewAssumeRoleProvider(sts.New(cfg), os.Args[5])
-
-	authToken, err := rdsutils.BuildAuthToken(dbEndpoint, awsRegion, dbUser, credProvider)
+	signer := v4.NewSigner(credProvider)
+	authToken, err := rdsutils.BuildAuthToken(context.Background(), dbEndpoint, awsRegion, dbUser, signer)
 
 	// Create the MySQL DNS string for the DB connection
 	// user:password@protocol(endpoint)/dbname?<params>

service/rds/rdsutils/builder.go

@@ -1,10 +1,10 @@
 package rdsutils
 
 import (
+	"context"
 	"fmt"
 	"net/url"
 
-	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/awserr"
 )
 
@@ -26,24 +26,24 @@ var ErrNoConnectionFormat = awserr.New("NoConnectionFormat", "No connection form
 // string with the provided parameters. params field is required to have
 // a tls specification and allowCleartextPasswords must be set to true.
 type ConnectionStringBuilder struct {
-	dbName       string
-	endpoint     string
-	region       string
-	user         string
-	credProvider aws.CredentialsProvider
+	dbName   string
+	endpoint string
+	region   string
+	user     string
+	signer   HTTPV4Signer
 
 	connectFormat ConnectionFormat
 	params        url.Values
 }
 
 // NewConnectionStringBuilder will return an ConnectionStringBuilder
-func NewConnectionStringBuilder(endpoint, region, dbUser, dbName string, credProvider aws.CredentialsProvider) ConnectionStringBuilder {
+func NewConnectionStringBuilder(endpoint, region, dbUser, dbName string, signer HTTPV4Signer) ConnectionStringBuilder {
 	return ConnectionStringBuilder{
-		dbName:       dbName,
-		endpoint:     endpoint,
-		region:       region,
-		user:         dbUser,
-		credProvider: credProvider,
+		dbName:   dbName,
+		endpoint: endpoint,
+		region:   region,
+		user:     dbUser,
+		signer:   signer,
 	}
 }
 
@@ -99,19 +99,19 @@ func (b ConnectionStringBuilder) WithTCPFormat() ConnectionStringBuilder {
 // to the desired database.
 //
 //	Example:
-//	b := rdsutils.NewConnectionStringBuilder(endpoint, region, user, dbname, credProvider)
-//	connectStr, err := b.WithTCPFormat().Build()
+//	signer := v4.NewSigner(credsProvider)
+//	b := rdsutils.NewConnectionStringBuilder(endpoint, region, user, dbname, signer)
+//	connectStr, err := b.WithTCPFormat().Build(ctx)
 //	if err != nil {
 //		panic(err)
 //	}
 //	const dbType = "mysql"
 //	db, err := sql.Open(dbType, connectStr)
-func (b ConnectionStringBuilder) Build() (string, error) {
+func (b ConnectionStringBuilder) Build(ctx context.Context) (string, error) {
 	if b.connectFormat == NoConnectionFormat {
 		return "", ErrNoConnectionFormat
 	}
-
-	authToken, err := BuildAuthToken(b.endpoint, b.region, b.user, b.credProvider)
+	authToken, err := BuildAuthToken(ctx, b.endpoint, b.region, b.user, b.signer)
 	if err != nil {
 		return "", err
 	}