-
Notifications
You must be signed in to change notification settings - Fork 566
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
otelaws: Add finalize middleware after instead of before #5975
otelaws: Add finalize middleware after instead of before #5975
Conversation
@akats7 PTAL as a code owner. |
Hey @jacksehr, will take a look at this later today, thanks |
Hey @jacksehr, can you please resolve the issues in the unit tests to use your updated method, also would you be able to add/update a test case to reflect this change. |
Hey @jacksehr, any update on this? |
…lemetry-go-contrib into no-inject-presigned-urls
Please add a changelog entry |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #5975 +/- ##
=====================================
Coverage 66.9% 66.9%
=====================================
Files 193 193
Lines 15652 15652
=====================================
+ Hits 10479 10483 +4
+ Misses 4882 4879 -3
+ Partials 291 290 -1
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM thanks!
@akats7 I've just updated the branch, but I can't merge it even when the checks are all green -- can I get one of you to merge it then the checks run? |
Fixes #3368.
Summary
In any presigned URL flow, the AWS SDK skips all
Finalize
middlewares after the PresignHTTPMiddleware. So, if we move context propagation after thePresignHTTPMiddleware
, we will not include context propagation headers in presigned URL requests, which should prevent the reported issue with signatures.Context
The existing middleware in this package adds propagation headers (e.g.
traceparent
) to outgoing AWS requests, presumably to be used in things like AWS X-Ray. However, when making requests for presigned URLs, the AWS SDK adds a bunch of middleware of its own to requests. The most important of these is the PresignHTTPMiddleware. This does a lot of things, but for the purposes of this PR/issue, there are two particularly relevant things it does:Incorporating request headers into the presigned URL signature
When it is built, the middleware receives a presigner. Then, when it is actually run, it receives a
*smithyHTTP.Request
, and it's entirely up to the presigner if the headers on the*smithyHTTP.Request
are incorporated in the calculation of the presigned URL's signature. If we look in the internals of the default v4 signer, it appears to just incorporate all existing headers and use them to sign the URL. This leads to the problem described in the above issue:As observed by the comments in that issue, disabling the context propagation solves this issue, which makes sense as that removes the
traceparent
header from the signature calculation.This leads us to the second relevant behaviour of the
PresignHTTPMiddleware
.Short circuiting remaining middleware
From the comments of the
PresignHTTPMiddleware
:In addition to this, the Deserialize middlewares get cleared, as seen here.
So, in the presigned URL flow, the last middleware that will get called will be the
PresignHTTPRequestMiddleware
. This is actually useful for us now, as if we just ensure our context propagation middleware comes last in theFinalize
step, then we can be sure it will never run in the presign flow. Simply shifting frommiddleware.Before
tomiddleware.After
does just that.I've also renamed the function and moved it so that its order reflects the order of middleware execution (i.e. finalize before deserialize)