Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

otelaws: Add finalize middleware after instead of before #5975

Merged
merged 16 commits into from
Nov 25, 2024

Conversation

jacksehr
Copy link
Contributor

@jacksehr jacksehr commented Aug 2, 2024

Fixes #3368.

Summary

In any presigned URL flow, the AWS SDK skips all Finalize middlewares after the PresignHTTPMiddleware. So, if we move context propagation after the PresignHTTPMiddleware, we will not include context propagation headers in presigned URL requests, which should prevent the reported issue with signatures.

Context

The existing middleware in this package adds propagation headers (e.g. traceparent) to outgoing AWS requests, presumably to be used in things like AWS X-Ray. However, when making requests for presigned URLs, the AWS SDK adds a bunch of middleware of its own to requests. The most important of these is the PresignHTTPMiddleware. This does a lot of things, but for the purposes of this PR/issue, there are two particularly relevant things it does:

Incorporating request headers into the presigned URL signature

When it is built, the middleware receives a presigner. Then, when it is actually run, it receives a *smithyHTTP.Request, and it's entirely up to the presigner if the headers on the *smithyHTTP.Request are incorporated in the calculation of the presigned URL's signature. If we look in the internals of the default v4 signer, it appears to just incorporate all existing headers and use them to sign the URL. This leads to the problem described in the above issue:

The URL generated from code with otelaws middlewares has two values host and traceparent, while the one without otelaws middlewares has only host.

As observed by the comments in that issue, disabling the context propagation solves this issue, which makes sense as that removes the traceparent header from the signature calculation.

This leads us to the second relevant behaviour of the PresignHTTPMiddleware.

Short circuiting remaining middleware

From the comments of the PresignHTTPMiddleware:

// PresignHTTPRequestMiddleware provides the Finalize middleware for creating a
// presigned URL for an HTTP request.
//
// Will short circuit the middleware stack and not forward onto the next
// Finalize handler.

In addition to this, the Deserialize middlewares get cleared, as seen here.

So, in the presigned URL flow, the last middleware that will get called will be the PresignHTTPRequestMiddleware. This is actually useful for us now, as if we just ensure our context propagation middleware comes last in the Finalize step, then we can be sure it will never run in the presign flow. Simply shifting from middleware.Before to middleware.After does just that.

I've also renamed the function and moved it so that its order reflects the order of middleware execution (i.e. finalize before deserialize)

Copy link

linux-foundation-easycla bot commented Aug 2, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@jacksehr jacksehr marked this pull request as ready for review August 5, 2024 01:00
@jacksehr jacksehr requested a review from a team August 5, 2024 01:00
@pellared pellared changed the title awsotel: add finalize middleware after instead of before otelaws: Add finalize middleware after instead of before Aug 7, 2024
@pellared
Copy link
Member

pellared commented Aug 7, 2024

@akats7 PTAL as a code owner.

@pellared pellared assigned pellared and akats7 and unassigned pellared Aug 7, 2024
@akats7
Copy link
Contributor

akats7 commented Aug 13, 2024

Hey @jacksehr, will take a look at this later today, thanks

@akats7
Copy link
Contributor

akats7 commented Aug 20, 2024

Hey @jacksehr, can you please resolve the issues in the unit tests to use your updated method, also would you be able to add/update a test case to reflect this change.

@akats7
Copy link
Contributor

akats7 commented Sep 12, 2024

Hey @jacksehr, any update on this?

@jacksehr jacksehr requested a review from a team as a code owner November 15, 2024 03:46
@jacksehr
Copy link
Contributor Author

Hey @jacksehr, any update on this?

Hey @akats7, sorry for the delay, circling back to this -- I've updated with a test and resolved the compilation issue.

@pellared
Copy link
Member

Please add a changelog entry

Copy link

codecov bot commented Nov 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.9%. Comparing base (96b1ed1) to head (c29ec15).
Report is 1 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@          Coverage Diff          @@
##            main   #5975   +/-   ##
=====================================
  Coverage   66.9%   66.9%           
=====================================
  Files        193     193           
  Lines      15652   15652           
=====================================
+ Hits       10479   10483    +4     
+ Misses      4882    4879    -3     
+ Partials     291     290    -1     
Files with missing lines Coverage Δ
...tation/github.com/aws/aws-sdk-go-v2/otelaws/aws.go 95.6% <100.0%> (+1.0%) ⬆️

... and 1 file with indirect coverage changes

---- 🚨 Try these New Features:

@jacksehr
Copy link
Contributor Author

@pellared @akats7 I can update with main again if needed, otherwise let me know if there's anything else this PR needs to get merged 🙂

Copy link
Contributor

@akats7 akats7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

@jacksehr
Copy link
Contributor Author

@akats7 I've just updated the branch, but I can't merge it even when the checks are all green -- can I get one of you to merge it then the checks run?

@akats7
Copy link
Contributor

akats7 commented Nov 25, 2024

@akats7 I've just updated the branch, but I can't merge it even when the checks are all green -- can I get one of you to merge it then the checks run?

It can only be merged by one of the maintainers

cc @dmathieu @pellared

@dmathieu dmathieu merged commit b508e33 into open-telemetry:main Nov 25, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

otelaws AppendMiddlewares causes S3 pre-signed URLs to stop working
4 participants