fix(s3-request-presigner): identify correct authscheme for mrap (#5742)

* fix(s3-request-presigner): adjust signing region based on authScheme for sigv4a * fix(s3-request-presigner): identify correct authscheme for mrap * fix(s3-request-presigner): small refactor * chore: remove unused import --------- Co-authored-by: Ran Vaknin <[email protected]> Co-authored-by: RanVaknin <[email protected]> Co-authored-by: George Fu <[email protected]>
aws · Jan 31, 2024 · 04df491 · 04df491
1 parent d054fe1
commit 04df491
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/packages/s3-request-presigner/src/getSignedUrl.spec.ts b/packages/s3-request-presigner/src/getSignedUrl.spec.ts
@@ -27,6 +27,20 @@ import { RequestPresigningArguments } from "@smithy/types";
 
 import { getSignedUrl } from "./getSignedUrl";
 
+jest.mock("@smithy/middleware-endpoint", () => {
+  const originalModule = jest.requireActual("@smithy/middleware-endpoint");
+  return {
+    ...originalModule,
+    getEndpointFromInstructions: jest.fn(() =>
+      Promise.resolve({
+        properties: {
+          authSchemes: [{ name: "sigv4a", signingRegionSet: ["*"] }],
+        },
+      })
+    ),
+  };
+});
+
 describe("getSignedUrl", () => {
   const clientParams = {
     region: "us-foo-1",
@@ -141,6 +155,23 @@ describe("getSignedUrl", () => {
       expect(mockPresign.mock.calls[0][0].headers[header]).toBeUndefined();
     }
   );
+  it("should set region to * when sigv4a is the auth scheme", async () => {
+    const mockPresigned = "a presigned url";
+    mockPresign.mockReturnValue(mockPresigned);
+
+    const client = new S3Client(clientParams);
+    const command = new GetObjectCommand({
+      Bucket: "Bucket",
+      Key: "Key",
+    });
+
+    await getSignedUrl(client, command);
+    const presignerArgs = mockPresigner.mock.calls[0][0];
+    const region = await presignerArgs.region();
+
+    expect(region).toBe("*");
+    expect(mockPresign).toBeCalled();
+  });
 
   // TODO(endpointsv2) fix this test
   it.skip("should presign request with MRAP ARN", async () => {

diff --git a/packages/s3-request-presigner/src/getSignedUrl.ts b/packages/s3-request-presigner/src/getSignedUrl.ts
@@ -26,18 +26,23 @@ export const getSignedUrl = async <
 ): Promise<string> => {
   let s3Presigner: S3RequestPresigner;
 
+  let region: string | undefined;
   if (typeof client.config.endpointProvider === "function") {
     const endpointV2: EndpointV2 = await getEndpointFromInstructions(
       command.input as Record<string, unknown>,
       command.constructor as EndpointParameterInstructionsSupplier,
       client.config
     );
     const authScheme = endpointV2.properties?.authSchemes?.[0];
-
+    if (authScheme?.name === "sigv4a") {
+      region = authScheme?.signingRegionSet?.join(",");
+    } else {
+      region = authScheme?.signingRegion;
+    }
     s3Presigner = new S3RequestPresigner({
       ...client.config,
       signingName: authScheme?.signingName,
-      region: async () => authScheme?.signingRegion,
+      region: async () => region,
     });
   } else {
     s3Presigner = new S3RequestPresigner(client.config);
@@ -58,7 +63,7 @@ export const getSignedUrl = async <
       let presigned: IHttpRequest;
       const presignerOptions = {
         ...options,
-        signingRegion: options.signingRegion ?? context["signing_region"],
+        signingRegion: options.signingRegion ?? context["signing_region"] ?? region,
         signingService: options.signingService ?? context["signing_service"],
       };