Conversation
This adds an intermediate type, StreamingSignatureState, used to hold the ongoing state of the signature validation across multiple chunks.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds support for validating SigV4 “amz-chunked” streaming requests by splitting validation into an initial header check (before reading the body) and per-chunk signature verification.
Changes:
- Introduces
sigv4_validate_streaming_headersandStreamingSignatureState::sigv4_validate_streaming_chunkfor S3-style streaming signature validation. - Refactors
IntoRequestBytesinto a newbodymodule and exposes it at the crate root. - Extends
SignatureOptionswithallowed_mismatchand adds/renames several SigV4/S3-related constants and error variants.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
src/signature.rs |
Adds streaming header + chunk validation APIs; adds allowed_mismatch; adds new streaming tests. |
src/canonical.rs |
Adds from_request_and_body_hash to canonicalize without reading the body. |
src/auth.rs |
Adds validate_signature_with_key helper and exposes some internal fields for streaming state construction. |
src/body.rs |
New module containing IntoRequestBytes and basic implementations. |
src/lib.rs |
Wires in body module and re-exports it. |
src/signing_key.rs |
Adjusts doc link formatting and makes signing_key field pub(crate) for internal moves. |
src/error.rs |
Adds new SignatureError variants and mappings. |
src/constants.rs |
Adds new error codes/messages and S3 streaming-related constants; renames unsigned payload constant. |
Cargo.toml |
Adds streaming feature, http-body dependency, and optional tokio. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds a new function,
sigv4_validate_streaming_headers, that is used to validate the headers of a streaming request. This is intended to be called after the headers have been read but before the body has been read, allowing for short-circuitingExpect: 100-Continuestyle requests when the headers are either malformed or incorrectly signed.sigv4_validate_streaming_headersreturns a new type,StreamingSignatureState, that has its own method,sigv4_validate_streaming_chunk, used to validate each chunk of anamz-chunkedbody. This must be called for each chunk, including the final, empty, terminating chunk.I have not yet considered how this works with trailers.