Fixed an issue where transcribe streaming transcriptions that take place over two days would fail when the clock rolled over between days.

Author: millems

.changes/next-release/bugfix-AmazonTranscribeService-ffab078.json

@@ -0,0 +1,5 @@
+{
+    "type": "bugfix",
+    "category": "Amazon Transcribe Service",
+    "description": "Fixed an issue where streaming transcriptions would fail with signature validation errors if the date changed during the request."
+}

core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/Aws4SignerUtils.java

@@ -46,6 +46,10 @@ public static String formatDateStamp(long timeMilli) {
         return DATE_FORMATTER.format(Instant.ofEpochMilli(timeMilli));
     }
 
+    public static String formatDateStamp(Instant instant) {
+        return DATE_FORMATTER.format(instant);
+    }
+
     /**
      * Returns a string representation of the given date time in
      * yyyyMMdd'T'HHmmss'Z' format. The date returned is in the UTC zone.

core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/BaseEventStreamAsyncAws4Signer.java

@@ -129,14 +129,13 @@ public ByteBuffer apply(ByteBuffer byteBuffer) {
                  */
                 Map<String, HeaderValue> nonSignatureHeaders = new HashMap<>();
                 Instant signingInstant = requestParams.getSigningClock().instant();
-                String signingDate = Aws4SignerUtils.formatTimestamp(signingInstant);
                 nonSignatureHeaders.put(EVENT_STREAM_DATE, HeaderValue.fromTimestamp(signingInstant));
 
                 /**
                  * Calculate rolling signature
                  */
                 byte[] payload = byteBuffer.array();
-                byte[] signatureBytes = signEventStream(priorSignature, key, signingDate, requestParams,
+                byte[] signatureBytes = signEventStream(priorSignature, key, signingInstant, requestParams,
                                                         nonSignatureHeaders, payload);
                 priorSignature = BinaryUtils.toHex(signatureBytes);
 
@@ -162,7 +161,7 @@ public ByteBuffer apply(ByteBuffer byteBuffer) {
      *
      * @param priorSignature signature of previous frame (Header frame is the 0th frame)
      * @param signingKey derived signing key
-     * @param date siging date
+     * @param signingInstant the instant at which this message is being signed
      * @param requestParams request parameters
      * @param nonSignatureHeaders non-signature headers
      * @param payload event stream payload
@@ -171,7 +170,7 @@ public ByteBuffer apply(ByteBuffer byteBuffer) {
     private byte[] signEventStream(
         String priorSignature,
         byte[] signingKey,
-        String date,
+        Instant signingInstant,
         Aws4SignerRequestParams requestParams,
         Map<String, HeaderValue> nonSignatureHeaders,
         byte[] payload) {
@@ -180,9 +179,9 @@ private byte[] signEventStream(
         String stringToSign =
             EVENT_STREAM_PAYLOAD +
             SignerConstant.LINE_SEPARATOR +
-            date +
+            Aws4SignerUtils.formatTimestamp(signingInstant) +
             SignerConstant.LINE_SEPARATOR +
-            requestParams.getScope() +
+            computeScope(signingInstant, requestParams) +
             SignerConstant.LINE_SEPARATOR +
             priorSignature +
             SignerConstant.LINE_SEPARATOR +
@@ -195,6 +194,13 @@ private byte[] signEventStream(
                     SigningAlgorithm.HmacSHA256);
     }
 
+    private String computeScope(Instant signingInstant, Aws4SignerRequestParams requestParams) {
+        return Aws4SignerUtils.formatDateStamp(signingInstant) + "/" +
+               requestParams.getRegionName() + "/" +
+               requestParams.getServiceSigningName() + "/" +
+               SignerConstant.AWS4_TERMINATOR;
+    }
+
     /**
      * Sort headers in alphabetic order, with exception that EVENT_STREAM_SIGNATURE header always at last
      *

core/auth/src/test/java/software/amazon/awssdk/auth/signer/EventStreamAws4SignerTest.java

@@ -0,0 +1,105 @@
+package software.amazon.awssdk.auth.signer;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.assertj.core.api.Assertions.assertThat;
+
+import io.reactivex.Flowable;
+import java.net.URI;
+import java.nio.ByteBuffer;
+import java.time.Clock;
+import java.time.Instant;
+import java.time.ZoneId;
+import java.time.ZoneOffset;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.Callable;
+import org.junit.Test;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.signer.internal.SignerTestUtils;
+import software.amazon.awssdk.core.async.AsyncRequestBody;
+import software.amazon.awssdk.http.SdkHttpFullRequest;
+import software.amazon.awssdk.http.SdkHttpMethod;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.eventstream.HeaderValue;
+import software.amazon.eventstream.Message;
+import software.amazon.eventstream.MessageDecoder;
+
+public class EventStreamAws4SignerTest {
+    /**
+     * Verify that when an event stream is open from one day to the next, the signature is properly signed for the day of the
+     * event.
+     */
+    @Test
+    public void openStreamEventSignaturesCanRollOverBetweenDays() {
+        EventStreamAws4Signer signer = EventStreamAws4Signer.create();
+
+        Region region = Region.US_WEST_2;
+        AwsCredentials credentials = AwsBasicCredentials.create("a", "s");
+        String signingName = "name";
+        AdjustableClock clock = new AdjustableClock();
+        clock.time = Instant.parse("2020-01-01T23:59:59Z");
+
+        SdkHttpFullRequest initialRequest = SdkHttpFullRequest.builder()
+                                                              .uri(URI.create("http://localhost:8080"))
+                                                              .method(SdkHttpMethod.GET)
+                                                              .build();
+        SdkHttpFullRequest signedRequest = SignerTestUtils.signRequest(signer, initialRequest, credentials, signingName, clock,
+                                                                       region.id());
+
+        ByteBuffer event = new Message(Collections.emptyMap(), "foo".getBytes(UTF_8)).toByteBuffer();
+
+        Callable<ByteBuffer> lastEvent = () -> {
+            clock.time = Instant.parse("2020-01-02T00:00:00Z");
+            return event;
+        };
+
+        AsyncRequestBody requestBody = AsyncRequestBody.fromPublisher(Flowable.concatArray(Flowable.just(event),
+                                                                                           Flowable.fromCallable(lastEvent)));
+
+        AsyncRequestBody signedBody = SignerTestUtils.signAsyncRequest(signer, signedRequest, requestBody, credentials,
+                                                                       signingName, clock, region.id());
+
+        List<Message> signedMessages = readMessages(signedBody);
+        assertThat(signedMessages.size()).isEqualTo(3);
+
+        Map<String, HeaderValue> firstMessageHeaders = signedMessages.get(0).getHeaders();
+        assertThat(firstMessageHeaders.get(":date").getTimestamp()).isEqualTo("2020-01-01T23:59:59Z");
+        assertThat(Base64.getEncoder().encodeToString(firstMessageHeaders.get(":chunk-signature").getByteArray()))
+            .isEqualTo("EFt7ZU043r/TJE8U+1GxJXscmNxoqmIdGtUIl8wE9u0=");
+
+        Map<String, HeaderValue> lastMessageHeaders = signedMessages.get(2).getHeaders();
+        assertThat(lastMessageHeaders.get(":date").getTimestamp()).isEqualTo("2020-01-02T00:00:00Z");
+        assertThat(Base64.getEncoder().encodeToString(lastMessageHeaders.get(":chunk-signature").getByteArray()))
+            .isEqualTo("vgDFcmKOVDUSSzKaBzcj0v9gUSgCK5IwnQ4dMB38NlE=");
+
+    }
+
+    private List<Message> readMessages(AsyncRequestBody signedBody) {
+        MessageDecoder decoder = new MessageDecoder();
+        Flowable.fromPublisher(signedBody).blockingForEach(x -> decoder.feed(x.array()));
+        return decoder.getDecodedMessages();
+    }
+
+    private static class AdjustableClock extends Clock {
+        private Instant time;
+
+        @Override
+        public ZoneId getZone() {
+            return ZoneOffset.UTC;
+        }
+
+        @Override
+        public Clock withZone(ZoneId zone) {
+            throw new UnsupportedOperationException();
+        }
+
+        @Override
+        public Instant instant() {
+            return time;
+        }
+    }
+
+}