Use special payload hash for event streams

This updates the async signer to use the special payload hash
for event stream operations.

Author: JordonPhillips

packages/aws-sdk-signers/src/aws_sdk_signers/signers.py

@@ -36,6 +36,8 @@
 
 SIGV4_TIMESTAMP_FORMAT: str = "%Y%m%dT%H%M%SZ"
 UNSIGNED_PAYLOAD: str = "UNSIGNED-PAYLOAD"
+EVENT_STREAM_CONTENT_TYPE = "application/vnd.amazon.eventstream"
+EVENT_STREAM_HASH = "STREAMING-AWS4-HMAC-SHA256-EVENTS"
 EMPTY_SHA256_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
 
 
@@ -755,6 +757,12 @@ async def _format_canonical_payload(
         ):
             return request.fields["X-Amz-Content-SHA256"].values[0]
 
+        if self._is_event_stream(request=request):
+            request.fields.set_field(
+                Field(name="X-Amz-Content-SHA256", values=[EVENT_STREAM_HASH])
+            )
+            return EVENT_STREAM_HASH
+
         payload_hash = await self._compute_payload_hash(
             request=request, signing_properties=signing_properties
         )
@@ -804,6 +812,12 @@ async def _compute_payload_hash(
             request.body = AsyncBytesReader(buffer)
         return checksum.hexdigest()
 
+    def _is_event_stream(self, request: AWSRequest) -> bool:
+        if "Content-Type" not in request.fields:
+            return False
+        content_type = request.fields["Content-Type"].as_string()
+        return content_type == EVENT_STREAM_CONTENT_TYPE
+
     def _seekable(self, body: AsyncIterable[bytes]) -> TypeGuard[AsyncSeekable]:
         if isinstance(body, ConditionallySeekable):
             return body.seekable()

packages/aws-sdk-signers/tests/unit/test_signers.py

@@ -12,6 +12,7 @@
     AsyncSigV4Signer,
     AWSCredentialIdentity,
     AWSRequest,
+    Field,
     Fields,
     SigV4Signer,
     SigV4SigningProperties,
@@ -125,6 +126,14 @@ def test_sign_with_expired_identity(
             )
 
 
+class UnreadableAsyncStream:
+    def __aiter__(self) -> typing.Self:
+        return self
+
+    async def __anext__(self) -> bytes:
+        raise Exception("Read should not have been called!")
+
+
 class TestAsyncSigV4Signer:
     SIGV4_ASYNC_SIGNER = AsyncSigV4Signer()
 
@@ -191,3 +200,34 @@ async def test_sign_with_expired_identity(
                 request=aws_request,
                 identity=identity,
             )
+
+    async def test_sign_event_stream(
+        self,
+        aws_identity: AWSCredentialIdentity,
+    ) -> None:
+        headers = Fields()
+        headers.set_field(
+            Field(name="Content-Type", values=["application/vnd.amazon.eventstream"])
+        )
+        request = AWSRequest(
+            destination=URI(
+                scheme="https",
+                host="127.0.0.1",
+                port=8000,
+            ),
+            method="GET",
+            body=UnreadableAsyncStream(),
+            fields=headers,
+        )
+        signed = await self.SIGV4_ASYNC_SIGNER.sign(
+            properties=SigV4SigningProperties(
+                region="us-west-2",
+                service="ec2",
+                date="0",
+            ),
+            request=request,
+            identity=aws_identity,
+        )
+        assert "X-Amz-Content-SHA256" in signed.fields
+        payload_hash = signed.fields["X-Amz-Content-SHA256"].as_string()
+        assert payload_hash == "STREAMING-AWS4-HMAC-SHA256-EVENTS"