feat(signature-v4): validate credential is valid before signing (#3892)

Author: AllanZhengYP

packages/signature-v4/src/SignatureV4.spec.ts

@@ -54,6 +54,16 @@ describe("SignatureV4", () => {
       signingDate: new Date("2000-01-01T00:00:00.000Z"),
     };
 
+    it("should throw on invalid credential", async () => {
+      const signer = new SignatureV4({ ...signerInit, credentials: {} as any });
+      try {
+        await signer.presign(minimalRequest, presigningOptions);
+        fail("This test is expected to fail");
+      } catch (e) {
+        expect(e.message).toBe("Resolved credential object is not valid");
+      }
+    });
+
     it("should sign requests without bodies", async () => {
       const { query } = await signer.presign(minimalRequest, presigningOptions);
       expect(query).toEqual({
@@ -364,6 +374,16 @@ describe("SignatureV4", () => {
   });
 
   describe("#sign (request)", () => {
+    it("should throw on invalid credential", async () => {
+      const signer = new SignatureV4({ ...signerInit, credentials: {} as any });
+      try {
+        await signer.sign(minimalRequest);
+        fail("This test is expected to fail");
+      } catch (e) {
+        expect(e.message).toBe("Resolved credential object is not valid");
+      }
+    });
+
     it("should sign requests without bodies", async () => {
       const { headers } = await signer.sign(minimalRequest, {
         signingDate: new Date("2000-01-01T00:00:00.000Z"),
@@ -658,6 +678,16 @@ describe("SignatureV4", () => {
       sha256: Sha256,
     };
 
+    it("should throw on invalid credential", async () => {
+      const signer = new SignatureV4({ ...signerInit, credentials: {} as any });
+      try {
+        await signer.sign("STRING_TO_SIGN");
+        fail("This test is expected to fail");
+      } catch (e) {
+        expect(e.message).toBe("Resolved credential object is not valid");
+      }
+    });
+
     it("should produce signatures matching known outputs", async () => {
       // Example copied from https://github.com/aws/aws-sdk-php/blob/3.42.0/tests/S3/PostObjectV4Test.php#L37
       const signer = new SignatureV4(signerInit);
@@ -700,6 +730,25 @@ describe("SignatureV4", () => {
       sha256: Sha256,
     };
 
+    it("should throw on invalid credential", async () => {
+      const signer = new SignatureV4({ ...signerInit, credentials: {} as any });
+      try {
+        await signer.sign(
+          {
+            headers: Uint8Array.from([5, 58, 100, 97, 116, 101, 8, 0, 0, 1, 103, 247, 125, 87, 112]),
+            payload: "foo" as any,
+          },
+          {
+            signingDate: new Date(1369353600000),
+            priorSignature: "",
+          }
+        );
+        fail("This test is expected to fail");
+      } catch (e) {
+        expect(e.message).toBe("Resolved credential object is not valid");
+      }
+    });
+
     it("support event signing", async () => {
       const signer = new SignatureV4(signerInit);
       const eventSignature = await signer.sign(

packages/signature-v4/src/SignatureV4.ts

@@ -127,6 +127,7 @@ export class SignatureV4 implements RequestPresigner, RequestSigner, StringSigne
       signingService,
     } = options;
     const credentials = await this.credentialProvider();
+    this.validateResolvedCredentials(credentials);
     const region = signingRegion ?? (await this.regionProvider());
 
     const { longDate, shortDate } = formatDate(signingDate);
@@ -200,6 +201,7 @@ export class SignatureV4 implements RequestPresigner, RequestSigner, StringSigne
     { signingDate = new Date(), signingRegion, signingService }: SigningArguments = {}
   ): Promise<string> {
     const credentials = await this.credentialProvider();
+    this.validateResolvedCredentials(credentials);
     const region = signingRegion ?? (await this.regionProvider());
     const { shortDate } = formatDate(signingDate);
 
@@ -219,6 +221,7 @@ export class SignatureV4 implements RequestPresigner, RequestSigner, StringSigne
     }: RequestSigningArguments = {}
   ): Promise<HttpRequest> {
     const credentials = await this.credentialProvider();
+    this.validateResolvedCredentials(credentials);
     const region = signingRegion ?? (await this.regionProvider());
     const request = prepareRequest(requestToSign);
     const { longDate, shortDate } = formatDate(signingDate);
@@ -327,6 +330,18 @@ ${toHex(hashedRequest)}`;
   ): Promise<Uint8Array> {
     return getSigningKey(this.sha256, credentials, shortDate, region, service || this.service);
   }
+
+  private validateResolvedCredentials(credentials: unknown) {
+    if (
+      typeof credentials !== "object" ||
+      // @ts-expect-error: Property 'accessKeyId' does not exist on type 'object'.ts(2339)
+      typeof credentials.accessKeyId !== "string" ||
+      // @ts-expect-error: Property 'secretAccessKey' does not exist on type 'object'.ts(2339)
+      typeof credentials.secretAccessKey !== "string"
+    ) {
+      throw new Error("Resolved credential object is not valid");
+    }
+  }
 }
 
 const formatDate = (now: DateInput): { longDate: string; shortDate: string } => {