smithy-lang · JordonPhillips · Aug 27, 2024
@@ -55,6 +55,7 @@ lint-py: pants
 	./pants fix lint python-packages/smithy-aws-core::
 	./pants fix lint python-packages/smithy-json::
 	./pants fix lint python-packages/smithy-event-stream::
+	./pants fix lint python-packages/aws-event-stream::
 
 
 ## Runs checkers for the python packages.
@@ -64,6 +65,7 @@ check-py: pants
 	./pants check python-packages/smithy-aws-core::
 	./pants check python-packages/smithy-json::
 	./pants check python-packages/smithy-event-stream::
+	./pants check python-packages/aws-event-stream::
 
 
 ## Runs tests for the python packages.
@@ -73,6 +75,7 @@ test-py: pants
 	./pants test python-packages/smithy-aws-core::
 	./pants test python-packages/smithy-json::
 	./pants test python-packages/smithy-event-stream::
+	./pants test python-packages/aws-event-stream::
 
 
 ## Runs formatters/fixers/linters/checkers/tests for the python packages.

@@ -0,0 +1,28 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+resource(name="pyproject", source="pyproject.toml")
+resource(name="readme", source="README.md")
+resource(name="notice", source="NOTICE")
+
+python_distribution(
+    name="dist",
+    dependencies=[
+        ":pyproject",
+        ":readme",
+        ":notice",
+        "python-packages/aws-event-stream/aws_event_stream:source",
+    ],
+    provides=python_artifact(
+        name="aws_event_stream",
+        version="0.0.1",
+    ),
+)
+
+# We shouldn't need this, but pants will assume that smithy_core is an external
+# dependency since it's in pyproject.toml and there's no way to exclude it, so
+# for now we need to duplicate things.
+python_requirements(
+    name="requirements",
+    source="requirements.txt",
+)
@@ -0,0 +1 @@
+include aws_event_stream/py.typed
@@ -0,0 +1 @@
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
@@ -0,0 +1,13 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+resource(name="pytyped", source="py.typed")
+
+python_sources(
+    name="source",
+    dependencies=[
+        ":pytyped",
+        "python-packages/aws-event-stream:requirements",
+    ],
+    sources=["**/*.py"],
+)
@@ -0,0 +1,2 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
@@ -0,0 +1,106 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+import datetime
+import hmac
+from binascii import hexlify
+from collections.abc import Callable
+from dataclasses import dataclass
+from hashlib import sha256
+from typing import Optional
+
+from .eventstream import (
+    HEADER_SERIALIZATION_VALUE,
+    HEADERS_SERIALIZATION_DICT,
+    EventStreamMessageSerializer,
+)
+
+
+def _utc_now() -> datetime.datetime:
+    return datetime.datetime.now(datetime.UTC)
+
+
+@dataclass
+class Credentials:
+    access_key_id: str
+    secret_access_key: str
+    session_token: str | None
+
+
+class EventSigner:
+    _ISO8601_TIMESTAMP_FMT = "%Y%m%dT%H%M%SZ"
+    _NOW_TYPE = Optional[Callable[[], datetime.datetime]]
+
+    def __init__(
+        self,
+        signing_name: str,
+        region: str,
+        utc_now: _NOW_TYPE = None,
+    ):
+        self.signing_name = signing_name
+        self.region = region
+        self.serializer = EventStreamMessageSerializer()
+        if utc_now is None:
+            utc_now = _utc_now
+        self._utc_now = utc_now
+
+    def sign(
+        self, payload: bytes, prior_signature: bytes, credentials: Credentials
+    ) -> HEADERS_SERIALIZATION_DICT:
+        now = self._utc_now()
+
+        # pyright gets confused for some reason if we use
+        # HEADERS_SERIALIZATION_DICT here. It gets convinced that the dict
+        # can only have datetime values.
+        headers: dict[str, HEADER_SERIALIZATION_VALUE] = {
+            ":date": now,
+        }
+
+        timestamp = now.strftime(self._ISO8601_TIMESTAMP_FMT)
+        string_to_sign = self._string_to_sign(
+            timestamp, headers, payload, prior_signature
+        )
+        event_signature = self._sign_event(timestamp, string_to_sign, credentials)
+        headers[":chunk-signature"] = event_signature
+        return headers
+
+    def _keypath(self, timestamp: str) -> str:
+        parts = [
+            timestamp[:8],  # Only using the YYYYMMDD
+            self.region,
+            self.signing_name,
+            "aws4_request",
+        ]
+        return "/".join(parts)
+
+    def _string_to_sign(
+        self,
+        timestamp: str,
+        headers: HEADERS_SERIALIZATION_DICT,
+        payload: bytes,
+        prior_signature: bytes,
+    ) -> str:
+        encoded_headers = self.serializer.encode_headers(headers)
+        parts = [
+            "AWS4-HMAC-SHA256-PAYLOAD",
+            timestamp,
+            self._keypath(timestamp),
+            hexlify(prior_signature).decode("utf-8"),
+            sha256(encoded_headers).hexdigest(),
+            sha256(payload).hexdigest(),
+        ]
+        return "\n".join(parts)
+
+    def _hmac(self, key: bytes, msg: bytes) -> bytes:
+        return hmac.new(key, msg, sha256).digest()
+
+    def _sign_event(
+        self, timestamp: str, string_to_sign: str, credentials: Credentials
+    ) -> bytes:
+        key = credentials.secret_access_key.encode("utf-8")
+        today = timestamp[:8].encode("utf-8")  # Only using the YYYYMMDD
+        k_date = self._hmac(b"AWS4" + key, today)
+        k_region = self._hmac(k_date, self.region.encode("utf-8"))
+        k_service = self._hmac(k_region, self.signing_name.encode("utf-8"))
+        k_signing = self._hmac(k_service, b"aws4_request")
+        return self._hmac(k_signing, string_to_sign.encode("utf-8"))