aws sig v4 authen

test/s3/sse/s3_sse_range_server_test.go

@@ -3,18 +3,44 @@ package sse_test
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"fmt"
 	"io"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
 	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+// signRawHTTPRequest signs a raw HTTP request with AWS Signature V4
+func signRawHTTPRequest(ctx context.Context, req *http.Request, cfg *S3SSETestConfig) error {
+	// Create credentials
+	creds := aws.Credentials{
+		AccessKeyID:     cfg.AccessKey,
+		SecretAccessKey: cfg.SecretKey,
+	}
+
+	// Create signer
+	signer := v4.NewSigner()
+
+	// Calculate payload hash (empty for GET requests)
+	payloadHash := fmt.Sprintf("%x", sha256.Sum256([]byte{}))
+
+	// Sign the request
+	err := signer.SignHTTP(ctx, creds, req, payloadHash, "s3", cfg.Region, time.Now())
+	if err != nil {
+		return fmt.Errorf("failed to sign request: %w", err)
+	}
+
+	return nil
+}
+
 // TestSSECRangeRequestsServerBehavior tests that the server correctly handles Range requests
 // for SSE-C encrypted objects by checking actual HTTP response (not SDK-processed response)
 func TestSSECRangeRequestsServerBehavior(t *testing.T) {
@@ -121,6 +147,10 @@ func TestSSECRangeRequestsServerBehavior(t *testing.T) {
 			req.Header.Set("x-amz-server-side-encryption-customer-key", sseKey.KeyB64)
 			req.Header.Set("x-amz-server-side-encryption-customer-key-MD5", sseKey.KeyMD5)
 
+			// Sign the request with AWS Signature V4
+			err = signRawHTTPRequest(ctx, req, defaultConfig)
+			require.NoError(t, err, "Failed to sign HTTP request")
+
 			// Make request with raw HTTP client
 			httpClient := &http.Client{}
 			resp, err := httpClient.Do(req)
@@ -214,6 +244,10 @@ func TestSSEKMSRangeRequestsServerBehavior(t *testing.T) {
 			require.NoError(t, err)
 			req.Header.Set("Range", tc.rangeHeader)
 
+			// Sign the request with AWS Signature V4
+			err = signRawHTTPRequest(ctx, req, defaultConfig)
+			require.NoError(t, err, "Failed to sign HTTP request")
+
 			httpClient := &http.Client{}
 			resp, err := httpClient.Do(req)
 			require.NoError(t, err)
@@ -274,6 +308,10 @@ func TestSSES3RangeRequestsServerBehavior(t *testing.T) {
 	require.NoError(t, err)
 	req.Header.Set("Range", "bytes=1000-1999")
 
+	// Sign the request with AWS Signature V4
+	err = signRawHTTPRequest(ctx, req, defaultConfig)
+	require.NoError(t, err, "Failed to sign HTTP request")
+
 	httpClient := &http.Client{}
 	resp, err := httpClient.Do(req)
 	require.NoError(t, err)
@@ -378,6 +416,10 @@ func TestSSEMultipartRangeRequestsServerBehavior(t *testing.T) {
 	req.Header.Set("x-amz-server-side-encryption-customer-key", sseKey.KeyB64)
 	req.Header.Set("x-amz-server-side-encryption-customer-key-MD5", sseKey.KeyMD5)
 
+	// Sign the request with AWS Signature V4
+	err = signRawHTTPRequest(ctx, req, defaultConfig)
+	require.NoError(t, err, "Failed to sign HTTP request")
+
 	httpClient := &http.Client{}
 	resp, err := httpClient.Do(req)
 	require.NoError(t, err)