From 8859372f8b5b96db404fdd9e226e4b40cc2496b3 Mon Sep 17 00:00:00 2001
From: Luc Talatinian <lucix@amazon.com>
Date: Wed, 25 Sep 2024 18:42:35 -0400
Subject: [PATCH] switch to unsigned payload as func

---
 aws-http-auth/internal/v4/signer.go      |  2 +-
 aws-http-auth/internal/v4/signer_test.go |  4 ++--
 aws-http-auth/sigv4/sigv4_test.go        |  2 +-
 aws-http-auth/sigv4a/e2e_test.go         |  2 +-
 aws-http-auth/sigv4a/sigv4a_test.go      |  4 ++--
 aws-http-auth/v4/v4.go                   | 10 ++++++----
 6 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/aws-http-auth/internal/v4/signer.go b/aws-http-auth/internal/v4/signer.go
index c8c7db63..3ded1048 100644
--- a/aws-http-auth/internal/v4/signer.go
+++ b/aws-http-auth/internal/v4/signer.go
@@ -91,7 +91,7 @@ func (s *Signer) resolvePayloadHash() error {
 
 	rs, ok := s.Request.Body.(io.ReadSeeker)
 	if !ok || s.Options.DisableImplicitPayloadHashing {
-		s.PayloadHash = []byte(v4.UnsignedPayload)
+		s.PayloadHash = v4.UnsignedPayload()
 		return nil
 	}
 
diff --git a/aws-http-auth/internal/v4/signer_test.go b/aws-http-auth/internal/v4/signer_test.go
index d721e97a..842800f8 100644
--- a/aws-http-auth/internal/v4/signer_test.go
+++ b/aws-http-auth/internal/v4/signer_test.go
@@ -153,7 +153,7 @@ func TestBuildCanonicalRequest_SortQuery(t *testing.T) {
 	req.Header.Set("Host", "service.region.amazonaws.com")
 	s := &Signer{
 		Request:     req,
-		PayloadHash: []byte(v4.UnsignedPayload),
+		PayloadHash: v4.UnsignedPayload(),
 		Options: v4.SignerOptions{
 			HeaderRules: defaultHeaderRules{},
 		},
@@ -186,7 +186,7 @@ func TestBuildCanonicalRequest_EmptyQuery(t *testing.T) {
 	req.Header.Set("Host", "service.region.amazonaws.com")
 	s := &Signer{
 		Request:     req,
-		PayloadHash: []byte(v4.UnsignedPayload),
+		PayloadHash: v4.UnsignedPayload(),
 		Options: v4.SignerOptions{
 			HeaderRules: defaultHeaderRules{},
 		},
diff --git a/aws-http-auth/sigv4/sigv4_test.go b/aws-http-auth/sigv4/sigv4_test.go
index df7571a7..6576b192 100644
--- a/aws-http-auth/sigv4/sigv4_test.go
+++ b/aws-http-auth/sigv4/sigv4_test.go
@@ -116,7 +116,7 @@ func TestSignRequest(t *testing.T) {
 		"explicit unsigned payload": {
 			Input: &SignRequestInput{
 				Request:     newRequest(seekable("{}")),
-				PayloadHash: []byte(v4.UnsignedPayload),
+				PayloadHash: v4.UnsignedPayload(),
 				Credentials: credsSession,
 				Service:     "dynamodb",
 				Region:      "us-east-1",
diff --git a/aws-http-auth/sigv4a/e2e_test.go b/aws-http-auth/sigv4a/e2e_test.go
index 00b3cdf4..bc12be45 100644
--- a/aws-http-auth/sigv4a/e2e_test.go
+++ b/aws-http-auth/sigv4a/e2e_test.go
@@ -150,7 +150,7 @@ func signV4(signer *sigv4.Signer, creds credentials.Credentials, region string)
 func signV4A(signer *Signer, creds credentials.Credentials, isUnsignedPayload bool) func(*http.Request) error {
 	var payloadHash []byte
 	if isUnsignedPayload {
-		payloadHash = []byte(v4.UnsignedPayload)
+		payloadHash = v4.UnsignedPayload()
 	}
 	return func(r *http.Request) error {
 		err := signer.SignRequest(&SignRequestInput{
diff --git a/aws-http-auth/sigv4a/sigv4a_test.go b/aws-http-auth/sigv4a/sigv4a_test.go
index 801afe2d..fc545aae 100644
--- a/aws-http-auth/sigv4a/sigv4a_test.go
+++ b/aws-http-auth/sigv4a/sigv4a_test.go
@@ -184,7 +184,7 @@ func TestSignRequest(t *testing.T) {
 		"explicit unsigned payload": {
 			Input: &SignRequestInput{
 				Request:     newRequest(seekable("{}")),
-				PayloadHash: []byte(v4.UnsignedPayload),
+				PayloadHash: v4.UnsignedPayload(),
 				Credentials: credsSession,
 				Service:     "dynamodb",
 				RegionSet:   []string{"us-east-1"},
@@ -395,7 +395,7 @@ func TestSignRequest_SignStringError(t *testing.T) {
 
 	err := s.SignRequest(&SignRequestInput{
 		Request:     newRequest(http.NoBody),
-		PayloadHash: []byte(v4.UnsignedPayload),
+		PayloadHash: v4.UnsignedPayload(),
 	})
 	if err == nil {
 		t.Fatal("expect error but didn't get one")
diff --git a/aws-http-auth/v4/v4.go b/aws-http-auth/v4/v4.go
index ab242a0a..15df1ba3 100644
--- a/aws-http-auth/v4/v4.go
+++ b/aws-http-auth/v4/v4.go
@@ -1,10 +1,6 @@
 // Package v4 exposes common APIs for AWS Signature Version 4.
 package v4
 
-// UnsignedPayload is a sentinel value for a payload hash to indicate that a
-// request's payload is unsigned.
-const UnsignedPayload = "UNSIGNED-PAYLOAD"
-
 // SignerOption applies configuration to a signer.
 type SignerOption func(*SignerOptions)
 
@@ -40,3 +36,9 @@ type SignerOptions struct {
 type SignedHeaderRules interface {
 	IsSigned(string) bool
 }
+
+// UnsignedPayload provides the sentinel value for a payload hash to indicate
+// that a request's payload is unsigned.
+func UnsignedPayload() []byte {
+	return []byte("UNSIGNED-PAYLOAD")
+}