AWS SDK

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-form-url:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-event-stream:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:smithy-test:1.4.4-SNAPSHOT")

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs

import aws.sdk.kotlin.runtime.ClientException

import aws.sdk.kotlin.services.sqs.internal.ValidationEnabled

import aws.sdk.kotlin.services.sqs.internal.ValidationScope

import aws.sdk.kotlin.services.sqs.model.*

import aws.smithy.kotlin.runtime.client.ResponseInterceptorContext

import aws.smithy.kotlin.runtime.collections.AttributeKey

import aws.smithy.kotlin.runtime.hashing.md5

import aws.smithy.kotlin.runtime.http.interceptors.ChecksumMismatchException

import aws.smithy.kotlin.runtime.http.interceptors.HttpInterceptor

import aws.smithy.kotlin.runtime.http.request.HttpRequest

import aws.smithy.kotlin.runtime.http.response.HttpResponse

import aws.smithy.kotlin.runtime.io.SdkBuffer

import aws.smithy.kotlin.runtime.telemetry.logging.Logger

import aws.smithy.kotlin.runtime.telemetry.logging.error

import aws.smithy.kotlin.runtime.telemetry.logging.logger

import aws.smithy.kotlin.runtime.util.asyncLazy

import kotlinx.coroutines.runBlocking

import kotlin.coroutines.coroutineContext

private const val STRING_TYPE_FIELD_INDEX: Byte = 1

private const val BINARY_TYPE_FIELD_INDEX: Byte = 2

private const val STRING_LIST_TYPE_FIELD_INDEX: Byte = 3

private const val BINARY_LIST_TYPE_FIELD_INDEX: Byte = 4

/**

 * Interceptor that validates MD5 checksums for SQS message operations.

 *

 * This interceptor performs client-side validation of MD5 checksums returned by SQS to ensure

 * message integrity during transmission. It validates the following components:

 * - Message body

 * - Message attributes

 * - Message system attributes

 *

 * The validation behavior can be configured using:

 * - [checksumValidationEnabled] - Controls when validation occurs (`ALWAYS`, `WHEN_SENDING`, `WHEN_RECEIVING`, `NEVER`)

 * - [checksumValidationScopes] - Specifies which message components to validate

 *

 * Supported operations:

 * - SendMessage

 * - SendMessageBatch

 * - ReceiveMessage

 */

@OptIn(ExperimentalStdlibApi::class)

public class SqsMd5ChecksumValidationInterceptor(

    private val validationEnabled: ValidationEnabled,

    private val validationScopes: Set<ValidationScope>,

) : HttpInterceptor {

    public companion object {

        private val isMd5Available = asyncLazy {

            try {

                "MD5".encodeToByteArray().md5()

                true

            } catch (e: Exception) {

                coroutineContext.error<SqsMd5ChecksumValidationInterceptor>(e) {

                    "MD5 checksums are not available (likely due to FIPS mode). Checksum validation will be disabled."

                }

                false

            }

        }

    }

    override fun readAfterExecution(context: ResponseInterceptorContext<Any, Any, HttpRequest?, HttpResponse?>) {

        if (validationEnabled == ValidationEnabled.NEVER || runBlocking { !isMd5Available.get() }) return

        val logger = context.executionContext.coroutineContext.logger<SqsMd5ChecksumValidationInterceptor>()

        val request = context.request

        context.response.getOrNull()?.let { response ->

            when (request) {

                is SendMessageRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_RECEIVING) return

                    val sendMessageResponse = response as SendMessageResponse

                    sendMessageOperationMd5Check(request, sendMessageResponse, logger)

                }

                is ReceiveMessageRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_SENDING) return

                    val receiveMessageResponse = response as ReceiveMessageResponse

                    receiveMessageResultMd5Check(receiveMessageResponse, logger)

                }

                is SendMessageBatchRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_RECEIVING) return

                    val sendMessageBatchResponse = response as SendMessageBatchResponse

                    sendMessageBatchOperationMd5Check(request, sendMessageBatchResponse, logger)

                }

            }

        }

        // Sets validation flag in execution context for e2e test assertions

        val checksumValidated: AttributeKey<Boolean> = AttributeKey("checksumValidated")

        context.executionContext[checksumValidated] = true

    }

    private fun sendMessageOperationMd5Check(

        sendMessageRequest: SendMessageRequest,

        sendMessageResponse: SendMessageResponse,

        logger: Logger,

    ) {

        if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

            val messageBodyMd5Returned = sendMessageResponse.md5OfMessageBody

            val messageBodySent = sendMessageRequest.messageBody

            if (!messageBodyMd5Returned.isNullOrEmpty() && !messageBodySent.isNullOrEmpty()) {

                logger.debug { "Validating message body MD5 checksum for SendMessage" }

                val clientSideBodyMd5 = calculateMessageBodyMd5(messageBodySent)

                validateMd5(clientSideBodyMd5, messageBodyMd5Returned)

                logger.debug { "Message body MD5 checksum for SendMessage validated" }

            }

        }

        if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

            val messageAttrMd5Returned = sendMessageResponse.md5OfMessageAttributes

            val messageAttrSent = sendMessageRequest.messageAttributes

            if (!messageAttrMd5Returned.isNullOrEmpty() && !messageAttrSent.isNullOrEmpty()) {

                logger.debug { "Validating message attribute MD5 checksum for SendMessage" }

                val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttrSent)

                validateMd5(clientSideAttrMd5, messageAttrMd5Returned)

                logger.debug { "Message attribute MD5 checksum for SendMessage validated" }

            }

        }

        if (validationScopes.contains(ValidationScope.MESSAGE_SYSTEM_ATTRIBUTES)) {

            val messageSysAttrMD5Returned = sendMessageResponse.md5OfMessageSystemAttributes

            val messageSysAttrSent = sendMessageRequest.messageSystemAttributes

            if (!messageSysAttrMD5Returned.isNullOrEmpty() && !messageSysAttrSent.isNullOrEmpty()) {

                logger.debug { "Validating message system attribute MD5 checksum for SendMessage" }

                val clientSideSysAttrMd5 = calculateMessageSystemAttributesMd5(messageSysAttrSent)

                validateMd5(clientSideSysAttrMd5, messageSysAttrMD5Returned)

                logger.debug { "Message system attribute MD5 checksum for SendMessage validated" }

            }

        }

    }

    private fun receiveMessageResultMd5Check(receiveMessageResponse: ReceiveMessageResponse, logger: Logger) {

        receiveMessageResponse.messages?.forEach { messageReceived ->

            if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

                val messageBodyMd5Returned = messageReceived.md5OfBody

                val messageBodyReturned = messageReceived.body

                if (!messageBodyMd5Returned.isNullOrEmpty() && !messageBodyReturned.isNullOrEmpty()) {

                    logger.debug { "Validating message body MD5 checksum for ReceiveMessage" }

                    val clientSideBodyMd5 = calculateMessageBodyMd5(messageBodyReturned)

                    validateMd5(clientSideBodyMd5, messageBodyMd5Returned)

                    logger.debug { "Message body MD5 checksum for ReceiveMessage validated" }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

                val messageAttrMd5Returned = messageReceived.md5OfMessageAttributes

                val messageAttrReturned = messageReceived.messageAttributes

                if (!messageAttrMd5Returned.isNullOrEmpty() && !messageAttrReturned.isNullOrEmpty()) {

                    logger.debug { "Validating message attribute MD5 checksum for ReceiveMessage" }

                    val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttrReturned)

                    validateMd5(clientSideAttrMd5, messageAttrMd5Returned)

                    logger.debug { "Message attribute MD5 checksum for ReceiveMessage validated" }

                }

            }

        }

    }

    private fun sendMessageBatchOperationMd5Check(

        sendMessageBatchRequest: SendMessageBatchRequest,

        sendMessageBatchResponse: SendMessageBatchResponse,

        logger: Logger,

    ) {

        val idToRequestEntry = sendMessageBatchRequest

            .entries

            .orEmpty()

            .associateBy { it.id }

        for (entry in sendMessageBatchResponse.successful) {

            if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

                val messageBodyMd5Returned = entry.md5OfMessageBody

                val messageBodySent = idToRequestEntry[entry.id]?.messageBody

                if (!messageBodyMd5Returned.isNullOrEmpty() && !messageBodySent.isNullOrEmpty()) {

                    logger.debug { "Validating message body MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val clientSideBodyMd5 = calculateMessageBodyMd5(messageBodySent)

                    validateMd5(clientSideBodyMd5, messageBodyMd5Returned)

                    logger.debug { "Message body MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

                val messageAttrMD5Returned = entry.md5OfMessageAttributes

                val messageAttrSent = idToRequestEntry[entry.id]?.messageAttributes

                if (!messageAttrMD5Returned.isNullOrEmpty() && !messageAttrSent.isNullOrEmpty()) {

                    logger.debug { "Validating message attribute MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttrSent)

                    validateMd5(clientSideAttrMd5, messageAttrMD5Returned)

                    logger.debug { "Message attribute MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_SYSTEM_ATTRIBUTES)) {

                val messageSysAttrMD5Returned = entry.md5OfMessageSystemAttributes

                val messageSysAttrSent = idToRequestEntry[entry.id]?.messageSystemAttributes

                if (!messageSysAttrMD5Returned.isNullOrEmpty() && !messageSysAttrSent.isNullOrEmpty()) {

                    logger.debug { "Validating message system attribute MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val clientSideSysAttrMd5 = calculateMessageSystemAttributesMd5(messageSysAttrSent)

                    validateMd5(clientSideSysAttrMd5, messageSysAttrMD5Returned)

                    logger.debug { "Message system attribute MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

        }

    }

    private fun validateMd5(clientSideMd5: String, md5Returned: String) {

        if (clientSideMd5 != md5Returned) {

            throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideMd5 but was $md5Returned")

        }

    }

    private fun calculateMessageBodyMd5(messageBody: String) =

        messageBody.encodeToByteArray().md5().toHexString()

    /**

     * Calculates the MD5 digest for message attributes according to SQS specifications.

     * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-message-metadata.html#sqs-attributes-md5-message-digest-calculation

     */

    private fun calculateMessageAttributesMd5(messageAttributes: Map<String, MessageAttributeValue>): String {

        val buffer = SdkBuffer()

        messageAttributes

            .entries

            .sortedBy { (attributeName, _) -> attributeName }

            .forEach { (attributeName, attributeValue) ->

                updateLengthAndBytes(buffer, attributeName)

                updateLengthAndBytes(buffer, attributeValue.dataType)

                when {

                    attributeValue.stringValue != null -> updateForStringType(buffer, attributeValue.stringValue)

                    attributeValue.binaryValue != null -> updateForBinaryType(buffer, attributeValue.binaryValue)

                    !attributeValue.stringListValues.isNullOrEmpty() -> updateForStringListType(buffer, attributeValue.stringListValues)

                    !attributeValue.binaryListValues.isNullOrEmpty() -> updateForBinaryListType(buffer, attributeValue.binaryListValues)

                    else -> throw ClientException("No value type found for attribute $attributeName")

                }

            }

        val payload = buffer.readByteArray()

        return payload.md5().toHexString()

    }

    private fun calculateMessageSystemAttributesMd5(

        messageSystemAttributes: Map<MessageSystemAttributeNameForSends, MessageSystemAttributeValue>,

    ): String {

        val buffer = SdkBuffer()

        messageSystemAttributes

            .entries

            .sortedBy { (systemAttributeName, _) -> systemAttributeName.value }

            .forEach { (systemAttributeName, systemAttributeValue) ->

                updateLengthAndBytes(buffer, systemAttributeName.value)

                updateLengthAndBytes(buffer, systemAttributeValue.dataType)

                when {

                    systemAttributeValue.stringValue != null -> updateForStringType(buffer, systemAttributeValue.stringValue)

                    systemAttributeValue.binaryValue != null -> updateForBinaryType(buffer, systemAttributeValue.binaryValue)

                    !systemAttributeValue.stringListValues.isNullOrEmpty() -> updateForStringListType(buffer, systemAttributeValue.stringListValues)

                    !systemAttributeValue.binaryListValues.isNullOrEmpty() -> updateForBinaryListType(buffer, systemAttributeValue.binaryListValues)

                    else -> throw ClientException("No value type found for system attribute $systemAttributeName")

                }

            }

        val payload = buffer.readByteArray()

        return payload.md5().toHexString()

    }

    private fun updateForStringType(buffer: SdkBuffer, value: String) {

        buffer.writeByte(STRING_TYPE_FIELD_INDEX)

        updateLengthAndBytes(buffer, value)

    }

    private fun updateForBinaryType(buffer: SdkBuffer, value: ByteArray) {

        buffer.writeByte(BINARY_TYPE_FIELD_INDEX)

        updateLengthAndBytes(buffer, value)

    }

    private fun updateForStringListType(buffer: SdkBuffer, values: List<String>) {

        buffer.writeByte(STRING_LIST_TYPE_FIELD_INDEX)

        values.forEach { value ->

            updateLengthAndBytes(buffer, value)

        }

    }

    private fun updateForBinaryListType(buffer: SdkBuffer, values: List<ByteArray>) {

        buffer.writeByte(BINARY_LIST_TYPE_FIELD_INDEX)

        values.forEach { value ->

            updateLengthAndBytes(buffer, value)

        }

    }

    private fun updateLengthAndBytes(buffer: SdkBuffer, stringValue: String) =

        updateLengthAndBytes(buffer, stringValue.encodeToByteArray())

    /**

     * Update the digest using a sequence of bytes that consists of the length (in 4 bytes) of the

     * input binaryValue and all the bytes it contains.

     */

    private fun updateLengthAndBytes(buffer: SdkBuffer, binaryValue: ByteArray) {

        buffer.writeInt(binaryValue.size)

        buffer.write(binaryValue)

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs.internal

import aws.sdk.kotlin.runtime.config.profile.*

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.smithy.kotlin.runtime.config.resolve

import aws.smithy.kotlin.runtime.util.LazyAsyncValue

import aws.smithy.kotlin.runtime.util.PlatformProvider

internal suspend fun finalizeSqsConfig(

    builder: SqsClient.Builder,

    sharedConfig: LazyAsyncValue<AwsSharedConfig>,

    provider: PlatformProvider = PlatformProvider.System,

) {

    val activeProfile = sharedConfig.get().activeProfile

    builder.config.checksumValidationEnabled = builder.config.checksumValidationEnabled

        ?: SqsSetting.checksumValidationEnabled.resolve(provider)

        ?: activeProfile.checksumValidationEnabled

        ?: ValidationEnabled.NEVER // TODO: MD5 checksum validation is temporarily disabled. Set default to ALWAYS in v1.5

    builder.config.checksumValidationScopes = builder.config.checksumValidationScopes

        ?: SqsSetting.checksumValidationScopes.resolve(provider)

        ?: activeProfile.checksumValidationScopes

        ?: ValidationScope.entries.toSet()

}

private val AwsProfile.checksumValidationEnabled: ValidationEnabled?

    get() = getEnumOrNull<ValidationEnabled>("sqs_checksum_validation_enabled")

private val AwsProfile.checksumValidationScopes: Set<ValidationScope>?

    get() = getEnumSetOrNull<ValidationScope>("sqs_checksum_validation_scope")

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs.internal

import aws.smithy.kotlin.runtime.config.*

/**

 * SQS specific system settings

 */

internal object SqsSetting {

    /**

     * Configure when MD5 checksum validation is performed for SQS operations.

     *

     * Can be configured using:

     * - System property: aws.SqsChecksumValidationEnabled

     * - Environment variable: AWS_SQS_CHECKSUM_VALIDATION_ENABLED

     *

     * Valid values:

     * - ALWAYS - Validates checksums for both sending and receiving operations

     * - WHEN_SENDING - Validates checksums only when sending messages

     * - WHEN_RECEIVING - Validates checksums only when receiving messages

     * - NEVER (default) - Disables checksum validation

     *

     * Note: Value matching is case-insensitive when configured via environment variables.

     */

    public val checksumValidationEnabled: EnvironmentSetting<ValidationEnabled> =

        enumEnvSetting("aws.SqsChecksumValidationEnabled", "AWS_SQS_CHECKSUM_VALIDATION_ENABLED")

    /**

     * Configure the scope of checksum validation for SQS operations.

     *

     * Can be configured using:

     * - System property: aws.SqsChecksumValidationScope

     * - Environment variable: AWS_SQS_CHECKSUM_VALIDATION_SCOPE

     *

     * Valid values are comma-separated combinations of:

     * - MESSAGE_BODY: Validate message body checksums

     * - MESSAGE_ATTRIBUTES: Validate message attribute checksums

     * - SYSTEM_ATTRIBUTES: Validate system attribute checksums

     *

     * Example: "MESSAGE_BODY,MESSAGE_ATTRIBUTES"

     *

     * If not specified, defaults to validating all scopes.

     */

    public val checksumValidationScopes: EnvironmentSetting<Set<ValidationScope>?> =

        enumSetEnvSetting<ValidationScope>("aws.SqsChecksumValidationScope", "AWS_SQS_CHECKSUM_VALIDATION_SCOPE")

}

package aws.sdk.kotlin.services.sqs.internal

/**

 * Controls when MD5 checksum validation is performed for SQS operations.

 *

 * This configuration determines under which conditions checksums will be automatically

 * calculated and validated for SQS message operations.

 *

 * Valid values:

 * - `ALWAYS` - Validates checksums for both sending and receiving operations

 *           (SendMessage, SendMessageBatch, and ReceiveMessage)

 * - `WHEN_SENDING` - Validates checksums only when sending messages

 *                 (SendMessage and SendMessageBatch)

 * - `WHEN_RECEIVING` - Validates checksums only when receiving messages

 *                   (ReceiveMessage)

 * - `NEVER` - Disables checksum validation completely

 *

 * Default: `NEVER`

 */

// TODO: MD5 checksum validation is temporarily disabled. Change default to ALWAYS in v1.5

public enum class ValidationEnabled {

    ALWAYS,

    WHEN_SENDING,

    WHEN_RECEIVING,

    NEVER,

}

/**

 * Specifies which parts of an SQS message should undergo MD5 checksum validation.

 *

 * This configuration determines which components of a message will be validated

 * when checksum validation is enabled.

 *

 * Valid values:

 * - `MESSAGE_ATTRIBUTES` - Validates checksums for message attributes

 * - `MESSAGE_SYSTEM_ATTRIBUTES` - Validates checksums for message system attributes

 *   (Note: Not available for ReceiveMessage operations as SQS does not calculate

 *   checksums for system attributes during message receipt)

 * - `MESSAGE_BODY` - Validates checksums for the message body

 *

 * Default: All scopes enabled

 */

public enum class ValidationScope {

    MESSAGE_ATTRIBUTES,

    MESSAGE_SYSTEM_ATTRIBUTES,

    MESSAGE_BODY,

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.e2etest

import aws.sdk.kotlin.e2etest.SqsTestUtils.DEFAULT_REGION

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_ATTRIBUTES_NAME

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_ATTRIBUTES_VALUE

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_BODY

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_QUEUE_PREFIX

import aws.sdk.kotlin.e2etest.SqsTestUtils.buildSendMessageBatchRequestEntry

import aws.sdk.kotlin.e2etest.SqsTestUtils.deleteQueueAndAllMessages

import aws.sdk.kotlin.e2etest.SqsTestUtils.getTestQueueUrl

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.sdk.kotlin.services.sqs.internal.ValidationEnabled

import aws.sdk.kotlin.services.sqs.model.*

import aws.smithy.kotlin.runtime.client.ResponseInterceptorContext

import aws.smithy.kotlin.runtime.collections.AttributeKey

import aws.smithy.kotlin.runtime.collections.get

import aws.smithy.kotlin.runtime.hashing.md5

import aws.smithy.kotlin.runtime.http.interceptors.ChecksumMismatchException

import aws.smithy.kotlin.runtime.http.interceptors.HttpInterceptor

import aws.smithy.kotlin.runtime.http.request.HttpRequest

import aws.smithy.kotlin.runtime.http.response.HttpResponse

import kotlinx.coroutines.runBlocking

import org.junit.jupiter.api.*

import org.junit.jupiter.api.Assertions.assertNotNull

/**

 * Tests for Sqs MD5 checksum validation

 */

@TestInstance(TestInstance.Lifecycle.PER_CLASS)

class SqsMd5ChecksumValidationTest {

    // An interceptor that set wrong md5 checksums in SQS response

    @OptIn(ExperimentalStdlibApi::class)

    private val wrongChecksumInterceptor = object : HttpInterceptor {

        override suspend fun modifyBeforeCompletion(

            context: ResponseInterceptorContext<Any, Any, HttpRequest?, HttpResponse?>,

        ): Result<Any> {

            val wrongMd5ofMessageBody = "wrong message md5".encodeToByteArray().md5().toHexString()

            val wrongMd5ofMessageAttribute = "wrong attribute md5".encodeToByteArray().md5().toHexString()

            val wrongMd5ofMessageSystemAttribute = "wrong system attribute md5".encodeToByteArray().md5().toHexString()

            when (val response = context.response.getOrNull()) {

                is SendMessageResponse -> {

                    val modifiedResponse = response.copy {

                        md5OfMessageAttributes = wrongMd5ofMessageAttribute

                    }

                    return Result.success(modifiedResponse)

                }

                is ReceiveMessageResponse -> {

                    val modifiedMessages = response.messages?.map { message ->

                        message.copy {

                            md5OfBody = wrongMd5ofMessageBody

                        }

                    }

                    val modifiedResponse = ReceiveMessageResponse {

                        messages = modifiedMessages

                    }

                    return Result.success(modifiedResponse)

                }

                is SendMessageBatchResponse -> {

                    val modifiedEntries = response.successful.map { entry ->

                        entry.copy {

                            md5OfMessageSystemAttributes = wrongMd5ofMessageSystemAttribute

                        }

                    }

                    val modifiedResponse = SendMessageBatchResponse {

                        successful = modifiedEntries

                        failed = response.failed

                    }

                    return Result.success(modifiedResponse)

                }

            }

            return context.response

        }

    }

    // An interceptor that checks if the SQS md5 checksum was validated

    private val checksumValidationAssertionInterceptor = object : HttpInterceptor {

        private val supportedOperations = setOf(

            "SendMessage",

            "SendMessageBatch",

            "ReceiveMessage",

        )

        override fun readAfterExecution(context: ResponseInterceptorContext<Any, Any, HttpRequest?, HttpResponse?>) {

            val operationName = context.executionContext.attributes[AttributeKey("aws.smithy.kotlin#OperationName")] as String

            if (operationName !in supportedOperations) {

                return

            }

            assertNotNull(context.executionContext.attributes[AttributeKey("checksumValidated")])

            val isChecksumValidated = context.executionContext.attributes[AttributeKey("checksumValidated")] as Boolean

            assert(isChecksumValidated)

        }

    }

    private lateinit var correctChecksumClient: SqsClient

    private lateinit var wrongChecksumClient: SqsClient

    private lateinit var testQueueUrl: String

    @BeforeAll

    private fun setUp(): Unit = runBlocking {

        correctChecksumClient = SqsClient.fromEnvironment {

            region = DEFAULT_REGION

            checksumValidationEnabled = ValidationEnabled.ALWAYS

            interceptors += checksumValidationAssertionInterceptor

        }

        wrongChecksumClient = SqsClient.fromEnvironment {

            region = DEFAULT_REGION

            checksumValidationEnabled = ValidationEnabled.ALWAYS

            interceptors += wrongChecksumInterceptor

        }

        testQueueUrl = getTestQueueUrl(correctChecksumClient, TEST_QUEUE_PREFIX)

    }

    @AfterAll

    private fun cleanUp(): Unit = runBlocking {

        deleteQueueAndAllMessages(correctChecksumClient, testQueueUrl)

        correctChecksumClient.close()

        wrongChecksumClient.close()

    }

    @Test

    fun testSendMessage(): Unit = runBlocking {

        correctChecksumClient.sendMessage(

            SendMessageRequest {

                queueUrl = testQueueUrl

                messageBody = TEST_MESSAGE_BODY

                messageAttributes = mapOf(

                    TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                        dataType = "String"

                        stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE

                    },

                    TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                        dataType = "Binary"

                        binaryValue = TEST_MESSAGE_ATTRIBUTES_VALUE.toByteArray()

                    },

                )

                messageSystemAttributes = mapOf(

                    MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                        dataType = "String"

                        stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

                    },

                )

            },

        )

    }

    @Test

    fun testReceiveMessage(): Unit = runBlocking {

        correctChecksumClient.receiveMessage(

            ReceiveMessageRequest {

                queueUrl = testQueueUrl

                maxNumberOfMessages = 1

                messageAttributeNames = listOf(TEST_MESSAGE_ATTRIBUTES_NAME)

                messageSystemAttributeNames = listOf(MessageSystemAttributeName.AwsTraceHeader)

            },

        )

    }

    @Test

    fun testSendMessageBatch(): Unit = runBlocking {

        val entries = (1..5).map { batchId ->

            buildSendMessageBatchRequestEntry(batchId)

        }

        correctChecksumClient.sendMessageBatch(

            SendMessageBatchRequest {

                queueUrl = testQueueUrl

                this.entries = entries

            },

        )

    }

    @Test

    fun testSendMessageWithWrongChecksum(): Unit = runBlocking {

        assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.sendMessage(

                SendMessageRequest {

                    queueUrl = testQueueUrl

                    messageBody = TEST_MESSAGE_BODY

                    messageAttributes = mapOf(

                        TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                            dataType = "String"

                            stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE

                        },

                    )

                    messageSystemAttributes = mapOf(

                        MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                            dataType = "String"

                            stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

                        },

                    )

                },

            )

        }

    }

    @Test

    fun testReceiveMessageWithWrongChecksum(): Unit = runBlocking {

        assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.receiveMessage(

                ReceiveMessageRequest {

                    queueUrl = testQueueUrl

                    maxNumberOfMessages = 1

                    messageAttributeNames = listOf(TEST_MESSAGE_ATTRIBUTES_NAME)

                    messageSystemAttributeNames = listOf(MessageSystemAttributeName.AwsTraceHeader)

                },

            )

        }

    }

    @Test

    fun testSendMessageBatchWithWrongChecksum(): Unit = runBlocking {

        val entries = (1..5).map { batchId ->

            buildSendMessageBatchRequestEntry(batchId)

        }

        assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.sendMessageBatch(

                SendMessageBatchRequest {

                    queueUrl = testQueueUrl

                    this.entries = entries

                },

            )

        }

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.e2etest

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.sdk.kotlin.services.sqs.createQueue

import aws.sdk.kotlin.services.sqs.model.*

import aws.sdk.kotlin.services.sqs.paginators.listQueuesPaginated

import aws.sdk.kotlin.services.sqs.paginators.queueUrls

import kotlinx.coroutines.flow.firstOrNull

import kotlinx.coroutines.withTimeout

import java.util.*

import kotlin.time.Duration.Companion.seconds

object SqsTestUtils {

    const val DEFAULT_REGION = "us-west-2"

    const val TEST_QUEUE_PREFIX = "sqs-test-queue-"

    const val TEST_MESSAGE_BODY = "Hello World"

    const val TEST_MESSAGE_ATTRIBUTES_NAME = "TestAttribute"

    const val TEST_MESSAGE_ATTRIBUTES_VALUE = "TestAttributeValue"

    const val TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE = "TestSystemAttributeValue"

    suspend fun getTestQueueUrl(client: SqsClient, prefix: String): String =

        getQueueUrlWithPrefix(client, prefix)

    private suspend fun getQueueUrlWithPrefix(client: SqsClient, prefix: String): String = withTimeout(60.seconds) {

        var matchingQueueUrl = client

            .listQueuesPaginated { queueNamePrefix = prefix }

            .queueUrls()

            .firstOrNull()

        if (matchingQueueUrl == null) {

            matchingQueueUrl = prefix + UUID.randomUUID()

            println("Creating SQS queue: $matchingQueueUrl")

            client.createQueue {

                queueName = matchingQueueUrl

            }

        } else {

            println("Using existing SQS queue: $matchingQueueUrl")

        }

        matchingQueueUrl

    }

    suspend fun deleteQueueAndAllMessages(client: SqsClient, queueUrl: String) {

        try {

            println("Purging SQS queue: $queueUrl")

            client.purgeQueue(

                PurgeQueueRequest {

                    this.queueUrl = queueUrl

                },

            )

            println("Queue purged successfully.")

            println("Deleting SQS queue: $queueUrl")

            client.deleteQueue(

                DeleteQueueRequest {

                    this.queueUrl = queueUrl

                },

            )

            println("Queue deleted successfully.")

        } catch (e: SqsException) {

            println("Error during delete SQS queue: ${e.message}")

        }

    }

    fun buildSendMessageBatchRequestEntry(batchId: Int): SendMessageBatchRequestEntry = SendMessageBatchRequestEntry {

        id = batchId.toString()

        messageBody = TEST_MESSAGE_BODY + batchId

        messageAttributes = mapOf(

            TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                dataType = "String"

                stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE + batchId

            },

        )

        messageSystemAttributes = mapOf(

            MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                dataType = "String"

                stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE + batchId

            },

        )

    }

}

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-form-url:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")