AWS SDK

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-form-url:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-json-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-json:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-event-stream:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:smithy-test:1.4.4-SNAPSHOT")

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs

import aws.sdk.kotlin.services.sqs.internal.ValidationEnabled

import aws.sdk.kotlin.services.sqs.internal.ValidationScope

import aws.sdk.kotlin.services.sqs.model.*

import aws.smithy.kotlin.runtime.client.ResponseInterceptorContext

import aws.smithy.kotlin.runtime.hashing.md5

import aws.smithy.kotlin.runtime.http.interceptors.ChecksumMismatchException

import aws.smithy.kotlin.runtime.http.interceptors.HttpInterceptor

import aws.smithy.kotlin.runtime.http.request.HttpRequest

import aws.smithy.kotlin.runtime.http.response.HttpResponse

import aws.smithy.kotlin.runtime.io.SdkBuffer

import aws.smithy.kotlin.runtime.telemetry.logging.Logger

import aws.smithy.kotlin.runtime.telemetry.logging.logger

/**

 * Interceptor that validates MD5 checksums for SQS message operations.

 *

 * This interceptor performs client-side validation of MD5 checksums returned by SQS to ensure

 * message integrity during transmission. It validates the following components:

 * - Message body

 * - Message attributes

 * - Message system attributes

 *

 * The validation behavior can be configured using:

 * - [checksumValidationEnabled] - Controls when validation occurs (ALWAYS, WHEN_SENDING, WHEN_RECEIVING, NEVER)

 * - [checksumValidationScopes] - Specifies which message components to validate

 *

 * Supported operations:

 * - SendMessage

 * - SendMessageBatch

 * - ReceiveMessage

 */

@OptIn(ExperimentalStdlibApi::class)

public class SqsMd5ChecksumValidationInterceptor(

    private val validationEnabled: ValidationEnabled?,

    private val validationScopes: Set<ValidationScope>,

) : HttpInterceptor {

    public companion object {

        private const val STRING_TYPE_FIELD_INDEX: Byte = 1

        private const val BINARY_TYPE_FIELD_INDEX: Byte = 2

        private const val STRING_LIST_TYPE_FIELD_INDEX: Byte = 3

        private const val BINARY_LIST_TYPE_FIELD_INDEX: Byte = 4

    }

    override fun readAfterExecution(context: ResponseInterceptorContext<Any, Any, HttpRequest?, HttpResponse?>) {

        if (validationEnabled == ValidationEnabled.NEVER) return

        val logger = context.executionContext.coroutineContext.logger<SqsMd5ChecksumValidationInterceptor>()

        // Test MD5 availability

        try {

            "MD5".encodeToByteArray().md5()

        } catch (e: Exception) {

            logger.error { "MD5 checksums are not available (likely due to FIPS mode). Checksum validation will be disabled." }

            return

        }

        val request = context.request

        val response = context.response.getOrNull()

        if (response != null) {

            when (request) {

                is SendMessageRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_RECEIVING) return

                    val sendMessageRequest = request as SendMessageRequest

                    val sendMessageResponse = response as SendMessageResponse

                    sendMessageOperationMd5Check(sendMessageRequest, sendMessageResponse, logger)

                }

                is ReceiveMessageRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_SENDING) return

                    val receiveMessageResponse = response as ReceiveMessageResponse

                    receiveMessageResultMd5Check(receiveMessageResponse, logger)

                }

                is SendMessageBatchRequest -> {

                    if (validationEnabled == ValidationEnabled.WHEN_RECEIVING) return

                    val sendMessageBatchRequest = request as SendMessageBatchRequest

                    val sendMessageBatchResponse = response as SendMessageBatchResponse

                    sendMessageBatchOperationMd5Check(sendMessageBatchRequest, sendMessageBatchResponse, logger)

                }

            }

        }

    }

    private fun sendMessageOperationMd5Check(

        sendMessageRequest: SendMessageRequest,

        sendMessageResponse: SendMessageResponse,

        logger: Logger,

    ) {

        if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

            val messageBodySent = sendMessageRequest.messageBody

            if (!messageBodySent.isNullOrEmpty()) {

                logger.debug { "Validating message body MD5 checksum for SendMessage" }

                val bodyMD5Returned = sendMessageResponse.md5OfMessageBody

                val clientSideBodyMd5 = calculateMessageBodyMd5(messageBodySent)

                if (clientSideBodyMd5 != bodyMD5Returned) {

                    throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideBodyMd5 but was $bodyMD5Returned")

                }

                logger.debug { "Message body MD5 checksum for SendMessage validated" }

            }

        }

        if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

            val messageAttrSent = sendMessageRequest.messageAttributes

            if (!messageAttrSent.isNullOrEmpty()) {

                logger.debug { "Validating message attribute MD5 checksum for SendMessage" }

                val messageAttrMD5Returned = sendMessageResponse.md5OfMessageAttributes

                val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttrSent)

                if (clientSideAttrMd5 != messageAttrMD5Returned) {

                    throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideAttrMd5 but was $messageAttrMD5Returned")

                }

                logger.debug { "Message attribute MD5 checksum for SendMessage validated" }

            }

        }

        if (validationScopes.contains(ValidationScope.MESSAGE_SYSTEM_ATTRIBUTES)) {

            val messageSysAttrSent = sendMessageRequest.messageSystemAttributes

            if (!messageSysAttrSent.isNullOrEmpty()) {

                logger.debug { "Validating message system attribute MD5 checksum for SendMessage" }

                val messageSysAttrMD5Returned = sendMessageResponse.md5OfMessageSystemAttributes

                val clientSideSysAttrMd5 = calculateMessageSystemAttributesMd5(messageSysAttrSent)

                if (clientSideSysAttrMd5 != messageSysAttrMD5Returned) {

                    throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideSysAttrMd5 but was $messageSysAttrMD5Returned")

                }

                logger.debug { "Message system attribute MD5 checksum for SendMessage validated" }

            }

        }

    }

    private fun receiveMessageResultMd5Check(receiveMessageResponse: ReceiveMessageResponse, logger: Logger) {

        receiveMessageResponse.messages?.forEach { messageReceived ->

            if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

                val messageBody = messageReceived.body

                if (!messageBody.isNullOrEmpty()) {

                    logger.debug { "Validating message body MD5 checksum for ReceiveMessage" }

                    val bodyMd5Returned = messageReceived.md5OfBody

                    val clientSideBodyMd5 = calculateMessageBodyMd5(messageBody)

                    if (clientSideBodyMd5 != bodyMd5Returned) {

                        throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideBodyMd5 but was $bodyMd5Returned")

                    }

                    logger.debug { "Message body MD5 checksum for ReceiveMessage validated " }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

                val messageAttr = messageReceived.messageAttributes

                if (!messageAttr.isNullOrEmpty()) {

                    logger.debug { "Validating message attribute MD5 checksum for ReceiveMessage" }

                    val attrMd5Returned = messageReceived.md5OfMessageAttributes

                    val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttr)

                    if (clientSideAttrMd5 != attrMd5Returned) {

                        throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideAttrMd5 but was $attrMd5Returned")

                    }

                    logger.debug { "Message attribute MD5 checksum for ReceiveMessage validated " }

                }

            }

        }

    }

    private fun sendMessageBatchOperationMd5Check(

        sendMessageBatchRequest: SendMessageBatchRequest,

        sendMessageBatchResponse: SendMessageBatchResponse,

        logger: Logger,

    ) {

        val idToRequestEntryMap = sendMessageBatchRequest

            .entries

            .orEmpty()

            .associateBy { it.id }

        for (entry in sendMessageBatchResponse.successful) {

            if (validationScopes.contains(ValidationScope.MESSAGE_BODY)) {

                val messageBody = idToRequestEntryMap[entry.id]?.messageBody

                if (!messageBody.isNullOrEmpty()) {

                    logger.debug { "Validating message body MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val bodyMd5Returned = entry.md5OfMessageBody

                    val clientSideBodyMd5 = calculateMessageBodyMd5(messageBody)

                    if (clientSideBodyMd5 != bodyMd5Returned) {

                        throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideBodyMd5 but was $bodyMd5Returned")

                    }

                    logger.debug { "Message body MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_ATTRIBUTES)) {

                val messageAttrSent = idToRequestEntryMap[entry.id]?.messageAttributes

                if (!messageAttrSent.isNullOrEmpty()) {

                    logger.debug { "Validating message attribute MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val messageAttrMD5Returned = entry.md5OfMessageAttributes

                    val clientSideAttrMd5 = calculateMessageAttributesMd5(messageAttrSent)

                    if (clientSideAttrMd5 != messageAttrMD5Returned) {

                        throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideAttrMd5 but was $messageAttrMD5Returned")

                    }

                    logger.debug { "Message attribute MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

            if (validationScopes.contains(ValidationScope.MESSAGE_SYSTEM_ATTRIBUTES)) {

                val messageSysAttrSent = idToRequestEntryMap[entry.id]?.messageSystemAttributes

                if (!messageSysAttrSent.isNullOrEmpty()) {

                    logger.debug { "Validating message system attribute MD5 checksum for SendMessageBatch: ${entry.messageId}" }

                    val messageSysAttrMD5Returned = entry.md5OfMessageSystemAttributes

                    val clientSideSysAttrMd5 = calculateMessageSystemAttributesMd5(messageSysAttrSent)

                    if (clientSideSysAttrMd5 != messageSysAttrMD5Returned) {

                        throw ChecksumMismatchException("Checksum mismatch. Expected $clientSideSysAttrMd5 but was $messageSysAttrMD5Returned")

                    }

                    logger.debug { "Message system attribute MD5 checksum for SendMessageBatch: ${entry.messageId} validated" }

                }

            }

        }

    }

    private fun calculateMessageBodyMd5(messageBody: String): String {

        val expectedMD5 = messageBody.encodeToByteArray().md5()

        val expectedMD5Hex = expectedMD5.toHexString()

        return expectedMD5Hex

    }

    /**

     * Calculates the MD5 digest for message attributes according to SQS specifications.

     * https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-message-metadata.html#sqs-attributes-md5-message-digest-calculation

     */

    private fun calculateMessageAttributesMd5(messageAttributes: Map<String, MessageAttributeValue>): String {

        val buffer = SdkBuffer()

        messageAttributes

            .entries

            .sortedBy { (name, _) -> name }

            .forEach { (attributeName, attributeValue) ->

                updateLengthAndBytes(buffer, attributeName)

                updateLengthAndBytes(buffer, attributeValue.dataType)

                val stringValue = attributeValue.stringValue

                val binaryValue = attributeValue.binaryValue

                val stringListValues = attributeValue.stringListValues

                val binaryListValues = attributeValue.binaryListValues

                when {

                    stringValue != null -> updateForStringType(buffer, stringValue)

                    binaryValue != null -> updateForBinaryType(buffer, binaryValue)

                    !stringListValues.isNullOrEmpty() -> updateForStringListType(buffer, stringListValues)

                    !binaryListValues.isNullOrEmpty() -> updateForBinaryListType(buffer, binaryListValues)

                }

            }

        val payload = buffer.readByteArray()

        return payload.md5().toHexString()

    }

    private fun calculateMessageSystemAttributesMd5(

        messageSysAttrs: Map<MessageSystemAttributeNameForSends, MessageSystemAttributeValue>,

    ): String {

        val buffer = SdkBuffer()

        messageSysAttrs

            .entries

            .sortedBy { (name, _) -> name.value }

            .forEach { (attributeName, attributeValue) ->

                updateLengthAndBytes(buffer, attributeName.value)

                updateLengthAndBytes(buffer, attributeValue.dataType)

                val stringValue = attributeValue.stringValue

                val binaryValue = attributeValue.binaryValue

                val stringListValues = attributeValue.stringListValues

                val binaryListValues = attributeValue.binaryListValues

                when {

                    stringValue != null -> updateForStringType(buffer, stringValue)

                    binaryValue != null -> updateForBinaryType(buffer, binaryValue)

                    !stringListValues.isNullOrEmpty() -> updateForStringListType(buffer, stringListValues)

                    !binaryListValues.isNullOrEmpty() -> updateForBinaryListType(buffer, binaryListValues)

                }

            }

        val payload = buffer.readByteArray()

        return payload.md5().toHexString()

    }

    private fun updateForStringType(buffer: SdkBuffer, value: String) {

        buffer.writeByte(STRING_TYPE_FIELD_INDEX)

        updateLengthAndBytes(buffer, value)

    }

    private fun updateForBinaryType(buffer: SdkBuffer, value: ByteArray) {

        buffer.writeByte(BINARY_TYPE_FIELD_INDEX)

        updateLengthAndBytes(buffer, value)

    }

    private fun updateForStringListType(buffer: SdkBuffer, values: List<String>) {

        buffer.writeByte(STRING_LIST_TYPE_FIELD_INDEX)

        values.forEach { value ->

            updateLengthAndBytes(buffer, value)

        }

    }

    private fun updateForBinaryListType(buffer: SdkBuffer, values: List<ByteArray>) {

        buffer.writeByte(BINARY_LIST_TYPE_FIELD_INDEX)

        values.forEach { value ->

            updateLengthAndBytes(buffer, value)

        }

    }

    private fun updateLengthAndBytes(buffer: SdkBuffer, stringValue: String) =

        updateLengthAndBytes(buffer, stringValue.encodeToByteArray())

    /**

     * Update the digest using a sequence of bytes that consists of the length (in 4 bytes) of the

     * input binaryValue and all the bytes it contains.

     */

    private fun updateLengthAndBytes(buffer: SdkBuffer, binaryValue: ByteArray) {

        buffer.writeInt(binaryValue.size)

        buffer.write(binaryValue)

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs.internal

import aws.sdk.kotlin.runtime.config.profile.*

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.smithy.kotlin.runtime.config.resolve

import aws.smithy.kotlin.runtime.util.LazyAsyncValue

import aws.smithy.kotlin.runtime.util.PlatformProvider

internal suspend fun finalizeSqsConfig(

    builder: SqsClient.Builder,

    sharedConfig: LazyAsyncValue<AwsSharedConfig>,

    provider: PlatformProvider = PlatformProvider.System,

) {

    val activeProfile = sharedConfig.get().activeProfile

    builder.config.checksumValidationEnabled = builder.config.checksumValidationEnabled

        ?: SqsSetting.checksumValidationEnabled.resolve(provider)

        ?: activeProfile.checksumValidationEnabled

        ?: ValidationEnabled.NEVER // TODO: MD5 checksum validation is temporarily disabled. Set default to ALWAYS in next minor version

    builder.config.checksumValidationScopes = builder.config.checksumValidationScopes.ifEmpty {

        SqsSetting.checksumValidationScopes.resolve(provider)

            ?: activeProfile.checksumValidationScopes

            ?: ValidationScope.entries.toSet()

    }

}

private val AwsProfile.checksumValidationEnabled: ValidationEnabled?

    get() = getEnumOrNull<ValidationEnabled>("sqs_checksum_validation_enabled")

private val AwsProfile.checksumValidationScopes: Set<ValidationScope>?

    get() = getEnumSetOrNull<ValidationScope>("sqs_checksum_validation_scope")

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.services.sqs.internal

import aws.smithy.kotlin.runtime.config.*

/**

 * SQS specific system settings

 */

internal object SqsSetting {

    /**

     * Configure when MD5 checksum validation is performed for SQS operations.

     *

     * Can be configured using:

     * - System property: aws.SqsChecksumValidationEnabled

     * - Environment variable: AWS_SQS_CHECKSUM_VALIDATION_ENABLED

     *

     * Valid values:

     * - ALWAYS (default) - Validates checksums for both sending and receiving operations

     * - WHEN_SENDING - Validates checksums only when sending messages

     * - WHEN_RECEIVING - Validates checksums only when receiving messages

     * - NEVER - Disables checksum validation

     *

     * Note: Value matching is case-insensitive when configured via environment variables.

     */

    public val checksumValidationEnabled: EnvironmentSetting<ValidationEnabled> =

        enumEnvSetting("aws.SqsChecksumValidationEnabled", "AWS_SQS_CHECKSUM_VALIDATION_ENABLED")

    /**

     * Configure the scope of checksum validation for SQS operations.

     *

     * Can be configured using:

     * - System property: aws.SqsChecksumValidationScope

     * - Environment variable: AWS_SQS_CHECKSUM_VALIDATION_SCOPE

     *

     * Valid values are comma-separated combinations of:

     * - MESSAGE_BODY: Validate message body checksums

     * - MESSAGE_ATTRIBUTES: Validate message attribute checksums

     * - SYSTEM_ATTRIBUTES: Validate system attribute checksums

     *

     * Example: "MESSAGE_BODY,MESSAGE_ATTRIBUTES"

     *

     * If not specified, defaults to validating all scopes.

     */

    public val checksumValidationScopes: EnvironmentSetting<Set<ValidationScope>?> =

        enumSetEnvSetting<ValidationScope>("aws.SqsChecksumValidationScope", "AWS_SQS_CHECKSUM_VALIDATION_SCOPE")

}

package aws.sdk.kotlin.services.sqs.internal

/**

 * Controls when MD5 checksum validation is performed for SQS operations.

 *

 * This configuration determines under which conditions checksums will be automatically

 * calculated and validated for SQS message operations.

 *

 * Valid values:

 * - ALWAYS - Validates checksums for both sending and receiving operations

 *           (SendMessage, SendMessageBatch, and ReceiveMessage)

 * - WHEN_SENDING - Validates checksums only when sending messages

 *                 (SendMessage and SendMessageBatch)

 * - WHEN_RECEIVING - Validates checksums only when receiving messages

 *                   (ReceiveMessage)

 * - NEVER - Disables checksum validation completely

 *

 * Default: ALWAYS

 */

public enum class ValidationEnabled {

    ALWAYS,

    WHEN_SENDING,

    WHEN_RECEIVING,

    NEVER,

}

/**

 * Specifies which parts of an SQS message should undergo MD5 checksum validation.

 *

 * This configuration determines which components of a message will be validated

 * when checksum validation is enabled.

 *

 * Valid values:

 * - MESSAGE_ATTRIBUTES - Validates checksums for message attributes

 * - MESSAGE_SYSTEM_ATTRIBUTES - Validates checksums for message system attributes

 *   (Note: Not available for ReceiveMessage operations as SQS does not calculate

 *   checksums for system attributes during message receipt)

 * - MESSAGE_BODY - Validates checksums for the message body

 *

 * Default: All scopes enabled

 */

public enum class ValidationScope {

    MESSAGE_ATTRIBUTES,

    MESSAGE_SYSTEM_ATTRIBUTES,

    MESSAGE_BODY,

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.e2etest

import aws.sdk.kotlin.e2etest.SqsTestUtils.DEFAULT_REGION

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_ATTRIBUTES_NAME

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_ATTRIBUTES_VALUE

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_BODY

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_QUEUE_CORRECT_CHECKSUM_PREFIX

import aws.sdk.kotlin.e2etest.SqsTestUtils.TEST_QUEUE_WRONG_CHECKSUM_PREFIX

import aws.sdk.kotlin.e2etest.SqsTestUtils.buildSendMessageBatchRequestEntry

import aws.sdk.kotlin.e2etest.SqsTestUtils.deleteQueueAndAllMessages

import aws.sdk.kotlin.e2etest.SqsTestUtils.getTestQueueUrl

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.sdk.kotlin.services.sqs.internal.ValidationEnabled

import aws.sdk.kotlin.services.sqs.internal.ValidationScope

import aws.sdk.kotlin.services.sqs.model.*

import aws.smithy.kotlin.runtime.client.ResponseInterceptorContext

import aws.smithy.kotlin.runtime.hashing.md5

import aws.smithy.kotlin.runtime.http.interceptors.ChecksumMismatchException

import aws.smithy.kotlin.runtime.http.interceptors.HttpInterceptor

import aws.smithy.kotlin.runtime.http.request.HttpRequest

import aws.smithy.kotlin.runtime.http.response.HttpResponse

import kotlinx.coroutines.runBlocking

import org.junit.jupiter.api.*

/**

 * Tests for Sqs MD5 checksum validation

 */

@TestInstance(TestInstance.Lifecycle.PER_CLASS)

class SqsMd5ChecksumValidationTest {

    // An interceptor that set wrong md5 checksums in SQS response

    @OptIn(ExperimentalStdlibApi::class)

    private val wrongChecksumInterceptor = object : HttpInterceptor {

        override suspend fun modifyBeforeCompletion(

            context: ResponseInterceptorContext<Any, Any, HttpRequest?, HttpResponse?>,

        ): Result<Any> {

            val wrongMd5ofMessageBody = "wrong message md5".encodeToByteArray().md5().toHexString()

            val wrongMd5ofMessageAttribute = "wrong attribute md5".encodeToByteArray().md5().toHexString()

            val wrongMd5ofMessageSystemAttribute = "wrong system attribute md5".encodeToByteArray().md5().toHexString()

            when (val response = context.response.getOrNull()) {

                is SendMessageResponse -> {

                    val modifiedResponse = response.copy {

                        md5OfMessageBody = wrongMd5ofMessageBody

                        md5OfMessageAttributes = wrongMd5ofMessageAttribute

                        md5OfMessageSystemAttributes = wrongMd5ofMessageSystemAttribute

                    }

                    return Result.success(modifiedResponse)

                }

                is ReceiveMessageResponse -> {

                    val modifiedMessages = response.messages?.map { message ->

                        message.copy {

                            md5OfBody = wrongMd5ofMessageBody

                            md5OfMessageAttributes = wrongMd5ofMessageAttribute

                        }

                    }

                    val modifiedResponse = ReceiveMessageResponse {

                        messages = modifiedMessages

                    }

                    return Result.success(modifiedResponse)

                }

                is SendMessageBatchResponse -> {

                    val modifiedEntries = response.successful.map { entry ->

                        entry.copy {

                            md5OfMessageBody = wrongMd5ofMessageBody

                            md5OfMessageAttributes = wrongMd5ofMessageAttribute

                            md5OfMessageSystemAttributes = wrongMd5ofMessageSystemAttribute

                        }

                    }

                    val modifiedResponse = SendMessageBatchResponse {

                        successful = modifiedEntries

                        failed = response.failed

                    }

                    return Result.success(modifiedResponse)

                }

            }

            return context.response

        }

    }

    private val correctChecksumClient = SqsClient {

        region = DEFAULT_REGION

        checksumValidationEnabled = ValidationEnabled.ALWAYS

        checksumValidationScopes = ValidationScope.entries.toSet()

    }

    // used for wrong checksum tests

    private val wrongChecksumClient = SqsClient {

        region = DEFAULT_REGION

        checksumValidationEnabled = ValidationEnabled.ALWAYS

        checksumValidationScopes = ValidationScope.entries.toSet()

        interceptors += wrongChecksumInterceptor

    }

    private lateinit var correctChecksumTestQueueUrl: String

    private lateinit var wrongChecksumTestQueueUrl: String

    @BeforeAll

    private fun setUp(): Unit = runBlocking {

        correctChecksumTestQueueUrl = getTestQueueUrl(correctChecksumClient, TEST_QUEUE_CORRECT_CHECKSUM_PREFIX, DEFAULT_REGION)

        wrongChecksumTestQueueUrl = getTestQueueUrl(wrongChecksumClient, TEST_QUEUE_WRONG_CHECKSUM_PREFIX, DEFAULT_REGION)

    }

    @AfterAll

    private fun cleanUp(): Unit = runBlocking {

        deleteQueueAndAllMessages(correctChecksumClient, correctChecksumTestQueueUrl)

        deleteQueueAndAllMessages(wrongChecksumClient, wrongChecksumTestQueueUrl)

        correctChecksumClient.close()

        wrongChecksumClient.close()

    }

    @Test

    fun testSendMessage(): Unit = runBlocking {

        correctChecksumClient.sendMessage(

            SendMessageRequest {

                queueUrl = correctChecksumTestQueueUrl

                messageBody = TEST_MESSAGE_BODY

                messageAttributes = hashMapOf(

                    TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                        dataType = "String"

                        stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE

                    },

                )

                messageSystemAttributes = hashMapOf(

                    MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                        dataType = "String"

                        stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

                    },

                )

            },

        )

    }

    @Test

    fun testReceiveMessage(): Unit = runBlocking {

        correctChecksumClient.receiveMessage(

            ReceiveMessageRequest {

                queueUrl = correctChecksumTestQueueUrl

                maxNumberOfMessages = 1

                messageAttributeNames = listOf(TEST_MESSAGE_ATTRIBUTES_NAME)

                messageSystemAttributeNames = listOf(MessageSystemAttributeName.AwsTraceHeader)

            },

        )

    }

    @Test

    fun testSendMessageBatch(): Unit = runBlocking {

        val entries = (1..5).map { batchId ->

            buildSendMessageBatchRequestEntry(batchId)

        }

        correctChecksumClient.sendMessageBatch(

            SendMessageBatchRequest {

                queueUrl = correctChecksumTestQueueUrl

                this.entries = entries

            },

        )

    }

    @Test

    fun testSendMessageWithWrongChecksum(): Unit = runBlocking {

        val exception = assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.sendMessage(

                SendMessageRequest {

                    queueUrl = wrongChecksumTestQueueUrl

                    messageBody = TEST_MESSAGE_BODY

                    messageAttributes = hashMapOf(

                        TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                            dataType = "String"

                            stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE

                        },

                    )

                    messageSystemAttributes = hashMapOf(

                        MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                            dataType = "String"

                            stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE

                        },

                    )

                },

            )

        }

        assert(exception.message!!.contains("Checksum mismatch"))

    }

    @Test

    fun testReceiveMessageWithWrongChecksum(): Unit = runBlocking {

        val exception = assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.receiveMessage(

                ReceiveMessageRequest {

                    queueUrl = wrongChecksumTestQueueUrl

                    maxNumberOfMessages = 1

                    messageAttributeNames = listOf(TEST_MESSAGE_ATTRIBUTES_NAME)

                    messageSystemAttributeNames = listOf(MessageSystemAttributeName.AwsTraceHeader)

                },

            )

        }

        assert(exception.message!!.contains("Checksum mismatch"))

    }

    @Test

    fun testSendMessageBatchWithWrongChecksum(): Unit = runBlocking {

        val entries = (1..5).map { batchId ->

            buildSendMessageBatchRequestEntry(batchId)

        }

        val exception = assertThrows<ChecksumMismatchException> {

            wrongChecksumClient.sendMessageBatch(

                SendMessageBatchRequest {

                    queueUrl = wrongChecksumTestQueueUrl

                    this.entries = entries

                },

            )

        }

        assert(exception.message!!.contains("Checksum mismatch"))

    }

}

/*

 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

 * SPDX-License-Identifier: Apache-2.0

 */

package aws.sdk.kotlin.e2etest

import aws.sdk.kotlin.services.sqs.SqsClient

import aws.sdk.kotlin.services.sqs.createQueue

import aws.sdk.kotlin.services.sqs.model.*

import aws.sdk.kotlin.services.sqs.paginators.listQueuesPaginated

import aws.sdk.kotlin.services.sqs.paginators.queueUrls

import kotlinx.coroutines.flow.firstOrNull

import kotlinx.coroutines.withTimeout

import java.util.*

import kotlin.time.Duration.Companion.seconds

object SqsTestUtils {

    const val DEFAULT_REGION = "us-west-2"

    const val TEST_QUEUE_WRONG_CHECKSUM_PREFIX = "sqs-test-queue-wrong-checksum-"

    const val TEST_QUEUE_CORRECT_CHECKSUM_PREFIX = "sqs-test-queue-correct-checksum-"

    const val TEST_MESSAGE_BODY = "Hello World"

    const val TEST_MESSAGE_ATTRIBUTES_NAME = "TestAttribute"

    const val TEST_MESSAGE_ATTRIBUTES_VALUE = "TestAttributeValue"

    const val TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE = "TestSystemAttributeValue"

    suspend fun getTestQueueUrl(

        client: SqsClient,

        prefix: String,

        region: String? = null,

    ): String = getQueueUrlWithPrefix(client, prefix, region)

    private suspend fun getQueueUrlWithPrefix(

        client: SqsClient,

        prefix: String,

        region: String? = null,

    ): String = withTimeout(60.seconds) {

        var matchingQueueUrl = client

            .listQueuesPaginated { queueNamePrefix = prefix }

            .queueUrls()

            .firstOrNull()

        if (matchingQueueUrl == null) {

            matchingQueueUrl = prefix + UUID.randomUUID()

            println("Creating Sqs queue: $matchingQueueUrl")

            client.createQueue {

                queueName = matchingQueueUrl

            }

        } else {

            println("Using existing Sqs queue: $matchingQueueUrl")

        }

        matchingQueueUrl

    }

    suspend fun deleteQueueAndAllMessages(client: SqsClient, queueUrl: String) {

        try {

            println("Purging Sqs queue: $queueUrl")

            client.purgeQueue(

                PurgeQueueRequest {

                    this.queueUrl = queueUrl

                },

            )

            println("Queue purged successfully.")

            println("Deleting Sqs queue: $queueUrl")

            client.deleteQueue(

                DeleteQueueRequest {

                    this.queueUrl = queueUrl

                },

            )

            println("Queue deleted successfully.")

        } catch (e: SqsException) {

            println("Error during delete SQS queue: ${e.message}")

        }

    }

    fun buildSendMessageBatchRequestEntry(batchId: Int): SendMessageBatchRequestEntry = SendMessageBatchRequestEntry {

        id = batchId.toString()

        messageBody = TEST_MESSAGE_BODY + batchId

        messageAttributes = mapOf(

            TEST_MESSAGE_ATTRIBUTES_NAME to MessageAttributeValue {

                dataType = "String"

                stringValue = TEST_MESSAGE_ATTRIBUTES_VALUE + batchId

            },

        )

        messageSystemAttributes = mapOf(

            MessageSystemAttributeNameForSends.AwsTraceHeader to MessageSystemAttributeValue {

                dataType = "String"

                stringValue = TEST_MESSAGE_SYSTEM_ATTRIBUTES_VALUE + batchId

            },

        )

    }

}

                implementation("aws.smithy.kotlin:aws-credentials:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-protocol-core:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-common:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-signing-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:aws-xml-protocols:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-auth-aws:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:http-client-engine-default:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:identity-api:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-form-url:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:serde-xml:1.4.4-SNAPSHOT")

                implementation("aws.smithy.kotlin:telemetry-defaults:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:http-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:runtime-core:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:smithy-client:1.4.4-SNAPSHOT")

                api("aws.smithy.kotlin:telemetry-api:1.4.4-SNAPSHOT")