HTTP request signature fails if the path contains an '*' #866
Comments
Thanks for contacting us @dcu. Are you seeing this issue with a service client API operation, or is the signer being used standalone by itself? The Signer will escape query paths containing non-alphanumeric characters. Do you have an example of what the request would look like?
@jasdel see the linked ticket. It's this code: https://github.com/edoardo849/apex-aws-signer/blob/master/signer.go#L49
If I change it to:

```go
// Sign with the escaped form of the path, then restore the original path.
originalPath := req.URL.Path
req.URL.Path = req.URL.EscapedPath()
_, err := t.awsSigner.Sign(req, payload, t.awsServiceName, t.awsRegion, time.Now())
if err != nil {
	log.WithError(err).Error("Couldn't sign the request")
	return nil, err
}
req.URL.Path = originalPath
```

it works fine
Thanks for the update @dcu. Could you include an example of the request's URL that is being used in the signer? Specifically looking for what the path looks like. It would also be helpful to see the error message from the service. In addition, what service is being used?
The url looks like this:
and it's a POST. I'm using the AWS ES service with https://godoc.org/gopkg.in/olivere/elastic.v3
@dcu I'm looking into this issue. It's correct that the signer needs to have fields escaped before they are sent. To dig deeper into what the cause of the problem is though it would be very helpful if you could provide the HTTP wire log of the request (minus body) and service's error response. Specifically we're looking for any information in the service's error message that may provide more insight into why the request signature does not match what is expected. In addition could you enable the debug with the signer.

```go
v4 := NewSigner(req.Config.Credentials, func(v4 *Signer) {
	v4.Debug = aws.LogDebugWithSigning
	v4.Logger = aws.NewDefaultLogger()
})
```
I investigated this issue some more and it looks like the SDK's signer performs escaping of the The reason the signed request needs to be double encoded is because the URI I think a workaround for this is to add a configuration flag to the v4 signer which will enable double escaping of the URI. I prototyped this locally and it looks to resolve the issue.
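Added example (not part of the thread, and not code from the SDK or apex-aws-signer): the single versus double escaping discussed in the comments above, and what the `req.URL.EscapedPath()` workaround changes, shown on a minimal SigV4-style canonical request. `sigV4Escape`, `canonicalForms` and `canonicalHash` are hypothetical helpers; the host and the index pattern are constructed values.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strings"
)

// sigV4Escape percent-encodes a path the way SigV4 canonicalization does:
// every byte except A-Z a-z 0-9 - _ . ~ is encoded, and "/" is kept.
func sigV4Escape(path string) string {
	var b strings.Builder
	for i := 0; i < len(path); i++ {
		c := path[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '_', c == '.', c == '~', c == '/':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// canonicalForms returns the canonical URI when the signer escapes URL.Path
// directly (once) and when Path is first set to EscapedPath() (twice).
func canonicalForms(path string) (once, twice string) {
	u := url.URL{Path: path}
	return sigV4Escape(u.Path), sigV4Escape(u.EscapedPath())
}

// canonicalHash hashes a minimal canonical request: method, canonical URI,
// empty query, a single host header (placeholder value), empty-body hash.
func canonicalHash(method, canonicalURI string) string {
	body := sha256.Sum256(nil)
	cr := strings.Join([]string{method, canonicalURI, "",
		"host:search.example.com\n", "host", hex.EncodeToString(body[:])}, "\n")
	sum := sha256.Sum256([]byte(cr))
	return hex.EncodeToString(sum[:])
}

func main() {
	once, twice := canonicalForms("/logs-*/_search") // constructed index pattern
	fmt.Println("escaped once: ", once, canonicalHash("POST", once))
	fmt.Println("escaped twice:", twice, canonicalHash("POST", twice))
}
```

The two hashes differ, so a signature computed over the once-escaped form cannot validate when the verifying side canonicalizes the path with two rounds of escaping.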
good to know @jasdel
@dcu I'm experimenting with https://github.com/jasdel/aws-sdk-go/tree/feature/SignEscapeStrategy, but I'm not really happy with exposing the double escaping this way. I think it would be nice to have a better solution that would hide this complexity.
Adds support for the URL.EscapedPath method added in Go1.5. This allows you to hint to the signer and Go HTTP client what the escaped form of the request's URI path will be. This is needed when using the AWS v4 Signer outside of the context of the SDK on http.Requests you manage. Also adds documentation to the signer that pre-escaping of the URI path is needed, and suggestions how to do this. aws/signer/v4 TestStandaloneSign test function is an example using the request signer outside of the SDK. Fix aws#866
thanks! are you planning to release this change soon?
This change should be included in the SDK's next release. I'll update here, when that release goes live.
For example, when using elastic search service it's normal to specify the index with an "*" and in that case it fails.
This is related to edoardo849/apex-aws-signer#1