go-aws-auth icon indicating copy to clipboard operation
go-aws-auth copied to clipboard

Published 20 hours ago verified publisher icon smarty-archives

URL needs double-encoding for non-S3 endpoints

Open danopia opened this issue 9 years ago • 7 comments

Hey,

I'm using this library to sign requests to an AWS ES Service endpoint. Basic requests work fine, but those with a * have a signing error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/.kibana-4/_mapping/%252A/field/_source
_=1447104608354
...

The canonical request generated by go-aws-auth only single-encoded the symbol: /.kibana-4/_mapping/%2A/field/_source

Adding another encodePathFrag() call around the existing one in normuri() fixed the request.

Docs don't talk much about this but a spec on node's aws-sdk checks that URIs are double-encoded for non-S3 endpoints only. https://github.com/aws/aws-sdk-js/blob/333b9d1507a70c8e5b6459a1b513f9fcddd16457/test/signers/v4.spec.coffee#L124

danopia avatar Nov 09 '15 21:11 danopia

I would've loved for this to be cut-and-dry but another request with a comma in the URL is requiring a single-encode. I'm going to open an AWS ticket about this.

danopia avatar Nov 09 '15 23:11 danopia

For ES endpoint, these characters require double-encoding: !"#%'()* These are single encoded: $&+,

I've opened AWS support ticket about it, and will post the received response here.

mwek avatar Feb 17 '16 09:02 mwek

And the response is: "Thanks for pointing out this inconsistency between our documentation and the behavior you see. I am forwarding this for evaluation to see if we have a bug or design flaw on our hands."

Will keep you updated.

mwek avatar Feb 17 '16 21:02 mwek

Seems that commas need to be double encoded these days?

bjorn-ali-goransson avatar May 04 '16 08:05 bjorn-ali-goransson

For those still awaiting a resolution of this, please help me review #35 as I'm not using go-aws-auth for anything other than Elasticsearch Service.

sha1sum avatar Sep 13 '16 13:09 sha1sum

I am using AWS elasticsearch and using AWS signature V4 to communicate with the instance. I tried encoding my URI as follows: /index1%2Cindex2/type1%2Ctype2/_search and (Double encoding) /index1%252Cindex2/type1%252Ctype2/_search

Still AWS expects the % to be encoded again as follows. /index1%25252Cindex2/type1%25252Ctype2/_search

Any help would be appreciated.

sgsandeep avatar Mar 08 '17 05:03 sgsandeep

@sgsandeep are you using the branch on #35 ?

sha1sum avatar Mar 08 '17 13:03 sha1sum