smarty-archives / go-aws-auth

[DEPRECATED] Signs requests to Amazon Web Services (AWS) using IAM roles or signed signature versions 2, 3, and 4. Supports S3 and STS.
https://github.com/smartystreets/go-aws-auth/issues/49

URL needs double-encoding for non-S3 endpoints #28

Open danopia opened 9 years ago

danopia commented 9 years ago

Hey,

I'm using this library to sign requests to an AWS ES Service endpoint. Basic requests work fine, but those with a * have a signing error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/.kibana-4/_mapping/%252A/field/_source
_=1447104608354
...

The canonical request generated by go-aws-auth only single-encoded the symbol: /.kibana-4/_mapping/%2A/field/_source

Adding another encodePathFrag() call around the existing one in normuri() fixed the request.

Docs don't talk much about this but a spec on node's aws-sdk checks that URIs are double-encoded for non-S3 endpoints only. https://github.com/aws/aws-sdk-js/blob/333b9d1507a70c8e5b6459a1b513f9fcddd16457/test/signers/v4.spec.coffee#L124

danopia commented 9 years ago

I would've loved for this to be cut-and-dry but another request with a comma in the URL is requiring a single-encode. I'm going to open an AWS ticket about this.

mwek commented 8 years ago

For ES endpoint, these characters require double-encoding: !"#%'()*

These are single encoded: $&+,

I've opened AWS support ticket about it, and will post the received response here.

mwek commented 8 years ago

And the response is: "Thanks for pointing out this inconsistency between our documentation and the behavior you see. I am forwarding this for evaluation to see if we have a bug or design flaw on our hands."

Will keep you updated.

bjorn-ali-goransson commented 8 years ago

Seems that commas need to be double encoded these days?

sha1sum commented 8 years ago

For those still awaiting a resolution of this, please help me review #35 as I'm not using go-aws-auth for anything other than Elasticsearch Service.

sgsandeep commented 7 years ago

I am using AWS elasticsearch and using AWS signature V4 to communicate with the instance. I tried encoding my URI as follows: /index1%2Cindex2/type1%2Ctype2/_search and (Double encoding) /index1%252Cindex2/type1%252Ctype2/_search

Still AWS expects the % to be encoded again as follows. /index1%25252Cindex2/type1%25252Ctype2/_search

Any help would be appreciated.

sha1sum commented 7 years ago

@sgsandeep are you using the branch on #35?
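The encoding rule discussed in this thread, as an added example that is not part of the original issue and is not go-aws-auth's own code: it builds the canonical path with the rule the aws-sdk-js spec linked above checks (one URI-encode for S3, two for other services). The names `uriEncode` and `canonicalPath` are hypothetical, the comma-separated sample path is constructed from the one quoted above, and the per-character inconsistency reported for the ES endpoint is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// uriEncode percent-encodes every byte outside the RFC 3986 unreserved set
// (A-Z a-z 0-9 - _ . ~) with uppercase hex. Hypothetical helper name.
func uriEncode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c >= '0' && c <= '9' ||
			c == '-' || c == '_' || c == '.' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// canonicalPath takes a DECODED path and encodes each segment once for S3
// and twice for any other service. Slashes between segments are preserved.
func canonicalPath(decodedPath string, isS3 bool) string {
	segs := strings.Split(decodedPath, "/")
	for i, seg := range segs {
		seg = uriEncode(seg)
		if !isS3 {
			seg = uriEncode(seg) // second pass turns %2A into %252A
		}
		segs[i] = seg
	}
	return strings.Join(segs, "/")
}

func main() {
	p := "/.kibana-4/_mapping/*/field/_source"
	fmt.Println(canonicalPath(p, true))  // single-encoded form
	fmt.Println(canonicalPath(p, false)) // double-encoded form
	// Constructed input: decoded path with commas.
	fmt.Println(canonicalPath("/index1,index2/type1,type2/_search", false))
	// Passing an already-encoded path adds a third layer (%25252C).
	fmt.Println(canonicalPath("/index1%2Cindex2/type1%2Ctype2/_search", false))
}
```

The last call shows why the signer must know whether its input path is decoded or already escaped: the same function produces `%252C` from a decoded comma and `%25252C` from a pre-encoded one.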