Closed cloudshiftchris closed 7 months ago
Thanks for the bug report, @cloudshiftchris, I've reproduced the issue locally and I should have a fix available shortly.
The fix for this issue has been pushed to main and released in smithy-kotlin 1.0.3. The change should be available in the latest release of aws-sdk-kotlin later today.
Amazing. Thanks for the quick turnaround.
Unfortunately the change did not make it into today's SDK release. It's staged and ready to release on Monday. Sorry for the delay.
The fix is now released and available in aws-sdk-kotlin 1.0.14.
Ran a repro with 1.0.14 with the same (failing) results; it looks like 1.0.14 still depends on smithy 1.0.2?
For reference this appears to pull in smithy 1.0.2 (the IDE and a Gradle BuildScan show 1.0.2):
plugins {
kotlin("jvm") version "1.9.21"
}
dependencies {
repositories {
mavenCentral()
}
implementation("org.apache.logging.log4j:log4j-api:2.22.0")
implementation("org.apache.logging.log4j:log4j-core:2.22.0")
implementation("org.apache.logging.log4j:log4j-slf4j2-impl:2.22.0")
// 0.36.1-beta works; 1.0.0+ (up to 1.0.10, as of current date) do not work
implementation("aws.sdk.kotlin:apigatewaymanagementapi-jvm:1.0.14")
// implementation("aws.sdk.kotlin:apigatewaymanagementapi-jvm:0.36.1-beta")
}
...do see the ASK SDK commit for libs.versions.toml
to consume smithy 1.0.3. Hmmm.
The latest 1.0.15 release of aws-sdk-kotlin now references the correct smithy-kotlin release and properly signs URLs containing special characters.
Describe the bug
When using
ApiGatewayManagementClient
(AWS Kotlin SDK 1.0.0 or higher) to send a message on an API GW Websocket calls toApiGatewayManagementClient.postToConnection
now fail with aInvalidSignatureException
due to a signature validation error.This exception did not occur with v0.36.1-beta or previous versions.
This appears to be related to the URL encoding changes, specifically the canonicalization of a Url here. A quick review of that code allows
@
as a valid (hence unescaped) character, whereas it was previously escaped, with the endpoint expecting it to be escaped.Walking through both SDK versions with a debugger we end up with a string-to-sign (fragment) of:
0.36.1-beta
(works):/%40connections/PiJ_BfnLoAMCJEw%253D
1.0.0+
(fails):/@connections/PiJ_BfnLoAMCJEw%253D
Note the failing version does not escape
@
as noted earlier.While this specific issue pertains to API GW WS SDK calls it's likely there are other areas that are similarly affected given the convergence of signing / canonicalization. Any SDK call with
@
in the path will fail to generate the correct canonical string; there may be other characters likewise affected.Expected Behavior
SDK calls generate a proper, valid signature, as expected and validated by AWS endpoints.
Current Behavior
The noted SDK call generates an invalid signature and is rejected by the AWS endpoint.
The full exception (sensitive portions redacted):
Steps to Reproduce
A reproducer can be made available if need be; the above information should be enough to craft unit tests to validate issues with canonicalization.
Possible Solution
n/a
Context
This issue affects the SDK 1.0.0+ and prevents use of SDK calls that incorrectly sign the request. At the moment, for our use cases, it is limited to AWS API GW Websocket 'post to connection' calls.
Any SDK calls that have
@
in the URL path may also be affected in a similar manner; the issue may extend beyond just the failure to escape@
and include other characters that invalidate the signature.Your Environment