tahseen / amazon-cloudsearch-client-java

Amazon CloudSearch Client for Document Service and Searching

No support for signed requests? #8

Closed coffee-to-code closed 7 years ago

coffee-to-code commented 8 years ago

Hello, I have been able to run my test code using the CloudSearch policy "Allow open access to all services", i.e. any anonymous user can submit documents. However, as soon as I set a policy that is suitable for my production environment, i.e. "anonymous can search, only an IAM user can add documents", I get the following error:

```
Exception in thread "main" aws.services.cloudsearchv2.AmazonCloudSearchRequestException: {
    "__type": "#AccessDenied",
    "errors": [{"message": "[*Deprecated*: Use the outer message field] User: anonymous is not authorized to perform: cloudsearch:document on resource: arn:aws:cloudsearch:eu-west-1:170264827209:domain/test"}],
    "message": "User: anonymous is not authorized to perform: cloudsearch:document on resource: arn:aws:cloudsearch:eu-west-1:170264827209:domain/test",
    "status": "error"
}
    at aws.services.cloudsearchv2.AmazonCloudSearchClient.updateDocumentRequest(AmazonCloudSearchClient.java:258)
```

After inspecting the code from your library, it seems that there is no support at all for authenticated requests, because these requests should be signed according to this: "Signing Amazon CloudSearch Requests". Here is an excerpt of the method used to add multiple documents:

```java
private void updateDocumentRequest(String requestBody) throws AmazonCloudSearchRequestException, AmazonCloudSearchInternalServerException {
    String responseBody = null;
    try {
        Response response = Request.Post("https://" + getDocumentEndpoint() + "/2013-01-01/documents/batch")
                .useExpectContinue()
                .version(HttpVersion.HTTP_1_1)
                .addHeader("Content-Type", ContentType.APPLICATION_JSON.getMimeType())
                .addHeader("Accept", ContentType.APPLICATION_JSON.getMimeType())
                .bodyString(requestBody, ContentType.APPLICATION_JSON)
                .execute();

        HttpResponse resp = response.returnResponse();
        responseBody = inputStreamToString(resp.getEntity().getContent());
        JSONObject json = new JSONObject(responseBody); // convert it to JSON object
        responseBody = json.toString(4); // format the json response
        // ... (excerpt ends here)
```

I do not see the "Authorization" header or any other authentication information.

Do you confirm that the library only works when CloudSearch is configured to use an anonymous policy?

tahseen commented 8 years ago

Yes, no signed request support is present at the moment.
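
What a signed batch upload needs in place of the unsigned request quoted in the issue, as an added example (not code from this library or from the thread): a Signature Version 4 signer for the `/2013-01-01/documents/batch` POST using only the JDK. The class name, the placeholder credentials and endpoint, and the signing name `cloudsearch` are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.*;
import java.time.format.DateTimeFormatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CloudSearchSigV4 { // hypothetical class name
    static final String SERVICE = "cloudsearch"; // SigV4 signing name (assumption)

    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Lower-case hex of a 32-byte digest or MAC, zero-padded to 64 characters.
    static String hex(byte[] b) { return String.format("%064x", new java.math.BigInteger(1, b)); }

    static String sha256Hex(String s) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns the Authorization header value for a batch upload of `body`.
    static String authorization(String accessKey, String secretKey, String region,
                                String host, String amzDate, String body) throws Exception {
        String date = amzDate.substring(0, 8); // yyyyMMdd part of the timestamp
        String signedHeaders = "content-type;host;x-amz-date";
        // Canonical request: method, path, empty query, headers, signed header list, body hash.
        String canonical = "POST\n/2013-01-01/documents/batch\n\n"
                + "content-type:application/json\nhost:" + host + "\nx-amz-date:" + amzDate + "\n\n"
                + signedHeaders + "\n" + sha256Hex(body);
        String scope = date + "/" + region + "/" + SERVICE + "/aws4_request";
        String toSign = "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonical);
        // Derive the signing key: secret -> date -> region -> service -> "aws4_request".
        byte[] key = hmac(("AWS4" + secretKey).getBytes(StandardCharsets.UTF_8), date);
        key = hmac(hmac(hmac(key, region), SERVICE), "aws4_request");
        return "AWS4-HMAC-SHA256 Credential=" + accessKey + "/" + scope
                + ", SignedHeaders=" + signedHeaders + ", Signature=" + hex(hmac(key, toSign));
    }

    public static void main(String[] args) throws Exception {
        String amzDate = ZonedDateTime.now(ZoneOffset.UTC)
                .format(DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'"));
        String host = "doc-test-EXAMPLE.eu-west-1.cloudsearch.amazonaws.com"; // constructed endpoint
        String body = "[{\"type\":\"delete\",\"id\":\"doc1\"}]";              // constructed batch
        // Placeholder credentials; load real ones from the environment or a credential provider.
        String auth = authorization("AKIDEXAMPLE", "EXAMPLE-SECRET", "eu-west-1", host, amzDate, body);
        System.out.println("X-Amz-Date: " + amzDate + "\nAuthorization: " + auth);
    }
}
```

The request must carry `X-Amz-Date` with the same timestamp that was signed, and the `Host` and `Content-Type` values on the wire must match the signed values byte for byte, otherwise the service rejects the signature.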