feat(api): fix querystring encoding according to AWS SigV4 (#1068)

* fix(api): fix querystring encoding according to AWS SigV4

fix #977

* fix(api): refactor RESTOperationRequestUtils tests, remove params reordering

* fix(api): add integration tests

* fix(api): encode individual components

* fix(api): address PR comments

* fix(api): throw if invalid query params

* fix(api): throw APIError if invalid query params

* fix(api): error message rewording

* chore: add more tests

Author: diegocstn

AmplifyPlugins/API/APICategoryPlugin.xcodeproj/project.pbxproj

@@ -135,6 +135,7 @@
 		6B8D479D25801DF700E841CB /* AmplifyReachability.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6B8D479C25801DF700E841CB /* AmplifyReachability.swift */; };
 		6BD4620625380EA200906831 /* OIDCAuthProviderWrapper.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BD4620525380EA200906831 /* OIDCAuthProviderWrapper.swift */; };
 		6BD462082538102500906831 /* AuthTokenProviderWrapper.swift in Sources */ = {isa = PBXBuildFile; fileRef = 6BD462072538102500906831 /* AuthTokenProviderWrapper.swift */; };
+		76148E0925D896EA007F3F21 /* URLComponents+sigv4Encoding.swift in Sources */ = {isa = PBXBuildFile; fileRef = 76148E0825D896EA007F3F21 /* URLComponents+sigv4Encoding.swift */; };
 		7632AD8A252E1E10009B5BC9 /* AppSyncJSONValue+toJSONValue.swift in Sources */ = {isa = PBXBuildFile; fileRef = 7632AD89252E1E10009B5BC9 /* AppSyncJSONValue+toJSONValue.swift */; };
 		9B13EA5E48896E8B38883633 /* Pods_HostApp.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 930DD773E0FB4047393CA2AD /* Pods_HostApp.framework */; };
 		A04815BCD5F9181C8AEDEF43 /* Pods_AWSAPICategoryPlugin.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 881AB4B98B48235DEC7754C2 /* Pods_AWSAPICategoryPlugin.framework */; };
@@ -471,6 +472,7 @@
 		6BD462072538102500906831 /* AuthTokenProviderWrapper.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AuthTokenProviderWrapper.swift; sourceTree = "<group>"; };
 		6DD6386039136045F18D44AC /* Pods_HostApp_AWSAPICategoryPluginTestCommon_RESTWithUserPoolIntegrationTests.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_HostApp_AWSAPICategoryPluginTestCommon_RESTWithUserPoolIntegrationTests.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		74EDB7008F5342ED4B38C9CA /* Pods_HostApp_AWSAPICategoryPluginIntegrationTests.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_HostApp_AWSAPICategoryPluginIntegrationTests.framework; sourceTree = BUILT_PRODUCTS_DIR; };
+		76148E0825D896EA007F3F21 /* URLComponents+sigv4Encoding.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "URLComponents+sigv4Encoding.swift"; sourceTree = "<group>"; };
 		7632AD89252E1E10009B5BC9 /* AppSyncJSONValue+toJSONValue.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = "AppSyncJSONValue+toJSONValue.swift"; sourceTree = "<group>"; };
 		77792DD821FC754D857FC63C /* Pods-HostApp-AWSAPICategoryPluginTestCommon-GraphQLWithIAMIntegrationTests.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-HostApp-AWSAPICategoryPluginTestCommon-GraphQLWithIAMIntegrationTests.release.xcconfig"; path = "Target Support Files/Pods-HostApp-AWSAPICategoryPluginTestCommon-GraphQLWithIAMIntegrationTests/Pods-HostApp-AWSAPICategoryPluginTestCommon-GraphQLWithIAMIntegrationTests.release.xcconfig"; sourceTree = "<group>"; };
 		7866FCFB5807C2D20219CEBE /* Pods-HostApp-AWSAPICategoryPluginTestCommon-RESTWithIAMIntegrationTests.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-HostApp-AWSAPICategoryPluginTestCommon-RESTWithIAMIntegrationTests.release.xcconfig"; path = "Target Support Files/Pods-HostApp-AWSAPICategoryPluginTestCommon-RESTWithIAMIntegrationTests/Pods-HostApp-AWSAPICategoryPluginTestCommon-RESTWithIAMIntegrationTests.release.xcconfig"; sourceTree = "<group>"; };
@@ -963,6 +965,7 @@
 			isa = PBXGroup;
 			children = (
 				21D7A0C5237B54D90057D00D /* AWSAppSyncGraphQLResponse.swift */,
+				76148E0825D896EA007F3F21 /* URLComponents+sigv4Encoding.swift */,
 			);
 			path = Internal;
 			sourceTree = "<group>";
@@ -2398,6 +2401,7 @@
 				6B382B452538E53700906593 /* AWSAPIPlugin+APIAuthProviderFactoryBehavior.swift in Sources */,
 				6B33897023AABF1800561E5B /* NetworkReachability.swift in Sources */,
 				21D7A0FE237B54D90057D00D /* URLSessionDataTaskBehavior.swift in Sources */,
+				76148E0925D896EA007F3F21 /* URLComponents+sigv4Encoding.swift in Sources */,
 				21A4F94C25A7ACE600E1047D /* GraphQLRequest+toListQuery.swift in Sources */,
 				216449482587E92B00C548A5 /* GraphQLResponseDecoder.swift in Sources */,
 				21D7A0E5237B54D90057D00D /* AWSAPICategoryPluginConfiguration.swift in Sources */,

AmplifyPlugins/API/AWSAPICategoryPlugin/Support/Internal/URLComponents+sigv4Encoding.swift

@@ -0,0 +1,57 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+import Amplify
+
+/// Per AWS reference guide https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
+/// URL querystring should be encoded according to the following rules:
+/// - percent-encode with %XY (X and Y are hexadecimal characters) all characters
+///   but any of the __unreserved characters__ defined by `RFC3986` (A-Za-z0-9-_.~)
+/// - encode spaces with %20
+/// - double encode any equals in params values
+///
+/// `URLComponents` encodes queryItems values by strictly following `RFC 3986`.
+extension URLComponents {
+    static var sigV4UnreservedCharacters: CharacterSet = {
+        var sigV4UnreservedCharacters = CharacterSet(charactersIn: "A" ... "Z")
+        sigV4UnreservedCharacters = sigV4UnreservedCharacters.union(CharacterSet(charactersIn: "a" ... "z"))
+        sigV4UnreservedCharacters = sigV4UnreservedCharacters.union(CharacterSet(charactersIn: "0" ... "9"))
+        sigV4UnreservedCharacters = sigV4UnreservedCharacters.union(CharacterSet(charactersIn: "-_~."))
+        return sigV4UnreservedCharacters
+    }()
+
+    private func encodeQueryParamItemBySigV4Rules(_ value: String) -> String? {
+        // removingPercentEncoding returns `nil` if called on a value
+        // that hasn't been prior encoded
+        let unencoded = value.removingPercentEncoding ?? value
+
+        return unencoded.addingPercentEncoding(
+            withAllowedCharacters: Self.sigV4UnreservedCharacters)
+    }
+
+    /// Encodes query items per SigV4 rules, no-op for already encoded items.
+    mutating func encodeQueryItemsPerSigV4Rules(_ queryItems: [String: String]?) throws {
+        guard let queryItems = queryItems else {
+            return
+        }
+        percentEncodedQuery = try queryItems.map { name, value in
+            guard let encodedName = encodeQueryParamItemBySigV4Rules(name),
+                  let encodedValue = encodeQueryParamItemBySigV4Rules(value) else {
+                throw APIError.invalidURL(
+                    "Invalid query parameter.",
+                    """
+                    Review your Amplify.API call to make sure you are passing \
+                    valid UTF-8 query parameters in your request.
+                    The value passed was '\(name)=\(value)'
+                    """)
+            }
+
+            return [encodedName, encodedValue].joined(separator: "=")
+        }.joined(separator: "&")
+    }
+}

AmplifyPlugins/API/AWSAPICategoryPlugin/Support/Utils/RESTOperationRequestUtils.swift

@@ -29,11 +29,7 @@ final class RESTOperationRequestUtils {
             components.path.append(path)
         }
 
-        if let queryParameters = queryParameters {
-            components.queryItems = queryParameters.map { (name, value) -> URLQueryItem in
-                URLQueryItem(name: name, value: value)
-            }
-        }
+        try components.encodeQueryItemsPerSigV4Rules(queryParameters)
 
         guard let url = components.url else {
             throw APIError.invalidURL(

AmplifyPlugins/API/AWSAPICategoryPluginIntegrationTests/REST/RESTWithIAMIntegrationTests/RESTWithIAMIntegrationTests.swift

@@ -81,6 +81,49 @@ class RESTWithIAMIntegrationTests: XCTestCase {
         wait(for: [failedInvoked], timeout: TestCommonConstants.networkTimeout)
     }
 
+    func testGetAPIWithQueryParamsSuccess() {
+        let completeInvoked = expectation(description: "request completed")
+        let request = RESTRequest(path: "/items",
+                                  queryParameters: [
+                                    "user": "[email protected]",
+                                    "created": "2021-06-18T09:00:00Z"
+                                  ])
+        _ = Amplify.API.get(request: request) { event in
+            switch event {
+            case .success(let data):
+                let result = String(decoding: data, as: UTF8.self)
+                print(result)
+                completeInvoked.fulfill()
+            case .failure(let error):
+                XCTFail("Unexpected .failed event: \(error)")
+            }
+        }
+
+        wait(for: [completeInvoked], timeout: TestCommonConstants.networkTimeout)
+    }
+
+    func testGetAPIWithEncodedQueryParamsSuccess() {
+        let completeInvoked = expectation(description: "request completed")
+        let request = RESTRequest(path: "/items",
+                                  queryParameters: [
+                                    "user": "hello%40email.com",
+                                    "created": "2021-06-18T09%3A00%3A00Z"
+                                  ])
+        _ = Amplify.API.get(request: request) { event in
+            switch event {
+            case .success(let data):
+                let result = String(decoding: data, as: UTF8.self)
+                print(result)
+                completeInvoked.fulfill()
+            case .failure(let error):
+                XCTFail("Unexpected .failed event: \(error)")
+            }
+        }
+
+        wait(for: [completeInvoked], timeout: TestCommonConstants.networkTimeout)
+    }
+
+
     func testPutAPISuccess() {
         let completeInvoked = expectation(description: "request completed")
         let request = RESTRequest(path: "/items")

AmplifyPlugins/API/AWSAPICategoryPluginIntegrationTests/REST/RESTWithUserPoolIntegrationTests/RESTWithUserPoolIntegrationTests.swift

@@ -65,6 +65,50 @@ class RESTWithUserPoolIntegrationTests: XCTestCase {
         wait(for: [completeInvoked], timeout: TestCommonConstants.networkTimeout)
     }
 
+    func testGetAPIWithQueryParamsSuccess() {
+        signIn(username: user1.username, password: user1.password)
+        let completeInvoked = expectation(description: "request completed")
+        let request = RESTRequest(path: "/items",
+                                  queryParameters: [
+                                    "user": "[email protected]",
+                                    "created": "2021-06-18T09:00:00Z"
+                                  ])
+        _ = Amplify.API.get(request: request) { event in
+            switch event {
+            case .success(let data):
+                let result = String(decoding: data, as: UTF8.self)
+                print(result)
+                completeInvoked.fulfill()
+            case .failure(let error):
+                XCTFail("Unexpected .failed event: \(error)")
+            }
+        }
+
+        wait(for: [completeInvoked], timeout: TestCommonConstants.networkTimeout)
+    }
+
+    func testGetAPIWithEncodedQueryParamsSuccess() {
+        signIn(username: user1.username, password: user1.password)
+        let completeInvoked = expectation(description: "request completed")
+        let request = RESTRequest(path: "/items",
+                                  queryParameters: [
+                                    "user": "hello%40email.com",
+                                    "created": "2021-06-18T09%3A00%3A00Z"
+                                  ])
+        _ = Amplify.API.get(request: request) { event in
+            switch event {
+            case .success(let data):
+                let result = String(decoding: data, as: UTF8.self)
+                print(result)
+                completeInvoked.fulfill()
+            case .failure(let error):
+                XCTFail("Unexpected .failed event: \(error)")
+            }
+        }
+
+        wait(for: [completeInvoked], timeout: TestCommonConstants.networkTimeout)
+    }
+
     func testGetAPIFailedWithSignedOutError() {
         let failedInvoked = expectation(description: "request failed")
         let request = RESTRequest(path: "/items")

AmplifyPlugins/API/AWSAPICategoryPluginTests/Support/Utils/RESTRequestUtilsTests.swift

@@ -6,9 +6,107 @@
 //
 
 import XCTest
+@testable import Amplify
+@testable import AWSAPICategoryPlugin
 
 class RESTRequestUtilsTests: XCTestCase {
-    func testClassMustNotBeEmptyOrSwiftFormatWillCrash() {
-        //TODO implement code
+    private struct ConstructURLTestCase {
+        let baseURL: URL
+        let path: String?
+        let queryParameters: [String: String]?
+        let expectedParameters: [String: String]?
+
+        init(_ url: String,
+             _ path: String?,
+             _ params: [String: String]?,
+             expectedParameters: [String: String]?) {
+            self.baseURL = URL(string: url)!
+            self.path = path
+            self.queryParameters = params
+            self.expectedParameters = expectedParameters
+        }
+    }
+
+    private func assertQueryParameters(testCase: Int, withURL url: URL, expected: [String: String]?) throws {
+        var queryParams: [String: String] = [:]
+        url.query?.split(separator: "&").forEach {
+            let components = $0.split(separator: "=")
+            if let name = components.first, let value = components.last {
+                queryParams[String(name)] = String(value)
+            }
+        }
+
+        guard let expected = expected else {
+            XCTAssertTrue(queryParams.isEmpty,
+                          "Test \(testCase): Unexpected query items found \(queryParams)")
+            return
+        }
+        XCTAssertEqual(queryParams, expected, "Test \(testCase): query params mismatch")
+    }
+
+    func testConstructURL() throws {
+        let baseURL = "https://aws.amazon.com"
+        let path = "/projects"
+        let testCases: [ConstructURLTestCase] = [
+            ConstructURLTestCase(baseURL,
+                                 path,
+                              ["author": "[email protected]"],
+                              expectedParameters: ["author": "john%40email.com"]),
+            ConstructURLTestCase(baseURL,
+                                 path,
+                              ["created": "2021-06-18T09:00:00Z"],
+                              expectedParameters: ["created": "2021-06-18T09%3A00%3A00Z"]),
+            ConstructURLTestCase(baseURL,
+                                 path,
+                                 [
+                                  "created": "2021-06-18T09:00:00Z",
+                                  "param1": "query!",
+                                  "param2": "!*';:@&=+$,/?%#[]()\\"],
+                                 expectedParameters: [
+                                    "created": "2021-06-18T09%3A00%3A00Z",
+                                    "param1": "query%21",
+                                    "param2": "%21%2A%27%3B%3A%40%26%3D%2B%24%2C%2F%3F%25%23%5B%5D%28%29%5C"]),
+            ConstructURLTestCase(baseURL,
+                                 path,
+                                 nil,
+                                 expectedParameters: nil),
+            ConstructURLTestCase(baseURL, nil, nil, expectedParameters: nil),
+            ConstructURLTestCase(baseURL,
+                                 path,
+                                 ["author": "john%40email.com"],
+                                 expectedParameters: ["author": "john%40email.com"])
+        ]
+        for (index, test) in testCases.enumerated() {
+            let resultURL = try RESTOperationRequestUtils.constructURL(
+                for: test.baseURL,
+                with: test.path,
+                with: test.queryParameters)
+            try assertQueryParameters(testCase: index, withURL: resultURL, expected: test.expectedParameters)
+        }
+    }
+
+    func testConstructURLRequest() throws {
+        let baseURL = URL(string: "https://aws.amazon.com")!
+        let url = try RESTOperationRequestUtils.constructURL(for: baseURL, with: "/projects", with: nil)
+        let urlRequest = RESTOperationRequestUtils.constructURLRequest(with: url,
+                                                                       operationType: .get,
+                                                                       headers: nil,
+                                                                       requestPayload: nil)
+
+        XCTAssertEqual(urlRequest.httpMethod, RESTOperationType.get.rawValue)
+
+        // a REST operation request should always have at least a "content-type" header
+        XCTAssertFalse(urlRequest.allHTTPHeaderFields!.isEmpty)
+    }
+
+    func testConstructURLRequestFailsWithInvalidQueryParams() throws {
+        let baseURL = URL(string: "https://aws.amazon.com")!
+        let paramValue = String(
+            bytes: [0xd8, 0x00] as [UInt8],
+            encoding: String.Encoding.utf16BigEndian)!
+        let invalidQueryParams: [String: String] = ["param": paramValue]
+        XCTAssertThrowsError(try RESTOperationRequestUtils.constructURL(for: baseURL,
+                                                             with: "/projects",
+                                                             with: invalidQueryParams))
     }
 }