Use getRawPath and getRawQuery for signed URLs (#3795)

* Use getRawPath and getRawQuery for signed URLs

* Rename test url

Author: davidh44

services/cloudfront/src/main/java/software/amazon/awssdk/services/cloudfront/CloudFrontUtilities.java

@@ -145,8 +145,8 @@ public SignedUrl getSignedUrlWithCannedPolicy(CannedSignerRequest request) {
             URI uri = URI.create(resourceUrl);
             String protocol = uri.getScheme();
             String domain = uri.getHost();
-            String encodedPath = uri.getPath()
-                                 + (uri.getQuery() != null ? "?" + uri.getQuery() + "&" : "?")
+            String encodedPath = uri.getRawPath()
+                                 + (uri.getQuery() != null ? "?" + uri.getRawQuery() + "&" : "?")
                                  + "Expires=" + request.expirationDate().getEpochSecond()
                                  + "&Signature=" + urlSafeSignature
                                  + "&Key-Pair-Id=" + request.keyPairId();
@@ -254,8 +254,8 @@ public SignedUrl getSignedUrlWithCustomPolicy(CustomSignerRequest request) {
             URI uri = URI.create(resourceUrl);
             String protocol = uri.getScheme();
             String domain = uri.getHost();
-            String encodedPath = uri.getPath()
-                                 + (uri.getQuery() != null ? "?" + uri.getQuery() + "&" : "?")
+            String encodedPath = uri.getRawPath()
+                                 + (uri.getQuery() != null ? "?" + uri.getRawQuery() + "&" : "?")
                                  + "Policy=" + urlSafePolicy
                                  + "&Signature=" + urlSafeSignature
                                  + "&Key-Pair-Id=" + request.keyPairId();

services/cloudfront/src/test/java/software/amazon/awssdk/services/cloudfront/CloudFrontUtilitiesTest.java

@@ -214,6 +214,52 @@ void getSignedURLWithCustomPolicy_withMissingExpirationDate_shouldThrowException
         assertThat(exception.getMessage().contains("Expiration date must be provided to sign CloudFront URLs"));
     }
 
+    @Test
+    void getSignedURLWithCannedPolicy_withEncodedUrl_doesNotDecodeUrl() {
+        String encodedUrl = "https://distributionDomain/s3ObjectKey/%40blob?v=1n1dm%2F01n1dm0";
+        Instant expirationDate = LocalDate.of(2024, 1, 1).atStartOfDay().toInstant(ZoneOffset.of("Z"));
+        SignedUrl signedUrl =
+            cloudFrontUtilities.getSignedUrlWithCannedPolicy(r -> r
+                .resourceUrl(encodedUrl)
+                .privateKey(keyPair.getPrivate())
+                .keyPairId("keyPairId")
+                .expirationDate(expirationDate));
+        String url = signedUrl.url();
+        String signature = url.substring(url.indexOf("&Signature"), url.indexOf("&Key-Pair-Id"));
+        String expected = "https://distributionDomain/s3ObjectKey/%40blob?v=1n1dm%2F01n1dm0&Expires=1704067200"
+                          + signature
+                          + "&Key-Pair-Id=keyPairId";
+        assertThat(expected).isEqualTo(url);
+    }
+
+    @Test
+    void getSignedURLWithCustomPolicy_withEncodedUrl_doesNotDecodeUrl() {
+        String encodedUrl = "https://distributionDomain/s3ObjectKey/%40blob?v=1n1dm%2F01n1dm0";
+        Instant activeDate = LocalDate.of(2022, 1, 1).atStartOfDay().toInstant(ZoneOffset.of("Z"));
+        Instant expirationDate = LocalDate.of(2024, 1, 1).atStartOfDay().toInstant(ZoneOffset.of("Z"));
+        String ipRange = "1.2.3.4";
+        SignedUrl signedUrl = cloudFrontUtilities.getSignedUrlWithCustomPolicy(r -> {
+            try {
+                r.resourceUrl(encodedUrl)
+                 .privateKey(keyFilePath)
+                 .keyPairId("keyPairId")
+                 .expirationDate(expirationDate)
+                 .activeDate(activeDate)
+                 .ipRange(ipRange);
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        });
+        String url = signedUrl.url();
+        String policy = url.substring(url.indexOf("Policy=") + 7, url.indexOf("&Signature"));
+        String signature = url.substring(url.indexOf("&Signature"), url.indexOf("&Key-Pair-Id"));
+        String expected = "https://distributionDomain/s3ObjectKey/%40blob?v=1n1dm%2F01n1dm0&Policy="
+                          + policy
+                          + signature
+                          + "&Key-Pair-Id=keyPairId";
+        assertThat(expected).isEqualTo(url);
+    }
+
     @Test
     void getCookiesForCannedPolicy_producesValidCookies() throws Exception {
         Instant expirationDate = LocalDate.of(2024, 1, 1).atStartOfDay().toInstant(ZoneOffset.of("Z"));