fix(codegen): Fix usage of unicode in bucket names of s3 presigner (#487)

Author: kggilmer

aws-runtime/aws-signing/common/src/aws/sdk/kotlin/runtime/auth/signing/Presigner.kt

@@ -29,24 +29,28 @@ import aws.sdk.kotlin.crt.http.HttpRequest as CrtHttpRequest
 /**
  * The service configuration details for a presigned request
  *
- * @property region The AWS region to which the request is going.
- * @property signingName The signing name used to sign the request.
- * @property serviceId the service id used to sign the request.
- * @property endpointResolver Resolves the endpoint to determine where the request should be sent.
- * @property credentialsProvider Resolves credentials to sign the request with.
+ * @property region The AWS region to which the request is going
+ * @property signingName The signing name used to sign the request
+ * @property serviceId the service id used to sign the request
+ * @property endpointResolver Resolves the endpoint to determine where the request should be sent
+ * @property credentialsProvider Resolves credentials to sign the request with
+ * @property useDoubleUriEncode Determines if presigner should double encode Uri
+ * @property normalizeUriPath Determines if presigned URI path will be normalized
  */
 public interface ServicePresignConfig {
     public val region: String
     public val signingName: String
     public val serviceId: String
     public val endpointResolver: AwsEndpointResolver
     public val credentialsProvider: CredentialsProvider
+    public val useDoubleUriEncode: Boolean
+    public val normalizeUriPath: Boolean
 }
 
 /**
  * Where the signature is placed in the presigned request
- * @property HEADER Signing details to be placed in a header.
- * @property QUERY_STRING Signing details to be added to the query string.
+ * @property HEADER Signing details to be placed in a header
+ * @property QUERY_STRING Signing details to be added to the query string
  */
 public enum class SigningLocation {
     HEADER,
@@ -58,7 +62,7 @@ public enum class SigningLocation {
  * @property method HTTP method of the presigned request
  * @property path HTTP path of the presigned request
  * @property queryString the HTTP querystring of the presigned request
- * @property durationSeconds Number of seconds that the request will be valid for after being signed.
+ * @property durationSeconds Number of seconds that the request will be valid for after being signed
  * @property signBody Specifies if the request body should be signed
  * @property signingLocation Specifies where the signing information should be placed in the presigned request
  * @property additionalHeaders Custom headers that should be signed as part of the request
@@ -74,10 +78,10 @@ public data class PresignedRequestConfig(
 )
 
 /**
- * Generate a presigned request given the service and operation configurations.
+ * Generate a presigned request given the service and operation configurations
  * @param serviceConfig The service configuration to use in signing the request
  * @param requestConfig The presign configuration to use in signing the request
- * @return a [HttpRequest] that can be executed by any HTTP client within the specified duration.
+ * @return a [HttpRequest] that can be executed by any HTTP client within the specified duration
  */
 @InternalSdkApi
 public suspend fun createPresignedRequest(serviceConfig: ServicePresignConfig, requestConfig: PresignedRequestConfig): HttpRequest {
@@ -92,6 +96,8 @@ public suspend fun createPresignedRequest(serviceConfig: ServicePresignConfig, r
         signedBodyHeader = AwsSignedBodyHeaderType.X_AMZ_CONTENT_SHA256
         signedBodyValue = if (requestConfig.signBody) null else AwsSignedBodyValue.UNSIGNED_PAYLOAD
         expirationInSeconds = requestConfig.durationSeconds
+        useDoubleUriEncode = serviceConfig.useDoubleUriEncode
+        normalizeUriPath = serviceConfig.normalizeUriPath
     }
 
     val unsignedUrl = Url(

codegen/smithy-aws-kotlin-codegen/src/main/kotlin/aws/sdk/kotlin/codegen/PresignerGenerator.kt

@@ -56,9 +56,8 @@ data class PresignableOperation(
  * This integration applies to any AWS service that provides presign capability on one or more operations.
  */
 class PresignerGenerator : KotlinIntegration {
-
     /**
-     * Identifies the [PresignConfigFn] section for overriding generated implementation.
+     * Identifies the [PresignConfigFnSection] section for overriding generated implementation.
      */
     object PresignConfigFnSection : SectionId {
         const val CodegenContext = "CodegenContext"
@@ -183,67 +182,25 @@ class PresignerGenerator : KotlinIntegration {
         }
 
         // Generate presign config builder
+        val clientProperties: List<ClientConfigProperty> = getClientProperties(sigv4ServiceName, serviceShape.sdkId)
         val rc = RenderingContext(writer, serviceShape, ctx.model, ctx.symbolProvider, ctx.settings)
-        renderPresignConfigBuilder(writer, presignConfigTypeName, sigv4ServiceName, serviceShape.sdkId, rc)
+        renderPresignConfigBuilder(writer, presignConfigTypeName, rc, clientProperties)
     }
 
-    private fun renderPresignConfigBuilder(writer: KotlinWriter, presignConfigTypeName: String, sigv4ServiceName: String, serviceId: String, renderingContext: RenderingContext<ServiceShape>) {
+    private fun renderPresignConfigBuilder(writer: KotlinWriter, presignConfigTypeName: String, renderingContext: RenderingContext<ServiceShape>, clientProperties: List<ClientConfigProperty>) {
         writer.dokka {
             write("Provides a subset of the service client configuration necessary to presign a request.")
             write("This type can be used to presign requests in cases where an existing service client")
             write("instance is not available.")
         }
         writer.addImport(AwsRuntimeTypes.Core.ClientException)
         writer.putContext("configClass.name", presignConfigTypeName)
-        val credentialsProviderProperty = ClientConfigProperty {
-            symbol = AwsRuntimeTypes.Types.CredentialsProvider
-            name = "credentialsProvider"
-            documentation = "The AWS credentials provider to use for authenticating requests. If not provided a [aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider] instance will be used."
-            baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
-            propertyType = ClientConfigPropertyType.RequiredWithDefault("DefaultChainCredentialsProvider()")
-        }
-        val endpointResolverProperty = ClientConfigProperty {
-            symbol = AwsRuntimeTypes.Endpoint.AwsEndpointResolver
-            name = "endpointResolver"
-            documentation = "Determines the endpoint (hostname) to make requests to. When not provided a default resolver is configured automatically. This is an advanced client option."
-            baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
-            propertyType = ClientConfigPropertyType.RequiredWithDefault("DefaultEndpointResolver()")
-        }
-        val region = ClientConfigProperty {
-            symbol = buildSymbol {
-                name = "String"
-                namespace = "kotlin"
-                nullable = true
-            }
-            name = "region"
-            documentation = "AWS region to make requests for"
-            baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
-            propertyType = ClientConfigPropertyType.Required()
-        }
-        val signingNameProperty = ClientConfigProperty {
-            symbol = KotlinTypes.String
-            name = "signingName"
-            documentation = "Service identifier used to sign requests"
-            baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
-            propertyType = ClientConfigPropertyType.ConstantValue(sigv4ServiceName.dq())
-        }
-        val serviceIdProperty = ClientConfigProperty {
-            symbol = KotlinTypes.String
-            name = "serviceId"
-            documentation = "Service identifier used to resolve endpoints"
-            baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
-            propertyType = ClientConfigPropertyType.ConstantValue(serviceId.dq())
-        }
 
         val ccg = ClientConfigGenerator(
             renderingContext,
             false,
             AwsRuntimeTypes.Signing.ServicePresignConfig,
-            credentialsProviderProperty,
-            endpointResolverProperty,
-            region,
-            signingNameProperty,
-            serviceIdProperty
+            *clientProperties.toTypedArray()
         )
         ccg.render()
     }
@@ -351,4 +308,85 @@ class PresignerGenerator : KotlinIntegration {
             write("return createPresignedRequest(presignConfig, $requestConfigFnName(this, durationSeconds))")
         }
     }
+
+    // Provide all client properties for a presigner client
+    private fun getClientProperties(sigv4ServiceName: String, serviceId: String): List<ClientConfigProperty> =
+        listOf(
+            ClientConfigProperty {
+                symbol = AwsRuntimeTypes.Types.CredentialsProvider
+                name = "credentialsProvider"
+                documentation = "The AWS credentials provider to use for authenticating requests. If not provided a [aws.sdk.kotlin.runtime.auth.credentials.DefaultChainCredentialsProvider] instance will be used."
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.RequiredWithDefault("DefaultChainCredentialsProvider()")
+            },
+            ClientConfigProperty {
+                symbol = AwsRuntimeTypes.Endpoint.AwsEndpointResolver
+                name = "endpointResolver"
+                documentation = "Determines the endpoint (hostname) to make requests to. When not provided a default resolver is configured automatically. This is an advanced client option."
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.RequiredWithDefault("DefaultEndpointResolver()")
+            },
+            ClientConfigProperty {
+                symbol = buildSymbol {
+                    name = "String"
+                    namespace = "kotlin"
+                    nullable = true
+                }
+                name = "region"
+                documentation = "AWS region to make requests for"
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.Required()
+            },
+            ClientConfigProperty {
+                symbol = KotlinTypes.String
+                name = "signingName"
+                documentation = "Service identifier used to sign requests"
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.ConstantValue(sigv4ServiceName.dq())
+            },
+            ClientConfigProperty {
+                symbol = KotlinTypes.String
+                name = "serviceId"
+                documentation = "Service identifier used to resolve endpoints"
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.ConstantValue(serviceId.dq())
+            },
+            ClientConfigProperty {
+                symbol = buildSymbol {
+                    name = "Boolean"
+                    namespace = "kotlin"
+                    nullable = true
+                }
+                name = "useDoubleUriEncode"
+                documentation = "Determines if presigner should double encode Uri"
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.ConstantValue(useDoubleUriEncodeValueForService(serviceId))
+            },
+            ClientConfigProperty {
+                symbol = buildSymbol {
+                    name = "Boolean"
+                    namespace = "kotlin"
+                    nullable = true
+                }
+                name = "normalizeUriPath"
+                documentation = "Determines if presigned URI path will be normalized"
+                baseClass = AwsRuntimeTypes.Signing.ServicePresignConfig
+                propertyType = ClientConfigPropertyType.ConstantValue(normalizeUriPathValueForService(serviceId))
+            }
+        )
+
+    // Determine useDoubleUriEncode setting based on service
+    // From https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html:
+    //   "Each path segment must be URI-encoded twice (except for Amazon S3 which only gets URI-encoded once)."
+    private fun useDoubleUriEncodeValueForService(serviceId: String): String =
+        when (serviceId) {
+            "S3" -> false
+            else -> true
+        }.toString()
+
+    // Determine normalizeUriPath setting based on service
+    // From https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html#canonical-request:
+    //   "You do not normalize URI paths for requests to Amazon S3. For example, you may have a bucket with an object named "my-object//example//photo.user". Normalizing the path changes the object name in the request to "my-object/example/photo.user". This is an incorrect path for that object."
+    private fun normalizeUriPathValueForService(serviceId: String): String =
+        useDoubleUriEncodeValueForService(serviceId)
 }

codegen/smithy-aws-kotlin-codegen/src/test/kotlin/aws/sdk/kotlin/codegen/PresignerGeneratorTest.kt

@@ -227,9 +227,11 @@ class PresignerGeneratorTest {
             class TestPresignConfig private constructor(builder: Builder): ServicePresignConfig {
                 override val credentialsProvider: CredentialsProvider = builder.credentialsProvider ?: DefaultChainCredentialsProvider()
                 override val endpointResolver: AwsEndpointResolver = builder.endpointResolver ?: DefaultEndpointResolver()
+                override val normalizeUriPath: Boolean = true
                 override val region: String = requireNotNull(builder.region) { "region is a required configuration property" }
                 override val serviceId: String = "example"
                 override val signingName: String = "example-signing-name"
+                override val useDoubleUriEncode: Boolean = true
                 companion object {
                     inline operator fun invoke(block: Builder.() -> kotlin.Unit): ServicePresignConfig = Builder().apply(block).build()
                 }