fix: properly encode URI paths that contain non-standard characters (#658)

Author: ianbotsf

.changes/cc2cb6a3-fc49-4c83-9ca8-448e2f8131d6.json

@@ -0,0 +1,8 @@
+{
+    "id": "cc2cb6a3-fc49-4c83-9ca8-448e2f8131d6",
+    "type": "bugfix",
+    "description": "Fix bug in URI encoding during signing when dealing with special characters like '<', '>', and '/'",
+    "issues": [
+        "awslabs/smithy-kotlin#657"
+    ]
+}

runtime/auth/aws-signing-default/common/src/aws/smithy/kotlin/runtime/auth/awssigning/Canonicalizer.kt

@@ -13,13 +13,11 @@ import aws.smithy.kotlin.runtime.http.UrlBuilder
 import aws.smithy.kotlin.runtime.http.request.HttpRequest
 import aws.smithy.kotlin.runtime.http.request.HttpRequestBuilder
 import aws.smithy.kotlin.runtime.http.request.toBuilder
+import aws.smithy.kotlin.runtime.http.util.encodeLabel
 import aws.smithy.kotlin.runtime.io.SdkByteReadChannel
 import aws.smithy.kotlin.runtime.time.TimestampFormat
 import aws.smithy.kotlin.runtime.util.*
-import aws.smithy.kotlin.runtime.util.text.encodeUrlPath
-import aws.smithy.kotlin.runtime.util.text.normalizePathSegments
-import aws.smithy.kotlin.runtime.util.text.urlEncodeComponent
-import aws.smithy.kotlin.runtime.util.text.urlReencodeComponent
+import aws.smithy.kotlin.runtime.util.text.*
 
 /**
  * The data for a canonical request.
@@ -171,11 +169,10 @@ private const val STREAM_CHUNK_BYTES = 16384 // 16KB
  * @param config The signing configuration to use
  * @return The canonicalized path
  */
-private fun UrlBuilder.canonicalPath(config: AwsSigningConfig): String {
-    val raw = path.trim()
-    val normalized = if (config.normalizeUriPath) raw.normalizePathSegments() else raw
-    val preEncoded = normalized.encodeUrlPath()
-    return if (config.useDoubleUriEncode) preEncoded.encodeUrlPath() else preEncoded
+internal fun UrlBuilder.canonicalPath(config: AwsSigningConfig): String {
+    val segmentTransform = if (config.useDoubleUriEncode) { s: String -> s.encodeLabel() } else null
+    val pathTransform = if (config.normalizeUriPath) String::normalizePathSegments else String::transformPathSegments
+    return pathTransform(path.trim(), segmentTransform)
 }
 
 /**

runtime/auth/aws-signing-default/common/test/aws/smithy/kotlin/runtime/auth/awssigning/DefaultCanonicalizerTest.kt

@@ -6,10 +6,7 @@ package aws.smithy.kotlin.runtime.auth.awssigning
 
 import aws.smithy.kotlin.runtime.auth.awscredentials.Credentials
 import aws.smithy.kotlin.runtime.auth.awssigning.tests.testCredentialsProvider
-import aws.smithy.kotlin.runtime.http.Headers
-import aws.smithy.kotlin.runtime.http.HttpBody
-import aws.smithy.kotlin.runtime.http.HttpMethod
-import aws.smithy.kotlin.runtime.http.parameters
+import aws.smithy.kotlin.runtime.http.*
 import aws.smithy.kotlin.runtime.http.request.*
 import aws.smithy.kotlin.runtime.time.Instant
 import kotlinx.coroutines.ExperimentalCoroutinesApi
@@ -80,4 +77,21 @@ class DefaultCanonicalizerTest {
         }.entries()
         assertEquals(expectedHeaders, actual.request.headers.entries())
     }
+
+    // Targeted test for proper URI path escaping. See https://github.com/awslabs/smithy-kotlin/issues/657
+    @Test
+    fun testEscapablePath() {
+        val uri = UrlBuilder()
+        uri.path = "/2013-04-01/healthcheck/foo%3Cbar%3Ebaz%3C%2Fbar%3E"
+
+        val config = AwsSigningConfig {
+            normalizeUriPath = true
+            useDoubleUriEncode = true
+            region = "the-moon"
+            service = "landing-pad"
+            credentialsProvider = testCredentialsProvider
+        }
+
+        assertEquals("/2013-04-01/healthcheck/foo%253Cbar%253Ebaz%253C%252Fbar%253E", uri.canonicalPath(config))
+    }
 }

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/context.json

@@ -0,0 +1,12 @@
+{
+    "credentials": {
+        "access_key_id": "AKIDEXAMPLE",
+        "secret_access_key": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
+    },
+    "expiration_in_seconds": 3600,
+    "normalize": true,
+    "region": "us-east-1",
+    "service": "service",
+    "sign_body": false,
+    "timestamp": "2015-08-30T12:36:00Z"
+}

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/header-canonical-request.txt

@@ -0,0 +1,8 @@
+GET
+/foo/bar/baz%253Cqux%253Aquux
+
+host:example.amazonaws.com
+x-amz-date:20150830T123600Z
+
+host;x-amz-date
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/header-signature.txt

@@ -0,0 +1 @@
+64ee2b4fb5e80890c58f8ccc1221231f3e3a556ba0f9c485d32bb2742a74e8ac

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/header-signed-request.txt

@@ -0,0 +1,5 @@
+GET /foo/bar/baz%3Cqux%3Aquux HTTP/1.1
+Host:example.amazonaws.com
+X-Amz-Date:20150830T123600Z
+Authorization:AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/service/aws4_request, SignedHeaders=host;x-amz-date, Signature=64ee2b4fb5e80890c58f8ccc1221231f3e3a556ba0f9c485d32bb2742a74e8ac
+

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/header-string-to-sign.txt

@@ -0,0 +1,4 @@
+AWS4-HMAC-SHA256
+20150830T123600Z
+20150830/us-east-1/service/aws4_request
+4eb677b0ad9b3c4265bdb9eb11e09772e7ba1a11ef323d6f89800e59186ae790

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/query-canonical-request.txt

@@ -0,0 +1,7 @@
+GET
+/foo/bar/baz%253Cqux%253Aquux
+X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fservice%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host
+host:example.amazonaws.com
+
+host
+e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

runtime/auth/aws-signing-tests/common/resources/aws-signing-test-suite/v4/get-percent-encoded/query-signature.txt

@@ -0,0 +1 @@
+d1f120edc32fec5ee3797a82306977229dca6d3614e3c530897b87db9442533c