[App Configuration] - Fix http bug (Azure#43354)

* fix http bug

* add change log

* use const for connection string prefixes

* fix format

* keep the type check for base_url

* add test

* revert change

* fix lint

* revert change

Author: zhiyuanliang-ms

sdk/appconfiguration/azure-appconfiguration/CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+- Fixed a bug where non-HTTPS endpoints would not function correctly.
 
 ### Other Changes
 

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_azure_appconfiguration_requests.py

@@ -7,6 +7,7 @@
 import hashlib
 import base64
 import hmac
+from urllib.parse import urlparse
 from azure.core.credentials import AzureKeyCredential
 from azure.core.pipeline.policies import HTTPPolicy
 from ._utils import get_current_utc_time
@@ -18,14 +19,15 @@ class AppConfigRequestsCredentialsPolicy(HTTPPolicy):
     def __init__(self, credential: AzureKeyCredential, endpoint: str, id_credential: str):
         super(AppConfigRequestsCredentialsPolicy, self).__init__()
         self._credential = credential
-        self._host = str(endpoint[8:])
+        self._endpoint = endpoint
         self._id_credential = id_credential
 
     def _signed_request(self, request):
         verb = request.http_request.method.upper()
 
-        # Get the path and query from url, which looks like https://host/path/query
-        query_url = str(request.http_request.url[len(self._host) + 8 :])
+        parsed_url = urlparse(self._endpoint)
+        # Get the path, query and hash fragment from url, which looks like https://host/path?query#fragment
+        query_url = str(request.http_request.url[len(parsed_url.geturl()) :])
         # Need URL() to get a correct encoded key value, from "%2A" to "*", when transport is in type AioHttpTransport.
         # There's a similar scenario in azure-storage-blob, the check logic is from there.
         try:
@@ -53,7 +55,7 @@ def _signed_request(self, request):
         content_digest = hashlib.sha256((request.http_request.body.encode("utf-8"))).digest()
         content_hash = base64.b64encode(content_digest).decode("utf-8")
 
-        string_to_sign = verb + "\n" + query_url + "\n" + utc_now + ";" + self._host + ";" + content_hash
+        string_to_sign = verb + "\n" + query_url + "\n" + utc_now + ";" + parsed_url.netloc + ";" + content_hash
 
         decoded_secret = base64.b64decode(self._credential.key)
         digest = hmac.new(decoded_secret, string_to_sign.encode("utf-8"), hashlib.sha256).digest()

sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_utils.py

@@ -7,6 +7,11 @@
 from datetime import datetime
 from typing import Optional, Tuple, Dict, Any
 
+# Connection string component prefixes
+_ENDPOINT_PREFIX = "Endpoint="
+_ID_PREFIX = "Id="
+_SECRET_PREFIX = "Secret="
+
 
 def parse_connection_string(connection_string: str) -> Tuple[str, str, str]:
     # connection_string looks like Endpoint=https://xxxxx;Id=xxxxx;Secret=xxxx
@@ -19,12 +24,12 @@ def parse_connection_string(connection_string: str) -> Tuple[str, str, str]:
     secret = ""
     for segment in segments:
         segment = segment.strip()
-        if segment.startswith("Endpoint"):
-            endpoint = str(segment[17:])
-        elif segment.startswith("Id"):
-            id_ = str(segment[3:])
-        elif segment.startswith("Secret"):
-            secret = str(segment[7:])
+        if segment.startswith(_ENDPOINT_PREFIX):
+            endpoint = str(segment[len(_ENDPOINT_PREFIX) :])
+        elif segment.startswith(_ID_PREFIX):
+            id_ = str(segment[len(_ID_PREFIX) :])
+        elif segment.startswith(_SECRET_PREFIX):
+            secret = str(segment[len(_SECRET_PREFIX) :])
         else:
             raise ValueError("Invalid connection string.")
 

sdk/appconfiguration/azure-appconfiguration/tests/test_http.py

@@ -0,0 +1,47 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+
+import base64
+from types import SimpleNamespace
+from azure.core.credentials import AzureKeyCredential
+from azure.core.pipeline.transport import HttpRequest
+from azure.core.pipeline import PipelineRequest
+from azure.appconfiguration._azure_appconfiguration_requests import (
+    AppConfigRequestsCredentialsPolicy,
+)
+from azure.appconfiguration._utils import parse_connection_string
+
+
+def test_parse_connection_string_returns_http_endpoint():
+    # An http (not https) endpoint to ensure scheme is preserved
+    conn_str = "Endpoint=http://localhost:8483;Id=test-id;Secret=test-secret"
+    endpoint, id_, secret = parse_connection_string(conn_str)
+    assert endpoint == "http://localhost:8483"
+    assert id_ == "test-id"
+    assert secret == "test-secret"
+
+
+def test_signed_request_with_http_endpoint():
+    endpoint = "http://localhost:8483"
+    request = HttpRequest("GET", endpoint + "/kv/foo?label=env")
+    # Create pipeline request with placeholder context, then replace with a namespace that has a transport attr.
+    pipeline_request = PipelineRequest(request, {})
+    pipeline_request.context = SimpleNamespace(transport=object())
+
+    key = base64.b64encode(b"secret").decode("utf-8")
+    credential = AzureKeyCredential(key)
+    policy = AppConfigRequestsCredentialsPolicy(credential, endpoint, "test-id")
+
+    policy._signed_request(pipeline_request)  # pylint: disable=protected-access
+
+    headers = pipeline_request.http_request.headers
+
+    assert pipeline_request.http_request.url.startswith("http://")
+    assert "x-ms-date" in headers
+    assert "x-ms-content-sha256" in headers
+    auth = headers.get("Authorization")
+    assert auth is not None
+    assert auth.startswith("HMAC-SHA256 ")