-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix AuthorizationException with AWSV4SignerAsyncAuth when the doc ID has special characters. #848
Fix AuthorizationException with AWSV4SignerAsyncAuth when the doc ID has special characters. #848
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #848 +/- ##
==========================================
- Coverage 71.95% 70.41% -1.54%
==========================================
Files 91 125 +34
Lines 8001 9300 +1299
==========================================
+ Hits 5757 6549 +792
- Misses 2244 2751 +507 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
The responsibility of the signer is to sign data blindly, ie. it's not supposed to know anything about encoding/decoding. This implementation will fail if I actually encode the URL parameter on my own, then pass it into the client.
Look for a test that ensures that the URL being sent is the same URL that is being signed, and a fix where the URL is encoded before both sending and signing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the fix, see if you can simplify this test further. It's likely that you don't need any fields in the mock session because you're now stubbing signing altogether and thus you can get rid of super().sign_request ...
in the mock signer. This also means you don't need the connection because you won't be making actual requests. Finally, don't rely on general exceptions in the test. Your mock signer could raise an expected error, but it would be best if you replace the connection with a mock that just returns without doing anything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test looks ok, but this is not the right fix as I mentioned in #848 (review).
- If the DOC ID is
foo%3Abar
this code will decode it tofoo:bar
and fail the same way. We encode the URL somewhere, find where, remove that, then pass the original url intoperform_request
, and only encode it later. - The same problem (likely) exists in the synchronous path, add tests and a fix in both.
Much better! Get CI to pass. I tested this using https://github.com/dblock/opensearch-python-client-demo.
Failed with 2.4.1 and worked great with your changes.
|
Do you know why it fails on some specific versions? |
Looks like legit test failures that have to do with the changes to when URLs get encoded.
|
Yes, do I need to modify this test since the behavior of the |
Correct. Iterate till all tests pass. |
FYI, I opened #851 where all tests pass, so something in this code is causing at least some of the failures. Make sure to rebase and diff carefully. |
5622137
to
4d6dbf7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran some tests and this change broke a few things.
Indices with /
are not allowed, you get an error. In previous versions we'd encode the parameter and get the expected one.
opensearchpy.exceptions.RequestError: RequestError(400, 'invalid_index_name_exception', 'Invalid index name [movies/shmovies], must not contain the following characters [ , ", *, \\, <, |, ,, >, /, ?]')
With the updated version we don't encode it and get this error, which is incorrect.
opensearchpy.exceptions.RequestError: RequestError(400, 'no handler found for uri [/movies/shmovies] and method [PUT]', 'no handler found for uri [/movies/shmovies] and method [PUT]')
An index name in Russian, хорошо
, now fails with an invalid signature even in the sync client. It did work in 2.4.1..
Signed-off-by: dblock <[email protected]>
Signed-off-by: dblock <[email protected]>
Signed-off-by: Nathalie Jonathan <[email protected]>
d659499
to
b1bc372
Compare
Signed-off-by: Nathalie Jonathan <[email protected]>
Signed-off-by: Nathalie Jonathan <[email protected]>
b1bc372
to
2de6b44
Compare
Tested with samples from #857.
|
Description
AWS
ifid
has special characters #833._make_path
.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.