Support generate presigned URL with tagging #29
Conversation
|
Thank you @phulien for your contribution! I tried adding a test and it immediately fails with below error: 1) aws_signature:sign_v4_query_params_with_tags_test/0
Failure/Error: {error,undef,
[{hackney_url,urlencode,[<<"host;x-amz-tagging">>],[]},
{aws_signature,sign_v4_query_params,8,
[{file,
"/Users/onno.vos/src/github/aws_signature/src/aws_signature.erl"},
{line,272}]},
{aws_signature,sign_v4_query_params_with_tags_test,
0,
[{file,
"/Users/onno.vos/src/github/aws_signature/src/aws_signature.erl"},
{line,1098}]},
{aws_signature,sign_v4_query_params_with_tags_test,
0,[]}]}You're relying on Considering that aws-elixir has Perhaps we can use the |
src/aws_signature.erl
Outdated
| if Tag == undefined -> | ||
| <<"host">>; | ||
| Tag =/= undefined -> | ||
| hackney_url:urlencode(<<"host;x-amz-tagging">>) |
There was a problem hiding this comment.
Are you sure this works? I'd expect something like below instead:
BaseParams0 =
[{<<"X-Amz-Algorithm">>, <<"AWS4-HMAC-SHA256">>},
{<<"X-Amz-SignedHeaders">>, <<"host">>}],
BaseParams = maybe_add_tag_header(BaseParams0, Tags),With the maybe_add_tag_header/2 being defined as something like below (leaving aside the hackney_url problem highlighted in a previous comment) but I'd expect the header to be a part of this?
maybe_add_tag_header(Headers, undefined) ->
Headers;
maybe_add_tag_header(Headers, [{_K, _V} | _] = Tags) ->
[<<"X-Amz-Tagging">>, hackney_url:qs(Tags)} | Headers].(Notice also the usage of Tags since it can be a list of tags :-) )
There was a problem hiding this comment.
That wouldn't be enough since we need to add X-Amz-Tagging to X-Amz-SignedHeaders as defined here: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
There was a problem hiding this comment.
Yes, you're right; it should be a list of tags.
src/aws_signature.erl
Outdated
| maybe_add_tag_query_param(QueryParams, undefined) -> | ||
| QueryParams; | ||
| maybe_add_tag_query_param(QueryParams, Tag) -> | ||
| [{<<"X-Amz-Tagging">>, Tag} | QueryParams]. |
There was a problem hiding this comment.
From quick search online, it seems to me that x-amz-tagging always needs to be send in the headers, so there is no reason to put it in the params.
There was a problem hiding this comment.
Yes, if people want to generate a pre-signed URL with tagging, then x-amz-tagging needs to be included. However, we need to support both scenarios, with and without tagging.
There was a problem hiding this comment.
My understanding is that there is no reason to add x-amz-tagging as query param. It's either sent as header or not. I may totally be missing something though :)
There was a problem hiding this comment.
I understand what you mean now, and you are correct. It should not be needed.
src/aws_signature.erl
Outdated
| if Tag == undefined -> | ||
| [HostHeader]; | ||
| Tag =/= undefined -> | ||
| [HostHeader, {<<"X-Amz-Tagging">>, hackney_url:urldecode(Tag)}] |
There was a problem hiding this comment.
We should accept an unescaped value instead, the same that the caller would use for the header.
There was a problem hiding this comment.
But the session_token in Options is escaped here: https://github.com/aws-beam/aws-erlang/blob/master/src/aws_s3_presigned_url.erl#L44C21-L45C66
There was a problem hiding this comment.
Correct, that's because we put it in the query params. My point is that we should not add tag to the query params, and only add it to headers for signing. So given that, the value should match the actual header value.
There was a problem hiding this comment.
That actually makes a lot of sense. Thanks.
src/aws_signature.erl
Outdated
| if Tag == undefined -> | ||
| <<"host">>; | ||
| Tag =/= undefined -> | ||
| hackney_url:urlencode(<<"host;x-amz-tagging">>) |
There was a problem hiding this comment.
Here we can encode by hand to avoid depending on hackney:
| hackney_url:urlencode(<<"host;x-amz-tagging">>) | |
| <<"host%3x-amz-tagging">> |
|
@phulien Can you try branch: If so, I can tidy that up and bring your commit along in there so you'd still get your name as a contributor 😉 👍 |
I got this error when trying this branch |
@phulien Can you try again after pulling latest change? Sorry, I'm not at the office right now so don't really have an environment where I can test my changes. |
I got the same error with latest change (54fadb5). |
😢 Let me see what I can do without making you my personal guinea pig 😅 Give me an hour or so :-) |
|
@onno-vos-dev the header needs to be listed in |
I have updated the MR. Please check the latest version; it is now much simpler. |
|
FWIW the current version looks good to me, we just need to add the option in the docstring and it also needs a test. |
src/aws_signature.erl
Outdated
| @@ -253,6 +254,7 @@ sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Me | |||
| URIEncodePath = proplists:get_value(uri_encode_path, Options, true), | |||
| TimeToLive = proplists:get_value(ttl, Options, 86400), | |||
| SessionToken = proplists:get_value(session_token, Options, undefined), | |||
| Tag = proplists:get_value(tag, Options, undefined), | |||
There was a problem hiding this comment.
I would prefer plural of tag (so tags) both as the key in the Options as well as the variable name :-)
There was a problem hiding this comment.
Sure, I will update Tags, document and add a test case. Thank for reviewing!
Agreed 👍 Add a test and I'd be happy 👍 |
|
@onno-vos-dev please double-check. |
No description provided.