Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AwsSdk2Transport throw exception when using ApacheHttpClient to make an unsupported DELETE/GET request with a body #1256

Merged
merged 7 commits into from
Nov 11, 2024
Merged

AwsSdk2Transport throw exception when using ApacheHttpClient to make an unsupported DELETE/GET request with a body #1256

merged 7 commits into from
Nov 11, 2024

Conversation

Xtansia
Copy link
Collaborator

@Xtansia Xtansia commented Nov 1, 2024
edited
Loading

Description

The AWS SDK's ApacheHttpClient implementation does not send the request body on DELETE or GET requests, https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/impl/ApacheHttpRequestFactory.java#L118-L137.

Additionally moves to the supported AwsV4HttpSigner as Aws4Signer is now deprecated: https://github.com/aws/aws-sdk-java-v2/blob/88abec27e7d5d35b21545c7e05875a7cc3d0f46e/core/auth/src/main/java/software/amazon/awssdk/auth/signer/Aws4Signer.java

Issues Resolved

Relates to #712
Relates to #521
Fixes #503

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

reta
reta reviewed Nov 1, 2024
View reviewed changes
java-client/build.gradle.kts Outdated Show resolved Hide resolved
@ThorbenLindhauer ThorbenLindhauer mentioned this pull request Nov 4, 2024
Open
5 tasks
@Xtansia Xtansia marked this pull request as draft November 4, 2024 20:52
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch from 8e1d91a to d837e5c Compare November 5, 2024 04:00
@houssain-barouni houssain-barouni mentioned this pull request Nov 5, 2024
Merged
3 tasks
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch 4 times, most recently from e75c9ec to a8a42f8 Compare November 6, 2024 02:28
@Xtansia Xtansia marked this pull request as ready for review November 6, 2024 02:54
@Xtansia Xtansia requested a review from reta November 6, 2024 03:12
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch from 214545a to febd596 Compare November 6, 2024 04:00
dblock
dblock previously approved these changes Nov 6, 2024
View reviewed changes
Copy link
Member

@dblock dblock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. A lot going on that's somewhat unrelated to the signing fix, you might want to extract it first, but up to you.

reta
reta reviewed Nov 6, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch from febd596 to 3e8c288 Compare November 7, 2024 11:27
@Xtansia Xtansia requested review from reta and dblock November 7, 2024 11:28
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch from 3e8c288 to 031f30b Compare November 8, 2024 10:13
@Xtansia Xtansia requested a review from reta November 8, 2024 10:13
@Xtansia Xtansia changed the title Fix AWS SigV4 on delete requests when using AWS SDK's Apache client AwsSdk2Transport throw exception when using ApacheHttpClient to make an unsupported DELETE/GET request with a body Nov 8, 2024
@Xtansia
AwsSdk2Transport throw exception when using ApacheHttpClient to make …
92d1480 
…an unsupported DELETE/GET request with a body

The AWS SDK's ApacheHttpClient implementation does not send the request body on DELETE or GET requests, https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/impl/ApacheHttpRequestFactory.java#L118-L137.

Additionally moves to the supported `AwsV4HttpSigner` as `Aws4Signer` is now deprecated: https://github.com/aws/aws-sdk-java-v2/blob/88abec27e7d5d35b21545c7e05875a7cc3d0f46e/core/auth/src/main/java/software/amazon/awssdk/auth/signer/Aws4Signer.java

Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia Xtansia force-pushed the fix/aws-sigv4-delete-pit-scroll branch from 031f30b to 92d1480 Compare November 8, 2024 10:14
@Xtansia
Copy link
Collaborator Author

Xtansia commented Nov 8, 2024

Unfortunately on further digging and expanding the tests a bit, AWS SDK's ApacheHttpClient does not send the request body at all for DELETE or GET requests, https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/impl/ApacheHttpRequestFactory.java#L118-L137

So this doesn't actually fix anything, as such I've pivoted to pre-emptively throwing an exception as the request would fail signature validation anyway and gives a clear reasoning.

@Xtansia
Add guide note
c2564c9 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia
Fix javadoc
58823eb 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@dblock
Copy link
Member

dblock commented Nov 8, 2024

@Xtansia Probably worth opening an issue in that SDK, AFAIK nothing says GET or DELETE can't have a body.

@reta
Copy link
Collaborator

reta commented Nov 8, 2024
edited
Loading

@Xtansia Probably worth opening an issue in that SDK, AFAIK nothing says GET or DELETE can't have a body.

@dblock indeed the spec [1] is not strict on that but the general recommendation (like [2]) is that GET should not have a body, DELETE may though (but shouldn't) [3]. Fe, https://www.rfc-editor.org/rfc/rfc9110.html#name-get says (similar for DELETE):

Although request message framing is independent of the method used, content received in a GET request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack (Section 11.2 of [HTTP/1.1]). A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.

[1] https://www.rfc-editor.org/rfc/rfc9110.html#name-changes-from-rfc-7231
[2] https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/GET
[3] https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/DELETE

reta
reta reviewed Nov 8, 2024
View reviewed changes
java-client/src/main/java/org/opensearch/client/transport/aws/AwsSdk2Transport.java
@@ -118,6 +122,10 @@ public AwsSdk2Transport(
* @param options Options that apply to all requests. Can be null. Create with
* {@link AwsSdk2TransportOptions#builder()} and use these to specify non-default credentials,
* compression options, etc.
*
* @implNote Using {@code software.amazon.awssdk.http.apache.ApacheHttpClient} is discouraged as it does not support request bodies on GET or DELETE requests.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@Xtansia
Re-use ContentStreamProvider
6e4e8c2 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia Xtansia requested a review from reta November 11, 2024 01:17
@Xtansia
Copy link
Collaborator Author

Xtansia commented Nov 11, 2024

I might just try PR'ing a fix into aws-sdk seeing as it's relatively simple change, and hopefully mean more likely to actually get fixed.

@Xtansia
Also validate URLConnection client
134b7bd 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia
spotless
60d3959 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia
Test HEAD and OPTIONS
30f0ac7 
Signed-off-by: Thomas Farr <tsfarr@amazon.com>
@Xtansia Xtansia mentioned this pull request Nov 11, 2024
Merged
12 tasks
@Xtansia
Copy link
Collaborator Author

Xtansia commented Nov 11, 2024

Created aws/aws-sdk-java-v2#5704

@dblock
Copy link
Member

dblock commented Nov 11, 2024

Created aws/aws-sdk-java-v2#5704

Good work 👏

@Xtansia Xtansia merged commit e8e3a99 into opensearch-project:main Nov 11, 2024
56 checks passed
@Xtansia Xtansia added the backport 2.x Backport to 2.x branch label Nov 11, 2024
@Xtansia Xtansia deleted the fix/aws-sigv4-delete-pit-scroll branch November 11, 2024 22:16
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/opensearch-java/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/opensearch-java/backport-2.x
# Create a new branch
git switch --create backport/backport-1256-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e8e3a9942c1d2e006ea82ce8f4395fc94a4dd53b
# Push it to GitHub
git push --set-upstream origin backport/backport-1256-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/opensearch-java/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-1256-to-2.x.

Xtansia added a commit to Xtansia/opensearch-java that referenced this pull request Nov 12, 2024
@Xtansia
AwsSdk2Transport throw exception when using ApacheHttpClient to make …
c9cf0bb 
…an unsupported DELETE/GET request with a body (opensearch-project#1256)

* AwsSdk2Transport throw exception when using ApacheHttpClient to make an unsupported DELETE/GET request with a body

The AWS SDK's ApacheHttpClient implementation does not send the request body on DELETE or GET requests, https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/impl/ApacheHttpRequestFactory.java#L118-L137.

Additionally moves to the supported `AwsV4HttpSigner` as `Aws4Signer` is now deprecated: https://github.com/aws/aws-sdk-java-v2/blob/88abec27e7d5d35b21545c7e05875a7cc3d0f46e/core/auth/src/main/java/software/amazon/awssdk/auth/signer/Aws4Signer.java

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Add guide note

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Fix javadoc

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Re-use ContentStreamProvider

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Also validate URLConnection client

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* spotless

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Test HEAD and OPTIONS

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

---------

Signed-off-by: Thomas Farr <tsfarr@amazon.com>
(cherry picked from commit e8e3a99)
Xtansia added a commit that referenced this pull request Nov 12, 2024
@Xtansia
AwsSdk2Transport throw exception when using ApacheHttpClient to make …
5983aea 
…an unsupported DELETE/GET request with a body (#1256) (#1288)

* AwsSdk2Transport throw exception when using ApacheHttpClient to make an unsupported DELETE/GET request with a body

The AWS SDK's ApacheHttpClient implementation does not send the request body on DELETE or GET requests, https://github.com/aws/aws-sdk-java-v2/blob/master/http-clients/apache-client/src/main/java/software/amazon/awssdk/http/apache/internal/impl/ApacheHttpRequestFactory.java#L118-L137.

Additionally moves to the supported `AwsV4HttpSigner` as `Aws4Signer` is now deprecated: https://github.com/aws/aws-sdk-java-v2/blob/88abec27e7d5d35b21545c7e05875a7cc3d0f46e/core/auth/src/main/java/software/amazon/awssdk/auth/signer/Aws4Signer.java

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Add guide note

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Fix javadoc

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Re-use ContentStreamProvider

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Also validate URLConnection client

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* spotless

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

* Test HEAD and OPTIONS

Signed-off-by: Thomas Farr <tsfarr@amazon.com>

---------

Signed-off-by: Thomas Farr <tsfarr@amazon.com>
(cherry picked from commit e8e3a99)
@houssain-barouni
Copy link

houssain-barouni commented Nov 27, 2024
edited
Loading

Hello @Xtansia ,
as aws/aws-sdk-java-v2#5704 is now merged and released in awssdk 2.29.22
should we remove this check? or skip it for DELETE, GET, HEAD & OPTIONS methods?

@Xtansia
Copy link
Collaborator Author

Xtansia commented Nov 27, 2024

@houssain-barouni Yes, I have created #1333

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reta reta reta approved these changes

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@szczepanczykd szczepanczykd Awaiting requested review from szczepanczykd szczepanczykd is a code owner

@madhusudhankonda madhusudhankonda Awaiting requested review from madhusudhankonda madhusudhankonda is a code owner

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@dblock dblock Awaiting requested review from dblock dblock is a code owner

Assignees
No one assigned
Labels
backport 2.x Backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Maintenance] Unit test coverage on AwsSdk2Transport
4 participants
@Xtansia @dblock @reta @houssain-barouni